Fast Security Blog by Fast Security

03:10 pm | 3 recommendations | Be the first to comment

Tips for Securing Online and Mobile Banking

Earlier this month, hackers broke into French President Nicolas Sarkozy’s bank accounts, stealing several small sums of money after obtaining the president’s online access codes. While spokesmen for Sarkozy didn’t give details, one insider claimed that it was “classic hacking.” Two men were arrested on October 21 for identity theft -- without realizing the prominence of the identity.

The French government might have been right saying no one is safe, but there are easy precautions you can take to protect your money. The Federal Deposit Insurance Corporation (FDIC) provides a library of tips on safe online banking, including how to tell if bank websites are legitimate and how to set up strong passwords (usually involving a combo of letters and numbers). You should also look for a small “lock” or “key” logo somewhere on your browser window to ensure the site is encrypted and authenticated for your data protection.

As more people are accessing the web by cellphone, banks have caught on with mobile banking apps. Bank of America, for example, has an iPhone app, where customers can check balances, pay bills and transfer funds from their smartphones. You might be hesitant, since logging into sensitive data sites over wireless networks is usually frowned upon. However, Apple’s iPhone store is highly stringent on what applications make it to iTunes, particularly when it comes to security, as is anything made for the Google Android platform.

If you’re a developer or just curious about how the apps are put together, there are companies out there that provide security tool-kits for your product. Mocana, for example, has a complete suite of security features especially for the Google Android platform, including secure browsers, virtual private network (VPN) clients for secure data transmission and malware protection.

As strict as these security infrastructures might be on wireless networks, they don’t necessarily prevent account invasion when you lose your phone on the subway. Thus, it’s always a good idea to password-protect your phone. And (this goes for both online and mobile banking), be sure to log off and close your browser after accessing your accounts. You wouldn’t leave your bank card hanging in front of the ATM, would you?

- Rachel King


09:48 pm | 3 recommendations | Be the first to comment

Security in an Age of Openness

The recent debut of T-Mobile’s G1, the Android smart phone, is both a blessing and a curse. Why? Because Android is arguably the most open mobile Operating System yet. Created by a partnership of Google, the Open Handset Alliance, and T-Mobile, Android hopes to grab coveted market share from RIM (Blackberry) and Apple (iPhone) by opting not to put regulations on third-party application development. Essentially, those involved in bringing the G1 to life have said that nary a person or organizing body will put a limit on “what users can download to the G1 or what developers can upload to the Android Market storefront,” says Judy Mottl of Internetnews.com.

And thus, open source technology has the potential to be a bit of a double-edged sword. Google is hoping that pushing open sourcing will help catalyze a paradigm shift in how operating systems are developed. Behind this mindset is the belief that open source development will be a platform for innovation -- by advancing mobile applications, services, and by allowing carriers, OEMs (Original Equipment Manufacturers), and development experts to gain access to licensing and coding, there is the belief that Android software will proliferate and lead to more players building functional smart phones with their software.

The downside is, of course, that an open source platform can prove to be more susceptible to security threats than a more regulated system – say, one with proprietary rights. Most agree that a level of openness in development is good for any platform, but at the same time, the openness needs to have checks and balances. Without the necessary regulation, we could watch the destruction of the Android platform, as we’ve watched the deregulation of the markets create unprecedented economic turmoil in the last year. Hoping to prevent hackers from spoiling their fun, Google has implemented a “kill switch” in Android Market’s service agreement that allows them to remove applications that are potentially malicious.

But this may not be enough. Users of this technology should be aware that open sourcing can bring an elevated degree of risk, as it opens the door to threats such as file deletion, stolen passwords, traffic sniffing, spamming of contact lists, and can create backdoors into corporate networks. It is also easier for hackers to cover their tracks, because of the mobile nature of the device. This isn’t to say that people should stay away from the G1, but as open source spreads across the mobile market, which it is bound to do, it is important to understand the implications, including the security threats. If open sourcing is seen as a risky platform, it may drive consumers away and hinder the development of the technology. The available applications need to be seen as legitimate, and this may necessitate a level of control and oversight of the Android Market that may not yet be in place. Thus, users should take the appropriate measures to protect themselves from potentially dangerous applications and software.

-- Rip Empson


03:35 pm | 4 recommendations | 1 comment

Email Security Lessons from Gov. Sarah Palin

After Sarah Palin's email account was breached, the McCain campaign promised swift retribution. The hammer of justice fell last week on David Kernell, the son of a Tennessee state lawmaker. The 20-year-old University of Tennessee student accessed Palin's email account by successfully guessing a number of password reset questions, the answers to which were easily found online ("Where did you meet your spouse?" was among them).

Kernell might've gotten away with the crime too, but for the fact that he shared all the sordid details of his illegal Internet intrusion on the popular website 4chan.org, which is a haunt for weird web addicts of all sorts. After he changed Palin's password to "popcorn," many other 4chan enthusiasts accessed the account as well. That's when it started to get messy. As the snowball effect took hold over the story, the FBI and Secret Service got word and got cracking. It apparently wasn't hard to crack the case; authorities were searching Kernell's apartment within days of the leak. An indictment wasn't handed out until last week, and Kernell turned himself in to Federal Court.

Yes, Palin's email security was compromised. Yes, it was an unwanted breach of Palin's privacy. Yes, it was a dumb move by a bored college kid. But was it a "hack?" No. Was it anything other than a geeky student exploiting Yahoo's awful security standards for free email? No. There are two clear lessons to draw from this leak. First, if you're a politician it's best to stick with protected email courtesy of Uncle Sam. That's a no-brainer. If you are going to do it, at least pick a service with a little bit of security behind it (like Gmail). Not only is it illegal to conduct government-related communication on anything other than official email accounts, it is also incredibly risky. In Palin's case, she set herself up for easy poaching by not keeping the alternate email address under extremely tight wraps.

The second lesson is perhaps the more fundamental one -- always keep your identity verification information extremely personalized, in case your secret under-the-table email address gets leaked. Kernell correctly guessed that Sarah and Todd Palin met at "Wasilla High," though it admittedly took him a "few tries." Even Joe Six-pack could have figured that one out, since Palin's life history has been an open book since she was announced as Sen. McCain's VP nominee. The ID verification answer should have been something that only Gov. Palin would know (favorite teacher, frequent flier mile ID, etc.).

But the real question that begs asking is this: why do figures like Palin use private email for official business? Perhaps there are nefarious deals that require an incognito approach to communication; perhaps not. Perhaps she simply likes Yahoo. The point, though, is clear -- politician or not, it's always important to keep personal email accounts secure. You never know who might be looking.

- Brendan Collins


12:50 pm | 3 recommendations | Be the first to comment

Mergers Can Lead to More Security Woes

Every day it seems like we’re hearing about a bank merger or at least banks talking about merging. Washington Mutual and J.P. Morgan Chase. Merrill Lynch and Bank of America. It doesn’t look like we’ll be hearing any less of this anytime soon, as more banks are expected to fail. But some internet pirates are looking to take advantage of the situation, and of you.

Last year, according to a Gartner study, over $3 billion was lost to phishing scams, and 3.6 million Americans were victims. According to Netcraft, phishing scams surged after the Wachovia/Citigroup merger. After the Wells Fargo bid, however, people might be receiving new fake bank notices in their inboxes, so watch out for that. With all of the mergers, takeovers, buyouts, etc., customers are confused, and phishers know this. Customers of merged banks often don’t know what their new bank website looks like, and phishers will take advantage of this ignorance easily.

“Phishers are basically lazy. They like to use templates a lot,” says Andy Klein, resident e-mail security expert at SonicWALL, an online security solutions enterprise. “They’re doing minor modifications to existing ones, leveraging the confusion factor. It’s real easy for them to update a template and have the same phish work as it did two weeks ago with all of this in play.”

When the economy has hit rock bottom, and many Americans along with it, it is extremely cruel that some people are making a profit out of this identity theft. But there are simple precautions one can take to prevent this. “Be aware of phishing and get a little smart with it,” Klein says, “You don’t have to be an expert, but many of the different financial institutions have phishing information on their site.”

First off, if your bank wants to double check personal information with you, they will never confirm this in an email. They might notify you of something via email or US mail, but always type in your bank’s site yourself. Be skeptical of phone calls as well, as a bank will never leave you a message asking you to leave them a message with financial or personal information. If you have any questions or inadvertently do something such as clicking the link from the email, contact your bank immediately. “Make it your first phone call,” Klein emphasizes. “Usually they have someone at the bank who will help you through the process. Speed is important at that point.”

Then there are the obvious, but sometimes small, clues. Check the email address carefully (why would a bank use a Yahoo or Hotmail account?) and double-check for spelling. Spam is notorious for bad spelling. If you’re still a little unsure, you can take SonicWALL’s online phishing quiz.

Bottom line: never type private information into any page linked from an email to what looks like a bank homepage. If you’re not sure, just call the bank. There might be a small fee and it may take a little time, but isn’t your identity worth it?
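The sender-address and link checks described above, turned into a small triage script. This is an added example, not code from the original post or from SonicWALL; the bank domain list and both messages are constructed for illustration, and the lookalike heuristic is an assumption about how a post-merger phish is typically dressed up.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample notice (not a real phish) in the post-merger style:
# a "your bank is moving" message from a free webmail sender with a
# link to "confirm" details on a host that merely contains a bank's name.
SAMPLE_MSG = """From: Wachovia Customer Care <wachovia-alerts@hotmail.com>
To: customer@example.com
Subject: Important: your account is moving to Citigroup
Content-Type: text/plain

Please confirm your details at http://citigroup-secure.example-phish.net/login
"""

# Constructed legitimate notice for comparison.
LEGIT_MSG = """From: Wachovia Alerts <alerts@wachovia.com>
To: customer@example.com
Subject: Statement available
Content-Type: text/plain

Your statement is ready at http://www.wachovia.com/statements
"""

# Hypothetical list of the banks the reader actually has accounts with.
KNOWN_BANK_DOMAINS = {"wachovia.com", "citigroup.com", "wellsfargo.com"}
FREE_WEBMAIL = {"yahoo.com", "hotmail.com", "gmail.com", "aol.com"}

def sender_domain(msg) -> str:
    """Domain part of the From address, lower-cased."""
    addr = email.utils.parseaddr(str(msg["From"]))[1]
    return addr.rsplit("@", 1)[-1].lower()

def is_known_bank_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in KNOWN_BANK_DOMAINS)

def phish_signals(raw: str) -> list:
    """Return the red flags found; an empty list means nothing obvious."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    dom = sender_domain(msg)
    if dom in FREE_WEBMAIL:
        flags.append("sender uses free webmail: " + dom)
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    for url in re.findall(r"https?://[^\s<>\"]+", body):
        host = (urlparse(url).hostname or "").lower()
        if not is_known_bank_host(host):
            flags.append("link host is not a known bank: " + host)
            # lookalike: a real bank's name embedded in an unrelated host
            for d in KNOWN_BANK_DOMAINS:
                if d.split(".")[0] in host:
                    flags.append("bank name inside unrelated host: " + host)
                    break
    return flags
```

Typing the bank's address yourself, as the post advises, sidesteps every one of these flags; the script only helps decide whether a notice deserves a phone call.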

- Rachel King


04:18 pm | 5 recommendations | Be the first to comment

The Latest in Identity Theft

This summer, the Department of Justice cracked the biggest case of identity theft in history. While we are thankful to the Justice Department for its hard work in bringing the identity thieves to justice, it does not negate the fact that over 40 million credit card numbers were stolen by some loose outfit of swashbuckling hackers. Identity theft, as this glaring example shows us, has become a serious problem in today’s world. Both at home and abroad, the news is fairly distressing when it comes to our collective vulnerability to crime on the Internet. When we turn to the Identity Theft Resource Center’s latest findings, we learn that the total number of data breaches (or hacks) reached an all-time high in 2008, and over 15 million Americans are victims of identity theft each year.

As the average Internet user has grown increasingly comfortable with doing business on the Web, we have seen a corresponding rise in the amount of private information that changes hands there. And of course, the potential for foul play has increased in conjunction with the rising number of transactions. Many larger companies have the funding and technological capacity to secure the private information exchanged in this process, whereas we have increasingly found that smaller companies – as well as the average consumer – are not as protected as one would like to think.

So I asked Scott Mitic, CEO of TrustedID, a private company dedicated to providing consumers with the strongest identity theft protection solutions available, what we might learn from the latest string of high-profile security breaches and the rise in ID theft.

Scott informed me that most of the research out there today shows that consumers are still most concerned about online shopping as a source of potential vulnerability, even though it has proliferated for over ten years now. Obviously, high-profile crimes like the one the Justice Department dealt with this summer affect the psychology of the average web user and what we think is appropriate to do or buy on the Web. “Clearly it’s a major threat. Anytime a small group of individuals can use off-the-shelf tools and consolidated brain power to compromise the identities of tens of millions of people, it’s a threat that every single person needs to understand and consider,” Mitic says.

All of the old rules still apply, the CEO continued. It’s become clear that we need to be wary of any individual, company, website, or communication that asks for our personal information. And most importantly, we need to take proactive steps to protect our information, like placing anti-spyware on our computers and fraud flags on our credit reports, for example. It also wouldn’t hurt to do business with companies who are explicit about their investment in information security and privacy, Mitic explained.

What is important to remember -- and certainly unsettling -- is that the goal of these new “pharming” attacks is not to spread viruses; they are not perpetrated for fun or for bragging rights as in the case of “trolls.” They are about collecting sensitive personal information and thus financial gain -- they are about “exploiting technology for the benefit of their wallets.”

Luckily, the government has taken some preliminary steps to respond to the growing number of identity thefts. Last week, President Bush signed into law a bill that will make it easier for prosecutors to go after cyberpunks and will ensure that victims of ID theft are compensated for their stolen property once thieves are convicted.

Todd Feinman, CEO of Identity Finder, LLC, reassured me that the government is increasingly passing regulations to make sure private information is kept secure. And where the government has struggled, companies like Identity Finder are working to close the gap. Of course, it's up to consumers to do their part as well. To help them get started, Mr. Feinman suggested three ways in which people can ramp up their protection against security threats:

(1) Find and identify unprotected forms of your identity. People should go through all of their files and emails to make sure nothing is left vulnerable, like social security numbers, credit and debit card numbers, bank accounts, passwords, dates of birth, and addresses.

(2) Once you find your personally identifiable information (PII), protect it. If you need the document, but not the PII, then redact the PII. And, hey, if you don’t need that personal information anymore, then digitally shred it! Get rid of it. And if you do need it but think it's not safe enough, encrypt the document or email.

(3) Change your behavior. You don't want to give other people or companies the chance to access your PII, so try not to give it to other companies or websites unless it's mandatory. If a cell phone company asks for it, tell them you’d like to provide a small deposit until your history and credit with them is established first.
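Steps (1) and (2) above, find the PII in your files and redact what you do not need, as a small scanner. This is an added example and not Identity Finder's product or code; the two sample documents are constructed, and the Luhn check is used so that random 16-digit runs are not mistaken for card numbers.

```python
import re

# Constructed sample documents (not real data) standing in for the files
# and e-mails that step (1) says to go through.
SAMPLE_DOCS = {
    "notes.txt": "Call the bank re: card 4111 1111 1111 1111, SSN 123-45-6789.",
    "order.eml": "Order 2024-0001 shipped. Tracking 4111111111111112 is not a card.",
}

# US SSN in the dashed form, excluding never-issued area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digit runs, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out numbers that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_pii(text: str) -> list:
    """Return (kind, start, end) for each SSN or Luhn-valid card number."""
    hits = [("ssn", m.start(), m.end()) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            hits.append(("card", m.start(), m.end()))
    return sorted(hits, key=lambda h: h[1])

def redact(text: str) -> str:
    """Step (2): keep the document, drop the PII (last four card digits kept)."""
    out = text
    for kind, start, end in reversed(find_pii(text)):   # right to left keeps offsets valid
        if kind == "card":
            digits = re.sub(r"[ -]", "", text[start:end])
            repl = "[CARD ****" + digits[-4:] + "]"
        else:
            repl = "[SSN REDACTED]"
        out = out[:start] + repl + out[end:]
    return out

def scan(docs: dict) -> dict:
    """Step (1): which kinds of PII each document still holds in the clear."""
    return {name: [kind for kind, _, _ in find_pii(text)] for name, text in docs.items()}
```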

By doing the little things right, and by encouraging the media to cover web security news, we can stay ahead of the curve: “The media’s continued focus on the topic will help marshal the resources, both private and public, that can mitigate and potentially eliminate many of the most dangerous forms of web-crime we see today,” says Mitic. And I think he's onto something.


We could all benefit from being a little more careful of what we share on the Internet and how we do business there.

By Rip Empson
