I was hacked
(eTN) - I was hacked on Monday! Early in the morning my stockbroker called to ask if I really wanted a large sum of money wire transferred to an account in Thailand. The email was sent from one of my Google accounts, my name was spelled correctly, and I frequently include Thailand in my emails. In fact Thailand is one of my favorite places on the planet, and I have often thought of buying a condo in Bangkok.
After contacting me and being assured that I was sitting comfortably in Manhattan and not rushing to buy property in Thailand, my broker notified security at his firm. I thought that it would be prudent to notify Google security that I had been hacked and have one of the employees help me find the perpetrator and suggest ways for me to secure my account for the future.
I have had security issues in the past with emails confirming thousands of dollars worth of purchases from Amazon and Wal-Mart. I have also had requests from Federal Express asking me to verify my address for a package delivery. I quickly located the security emails/telephone numbers for these organizations, shared the information with them, and was patiently informed that the emails were bogus, security was aware of the problem, and “no” I was not going to find charges for fishing tackle and size 16 shoes on my credit cards. I felt comfortable with the information shared, got names and contact numbers should the charges appear on my card, and went back to my life.
Do not expect any help from Google
Silly me! I expected the same reaction (if not a more effective and efficient response) from Google.
What I found is that Google does not want any contact with customers… which is the reason there are no telephone numbers or email contacts. There are a few non-working telephone numbers available for a range of services from PR to ad sales. The numbers do ring – but there is no connect, not even a voice mail box. Google links bring customers to a lifetime's worth of data on multiple websites (think Help and Forums). HELP did not address my issue and the Forum is less than secure. How am I to determine that someone out there pretending to be my friend with the link that will answer my question – is not leading me astray?
Out of serious frustration (we are now into hour 3) I tried to find the firm that handles PR for Google. Once again I was unsuccessful. I then headed to Google corporate with the thought that a PR contact would appear on their press releases. The first release opened had no media contact but I pushed on and finally found a document with Willa Lo listed with her telephone number (which did not work) and an email (no response). Somewhere in my search I came across a general email address for pr ( firstname.lastname@example.org ). Surprise! I got a response from Andrea Freund. Be still my heart; finally I would find the name/link/telephone for Google security and I could get off this issue and move on to something else.
Silly me! What I got was what I read online. (Why are people paid to read back to me what I can read on my own? Google executives must really have a low estimation of their customers' reading ability). Anyway, Andrea is not really interested in my problem although she did ask me to send the suspected ISP numbers and a copy of the offending email. (I sent her the material; it was ignored).
She was quick to assure me that Google would not search through the ISPs to identify the bad guy nor would anyone at Google tell me how to search ISP owners… once again “not their job.” (By the way, the ISP numbers of email senders can be found below your email list).
According to “Ask Leo” unless you are a member of law enforcement or have a legal reason for finding the owner of the ISP you are out of luck. Interested in pursuing it on your own?
Leo suggests Whois, http://whois.arin.net; MaxMind, http://www.maxmind.com/app/locate_demo_ip; or http://whois.webhosting.info/ (which may or may not be accurate). Leo Notenboom (ask-leo.com) summarizes the request for ISP information with the discouraging news that “You can’t get there from here.” To get ISP contacts requires lawyers, courts, law enforcement, and, if the ISP is located outside the USA, international legal intervention.
The advice from Google to prevent hackers is to develop a strong password. What a revelation! (Gee… can I be paid Google salaries to present this information to unhappy users?)
I had to spend time on the telephone with Andrea (and then reread it in my email) to know that strong passwords are necessary. I thought I had a strong password that included numbers and words. When I started to use it the Google prompt said it was strong… so much for password advice.
To add agony to insult, Google has introduced a two-step login process. I don’t know about you, but I do not have the patience to enter one password let alone two! I did take the time to read the instructions and watch the video, and then decided I needed an advanced degree from MIT to understand the information and a doctorate from Caltech to implement it.
My mind is made up; don’t confuse me with the facts
Andrea did say that years ago Google did have an email address for queries and complaints; however, the company found that, “we were receiving many of the same questions over and over – so we set out to find a better way to offer help in a timely manner.” Not at any time in our conversation or email did Andrea suggest that Google sought to find the source of these repeated problems and make them go away!
Problems with Google
Andrea refers users to the Help Center. When I suggested that they were close to useless (i.e., not organized alphabetically, search engines were not sensitive to queries), she cut into my diatribe and suggested that I was unique and that others are happy with the Help. (Is this another Google tactic… make journalists think they are morons?) She also indicated that the company runs analytics on Forums and used this information to be familiar with top concerns that are investigated. “What happens next?” She could not answer the question nor was she inclined to find someone who could.
What to do?
In reality, there is little that can be done; however, to make yourself feel better:
1. File a complaint with the Internet Crime Complaint Center ( https://complaint.ic3.gov/defaulty.aspx ).
- The IC3 Center asks for detailed information about the incident, and suggests that hard copies of the scam/hacking be kept for future reference as evidence of the event (i.e., canceled checks, credit card receipts, phone bills, mailing envelopes, mail receipts, a printed copy of the website, copies of emails).
- The IC3’s mission is to serve “as a vehicle to receive, develop, and refer criminal complaints regarding the rapidly expanding arena of cyber crime.” The agency receives thousands of complaints each month and does not respond to queries regarding the complaint status. They do, however, review the issues and refer them to law enforcement and regulatory agencies having jurisdiction. Ultimately, investigation and prosecution are at the discretion of the receiving agencies.
2. StaySafeOnline.org provides tips and guidelines for teaching children and adults on methods to stay safe online. While not new or unique, the review process can be helpful:
- Keep security software current as a defense against viruses, malware, and other online threats.
- Automate software options.
- Plug and Scan. USBs and other external devices can be infected by viruses and malware. Scan them before use.
- Secure accounts beyond passwords.
- Make passwords long and strong. Combine capital and lowercase letters with numbers and symbols.
- Unique account, unique password. Every account should have its own distinct password.
- Keep passwords in a safe place – away from your computer and cell phone.
- When available, keep your online presence invisible.
- When in doubt, delete. Links in emails, tweets, and online advertising can harbor cybercriminals. If it looks suspicious delete it.
- Wi-Fi Hotspots. Limit the type of business conducted and adjust security settings to limit those who can access your machine.
- Protect your $$. When banking/shopping, check to be sure the site is security enabled. Look for web addresses with https:// or shttp:// .
- Think before acting. Be wary of communications that encourage immediate action – offering something for nothing. Do not provide personal information if you are unsure of the person requesting the data.
The world of cyber space can be hazardous to your finances, as well as your reputation. Be very careful of what you write in emails! I tried to reach a company regarding encrypting information sent to my financial advisors but they are only interested in corporate accounts and not individuals. Your own bank/account/brokerage firm may have access to encryption software that they are able to share. If it is available – please use it!
What can I do about Google? Nothing! I could move my accounts away from Google to Hotmail or Yahoo… but I have become accustomed to Google and do not have the time to move addresses and emails to another location. I may have to find another way to share sensitive information, and bringing back the fax machine is always a viable option.
I am truly disappointed with Google. I expected that they held themselves to higher standards. Silly me!