West Seattle Crime Watch: Local resident reports ripoff via router

A Belvidere resident was hit by a “sophisticated identity theft” that she describes as resulting from “an easily overlooked risk,” and wrote this to warn you about it:

Sometime around the end of April, someone hacked into my wireless router and stole my name, address, WDL#, and SS#. I’ve since discovered that wireless routers have two passwords – one for the wireless signal (which I had locked down), but also one for the router admin itself. The router comes from the factory with a standard login/password, and no instructions for changing it. This is something I overlooked, and this is how the thief got in.

I was first alerted to the theft when I received an email receipt from a store in University Village for a large purchase I didn’t make, on a card I haven’t used in years. I called the store, and they fortunately remembered the woman who made the purchase, and were able to provide a description – a white woman, age 30-35, with long blond hair (not a description of me). She had a WDL ID with her photo and my name and address.

I of course immediately checked my credit reports and set up fraud alerts, and discovered that over a dozen inquiries had been made with my name, and several new cards opened.

It turns out the thief also had a plan to collect the new credit cards and statements. The thief put a vacation hold on my mail at the post office on California & Oregon (using her fake ID), saying she would be back May 15 to pick up the mail. Sure enough, when I figured this out & got my mail restarted, there were the new credit cards and statements.

With further investigation, I discovered that my identity had been used in Puyallup and Everett to open store credit accounts, and that the thief was using a prepaid cell phone purchased in Everett. I also received an alert that my complete information (plus passport # & medical ID #) was for sale on a black-market website.

I’ve filed reports with both the police and postal service investigators.

Just want to emphasize this was a complex and local theft – to get into my router, the thief had to physically be close to my house. Then of course they visited the WS post office, and shopped at nearby shopping centers. Everyone, please check your wireless router admin login and secure it! If you find your information has been compromised, do report it to the police and let them know you’re aware of my case so they can put it all together. I was told the police cannot investigate this kind of fraud without more evidence, more thefts, or a higher amount of actual monetary loss.

Here’s what the Federal Trade Commission says about how to protect yourself from what happened to “Belvidere Resident.”

35 Replies to "West Seattle Crime Watch: Local resident reports ripoff via router "

  • clark5080 May 8, 2015 (11:10 am)

    There is also a way to lock down access by limiting it to devices you know by using the MAC address for each device. Plus, passwords that are randomly generated with lots of characters in them are much stronger.

  • bolo May 8, 2015 (11:16 am)

    Sorry this happened to you. Good that you were able to stop it before it progressed much farther. Even then, it will take quite some time to unwind it all and get your accounts straight.

    This is actually more of an issue in apartments/condos where there is greater density of wifi signals. You mentioned your “house,” so I wonder if this still could have been a neighbor or maybe a “driveby.”

    Solid advice to change the wifi router default login/password immediately. You can write it on a scrap of paper and tape it to the bottom of the router so you don’t have to worry about remembering it. Not likely this type of thief is going to get in to turn over the router.
    Some routers also need a firmware update to fix security holes.

    My elderly aunt got investigated for broadcasting kiddie porn. Turns out one of her neighbors (she lives in a dense downtown apartment complex) had hacked into her wifi router and was using it to distribute the kiddie porn.

  • Christian May 8, 2015 (11:20 am)

    Very sorry that this has happened to you.

    Here are a few things to consider when setting up your wireless router in addition to changing the password to log into the admin panel.

    1: Do not broadcast your SSID. This means that people will not be able to see your network when they are sitting outside of your house. They would have to know the full name and password to join.

    2: Most routers (newer units) have a setting in the admin panel that requires you to be hard wire connected via Cat5 cable to access the admin panel. This would prevent the type of situation you faced.

    Again, I am sorry that this happened to you, but thank you for sharing so that others may be more aware of how to protect themselves.

  • JN May 8, 2015 (11:20 am)

    This is a real risk, and it’s good advice to lock down your router password. (There are websites that list all the default passwords for every router ever). But I do wonder how the victim knows that this is how their information was stolen? It’s a possibility, but it feels much less likely than somebody at a restaurant taking a smartphone picture of your card.

  • Judy May 8, 2015 (11:24 am)

    Do you have a solution for locking the admin password??

  • Kevin May 8, 2015 (11:32 am)

    I use an Apple Airport Extreme router which has a very easy interface for managing a plethora of settings. You can easily set an admin password for the router which should be different from the password used to join the network.

    Simply launch the Airport Utility app from the /Applications/Utilities folder on your Mac. Select the “Basestation” TAB and set a password to administer the settings.

    I suggest turning on the “Create Hidden Network” under the “Wireless” TAB -> “Wireless Options” popup. This way, the name of your network is hidden when devices are scanning for available networks. Hackers can still find signals with certain tools, but this provides another level of security from prying eyes.

    And like Clark said, it’s wise to lock down access to devices using the MAC address (machine address).

    If you want to let guests connect to the Internet without giving them your Wi-Fi password, simply enable the guest networking feature and set up a separate Wi-Fi network just for them. Use a different password — or use no password at all — and your primary network, including your printer and any attached drives, remains secure.

  • bolo May 8, 2015 (11:36 am)

    @Judy, it depends on your router make/model.
    Try an internet search like:
    changing default admin password.

  • bolo May 8, 2015 (11:37 am)

    @Judy, it depends on your router make/model.
    Try an internet search like:
    (type your router make/model here) changing default admin password.

  • ChefJoe May 8, 2015 (11:38 am)

    To be honest, Christian, not broadcasting an SSID just causes a lot more hassle for setting up your computers and keeping them connected and does little to add any layers of security as the SSID must be broadcast if anything is connected to that network.

    http://www.pcworld.com/article/2052158/5-wi-fi-security-myths-you-must-abandon-now.html

    Changing your router passwords and limiting the admin functions to “must be connected via wire” and disabling any remote administration features on the router are better moves.

    MAC spoofing is also kind of easy to do and, again, may cause more hassle than it’s worth as far as security.

  • joezaloom May 8, 2015 (11:44 am)

    Sorry, but there was nothing “sophisticated” about this attack. If encryption was turned on and WPA2 used, the crooks would not have been able to access your admin panel without a truly sophisticated and difficult attack.
    Read the instructions when you buy a new piece of hardware or software, folks. In the trade we say “RTFM.” And ALWAYS change your passwords.

  • CEA May 8, 2015 (11:49 am)

    Thank you for this alert – I really appreciate it when neighbors share their experiences and lessons learned with others. I’m going to look at my router tonight! I’m also thankful for the comments and suggestions provided (including the idea of someone taking a picture of my card with a phone…which just depresses me, because it goes to show there’s probably only so much any of us can do to prevent identity theft). Bad guys abound…but so do good guys! :-)))

  • Kevin May 8, 2015 (11:59 am)

    Another danger of open networks: The FCC said that, between 2008 and 2010, “Google’s Street View cars collected names, addresses, telephone numbers, URL’s, passwords, e-mail, text messages, medical records, video and audio files, and other information from internet users in the United States.”

  • onion May 8, 2015 (12:05 pm)

    Many thanks to the Belvidere Resident for sharing her story, diagnosis, and followup actions. I hope you detected the problem early enough to avoid more serious repercussions.
    Thanks also to the other commenters, who all offered sound advice on how to improve router management and security.
    I am curious how anyone could get a DL# and SS# — and passport and medical ID!!! — by hacking into one’s personal network. OK, the SS# I can understand if one does one’s own taxes. But it seems clear that this attacker had rather extensive access to information about your life. Is it possible that the attacker is someone you know?

  • schwaggy May 8, 2015 (12:43 pm)

    I’m confused… Not about the tech stuff but about how the thief got the personal information from being able to get in the setup area of a router?

  • trickycoolj May 8, 2015 (12:43 pm)

    It’s very easy to reach the admin panel on newer routers that have iPhone apps that grant admin access. Not broadcasting SSID does nothing but make it a PITA for you and your guests to connect, but any hack that is using default admin credentials also has the means to sniff out hidden SSIDs; it’s easy. Best thing to do is make sure your SSID doesn’t broadcast any identifying information, like “Smith Residence” or “Johnson Family Wifi.” Worse yet is “Netgear” or “Apple Airport,” which translates to “hi I didn’t know how to change my wifi name so I probably didn’t know how to change the admin credentials either!”

    I have friends in IT that know all those tricks and hop on people’s wifi to just surf while visiting someone. When I lived in a dense apartment complex with lots of students, my IT friend was on someone else’s unsecured or minimally secured network before I could unlock his MAC on my hidden network. He just wanted to play online games, but a thief will just dig in for your personal files.

  • ChefJoe May 8, 2015 (12:56 pm)

    schwaggy, sometimes people leave open network shares on their computer but, if you have admin access, you could also start monitoring traffic and intercepting unsecured data.

    I have no knowledge of the above incident to base this on, but after knowing you have had some serious data compromised it’s not hard to start taking even an ID Monitoring Service SPAM e-mail saying “your passport/insurance number is out there” rather seriously.

    Then again, I have received letters related to the Premera breach that are true…

  • waitasec May 8, 2015 (12:57 pm)

    Confidential information users provide to tax preparation software is sold to many interests by that software company. Read the finest print buried in the program. Most people do not realize that their confidential information is sold by the thousands to companies.

    Truth hurts but needs to be known. There are many ways for megacompanies to obtain that data. They buy it in partnerships daily. Go read the fine print people.

    And good luck.

    I was a victim of what was called an “epic hack” 10 years ago. It took three years of hell to get unburied but I lost my financial aid for graduate school because it was online. They destroyed my laptop with all of my graduate research data. Totally wiped it out. They hacked in to my financial software and got my SS# and every account I had.

    I wish that upon nobody.

    Keep a little black book and change your PW every quarter. I have to. Just last week, ten years after the fact, somebody used my ID to try to access my bank account for a $2,000 draw. The bank’s fraud unit recognized it and stopped it. But I immediately had PTSD symptom flashbacks. Not fun.

    Good luck people. Don’t be lazy about the passwords or firewalls, etc.

  • mpento May 8, 2015 (12:57 pm)

    I don’t see how you know your information was acquired by getting onto your router?

  • Marc May 8, 2015 (1:01 pm)

    I work in the IT field, and I’d like to correct some common misconceptions about wireless security in the comments.

    – “Don’t broadcast your SSID.” Wifi cracking tools can easily find any wireless network, whether they’re broadcasting their SSID (the network’s name) or not. Wifi routers are always sending out packets that let clients know that they’re there, and it’s trivial to find these packets and the network.

    – “You can block access using MAC address filtering.” MAC addresses are a unique identifier that your computer uses to identify itself on a network. When you enable MAC address filtering, you tell your router to only accept traffic from a list of addresses that you supply. While good in theory, the same tools that are used to find a hidden SSID find the MAC addresses of connected, legitimate computers. The attacker changes his MAC address to yours, and they’re in. This is also trivial to do.

    Some things that you need to do, if you haven’t already:

    – Enable wireless encryption. Don’t ever run an open wifi network. It opens you up to all kinds of problems. People can use your network for piracy, find child pornography, and do any number of things that will be traced back to YOU.

    – Disable WEP encryption. Wired Equivalency Protocol (WEP) is an obsolete encryption standard that can be cracked in as little as ten minutes. It provides virtually no security at all. If your router supports it, change to WPA2. If it doesn’t, you should probably buy a new router. It’s cheaper than having your identity stolen.

    – Use strong passwords. I use passphrases. Something like “I hate dealing with wifi security!” is long enough to defeat most brute force attacks (where an attacker hammers your network with a dictionary until he gets in), contains mixed case letters and symbols, and is easy to remember.

    – Change your router’s default username and password. Set it to something secure that is hard to guess, like a passphrase from above.

    – Disable WPS. This is the “push button” style of authentication where you press a button on the router, then it lets your computer connect without putting in a password. The process has cryptographic weaknesses that can be exploited to gain access to even a secure WPA2 network. If you have a cheapo ActionTec router from CenturyLink, its WPS code is actually hardcoded to all zeros, and can be broken with one try!

    I’ll be happy to answer any questions people may have in the comments.

  • CJP May 8, 2015 (1:17 pm)

    You should never leave your admin interface open wirelessly, period. Restrict it to direct cable connection only for admin purposes.

  • Todd May 8, 2015 (2:21 pm)

    How to change your CenturyLink Modem password:

    http://www.centurylink.com/help/index.php?assetid=189

  • MotorMike May 8, 2015 (2:55 pm)

    This sucks I’m really sorry you have to deal with that. I just wanted to say that I don’t see a clear connection between the identity theft and the wireless router. It could have just as easily been a virus/trojan or someone going through your trash.

  • Wilson May 8, 2015 (5:39 pm)

    They didn’t get this information through your router.

  • Vincent Dakotah Langley May 8, 2015 (7:01 pm)

    Ever since I got my very first computer and internet access, I just simply CANNOT believe that ANYONE would use their own computer equipment, their internet access and so-forth for this identity theft purpose of defrauding other innocent people. The ones who actually do low-life crimes such as this, they simply are not people, really, but rather — well, they are “people?”. I’d certainly use my computer equipment, my internet access and so-forth to help someone else in some way if I only could, in, of course, an honest, lawful and upstanding way, however, I’d NEVER use my computer equipment or my internet access to harm another human individual, in any way or ways, whatsoever!!! I have ALWAYS prided myself in this, as a computer and internet user!!! So, WHY can’t those “people?” that I just mentioned above do exactly the same thing in all of this??? Do those “people?” just simply not care at all about another human person — another human spirit — but, instead, they only care about just themselves, or WHAT??? ??? ???
    …D-U-U-U-U-U-U-U-H!!!!!!!

  • Kevin May 8, 2015 (7:54 pm)

    Identity theft by an individual hacker stealing private data is incredibly serious with obvious ramifications, but the bigger question is, why do we, as citizens, allow our government, and the many thousands of hired consultants, to scoop, store and analyze every email, text, web search, photo, phone call etc.? They are hacking in real time, all day long. Is there “No Place to Hide” ?

  • DarkHawke May 8, 2015 (10:49 pm)

    I second all the great knowledge that Marc dropped on us above EXCEPT FOR the notion of using a “passphrase.” You should NEVER use real-language words in your passwords. They can be easily found with hacking tools and there goes your security. You should use a jumble of different letters in different cases, along with numbers and “special” characters (the ones you hit the Shift key for). The more random, the better. I strongly advocate using password locker apps such as LastPass, which can generate such passwords easily, and let you easily secure all of your on-line accounts in the same way.

  • ws_suzanne May 9, 2015 (2:44 am)

    Marc and DarkHawke — Thank you so much for your suggestions. Really good to know! I’ll make these changes this weekend.

  • steve May 9, 2015 (7:58 am)

    I’ve dealt quite a bit with wireless networks over the past 10 or so years, but being able to log onto the router’s IP without the wireless password? That just doesn’t make sense.

  • dhg May 9, 2015 (11:25 am)

    Nope. Someone did not break into your system through the router’s admin/password. They would have to wire in to do that. Then, having gotten access to the router, they still would not be able to access any personal info on the computers unless you have an older Windows (Win 98) system with no passwords. Most all routers, by default, will not allow a remote login, only local. So the person would have to be in your house and wired in, or know your wireless password (or guess it).

    Today’s CLink routers come in unique passwords. Comcast has also started to do this.

  • ws_suzanne May 10, 2015 (2:18 am)

    From the conflicting information in these comments, it’s really hard to know what is correct and how best to protect my security. Are routers secure? If not, what search terms should I use to figure out what I need to do?

    • WSB May 10, 2015 (2:33 am)

      The link in the last line of the story is from an “official” source, FWIW, if that helps.

  • ws_suzanne May 10, 2015 (2:39 am)

    It does. Thanks so much for following up!

  • gia May 10, 2015 (2:08 pm)

    Thanks for the offer of assistance. I have a Comcast router, and I’m 100% sure that I never set up any kind of password. If someone could post a link on how to change the password, I would be oh-so-grateful :)

  • dhg May 12, 2015 (9:10 am)

    If you have a Comcast router, check for a label on the side with the stated unique passwords for admin and for wireless. If you do not have a label, it is an older router with a default password.

    You probably do not need to change the password because external requests are already blocked. Someone would have to be connected through Ethernet or wifi to make changes.

    Getting access to the router does not give them access to your PC, iPad, Mac or any other device with sensitive data.

    Changing the password on older routers happens this way: Bring up a web browser. Type 10.0.0.1 into the address at the top and hit enter. This should display the login page. Default user name is cusadmin, password is highspeed or cushighspeed. Once you’re in, look for the admin page.

    If you want to be REALLY secure, return their router and buy a Motorola SURF router. Comcast is currently programming their routers to allow connections to anyone with a Comcast account to every router. If you look at available wireless connections at home and see “Xfinity Wifi” as an option, you are looking at a guest account on your router. Guest accounts are blocked from access to all local devices. I have not heard of anyone using it to crack into a network but it is a potential vulnerability that no one wants on their equipment.

  • gia May 12, 2015 (12:57 pm)

    dhg, thanks so very much for the simple steps. I appreciate this :)
