Friday 16 September 2011

Internet Troll Stomping

I was featured in The Sun newspaper today in relation to Internet Trolls. A Troll is net slang for an individual who intentionally posts inflammatory, insulting or threatening remarks online; Trolling is the act of doing so. Pretty much anywhere people can leave comments on the Internet, such as forums, Facebook pages, Twitter, YouTube and newspaper comment sections, is often subject to abusive comments. People can say the most extreme things when they think they are protected by the shroud of anonymity, words they’d never dream of saying to anyone face to face. However, there are increasingly individuals who post abusive comments that go well beyond the boundaries of decency and taste; these are the individuals who are really regarded as the trolls under the definition.

Recently a troll was convicted for abusing tribute websites of deceased girls, bringing the whole trolling issue into the public arena.

You're not as anonymous as you might think
Forget China, the UK is one of the most high-tech surveillance countries in the world, and we are most certainly not as anonymous as we might think online. Many of the suggested workarounds to provide anonymity I hear about just don’t work. For instance, Google stores every search you type in; these searches are linked to your physical computer(s) or, if you have a Google account, directly to you individually. Google covertly provide all this info to the Police and our government security agencies when requested. Apple monitor your movements and usage, while phone network providers, Internet Service Providers (ISPs) and social network websites all record every little detail about what you do and when you do it. We do live in an Orwellian 1984 society; just accept it, there is no going back, there is no escape and there is no hiding place online, they’ll catch up with you eventually. All this is not quite as exciting as portrayed by Hollywood blockbuster movies or CSI Miami: it is just thousands of lines of information being collected, recording what we are doing online. However, real-life law enforcement is just getting to grips with using this vast amount of information. Aside from the troll conviction, terrorism prevention and several murder cases, the many arrests and convictions of individuals for incitement of riots online are another example. If you ever did want to disappear and live anonymously, the first thing you should do is stop using the Internet!

Here are my comments on The Sun article today (Page 9/15-Sept-11)
"Idiots are very easy to locate
These twisted individuals are idiots — they assume they are anonymous online.
But their internet service provider can track their IP address and hand over their details to the cops.
Everyone has an IP address for their internet account which is linked to their name, address and any other details they gave to set up the account.
If the police want to track someone posting abusive messages, they simply speak to the internet service providers who have a record of everything which is written online.
There are some things you can do to limit the chances of being attacked.
Only be Facebook friends with people you know and trust. Parents can also make themselves friends with their kids, to monitor anything going on.
There are no instant answers to eradicating this kind of cyber-bullying, but if kids get educated about the internet they can avoid it much more easily.
The internet has the very best of life, but also the very worst."

Trolling Advice
1. Prevention
Trolling can be simple to prevent in certain circumstances. If you have a webpage at risk that supports comment pre-screening, namely you or other trusted individuals approving all comments before they can be posted, enable it, as it will almost certainly prevent trolling. Trolls won’t even bother to make a remark if they know their comments are going to be checked before they are posted.

2. Dealing with Trolling Incidents
Trolling is most definitely illegal as per the Communications Act 2003, Section 127.  Therefore if you are a victim of trolling, by that I mean abusive comments which go beyond the pale of decency, consider reporting them to your local Police.
127 Improper use of public electronic communications network
(1) A person is guilty of an offence if he—
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he—
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).

Thursday 1 September 2011

Evolution of UK Home Banking Security - In progress?

I was featured in an article by MSN Money titled "Online Banking Security gets more Complex"

Nothing groundbreaking, but it would appear UK banking consumers are starting to feel the pain of increased online banking security trade-offs, due to UK banks trying to save money by cutting previously acceptable losses from online account fraud.

"One person, one bank: three devices

But despite the evidence that new measures are more than just inconvenient, many banks are pressing ahead. Lloyds, Barclays, Cooperative Bank, RBS and Nationwide Building Society all require customers to use a card reader when amendments are made to standing orders, direct debits or when setting up payments.

"This is called two-factor authentication," said independent bank security expert Dave Whitelegg.

How two-factor authentication works
The idea is that no fraudster can access your account, however much they know about your life, your pets and your mother's maiden name, unless they also physically possess the device. "It's the same theory as for chip and pin," Whitelegg told MSN.

Chip and pin dramatically cut credit card fraud, and banks are hoping that two-factor identification will have the same effect on online bank fraud.

The biggest worry for banks is phishing attacks, by which fraudsters send emails hoping to get customers to log into cloned bank websites and enter their details, which are then captured and used to empty the real accounts.

"Phishing emails are sent out by the million, so even if 0.1% of recipients fall for them, they are a success," Whitelegg said.
Most such phishing attempts are easy to spot, failing to address the customer by name and littered with bad grammar and mis-spelling. But a new generation are more convincing. They may not only have your name, but much more convincing cloned websites.

Mobile banking: a worrying new frontier
The next frontier in banking fraud is coming with smartphones, which are increasingly enabled for transactions, but which experts say add a new vulnerability.

"They have never been targeted before, so they have never matured with fraud in the same way that PCs have," Whitelegg said.

Sending a text to confirm payment changes, which Santander among others allows, will become less secure if the entire transaction was originated from a stolen mobile.

So who are the people behind online fraud? There is a whole ecosystem out there, with software masterminds writing key logger and phishing programmes and devising convincing copies of bank websites. Then there are communities of hackers and fraudsters who meet online, and buy this software off the shelf, Whitelegg says.
"You have the people who steal cards, or personal data, who can be from anywhere, and then there are the Far Eastern networks of botnets, clusters of remotely controlled computers, which actually generate the phishing attacks," Whitelegg said.

The result is that just a few clever people have seeded a whole crime industry for thousands of criminals who would never have the brains to devise the whole process themselves.

How you can protect yourself
There are no absolutely foolproof ways to avoid data or identity theft but here are a few sensible precautions.

1) Treat your personal data like cash: Don't leave it lying around. Shred unwanted documents, don't disclose financial details or potential answers to security questions (eg your mother's maiden name) except on verifiable and encrypted sites.

2) Use reputable anti-virus software and keep it up to date.

3) Never download an attachment from an untrusted source as it may contain viruses.

4) Phishing attempts usually begin with alarming warnings about a breach of your security. Banks never alert their customers this way. Even if you are concerned by an email, either ring your bank, or type in the web address from a bank statement. Never follow a link on the email.

5) Change your email address so it's not identical to your real name as used in any financial accounts, so you can easily spot crude phishing attempts which address you by your email name.

6) If you must write down passwords or security details, disguise them. This is particularly important if they are kept on a computer. Use a long and secure password to 'lock' laptops.

7) When inputting details onto a bank website, don't input them in the same order as the questions appear, and use the mouse rather than tab buttons to move around the screen. This can help foil key loggers and other trojan devices.

8) Go ex-directory: keeping your phone details out of circulation stops most phone-based frauds as well as irritating sales calls.

9) If your bank phones you unexpectedly, protect your interests by asking THEM a security question. Ask what your balance was on the date of your last statement, or a recent transaction that you can check. Banks will not ask for online security codes by phone, so don't give them. If in doubt say you are going to ring them back on the usual customer service number."