Saturday, March 10, 2007

Secure Ecommerce, Banking and transaction on internet

Phishing

Phishing is the term given to the criminal practice of sending random emails purporting to come from genuine companies such as banks and ecommerce organisations. The emails try to convince customers of those companies to disclose personal information on fake websites operated by criminals. The emails often contain emotive messages and claim that it is necessary to "validate" or "update" customer account information. The emails contain instructions to click on a link within the email which takes the recipient of the email to the fake website. Here all information entered is collected by the criminals. Information captured through Phishing may be used to perpetrate different criminal acts. Your funds may be stolen and used to finance other criminal activities such as human trafficking, drugs and prostitution and your identity may be cloned and other criminal acts undertaken in your name.

How to avoid becoming a victim of Phishing?

It is important to remain vigilant and be suspicious of all unsolicited or unexpected emails you receive, even if they appear to originate from a trusted source such as Your Bank. It is important to remember that Your Bank will never ask you to reconfirm any personal information by clicking on a link in an email and visiting a website.

The structure of a Phishing email

Who is the email from?

The structure of the Internet makes it relatively simple for criminals to create fake entries in the "From:" box of an email. This means that Phishing emails often look like they come from a real bank email address.


It is important to remember that the email address you see in the "From" field may not be from the person or organisation that it claims. The message is also likely to contain odd "spe11ings" or cApitALs in the "Subject:" box - this is designed to bypass spam filter software and increase their chances of delivery to a potential victim.

Who are the intended victims?

Phishing emails are sent out randomly using bulk email lists. The criminals are cunning and whilst they may not know your real name or indeed anything else about you they will try to convince you to provide your account details. Because it is unlikely they know your name they tend to address their victims in vague terms such as "Dear Customer". The email may well include grammatical and spelling errors as it is likely that English is not their first language.



Some emails may also contain a login form directly in the body of the email to add authenticity to the scam.

Fake hyperlinks

As with forging email addresses in the 'From' box, it is also very simple to hide a hyperlink's true destination. This means that the link displayed in an email and anything which shows up in the status bar at the bottom of your email programme can be faked.


The Structure of a Phishing website:

The URL

The criminals are clever and use a number of techniques to hide the true location of a fake website in the address bar. The website address may begin with the genuine site's domain name (eg: online-banking.standardchartered.com.hk if you are looking for standard chartered bank's website), but unfortunately that is no guarantee that it points to the real site. Other techniques may include using addresses made up of numbers (IP addresses), registering a similar domain name, or even inserting an image of the real address into the browser window. To add credibility to their fake sites, many criminals create direct links from their pages to the genuine website.


Pop-up windows

Another technique involves loading a genuine website into your web browser and then creating a fake 'pop-up' window over the top of it. Again this technique is employed by criminals to add credibility to the scam. When used you can see the real website in the background, however any information you type into the pop-up window will be captured by the criminals and used for their criminal purposes.

It is important to remember that you should always access your online banking account, by typing the address into a new window.

What to do in the event you receive a Phishing email:

If you do receive a suspicious email, please contact Your Bank by forwarding the suspect email to your bank's official email address.

You can also report the incident directly to your regional organisation who designed to combat electronic incidents including criminal acts such as Phishing.

Hong Kong:
Website: http://www.hkcert.org/
Incident Reporting url: https://www.hkcert.org/incident/home.html

India:
Website: http://www.cert-in.org.in
Incident Reporting url: http://www.cert-in.org.in/incidentreporting.htm

Jersey:
Website: http://www.niscc.gov.uk
Incident Reporting url: http://www.niscc.gov.uk/niscc/reportIncident-en.html

Singapore:
Website: http://www.singcert.org.sg
Incident Reporting url: http://www.singcert.org.sg/incident.html

UAE:
Website: http://www.cert.etisalat-nis.ae/
Incident Reporting url: http://www.cert.etisalat-nis.ae/Incident_Reporting_Form.txt

Korea:
Website: http://www.apcert.org/
Incident Reporting url: report incidents via email: cert@certcc.or.kr ;

Asia Pacific Region:
Website: http://www.apcert.org/


Important points to remember

Your Bank will never send you an email requesting for you to "verify" or "update" your password or any personal information by clicking on hyperlink and visiting a website.
Be cautious about all unsolicited emails and never click on hyperlinks from these emails and provide personal information.
To connect to Internet banking, open your web browser and type the address in Address Bar by yourself. Never use a link to open the website of your bank.
If you are in any doubt about the validity of an email, or if you believe that you may have disclosed information on a fake website, contact Your Bank by sending an email to official address.

Tips for secure Internet Banking

PC security:
It is important to use up-to-date Anti-virus software and a personal firewall. If your computer uses Microsoft Windows operating system, it is important to keep it updated via the Windows Update feature, equally if you use another PC operating system or have an Apple Mac you should check regularly for updates. You should be vigilant if you use Internet cafes or a computer that is not your own and over which you have no control.
Check for Spyware:
In addition to being protected by using up-to-date antivirus software you should also regularly use software to remove Spyware from you computer, as these programs record information about your Internet use and transmit it without your permission. In some circumstances this can compromise your PC security.
Always access your Bank's Internet banking by typing in the correct URL into your browser.
Never click on a link in an email to take you to a website and enter personal details either in the email or website.

Password and PIN security:

You should always be wary if you receive unsolicited emails or calls asking you to disclose any personal details or card numbers. This information should be kept secret at all times. Be cautious about disclosing personal information to individuals you do not know. Please remember that your Bank would never contact you directly to ask you to disclose your PIN or all your password information.

Be cautious of unsolicited emails

Don't be conned by convincing emails offering you the chance to make some easy money. As with most things if it looks too good to be true, it probably is! Be cautious of unsolicited emails from overseas - it is much harder to prove legitimacy of the organisations behind the emails.



Keep your identity private offline:


Your identity can be as easily stolen offline as it can online. It is important that you comply with instructions about destroying new PIN numbers and expired bank cards. You should also consider using a crosscut shredder to destroy unneeded bank and other statements that may contain sensitive personal information. It is advisable to store retained documents in a suitable locked and fireproof container.

Check your statements: back to top

It is important to check your statements regularly; a quick check will help identify any erroneous or criminal transactions that might have been performed on your account without your knowledge.

Check your banking session is secure:

When undertaking any banking on the Internet, check that the session is secure. There are two simple indicators that will tell you if your session is secure. The first is the use of https:// in the URL. Some browsers such as Mozilla Firefox change the colour of the url window when you are in a secure session. The other indicator is the presence of a digital certificate represented by a padlock or key in the bottom right hand corner. If you double click on this icon it should provide you with information about the organisation with which you have entered in to a secure session .

Always completely log off from your Internet banking session:

It is important to completely log off from your Internet banking session; simply closing the window you performed the transaction in may not close the banking session. If your computer is infected with a Trojan, you session may become hijacked by a criminal and financial transactions performed without your knowledge. It is also advisable to disconnect from the Internet if you are not planning to use it.

Monday, March 5, 2007

10 General Computer Security Tips

Use antivirus and Spyware software:

Make sure you have Anti-virus software on your computer! Anti-virus software is designed to protect you and your computer against known viruses but with new viruses emerging daily, Anti-virus programs need regular updates to recognise these new viruses. It is important to update your Anti-virus software regularly - the more often you keep it updated, the better - you should consider updating the software at least once a week. If you use your computer and receive a lot of emails, then updates should be made more frequently. You should also consider using software to detect Spyware. Spyware is malicious software (malware) that is downloaded onto your computer (often without your knowledge). It can be used by third parties and criminals to monitor your Internet activities which could compromise the security of your personal information. As with Anti-virus software you should check your system regularly for Spyware at least once a week.

Don't Open Unknown Emails:

If you receive a suspicious email, especially from a sender you do not recognise, the best thing to do is to delete the entire message, including any attachment. . If you are determined to open a file from an unknown source, save it first and run your virus checker on that file. If the mail appears to be from someone you know, still treat it with caution if it has a suspicious subject line (e.g. "I loveyou" or "Anna Kournikova") or if it otherwise seems suspicious (e.g., it was sent in the middle of the night). Also be wary if you receive multiple copies of the same message from either known or unknown sources. Finally, remember that even friends and family may accidentally send you a virus or the e-mail may have been sent from their machines without their knowledge. This was the case with the "I Love You" virus that spread to millions of people in 2001.

Protect from Internet intruders:

You should equip your computer with a firewall! Firewalls create a protective wall between your computer and the outside world. They come in two forms, software firewalls that run on your personal computer and hardware firewalls that protect a number of computers at the same time. They work by filtering out unauthorized or potentially dangerous types of data from the Internet, while still allowing other data to reach your computer. Firewalls also ensure that unauthorized persons can't gain access to your computer while you're connected to the Internet.
Download security updates from operating systems and other software such as web browsers:
Most major software companies today release updates and patches to close newly discovered vulnerabilities in their software. Sometimes security flaws are discovered in a program that may allow a criminal hacker to attack and or control your computer. Before most of these attacks occur, the software companies or vendors create free patches for you that are posted on websites for download and installation by their customers. It is important to check your software vendors' websites regularly for new security patches or use the automated patching features that some companies offer such as Microsoft and Apple for their respective operating systems.

Password security:
The most secure passwords are those that contain a mix of upper and lower case characters as well as numbers and characters. You should also try and create a password that is around 8 characters long. Ultimately passwords will only keep someone out if they are difficult to guess! As with your PIN number and other private information it is important not to share your password. Try not to use the same password in more than one place. If someone should happen to guess one of your passwords, you don't want them to be able to use it in other places.
Simple Passwords :
1. A password should have a minimum of 8 characters, be as meaningless as possible, and use uppercase letters, lowercase letters, symbols and numbers, e.g., K2v7T5a8.
2. Change passwords regularly, at least every 60 days.
3. Do not give out your password to anyone!

Backup your computer regularly:

It is important to be prepared for the worst case scenarios, losing your information through a virus attack. Try and back up small amounts of data on floppy disks and larger amounts on CDs. If you have access to a network, consider saving copies of your data on another computer within the network. Many people make weekly backups of all their important data. It's also important to retain and store safely your original software start-up disks. Keep them handy and available
in the event your computer system files get damaged.
Limit sharing - don't allow access to strangers :
If you or a member of your family downloads files from the Internet via file-sharing networks, such as Kazaa, your computer operating system may allow other computers to access the hard-drive of your computer in order to "share files". This ability to share files can be used to infect your computer with a virus or allow someone to look at the files on your computer if you don't pay close attention. It is advisable therefore, unless you really need this ability, to make sure you turn off file-sharing. Check your operating system and other program help files to learn how to disable file sharing.

Disconnect from the Internet when not in use :

Disconnecting your computer from the Internet when you're not online lessens the chance that someone will be able to access your computer. And if you haven't kept your Anti-virus software up-to-date, or don't have a firewall in place, someone could infect your computer or use it to harm someone else on the Internet.

Check security settings regularly:

The software and operating system on your computer have many valuable features that make your life easier, but can also leave you vulnerable to hackers and viruses. You should evaluate your computer security regularly. You should look at the settings on applications that you have on your computer. Your browser software, for example, typically has a security setting in its preferences area. Check what settings you have and make sure you have the security level appropriate for you.

How to adjust Security Settings in Internet Explorer:

In the main browser window, select 'Tools' and then 'Internet Options'. When you do this a further pop-up window will open, select the second tab named 'Security', then select 'Custom Level' - from there you can choose an appropriate level to meet your individual needs. Please note that Mozilla Fire Fox is more secure than Internet Explorer.
Educate your family and other users of the computer about basic security
It is important that everyone who uses your computer is aware of proper security practices. All users of the same computer should know how to update the virus protection software, how to download and install security patches from software vendors and how to create a proper password. It only takes one user mistake to infect a computer.