‘MY TYPICAL VISIT TO A COFFEE SHOP’, BY VICTORIA
A few months ago I visited a bespoke coffee shop in London and ordered my normal skinny latte from the nice gentleman behind the counter. ‘Another new employee’, I thought, ‘I wonder how long it will take him to remember my order…’. Upon paying for my coffee, I was handed an invitation card to sign up for extra discounts at this and other coffee shops. ‘Nice, discounts for doing nothing! Just my cup of tea (well, coffee)’. Once I got home, I signed up to the discount website and was promised my discount card in the post. This is the last I thought of it.
Now let’s look at what really happened…
Victoria walked into the coffee shop one morning when it was quiet. ‘How can I help you Madam?’, the new employee asked. ‘Hi, can I have a large skinny latte please?’, ‘Of course, what’s your name?’, ‘Victoria’, she replied.
Victoria went to pay for her coffee using her debit card. The debit machine by the till was out of order, so the employee asked for her card, produced a new machine from behind the counter and passed it over to Victoria.
As you are already aware, Bob, the new employee, is not a nice fella, and as Victoria types her PIN into the machine, Bob is watching. The transaction goes through, Victoria removes her card and Bob passes her the receipt, along with an invitation card for extra discounts. Bob speaks highly of the discount scheme and convinces Victoria to sign up.
Victoria enjoys her coffee and heads home. She visits the website on the invitation card and fills in the registration form. The form has the usual details:
- Date of Birth
- Secret Question ‘Name of your first pet’
Victoria completes the form as she normally would; her real name, her real address, real date of birth, her only email address, her usual password and the real name of her first pet.
Of course, the discount scheme isn’t real; it’s a phishing website designed to capture information from soon-to-be victims.
WHAT BOB KNOWS:
1. Her name is Victoria Wilson-Smith
2. He has skimmed her debit card using a modified card machine.
3. He knows her PIN
4. He knows her full postal address
5. Her date of birth
6. Her email address
7. Her telephone number
8. Her usual password
9. Her answer to the secret question
From here, it would be trivial for Bob to start building up a more complete history of Victoria’s life. Using her usual password or password reset questions, etc. he could gather information from:
- Social media sites (Facebook, Twitter, etc.)
Searching information in the public domain, such as:
- Electoral rolls
- Companies House
- BMD (Births, Marriages and Deaths) Index
- Telephone directories
WHAT CAN BOB DO?
Just about everything. Withdraw cash from her current account; obtain credit under her name; request copies of her birth certificate; attempt to obtain a passport or driving licence… The list goes on and on.
Of course, Bob didn’t stay in that job too long, but by the time he left he had skimmed cards and gathered personal details on 50 or so people.
WHAT DID VICTORIA DO WRONG?
Not much in the coffee shop; perhaps just allowing someone to see her entering her PIN, as the modified card machine would have been difficult to recognise.
The real problem for Victoria was entering all of those REAL details into a website and re-using the same password for multiple sites.
WHAT SHOULD VICTORIA HAVE DONE?
Unless it’s really official (HMRC, Banks, Government, etc.), never use your real details or your personal email address.
Create an online alias with different details (e.g. name, address, secret questions and answers, etc.). Set up a second email account and use this for all of those dodgy marketing, spam and discount sites. Never use the same password on multiple sites. This is an opportunity to be the person you always wanted to be!
For example, I’m Victor Parnevik, born 14th December 1978 in Solihull for websites – and just plain old ‘Bruce’ in coffee shops.
Remember, it’s easy to change email addresses or passwords if they are compromised, but very difficult to change who you really are…
So who will you be? Protect your real identity!
For more information about keeping yourself safe online see: