Web concerns

This forum is for the discussion of technology, computers, & problems relating to the web and your computer

Moderator: Scott Danziger

Post Reply
User avatar
gmattson
Site Admin
Posts: 6068
Joined: Wed Sep 16, 1998 6:01 am
Location: Lake Mary, Florida
Contact:

Web concerns

Post by gmattson »

Most of us believe we know enough about the internet to keep out of trouble while surfing, reading our mail or posting to our favorite forums. Turns out that the BadGuys spend lots of time and effort attempting to fool us with some new scheme designed to destroy our computers or worse. . . to empty our bank accounts. For those of you who listen to the preflight instructions, read the manual before assembling a barbaque grill or running a computer program, I offer the following common sense article:
GEM
Imagine that you receive a letter from your Bank inviting you to urgently visit the local branch, due to a problem with your account! Someone appears to have accessed your funds – you’re needed right away.

Leaving work, you race down to the bank, and find a fellow sitting behind the counter.

“Good Afternoon, I need to get your account information – username, password – otherwise I’ll need to freeze your account. We need to make sure, for your own safety that you are who you say you are.”

Sighing deeply – that was a close shave – you pass him your details, and go back to business. As you leave, he grins evilly, takes off his uniform and packs up his fake branch. Maybe he whistles a little as he logs onto your account at the real branch and empties your account.

That couldn’t happen, right? The expense! The audacity! Finding criminals with customer service skills who look good in uniforms!

On the Internet it costs about $10 per month to pull this scam ($5 if you shop around, and FREE! if you hack someone else’s server) – and an hour or two to set up. It’s called Phishing, and the criminals are getting better and better at it.

Phishing is a problem. Your bank wants to send you email because it’s cheap. They want you to use internet banking because that’s cheap as well. If everyone just used internet banking, your fees could go straight to executive bonuses, where they’re needed most instead of expenses like staff or air conditioning bills at your local branch.

Unfortunately, without careful inspection it is difficult to tell the difference between a legitimate bank email and a fake one. Often the first you would know would be when you log on to internet banking and see all your money was mysteriously transferred to Moldova.

My bank has a banking guarantee. It’s great. I won’t lose my money unless I somehow “contribute to the loss”… I wonder if that means not properly securing my computer, or giving a criminal my password. I don’t want to find out.

Criminals are getting more and more devious. Who’d have thought an eBay account had any value? Well, if you have lots of “AAAAAAAA+++ Super!” ratings, a criminal can fleece quite a few punters out of their money when YOU sell them a laptop that doesn’t exist – and when they complain it’s your rating, and you who has to deal with the police when they ask you to “please explain”. Just because you don’t see the scam, it doesn’t mean someone hasn’t thought of it.

What can you do? Since this is being posted at a security forum, most people know the golden rule already – don’t go and click on random links in emails. You bank won’t send them. Even if your bank does send them, don’t click on the links. Go to the web site by typing in the URL.

Your bank will never ask you for your password for online banking. Ever. Not for a security update, not to verify your identity and not to do anything else.

What to do? There are technology solutions that you can use to help you (and depressingly, even some of these are snake oil). Technology only helps to solve part of the problem – the rest is up to you.

Think carefully about what you receive in email, and what you do online. If something looks too good to be true – it is.

Nobody in Nigeria is going to let you have 10% of $20 MILLION UPPERCASED US DOLLARS because of a dead relative, corruption, assassination or any other reason.

Your ISP is not likely to send you a program to run, unsolicited to fix a spam problem you didn’t know you had. However, criminals are likely to send you a spam problem, masquerading as a fix. Email addresses can be faked (which is why when you reply with a tirade of abuse to a spammer, it usually bounces)

Stop, think, ask a friend – or call your ISP. Post in a forum such as Castlecops and ask for advice. Don’t be a victim of Phishing or online scams.

Mike Nash
CEO
Tall Emu
User avatar
eric235u
Posts: 174
Joined: Thu Mar 17, 2005 3:27 pm
Location: Quincy MA, USA

Post by eric235u »

i'm no security expert. just a computer geek. here's a couple steps i take. hopefully it's of some use.

1. my email client, thunderbird, doesn't display html without permission. images and the like can be used by spammers to collect information on you. also, my business email account provider filters for spam and places "BULK" in the header. my junk email filter is turned on in thunderbird. between these two most spam is caught (i receive hundreds of spam emails a day). so use a good email client and make use of it's security features.

2. use your brain. if there is an issue with something that has to do with money, contact a known good representative. such as if i received an email stating there was a problem with my account i would telephone the bank rep i personally know and ask him what the hell is going on. speaking with a stranger would be introducing a vector for exploit.

3. keep your microsoft operating system up to date! keep your antivirus definitions up to date. if you are at all a computer nerd you should be using a unix variant like mac, linux, bsd...

it doesn't take a rocket scientist to avoid the common pitfalls. i think we just need to pay attention. my $0.02.
Last edited by eric235u on Sun Aug 05, 2007 6:49 pm, edited 1 time in total.
User avatar
eric235u
Posts: 174
Joined: Thu Mar 17, 2005 3:27 pm
Location: Quincy MA, USA

Post by eric235u »

Your bank will never ask you for your password for online banking. Ever. Not for a security update, not to verify your identity and not to do anything else.
while this is true for my bank unfortunately not all businesses follow this practice. a prominent web hosting company i was doing business with would, when you entered a trouble ticket, ask via email for your personal information. i contacted their security team about this idiotic procedure. the email itself was not encrypted nor was the smtp server connection. very bad idea. they thanked me for my opinion and still ask for personal info via email. amazingly stupid.

but what this guy in the article you quote says makes sense. know your financial institution's security policy and keep an eye out for aberrations. my online banking also allows notification of any transactions via email. so if somebody makes a withdrawal i'll find out. neat feature.
Post Reply

Return to “Computer & Web Tech Help”