Fear not, the BBC News website is perfectly okay – only the page loaded into my computer’s memory has been tampered with. This is just one example of what can be achieved through the live editing feature hidden away within modern web browsers.
Live editing is among a suite of developer tools that come bundled with the likes of Chrome and Firefox. It’s used by website developers to troubleshoot problems or work out the ID of something on the page so it can be located within the source code.
For reasons unbeknown to me, most people aren’t interested in the slightest in the inner workings of websites. Only by accident will they come across developer tools, usually while lost in a context menu. Yet you don’t need to be a developer to get live editing to work. It’s easy enough for someone with limited technical knowledge to get to grips with and, through a simple command, you can even edit text in the browser as if it were a word processor. This is how I managed to change the title, description and photo for the BBC article above.
Unfortunately, beyond legitimate use and the odd practical joke, there is a darker side to this. One that is costing innocent victims thousands of pounds.
Online banking scams – changing the balance
You’ve probably heard of online banking scams where a cold caller claiming to be from so and so company – usually a broadband provider or bank – convinces someone to willingly transfer a large sum of money. But you might not be aware of the critical role that live editing the bank website plays in making intelligent people fall for the con.
Imagine you get such a call. Here’s how it tends to play out.
Refund scam example
The person at the end of the phone claims to be from your broadband provider. Apparently, you’ve overpaid a subscription and they’re ‘legally bound’ to send you a refund.
Convincing you that they need access to your computer to process it, they walk you through the installation of remote access software. Once they’re connected, you’ll be asked to log in to your internet banking and take a note of the account balances.
Thanks to the remote access you have given them, they can see everything on your screen and control your keyboard and mouse. Once they’ve had sight of the balances in your current and savings accounts, they continue “Congratulations, you’re due a refund of £600. Don’t thank me. Just send me flowers.” [laughter and so on].
Using remote control of your computer, the scammer will turn off your monitor, reassuring you that this is a sign the refund is processing. But it’s really so you can’t see what they do next.
They move money from your savings account into your current account – a transfer that rarely requires card reader verification – then use live editing to restore the balance on your savings account and change the statement in your current account to make it look like the money came from somewhere else.
They ask you to type ‘600’ on your keyboard, something that is critical to what happens next in the con. When your screen comes back on, it will look like someone has sent you money. A lot of money. Ten times the amount of money you were expecting.
After theatrical gasps from the scammer, they’ll go on – voice raised for dramatic effect – “but I told you only to type 600, you have typed 6000. I will lose my job because of you. You must send this back to us immediately. This is your mistake.”
Of course, you’re a good person and, not being a confident computer user, accept you may have made a mistake. Card reader in hand, you offer to immediately return the extra £5400 to the account you are told to use.
Money you will discover, only too late, has come from your own savings account.
This might sound unlikely and it’s probably not something you would fall for. But it happens to people every day in the UK and it’s only possible because of the role played by live editing.
Several variations of this scam exist, like the one captured in this YouTube video from Jim Browning where the caller claims to be part of the bank’s security team.
Live editing is nothing new; it’s been around for years. But its novel use by cyber criminals to defraud people is a recent development, so I’ll be busy spreading word about this among family and friends throughout January.
Here are three key points I’ll want them to know:
- Just hang up on cold calls. No matter who they claim to be.
- Never allow someone remote access to your computer.
- If someone has had access to your computer, don’t trust anything you see on the screen.
Coming Thursday 17 January: Look out for part two of this post for my predictions on how cyber criminals, fake news generators and hacktivists will use the same trick to create spoofed screenshots of real websites and social media profiles.