October 2007 General Meeting Program Review:
How to Protect Yourself Against Identity Fraud Online
By Chris Novell, with Philip Chen
Philip Chen, of Hi-Link Computer Corporation, displayed a bar
graph to the audience showing that the email people want and
expect to receive is only a small fraction of what actually
arrives at most people's email addresses. The rest is spam, and
the volume of spam has been increasing dramatically. Using
auto preview may "count" as opening the spam, so it may be
wiser to turn this feature off if it is available through your
email preference settings.
One of the big ways that crooks try to steal identities on the
Internet is through a method called phishing. This occurs when
a bogus email or instant message asks you for personal information
such as a password or bank account number. The story or manner
of request may seem convincing, e.g., using your name, or offering
a seemingly sound reason for disclosing the information. In essence,
if an email or a website seems to be a bit different from the
way it has typically been over time, be wary. If an organization
you do business with has addressed prior communications using
your name and suddenly addresses you as “Dear Valued Customer,” you
may want to stop in your tracks.
Conversely, if emails you have typically received generically
addressed suddenly start using your name, that information may
have been obtained fraudulently. The safest way to interact
online with a company or organization is to type its web address
into the browser yourself, rather than follow a link from an
email or another website. Banks will not send emails or instant
messages asking you for account numbers or passwords.
What are some of the signs that something could be falsified
on the Internet?
An address bar could appear to be "floating" rather than fixed
in place. Another example of deceit that Phil specified is the
use of two letter "v"s in sequence to give an undiscerning eye
reading the email the impression of a "w," a ruse that could
misrepresent real website names starting with "www" for
World Wide Web. The letter "a" could appear to be a bit
"off" when it is really a look-alike letter from another
language's alphabet. PayPal is an example of a site that could
be misrepresented this way.
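The two tricks Phil described, "vv" passed off as "w" and a foreign-alphabet letter passed off as a Latin "a," can be checked for mechanically. The following is an added example (not from the presentation or from Hi-Link) that reduces a hostname to what a reader would "see" and compares it against a small, constructed list of known-good hostnames; the lookalike table and the sample list are assumptions for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed sample of hostnames the user legitimately visits.
KNOWN_GOOD = {"www.paypal.com", "paypal.com"}

# Cyrillic letters that render almost identically to Latin ones
# (a deliberately small, illustrative table).
LATIN_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
}

def hostname_of(url):
    """Lowercased hostname of a URL; a bare name is treated as a host."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()

def skeleton(host):
    """Collapse lookalike spellings to the ASCII a reader would perceive."""
    host = "".join(LATIN_LOOKALIKES.get(ch, ch) for ch in host)
    return host.replace("vv", "w")  # "vvvvvv" -> "www"

def scripts_in(host):
    """Set of Unicode script prefixes (LATIN, CYRILLIC, ...) of the letters."""
    names = set()
    for ch in host:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return names

def check_url(url):
    """Return (verdict, reason); verdict is 'ok', 'lookalike' or 'unknown'."""
    host = hostname_of(url)
    if host in KNOWN_GOOD:
        return ("ok", "exact match to a known hostname")
    seen = skeleton(host)
    if seen in KNOWN_GOOD:
        return ("lookalike", f"{host!r} renders like {seen!r} but is a different name")
    if len(scripts_in(host)) > 1:
        return ("lookalike", f"{host!r} mixes scripts {sorted(scripts_in(host))}")
    return ("unknown", f"{host!r} is not a known hostname")
```

A browser's own phishing list, as Phil notes for Firefox 2.0, does the same kind of comparison at far larger scale; this only shows why a visual check alone is not enough.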
Phil also recommended that people use either Internet Explorer
7 or Firefox 2.0 as their browser. Note: While preparing this
review I asked Phil to elaborate on this point and he kindly
provided the following additional detail:
"Internet Explorer before version 7 suffers from many
security problems. Some of the biggest issues are buffer-overflow
vulnerability, no built-in pop-up blocker and little control
over Java or ActiveX scripts. Buffer-overflow is especially a
huge security concern because it potentially allows an attacker
to crash Internet Explorer or even compromise the host computer
by using crafted, malformed data packets. IE7 is securely locked
down out of the box. It is much more security conscious by design
and a big improvement over the previous releases.
Firefox has always been a much more secure and versatile web
browser from the beginning. Version 2.0 continues that tradition
by including built-in phishing protection. It checks local or
online lists of known phishing sites and warns you accordingly.
It also has a cult-like following and extensive support for
your every security need by way of add-ons and plug-ins. At version
2.0, Firefox is a solid and very mature web browser."
While most thinking about security seems to go in the direction
of applying layers upon layers of protection, Phil took the position
that less can be more. "Understand what you are using," he
said. "Make sure you use it." Most of us probably know of some
humorous account where a person bought a PC that "came with
antivirus," but what the unknowing new computer owner did not
realize is that the antivirus still had to be installed on the
computer, scheduled, and updated. On the other hand, if someone
tries to overprotect a PC with redundancy upon redundancy, too
many protections can cause the system to break down. Phil uses
Norton Symantec, with its anti-phishing option turned on.
From the audience, Jeff Setaro, DACS member and former president,
offered the caution to never use a kiosk or library computer.
Indeed, even an https address that includes the words “you
are now entering a secure site” is not foolproof. If a
person uses a public computer where a miscreant has installed
keylogger hardware or software, every keystroke could be recorded,
including those that represent passwords and account numbers.
The PowerPoint of Mr. Chen's presentation is available HERE. You
can also try out the website described during the What's
News segment to test your ability to detect phishing URLs:
http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html.