Hacked Neff: Scammer steals Supe candidate's accounts
Former IBM exec Cynthia Neff has used computers since the 1980s and understands the importance of secure passwords. That's why it was particularly galling to discover a hacker had taken over her Gmail account and was trying to fleece her contacts with the old "London mugging" scam.
Worse, the scammer locked her out of her email, Facebook, and even a secondary Yahoo account.
"It's horrible," said Neff July 20, still able to communicate by old-fashioned telephone. She's running for the Rivanna District seat on the Albemarle Board of Supervisors and had based her campaign distribution list on her email contacts.
Neff's hundreds of contacts, including the Hook, received an email marked "urgent" that spun a fictitious tale of her being in London, where her bag had been stolen along with her passport and money. Could the recipient wire her some quick cash, which she'd repay when she got home, so she could get on the next available flight?
Although the scam is not new, Neff worried that some would fall for it. "Older people and relatives called to ask, 'Do you need money?'" she recounts. "A neighbor came by, worried about me, and said he'd called the British Embassy."
The nice thing, she says, was that she got 75 phone calls from people checking to see if she was okay. Not so nice: getting locked out of her accounts during her campaign to unseat Republican Ken Boyd.
The first thing experts advise is to change passwords, but Neff's hacker was way ahead of that and had already changed the password.
Then she discovered how difficult it is to regain control of her accounts, especially for Google and Facebook, which do not provide phone numbers to users. "They're very clear they don't do customer support," says Neff.
Google offers a form for users to fill out to determine ownership of the account, but it asks for information that Neff said she didn't remember, such as the date she opened her Gmail account. Google spokesman Jay Nancarrow urges that she keep trying.
"We allow a certain amount of tolerance," says Nancarrow. "Our system tries to set up a balance to let someone prove who they are." He notes that Google doesn't ask for a lot of information when people sign up for Gmail.
"It's a regular and ongoing problem for us," says Nancarrow, who advises users to include a phone number when setting up the account. Earlier this year, Google added a two-step verification process, sort of like what's used in signing onto a bank account.
And speaking of bank accounts, reusing the same password for social network or email accounts and bank accounts is a hacker's dream, say the experts.
Neff knew better than that, and had used different, difficult passwords for her accounts. "I just wish I knew how it happened," says Neff, who finally regained control of her accounts by July 21.
Detective Michael Wells with the Albemarle police has a few ideas.
"I've been a victim of that myself with Facebook," he says. Wells uses a device on his phone called a passdroid that manages and randomly generates passwords.
"Using public wifi is great, but it's very dangerous," says Wells. Another method for pilfering passwords is a keystroke logger, a program that can be surreptitiously installed to covertly record every tap on the keyboard.
"My best advice is to keep your antivirus up-to-date, be careful where you use wifi," he says. "Or get a Mac."
Wells advises letting local law enforcement know so they can follow the money should a victim wire funds. "If they pick it up at Walmart in North Dakota, we can find that." He also suggests reporting hacks and scams to the Internet Crime Complaint Center, ic3.gov, an FBI/National White Collar Crime Center partnership. "It's an international problem," he says.
And one for which the National White Collar Crime Center doesn't offer much hope. "There's not a lot that can be done," says spokesman John Everett. He suggests contacting local authorities in case there's a crime wave going through the region, and reporting the incident on ic3.gov.
And while the Internet Crime Complaint Center has no statistics on how often the stranded traveler scam is reported, says Everett, once it's put into action, it blossoms into multiple computer crimes: identity theft, theft, fraud, and credit card fraud.
Although Neff got her e-life back, she says her hacker is still pretending to be her, communicating with a fake email account using her name with an extra "f" in it.
"It's really creepy," she says. "And it's really scary that people might fall for it. I'm afraid I'll never know unless someone tells me they sent money."