The screening process

Implausible as they may seem to some, requests for money from friends and relatives ‘stranded’ abroad are often acceded to. But who is responsible for the wave of Internet hacking?

Hand coming out of computer screen (illustrative) (photo credit: Don Hankins)
A plague of identity theft has struck recently, consisting of fake messages from “friends” who say they’ve been robbed at gunpoint while overseas, have lost their IDs, cell phones and credit cards and are desperate for money to get home. Whatever you do, don’t respond because your inquiries will go straight to the hackers who are posing as your friends.
Texts vary slightly but the message is the same: send money immediately.
Identity theft, for that’s what it is, is big business nowadays. Over 40,000 Gmail addresses are hacked every day.
The first I heard of it was when mine was hacked too, several weeks ago.
A friend calls me on my land line at 7 a.m. to say “I’ve just received an e-mail from you saying you’ve been robbed at gunpoint in Madrid.” My friend knows I am in Jerusalem, but hundreds of friends abroad have no idea where I am or how to contact me, except by e-mail.
The fact that I’d actually told family and some friends that I was off to the South of France the previous week makes the story seem all the more plausible.
I run to my computer to warn everyone.
I open my Gmail account and type in my password. “Incorrect password,” I am informed. I type it in again. The same message appears. I try the “forgotten password” option. The account recovery team at Google (which I later find out isn’t a team at all, but an automated function) requests a secondary e-mail address to which to send the password reset option, but the hint they supply to remind me of my secondary e-mail bears no resemblance to any address I’ve ever seen. The hackers have clearly changed both my password and my secondary e-mail address. Even my security question – the name of my pet – has been changed.
The ghastly truth hits me. I cannot prove my identity (and thus cannot get my account back without going through a lengthy process). Worse still, I have no access to my address book with the names of thousands of people who must all have received my fake plea for urgent financial assistance. I later discover that by changing the secondary e-mail address, the hackers receive the reset password option within minutes and can lock me out of my account as often as they want. In fact, they do so three times, which gives them enough time to correspond with my friends while preventing me from doing so and to collect the money sent to Western Union.
I suddenly understand just how dependent I am on Gmail. Not only are my 2,500 e-mail addresses and phone numbers stored there, but also my bank, health, tax and insurance information. I press random key after key, hoping that my Gmail will miraculously open. I call up help forums but the only thing I discover is that Gmail is relatively easy to hack and there’s nothing much you can do about it but send in the account recovery form and wait – between 24 hours and 10 days! The recovery form requests simple information, but I can barely recall a thing. When I’m asked for the e-mail addresses of my five most frequent contacts, I don’t remember whether they’re at Hotmail or Yahoo, at Gmail or Netvision; if they use their initials or whole names, if it’s .com or co.il.
I fill in the recovery form as best I can and send it off. I give a friend’s e-mail address through which Google can contact me. It’s still too early to call family in London. Many of my friends here are aware of the scam, having received such hoax e-mails in the past. However, for the more naive and less Internet-savvy of my friends, the hoax e-mail sounds all too credible.
This scam could hardly work if it were not for Western Union, which accepts money transfers and demands no real identification except the tracking number that some kind-hearted friend has provided, along with 1,500 euros, with the understanding that I will pay them back as soon as I get home.
The hackers go to a Western Union office with the tracking number and collect the cash, no questions asked, even after I’ve informed Western Union’s head office that money has been sent to one of their offices in Spain to be picked up by thieves using my name. Western Union argues that it is not their business to ask for identification, especially since many of those who collect money say all their IDs have been stolen! The hackers correspond up to 10 times with some of my unsuspecting friends and family, who are sent gruesome details of “my” dire situation. Some friends ask why I haven’t gone to the local embassy or consulate. “I” – that is, “they” – reply that I have but was told the consulate could not help.
One friend calls up the Israeli ambassador in Madrid and is told that he received no call from a Susan Kennedy. Another Jerusalem friend who is ready to wire the funds writes that she can’t make the transfer that day as everything is shut for Yom Kippur. The hackers haven’t heard of Yom Kippur. They write back “OK, Saturday then.” At this point she becomes suspicious, calls me at home and reads me her correspondence with the hackers. But the hackers are not stupid. They check out Yom Kippur and message Israeli contacts that the funds can wait until after Yom Kippur is over. In other words, the more information friends inadvertently provide, the more authentic the hackers make their demands appear. What began as an informal request to no one in particular soon becomes a desperate plea to specific people who wrote back signing off with their names.
I spend the following day trying to get through to a human at Google headquarters in California. For hours I press keys, talk to robots and repeat words in the hopes of getting to the extension I need. Most of the time my British accented “yes” or “no” is not understood by the voice identification software.
“I’m sorry,” the automated voice politely intones, “I didn’t understand that. Can you repeat?”
“Yes,” I say in my best American accent. “Yes, yes, yes!”
“I’m sorry. If you need assistance, please say yes.”
Eventually the line goes dead. Meanwhile the hackers are enriching themselves at my friends’ expense.
Early Monday morning, three days after the account was initially hacked, I receive an e-mail from Google to my friend’s e-mail address, allowing me to reset my Gmail password and re-enter my account. I am careful to choose a password that no one could possibly hack, containing letters, numerals and symbols as I have been advised. When I enter my Gmail I see the hackers’ initial letter to all my contacts and then their correspondence with concerned friends and family members.
My access to my new account lasts about 10 minutes. I log out briefly and when I log back in to send out a global apology letter I am told I have forgotten my new password. It has been changed again! The hackers have once again also changed the secondary e-mail address and my security question and have again locked me out of my own account.
In the short time that I have access to my account, I write down the tracking numbers of the money transfers sent to “me” via Western Union. I can see who sent money, how much and from where and have the tracking details. I immediately call Western Union in Jerusalem to report the fraud. I fill in the online complaint form, as requested.
Later I call the Western Union legal department in the US and explain (to a human) what happened. The representative keeps repeating that Western Union has no responsibility for money sent, that the responsibility falls entirely upon the sender, even one who I insist has been the victim of criminal fraud.
I quote him the tracking numbers.
“Can you tell me where the money was collected?” I ask him. The unconcerned voice replies: “Ma’am, I can tell you the area but not the specific office… I don’t know how to pronounce it, ma’am, so I will spell it,” he continues, “M-A-L-A-G-A.”
I quote the tracking numbers to him and he confirms that six payments have already been collected and that two are outstanding. I ask him what ID the hackers have to show when collecting money from Western Union.
“Any government document, ma’am.”
“A student card?” I venture. He isn’t sure.
“Would a driver’s license do?” I ask.
“Yes, sure, ma’am,” the voice says.
I ask why, since Western Union has been involved in so many scams involving false documentation, they don’t have document scanners in their offices.
“That’s not our responsibility, ma’am.”
I ask him to call the Malaga office where the money is being collected and tell them not to pay out any further money in my name.
“I can’t do that, ma’am. Law enforcement has to give me instructions.”
“What law enforcement?” I ask.
“Spanish,” he replies.
So the onus is on the victim, me, to open up a file with Spanish police and get them to call Western Union headquarters and order them to stop payments, all within 24 hours.
It turns out there are 125 Western Union offices in Malaga alone! I ask the voice if there’s anything at all I can do to stop the hackers from collecting the remaining money. He tells me that the only thing I can do is call the friends whose money is still awaiting collection and ask them to go back to their Western Union agent and demand a stop to payments. I do this but it doesn’t help – the money has already been collected by the time the agents can get through.
Who is at fault? Western Union, certainly.
But given that Google is well aware of this sort of scam, why does it not have a department that reacts immediately to complaints of fraud? Accounts ought to be frozen as soon as Google receives a complaint. In the five days during which the hackers had sole access to my account, they netted a neat 4,200 euros from my friends.
Western Union is clearly not interested in security. They are interested in making commission. A sender who sends money in my name expects the receiver to have to show valid and genuine ID. Malaga is a known magnet for criminals. A forged passport costs as little as 100 euros – a driver’s license half that – and both can be arranged in less time than it took me to write this story.
No one shows much interest in identity theft. The Malaga police force is overworked; it has bigger fish to fry than petty criminals who hack accounts. The police here say that identity theft is so common it’s not worth the time and effort it takes to report it.
Meanwhile, 40,000 accounts around the world are hacked every day. If each account has a thousand contacts, then four million people each day are open to emotional blackmail.
Recently Israel has been infested by these locusts. The only way to stop them is to ignore any request for money over the Internet, however authentic the request may seem.
More than just theft, we are dealing with the exploitation of the best intentions of good people. However, every Good Samaritan must be aware that an Internet plea for help can be generated by a crook or a robot just as easily as a person known to him or her.
He should also be savvy enough to know how the Internet works and that anyone who is stranded can get help from his or her country’s consulate or embassy. A request that does not identify the receiver by name should be a giveaway too. Who would ask all his friends for 1,500 euros? And yet some people are so befuddled they still can’t believe that they have been victims of their own generous spirit.
Who can blame them? Edmund Burke said that for evil to succeed it is enough for good people to do nothing.
In the Internet age the opposite is often true. Good people, when receiving pleas for money via the Internet, should regard them as spam until proven otherwise and deposit them directly in the trash.