SECURITY CENTER
It's that time of the year again. What time, you may wonder? Doesn't matter. Whatever the time or event may be, you can count on scammers using it as a ruse to ply their trade. One favorite Halloween ploy is attached to a video of a dancing skeleton that is too funny to resist downloading. But while you're laughing at the skeleton's antics, botnets are invading your computer and stealing your personal information. Paris Hilton is not accepting your Halloween party invitation, nor is Superman sending you an email. Those who open either message find their holiday joy short-lived as the attached adware renders their computer virtually useless.

Merely avoiding Halloween-related downloads isn't enough. The 2010 Census is right around the corner, but the phishing e-mails supposedly from the Census Bureau have already begun. The U.S. Census Bureau will not request personal information via e-mail, such as the PINs, Social Security numbers, or banking and credit card numbers phished for in the current wave of e-mail scams.

A triple-payload e-mail attack comes packaged in a fake shipping confirmation notice. The recipient is asked to open the attachment to print the shipping label. The attachment is a .zip file; once it is opened, the executable (.exe) file inside is disguised with an Excel icon. Three different pieces of malware are deployed when the .zip file is opened. This threat can be averted by paying close attention to the file discrepancies. But to do so, your Windows settings must be configured to display file extensions.

If you're running XP, open Explorer by clicking on the "My Computer" or "My Documents" desktop icons. Click the Tools menu, and choose Folder Options. On the View tab, uncheck the box next to "Hide extensions for known file types" under the Files and Folders menu. Vista users start with Organize, then choose Folder and Search options.
Regardless of your operating system, be sure to click the "Apply to all Folders" button so the change applies to more than the folder you're currently viewing.

Links appearing on well-known Web sites aren't necessarily safe anymore, either. Two such exploitations appeared last month, one in articles reporting the death of actor Patrick Swayze and one against the New York Times Web site. Both tricked visitors into believing their computers were infected, urging them to download fake anti-virus software. Visitors who took the bait were bombarded with popup ads until they were convinced the threat was real, and provided credit card information to the perpetrator believing the fake software would remove the offending program.

While the result was the same, different tactics were used on each site. Scammers claiming to represent Internet phone provider Vonage placed what appeared to be legitimate display ads on the New York Times online newspaper. Sometime over the weekend, the legitimate ads were switched for pop-up warnings of a supposedly infected computer. Patrick Swayze fans wanting to learn more about the late actor suffered a similar fate by merely rolling their mouse over the same type of display ad.

Meanwhile, visitors to the Curious George children's TV show section of the PBS Web site were getting a fake error message page when logging in to the site. That page contained JavaScript that hijacked the visitor to a malicious domain where attempts were made to exploit the user's installed applications. Such attacks are routinely directed at common programs like Acrobat Reader, ActiveX controls, Apple QuickTime and others. Patches to correct these vulnerabilities are issued regularly. Yet many users ignore their importance and fall prey to the very danger the patches protect against.

Corporate data breaches create an equal hazard.
According to the Identity Theft Resource Center, as of September 22 there have been 379 data breaches reported in 2009 alone, affecting more than 13 million records. The companies include schools, health care operations, travel companies and financial institutions. It's a large-scale problem, not a simple matter of one or two companies with lax standards. Scam techniques proliferate at a faster rate than methods to halt them.

There is some good news to all of this, if it can be considered such. There is safety in numbers. Online attackers have information on millions of people, far more than they can conceivably scam.

Fraud artists have existed throughout history. There's a snake oil salesman lurking around every corner. How do you know the waiter who just took your credit card isn't jotting down your account number? Is there a pickpocket standing behind you in the checkout line? These seemingly small-time criminals actually pose a bigger threat than their online counterparts. They target you specifically, rather than randomly selecting your name from a list of over a million potential victims. And you can take steps to keep your online identity safe. Not so when you trust your surroundings.

Use caution before submitting sensitive information. Most businesses don't need your Social Security number unless you're applying for credit. Be suspicious of any Web site requesting it without a legitimate purpose. Supply the minimum amount of information necessary to complete your transaction. Don't fill out a form field if there's no reason to provide that information.

Read the fine print. That's where a Web site must reveal its privacy policy. Some you would never suspect will share your information with a third party whose security measures can't be vouched for. If you click that box without reading it completely, you have agreed to allow the intrusion.

Conduct a regular search for yourself online.
You may not have posted any personal information about yourself, but a friend may have unknowingly published a picture he took while visiting you that shows your address or license plate number.

Check your credit report regularly. You are entitled to one free report annually from each of the three major reporting bureaus. Spread them out throughout the year to stay current with reported activity. Visit annualcreditreport.com for the copies without strings attached. The others are only available to those who subscribe to their credit monitoring services. Only vigilance can reduce any damage that may occur should you become an identity theft victim.

A recent survey of U.S. and U.K. computer users revealed that 25 percent did not know whether they had any privacy protection. Over half admitted they had no idea what the privacy settings on their browsers were. Do you know what keeps your computer safe?

As the name implies, the firewall serves as a boundary to restrict information traveling between your computer and a network or the Internet. If used properly, the firewall is your defense against someone trying to hack into your system. If it's configured wrong, you're opening the door for an identity thief.

Here's how they work: an unsolicited request is generated whenever someone tries to connect to your computer, that is, when you did not initiate the contact. Your firewall will alert you to the request and ask whether you want to allow access or block that particular program or Web site. If you approve the request, the site or program is added to your exception list. It will be recognized the next time it wants access and you'll get no further alerts. Block it and you've slammed the door on potential fraud.

You should have two different kinds of firewalls protecting your home computer. A software firewall protects the computer and a hardware firewall will protect your Internet connection.
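As an added example (not the column's own code), here is a small Python model of the behaviour just described: replies to connections the computer started are let back in, an unsolicited request is checked against the exception list, and everything else is dropped and recorded. The traffic, addresses and port numbers are constructed, and the last step shows what happens when a user answers "allow" to a prompt for file sharing, the kind of misconfiguration the column warns about.

```python
"""Model of a host firewall as the column describes it: traffic this computer
started is allowed back in, an unsolicited inbound request is checked against
the exception list, and anything else is dropped and recorded.
Constructed example; not code from the original column."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = sent by this computer, "in" = arriving from the network
    proto: str        # "tcp" or "udp"
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass
class HostFirewall:
    # (proto, local_port) pairs the user approved when prompted: the exception list
    exceptions: set = field(default_factory=set)
    # False models the "Don't allow exceptions" setting: every unsolicited request is dropped
    allow_exceptions: bool = True
    flows: set = field(default_factory=set)      # connections this computer initiated
    blocked: list = field(default_factory=list)  # unsolicited requests that were dropped

    def approve(self, proto: str, local_port: int) -> None:
        """The user answered the prompt with 'allow'; no further prompts for this pair."""
        self.exceptions.add((proto, local_port))

    def inspect(self, p: Packet) -> str:
        """Decide ALLOW or DROP for one packet, remembering what we initiated."""
        key = (p.proto, p.remote_ip, p.remote_port, p.local_port)
        if p.direction == "out":
            self.flows.add(key)          # we started this; replies are expected
            return "ALLOW"
        if key in self.flows:            # reply to a connection we opened
            return "ALLOW"
        if self.allow_exceptions and (p.proto, p.local_port) in self.exceptions:
            return "ALLOW"               # unsolicited, but the user approved this service
        self.blocked.append(p)           # unsolicited and not approved
        return "DROP"

    def summary(self) -> dict:
        """Blocked attempts grouped by (source address, targeted port), as a log review would."""
        counts: dict = {}
        for p in self.blocked:
            k = (p.remote_ip, p.local_port)
            counts[k] = counts.get(k, 0) + 1
        return counts


def scenario(allow_exceptions: bool = True):
    """Replay a constructed sequence of traffic; returns (decisions, blocked summary)."""
    fw = HostFirewall(allow_exceptions=allow_exceptions)
    decisions = [
        # 1. the user opens a web page: our request goes out, the server's reply comes back
        fw.inspect(Packet("out", "tcp", "198.51.100.7", 443, 49152)),
        fw.inspect(Packet("in", "tcp", "198.51.100.7", 443, 49152)),
        # 2. a stranger on the Internet probes Windows file sharing (TCP 445): unsolicited
        fw.inspect(Packet("in", "tcp", "203.0.113.9", 51000, 445)),
    ]
    # 3. the user clicks "allow" on the prompt for file sharing without thinking about it
    fw.approve("tcp", 445)
    # 4. the probe comes back; with exceptions honoured, the stranger now reaches the share
    decisions.append(fw.inspect(Packet("in", "tcp", "203.0.113.9", 51001, 445)))
    return decisions, fw.summary()


if __name__ == "__main__":
    for mode in (True, False):
        print("allow_exceptions =", mode, scenario(mode))
```

With exceptions honoured the fourth packet is allowed in; with "Don't allow exceptions" modelled (`allow_exceptions=False`) it is dropped and the blocked summary shows two attempts from the same address against port 445.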
If you use a PC, the Windows firewall will handle the software protection quite well. The $75 routers you can buy at any electronics store usually include a great hardware firewall. To be safe, simply set the Windows firewall to Enabled and check the "Don't allow exceptions" box. To find these properties, open Control Panel and choose Windows Firewall from the menu. You'll see the firewall properties box that displays these options. You'll now be prompted if any program or Web site not on your exception list is trying to gain access to your computer.

If you misconfigure your firewall, you could inadvertently allow anyone on the Internet to access your computer and read your stored files and other personal information. That's why it's best to simply configure it to block everything.

Many security products on the market offer their own firewall; you don't have to use the Windows version. Examine what each product offers and choose the solution that's best for you. But make sure you only have one product enabled or they'll conflict with each other.

A firewall offers a degree of protection, but there are certain things that it cannot do. It can't detect or disable computer viruses and worms already present on your computer. You'll need antivirus software for that. It will ask permission before granting connection requests, but it won't stop a dangerous email attachment from opening. You'll have to use discretion in deciding what could be a threat. If you don't know the sender or the subject line doesn't make sense, don't open it. It can't block spam. Your email client may offer a spam filter that will help in this regard.

Your firewall can create a security log to record successful and unsuccessful attempts to connect to your computer. This can be helpful if you need to troubleshoot a problem. If you're using the Windows firewall, click the Advanced tab on the properties box described above. The Security Logging option appears on this screen.
Choose Settings to select what types of events you want logged and the location of the log file. Cyber criminals are continually trying to find new ways to ply their trade. Take your protection into your own hands and stop them in their tracks.

Back in the late '90s, when we installed our first computer network at GCF, there was much debate over whether we really needed all that fancy stuff. Technology was for the big guns at the time. An institution our size didn't REALLY need such automation. I can remember one department head who was meticulous in her job. She was a wonderful woman with a dedication and work ethic that's hard to find today. She would run numbers forward, backward and sideways if she could to validate her conclusions. That is, as long as she used a pencil and a ledger sheet. Holding that paper firmly in hand was material proof of a job well done.

I sometimes wish life was that simple once again. Sure, that piece of paper could have been compromised. It could have missed the shredder and gotten thrown directly into the trash where a cleaning person could have stumbled on it. A disgruntled employee could have intercepted it and used that valuable information to make the bank look bad. But that would have been the worst of it.

Fast forward a millennium and it's now universally accepted that data doesn't have to be in paper form to be legitimate. Electronic communications and transactions all leave a footprint that serves as their version of a paper trail. But their path extends much farther than any piece of paper ever could, for they leave a footprint that can be traced all around the world.

I never was concerned with privacy issues. While I knew my frequent visits to NASCAR.com would result in race-related display ads when I logged on to Google, who really cared? My name, address and phone number have appeared in the local telephone book for decades. What's the harm in their appearance online?
So I sat down with information security expert Mike Chapple, CISSP, whose books have helped aspiring Internet security professionals prepare for the challenging Certified Information Systems Security Professional certification. I questioned him as to how easy it is to gain access to our private information, and why we should even care. His response was frightening.

Marketing databases are widely available for sale, and can tell you all sorts of things about people. The data isn't integrated; one would have to purchase several different lists to create a complete profile. Yet one can retrieve plenty of information on your habits and interests by simply searching for your Social Security number, address, or even your 9-digit zip code. A lot can be surmised from the demographics of your community. Enough for some deranged person to stalk you or steal your identity. Someone wanting that information badly enough needs to do nothing more than hire a private investigator who can readily access the appropriate database.

Damage can be done even without the help of a private investigator. Once someone has your address and learns where you were born, they have enough information to pull a birth certificate online for $1.95 and find your mother's maiden name. What information does your bank and other institutions ask for to verify identity? Now they've got access to your accounts.

Public tax records can give someone who has your private information enough knowledge to take out a loan in your name. You can easily learn what someone paid for their home and how much they still owe. They show the name of your mortgage holder and when the mortgage was written. These questions are often used to prove the identity of someone applying online. A soft credit check is run, presenting you with questions about your credit history that presumably only you would know.

In the few minutes I sat speaking with Chapple, he was busily plugging away at his keyboard while answering my questions.
He paused twice: the first time to tell me my full name, age, place of birth, address, length of residence, and current and previous places of employment. The second time his fingers stopped, he told me when we bought our home, how much we paid, who holds our mortgage and for what amount, the color I painted the railing on my front deck and the make and model of my neighbor's minivan. He admitted to not being able to clearly read the license plate. He also went on to describe what kind of harm could befall me if this basic, public information fell into the hands of someone not quite as honorable as himself.

The worst part is that there's absolutely nothing we can do to prevent this from happening. We could limit our risk somewhat if we purchased goods only with cash, avoided the Internet completely and became hermits. But any electronic transaction or action can and does result in a profile.

Chapple suggests you always keep a record of what you do and where you do it. Pull your credit reports regularly to limit any damage in case you have been compromised. You are entitled to one free report per year from each of the three major reporting bureaus, and so is your spouse. If you pull a report from one bureau at a time and intermix those of your spouse, you can keep watch every two months. The only federally sponsored web site to provide your free credit report is annualcreditreport.com. Don't be misled by those with catchy jingles you see advertised in television commercials. You'll need to subscribe to their service to access the free report offered. Remember that villainous eyes are watching... you best be, too.

Three Florida men were arrested for credit card fraud, and charged with the Heartland Payment Systems security breach reported in last week's edition of GCFlash. More arrests are expected to follow. The men hacked into the processor's SQL database that stored credit card information and stole names, credit card numbers and expiration dates.
No other personal information was compromised.

To understand the full implications of this breach, let's first review the processing of credit card transactions. A customer walks into their favorite store, or visits an online merchant, and purchases an item. The merchant swipes their card, submitting the information electronically to the financial institution or organization they use to process the service and verify the transaction. Authorization is returned to confirm the transaction is valid. The information is then stored in a batch, which the merchant transmits to the processor later in the day to collect payment. The processor sends the transactions in that batch through to the card provider: VISA, MasterCard, American Express or Discover. The provider then debits the customer's account and pays the processor, who in turn credits the merchant's account.

Many merchants will use the services provided by the bank that holds their business accounts, for convenience. But they're free to choose whichever processor is best suited to their particular business, budget, or whatever other factors come into play. And the competition is fierce. For the first two years my husband owned his business, we were flooded with marketing calls from processors competing for his account. A data breach at the processor level has effects that reach far beyond the scope of any particular financial institution.

We can hope that the remaining suspects are apprehended and the story comes to an end. The reality, though, is that particular types of crime are often seen in waves. The criminal mind reads about a successful method and tries to take advantage of it before adequate prevention methods can be put into place.

The Federal Trade Commission (FTC) has put together a one-stop national resource to learn about identity theft, providing detailed information on how to avoid it and what to do if you become a victim.

File a report with the police.
Keep a copy to use as an Identity Theft Report that validates your situation to any company you do business with. If your local law officials are reluctant to file an identity theft report, try your state police or your state Attorney General's office.

Place an immediate fraud alert on your credit reports. This prevents the thief from opening any more accounts in your name. Contact information for the three consumer reporting bureaus appears on the Security page of our web site. You only need to contact one of the agencies. The one you call is required to contact the other two. Once the fraud alert is active, you're entitled to one free copy of your credit report from each of the three consumer reporting companies. Get the report and review it carefully. Look for inquiries from companies you're not familiar with, accounts you didn't open, or inconsistent information like your Social Security number, address(es), initials or employers. If you find any fraudulent accounts or inaccurate information, correct it immediately. By sending an Identity Theft Report and explaining your request, you'll get the quickest action. Continue to check your credit reports periodically.

Close any accounts that have been compromised or opened fraudulently. Call and ask for someone in the security or fraud department. You'll have to follow up each call in writing to protect your rights.

File a complaint with the FTC online. This allows a coordinated effort to track down identity thieves and stop them. This complaint, along with your police report, entitles you to certain protections. They enable you to permanently block fraudulent information from appearing on your credit report, ensure that debts do not reappear on your credit report, prevent a company from continuing to collect debts that result from identity theft, and place an extended fraud alert on your credit report. An extended fraud victim alert will remain on your report for seven years.
If your personal information has been stolen but not yet misused, you can place an initial security alert on your credit records for 90 days. For more resources on identity theft, visit ftc.gov.

PHISHING FOR TROUBLE
Despite efforts to curb phishing attacks, more aggressive tactics and black market tool kits have led to an increase in the crime, according to a report by U.K. security firm MessageLabs. Their September 2007 report reveals that one in every 87.2 e-mails is a phishing attack, up from one in 93.3 in January 2007. The company finds phishing e-mails comprise 56 percent of all malware threats reported, such as viruses and Trojans.

One factor contributing to the rise is the availability of phishing kits that make sophisticated attacks simple to carry out by even the most non-technical criminals. The technique allows each compromised computer within a botnet to host multiple phishing sites at the same time. These sites are then replicated across the entire botnet, making them harder to shut down.

The report also found that senior management executives are increasingly becoming targets of new attacks. One such threat involved an e-mail assault portraying a message from a recruitment company. A Microsoft error message appeared when the e-mail was opened, luring the victims to click on an .rtf attachment that dropped two files onto the user's computer. The files then passed sensitive information back to the perpetrator. Paul Wood, senior analyst at MessageLabs, said "Two years ago the number of such attacks accounted for one to two incidents per week. One year ago this rose to one to two per day. This year it has risen to around seven to 10 per day."

These numbers may be conservative according to information compiled by the Anti-Phishing Working Group (APWG). The global pan-industrial and law enforcement association received 28,888 incident reports in June '07, a 23% increase over the previous month. New phishing sites reached a record high of 55,643 in April.

As large companies became more diligent in securing their perimeters, cyber criminals turned their focus to smaller businesses to find new victims.
Fresh blood attracted even more criminals to the arena, made especially easy by the proliferation of tool kits now available. The tool kits are easier to find than one would expect. You can purchase a "Certified Ethical Hacking toolkit" on eBay for $10 to $20. Certified Ethical Hacking, CEH, is a certification provided by the International Council of E-Commerce Consultants, awarded to security professionals trained to test systems as real hackers do. But such courses focus on technique rather than hacking kits, leading experts to believe the tool kits are more likely used for criminal activity.

Huge profits, the anonymity of the Internet, plus a tool kit that makes sophisticated attacks easy to carry out equals an opportunity that crooks can't resist. And their numbers are growing by staggering proportions.

One security professional went undercover in an effort to understand the mindset and technique behind these crimes. He described the phishing community as being made up of specific roles and jobs. The spammer creates and sends e-mail messages with a link to the phishing site. They often use botnets, networks of zombie machines, to send messages in bulk within a short period of time in order to hit inboxes before spam filters can catch them. The casher is a person who cashes out compromised bank accounts. With methods in place to extract currency from specific institutions, they advertise their services to others in the community through channel blogs. And then there's the ripper, a person who rips off the phisher by keeping the sensitive data for their own activity rather than sending it as agreed when obtaining the kit.

After a few weeks getting accustomed to the process and lingo, the undercover spammer convinced users to send him tools and phishing kits. He was to deploy the tools and send the gathered information back to the phisher. He was surprised to find common backend files with the same names in a variety of kits.
He also discovered that the phishers themselves are actually being scammed... by advanced phishers who hide code that e-mails the stolen information not only to the perpetrator of the attack but also back to the originator who sold them the kit.

With such a large community and huge profits to be made, this crime won't go away anytime soon. Don't let your guard down by thinking your spam filter is enough to keep you protected. Be certain the e-mail you open does, in fact, originate from a trusted source.

HOW TO AVOID A PHISHING SCAM

Never provide your personal information in response to an unsolicited request, whether it is over the phone or over the Internet. If you did not initiate the communication, you should not provide any information. If you question whether the message is legitimate, contact the institution yourself using phone numbers and web sites found on your monthly statements. A financial institution would never ask you to verify your account information online.

Review account statements regularly to ensure all charges are correct. If your account statement is late in arriving, call your financial institution to find out why. Online banking provides an excellent tool for early fraud detection. Frequent monitoring of your account activity allows you to stop a thief before the damage is out of control.

Contact Steven Botto, GCF's Security Officer, at extension 359 if you believe your personal information has been compromised.

STOP SPYWARE BEFORE IT STOPS YOU
Are you inundated with constant pop-up ads? Is your computer performing sluggishly? Has your home page changed seemingly by itself? Your computer could be under the control of spyware.

Spyware, and its counterpart adware, are computer programs that install themselves without your knowledge. While most offenders are advertising ploys that are merely annoying, others can suck up valuable computer resources or track your keystrokes and send your personal info back to their creator to steal your identity.

Spyware is downloaded through various methods. Those little pop-up boxes warning that your computer may be infected with spyware can actually download the culprit into your system if you click for details. Are you really a free winner? You'll end up the loser if you let your curiosity get the best of you. A lot of the free downloads on the web come with a steep price, including file-sharing programs such as BearShare and Kazaa. Screensavers, emoticons and desktop features are often accompanied by unwanted marketing tools, i.e., adware. Even some free spyware removal tools are actually installing the very programs they claim to detect and remove.

Not every free download or pop-up box contains a threat. Some adware can actually be beneficial. Companies you do business with could collect demographic data or track which sites you visit to customize your online experience. If you come across a product or tool that you're interested in, feed its name, vendor or other key information into a search engine. You'll instantly see in the results whether or not it is legitimate. The Better Business Bureau maintains information on over two million businesses. Check out the company online at bbb.org.

Congress has three bills on the table to enable prosecution of violators. But to date, only one charge has been levied against a perpetrator. The best defense lies in the hands of an informed PC user.

Download tools or features only from a trusted web site.
Know that links appearing in the right frame of your Google search results are paid advertisements, not an endorsement of legitimacy. Read the terms and conditions of anything you download. While this can seem dull and lengthy, how the vendor handles your personal information is hidden in the fine print. Resist the urge to claim that free prize. Don't follow links sent in an e-mail.

There are several good, free tools online to rid your computer of unwanted programs. The editors of PCWeek magazine tested the products offered at several of the most common spyware removal web sites.

INTERNET SECURITY THREATS BECOMING MORE SOPHISTICATED
The Federal Deposit Insurance Corp. (FDIC) was once again the target of a phishing attack; this time the deception was so authentic that even savvy Internet users fell victim. Experts are alarmed by the level of sophistication displayed in this recent episode.

The e-mail falsely claims that the FDIC has developed a new program that will track suspicious activity on accounts linked to consumers' ATM, credit, debit and check cards in an effort to prevent identity theft. The e-mail contains an authentic-looking FDIC logo and a link to a spoofed Web site located in China. Consumers are told that most major U.S. banks are participating in the program, and urged to register their cards immediately on the spoofed site. The e-mail message is well-written, in contrast to other such deceptions that we've grown accustomed to recognizing as fraud. And the spoofed site is nearly identical to the FDIC's actual site, including a page describing this "new program".

Tracing these spoofed sites back to their developer is very difficult. The average lifespan for these fraudulent sites is 2.5 days. Just enough time to e-mail millions of unsuspecting recipients... and reap the benefits of the 3% that fall prey.

Beware of anything announced via e-mail. If an offer sounds interesting, research it further before offering your personal information. Call the company directly using a telephone number you already know. Or visit the company's official Web site by typing in a known URL rather than using the link provided in the e-mail. Just clicking on that link can cause you problems, even if you don't submit personal information. Bogus e-mails can set cookies on your system that allow the sender to track information about your online habits, including capturing your keystrokes and relaying your login information back to the perpetrator.

New threats emerge almost daily; most prey on human curiosity. Resist those images of sexy, young female athletes or the Saddam Hussein hanging.
They're often a tool used to download malware. Know that legitimate banks, lenders and government agencies will not ask for personal information via e-mail. Updated operating system and anti-virus products are essential in avoiding risk. Education and preventive measures are your best defense.

FOOLING KEYLOGGERS
Keeping abreast of current events just might be the greatest benefit seen from the advent of global communications. Even if you live on a faraway tropical island, you're connected to the rest of the world through the Internet. And you're also prey to the same scams, threats and trickery you tried to escape when you chose to leave the "real" world.

Informed readers already know that the greatest online identity theft risk comes through keyloggers. This type of software was developed to help companies monitor employee computer usage to assure they were using it for business purposes. But it didn't take long for crooks to see its potential. By installing the software without the user's knowledge, they could capture login names and passwords to a text file they could email back to themselves.

While different forms of keylogging software use various techniques to capture your valuable data, there are tricks you can use to avoid the most common methods. The most efficient way is to maintain high security standards, preventing the download of the intruding program in the first place. But if your system was compromised before you configured the latest and greatest spyware prevention tools, your information is still being captured.

Most keylogging programs are designed to recognize nothing more than actual keystrokes, not mouse activity. So one way to fake them out would be to type extra characters into your password in the box, then click just to their right and backspace to delete them. The software would capture the fake password and backspaces, but not where they were located. This method works best if you insert the fake characters in the middle of your password, or better yet, throughout it. Putting them at the end makes it easier to guess which characters you're eliminating. This technique isn't foolproof; more sophisticated programs could still figure out your password by trial and error since they would have the key elements. But it would do the trick in most cases.
Another, even more effective, method is to copy and paste your login name and password where required. Using the keyboard shortcuts Ctrl-C to copy and Ctrl-V to paste, the only keystrokes captured would be C-V-C-V. Store your user names and passwords in a text file saved to a removable drive, then plug it in and copy/paste only when you need it. Or write yourself a little paragraph that includes the letters, numbers and symbols you need and copy/paste each character as necessary.

Here's an example assuming your password is hard to crack, such as "re%G42k." Your paragraph could read something like: "Last year we saw a 20% increase in Green Mountain trees. We took our 4 kids to Jupiter." It doesn't have to make sense, and contains all the characters you need to copy and paste where needed.

To copy and paste, use your mouse and click to highlight the character you want to copy. Hold down your Control key while tapping the letter "c." That character is now saved to your clipboard. Click in the password field of your login box. Again hold the Control key while tapping the letter "v." The character you saved to your clipboard is now pasted into the password field. Continue until your entry is complete. This method is a bit tedious, but effective. And well worth the trouble it takes to safeguard your good name and credit.

One tool I find to be especially effective in preventing unwanted downloads is McAfee's Site Advisor. They test the links embedded on every site and report whether they find them safe, or alert you if they're known to download unwanted adware, spyware or malware. In conducting research for this article, I came across a link for a keylogger detection scanner program. The information came from a reliable source, so I thought it might be good to pass along. But first I wanted to check it out. I stopped immediately when a big red box appeared. The warning included which specific links on the Web site were known to be troublesome.
Site Advisor also works with Google to warn you at a glance whether any sites returned in your search results should be avoided. Each listing will be marked with either a big green check mark if they found the site safe, or a red X for those that aren't. For more information, visit siteadvisor.com.
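To make the two tricks in the FOOLING KEYLOGGERS column concrete, here is an added Python example (not the column's code) that models a password field and what a logger that sees only keystrokes would record: decoy characters removed with mouse-placed backspaces, and per-character copy/paste of the column's "re%G42k" password. The event model and the control codes used to stand for Ctrl-C and Ctrl-V are assumptions; the candidate count shows the column's caveat that a trial-and-error attacker still holds all the key elements.

```python
"""Model of what a keystroke-only logger records versus what ends up in the
password field, for the two tricks in the column: decoy characters deleted
with mouse-placed backspaces, and per-character copy/paste.
Constructed example; not code from the original column."""
from itertools import combinations

BACKSPACE = "\b"
COPY = "\x03"    # how Ctrl-C is represented in the capture (assumption)
PASTE = "\x16"   # how Ctrl-V is represented in the capture (assumption)


def simulate(events):
    """Replay editing events against an empty text field.

    events: ("key", ch), ("backspace",), ("click", n) placing the caret after
    the n-th character, ("copy", text) for selecting text elsewhere and
    pressing Ctrl-C, or ("paste",) for Ctrl-V.
    Returns (field_contents, capture): the capture is what a logger that sees
    only keystrokes records; mouse clicks are invisible to it.
    """
    field, caret, clipboard, capture = [], 0, "", []
    for ev in events:
        kind = ev[0]
        if kind == "key":
            field.insert(caret, ev[1])
            caret += 1
            capture.append(ev[1])
        elif kind == "backspace":
            capture.append(BACKSPACE)
            if caret > 0:
                del field[caret - 1]
                caret -= 1
        elif kind == "click":
            caret = max(0, min(ev[1], len(field)))   # not a keystroke: nothing captured
        elif kind == "copy":
            clipboard = ev[1]
            capture.append(COPY)
        elif kind == "paste":
            field[caret:caret] = list(clipboard)
            caret += len(clipboard)
            capture.append(PASTE)
        else:
            raise ValueError(f"unknown event {kind}")
    return "".join(field), "".join(capture)


def decoy_events(password, decoys):
    """Type the password with a decoy character inserted before each listed
    position, then click just to the right of each decoy and backspace it."""
    typed, decoy_at = [], []
    for i, ch in enumerate(password):
        if i in decoys:
            decoy_at.append(len(typed))
            typed.append(decoys[i])
        typed.append(ch)
    events = [("key", c) for c in typed]
    for pos in reversed(decoy_at):        # right to left so earlier positions stay valid
        events += [("click", pos + 1), ("backspace",)]
    return events


def paste_events(password):
    """Copy each character from a prepared paragraph and paste it into the field."""
    events = []
    for ch in password:
        events += [("copy", ch), ("paste",)]
    return events


def naive_replay(capture):
    """What a simple logger (or its owner) reconstructs: backspaces applied at the end."""
    out = []
    for c in capture:
        if c == BACKSPACE:
            if out:
                out.pop()
        else:
            out.append(c)
    return "".join(out)


def candidates(capture):
    """Every password consistent with a keystroke-only capture, for an attacker
    who realises the backspaces may have removed characters anywhere."""
    typed = [c for c in capture if c != BACKSPACE]
    keep = len(typed) - capture.count(BACKSPACE)
    return sorted({"".join(t) for t in combinations(typed, keep)})


if __name__ == "__main__":
    field, seen = simulate(decoy_events("re%G42k", {2: "X", 5: "Y"}))
    print(field, repr(seen), naive_replay(seen), len(candidates(seen)))
    print(simulate(paste_events("re%G42k")))
```

With two decoys in the middle, the field holds "re%G42k" while the capture is "reX%G4Y2k" plus two backspaces: a naive replay yields the wrong string "reX%G4Y", and an attacker who tries every placement faces 36 candidates, whereas decoys typed at the end are undone exactly by a naive replay and the paste method leaves nothing but control characters.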