The Moriarty of Bexleyheath

[Disclaimer: I’m not a lawyer, or anything, mind. I’m not even working shifts in the Law Library till after April. I speak colloquially, because I dunno what the legal definition of a tosspot is, though the colloquial one is totally this guy.]

Today on ElectricQuaker:

The Napoleon of Crime Vs. (Wellington) Boots.com in: The Wobbly-Headed Doll Caper!!

Yes, indeed, ladies & gentlemen! Today you can thrill! at the tale of a criminal!

A criminal whose dastardly plots know no restraint, whose cruel machinations know no mercy, whose fiendish mind knows no thought!

…Or, to put it another way, who’s a right pain in the arse, because I’ve had to lock down my credit card because of him. Git.

On my way home from work on Friday (I got sent home ill, which is always annoying) I checked my email & found “Paypal” had sent me an email telling me I’d added a new address. There was a second email telling me I’d authorised a payment.

‘Huh.’ I thought ‘that’s some convincing-looking phishing, there. I guess I’ll report it.’ So I did.

A bit later Paypal replied to say, basically ‘Yep, that was phishing. Good on yer for reporting it,’ and I crashed out for the rest of the day.

Being as I was ill, my sleep patterns were all to pot, so I was awake again at midnight, and took a bath (and a hot toddy made, disgracefully, with Bowmore single malt, for we had no blend in the house), and idly fired up the computer to see how the Internet had managed to cope without me for the past six hours.

Naturally, I checked my email accounts, and I was surprised to find another email from Paypal, this time saying ‘O, hai. Your payment, we haz it.’

…This one was even more convincing than the other two; no ‘Dear customer,’ here: there was my name, all correct & shipshape, and… the last four digits of my credit card number…?

So I forwarded that to Paypal as well, along with a message that said ‘This really is just some clever phishing device, right?’ and pointed a new browser window at Paypal and went and logged in.

(This is where our criminal mastermind comes in, this is)

Somehow, somebody broke into my Paypal account, added a new address (which is presumably serving as a drop; if it transpires it’s actually their home address I will actually LOL), and made off with a valuable consignment of, er, Boots aren’t allowed to tell me what it is because of the Data Protection Act.

Since Paypal automatically notifies me when somebody does, for example, randomly tell them that I live in London now in case it isn’t me doing it, I’m not really sure why they thought this would work, but they evidently did, because otherwise I’d have an inbox slightly-less-full of emails claiming I was editing my own account. The only equivalent I can think of is trying to thieve a wallet that somebody’s got chained to their own trousers; they’re likely to notice once it starts to pull, you know…

Gormless though the theft may be, I’ve still had to scramble all my passwords, boosting them up from mixed-case alphanumerics of 6-10 characters to mixed case 12 character-plus jobs, have got myself a GPG key with which I’m slowly starting to encrypt things and I’m having to do without cards because, of course, they all have to be changed now because some poxy git couldn’t be bothered to pay for his own sodding vaseline and spot cream.

And I really don’t know how they got in. Grumble. Although as far as I know, the Met., Boots, Paypal, Dyfed-Powys police & the Bank are all looking into it (which would give me more comfort if it didn’t sound just a bit like the plot synopsis for an Ealing Comedy…). Spoke to a chap from the police down in London the other day, actually, he was nice & friendly & seemed to think I was likely to get the money back, at least.

Still a pain in the arse, though.

Those of you with GPG keys, point me in the right direction & I’ll see if I can work the buggers.

and speaking of work: back to it, I suppose…

Comments

  1. On January 21, 2009 Statto says:

    Badness.

    How does a GPG key help your PayPal account security? Can they send you encrypted e-mails?

  2. On January 21, 2009 Statto says:

    Also, how much did the mastermind spend at Boots? Doesn’t seem like the kind of place you can buy an enormous consignment of high-value, small form-factor resaleable-on-eBay electronics…

  3. On January 21, 2009 Mister JTA says:

    No, but it helps my security in general, is the theory. Saves me having to send emails in Plain.

    (Incidentally, and it’s only just as I’m writing this that the thought has occurred to me: Isn’t it really weird that after over a decade of the widespread use of email most people are still sending sensitive information (not just ‘official’ stuff, but romance & sex & everything) in plain text, when people were encoding telegrams within a year?*)

    *Ish. I’ve not got the book with me to check…

  4. On January 21, 2009 Statto says:

    Yeah, it’s total madness. A few months ago you couldn’t even make your GMail account default to HTTPS. Why are we so lax? Especially when spoofing is such a piece of piss in the electronic domain.

    I think the optimal solution is encryption during transmission but storage as plaintext (obviously itself encrypted, but the encryption then depending on the host server rather than the format of the e-mail), because I trust Google to keep their server secure more than I trust my computer to keep my encryption key secure, and because I still want to be able to read my e-mail in fifty years’ time and not be foxed by a change in encryption standards.

    Sadly, no-one seems to offer this…

  5. On January 22, 2009 Statto says:

    Also, just noticed the elephant in the room:

    Why can’t PayPal distinguish between their own official correspondence and spam?!

  6. On January 22, 2009 Mister JTA says:

    Now that is an absolute bastard of a good point.

    I don’t know.

    What I do know is that if they’d told me at once ‘Uh, no… we sent you that. Er.’ I’d have got in touch with my bank nine hours sooner.

    In actual fact, I don’t think that made much difference, but it could’ve had no end of a knock-on effect. Apparently it’s too complicated to check incoming probably-spoof mail against their records, but in that case you’d think they wouldn’t have a default ‘Yes that is spam’ button…

  7. On January 23, 2009 Mister JTA says:

    Well, so far they’ve given me back £89… The other tenner-ish may’ve vanished in admin, I dunno.

    Got a call from a nice-sounding lady at Victim Support in Cardiff yesterday, who wanted to know how I was coping, so I sounded off about the waste of a perfectly good alphanumeric password for all of 30 seconds and then explained I was fine, apart from the hassle, as long as I got the money back (which seems to be happening, so that’s all to the good).

    There we go…

  8. On January 23, 2009 Statto says:

    Ah, victim support, they are eager. They tried to victim support me when my Barbour got nicked. I think I told them that I had in fact found the whole incident quite funny.

  9. On January 25, 2009 Scatman Dan says:

    The good thing about open standards is that you can’t (at least in theory) be the victim of lock-in. GnuPG is your friend. Sure, superior cryptography will come along, and you’ll have the option to upgrade all your existing encryption or leave it to eventually become breakable, but you should never end up in a place where you can’t decrypt old stuff so long as you use a widely-documented, open standard. Which you should be for crypto anyway, for other very good reasons.

    Virtually all encryption software I’ve seen supports the feature Statto’s looking for, though – to keep the local copy decrypted. Not on Google, though, of course, because that’s not a local copy. If it’s not on your local computer, it’s not local, and I for one don’t trust Google not to cave in to legal pressure if a search warrant is issued against them. I, however, can easily microwave the USB pendrive on which I carry my GPG keyring and then flush the remains down the toilet, making all my encrypted e-mails irretrievable. An inconvenience, sure, but better than being forced to reveal your password to an adversary under interrogation or threat of legal action (in the UK, willingly withholding your encryption keys after a warrant has demanded you provide them is severely punishable, even if revealing the data could be considered to be self-incrimination: however, if the key has been destroyed, you’re immune, at least theoretically).

    Not that I’m doing anything illegal, of course. But I hardly want to give the supercomputers an easy time by only encrypting future e-mails relating to my world domination efforts, of course: let them have to break ALL of my e-mails!

  10. On January 25, 2009 Statto says:

    OK, two questions:

    It does rather depend what you’re worried about, doesn’t it? To what extent should one be worried about government search warrants? I, like you, am not up to anything illegal, so I’m not really worried that I’ll be prosecuted—there is a slight worry that someone will abuse the warrant and look up all my personal details. The greater worry is probably that I will, intentionally or unintentionally, microwave my USB key and be eligible for a jail term or just lose all my e-mails. I am a bit worried by criminals hacking into my account and stealing my details, or perhaps tech-savvy gossips doing so to defame my good name, but that leads me to prefer Google, because they must keep their e-mail servers much more secure than I can keep my PC, because they know loads of stuff I don’t know about computer security.

    I don’t quite understand this USB pen drive bit—do you need that to be plugged in whenever you want to send or receive e-mail? My understanding was that you needed your private key to decrypt stuff/sign stuff (though that’s technically your public key in reverse), which leaves it wide open to theft much more than if it spends 99% of its time hiding in a drawer. If you don’t actually need the pen drive plugged in, it must be storing the key on your PC somewhere..? If so, I again make the point that Google are cleverer than I am at securing this kind of stuff. Or am I missing something?