Avoid Identity Theft Pt 1

April 18th, 2008    posted by: Kevin Quillen Delaware Web Designer of Inclind, Inc

A while back, I posted an article dealing with internet security and protecting your identity:

http://www.delawarewebdesigner.com/rants-raves/protecting-your-computer.htm

http://www.delawarewebdesigner.com/blurbs/the-information-you-should-never-share-online.htm

Recently I have been advising clients on certain basic steps they can take to ensure they do not become a victim of identity theft. It has happened to me before, and it is a complete pain in the ass to reverse everything. Fortunately I caught on fast on the day it was happening (while my bank account was being drained; when 5 figures goes to 2 you know something’s up) and was able to reverse and resolve the situation in 2 days, recover my money and my good name. I did however have to obtain all new bank account and credit card numbers, checks and the like. Others haven’t been so lucky.

Identity theft is the fastest growing cyber crime in the world. The Internet is still a very young technology, and all things considered, still somewhat of a lawless frontier. With so many ways to remain anonymous online, it’s easy for people to hack, steal, and dupe people out of personal information such as financial info, credit card numbers, bank accounts, or even a simple address and phone number. Almost 99% of the time, unless it’s easily traceable and/or major damage, law enforcement does not have either the time or resources to help you.

If you think you are safe while using services and sites like PayPal, eBay, Amazon, or online banking, think again.

The most common way people lose their identity is through an email phishing method. Occasionally you will get an email that seems legitimate from a well-known company, like Bank of America, PayPal, WaMu, or Hotmail. Check the ‘From:’ field: the email address looks real. Hmm, so you open it up, and it reads something like:

“Please update your personal information for our records” … with a lot of other corporate-sounding reading material, typically followed by “http://www.somecompany.com/login”. It’s second nature for us IT people to just click delete, but most people will believe this is a real email and click whatever link it tells them to click. A simple hover on the link with the cursor will display where that link ACTUALLY links to, so, while the link appears to be “http://www.somecompany.com/login”, it’s actually masked and ends up at a hacker’s website. You can easily tell by hovering on the link, because most fraudulent links will look like gibberish or not even have the correct parent domain.

For example, ‘http://somecompany.secure.foo.bar.2.com/login/index.php’ would be the actual destination of the link in the email. What does this mean? This means that, while you think you may be clicking a link from SomeCompany, and going to SomeCompany’s website, you are actually being directed to another place; most likely the site has been set up to look just like where you intended (or thought) you were going in the first place. What happens then is you try to log in on the fake website, and it tells you login failed, check your password. Really, what just happened was you sent your login credentials to the hacker running the site, who then goes and uses them to log into your account at the real website, change your password, and bam, you just lost your account to someone who is going to do whatever they want with it. This is quite common with PayPal and eBay, as I have seen many emails like this (I frequently use both services).

So, how can I protect myself?

There are a few simple steps you can take to protect yourself.

  1. Email
    If you receive an email from a company advising you to update account information, or to verify your identity, the best thing to do is go directly to their website (don’t click any links in the email, do this yourself in the browser), log in, and check your account yourself. Especially for something like PayPal, this is the quickest way to determine if any account activity has occurred or administrative messages/alerts are pending for you.
  2. Validate the Website
    If you wind up at a login page, check to see that it is SSL secured (most, if not all, are), who issued the certificate, and what the URL is. If something seems strange, don’t do anything further. Your best bet, like above, is to go to the parent site and log in from there. Don’t follow any links from other sites or search engines, which can easily be spoofed.
  3. Use a Secure Browser
    By default, most users use Internet Explorer 6 or 7. You can take additional steps to protect yourself from various types of hacks by using Mozilla Firefox or Opera browsers. For example, when visiting a secure web site, Opera encrypts data using either SSL 3 or TLS, both of which are highly secure encryption protocols. It then adds information about the site’s security to the address bar. Users may also click a button on the address bar to check if a web site is a fraudulent or “phishing” site. Both companies ensure the browser actively protects you, and are extremely quick to patch any vulnerabilities found. In comparison, Internet Explorer was left to sit over a year before receiving any security patching or updates.
  4. Invest in Software
    You should have some form of protection on your computer to guard against malware, spyware, and adware. Like phishing, these are other methods that hackers use to not only get personal information, but gain backdoor access to your PC and execute commands. Typically they include keystroke loggers and other things that retrieve data and send it back to the source. Norton and Symantec are the most ‘known’ names, but there are more alternatives out there that surpass both. Trend Micro, LavaSoft, AVG, and Panda Security all are excellent solutions for anti-virus and *ware handling. Add in a firewall like ZoneAlarm, and you’ve stepped up security by a huge degree. Don’t simply rely on Windows Security or Windows Firewall (Windows XP); it simply cannot protect you enough.
  5. Consider a Monitoring Service
    Services like LifeLock will protect you against someone attempting to use your name or social security number in order to do things like apply for credit at a bank. LifeLock is awesome.

I will have part 2 ready in a few weeks, where I will cover software usage, and what software to not use to protect your identity.
