The Popularity of Videos

Online videos are popular these days and as with anything popular scams are everywhere. The following two items take advantage of this popularity.

1. A movie called “Lust, Caution” has been attracting some attention lately. Some websites have been set up (in China) that promise the ability to download a bootleg copy of the movie. What the websites don’t point out is that the download is infected with a virus that steals your passwords.

So don’t try illegally obtaining copyrighted movies, and especially not this one.

2. YouTube Scams – An email has been doing the rounds containing an ad for a video supposedly hosted on YouTube. The email goes on to explain that the video is about two lovers, and includes comments and reviews.

If someone were to click on the link in this email (a link that at first sight appears to point to YouTube) they’ll be taken to a fake website made to look a little like YouTube. Then a message comes up saying that a new Flash player is required. Don’t install this player, it’s a virus. Pay close attention to links (URLs) in emails.
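The deceptive link in the YouTube email is easy to catch mechanically: the visible anchor text names one site, the underlying href points at another. The following is an added example (not code from the original article): a small checker that extracts the anchors from an HTML email body and flags every link whose visible text claims a domain different from the one the href actually goes to. The sample message, the host names in it and the crude "last two labels" domain rule are constructed assumptions for illustration.

```python
"""Flag e-mail links whose visible text claims one site but whose href goes elsewhere.
Added example; the sample message below is constructed, not a real scam mail."""
from __future__ import annotations
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML e-mail body (hosts are illustrative placeholders).
SAMPLE_EMAIL_HTML = """
<p>Two lovers caught on camera! Watch it on YouTube:</p>
<a href="http://video-player-update.example/flash/">http://www.youtube.com/watch?v=abc123</a>
<p>Also see <a href="http://www.youtube.com/">YouTube home</a> and
<a href="https://example.org/news">example.org</a></p>
"""

# Something that looks like a host name inside the visible link text.
_HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


def registrable_domain(host: str) -> str:
    """Crude 'site' label: the last two DNS labels (www.youtube.com -> youtube.com).
    Assumption for this example; a production check would use the public suffix list."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.anchors: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_deceptive_links(html: str) -> list[dict]:
    """Return anchors whose visible text names a domain that differs from the href's domain.
    Plain-word link text ("YouTube home") makes no domain claim and is not flagged."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        match = _HOST_IN_TEXT.search(text)
        if not match:
            continue
        claimed = registrable_domain(match.group(1))
        actual = registrable_domain(urlparse(href).hostname or "")
        if claimed != actual:
            findings.append({"text": text, "href": href, "claimed": claimed, "actual": actual})
    return findings


if __name__ == "__main__":
    for finding in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"suspicious: text says {finding['claimed']!r} but link goes to {finding['actual']!r}")
```

Run against the constructed message, the checker reports exactly one link: the one whose text reads as a youtube.com URL but whose href points at the fake "Flash player" host. Links whose text is a plain phrase are left alone, since they make no claim about where they go.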

Virtual Theft

The emergence of a new kind of crime is an interesting thing. We’ve had virtual worlds for quite a few years, and as their popularity grows so too do crimes such as fraud, or in this case theft.

There’s a game called Habbo Hotel. It’s an online game where people have online characters, and like a few other online games they can pay real money to decorate their characters and the rooms they occupy. Effectively they buy virtual items to enhance their game.

So when some teenagers are accused of stealing the usernames and passwords of other players, logging in with these accounts and transferring items to their own accounts, it becomes theft. The current buzzword is Virtual Theft. A 17-year-old Dutch teenager has been arrested over this allegation, and five other 15-year-olds are being questioned. What makes the “theft” significant is that the value of the virtual items is around US$5000.

A spokesman for Sulake, Habbo Hotel’s operator, said:

“It is a theft because the furniture is paid for with real money. But the only way to be a thief in Habbo is to get people’s usernames and passwords and then log in and take the furniture.”

The full article is here. It’s important to note that this isn’t an isolated case. Virtual worlds (in the form of online games) have been a growing trend and like most things that can happen in the real world most forms of crime can carry across to virtual worlds.

Virtual Visa Cards

This concept isn’t new, it’s just becoming more easily available. It’s like a prepaid credit card, and the idea is that if it gets lost or stolen there’s only so much credit that can be taken. It’s not linked to any of your usual bank or credit cards. It could also be considered a disposable credit card. (And the term debit would be more accurate than credit.)

In Australia there’s now a new credit card that works in this way called V-Card. It carries the Visa logo and can be used just like any other Visa credit card, except that you load whatever value you want onto it before you start spending.

Since the whole idea is to avoid online fraud you probably wouldn’t want to buy one online. They’re going to be available at real shops (Mobil/Quix for now); you then activate it online and they send you the security details by email or SMS to make you feel more secure. There’s a $5.50 setup fee on top of the credit.

It’s a good idea for many people, especially those who have avoided online shopping till now. It could also be useful when travelling overseas (so many travellers return with stories of how their credit card details were stolen).

Details here.

The Need For Strong Passwords

Passwords have been an everyday part of life with computers, and they won’t be replaced any time soon. A password is a form of authentication, granting you access to a system or service.

When security is based on passwords two pieces of information are required:

1. A username
2. A password

Often it’s not difficult to guess a username. Some computers keep this information easily available to anyone who cares to look; other times it’s just a matter of guessing.

Passwords are more difficult. The “strength” of a password is critical to keeping out unauthorised people. “Strength” is a measure of how hard it is to guess. And if you’re wondering who really sits there trying to guess passwords, you’re in for a surprise.

Passwords can be made stronger by using a combination of the following tips:

  • Make your password long. Tip: join 2 or 3 words together
  • Have at least one letter in uppercase
  • Don’t put a 1 at the end of your password (it doesn’t help at all)
  • Use a made-up word if you can think of one, or spell a real word incorrectly
  • Try not to use the same password on every website (more on this another day)

If you’re under the impression that no one will bother trying to guess your password then you definitely need to continue reading. Hackers don’t sit there trying to guess passwords (what could be more boring than that?). They write programs that do all the hard work of guessing passwords. Then they maliciously install these programs on other people’s computers (sometimes tens of thousands of hacked computers) to do the hard work for them. They just sit back and wait for the results to come in.

Protecting systems with passwords is a tough battle for the good guys (like you and me). As technology marches on we have faster computers, which means cracking passwords becomes easier.

Now the really interesting part. There’s been some development in all this password guessing technology – where it used to take one computer months to crack a Windows Vista password, by utilising the untapped power of a modern computer’s graphics processor it’s now possible to do the same work on the same computer in 3 – 5 days. That’s 25 times faster just from some clever programming (see this article for the details on how).

So in the real world we have programs running on tens of thousands of computers, relentlessly guessing billions of password combinations, with the expectation that soon they’ll find all the easy ones.

So be smart about passwords. Make yours very difficult to guess. And remember that there really are people out there trying to hack into your accounts, so always be careful.
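The tips above and the point about guessing speed can be turned into a concrete check. The following is an added example (not code from the original article): a function that reports which of the article’s tips a candidate password fails, and a second one that estimates how long a guessing program would need to exhaust every string of the same length and character classes at a given guess rate. The 12-character threshold, the tiny word list and the guess rates used are constructed assumptions, not figures from the article; the brute-force bound is an upper bound only, since a word from a list falls far sooner.

```python
"""Check a password against the article's tips and estimate brute-force time.
Added example; word list, length threshold and guess rates are constructed assumptions."""
from __future__ import annotations
import string

# Constructed stand-in for the word lists that guessing programs work through.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine"}
MIN_LENGTH = 12  # assumption: roughly what "join 2 or 3 words" gives you


def check_tips(pw: str) -> list[str]:
    """Return the article's tips that the password fails (empty list means it passes all)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short: join 2 or 3 words together")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if pw.endswith("1"):
        problems.append("trailing '1' adds almost nothing")
    if pw.lower() in COMMON_WORDS:
        problems.append("a real word as-is: misspell it or make one up")
    return problems


def charset_size(pw: str) -> int:
    """Size of the character classes an attacker must cover to reach this password."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_seconds(pw: str, guesses_per_second: float) -> float:
    """Seconds to try every string of the same length over the same character classes.
    This is an upper bound: dictionary words and common patterns fall much faster,
    which is why check_tips also consults the word list."""
    return charset_size(pw) ** len(pw) / guesses_per_second


def report(pw: str, guesses_per_second: float = 1e9) -> dict:
    """Combine both checks into one summary for a candidate password."""
    seconds = brute_force_seconds(pw, guesses_per_second)
    return {
        "failed_tips": check_tips(pw),
        "charset": charset_size(pw),
        "brute_force_days": seconds / 86400,
    }


if __name__ == "__main__":
    # Constructed guess rate: one billion guesses per second across a botnet.
    for candidate in ("monkey1", "Blueish-Kettledrum"):
        print(candidate, report(candidate, guesses_per_second=1e9))
```

The two things worth noticing when you run it: a short all-lowercase password ending in 1 fails most tips and has a search space that a billion-guess-per-second rate clears almost instantly, while a long made-up phrase with one capital letter passes the tips and pushes the exhaustive bound out by many orders of magnitude. Length dominates: every extra character multiplies the bound by the charset size.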

What is Search Jacking?

What is Search Jacking? And how is it bad?

The term Search Jacking is used when a program or network takes you to a search engine when you type an incorrect address into your web browser (e.g. Internet Explorer). For example, if you enter ffraudo.com into the address bar of your web browser it is supposed to show you an error, because the address doesn’t exist (at the time of writing this article). At least that’s how it’s meant to work in theory.

Some people with large marketing ambitions decided that if you enter an address that doesn’t exist it should take you to a search engine that can suggest some websites for you. One prominent company that did this is Microsoft. Microsoft’s Internet Explorer takes you to a search engine and suggests some other sites, not necessarily the site you really wanted to see.

There have been a few companies that have taken it upon themselves to redirect the general internet user to their search engine of choice, and their choice is decided by whoever’s paying them the most. The technique is similar to domain squatting, where mistyping a web site address takes you somewhere unexpected. Cox and Earthlink have also used this technique before.

The latest in search jacking attempts comes from Verizon (an American telecommunications company). If your internet is connected through Verizon and you try going to an invalid web site, you might land on Verizon’s search website (for the moment it’s active on one of their fibre networks).

Is there a danger to you? For now there’s no real danger, it’s more of a nuisance. Soon they’ll most probably start putting ads on this search site. It’s a little deceptive, and some call it “accidental content delivery”. You accidentally type in an incorrect address, they deliver content of their choice. And of course they’ll make money from it.

It’s more of a nuisance for now, and if it works out for them other companies are likely to follow. If your network has already adopted this search jacking system you could complain to your internet provider. After all, someone’s paying for your internet connection and you shouldn’t expect your internet provider to fill it with ads.
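When the redirect is done by the network rather than the browser, it shows up at the DNS level: a name that should produce a “does not exist” error instead resolves to the provider’s search server. The following is an added example (not code from the original article) of how to test your own connection for that. It looks up a few random, never-registered names and treats any answer as a sign of hijacking; if every random name comes back with the same address, that is the typical search-page redirect. The base domain example.com (reserved by IANA, so nothing under it should resolve), the label length and the sample answers in the test are constructed assumptions.

```python
"""Probe the system resolver for NXDOMAIN hijacking ("search jacking" at the DNS level).
Added example; base domain, label length and the classification rules are assumptions."""
from __future__ import annotations
import random
import socket
import string

BASE_DOMAIN = "example.com"  # reserved by IANA: random hosts under it must not exist


def random_nonexistent_name(base_domain: str = BASE_DOMAIN) -> str:
    """Build a host name nobody registered, e.g. 'k3jf8sd0q1x2.example.com'."""
    label = "".join(random.choices(string.ascii_lowercase + string.digits, k=12))
    return f"{label}.{base_domain}"


def lookup(name: str) -> list[str] | None:
    """Resolve via the system resolver; None when the resolver says the name does not exist."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def classify_lookup(addresses: list[str] | None) -> str:
    """A name that must not exist should yield no addresses; anything else is a redirect."""
    if not addresses:
        return "clean"
    return "hijacked"


def looks_like_redirect(answers: dict[str, list[str] | None]) -> bool:
    """True when every probed name resolved and all resolved to the same address set,
    the signature of a provider sending all typos to one search page."""
    resolved = [tuple(a) for a in answers.values() if a]
    return len(resolved) == len(answers) and len(set(resolved)) == 1 and bool(resolved)


def check_resolver(base_domain: str = BASE_DOMAIN, trials: int = 3) -> dict:
    """Probe several random names and summarise what the resolver did with them."""
    answers = {}
    for _ in range(trials):
        name = random_nonexistent_name(base_domain)
        answers[name] = lookup(name)
    hijacked = [n for n, a in answers.items() if classify_lookup(a) == "hijacked"]
    return {
        "answers": answers,
        "hijacked": hijacked,
        "single_search_page": looks_like_redirect(answers),
        "verdict": "hijacked" if hijacked else "clean",
    }


if __name__ == "__main__":
    result = check_resolver()
    for name, addrs in result["answers"].items():
        print(f"{name}: {addrs if addrs else 'NXDOMAIN (good)'}")
    print("verdict:", result["verdict"], "| all typos go to one address:", result["single_search_page"])
```

On a clean connection every probe prints NXDOMAIN and the verdict is “clean”. If the provider is search jacking, the random names resolve, usually all to one address, and the report says so; that address is what to quote when you complain to the provider.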

Deceptive Template Downloads

If you run your own website, in particular a blog such as the one this article is written on, you’ve come across templates. A template may also be called a skin, or a theme. These templates add the design, colour, layout, and feel of a website, and are developed by creative web designers.

Some templates are free, others are bought or custom made. And there are websites that collect free templates to make it easier for non-designers to pick and choose.

It’s recently come to light that some of these template collections have been tainted. The person (or people) collecting and hosting the templates have quietly edited them all and embedded some code to suit their own purposes.

One such deceptive template collection is blogstheme.com. They’ve been caught adding code to the footer of the themes they host to collect marketing data. What makes this even more deceptive is that they didn’t actually create any of the templates; they’re modifying other people’s work. Another website previously exposed for doing something similar is templatesbrowser.com.

So if you run a website, blog, or similar and hunt around for interesting templates on these collection sites, always go back to the original developer’s website and download it from there. This way you’re downloading it directly from the person who created it, and not risking downloading a tainted copy.
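Going back to the original developer is the right habit; a second habit is to look at what a downloaded theme actually contains before installing it. The following is an added example (not code from the original article or from any of the sites named) of a small scanner that walks a theme directory and flags the kinds of additions a tampered footer tends to carry: obfuscated PHP, links hidden from view with CSS, and scripts or includes pulled from remote hosts. The patterns are my own heuristics, a hit means “read this file”, not “this is malware”, and the two-file theme it scans is constructed in a temporary directory for the demonstration.

```python
"""Scan a theme directory for injected footer code: obfuscated PHP, hidden links,
remote scripts and includes. Added example; patterns and sample theme are constructed."""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

# Heuristic patterns (assumptions): label and the regex that triggers it.
SUSPICIOUS = [
    ("obfuscated php", re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("hidden link", re.compile(
        r"<(a|div|span)[^>]*(display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>.*?<a\s", re.I | re.S)),
    ("remote script", re.compile(r"<script[^>]+src\s*=\s*[\"']https?://", re.I)),
    ("remote php include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*[\"']https?://", re.I)),
]
SCAN_SUFFIXES = {".php", ".html", ".htm", ".js", ".css"}


def scan_text(text: str) -> list[str]:
    """Return the labels of every pattern that matches the given file contents."""
    return [label for label, rx in SUSPICIOUS if rx.search(text)]


def scan_theme(theme_dir: Path) -> dict[str, list[str]]:
    """Map each flagged file (relative path) to the labels it triggered."""
    findings: dict[str, list[str]] = {}
    for path in sorted(theme_dir.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path.relative_to(theme_dir))] = hits
    return findings


def build_sample_theme(root: Path) -> Path:
    """Write a constructed two-file theme: a clean header and a tampered footer.
    The base64 payload decodes to a harmless echo 'hi'; it only exercises the pattern."""
    theme = root / "sample-theme"
    theme.mkdir()
    (theme / "header.php").write_text(
        "<?php wp_head(); ?>\n<div id='header'><h1>Blog</h1></div>\n"
    )
    (theme / "footer.php").write_text(
        "<div id='footer'>Powered by WordPress</div>\n"
        "<div style='display:none'><a href='http://ads.example/'>cheap stuff</a></div>\n"
        "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>\n"
    )
    return theme


def demo() -> dict[str, list[str]]:
    """Scan the constructed sample theme and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_theme(build_sample_theme(Path(tmp)))


if __name__ == "__main__":
    for filename, labels in demo().items():
        print(f"{filename}: {', '.join(labels)}")
```

On the sample theme only footer.php is reported, with both the hidden link and the obfuscated PHP. Point scan_theme at a real downloaded theme and compare its output against the same theme fetched from the developer’s own site: a footer that triggers patterns in one copy but not the other is exactly the tampering described above.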

It’s unfortunate that as the Internet continues to grow there are always new threats appearing where you least expect them. Hopefully by reading this site and encouraging others to do so we can all avoid the dangers and use the Internet to its full potential. Education is always a good solution.

SMS Authentication for Credit Cards

A few banks have recently introduced SMS authentication for their credit cards. Basically they’ll send an SMS (text message) to your mobile phone (cell phone, or handphone) to confirm a transaction. You reply to the SMS to approve the transaction.

It’s a security model called “Two-Factor Authentication”. This means you need to be in possession of two “things” for a transaction to be approved. If someone stole your credit card details and made a transaction, e.g. online, you would receive an SMS on your phone and you’d know it was fraudulent. In this case you wouldn’t reply to the SMS and the transaction would be halted. And if you’re making the purchase yourself you can approve your own transaction.

The idea sounds good at first. And of course it has its own set of problems. More interesting are the reasons why these banks have introduced this technology.

Problems:

  • Only some transactions are protected using this method. It’s up to the banks, but generally it seems that a large number of transactions will continue to function as before.
  • For legitimate purchases it can be a nuisance
  • It’s not a foolproof system
  • As more people use the SMS option the costs to the bank will increase greatly and they would either end the service or pass on costs to their customers

Here’s an interesting comment published in this ZDNet article. Matthew Woodrow, Head of Information Security at Westpac, was quoted as saying “It’s not to do with security at all… consumers have expectations of security levels while using their mobile phones to do their banking. So you’re not thinking about security at all, but you’re thinking about the product and what consumers want”. In other words a large bank’s security expert is admitting that SMS authentication is more about how customers “feel” about safety.

It seems to be a temporary fix to credit card fraud. Smart card technologies (chips embedded in the credit card) seem to be a better solution.

In summary, security is often more about how it makes people “feel” than about truly preventing crimes. It helps to see things for what they really are and not believe what you hear in ads.

Technical Definitions

This article summarises some terms used to classify all the different threats out there on the internet.

Terms that end with ware:

  • Malware – a general term that covers all of the terms below.
  • Spyware – programs that secretly spy on your computer recording such things as your passwords and sometimes even what’s on your screen.
  • Crimeware – a general term for programs that install themselves on your computer for the purpose of committing a crime (such as stealing your money from your bank account). These are usually controlled by hackers.
  • Adware – programs that cause your computer to display a large number of ads. They have the side effect of slowing down your computer.
  • Trackware – these programs monitor what websites you visit and send statistical data back to a 3rd party (often a marketing company). This is often considered an invasion of privacy.
  • Grayware – a general term for malware that is used for marketing (as opposed to committing crimes).

Other terms:

  • Spam – unsolicited email.
  • Browser Hijacker – a program that changes the settings of your web browser, such as your home page or the error page.
  • Freeloaders – any program that installs itself by fraudulent means.
  • Browser Helper – often seen as a toolbar for web browsers, such as the Google Toolbar or Yahoo Toolbar. Some of the less well known browser helpers monitor and manipulate your browser.
  • Keylogger – a type of spyware that records keystrokes on your keyboard. This will capture your username and password when you log into services.
  • Dialer – a program that makes phone calls using your dialup modem without your permission. Often to expensive premium phone services.
  • Zombie – a computer that has a hidden program allowing a hacker to take it over at any time.
  • Botnet – a large collection of zombie computers. Hackers sometimes need to control lots of computers at once to cause some of the trouble they cause.
  • Vulnerability – almost all programs have vulnerabilities. Sometimes it takes days and other times it can take years for someone to find one. Vulnerabilities can then be exploited, e.g. to take control of computers.
  • Zero Day Exploit – when a vulnerability is discovered in a program and hackers can exploit it on the same day it’s discovered, it’s called a zero day exploit. This means software and antivirus companies have less than a day to discover the exploit and update their software to combat it – often a difficult thing to achieve.
  • Phishing – the practice of tricking users into going to a login page that looks legitimate but sends login details to the hackers.
  • Cookies – these aren’t bad, they’re used so web pages can remember you. Some people consider this an invasion of their privacy.

This is only a small set of the technical terms used to describe online security threats; most of the others are advanced and relevant to professional IT workers. The descriptions have also been simplified because this is an introduction to security.

Unsolicited phone calls

This one isn’t about security online but rather over the phone, though the same concept could be applied to the online world. In fact, it’s not about a scam but about how some organisations carry out legitimate work without realising how it affects the security of their customers.

From time to time some organisations contact their customers to confirm their details and just to ask if they’re happy with the service. The phone call is often from a call centre (whether internal or outsourced), and the originating phone number is often not provided.

The operator introduces themselves, asks if they’re speaking to the correct customer, etc. Then the operator, following their script, asks the customer to verify that they’re the real account holder (or have some other relationship to the organisation).

The operator asks something along the lines of “to confirm you are <yourname>, can you tell me your street address?”, or asks for some other private information such as your password, date of birth, etc.

In most cases there is nothing fraudulent happening here, and I suppose most people would carry on the conversation by providing the correct information. There may even be an incentive such as a prize for completing the phone call. But what just happened here?

The customer received an unsolicited phone call from a private number asking for their personal details.

While this situation (which happens often) may be legitimate, the organisations are asking their customers to throw caution to the wind and to compromise the security of their accounts.

There are two major points to raise here:

  1. People should never divulge private data (passwords, dates of birth) to someone they can’t be 100% sure is a legitimate representative of the organisation.
  2. Companies should never ask their customers to do so.

I have received such phone calls from large service providers and even from the local tax office (a government department). When I refused to provide my details the person on the phone was at first surprised, then eventually said they couldn’t help me any further without following their script.

Now I have no way of knowing whether these phone calls were really from who they said they represented, but I believe they were because in both cases I had recently made significant changes to my account. But I refused to provide this information in this scenario, and anyone who values their privacy (and their money) should also refuse.

What if there’s a good reason to continue with the call? Here are a few suggestions:

  • Ask for the caller’s name and the department they’re calling from. Then find their phone number from a directory service and call them back. Don’t ask them directly for their phone number; this doesn’t prove very much. You need to get their phone number from a trusted 3rd party (such as a phone book, directory assistance, or the company’s web site).
  • Ask them to provide the information in writing.
  • Ask them questions that you consider private and that they should have available in their computer system: when and where you opened the account, how much your last bill was, your password. (In my examples above the operator wasn’t allowed to tell me because of their security policy, after which I politely ended the call.)
  • And most of all let them know that you have no way of distinguishing them from a scammer and that their phone call sounds suspicious.

It’s up to everyone to be vigilant about security, both you and the service providers.