The Mystery of the Missing Miles

Ever use a public computer to print a document from the office or access you work email? Read on to learn just how risky that is.

When you can't drive, have to go to school, are subject to a curfew, and fund your fun with whatever allowance, couch scroungings, and baby-sitting money you can scrape together, the idea of being a kid detective has obvious appeal. The desire to succeed where adults fail, outwit the bad guys, and make something happen rather than have everything happen to you gives rise to generation after generation of youthful sleuths, from Nancy Drew and the Hardy Boys to Encyclopedia Brown to Lemony Snicket.

My detective avatar was and is tousle-haired Trixie Belden,¹ tomboy heroine of a series of mystery stories set in the Hudson River Valley in what must have been the fifties or early sixties, judging both by the pageboys and bobby sox in the illustrations and the use of words like "dungarees" for jeans and "Gleeps!" for [expletive deleted]. Sporting red jackets bearing the cross-stitched initials of their secret club - "Bob-Whites of the Glen" - Trixie and the B.W.G. gang had all sorts of wholesome outdoor fun while unmasking impostors, foiling con-artists, and stopping thieves in their tracks. As a shy, nerdish city kid, the back covers of the books spoke to me directly with a siren song I couldn't resist:

Would you like to -

• solve mysteries?

• belong to a secret club?

• ride, swim, travel, go to parties with the best friends in the world?

Then the wonderful adventures of Trixie Belden are written just for you. Don't miss a single one!

I have spent most of my adult life trying to make the "ride, swim, go to parties with the best friends in the world" thing come true. But I never thought I'd be actually solving mysteries more complicated than "Where did I leave the car keys?" - until last month, when, with a little help from my fellow shamus Todd Flaming, I cracked the Case of the Missing Miles, and learned a valuable lesson about how not to keep client confidences and secrets.

A mysterious disappearance

I first noticed the mysterious disappearance as I was contorting myself into seat 24K in Economy Plus² on a flight from London to Chicago. I checked the United app on my iPhone one last time to see if somehow, miraculously, all five people ahead of me in line for an upgrade had missed the flight, enabling me to ascend to the lofty, lay-flat heaven of Business Class.

I was not surprised to find that Business Class had checked in full, but I was a bit startled to see that my frequent-flyer mileage balance, which stood at over 200,000 miles the last time I looked, had somehow dwindled to a little more than 1,000 miles. I checked to see if there was any activity in my account, didn't find any, and figured it was just a glitch in United's system.

It wasn't. I'd been hacked.

Trouble in Tacoma

When I got back to Iowa, I discovered that evildoers had gotten into my Mileage Plus³ account and changed my email address to a dummy account and my home address to someplace in Tacoma, Washington. The cyber-crooks then ordered some loot out of the United Merchandise Awards catalog, using almost all of my miles to pay for it. While I don't know exactly what goodies they were trying to grab, here are just a few of the possibilities:

By the time I got in touch with United, the goods had been shipped, but not yet delivered to "my" address in Washington. The delivery was intercepted, so there will be no big TV party, swingin' BBQ, flashy watch wearing, or ultra-light laptop computing in Tacoma. Not on my tab, anyway.

But even though this particular criminal scheme had been foiled, the fact remained that some nasty, greedy fiends had laid their greasy hands not only on my miles, but on my personal information. What other electronic mayhem might they be plotting in their secret lair? I spent the better part of a day changing passwords and trying to restock my cyber-security moat with piranhas.

(Not) As easy as 1-2-3-4

How did this heist happen in the first place? Someone had gotten hold of my four-digit PIN, but how? My PIN isn't one of those obvious ones - my birthday or the ever-popular "1234."⁴ I don't share PINs or passcodes with anyone. I don't write them on a big yellow Post-It stuck to my computer. I hadn't fallen for a "phishing" scheme - one of those scams in which an email that appears to be legitimate is actually a trick to get you to provide your personal information to cyber-crooks.

But while I was traveling, I had accessed my United account from the computer in the lobby of my hotel. I did it twice, actually - once to see if my upgrade had come through, and another time to print my boarding pass. And both times, I logged out of my account when I was done, and went in to delete all of the browsing history before I stepped away from the computer.

Although I didn't see anyone looking over my shoulder in the hotel lobby, an unseen someone may well have been watching my every move. It turns out that it is possible to install keystroke logging devices or software that tracks the keys pressed by computer users, and even captures screen shots. Todd Flaming, the well-known cyber-sleuth, explained the technology and confirmed that this might well be the perps' M.O.⁵ With keylogging software, the crooks could capture my PIN, go into my account, change my email and home address, and set off on a shopping spree using my frequent flyer miles.⁶

United returned the miles to my account,⁷ but, as so often happens in kid detective fiction, I learned a valuable lesson, too.

Trixie learns a lesson

Gleeps! This could have been so much worse. Have you ever used a hotel computer to print some last-minute document for a meeting or presentation, accessing your email account in the process? With keylogging software, cyber bandits could harvest your passwords and help themselves to all sorts of critically sensitive information.

For lawyers, public computers pose both a personal and professional risk. We have a duty to keep client confidences and secrets, and must "act competently to safeguard information relating to the representation of a client against inadvertent or unauthorized disclosure…."⁸ That, of course, includes electronic information.

In the words of one expert, public computers are "good for checking the latest news or weather forecast" - but not for anything that could put your private information at risk.⁹ And that goes double for your clients' private information. So channel your own "meddling kid"¹⁰ - and don't let the bad guys get away with their cyber-criminal schemes.

 

Karen Erger is vice president and director of practice risk management at Lockton Companies.

---

1. See James D. and Kimberlee Keeline, "Trixie Belden: Schoolgirl Shamus" http://www.keeline.com/Trixie_Belden.pdf; for a rather scholarly history of the series. Trixie and the B.W.G.s have gone on to lives outside of the 39-volume series in the form of fan fiction. See, e.g., Schoolgirl Shamus, Inc., http://www.schoolgirlshamus.net/.
2. The nature of the "Plus" in Economy Plus is not altogether clear. Perhaps it's an acronym for Putatively Less Uncomfortable Seating, since, according to United, Economy Plus seating allows the passenger to "[s]tretch out with more room to work and relax, sit near the front of the cabin so you can exit the plane easier at your destination and more." I don't know about you, but when the seat in front of me is reclined to the point where I can conduct a cursory dental exam on the person sitting there, I find it difficult to get much done in the way of "work," much less "relaxation."
3. And if you're wondering about the "Plus" in Mileage Plus, whatever it is, it doesn't include a warning from United when a change is made to profile information like your email or home address. Most websites will send you an email alert when this happens, but not United's. I've been advised that they are working on implementing this cutting-edge security safeguard.
4. Actually, "1234" was only the 16^th most popular password of 2013. The dazzlingly stealthy "123456" topped the list, unseating "password" as the most common password of 2013. Chenda Ngak, "The Most Common Passwords of 2013," January 21, 2014, CBSNews.com, http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/.
5. Good guy that he is, Todd also treated me to a consolatory dinner at the Girl and the Goat. It was, as Trixie would say, "Super-glamorous perfect!" See Julie Campbell, Trixie Belden and the Mystery Off Glen Road, Western Publishing (1956).
6. The hotel, by the way, provided this less-than-helpful response to my email about the theft: "After having checked with our IT department, I can confirm that the computers in our lounge are secure public access computers (protected with Virus Protection against any harmful programs and malware). Additionally, they are set so that all browsing histories should be deleted automatically once the browser is closed, although it seems that this has reverted back to default settings on this occasion - it could be possible during the browser automated update."
7. Eventually. And not without some serious effort. If I'd been billing by the hour, I could have used the proceeds to buy the big-screen TV, Weber grill, or Longines watch outright.
8. Rule 1.6(a) of the Illinois Rules of Professional Conduct ("A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent…."), Comment 16.
9. Courtney Macavinta, How to Use Public Computers Securely, cybercrimenews.norton.com, http://cybercrimenews.norton.com/nortonretail/feature/emerging_threats/s.... This article provides some good practical advice, but after my recent experience, I have to disagree with the comment that they might be OK "if you're printing a boarding pass."
10. Most, if not all, episodes of the cartoon Scooby-Doo, Where Are You? concluded with an apprehended criminal confessing his crime and lamenting that he or she "would have gotten away with it, too, if it weren't for you meddling kids!" And rest in peace, Kasey Kasem, who "lent his distinctive voice to hippie sleuth Shaggy in the Scooby Doo cartoons" and passed away on June 15, 2014. Will Dunham, U.S. radio deejay, 'Shaggy' voice Casey Kasem dead at 82, Reuters.com, U.S. Edition, June 15, 2014, http://www.reuters.com/article/2014/06/15/us-people-caseykasem-idUSKBN0E....