Paul Vlissidis knows that I am on a pre-Christmas break in Delhi. He can track my every move and even view the pictures I am taking. Thousands of miles away, back in London, Mr Vlissidis is wondering whether to sell my car or pop into my house and have a look around. In the meantime, he sends an email from my address to my boss informing him that I am resigning from my job.
I don’t know Mr Vlissidis, but he knows just about all there is to know about me, from the financial to the personal. He has access to everything that I have stored on my computer. Every element of my life has been exposed.
Luckily, Mr Vlissidis is not a hacker. He is the group technical director of the NCC Group, which has been cleared by GCHQ to discover loopholes in security in Government departments, police forces and many FTSE 100 companies.
This is one of the busiest times of the year for internet shopping, and many of us expect to end the season with even more electronic gadgets than before. So I put Mr Vlissidis to the test, to see how vulnerable we really are – and the results have left me shocked.
Not only could he stalk me, but he could steal my identity, leaving me with a mountain of paperwork to try to reclaim my life. And all because I back up my emails online.
‘A few years ago, you would back up your phone on your laptop and that was the only place it existed,’ says Mr Vlissidis, ‘but now everybody backs up wirelessly through a “cloud”, which makes them much more susceptible. We conduct an enormous amount of business through email and it is available to anybody who hacks into your account. One phishing attack is all it takes. It’s like dominos: if one falls, they all fall.
‘I could send emails in your name and log into your mobile phone account and send texts as you. I could buy Christmas presents with your PayPal account, take out credit in your name, even empty your bank account. Identity theft is a real possibility here. Or if you have any enemies, they could remotely erase your phone or laptop.
‘It’s also a stalkers’ paradise: I found your flight tickets and itinerary in your emails, traced you with “Find My iPhone” and then used your Facebook account to work out who you were staying with in India. I then looked at her Facebook page and found out her husband worked for the American Embassy.’
At present, cyber crime is estimated to be worth up to £27 billion a year and it has a huge impact on British businesses.
‘The blurring between our corporate lives and our home lives is becoming much tougher for companies,’ says Paul. ‘People often use the same password for work, which is slightly scary for the companies concerned.’
So how do the fraudsters target you? Their first port of call is information we readily put on the internet – on sites such as Facebook, Twitter and LinkedIn – as well as public information such as the phone directory and electoral roll.
I passed with flying colours, although I do have a website which has my mobile telephone number on it. ‘We Googled you, looked at your articles, found you on LinkedIn, Facebook and Twitter,’ says Mr Vlissidis. ‘But we found very little about you in terms of your personal life. It’s uncanny how many people use their dogs’ names or their children’s names, and a bit of Facebook research and LinkedIn research is all you need to come up with potential passwords.’
After finding out my phone number, Mr Vlissidis sent me a text. Even though I did not reply, he discovered that I owned an iPhone. ‘The message came up in blue,’ he explained, ‘which meant it was an iMessage. We got very excited at that stage as it indicated that you probably had an iCloud account to back up everything.’
He then had three options: to target me at a public hotspot, change the password on my iCloud account or phish me.
His favoured option was an internet cafe or hotel – hackers set up a fake wi-fi network, identical to the real one, and then download all the information on your laptop. But I was in India, so that was not feasible.
‘It’s pathetically easy to set up a fake wi-fi network,’ says Mr Vlissidis, ‘and an easy way to target somebody. Criminals emulate the legitimate wireless network, like an evil twin. The best solution is to only log on when you know a network is secure.’
Then he tried to change my Apple password. But with little information about me, that too was destined for failure.
Finally he sent me a spoof email from Apple, saying someone had tried to log into my account using the wrong password.
As Apple only communicates by email – and the message was incredibly convincing – I fell for it.
‘The beauty of a phishing attack is that, if you craft your email carefully enough, when someone clicks on the link they are none the wiser,’ he says.
‘You came to our website – which looked exactly like the Apple ID website – you entered your details, we hoovered those up, got your password and then logged you on to the real Apple site on your behalf – so that you would never have known that you had gone via us to Apple.
‘Phishing emails get more and more convincing. The only way you could have known it was an attack was by looking at the headers – but it is unreasonable to expect the average user to be able to do that.
‘It’s like saying you have to understand how a car engine works in order to drive it. We as a security industry have failed.’
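The headers Mr Vlissidis refers to are the one place a spoofed sender leaves a trace. The following is an added illustration, not tooling from NCC Group or the article: it checks whether the visible From: domain is backed by the envelope sender and by the SPF/DKIM verdicts the receiving mail server records. The two header sets are constructed samples; the verdicts are only trustworthy when your own server wrote the Authentication-Results line.

```python
"""Flag e-mail headers whose visible sender is not backed by the envelope
sender or by authentication results (added illustration)."""
from email import message_from_string
from email.utils import parseaddr
import re


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def phishing_header_flags(raw: str) -> list:
    """Return the reasons the headers look spoofed; an empty list means clean.

    Checks: Return-Path and Reply-To domains against the From: domain, and the
    spf=/dkim= verdicts in Authentication-Results (written by the receiving
    server, so only meaningful when that server is your own).
    """
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    flags = []
    ret_dom = _domain(msg.get("Return-Path", ""))
    if ret_dom and ret_dom != from_dom and not ret_dom.endswith("." + from_dom):
        flags.append(f"Return-Path domain {ret_dom!r} != From domain {from_dom!r}")
    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom!r} != From domain {from_dom!r}")
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m:
            flags.append(f"no {mech} verdict recorded")
        elif m.group(1).lower() != "pass":
            flags.append(f"{mech}={m.group(1)}")
    return flags


# Constructed sample: the lookalike notice described in the article.
SPOOF = """\
Return-Path: <bounce@appleid-verify.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=appleid-verify.example; dkim=none
From: Apple <no_reply@apple.com>
Reply-To: support@appleid-verify.example
To: claudia@example.net
Subject: Someone tried to sign in to your Apple ID

"""

# Constructed sample: a message whose sender checks out.
LEGIT = """\
Return-Path: <bounces@email.apple.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=email.apple.com; dkim=pass header.d=apple.com
From: Apple <no_reply@apple.com>
To: claudia@example.net
Subject: Your receipt

"""
```

A mail client cannot be expected to show this, which is the author's point; a mail gateway can, and can quarantine on these flags.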
If phishing had failed, Mr Vlissidis had one last trick up his sleeve – downloading malware, such as a Trojan horse or virus, to my laptop – although I might have been alerted if I had some anti-virus software.
‘If we hadn’t phished you, we wouldn’t have got your password very easily at all,’ he says.
‘We would have had to download malware on to your computer, which we could have done by guessing your browser and software. But we weren’t sure if you ran anti-virus software and it wouldn’t have worked if you connected from your phone rather than your laptop.
‘This is the thing about hacking. You actually need quite specific information about the person you are targeting because the malware is very specific. We decided we didn’t want to go that route in case it alerted you and freaked you out. So we decided to go for a straightforward phishing attack.’
It was breaking into my iCloud account that gave Mr Vlissidis the key to my online life. ‘That really was the breakthrough moment,’ he reveals. ‘Once we could log on to your iCloud account, we could see all of your emails, your diary and contacts book. In fact it was slightly daunting because there was so much information in there.’
However, it is not only people with an iPhone and MacBook who need to worry about cyberfraud: Android and PC users are equally vulnerable to hackers if they have an online account. They too could fall prey to spoof emails.
Even if you have different passwords for each account, you are not safe. Mr Vlissidis trawled my accounts to find emails containing the word ‘password’ or ‘welcome’ and then used a password-cracking tool to fill in the gaps (I had 66 emails containing the word ‘password’ and 85 emails saying: ‘Welcome.’).
‘With many sites you get an email, which says, “Welcome Claudia” containing your username and password,’ he explained.
‘We then went through your emails collecting your passwords. Finally we used password-cracking software to gather up the missing ones. We gave it a dictionary of the words and numbers we knew about you and it came up with a list of variations. From our point of view it wasn’t a big challenge because many of your passwords were similar.’
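The two weaknesses described above (passwords built from researchable personal words, and passwords that are variations of each other) can be checked for before an attacker does. This is an added illustration, not NCC Group's cracking software; the word list and passwords are constructed, and the check undoes common digit-for-letter substitutions and strips trailing years and symbols before comparing.

```python
"""Audit a list of passwords for derivation from known personal words and for
near-duplicates of one another (added illustration)."""
import re
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Substitutions the check undoes before comparing (constructed, not exhaustive).
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})


def _core(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols, undo leet-speak."""
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return s.translate(_LEET)


def derived_from(password: str, known_words: List[str]) -> Optional[str]:
    """Return the known word (dog, child, place...) the password is built on, or None."""
    core = _core(password)
    for w in known_words:
        w = w.lower()
        if len(w) >= 3 and w in core:
            return w
    return None


def similar(p1: str, p2: str, threshold: float = 0.75) -> bool:
    """True when two passwords share a core or differ only by small edits."""
    c1, c2 = _core(p1), _core(p2)
    if c1 and c1 == c2:
        return True
    return SequenceMatcher(None, p1.lower(), p2.lower()).ratio() >= threshold


def audit(passwords: List[str], known_words: List[str]) -> List[Tuple[str, str, str]]:
    """Collect ('derived', password, word) and ('similar', p1, p2) findings."""
    findings = []
    for p in passwords:
        w = derived_from(p, known_words)
        if w:
            findings.append(("derived", p, w))
    for i, a in enumerate(passwords):
        for b in passwords[i + 1:]:
            if similar(a, b):
                findings.append(("similar", a, b))
    return findings


# Constructed inputs: words an attacker could find on social media, and three passwords.
KNOWN = ["Fluffy", "Rex", "Claudia", "Delhi"]
SAMPLE = ["Fluffy2012", "Fluffy2013!", "Tq7#mPz9vL"]
```

Only the randomly generated third password survives the audit, which is what a password manager such as the one the author adopts produces by default.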
Once Mr Vlissidis had cracked my passwords, the sky was the limit.
He could send emails on my behalf, get a copy of my energy bill to use as ID and log on to my Oyster card to find out my regular bus and Tube timetable in London.
‘I suppose if somebody was stalking you, they could build up a pattern of your movements,’ he said.
Although he didn’t have access to my mobile telephone, he could still send messages from me by logging into my O2 account.
He managed to track me down using the app Find My iPhone, downloaded all my photographs from Photo Stream (including one of me with Nancy Dell’Olio) and then tracked my movements through my pictures. However, being stalked was the least of my worries.
By hacking into my emails, Mr Vlissidis could have eventually bankrupted me: he could have bought things on eBay and had them delivered wherever he wanted; taken money out of my PayPal account (he transferred a token £10 to his account) and even opened a bank account in my name at his own address.
‘I did try to buy something from Amazon and M&S and have them delivered to me, but I needed your credit card details which, interestingly, was the one thing I didn’t have. I found your card number but could not use it because I did not have the CCV numbers from the back of the card.
‘You are quite security savvy, compared to many I have come across over the years. A lot of people aren’t that disciplined.
‘They quite happily store their CCV details with the card details because it’s easier to do so.’
Mr Vlissidis sent my neighbour a text purportedly from me asking her to leave my spare key out. She fell for it.
And had he pressed ahead and broken into my house he could have then sold my possessions – and even my home.
‘It would have been a tall order,’ he admits, ‘but not impossible.’
In the meantime, I have bought some early Christmas presents for myself – some anti-virus software for my laptop and membership of LastPass, a password keeper, which will hopefully protect my passwords and make my web browsing more secure.
I have changed the password on my iCloud account and set up two-factor authentication, which means that I have to key in a four-digit code texted to my mobile as well as my password.
And I have invoiced Mr Vlissidis for the £10 he owes me.
Oh, and I have also withdrawn my resignation from work.
WELL-OFF WIVES AT HIGHEST RISK OF WEB SCAMS
Middle-class housewives are at the highest risk of falling victim to internet fraud, Ministers say.
Well-off women aged between 36 and 55 have been identified by Government researchers as a target for internet fraud and will be the focus of a £4 million advice campaign in the new year.
Because they are ‘new to the internet’, they are said to be ‘lacking knowledge and understanding’ of how not to be duped by fake shopping sites or emails asking for bank details.
Officials say the vulnerability of these ‘high net worth’ women means they may lose as much as £4.2 billion a year despite being fearful and cautious online.
As a result, they are the first group to be addressed – along with small businesses – by a Home Office drive to encourage safer internet behaviour.
Its theme is that there is a ‘parallel world existing in cyberspace’ where people shop, bank and socialise just as they do in the physical world, and its ‘residents’ should take the same precautions with money and personal details.
The Cyber Street campaign, developed by famed agency M&C Saatchi, will be a ‘soap opera set in the internet’, backed by billboards and radio and TV commercials. A dedicated website will host animations showing how careless behaviour can lead to fraud, and will provide security advice.
Fraud is estimated to cost the UK a staggering £73 billion a year, with internet scams among the fastest-growing types of crime as people spend ever more time and money online.
Police are struggling to cope with demand from victims and can lack the expertise to track down the gangs behind internet scams, often based overseas.
The Metropolitan Police has resolved just three per cent of the 7,393 reports of online fraud received this year.
Security Minister James Brokenshire told The Mail on Sunday last night: ‘The threat of cyber crime is real and growing.
‘As part of our efforts to protect the UK we are launching a major new awareness-raising campaign in January to help people use the internet securely and confidently for business, exploration, convenience and recreation.
‘We have already strengthened our enforcement arm with the newly created National Cyber Crime Unit. This will bring law enforcement experts into a single elite unit.
‘This campaign will help close the net on sophisticated cyber criminals and protect the public from identity theft, scams and online fraud.’
As the MoS has reported, ministers recently passed control of the failing Action Fraud hotline from the now-defunct National Fraud Agency to the City of London police, which is experienced in tackling financial crime.
A report by the NFA already identified middle-aged, middle-class housewives as suffering the biggest losses to fraud.
It concluded: ‘Though they aren’t risk takers and are unlikely to act impulsively, their lack of knowledge around how fraud is perpetrated and what it “looks like” places them at risk.’