ASHLAND — When Karen Lightcap was teaching in Lewisburg on March 8, she was mugged in London — at least that’s what her Facebook page and her e-mail were telling friends.

One of her students showed her a message that arrived on her cell phone. It said Lightcap was robbed at gunpoint in England, injured and in need of $1,500 to get home.

The Ashland resident quickly discovered that she no longer controlled her e-mail or Facebook page. The passwords had been changed.

While Lightcap was helpless to stop the messages, one of her friends sent $1,000 to the Western Union office posted in the e-mail.

They reported the swindle to the Federal Communications Commission and to state police, but were told there’s no chance of getting back any of the money.

Lightcap considers herself lucky she’d didn’t lose money as well. Because she found out about the scam quickly, she was able to close her bank accounts and stop her credit cards.

But it took taking a whole day off from work to do it.

“It was a hassle,” she said.

And Facebook didn’t lend a pixel to help.

Lightcap said she went to Facebook’s security page only to find she couldn’t get anywhere without the correct password. She said she also followed the procedure for “if you did not authorize this change,” but never heard back from the service.

Facebook — which earlier this month had more Internet traffic than longtime leader Google — did not answer calls about the matter for The Daily Item. It did e-mail standard advice about scams, including the “mugged-in-London” type, which has become quite common.

When one considers that Facebook has 400 million users, it may not be surprising that getting through to someone on its staff is difficult.

Still, Lightcap thinks Facebook could have responded.



Expert: “Phishing” scams common

Robert Siciliano, a Boston-based computer and personal security guru, who counts among his clients Intelius, the public records provider that offers identity theft protection, says Facebook keeps changing its privacy policy, so it’s difficult to keep up with it.

It’s also hard to keep up with online criminals. There are many ways they can breach password security, Siciliano said.

The most well-known is “phishing.”

Phishing scams are incredibly common, Siciliano said. The scammers send you a page looking just like that from one of your trusted sites, like Amazon or eBay. They ask you to update your account information or use some other ruse to get you to click on an access portal and enter your personal information.

In October, security researchers reported that nearly 750,000 Facebook users received fake password reset messages.

“Never, ever click on a link in the body of an e-mail,” Siciliano said. “Never.”

That has been well-publicized, but Eric Santanen, associate professor of information systems at Bucknell University, said 30 percent of people who are asked will still reveal personal information this way.

The way people are using Facebook, however, offers opportunities that don’t even involve hacking or computer savvy.

You post pictures of your dog Pepper, your birthday party with its date, or list your favorite color. People commonly use the names of their pets, anniversary or birth dates, or favorite colors, as passwords.

“People put in way too much information,” said Tod Burke, criminal justice professor at Radford University in Virginia. “Names of grandmothers, siblings … it’s a hacker’s dream.”

Calling the grandmother on the phone and impersonating a relative, saying you’re in trouble, is easy.

Keep this personal information restricted to select friends offers a false sense of security.

“Because your friends become friends of friends,” Burke said. “Why don’t you just say ‘The key is under the mat and if you have any trouble, call me.’ Or, ‘Here’s my bank account number.’”

Added Bucknell’s Santanen: “You don’t have absolute control when you when you are involved in this Web site.”

The best idea is not to post personal information at all, Burke said.

If you do, and want to change your mind about it, chances are, even if you succeed in getting a Facebook or similar social media service to take the page down, that doesn’t mean someone hasn’t copied it. After you “erase” the information, it can still be as prevalent on the Web as ever.



Don’t use “password” as password

Poor passwords are another portal for thieves, Santanen said. People are still using those that are ridiculously easy to guess. Either they relate to personal information — again, what is served up on a platter on Facebook and the like — or they are just plain common.

The password “123456” is used by 300,000 people, Santanen said. And “12345” is used by 80,000. The word “password” is the password of 62,000.

“These are bad passwords,” he said. A good password requires some thought. Creating a password not associated with yourself at all, so it can’t be guessed, but with personal relevance so you can remember it, is not easy. Santanen advises a piece of a lyric from a favorite song, substituting numbers for a letter or two.

So, say you never reveal information carelessly and always create strong passwords. Are you safe?

Not a bit.

Do you surf the Web? There are programs that can install themselves on your computer without your knowledge that will record your every keystroke, Santanen said.

Typically, a user types a Web site URL followed by a user name and password. Once scammers see these patterns, they’ve got you.

Getting security software, to search and destroy this “spyware,” is essential, Santanen said.

The spyware isn’t even always illegal. If you use any software, would you read all the fine print on an 18-page licensing agreement? Often it says your information may be revealed to third parties, so when you click “I accept” you’ve given it away. “They’re not liable for anything. They own your information.”

Legitimate firms are investing in storing that information to get a picture of your likes and interests to sell you things, Santanen said. You can assume whatever you type will remain forever.

If phishing, hacking, old-fashioned tricksterism and spyware aren’t enough, there are the special perils of going wireless. If you plug into someone’s open network — like at an Internet cafe, library or the friendly grocery store that offers one, you’re vulnerable to “man-in- the-middle” attacks, says Brandon Gregg, a California based computer forensics specialist.

In this ploy, the spy confuses a computer connected to a wireless network into believing he is the router and that lets him capture a target’s data as it passes through to the real router.

Think it’s difficult?

“There are plenty of short YouTube videos that can get you running in minutes,” Gregg wrote.



Internet fraud difficult to prosecute

Using information, however obtained, to steal is illegal, of course, but policing this type of fraud is scant to nonexistent.

“I just spent four hours on the phone with a man from Ghana,” said Siciliano, the Boston-based personal security expert. “He’s 27. It’s what he does all day — phish and hack. That’s how he makes his living. How he supports his family.”

Places like Ghana and Nigeria are filled with Internet cafes where this is all people some do, Siciliano said. Often they have a partner in London or elsewhere to pick up money. After all, people are less likely to believe you’re in Ghana than in London.

Technically, it’s an illegal activity in these countries, but there is no enforcement.

And by no means is the activity limited to Africa or the Third World. It goes on in countries across the globe. Siciliano estimated 100,000 to 1 million people are working at it full time. There are online chat rooms that do nothing but sell people’s login and password information.

“It’s not just that people are naive,” Siciliano said. “People are involved in all this developing technology they don’t understand. They don’t know how it works and they don’t know what the risks are.”

Lots of people will recognize phishing attempts and delete them and, maybe, report it to the legitimate site’s spoof handlers. (This is fairly useless, by the way, Siciliano said). Enough will be suckered. Even if the bad grammar should have been a dead giveaway.

Lightcap’s purported plea for help had “awful grammar,” she said. That didn’t stop her anxious friend from being duped.

All they have to do is succeed a small percentage of the time, Siciliano said.

“They do,” he said. “That’s why I have a job.”

“The young man in Ghana? He’s a hero,” he said. “He’s the most famous guy in his village because he’s taken down a fat, greedy American.”

His children, 9 and 12, are learning fast. They have laptops They already know more than he did when he was 25. They’ll grow up working for him.

They already know they need to speak better English.