Luke knows the type of coffee I drink in the morning, the university I went to, the names of all my friends.
He knows that I spend too much time (and money) on the John Lewis website and that I have been known to colour code my Christmas outfits to match my children’s Santa hats.
He even knows the password to my bank account. Yet Luke is not my husband. In fact, we’ve never even met.
Luke is an internet security expert, who has managed to build up a chillingly detailed 11-page report about my life in just a few hours online.
The Mail’s Antonia Hoyle enlisted the help of a cyber security expert to find out how vulnerable she was to fraud online
In an age in which we work, shop and socialise on the internet, we are leaving more information in cyberspace than ever — and ourselves terrifyingly exposed to online fraud. Indeed there were six million cybercrimes in Britain in 2016 — more than any type of crime in the ‘real world’.
To find out just how much information is out there about me — and how vulnerable I am to being defrauded — I enlisted the help of cybersecurity expert Luke Potter.
I gave him only my name and the instruction not to use any information that is online because of my work as a journalist. The results of his investigation are enough to make anyone think twice before logging on …
MY BANK PASSWORD REVEALED IN HOURS
Terrifyingly, it takes Luke just hours to track down the most valuable of all my online information — my bank account password. I thought I’d done everything I could to protect myself from cybercrime by using online passwords which include a complex combination of letters and numbers, rather than something obvious such as my mother’s maiden name.
But I am shocked to discover the majority of my passwords are available online to anyone with an ounce of technical know-how. Unbeknown to me, over the past nine years my passwords for four separate websites — software company Adobe, professional networking site LinkedIn, pop star Lady Gaga’s fan page and social media website Myspace — have been stolen by hackers.
Worryingly, my passwords have ended up on a website on which information is traded by criminals.
To my horror, Luke explains that in 2008 I was one of nearly 360 million Myspace members who had their email addresses, passwords and usernames stolen; in 2012 I was one of the 164 million LinkedIn users to fall prey to the same crime; in 2013 my Adobe account was one of 153 million hacked into; and in 2017 mine was one of the one million accounts compromised on Gaga’s site.
‘Ordinarily the public remain unaware of who hacks the websites or puts the information online,’ says Andrew Martin, CEO of online security firm DynaRisk. Often, our information ends up on the ‘dark web’ — a collection of around 30,000 websites that are publicly visible but whose IP addresses (the string of numbers that identify each computer) are kept hidden — meaning the people behind them remain anonymous and cannot be found through search engines such as Google.
Most of mine had ended up on a website the Daily Mail has chosen not to name, that contains a combined list of 562 million breached usernames and passwords traded by criminals.
‘We deciphered your password easily from the dumped information and anyone with similar technical savvy could have done the same,’ says Luke, cybersecurity practice director at tech company SureCloud. (SureCloud.com)
Most valuable of all the passwords stolen by hackers was the one for my LinkedIn account — as it is the same password I use for everything from my bank account to my email.
‘People usually use variants of one password on multiple sites and I can hazard a guess that we could have logged on to lots of your online accounts through this password,’ says Potter.
He’s certainly right in my case. I have trouble remembering too many passwords and online logins, so try to keep them as similar as possible — a mistake I certainly won’t be making in future.
WE’VE JUST MET AND HE’S GOT MY NUMBER
I’d assumed — perhaps naively — that only my friends and family have my mobile number. But Luke quickly disabuses me of this notion.
Apparently my number and private email address are available on the internet for all the world to see — leaving me an easy target for online fraudsters. My details appear on a local community website, on which people sell second-hand goods, which I first used in 2015 to get rid of baby things my children Rosie, six, and Felix, four, no longer needed.
As I had to join the forum to place the post, I assumed they were only accessible to fellow members. ‘People often think being a member of a website like Gumtree or Craigslist means their details will remain private,’ says Mr Martin. ‘But it’s easy to enter personal details like an email address or telephone number in the body of an advert or tick the wrong box so they are publicly accessible, without realising.’
Such small mistakes can make us easy prey for cyber criminals. ‘If they can crack your email password, hackers can access a goldmine of information. They can reset the password and scam you or your contacts,’ says Mr Martin.
‘They might, for example, ascertain you had building work done through your email correspondence then email you an invoice purporting to be from the building company requesting payment be put in a different account.
‘The invoice looks so authentic you’d never know it wasn’t genuine.’
WEB POSTS HAVE MADE ME A TARGET…
Luke throws me when he says he is a runner, too. Has he been spying on me jogging? It turns out he has found out I ran the London Marathon 2008, through my fundraising page on justgiving.com, which I ran in support of the charity Breast Cancer Care.
He also knows that I stopped drinking Arezzo coffee last year — he stumbled upon an internet post on the community website where I gave away some unused Arezzo coffee capsules after getting a new coffee machine.
He also knows that in 2014 I decided Rosie was big enough to walk, so sold my Phil & Ted’s double buggy for £150, and by 2016 my son Felix reached the same milestone, so I sold our remaining Bugaboo Bee for £100.
Then there is the picture I posted on the same community website of my son’s cot, bearing the John Lewis logo. This information might sound innocuous enough, but apparently not.
‘It helps hackers with what we call “intelligence gathering” which allows fraudsters to build up enough of a profile of your consumer habits to use for a targeted attack,’ he says.
‘Anyone could call you up pretending to be from your bank, for example, and provide the kind of detail about you that would convince you they were genuine. This is how people fall victim to fraud. They think there is no way a stranger could have that knowledge of them without being in a position of authority.’
… AND I’M PRIME FODDER FOR BURGLARS
If Luke — or, more worryingly, anyone else looking me up online — wanted to pop around to my house they’d have no trouble. For he not only knows the house number of my terraced London home, he also knows I have a red front door and windowsills that are well overdue a clean.
He even knows how much I paid for my house in 2009 — £390,000 — and how much it is worth now.
The address was on online telephone directory 192.com, while the picture of my house is on Google Maps — a device that allows users to zone in on satellite pictures of residential streets.
The picture of my house that Luke presents me from May 2016 is taken at such close range that you can see a note I have left for a delivery driver on my front door. It reveals that I am not at home and provides a mobile number for the driver to contact me on.
Not only could potential burglars find out where I live — and gauge how secure the house is from pictures online — if they happened to be passing (the mobile number isn’t visible on Google Maps) it seems they could also discover when I’m likely to be out.
Once again, my fondness for selling second-hand belongings online — as so many of us do — has left me vulnerable.
Posts when I was selling my children’s prams reveal what times of day I am at home and my full address. Without even thinking, I had conducted a conversation with potential buyers on the site disclosing this information, and anyone online can now see it.
‘Through this an attacker can build up a picture of your daily routine,’ says Luke. Which makes me prime fodder for burglars.
Estate agent records show how much we paid for the house and details on a property search engine Zoopla reveal an accurate estimate of how much it is valued at now. Anyone interested in assessing our worth could easily build up an impression of our lifestyle from this information.
‘From a fraud perspective, attackers always go for the lowest hanging fruit and a fortysomething woman, for example, who isn’t technically savvy or secure online and is registered with several different websites, is leaving herself particularly exposed to scams,’ says Mr Martin.
FACEBOOK’S LEFT ME VULNERABLE
To my horror, I learn there is a picture of me in my pyjamas with Felix as a newborn online, a picture of my son as a baby in a nappy in our garden and numerous snaps of the children smiling together at family events. All courtesy of my Facebook account.
Like more than half the UK population — 32 million and counting — I regularly log onto the social networking site. But, as I have diligently ticked the boxes for the tightest privacy settings, I was fairly confident Luke wouldn’t be able to find much about me on the site.
I couldn’t have been more wrong. It transpires that Luke, and anyone else searching my name, can discover everything from where and when we go on holiday — I posted a plea for advice on where I could find the best waterslide in Dubai — to my husband’s name and his job in finance.
Luke discovers the names and dates of birth of both Rosie and Felix through pictures I’ve posted on Facebook. None of these was captioned and in any case, I thought I had my Facebook security settings fixed so only friends could see my posts.
Alarmingly, however, Luke says this wasn’t the case and ‘at the moment your account is fairly open. You can alter privacy settings on a post-by-post basis and you might have changed yours without realising it.’
There is not only private information about my family life I’d never dream of disclosing to a stranger, but valuable insight for burglars as to when we are planning to be away.
The comments written by friends underneath the photos reveal my children’s birthdays — again seemingly harmless facts which actually provide fraudsters with vital information.
‘Dates of birth belonging to yourself or family members are useful to hackers as people may use them as pin codes for debit cards and as an answer to security data questions for websites,’ explains Mr Martin.
‘Combined with information such as an address and mother’s maiden name, they could also be used to do things like redirect your mail, take over a social media account or steal your identity.’
It’s a terrifying prospect. I shudder, change my online passwords and security settings — and vow to think more carefully about what I post online in future.
How to protect yourself
Don’t use real answers to security questions, as hackers could find out your first car/home town. Make them up.
DON’T REUSE PASSWORDS
It will make you more vulnerable to hackers. Use a combination of different letters and numbers for each website.
ALWAYS OPT OUT
Websites have an obligation to request you opt in to information they want to share and will ask for your permission. Think carefully before you tick the box.
UPDATE PRIVACY SETTINGS
Most social media provides the ability to adjust privacy controls, but it’s up to you to check and update your settings.
Never click on email links or attachments you don’t recognise. Malicious code could end up on your computer or you may end up on a ‘phishing’ site that could take your usernames and passwords.
Put a six-digit security pin on your smartphone to stop thieves from hacking into your personal data if it is stolen.