Sunday 16 October 2011

Perhaps jumping ahead

Many of you may already have seen this report from the Guardian newspaper.  It concerns a case where a third party obtained access to a GMail account and, inter alia, sent emails to everyone on the account owner's contact list claiming that she had been robbed in Madrid and pleading for them to lend her money.

The tale is perhaps more relevant to the computer crime part of the module. I know though that I have received a good number of emails of this kind. Being perhaps rather cynical, I've always taken the view that there are mechanisms for a genuine victim to get help without emailing what are often casual acquaintances.

I think the story (and many others like it) does illustrate how we are struggling to fit our lives into the new patterns of behaviour associated with the Internet. We know that it is not wise to walk through a strange city carrying large amounts of money or wearing expensive watches or items of jewellery. It's more difficult on the Internet and perhaps also we are more dependent on intermediaries such as Google. Maybe we all need to have back up email accounts? And back ups of back ups?

3 comments:

  1. This comment has been removed by the author.

  2. Hi Prof Lloyd. It is very interesting how vulnerable we are once we become victims of cyber and computer crime. For example, in 'reality' we can have our car broken into but we can be reasonably assured (unless they have your keys) that your home will not be subjected to the same. However, in the virtual world many people use the same passwords for the majority of their accounts. So when the eCriminal accesses one bank account they are likely to access all your accounts and your email. Perhaps, we can think that the eCriminal gains a 'master key' to all your electronic information.

    With services such as PayPal it is very easy to transfer money to someone else, particularly a friend in need. Whilst working for the CAB for many years I noticed a common trend. No matter how absurd the idea sounded people still make silly economic mistakes. For example, the letters stating that you had won the Spanish lottery and only needed to send £1000 to get £millions back. It may sound ridiculous to us but people did and still do send substantial amounts of money to strangers in a hope to reap great rewards. This may be more prevalent during times of austerity measures. My point? Well, if the hackers manage to fool a small number of people on your contacts list they may be able to con £1000s from those close to you. Moreover, those close to you may send the money with very few checks, particularly if they are those individuals who fall foul of the lottery type scams.

    You could also guarantee that many people who have back up email accounts would use the same passwords and security questions. Otherwise, it becomes a mind game and people end up forgetting passwords et cetera. Perhaps the best way to secure accounts is by using biometrics or smartcards. For example, fingerprints or using your mobile device to verify identity (along with traditional passwords).

  3. To me, there's an underlying question as to responsibility.

    If I were to lock my door, but used a key shaped like a standard, off the shelf Allen key, then, whilst I might have the impression of security, and might indeed vex the casual passerby, I am unlikely to have *actual* security. Similarly, if I attempt to secure my email account with a very obvious password, then, whilst I have a degree of security, it is minimal. Perhaps a good grounding for a counter-claim of contributory negligence.

    Conversely, I may pick the strongest password possible, but a flaw in the authentication system, or the service provider storing the passwords in plain text, or other such issue on the part of the provider, renders my security effectively void.

    Whilst there are obligations on providers of electronic communications services to ensure the security of their services, it is questionable (and I would err on the side of highly unlikely) that Google, in its provision of Gmail, or any other service provider's email service, constitutes an electronic communications service provider, but rather an information society service, which is not subject to the same regulations. (I note the data retention experts' opinion on the applicability of data retention requirements on webmail providers and Internet email providers, but still do not understand how they managed to reach their conclusion that there is a difference...)
