There are few feelings worse than having the sanctity of your home violated by thieves. It's not just the loss of valuable possessions, but that a stranger has completely violated your personal space. This is what happened to someone I know yesterday. But what might sound like a run-of-the-mill break-and-enter was far smarter and will have lasting implications for those involved.
The victims of this crime are elderly folk for whom English is not their primary language. They received a phone call, supposedly from Centrelink, telling them an underpayment had been made and that they needed to visit the Centrelink office.
The office they were asked to visit was some distance away.
Cutting to the chase, the couple left the house. When they returned, the thieves had forced their way in through a back door (the property is quite secluded) and stolen jewellery, gaming consoles, tablet computers and a bunch of personal documents including passports and a bunch of correspondence including bills, medical records and other useful information if you're into the identity theft business.
About six months ago, a person knocked on their door, saying he was from Telstra (another fabrication) and talked his way into the house, saying he needed to perform an upgrade to their internet service. Instead, he installed malware on a computer. Fortunately, that was detected and removed by a professional not long after.
A few early lessons
We can no longer trust that the people that call, text or email us with regards to official matters are who they say they are.
Whenever I receive a call from a bank or some other organisation and they ask for my full name and date of birth, i ask them to prove who they are before i hand over any information.
Generally, that means providing me with a reference number or some other information and I call their number (looking it up for myself) and providing the reference information.
The second lesson: never let someone you don't know into your home unless you have specifically requested them to come.
In my friend's case, I'm certain (although the police haven't proven a link) that the "Telstra" techs were either the thieves or working with them.
During that visit, they would have had adequate time to case the house and work out where the most valuable assets to steal were.
Aside from the human trauma of this event (and in no way do I want to play down the impact of the property owners, their son who lives with them or their grand children who call that house their home for half of every week), the impact has been nothing short of horrendous.
Using information, presumably from stolen documents, the thieves locked mobile phone accounts so the victims of the crime could not use their mobile phones or access their accounts. They were locked out, requiring a visit to a Telstra store to resolve as the matter was not going to be fixed over the phone.
Tablet devices that were stolen - they were used by the kids for playing games - had app store log-ins that were then used to access my friends online email accounts and to lock him out so he lost access to his email.
That also meant the thieves had access to all his email - thus affecting dozens, if not hundreds, of other people.
They also used that to lock him out of his own social media accounts.
The loss of physical items can be remedied through insurance. Unravelling the data mess being wrought by the thieves is far harder.
A number of agencies have to be notified.
The passports have been cancelled, with the theft reported to DFAT's Australian Passport Office. Medicare has also been notified, as have banks (the thieves didn't get cards but they did get statements) and number of other organisations and agencies.
Closing the barn door...
it's really easy to sit back, at this point, and highlight all the mistakes that were made. But there are some things we can learn.
- Always have a strong passcode or passphrase on electronic devices. The thieves are likely to have accessed online accounts through unlocked devices.
- Keep important documents, such as passports, in a secure location. There's a good case to be made for a securely installed safe.
- Don't keep documents unless you really need them. You're better off scanning and shredding everything and storing everything on an encrypted drive or secure cloud service.
- Have a list of all your important online and physical assets so, if the worst does happen, you're not scrambling to work out what to do.
- Never let a stranger into your home, even if they have ID, unless you have specifically requested a tech or other service provider. And, even then, only let them in of they can validate who they are with a reference number or some other proof.
- Put a lock on your mail box or use a post office box. It's likely the thieves, in this case, have been looking through mail to know about Centrelink arrangements in order to exploit that in their social engineering phone call to ensure the house was vacant.
Clearly, this was not the work of an ice-addled smash-and-grabber. This was a calculated effort that used social engineering, brute force and targeted theft. The result has been devastating.
What other lessons can we learn? Is this making you rethink your home and office security?