Hackers target online Email accounts for a reason: they know that if they can 'own' a webmail account, they can access it from anywhere and at any time, use it as a tool and harvest information of value. Fraudsters will often rifle through compromised Email accounts looking for information which will grant them access to more lucrative web accounts. A quick search of pretty much any Email inbox reveals information about the various online accounts used by its owner, many of which have revenue-earning potential for a fraudster. Typically, Emails containing information about e-commerce websites and online banking accounts will light up a hacker's eyes. In this post I'm going to explain typical techniques employed by online fraudsters, to highlight the vital importance of protecting your main Email account.
No Account Username, No Problem
As a security feature some website accounts don't use an Email address as a username, but invite account holders to create one instead. However, if the hacker has access to the Email account, more often than not there will be Emails containing the website account username. Furthermore, with most websites a username can be requested over Email, which goes straight into the compromised Email account.
Password Finding
With an active, lucrative website account identified together with a username, which may well be the Email address of the victim, obtaining the password which goes with it is child's play when the hacker is in control of the victim's Email account. Some websites will Email existing account passwords in plain text to the user, so the password can be found within the account's Emails, or it can be just a question of requesting the password be re-sent from the website. It is even easier for the hacker if the victim has used the same password for all their different accounts, as knowing their email address and online username together with a commonly used password is enough to steal their entire online life.
Password Resetting
Websites which don't Email passwords are still easy to beat if you control the victim's Email account. Nearly all websites provide a facility to reset a password; most ask basic personal knowledge questions and then send a confirmation link Email to the compromised Email account, which then allows a new password to be created by the hacker. Those security questions aren't much of a problem, as the answers can be found within the reams of Emails and by accessing the victim's social networking accounts, and personal details can be obtained from other weakly protected online accounts. Upon accessing an account the hacker just reviews the account profile for the necessary personal information; sometimes website account profiles have the hacker bonus of listing security questions with the victim's answers, and the same typical security questions are asked for and used on most websites time and again.
Your Online Email Account is essential to Protect, as it is the keys to your online identity
Gmail's Added Security Protection
If you are a Gmail (GoogleMail) user, good news: there is something you can do to increase the security of your Gmail account. It is not common knowledge, but Google offers a free two-factor authentication service called 2-step verification for all Gmail users. 2-Step verification significantly improves the security of your Gmail account and massively increases its protection from being accessed by hackers.
How to Set up Gmail 2-Step Verification with your Gmail Account
Visit https://support.google.com/accounts/bin/answer.py?answer=185839&topic=1056283
How Does 2-Step Work? Why is it more Secure?
2-Step security works by requiring that you have your mobile phone (registered with Google) in your possession each time you type in a password. When Gmail webmail is accessed for the first time on a PC, and every 30 days thereafter, Google 2-step forces password entry and also requests a unique one-time verification code; at this point you will instantly receive a text message on your registered mobile phone with a one-time code to type in.
This means you cannot log into your Gmail account without having possession of your mobile phone, hence two-factor authentication. So even if a hacker obtains your Gmail account password, the hacker cannot log into your Gmail account unless he or she has your phone as well, or is attempting access from your local PC, where the phone code is only asked for once every 30 days. These are not typical scenarios for the online criminal; they access webmail accounts from their own devices.
Great for Webmail, but what about Gmail through Outlook, or on my iPad and iPhone?
Devices such as PCs (Outlook), iPads and smartphones which need to continuously access Gmail could be a problem with this system, but fear not, Google have thought of that. The 2-step system is able to create a unique and strong dedicated password for each device you have. Once each device's password has been entered initially, the system doesn't request a mobile phone authentication every 30 days like webmail access does. However, you can fully manage these devices and their passwords online, changing them as often as you would like, and you can even revoke the passwords instantly should your device be stolen. The main security advantage is that even if these unique device passwords become compromised, they can't be used to access your online Gmail account, they can't be used to change your Google settings, nor can they be used to change any passwords.
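To make the rules above concrete, here is a toy model of the scheme the post describes (an added example written for this page, not Google's code): a password plus a texted one-time code for webmail, a 30-day trust window per PC, and generated per-device passwords that only open the mail channel and can be revoked. The class name, method names and the in-memory "SMS" list are assumptions for the demonstration.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TRUST_DAYS = 30          # webmail re-asks for a phone code every 30 days per PC
DAY = 86400              # seconds; timestamps are passed in so the model is testable


@dataclass
class TwoStepAccount:
    """Hypothetical model of a 2-step protected webmail account (assumed design)."""
    password: str
    phone_number: str
    trusted_devices: dict = field(default_factory=dict)   # device_id -> trust expiry
    app_passwords: dict = field(default_factory=dict)     # label -> secret (mail only)
    pending_codes: dict = field(default_factory=dict)     # device_id -> one-time code
    sent_texts: list = field(default_factory=list)        # stand-in for the SMS channel

    def webmail_login(self, password: str, device_id: str, now: int, code: str = None) -> str:
        """Returns 'denied', 'code-required' or 'ok'."""
        if not hmac.compare_digest(password, self.password):
            return "denied"                     # wrong password: no text is ever sent
        if self.trusted_devices.get(device_id, 0) > now:
            return "ok"                         # this PC passed a code within 30 days
        if code is None:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending_codes[device_id] = otp
            self.sent_texts.append((self.phone_number, otp))
            return "code-required"              # password alone is not enough
        expected = self.pending_codes.get(device_id)
        if expected is None or not hmac.compare_digest(code, expected):
            return "denied"                     # attacker has the password, not the phone
        del self.pending_codes[device_id]       # codes are single use
        self.trusted_devices[device_id] = now + TRUST_DAYS * DAY
        return "ok"

    def create_app_password(self, label: str) -> str:
        """Generated, not chosen: a strong dedicated password for one device."""
        secret = secrets.token_hex(8)
        self.app_passwords[label] = secret
        return secret

    def revoke_app_password(self, label: str) -> None:
        """What you do online the moment the device is stolen."""
        self.app_passwords.pop(label, None)

    def mail_client_login(self, secret: str) -> bool:
        """Outlook/iPhone path: an app password opens mail only, with no 30-day re-prompt."""
        return any(hmac.compare_digest(secret, s) for s in self.app_passwords.values())

    def change_settings(self, credential: str, device_id: str, now: int) -> bool:
        """Settings and password changes need a real webmail session; app passwords never qualify."""
        if credential in self.app_passwords.values():
            return False
        return self.webmail_login(credential, device_id, now) == "ok"
```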
So if you are a Gmail user and care about your online Email account security, consider their 2-step verification.
07 July 2012
12 June 2012
Flame Culprit Fingered
Flame, also known as Flamer and Skywiper, is a highly sophisticated espionage-focused malware which targets and infects Microsoft Windows systems. Flame is known to spread over the network and by USB thumb drives, and this malware is centrally controlled by 'those' who created and released it onto the world, more on 'those' later. To say Flame is an extremely sophisticated piece of malware is no exaggeration: it can covertly grab screenshots, log all keyboard entry (think usernames, passwords), record Skype voice calls and even monitor network traffic, with all this information sent covertly back to "those" who created it. Those controlling Flame infections can even send specialised control commands, including a "kill command", which makes the Flame malware stop running and delete itself, covering up any evidence of it ever being present on the PC.
Flame is not the product of cyber criminals; it is way too sophisticated, and you only have to look at which area of the world is mostly infected with Flame, which just happens to be Middle Eastern countries. Cyber criminals tend to target online affluent first-world countries like the USA and countries within Europe. You only need to look at the Zeus worm in comparison, which targets online banking. There is a clear difference between cyber criminal created malware and state sponsored malware: both have different targets, and have different goals following the infection of their targets.
The Flame / Stuxnet Connection
I have to be a little careful how I word this as I don't want a holiday in Guantanamo, so according to this must-read New York Times article (http://www.nytimes.com/2012/06/01/world/middleeast/obama-ordered-wave-of-cyberattacks-against-iran.html?) and industry experts I have spoken with off the record, the United States' National Security Agency (NSA) and Israel's Unit 8200 are said to be responsible for creating and launching the Stuxnet worm against Iran's nuclear enrichment facilities. The US government are said to have dubbed their cyber warfare activity Operation Olympic Games. Now given the great success of Stuxnet in impacting the Iranian Natanz nuclear plant, it was always going to be a matter of time before Stuxnet was followed up.
Kaspersky Labs, who have recently analysed Flame, concluded there is a solid link between the development of Flame and Stuxnet (http://www.bbc.co.uk/news/technology-18393985):
"What we have found is very strong evidence that Stuxnet/Duqu and Flame cyber-weapons are connected"
"The new findings that reveal how the teams shared source code of at least one module in the early stages of development prove that the groups co-operated at least once."
"There is a link proven - it's not just copycats."
"We think that these teams are different, two different teams working with each other, helping each other at different stages."
The findings relate to the discovery of "Resource 207", a module found in early versions of the Stuxnet malware. It bears a "striking resemblance" to code used in Flame.
"The list includes the names of mutually exclusive objects, the algorithm used to decrypt strings, and the similar approaches to file naming"
So joining up all the dots, it is an obvious conclusion that the United States and/or Israel are responsible for creating, deploying and controlling Flame, and are therefore using Flame to harvest private information en masse.
I am not clear about the United Nations treaties and rules in relation to cyber warfare/espionage engagements against other nation states; I don't think anyone is, which could be the problem. But I'll leave you with some food for thought: the US government said it would respond to any state sponsored cyber attack made on it with military force.
"Congress affirms that the Department of Defense has the capability, and upon direction by the President may conduct offensive operations in cyberspace to defend our Nation, allies and interests." - http://www.fas.org/irp/congress/2011_cr/cyberwar.html
07 June 2012
LinkedIn Password Breach: Change Your Password Now
Yesterday we learnt a hacker posted 6.5 million LinkedIn passwords onto a Russian forum. These passwords were weakly protected (that's an unsalted SHA-1 hash for the techies), which means the actual passwords can be recovered by the bad guys with very little technical ability.
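Why an unsalted SHA-1 dump is so cheap to crack, and what salting and iteration would have changed, as an added example written for this page (not code from LinkedIn or the post): the user list and wordlist are constructed sample data, and the PBKDF2 iteration count is kept low purely so the demonstration runs quickly.

```python
import hashlib
import os

# Constructed sample data standing in for a leaked database; not the real LinkedIn dump.
SAMPLE_USERS = {"alice": "linkedin", "bob": "password", "carol": "Tr0ub4dor&3", "dave": "linkedin"}
COMMON_PASSWORDS = ["123456", "password", "linkedin", "qwerty", "letmein"]


def sha1_unsalted(password: str) -> str:
    """How the leaked hashes were built: SHA-1 of the password and nothing else."""
    return hashlib.sha1(password.encode()).hexdigest()


def leak_unsalted(users: dict) -> dict:
    """The attacker's view after the breach: user -> unsalted SHA-1 hex digest."""
    return {user: sha1_unsalted(pw) for user, pw in users.items()}


def recover_unsalted(leaked: dict, wordlist: list) -> tuple:
    """Hash each common password once, then look every leaked digest up in the table.
    Returns (user -> recovered password, number of hash computations needed).
    Identical digests also reveal, before any cracking, which users share a password."""
    lookup = {sha1_unsalted(w): w for w in wordlist}       # one SHA-1 per word, ever
    found = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return found, len(wordlist)


def pbkdf2_salted(password: str, salt: bytes, iterations: int) -> str:
    """A salted, iterated hash (PBKDF2-HMAC-SHA256) of the kind a site should store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_salted(users: dict, iterations: int = 1000) -> dict:
    """Site-side storage: user -> (random per-user salt, PBKDF2 digest)."""
    stored = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        stored[user] = (salt, pbkdf2_salted(pw, salt, iterations))
    return stored


def recover_salted(stored: dict, wordlist: list, iterations: int = 1000) -> tuple:
    """The same wordlist attack against salted storage: the wordlist has to be re-hashed
    for every user, and each guess costs `iterations` HMAC rounds instead of one SHA-1."""
    found, guesses = {}, 0
    for user, (salt, digest) in stored.items():
        for word in wordlist:
            guesses += 1
            if pbkdf2_salted(word, salt, iterations) == digest:
                found[user] = word
                break
    return found, guesses
```

With the sample data the unsalted table cracks three of four users with five SHA-1 calls, while the salted store needs thirteen PBKDF2 runs for the same result and no longer shows that alice and dave chose the same password.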
Advice to LinkedIn Members
1. Change your LinkedIn Password Right Now
6.5 million accounts may only be a portion of the total LinkedIn membership, and you may not consider your account as being affected because you have yet to receive a warning message from LinkedIn. However, in my view it is highly likely the bad guys will have ALL the LinkedIn account details and passwords for all LinkedIn users. So assume your account login (Email) and password are known by the bad guys; given this, it is essential to change your LinkedIn password as soon as possible.
2. If your LinkedIn password is the same password you use on any other websites, Change Those Passwords
Most people use the same password on different websites simply because it is difficult to remember lots of different passwords for each website. The hackers know this and so target more weakly protected websites like LinkedIn to obtain your username, email address and particularly your password. Then they try the same combinations to access better protected and more valuable websites (money making opportunities for them) such as online banking, Email, Facebook, PayPal, eBay etc.
3. Assume all your LinkedIn Personal Details as Compromised
If the hackers can obtain the password field within the database, it is safe to assume they will have harvested all the other unprotected fields in the database as well, which unfortunately will include a full profile of your personal information. LinkedIn aren't the first website to neglect security and lose your personal information to hackers, and they won't be the last. So always be cautious of criminals trying to use your personal information against you; typically they try to make money from it. This can manifest as identity theft or as an elaborately personalised phishing Email, so always be suspicious and cautious of non-face-to-face (Email/Phone) communications, and check your financial transaction statements for signs of foul play on a regular basis.
07 March 2012
The problem of Securing the New iPad 3 within Business
Apple announced the latest edition of their fantastic iPad today; not only is this device irresistible for consumers, but it has become irresistible for business. This presents a new challenge for information security professionals, as the iPad has been bred for consumerisation, not for business usage, yet the business application capability of tablets is undeniable. Within mainstream businesses up and down the land a change is afoot: it is no longer about giving the odd few magpie-like senior executives the latest shiny new toys, as there is an unquenchable thirst for Apple's latest tablet gadget emanating across entire businesses.
This is not a time to have heads buried in the sand wishing for the risk aspects of business usage of tablets to go away; the tablet is coming to a business near you. In a few years from now they will be as commonplace on office desks as laptops, and will be smugly grasped by the majority of attendees within meeting rooms. But let us not forget, a corporate used and connected iPad will hold the very same type of confidential information as a corporate laptop, therefore you would expect the same policies and controls to apply, right? Well perhaps not.
The information security problem is not a problem of control even though iPads are a consumer led invention, as there are third party solutions from the likes of MobileIron which can centrally enforce security controls on iPads within the enterprise. No, it is a problem of risk acceptance.
One of the key fundamental appeals of a tablet is its accessibility, namely its "pick up and go" ease of use. But in applying best practice mobile device information security policies and controls to tablets, we find this seriously starts to hinder the device's accessibility. This trade-off kills a key advantage of having the device in the business in the first place. For example, a typical best practice mobile device information security policy applied to laptops, which is typically centrally enforced in large businesses, requires users to have an at least 8 character password consisting of upper/lower case alpha, numeric and special characters, and an automatic password lock timeout of ten minutes when the laptop is unused. We could use a third party solution within the enterprise to enforce the same mobile device policy onto the business's iPad estate. However, forcing a complex long password to be entered every time someone picks up their iPad will no doubt be a trade-off too much to stomach for many, as it rather defeats the advantage of having an iPad in the first place.
So what if we were to weaken the mobile security policy to accommodate better accessibility of iPads, for example enforcing a 4-digit passcode with a 30 minute lockout? The question now is shouldn't the same policy apply to the laptop and desktop estate as well? I don't have the answer, and there isn't really a best practice business tablet security standard to follow at present, so it would come down to a business's own risk assessment, and ultimately risk acceptance. As this is a business decision, and it was the business that decided to invest considerably in bringing the tablets into the enterprise in the first place, it is more than likely we will see security policies and enforced controls being more relaxed on iPads than on laptops. Hats off to any security manager who maintains the same mobile device standard on iPads and laptops. I think accepting a lack of security controls on tablets will be the more typical approach taken by business. The lack of IT enforcement on the iPads transfers risk over to the user; the problem here is most businesses still don't do employee security awareness very well.
12 January 2012
SmartPhone App Security Advice
Smartphones really are a fraudster's paradise; there are so many opportunities for fraudsters to monetise them, from rogue malicious Apps sending premium rate text messages costing up to £6 a text, to stealing the personal information and passwords held on them. And there are even further fraud opportunities with smartphones being increasingly used for making payments and for online banking. These factors, together with a general smartphone user security naivety, are a major incentive for the bad guys to target these little handheld cash cows.
So it is no surprise cyber attacks targeting smartphones are rapidly increasing in the UK, "800% increase in cyber attacks on smartphones" (Nov 11) http://www.mirror.co.uk/news/top-stories/2011/11/07/800-increase-in-cyber-attacks-on-smartphones-115875-23543307/. In this post we will look at how to go about protecting against one of the most commonly successful attacks at the moment, namely safeguarding against rogue malicious Apps.
Rogue Smartphone Apps
Most malicious or "Rogue" Smartphone Apps are Trojan Apps. A Trojan App can look very professional within the AppStore and once downloaded may well operate as expected and serve the purpose you wanted it for. However, once downloaded and used, a Trojan App will perform malicious operations without your knowledge in the background. So the App may well be an entertaining game you play, but as you play, the App sends premium rate text messages, suppressing all text message notifications on your phone so you don't know it's happening. The monetisation of the scam is that the text messages are going to a premium rate line operated by the fraudsters, costing you £3 each time the App texts. You may not find out until your mobile phone company gets in contact or you clock very high text message costs on your bill. Of course by this time the bad guys will have cashed out and closed the text line.
Rogue Trojan Smartphone Apps can potentially appear within any of the major AppStores, whether it is operated by Apple (iPhone), RIM (Blackberry), Microsoft (Windows 7) or Google (Android). Most of these suppliers do perform security testing against Apps for malicious elements before allowing them to be placed in their AppStores. However, it is fair to say the majority of rogue Apps have appeared on Google's Android, with Google removing 27 Rogue Apps just last month (Dec 11): http://www.bbc.co.uk/news/technology-16177013.
Given the 100,000s of Apps in AppStores today, and the 1,000s of new Apps which are released every week, there is always the potential that new rogue Apps could slip through any of these smartphone heavyweights' AppStore security nets, therefore user vigilance is necessary.
5 Steps to Protect Against Rogue Apps
1. Be sure to update your Smartphone (operating system) software as often as possible. These updates often add security features and resolve security vulnerabilities, which can prevent Rogue Apps successfully operating.
2. Before downloading a new App, check and read through the reviews of the App. If the App is dodgy and has been around for a while, no doubt someone will have complained and added a warning in a review.
3. Be careful when allowing an App access to functions and information on your smartphone. Most smartphones have a security feature built in which requires the user to agree to provide an App with access to the various smartphone functions. For instance it doesn't bode well if an App is requesting permission to access your phone book when it is just a game. Don't blindly tap yes on such requests, always ask yourself whether the App really needs the function or information it is asking for, in order for it to work.
4. Rogue Trojan Apps perform functions in the background. These functions can have a great impact on your smartphone's performance and battery life. So if your battery is draining much quicker than usual, or your phone is becoming more sluggish following the installation of a new App, be suspicious.
5. Check your mobile bill regularly. Most rogue Apps in the UK today secretly send text messages to premium rate lines, therefore it is prudent to check your phone bill for any unusual or unexpected charges. Make it a habit to check your bill at least once a month, or straight away if you suspect something is amiss.
30 November 2011
Why PCI DSS is good for Information Security
There is a growing consensus within the Information Security Community that the Payment Card Industry Data Security Standard (PCI DSS) is actually proving to be detrimental to general information security across the business. One point regularly made is that the Payment Card Industry standard is responsible for diverting precious funding and resource away from the overall business information security strategy, where the breach risks can be much greater for the overall business. That may well be the case in larger enterprises which rightly regard best practice information security as a business priority, but consider medium to small businesses: this is the land where information security ignorance is bliss. Within such SMEs PCI can be a real InfoSec wake-up call, as merely attempting to comply with the many PCI DSS requirements can provide benefits across the business, where before the business was completely unaware of the risks, or perhaps hadn't been treating risks with the proper regard. Forcing them into action to meet the specific PCI requirements often results in security improvements across the entire business, so not just tightening the security of credit card data in their possession, but personal and confidential information as well.
Love it or Hate it, PCI does Business Good
The truth of PCI DSS is that most of its 260-odd individual requirements, which set the minimum baseline for PCI compliance, are just best industry information security practices anyway, so businesses are supposed to be doing the lion's share of them already. What PCI DSS does in the small to medium business environment (when taken seriously) is force businesses to take note and ultimately implement these best practices, in most cases applying security improvements holistically across the business. For instance, measures such as establishing a good patch management process, Anti-Virus deployment and information security policies are applied to and benefit the entire business, not just the cardholder environment, so the business ends up killing many data protection birds with one stone.
Today 90% of the card fraud in the UK occurs within level 4 merchants (the smallest of businesses), specifically due to web application vulnerabilities, vulnerabilities which have been around for over 10 years. Yet if these businesses were PCI DSS compliant, it would be fair to say the majority of these breaches just wouldn't occur. This statistic is actually testament to the success of PCI DSS in medium to small businesses, in that larger companies (level 1 to 3) have been chased and forced to address compliance with PCI DSS by acquiring banks, as opposed to the highly breached small businesses which have yet to be vigorously chased for compliance; but given the latest fraud stats, they can soon expect to be chased for compliance.
I am not saying PCI DSS is perfect, lord knows it isn't, and I do understand the arguments made by infosec leaders working within larger enterprises, which already focus on information security as a business service priority. But I find it very hard to argue that PCI DSS is not helping medium to small businesses not only protect cardholder data, but improve their general information security, even if they aren't strictly fully compliant with the standard. In trying to comply with and meet most of the PCI DSS requirements, they seriously reduce their breach risks, not just of cardholder data, but of the personal data they hold as well.
One final point I want to be crystal clear on: a business cannot be considered PCI DSS compliant unless it is meeting all of the PCI DSS requirements, not just on the date of the PCI assessment but 365 days a year, 7 days a week, 24 hours a day. A QSA's successful Report on Compliance will not save a business from fines if a breach were to occur because the business was not meeting even a single requirement at the time. How many businesses are truly compliant in this way is up for debate.
28 October 2011
Securely Wiping your Personal Data from the iPhone
It seems like every year Apple releases a better 'must have' version of the amazing iPhone, sparking a rush by the masses to upgrade. Ensuring all your precious personal information is securely removed from your old iPhone is an essential step before trading it in or selling it on eBay. Like any smartphone, the iPhone hoards all types of sensitive information about you: not just your embarrassing ABBA playlist and dodgy drunken pictures from the weekend, but all your Emails (and, through the configured accounts, access to future mail), usernames and passwords for websites and social media, and often even sensitive financial information such as bank account and credit card details. So unless you are putting your iPhone through an industrial crusher, you really need to erase all the data from it before passing it on. This post explains how.
This data erasing advice and method also applies to the iPad and iPod Touch.
If your old iPhone is a 3GS or a later model, securely erasing your personal data is simple enough. The iPhone 3GS and later models come with hardware encryption built in and switched on by default (you cannot turn it off): the iPhone uses AES-256, an industry accepted standard, to encrypt all data stored on the device. This is not to say your personal data is safe if your iPhone is lost or stolen, due to the way Apple has implemented this encryption, but that is the subject of another blog post. The important point here is that all the personal data stored on the iPhone is strongly encrypted, so securely deleting the encryption key from the iPhone (and from anywhere else it may be held) renders all that personal data inaccessible.
Built into iOS is an option to erase all the data on the iPhone and restore it to factory condition. Apple states that on devices with hardware encryption the encryption key is removed, which takes only minutes, while on older devices without hardware encryption a series of ones is written over the entire data partition, which is why on those devices the process takes a couple of hours to complete.
"When you opt to “Erase All Content and Settings,” the process can take up to several hours. The time this process takes will vary by device:
Devices that support hardware encryption: Erases user settings and information by removing the encryption key to the data. This process takes just a few minutes.
Devices that overwrite memory: Overwrites user settings and information, writing a series of ones to the data partition. This process can take several hours, depending on the storage capacity of your iPhone or iPod touch. During this time, the device displays the Apple logo and a progress bar." - Apple
The overwrite of the entire data partition with ones, following the encryption key removal, makes the process secure enough to trust in terms of the general third party data recovery risk in my personal view; however military organisations and some industries (and the paranoid) may well require further overwrite passes of the data partition with more ones and zeros, for which there is commercial software available, such as iShredder. If anyone has managed to recover data from an iPhone following Apple's erasing process, I have yet to hear about it.
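The reason key removal counts as an erase is worth seeing in working code. The following is an added example, not Apple's code or anything from this post: it models a flash device whose data partition is encrypted under a key held in a small, separately erasable key store (the arrangement described above for the iPhone 3GS and later), next to an older device that has to overwrite its whole partition with ones instead. A keyed HMAC-SHA256 counter-mode keystream stands in for the device's AES-256 so the example runs with the Python standard library only; the secret, the capacities and the attacker model are all constructed for illustration.

```python
"""Added example (not Apple's code): why removing the key is a secure erase.

A keyed HMAC-SHA256 counter-mode keystream stands in for the device's AES-256.
The device, its capacity and the 'chip-off' attacker are constructed models.
"""
import hashlib
import hmac
import os
from typing import Optional


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from the key (stand-in for AES-256)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FlashDevice:
    """Toy device: a data partition plus a tiny erasable key store."""

    def __init__(self, capacity: int, hardware_encryption: bool) -> None:
        self.capacity = capacity
        self.hardware_encryption = hardware_encryption
        self.partition = bytearray(capacity)                # raw flash cells
        self.key_store = os.urandom(32) if hardware_encryption else None
        self.bytes_written = 0                              # cost of each operation

    def store(self, data: bytes) -> None:
        if len(data) > self.capacity:
            raise ValueError("data exceeds partition capacity")
        payload = data.ljust(self.capacity, b"\x00")
        if self.hardware_encryption:
            payload = xor(payload, keystream(self.key_store, self.capacity))
        self.partition[:] = payload
        self.bytes_written += self.capacity

    def read_plaintext(self) -> Optional[bytes]:
        """What the device's own OS can read; None once the key is gone."""
        if not self.hardware_encryption:
            return bytes(self.partition)
        if self.key_store is None:
            return None
        return xor(bytes(self.partition), keystream(self.key_store, self.capacity))

    def erase_all_content(self) -> str:
        """'Erase All Content and Settings' as Apple's quoted note describes it."""
        if self.hardware_encryption:
            self.key_store = None            # ciphertext is now indistinguishable from noise
            self.bytes_written += 32         # only the key store is touched: minutes
            return "key removed"
        self.partition[:] = b"\xff" * self.capacity   # write ones over everything: hours
        self.bytes_written += self.capacity
        return "partition overwritten"


def chip_off_recovery(device: FlashDevice, needle: bytes) -> bool:
    """An attacker who desolders the flash and scans the raw cells for the secret."""
    return needle in bytes(device.partition)


def demo() -> dict:
    """Store a secret on both device types, erase, and report what an attacker sees."""
    secret = b"webmail password: correct horse battery staple"  # constructed sample
    encrypted, legacy = FlashDevice(4096, True), FlashDevice(4096, False)
    results = {}
    for name, dev in (("3gs_or_later", encrypted), ("older_model", legacy)):
        dev.store(secret)
        before = chip_off_recovery(dev, secret)
        how = dev.erase_all_content()
        after = chip_off_recovery(dev, secret)
        results[name] = (before, how, after, dev.bytes_written)
    return results


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

Two things the model makes visible. On the encrypting device the secret is never on the flash in the clear, so the only thing the erase has to destroy is 32 bytes of key, which is why Apple quotes minutes rather than hours. The caveat is the "and everywhere else" above: if a copy of the key survives anywhere (a backup, an escrow, a debugging interface), the ciphertext is recoverable again, and the erase bought nothing.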
How to Erase your Personal Data from the iPhone
1. Back up your iPhone in iTunes; you will probably want to restore your personal information to your new iPhone.
2. Make sure the iPhone is charged or plugged in: the process can take a couple of hours to complete, and you don't want the battery to run out before it finishes.
3. On the iPhone go into "Settings"
4. Then select "General"
5. At the bottom tap "Reset"
6. Select "Erase All Content and Settings"
7. Tap "Erase iPhone"
8. Wait for the process to finish (minutes on models with hardware encryption, up to a couple of hours on older models) and you are done.
Finally, don't forget to remove the SIM card. The iPhone doesn't store any of your data on the SIM card, but removing it is a wise precaution in case your mobile operator doesn't deactivate it properly, and it's not as if the person you are selling the iPhone to needs it anyway.
16 September 2011
Internet Troll Stomping
I was featured in The Sun newspaper today in relation to Internet trolls. Trolling, or a troll, is net slang for an individual who intentionally posts inflammatory, insulting or threatening remarks online. Pretty much anywhere people can leave comments on the Internet, such as forums, Facebook pages, Twitter, YouTube and newspaper comment sections, is subject to abusive comments. People will say the most extreme things when they think they are protected by the shroud of anonymity, words they'd never dream of saying to anyone face to face. Increasingly, however, there are individuals who post abusive comments going well beyond the boundaries of decency and taste, and these are the individuals really regarded as trolls under the definition.
Recently a troll was convicted for abusing tribute websites of deceased girls, bringing the whole trolling issue into the public arena - http://www.bbc.co.uk/news/uk-england-14907590
You're not as anonymous as you might think
Forget China, the UK is one of the most high-tech surveillance countries in the world; we are most certainly not as anonymous as we might think online. Many of the suggested workarounds for anonymity I hear about just don't work. For instance, Google stores every search you type in, and those searches are linked to your physical computer(s) or, if you have a Google account, directly to you as an individual. Google covertly provides all this information to the Police and our government security agencies when requested. Apple monitors your movements and usage, while phone network providers, Internet Service Providers (ISPs) and social network websites all record every little detail about what you do and when you do it. We do live in an Orwellian 1984 society, just accept it: there is no going back, there is no escape and there is no hiding place online, they'll catch up with you eventually. All this is not quite as exciting as portrayed by Hollywood blockbusters or CSI Miami, just thousands of lines of information being collected, recording what we are doing online. Real life law enforcement is only just getting to grips with using this vast amount of information; aside from the troll conviction, terrorism prevention and several murder cases, the many arrests and convictions for online incitement of the riots are another example. If you ever did want to disappear and live anonymously, the first thing you should do is stop using the Internet!
Here are my comments on The Sun article today (Page 9/15-Sept-11)
"Idiots are very easy to locate
These twisted individuals are idiots — they assume they are anonymous online.
But their internet service provider can track their IP address and hand over their details to the cops.
Everyone has an IP address for their internet account which is linked to their name, address and any other details they gave to set up the account.
If the police want to track someone posting abusive messages, they simply speak to the internet service providers who have a record of everything which is written online.
There are some things you can do to limit the chances of being attacked.
Only be Facebook friends with people you know and trust. Parents can also make themselves friends with their kids, to monitor anything going on.
There are no instant answers to eradicating this kind of cyber-bullying, but if kids get educated about the internet they can avoid it much more easily.
The internet has the very best of life, but also the very worst."
Trolling Advice
1. Prevention
Trolling can be simple to prevent in certain circumstances. If you run a webpage at risk and it has the ability to enable comment pre-screening, meaning you or other trusted individuals approve every comment before it is published, switch it on, as it will almost certainly prevent trolling. Trolls won't even bother to make a remark if they know their comments are going to be checked before they are posted.
2. Dealing with Trolling Incidents
Trolling is most definitely illegal under the Communications Act 2003, Section 127. Therefore, if you are a victim of trolling, by which I mean abusive comments that go beyond the pale of decency, consider reporting them to your local Police. http://www.police.uk/
http://www.legislation.gov.uk/ukpga/2003/21/section/127
127 Improper use of public electronic communications network
(1) A person is guilty of an offence if he—
(a) sends by means of a public electronic communications network a message or other matter that is grossly offensive or of an indecent, obscene or menacing character; or
(b) causes any such message or matter to be so sent.
(2) A person is guilty of an offence if, for the purpose of causing annoyance, inconvenience or needless anxiety to another, he—
(a) sends by means of a public electronic communications network, a message that he knows to be false,
(b) causes such a message to be sent; or
(c) persistently makes use of a public electronic communications network.
(3) A person guilty of an offence under this section shall be liable, on summary conviction, to imprisonment for a term not exceeding six months or to a fine not exceeding level 5 on the standard scale, or to both.
(4) Subsections (1) and (2) do not apply to anything done in the course of providing a programme service (within the meaning of the Broadcasting Act 1990 (c. 42)).
01 September 2011
Evolution of UK Home Banking Security - In progress?
I was featured in an article by MSN Money titled "Online Banking Security gets more Complex"
http://money.uk.msn.com/news/crime/articles.aspx?cp-documentid=159017310
Nothing groundbreaking, but it would appear UK banking consumers are starting to feel the pain of the trade-offs that come with increased online banking security, as UK banks try to save money by cutting the previously acceptable losses from online account fraud.
"One person, one bank: three devices
But despite the evidence that new measures are more than just inconvenient, many banks are pressing ahead. Lloyds, Barclays, Cooperative Bank, RBS and Nationwide Building Society all require customers to use a card reader when amendments are made to standing orders, direct debits or when setting up payments.
"This is called two-factor authentication," said independent bank security expert Dave Whitelegg.
How two-factor authentication works
The idea is that no fraudster can access your account, however much they know about your life, your pets and your mother's maiden name, unless they also physically possess the device. "It's the same theory as for chip and pin," Whitelegg told MSN.
Chip and pin dramatically cut credit card fraud, and banks are hoping that two-factor identification will have the same effect on online bank fraud.
The biggest worry for banks is phishing attacks, by which fraudsters send emails hoping to get customers to log into cloned bank websites and enter their details, which are then captured and used to empty the real accounts.
"Phishing emails are sent out by the million, so even if 0.1% of recipients fall for them, they are a success," Whitelegg said.
Most such phishing attempts are easy to spot, failing to address the customer by name and littered with bad grammar and misspelling. But a new generation is more convincing: they may not only have your name, but also much more convincing cloned websites.
Mobile banking: a worrying new frontier
The next frontier in banking fraud is coming with smartphones, which are increasingly enabled for transactions, but which experts say add a new vulnerability.
"They have never been targeted before, so they have never matured with fraud in the same way that PCs have," Whitelegg said.
Sending a text to confirm payment changes, which Santander among others allows, will become less secure if the entire transaction is originated from a stolen mobile.
So who are the people behind online fraud? There is a whole ecosystem out there, with software masterminds writing key logger and phishing programmes and devising convincing copies of bank websites. Then there are communities of hackers and fraudsters who meet online, and buy this software off the shelf, Whitelegg says.
"You have the people who steal cards, or personal data, who can be from anywhere, and then there are the Far Eastern networks of botnets, clusters of remotely controlled computers, which actually generate the phishing attacks," Whitelegg said.
The result is that just a few clever people have seeded a whole crime industry for thousands of criminals who would never have the brains to devise the whole process themselves.
How you can protect yourself
There are no absolutely foolproof ways to avoid data or identity theft but here are a few sensible precautions.
1) Treat your personal data like cash: Don't leave it lying around. Shred unwanted documents, and don't disclose financial details or potential answers to security questions (eg your mother's maiden name) except on verifiable and encrypted sites.
2) Use reputable anti-virus software and keep it up to date.
3) Never download an attachment from an untrusted source as it may contain viruses.
4) Phishing attempts usually begin with alarming warnings about a breach of your security. Banks never alert their customers this way. Even if you are concerned by an email, either ring your bank, or type in the web address from a bank statement. Never follow a link on the email.
5) Change your email address so it's not identical to your real name as used in any financial accounts, so you can easily spot crude phishing attempts which address you by your email name.
6) If you must write down passwords or security details, disguise them. This is particularly important if they are kept on a computer. Use a long and secure password to 'lock' laptops.
7) When inputting details onto a bank website, don't input them in the same order as the questions appear, and use the mouse rather than tab buttons to move around the screen. This can help foil key loggers and other trojan devices.
8) Go ex-directory: keeping your phone details out of circulation stops most phone-based frauds as well as irritating sales calls.
9) If your bank phones you unexpectedly, protect your interests by asking THEM a security question. Ask what your balance was on the date of your last statement, or a recent transaction that you can check. Banks will not ask for online security codes by phone, so don't give them. If in doubt say you are going to ring them back on the usual customer service number."
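The card reader step quoted in the article is easier to reason about with the flow written out. What follows is an added example of my own, not EMV CAP, not any bank's real protocol and not code from the MSN article: it models the reader as an HMAC challenge-response in which the bank binds a fresh challenge to the payee and amount being set up, and only a card holding the secret, unlocked with its PIN, can produce the matching code. The card secret, PIN, account numbers, amounts and the `Bank`, `CardReader` and `scenarios` names are all constructed for illustration.

```python
"""Added example (illustrative; not EMV CAP or any bank's real protocol).

Transaction-signing two-factor authentication modelled as HMAC challenge-response.
Card secret, PIN, account numbers and amounts below are constructed samples.
"""
import hashlib
import hmac
import secrets

# Constructed sample secret shared between the bank's back end and the card's chip.
CARD_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")
CARD_PIN = "2468"


def response_code(card_secret: bytes, challenge: str) -> str:
    """8-digit code from HMAC-SHA256(secret, challenge) with HOTP-style truncation."""
    mac = hmac.new(card_secret, challenge.encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    num = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{num % 10 ** 8:08d}"


def payment_challenge(payee_account: str, amount_pence: int, nonce: str) -> str:
    """The challenge the customer keys into the reader; it names the exact payment."""
    return f"{payee_account}:{amount_pence}:{nonce}"


class CardReader:
    """Something you have (the card) unlocked by something you know (the PIN)."""

    def __init__(self, card_secret: bytes, pin: str) -> None:
        self._secret, self._pin = card_secret, pin

    def sign(self, pin_entered: str, challenge: str) -> str:
        if not hmac.compare_digest(pin_entered.encode(), self._pin.encode()):
            raise PermissionError("wrong PIN: card will not sign")
        return response_code(self._secret, challenge)


class Bank:
    def __init__(self, card_secret: bytes) -> None:
        self._card_secret = card_secret
        self._pending: dict = {}   # nonce -> (payee_account, amount_pence)

    def start_payment(self, payee_account: str, amount_pence: int) -> tuple:
        nonce = secrets.token_hex(4)        # freshness: every challenge is single-use
        self._pending[nonce] = (payee_account, amount_pence)
        return nonce, payment_challenge(payee_account, amount_pence, nonce)

    def confirm_payment(self, nonce: str, code: str) -> bool:
        pending = self._pending.pop(nonce, None)   # one attempt per challenge
        if pending is None:
            return False
        payee, amount = pending
        expected = response_code(self._card_secret, payment_challenge(payee, amount, nonce))
        return hmac.compare_digest(expected, code)


def scenarios() -> dict:
    """Run the attacks the article worries about against the model bank."""
    bank, reader = Bank(CARD_SECRET), CardReader(CARD_SECRET, CARD_PIN)
    out = {}
    # 1. Genuine customer sets up a new payee with card and PIN in hand.
    nonce, chal = bank.start_payment("12345678", 5000)
    code = reader.sign(CARD_PIN, chal)
    out["genuine"] = bank.confirm_payment(nonce, code)
    # 2. Replaying the same code is refused: the challenge was consumed.
    out["replay"] = bank.confirm_payment(nonce, code)
    # 3. A phisher holding the password and the challenge, but no card, can only guess.
    nonce, chal = bank.start_payment("12345678", 5000)
    out["phisher_guess"] = bank.confirm_payment(nonce, "00000000")
    # 4. A trojan that swaps the payee finds the customer's code does not verify
    #    against the bank's record of the substituted payment.
    nonce_a, chal_a = bank.start_payment("12345678", 5000)
    code_a = reader.sign(CARD_PIN, chal_a)
    nonce_b, _ = bank.start_payment("99999999", 5000)
    out["redirected"] = bank.confirm_payment(nonce_b, code_a)
    # 5. A stolen card without the PIN cannot sign anything.
    nonce, chal = bank.start_payment("12345678", 5000)
    try:
        reader.sign("0000", chal)
        out["stolen_card_no_pin"] = True
    except PermissionError:
        out["stolen_card_no_pin"] = False
    return out


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:20s} accepted={ok}")
```

The design point is that the code proves possession of the card and knowledge of the PIN for one specific payment, so a captured password, a captured code or a stolen card on its own buys the fraudster nothing. The limit is what the customer types into the reader: if a trojan shows a bogus payee on screen and the customer copies it in, the card will happily sign it, which is why the payee details should be checked against a trusted source. It also shows why the SMS confirmation the article mentions is weaker when the phone is the originating device: the stolen phone is then both the channel and the second factor.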