A lot of us have been concerned recently about an account created to look like one of our members. A fraudster created an account using the member's name and was able to screenshot the member's photo to add to their account, then made rude and profane comments on that member's (and other members') poems. Tom Cunningham acted quickly and posted a blog, contacted the member, warned other members, and notified Soup admin of what was happening, and thankfully the admin quickly deleted the account. However, some concerns were raised about our website security against hackers, and I wanted to share some tips about what we can do.
1) First, ensure that your password is a strong one, impossible to guess. We protect our money with strong passwords; we should be equally mindful of protecting our identity and creative output. I will come back to this point, but I am saying it first because it is so extremely important. If your name is John Doe and your password is John123 or JDoe, you are just asking for trouble. Don't give out your password to anyone you don't trust. Better yet, don't give it to anyone. It is verification of your identity, and nobody else needs to know it. Once someone has your password, they also have access to your address, birthday, and email address, not to mention all your poetry and the ability to pretend they are you.
2) I want people to be clear that the recent incident was spoofing, not hacking. An individual (apparently from Jamaica) created an account at Poetry Soup, using the member's name, copied the member's photo using a screenshot and Photoshop-like software, and then pretended to be that member (Tom included a screenshot in his blog as evidence). No passwords were compromised and our member did nothing wrong; he was simply an unfortunate victim of identity fraud. Even if we all maintain strong passwords, this could conceivably happen again.
3) Hacking involves a person gaining control of your account, either by stealing or guessing your password. This is very serious, because an intruder in your account could do much worse damage than a spoofer; they could change your password so that you couldn't log in, they could delete your poems or post new ones in your name, or post reputation-damaging comments, replies, soupmails, or blogs. They could even delete your account. Admin would have a hard time helping you because you couldn't log in to complain about it, plus they would have to verify you are you and the hacker is indeed a hacker. Bottom line: your best line of defense is to create and use a password that would be impossible to guess, just like you would create and use for a bank.
4) I believe our Soup site is relatively safe; I am not writing this blog to create any sense of panic. I applaud our Admin for quickly removing the account of the spoofer this week (it was removed within 3 hours of being reported). I have not seen or heard of any successful hacking attempts where somebody's identity was compromised, and I have only this week seen or heard of an account spoofer. After all, professional hackers are far more interested in government secrets or financial gain than wreaking havoc at a poetry site. I want all our members to feel this is a safe haven for poets and friends to interact. So...
5) What can we do?
We are a community, and we look out for each other, as was proven this week (thank you, Tom Cunningham!). But as I mentioned earlier, this could happen again. If it does, and you suspect someone is not behaving like themselves, document suspicious behavior by taking screenshots, and ask other members if they have noticed peculiar behavior, or maybe post a blog as Tom did. If warranted, notify the site admin (at the bottom of every page on the site there is a "Contact Us" link on the black banner allowing you to send an email to the admin). Before I sent an email to admin, I went to the site of the spoofer, and copied their account link to include in the email. I noticed the ID number of the spoofer was different from our member's ID number (which is how I knew it was a spoofer, not someone hacking into our member's account). The ID enables the admin to quickly investigate the fraudulent account. If possible, communicate with the person being spoofed to see if they are aware of the problem. Oh, and have I mentioned maintaining a strong password?
Let's all observe safe online practices and let's all keep looking out for each other.
Thank you,
John