Preying on predators: Security tool Mugshot can secretly take photos of whoever is trying to hack you
Have you ever received an email warning that someone is trying to hack into your account and wondered: Who is doing this to me?
A password manager called LogMeOnce now gives you the option to take a picture of whomever is trying to access the accounts you’ve registered with its service. It does this by hacking the hacker’s camera, whether on a computer or a mobile device, and secretly taking a photo.
The feature, which is called Mugshot and launched Tuesday, also provides information about your attacker’s location and IP address — the unique set of numbers that identify each computer on a network.
And it offers to take a photo with the rear-facing camera of a mobile device, so you can get a look at the hacker’s surroundings.
LogMeOnce, a Fairfax, Vancouver company incorporated in 2011, has a patent pending on the proprietary technology, which essentially tries to protect consumers by exposing the identities, or at least the locations, of hackers.
Chief executive Kevin Shahbazi phrased it another way, calling it a digital burglar alarm.
It is "identical to an alarm system that everyone uses to protect their home, business or property," only for the digital age, he said. Shahbazi compared it to closed-circuit television cameras, nanny cams and other security measures he’s worked with in the past.
Going after hackers by hacking their systems — a "hack back," as it’s called — falls in a legal grey area. A growing number of cybersecurity experts and businesses say such "active defence" measures are necessary as the threat posed by anonymous hackers grows. But officially, the US government does not allow private companies to hack back on their own.
Shahbazi said his offering is legal, likening it to the cameras that watch ATMs to catch robbers. One could also draw parallels to location apps, such as Find My iPhone, which ordinary consumers have used to bring device thieves to justice. LogMeOnce goes one step further by bringing a more advanced hack-tracking tool to the masses.
"It is very legal to protect your assets, passwords or access to your online banking credentials," Shahbazi said.
LogMeOnce does not collect any other personal data on digital intruders.
"But if they use a public library computer, a stolen phone or their own phone, and try to get into someone else’s account, then we can alert the rightful owner that someone from Ukraine, China or Fairfax is trying to access their account," Shahbazi said.
For consumers who feel menaced by anonymous, faceless hackers, being able to track who is trying to take control of their accounts could provide a measure of satisfaction.
All this is not meant to encourage vigilante justice for hacking, of course, but the tool could provide useful evidence for a higher authority if you find former a acquaintance — or, in a business owner’s case, a former employee — trying to access your accounts without permission.
Shahbazi demonstrated the feature for The Washington Post by simulating an attack on his own account. As he hacked a dummy account, his LogMeOnce dashboard showed information about where he — as the intruder — was. The programme then offered the option to snap a photo or record video of him.
Shahbazi, a serial entrepreneur who sold his last business to tech security giant McAfee, said he’s seen consumers increasingly embrace anti-hacking and other security measures. Mugshot, he said, was a feature he was particularly eager to offer.
"This has been a work of passion," he said.