October 2007 General Meeting
Program Review:
How to Protect Yourself Against Identity Fraud Online

By Chris Novell, with Philip Chen

Philip Chen, of Hi-Link Computer Corporation, displayed a bar graph to the audience showing that email that people want and are expecting to receive are only a small fraction of what actually arrives at most people’s email addresses. The rest is spam. The volume of spam has been increasing dramatically. Using auto preview may “count” as opening the spam so it may be wiser to turn this feature off if it is available through your email preference settings.

One of the big ways that crooks try to steal identities on the Internet is through a method called phishing. This occurs when a bogus email or instant message asks you for personal information such as a password or bank account number. The story or manner of request may seem convincing, e.g., using your name, or offering a seemingly sound reason for disclosing the information. In essence, if an email or a website seems to be a bit different from the way it has typically been over time, be wary. If an organization you do business with has addressed prior communications using your name and suddenly addresses you as “Dear Valued Customer,” you may want to stop in your tracks.

Conversely, if emails you have typically received generically addressed start using your name, that information may have been obtained fraudulently. The best way to interact online with a company or organization is to type the website into the browser, rather than go there from an email or other website link. Banks will not send emails or instant messages asking you for account numbers or passwords.

What are some of the signs that something could be falsified on the Internet?
An address bar could have an appearance of kind of “floating.”
Another example of deceit that Phil specified is where two letter “v.'s” could be used in sequence to give an undiscerning eye reading the email the impression that it is a “w,” a ruse that could misrepresent real website names starting with “www” for World Wide Web. The letter “a” could appear to be a bit “off” when it is really a letter from another language. PayPal is an example of a site that could be misrepresented this way.

Phil also recommended that people use either Internet Explorer 7 or Firefox 2.0 as their browser. Note: While preparing this review I asked Phil to elaborate on this point and he kindly provided the following additional detail:

“Internet Explorer before version 7 suffers from many security problems. Some of the biggest issues are buffer-overflow vulnerability, no built-in pop-up blocker and little control over Java or active-x scripts. Buffer-overflow is specially a huge security concern because it potentially allows an attacker to crash the Internet Explorer or even compromise the host computer by using crafted, malformed data packets. IE7 is securely locked down out of the box. It is much more security conscious by design and a big improvement over the previous releases.

Firefox has always been a much more secure and versatile web browser from the beginning. Version 2.0 continues that tradition by including built-in phishing protection. It checks local or online lists of known phishing sites and warns you accordingly. It also has a cult-like following and extensive supports for your every security need by way of add-ons and plug-ins. At version 2.0, Firefox is a solid and very mature web browser.”

While most thinking for security seems to go in the direction of applying layers upon layers of protection, Phil took the position that less can be more. “Understand what you are using,” he said. “ Make sure you use it.” Most of us probably know of some humorous account where a person bought a PC that “came with antivirus” but what the unknowing new computer owner did not realize is that the antivirus had to be installed on the computer, and scheduled, and updated. However, if someone tries to overprotect his PC with redundancy upon redundancy, too many protections could cause the system to breakdown. Phil uses Norton Symantec, with its anti-phishing option turned on.

From the audience, Jeff Setaro, DACS member and former president, offered the caution to never use a kiosk or library computer. Indeed, even an https address that includes the words “you are now entering a secure site” is not foolproof. If a person uses a public computer where a miscreant has installed keylogger hardware or software, every keystroke could be recorded, including those that represent passwords and account numbers.

The PowerPoint of Mr. Chen’s presentation is available HERE. You can also try out the website described during the What’s News segment to test your ability to detect phishing URL’s:
http://cups.cs.cmu.edu/antiphishing_phil/quiz/index.html.

.