At 4am the day after my Gmail account was hacked over a month ago now, I penned a blog, Google’s Very Dark Cloud (see below if you didn’t get a chance to read it before I binned it). Sleep was elusive and there was little else to do while I waited for two hours to run my anti-virus programme before reactivating my account. Words flowed easily.
Pleased with myself I sent it to a trusted friend. It’s great, she tells me, strikes exactly the right balance. For a few minutes I wonder whether posting this is a good move and decide on balance that it might be useful for other people. I post it on LinkedIn and Facebook and tweet it to my followers. Before long people are ‘commenting’, ‘sharing’ and ‘liking’ the post. A BBC colleague thanks me for reminding him to make his password more secure. A friend re-tweets it and before long a ‘security expert’ in the US is following me and has named it a story of the day on his own blog.
Next morning 3.30 I am up again, in a cold sweat. I read a few articles about how an email account being compromised is professionally damaging and wonder what I have done by posting this blog. Could it wreck my reputation as a journalist who writes quite widely on technology and is author of Is Your Child Safe Online? published by White Ladder. Here, in this blog, I am admitting to not signing up to Google’s two-step verification which the technology editor of a national newspaper tells me is the essential weapon. My initial reaction when Google had suggested I give them my phone number was that it was one step too far. Doesn’t Google have quite enough information about me anyway? Naive, perhaps. But with all the debate around Google’s new privacy policy, then again, perhaps not. One thing is certain, that after this hacking I feel slightly uneasy being wedded to Google. In any relationship talking is good and when times are tough I want human interaction.
Still after two sleepless nights I am incapable of being rational so I remove all references to the blog and delete it – it has only been up for 24 hours after all. Hopefully only a handful of people have read it. That makes me feel better but the week is only going to get worse, much worse.
Not only did a few people actually believe I had been mugged in Madrid but a very kind, hugely generous person actually sent me money via Western Union. But before anybody gets on their high horse to say she should have known better you really need to see the exchange that happened between the hackers and my friend who was caught at a bad time – and also speaks English as a second or maybe even third language. As for those of you who couldn’t be bothered to find out whether I was okay, you are off the Christmas list.
Jokes aside it isn’t actually funny. This ‘social engineering’ is what hackers are increasingly doing Rik Ferguson, security director at Trend Micro (see blog below for the full title and connection) told me this morning. This is why Facebook and other social networks are increasingly being targeted. And if you think you need to only worry about online attacks, you’re wrong, think mobile too. And this is not just about automated phishing attacks it is about real people compromising real people for their own criminal ends. As Rik, and others, have pointed out if it can happen to me – someone who has actually written about this stuff and is pretty aware – it can happen to anybody.
To steal a line from James Fallows’ article in US-based magazine, The Atlantic magazine, I now have ‘the zeal of the convert’. Forget my reputation I want to tell people about it because cyber-crime is changing all the time and it is only going to get worse.
So here goes, below is that deleted blog posted first on February the 8th 2012. Hopefully more to follow.
Google’s Very Dark Cloud
At 4.20 pm yesterday afternoon, the very day before Internet Safety Day, my mobile rings. My children had a school inset day and for my sins I had spent a few hours in an indoor play barn. The snow had melted and a friend had convinced me it was a good day to go – not so many children on an inset day and the little ones would like it.
At 4.21pm I get a call from a friend. “You’ve been hacked, where are you, go home and change your passwords,” she says. She sounds panicked and to be honest my initial reaction is that she is being uncharacteristically melodramatic. A few minutes later Rik Ferguson, director of security research and communication for Trend Micro, an antivirus cloud computing security and internet content security software company (bit of a mouthful), is second in the queue. I interviewed him while researching my book Is Your Child Safe Online? . Oh the irony! It seems I have been the victim of a 419 type scam. “I thought I had better just let you know that your email account has been compromised,” he says.
The messages keep rolling in. Next is a text message from another friend. “You OK? You been mugged in Madrid?” “No, I’m in Wacky Warehouse,” I respond. “LOL. Think I’d rather be attacked in Spain.” Her response does indeed make laugh out loud.
I relay this to the friend I’m wacky enough to be spending the afternoon with. She laughs. “Oh this happened to me. When you get home just email everybody and let them know you’ve been spammed.”
Thirty minutes later, I’m not laughing. My mother has left an urgent message for me to contact her immediately. My younger brother wonders why I’m being so polite asking for cash. “It is not like you,” he says. I’ve had about 30 calls from friends, family, colleagues and even my dentist who tells me to call the police. I’m back at my computer trying to change my Gmail password and my computer has been well and truly compromised. This isn’t spam. I’ve been hacked. My memorable address and forwarding email addresses have been deleted and a new forwarding address set up. I have only one option: Go to the Google account recovery page. Here I am asked me to answer a number of questions – when did I set up the account (the exact day), what other Google products have I used, when exactly did I download them and so on. Some questions I answer easily but how I am supposed to remember the exact day I opened the account or officially started using Google products. I know it is about a year ago but it is asking me for an exact date.
Taking a deep breath I gather as much information as possible from my various online sources and fill in as much as I can, as accurately as I can. Then I hit send. Thank you, your query will be investigated and we will respond in three to five working days. The panic rises, I’ve completely lost my appetite – five days? Is this some sort of sick joke?
What do I do? I can’t talk to anybody at Google so instead I Google: “What to do if my Gmail account has been hacked,” and I start to read some hysterical messages from other people who have experienced the same thing. Google took forever to respond, somebody is worried about losing their job, another’s account was eventually reactivated but all contacts and the entire email history had been deleted. Eventually I stumble across Google Account Security tips where one is reassuringly told: ‘try not to worry’.
Since January 2011 I’d started to use Gmail because it is convenient and this is the primary email for most of my other online accounts. My Calendar is with Gmail and that is synced to my iPhone. Oh good I think, I can access all my emails from my iPhone but no – my password for Gmail doesn’t work here either. If it is going to take two days to sort I need to change all these. This could take a while. Not that long ago, while researching the book, I changed all passwords and made them different and stronger. As I start to do this again, I realise just how many contacts I have and how much of my life is now online and in some way linked to Google. My bank accounts, Facebook, Twitter, Linkedin, my daughter’s email address…and nearly a thousand contacts…the list goes on.
Forget about emailing your contacts protect your bank accounts and investments first seems good advice [how wrong they were], so I do that and then move on to all the other parts of my online life. Changing passwords is very tedious. I try to email my contacts from Outlook but there are so many that it keeps crashing. It is gone midnight when I eventually go to bed but sleep is disturbed and four hours later I am awake. The truth is I barely slept; I feel like I have been burgled. Worse still, is somebody somewhere building a picture of my identity and what does it all mean? Apparently that would be going against the grain of most hackers. Most just want you to send money to a Western Union account but surely nobody is going to do that.
At 4 am in the morning my other brother Skype messages me from the other side of the world. “You’re up early? Got strange message from you? You in Madrid?”
“No,” I write wearily. “I’ve been hacked.”
“I thought so. Well at least you’re not wandering the streets of Madrid sans cash,” he says. He has a point, it could be worse.
I sign into another account, where I have now diverted all emails. In my inbox is a message from Google. I feel ecstatic. The good news, apparently, is I’m just steps away from accessing my account. I run my anti-virus programme as recommended and that seems to take an interminable length of time – two hours seven minutes to be precise. The bad news is that when I sign in my entire email history has been deleted. I’ve started making a habit out of printing out important personal emails to file away for my children to dig out and read when I’m dead and gone but I haven’t done that for a while. On top of that there is lots of work related stuff and contacts and useful stuff that just isn’t there anymore. And as James Fallows a correspondent at the US magazine The Atlantic writes here about what happened to his wife last year – which is exactly what has happened to me yesterday – it is going to be really tough to get it back.
“Google offers a variety of automated ways for users to regain control of Gmail and other accounts they think have been hacked. The automated routines, plus an online forum moderated by Google employees, are the only help Google offers. With hundreds of millions of active Gmail accounts to manage—that’s as specific as Google will be about its user base—operating in 54 languages worldwide, the relative handful of human beings on Gmail’s support staff could not even pretend to offer live one-on-one service. The same is true of Yahoo, Microsoft’s Hotmail, Facebook, Skype, eBay, and the other big operators of “cloud”-based systems.”
I don’t know anybody from Google personally, as he does, but would welcome an introduction.
This business of protecting yourself, not to mention your children online is a really serious business. Very, very serious. My Gmail account has been reactivated and I have set up the two-step verification system – supposedly more secure. If hackers want to compromise your account they need your mobile too but you do too if you want to access email anywhere else (could be very irritating if you’ve left your mobile phone at home). Account back but my email history has been deleted and all the addresses in my contact book have a mysterious ae added to the end of them. I’m able to restore those to the original settings but as for the history – well that is gone. My husband is outraged and sends me the number of Google head office in London but I’m busy and can’t spend days on the phone as this person did. Thankfully many of my work-related emails are backed up in Outlook and I’d only had Gmail for a year, unlike James Fallows’ wife. I can’t believe I’m thanking God for Microsoft.
I go through my security settings very closely – this is a complex process. What I also find is that the forwarding address to a Yahoo account that the hackers had set up is still there. If I hadn’t noticed this my emails would still be arriving in the inbox of criminals. They haven’t set up an auto-responder, however, another little gift hackers like to leave, Rik Ferguson tells me.
Today is internet safety day and I’ve spent countless hours trying to get my online house in order. For the next few days at least the kitchen floor is going to have to wait.