Category archive: security

Vehicles Of Financial Frauds: Phishing, Vishing, And Other Social Engineering Methods

by golbguru on September 28, 2007

Over the past few weeks, I have been getting an increasing number of messages from readers about some Bank of America scam emails and related fake websites. As such, I thought it would be in order to discuss some of these issues by way of a dedicated post. Although the content below is by no means a comprehensive compilation of methods of financial fraud, it should be a fairly useful starting point for generating awareness about this topic.

Also, since most people who read this blog (and other personal finance blogs) are probably financially savvy to some extent - that is, they probably conduct a lot of financial transactions online, are aware of the risk of identity theft, etc - it’s all the more important that they are aware of the information discussed below.

This post became a bit too lengthy for my taste, so here is a little table of contents to help you navigate if you don’t like scrolling too much:


Phishing

This is an internet-based activity in which attempts are made to fraudulently extract sensitive financial and personal information from unsuspecting victims. The most common method is sending fake emails that direct readers to counterfeit websites designed to look like authentic ones. The thieves are after information like credit card numbers, CVV or CVC codes (the three-digit numbers on the back of your card), ATM card numbers and PINs, and login IDs and passwords for transaction sites like eBay, PayPal, online banking, etc.

Here is an example of a Bank of America phishing email that I received several months ago - since then, there have been many instances of people almost being fooled by similar BoA emails (check the comments in that post).

Here is a YouTube video that explains a bit more about phishing using a specific example:

[youtube]n2QKQkuSB4Q[/youtube]

A rich source of information on phishing and related issues is the Anti-Phishing Working Group. Some essential guidelines from this website to avoid being a victim of a phishing scam are as below:

  • Be suspicious of any email with urgent requests for personal financial information.
  • Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t know the sender or user’s handle.
  • Avoid filling out forms in email messages that ask for personal financial information.
  • Regularly log into your online accounts.
  • Regularly check your bank, credit and debit card statements to ensure that all transactions are legitimate.
  • Always report “phishing” or “spoofed” e-mails to the following groups:
    1. Forward the email to reportphishing@antiphishing.org
    2. Forward the email to the Federal Trade Commission at: spam@uce.gov
    3. Forward the email to the “abuse” email address at the company that is being spoofed (e.g. “spoof@ebay.com”)
    4. When forwarding spoofed messages, always include the entire original email with its original header information intact
    5. Notify The Internet Crime Complaint Center of the FBI by filing a complaint on their website: www.ic3.gov/

In addition to these measures, read below about protection against spoofing and ransomware - all the measures should go together for increased effectiveness.


Spoofing

There are different types of spoofing, but for our purposes let’s restrict ourselves to website spoofing - that is, the creation of fake financial websites designed to imitate authentic ones… again for the purpose of stealing financial information. Spoofing goes hand in hand with phishing - a phishing email, with all its fake links, is designed to lure the recipients to a spoof website.

Here are links to two sample images: 1. Bank of America Spoof Site, and 2. Bank of America Authentic Site. You can see how good this spoofing business can get.

Two quick checks that catch most spoof sites are:

  • Look at the URL in the address bar of your browser. Authentic financial websites are secured and their URLs start with “https”, not “http”. Just as important is the domain name itself: something like “www.bankofamerica.com.example.net” or “www.bankofamerica.com@203.0.113.7” is not bankofamerica.com, no matter what the link in the email looked like. Read the address from the right-hand end.
  • Look for the padlock image in the status bar of your browser - no padlock image means the connection is not secured. Go ahead and click on the padlock and check that the certificate was issued for the domain you expect. Keep in mind that the padlock only tells you the connection is encrypted to whoever owns the domain shown in the address bar; a spoof site can have a perfectly valid certificate for its own look-alike domain, so the domain name is the thing to verify.

If you are looking for automatic protection, Firefox 2.0 and Internet Explorer 7.0 have some built-in spoof/phishing detection measures in them. To add an additional level of security, you can use browser extensions or other programs that will do the job for you. Here are a couple of such free programs that can be really valuable:
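The phishing guidelines and the two address-bar checks above can be turned into a small script. The following is an added example, not code from the original post: it pulls every link out of an HTML email body, compares the visible link text with the real destination, and applies the address-bar checks (user@host trick, bare IP address instead of a domain name, untrusted domain, no https). The TRUSTED set, the helper names and the sample email are assumptions constructed for this illustration.

```python
# Added example (not from the original post): pair every link in an e-mail
# with its visible text and explain why the real destination looks wrong.
# SAMPLE_EMAIL is constructed; the TRUSTED set and the helper names are
# assumptions made for this illustration.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"bankofamerica.com", "ebay.com", "paypal.com"}   # assumption


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the <a> tags of an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, text) pairs
        self._href = None    # href of the <a> we are currently inside
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name: good enough for the .com cases here."""
    return ".".join((host or "").lower().rstrip(".").split(".")[-2:])


def classify_url(url, trusted=TRUSTED):
    """Return the reasons a URL looks like a spoof; an empty list means it looks fine."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    reasons = []
    if parts.username is not None:
        # http://www.bankofamerica.com@203.0.113.7/ : the browser connects to 203.0.113.7
        reasons.append(f"user@host trick: the real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        reasons.append("bare IP address instead of a domain name")
    except ValueError:
        pass
    if registrable_domain(host) not in trusted:
        reasons.append(f"host {host!r} is not a trusted domain")
    if parts.scheme != "https":
        reasons.append("not https")
    return reasons


def audit_email(html, trusted=TRUSTED):
    """Return [(href, visible text, reasons)] for every link in the mail."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = classify_url(href, trusted)
        # The classic trick: the text shows a trusted address, the href goes elsewhere.
        shown = re.search(r"[\w-]+(?:\.[\w-]+)+", text)
        if shown and registrable_domain(shown.group(0)) in trusted \
                and registrable_domain(urlsplit(href).hostname) != registrable_domain(shown.group(0)):
            reasons.append(f"link text says {shown.group(0)!r} but the link goes to {urlsplit(href).hostname!r}")
        findings.append((href, text, reasons))
    return findings


# Constructed sample of a phishing mail body (not a real message).
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please verify your account now:</p>
<p><a href="http://www.bankofamerica.com.secure-login.example/verify">https://www.bankofamerica.com/</a></p>
<p><a href="http://www.bankofamerica.com@203.0.113.7/login">Click here</a></p>
<p><a href="https://www.bankofamerica.com/">Bank of America home page</a></p>
"""

if __name__ == "__main__":
    for href, text, reasons in audit_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   !", reason)
```

Run it on the constructed sample and the first two links are flagged (look-alike domain plus mismatched link text; user@host trick plus bare IP) while the genuine home-page link comes back clean. The two-label domain rule is deliberately crude; for country-code domains such as .co.uk a public-suffix list would be needed.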


Vishing

This is an offshoot of phishing, coined to describe attempts to steal financial information using voice plus phishing, with the “voice” coming from VoIP (Voice over Internet Protocol) technology. Criminals are attracted to this method of scamming because VoIP makes caller ID spoofing easy and calls placed from VoIP terminals are difficult to trace back to their origin (which protects the identity of the identity thieves!), unlike calls made from a land line or a cell phone.

Here is the modus operandi according to Wiki:

When the victim answers the call, an automated recording, often generated with a text to speech synthesizer, is played to alert the consumer that their credit card has had fraudulent activity or that their bank account has had unusual activity. The message instructs the consumer to call the following phone number immediately. The same phone number is often shown in the spoofed caller ID and given the same name as the financial company they are pretending to represent. When the victim calls the number, it is answered by automated instructions to enter their credit card number or bank account number on the key pad.

The simplest way to avoid being a victim of this scam is to never give your personal information over the phone to unsolicited callers, no matter how urgent or official the call sounds. If the caller (or the recorded message) claims to be from your bank, hang up and call the number printed on the back of your card or on your statement, not the number you were given. Don’t compromise on this for any reason.


Pharming

This is essentially phishing, but it goes beyond simple tricks like fake emails filled with bogus links. Phishing can be remedied by simple security measures that you can observe while using your computer; pharming, however, is not that easy to contain.

Here, the fraudsters attack the flow of information on the internet - such that, even if you type in the real authentic URL for a financial institution in your computer, you will be illegally redirected to a scam website designed to steal your information. Due to the technical complexity involved in rigging up such a system, pharming scams are not as popular as phishing scams - as of yet; but fraudsters become smarter by the minute, so this will be something to watch out for in future.

A particularly ominous pharming tactic is known as domain name system poisoning (DNS poisoning), in which the domain name system table in a server is modified so that someone who thinks they are accessing legitimate Web sites is actually directed toward fraudulent ones. In this method of pharming, individual personal computer host files need not be corrupted. Instead, the problem occurs in the DNS server, which handles thousands or millions of Internet users’ requests for URLs. Victims end up at the bogus site without any visible indicator of a discrepancy. Spyware removal programs cannot deal with this type of pharming because nothing need be technically wrong with the end users’ computers. (source)
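The quoted passage contrasts DNS-server poisoning with the simpler form of pharming it mentions in passing: corrupting the hosts file on your own computer, which your system consults before it ever asks a DNS server. That local form is something you can check for yourself. The following is an added example, not code from the original post: it parses a hosts file and flags any entry that pins a financial domain, or that maps an ordinary name to a public address. The WATCHED_DOMAINS list, the default file locations and the sample file are assumptions constructed for this illustration.

```python
# Added example (not from the original post): audit a hosts file for the
# local form of pharming, where malware pins a bank's domain name to an
# address of the attacker's choosing. WATCHED_DOMAINS and the file locations
# are assumptions; SAMPLE_HOSTS is a constructed poisoned file.
import ipaddress
import sys

WATCHED_DOMAINS = {"bankofamerica.com", "hsbc.com", "paypal.com", "ebay.com"}  # assumption
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-allnodes", "ip6-allrouters"}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file syntax:
    '<address> <name> [<alias> ...]' with '#' starting a comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield lineno, fields[0], name.lower().rstrip(".")


def audit_hosts(text, watched=WATCHED_DOMAINS):
    """Return (line, name, ip, reason) for entries that look like pharming."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, name, ip, "unparseable address"))
            continue
        parent = ".".join(name.split(".")[-2:])
        if parent in watched:
            # A bank never needs a hosts entry: any pin is suspect, whatever the address.
            findings.append((lineno, name, ip, "watched domain pinned in hosts file"))
        elif name not in LOCAL_NAMES and not (addr.is_private or addr.is_loopback or addr.is_unspecified):
            # Home-LAN (private) and ad-blocking (0.0.0.0 / 127.0.0.1) entries are normal;
            # a public address for any other name deserves a look.
            findings.append((lineno, name, ip, "name mapped to a public address"))
    return findings


# Constructed sample: what a hosts file looks like after a pharming trojan.
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
192.168.1.20    nas.home                       # home LAN, harmless
0.0.0.0         ads.tracker.example            # ad-blocking entry, harmless
203.0.113.45    www.bankofamerica.com bankofamerica.com   # <- the problem
"""


def hosts_file_path():
    """Default location of the hosts file on Windows and on Unix-like systems (assumption)."""
    if sys.platform.startswith("win"):
        return r"C:\Windows\System32\drivers\etc\hosts"
    return "/etc/hosts"


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else hosts_file_path()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            problems = audit_hosts(fh.read())
    except OSError as exc:
        sys.exit(f"cannot read {path}: {exc}")
    for lineno, name, ip, reason in problems:
        print(f"{path}:{lineno}: {name} -> {ip}: {reason}")
    print(f"{len(problems)} suspicious entries" if problems else "no suspicious entries")
```

Run without arguments it reads your own hosts file; pass a path to audit a copy. On the constructed sample it reports the two bank entries on line 6 and nothing else. It cannot see poisoning that happens inside your ISP’s DNS server, which is the case the quoted passage describes; the analogous check there is to compare the answer your resolver gives for the bank’s name with the answer from a second, independent resolver, and to distrust a padlock whose certificate does not match the bank’s domain.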


Ransomware-ing

This is a relatively new beast. In this, attackers get a malicious program onto your computer that steals photos and documents, or encrypts all your data (so that you can’t access anything). Then they send you a ransom note demanding money if you want your data back or you want access to your computer again. Call it “data kidnapping” if you want.

Here is a video that explains it all:

[youtube]CO3pWtcaKpA[/youtube]

The malicious programs, or “ransomware”, used in these cases usually arrive as email attachments or as drive-by downloads from untrusted websites. The best defense against such an attack is to keep your computer security up to date with the latest antivirus, antispyware, and firewall protections, and, just as important, to keep a current backup of your files on a disk that is not left connected to the computer: encrypted files you can restore from a backup are worth no ransom. Some popular free security tools are listed below:


Dumpster Diving

Oh yeah! Low-tech means to achieve rich results. This has nothing to do with computers or the internet, but it can be equally damaging in terms of losing valuable financial information. And the sole reason why this is still going on? People have still not learned to shred their financial documents before putting them in the trash.

If you don’t yet have a shredder, go get one right now. Nowadays you can get one for the price of a couple of burgers; a cross-cut model is worth the small premium over a strip-cut one, since strips can be pieced back together.

There is a technological side to dumpster diving that raises its head occasionally: dumpster diving for electronic data. Don’t throw your used hard drives in the trash without wiping them (completely stripping them of residual data). Simply deleting files or formatting a drive is not enough; both only remove the file system’s bookkeeping and leave the data itself on the platters, where recovery software can carve it back out. Read this article to learn more about this issue - wiping your hard drive clean before disposing of it. Personal finance enthusiasts who keep spreadsheets or software programs to manage their finances should be especially aware of how they dispose of their hard drives.
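To see why “delete” and “quick format” leave your data behind, here is an added example, not code from the original post: a toy model of a file system kept in a byte array, where a directory maps file names to their position in the data area. Deleting drops the directory entry and quick-formatting empties the directory, exactly as real file systems do, while the bytes stay on the “platters” until they are overwritten. The class and the account data are constructed for the illustration.

```python
# Added example (not from the original post): why deleting or quick-formatting
# leaves your data on the drive. ToyDisk is a toy model of a file system in a
# bytearray; "delete" only forgets the name, as real file systems do. The
# account data written to it is constructed.
import os


class ToyDisk:
    def __init__(self, size=4096):
        self.sectors = bytearray(size)   # the raw platter
        self.directory = {}              # name -> (offset, length)
        self._next_free = 0              # simple bump allocator, never reuses space

    def write_file(self, name, data):
        start = self._next_free
        self.sectors[start:start + len(data)] = data
        self.directory[name] = (start, len(data))
        self._next_free += len(data)

    def delete(self, name):
        """Ordinary delete: drop the directory entry, leave the bytes in place."""
        del self.directory[name]

    def quick_format(self):
        """Quick format: empties the directory, touches none of the data area."""
        self.directory.clear()
        self._next_free = 0

    def wipe(self, passes=1):
        """Overwrite every sector with random bytes; this is what actually removes data."""
        for _ in range(passes):
            self.sectors[:] = os.urandom(len(self.sectors))
        self.quick_format()

    def carve(self, needle):
        """What a recovery tool does: ignore the directory, scan the raw sectors."""
        return self.sectors.find(needle) != -1


def demo():
    """Return (found after delete, found after quick format, found after wipe)."""
    disk = ToyDisk()
    disk.write_file("finances.csv", b"account,1234567890,routing,123456789\n")  # constructed
    disk.write_file("notes.txt", b"nothing sensitive here\n")
    disk.delete("finances.csv")
    after_delete = disk.carve(b"1234567890")       # directory says gone, sectors say otherwise
    disk.quick_format()
    after_format = disk.carve(b"1234567890")       # still there
    disk.wipe()
    after_wipe = disk.carve(b"1234567890")         # finally gone
    return after_delete, after_format, after_wipe


if __name__ == "__main__":
    print(demo())
```

The account number is found after the delete and after the quick format, and only disappears after the overwrite. On a real drive the equivalent of wipe() is overwriting the whole device, for example with shred or with dd from /dev/urandom on a Unix-like system, or with a dedicated boot-disk wiping tool; with the drive no longer mounted, not just the files you remember creating.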


Social Engineering

This is defined as follows:

… social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system. (source)

“Hacker” means any unauthorized person wishing to steal your sensitive information - not restricted to just computer hackers.

From this definition, it is obvious that all the methods of financial fraud discussed above are subsets of this broad thing called social engineering. Be very wary of it - it ends in identity theft and loss of valuable and sensitive financial information.


Apart from using the technological tools to fight social engineering, the best thing we can do is to train ourselves to look at things with a critical eye. Knowledge and awareness are your best friends towards mitigating the risk of becoming a victim of social engineering and financial fraud. Hope this post gives you a head start in that respect.

Additional useful resources:


HSBC Finally Introduces New Login Security Feature For Online Banking

by golbguru on November 8, 2006

When I logged in to HSBC today, I was greeted with a message about its security feature update and the “migration” from the old interface to a new one. I say “finally” because I have been getting this update message since 11th October saying that I will come across some of these features when I log in… but that never happened until today. In case you haven’t logged in after the change, here is what to expect:

- A long... very long agreement/disclosures document with an “I Agree” button at the bottom.
- You will be asked to create a keypad-style security key. Most of you must already have a security key in place for the “bank-to-bank transfer” module of the old interface. You can use that as the new one (read below why this is ok).
- You will be asked two security questions. Sorry, no creative stuff here; it’s a rigid list of 4 or 5 questions to choose from.
- You can use your old security key as the new login key because, in the new interface, the “bank-to-bank transfer” module does not require a separate security key anymore. It’s a pity they did that; I liked the old system better because somehow having a separate security key for “bank-to-bank transfer” made me feel more secure.
- For future logins, you will need a username, password, and the security key to log in to your account.

By the way, in case you miss reading this detail when you next login to HSBC, there are only three login instances and a deadline for you to accept the terms of the new interface and enroll using the new features.


How Secure Is Your Information On Yodlee?

by golbguru on October 4, 2006

When I tell people about how great Yodlee’s MoneyCenter is, the first concern they express is “Did you say it saves all your passwords? Doesn’t that sound risky?”. I then try to alleviate their fears by mentioning a word on Yodlee’s security measures. Also, mentioning Yodlee’s customer base has helped in the past. This post summarizes some of Yodlee’s security measures. I am hoping this will encourage more people to get their financial management in order through Yodlee. This is NOT pay-per-post, just in case it sounds like an advertisement.

Here, I will quote a Yodlee employee’s response to a query on its security (with minor typographical edits). This and more useful information can be obtained from the Yodlee Forum.

  1. We encrypt everything between your browser and our servers using industry standard 128bit SSL encryption.
  2. After it gets to our side, it is protected by multiple layers of firewalls - the number of which I cannot tell you for security reasons, nor the vendors, but we use many and many vendors.
  3. All sensitive field data is encrypted and stored in our databases encrypted internal to the tables with multiple rotating keys.
  4. All databases are protected from employee access both physically and logically.
  5. All databases are encrypted physically, and all drives and tapes are encrypted with different keys.
  6. No employee can put any content on any unsecure machine (i.e., nothing can be taken from the database and put on a laptop).
  7. All servers are customized and utilize an ultra locked down version of linux.
  8. Multiple layers of intrusion detection systems both software and people running 24×7.
  9. Automated software auditing of our source code to check for problems in the code.

From a process point of view we’re constantly audited by all of our customers to ensure that we have the utmost security policies and practices, including:

  1. Background checks for all employees.
  2. Auditing of all servers.
  3. Continuous security training.
  4. Dedicated security office with the authority to shutdown any system to investigate a breach.
  5. Systematic engagement of ethical hackers to attempt to break into our systems.

In another response from Niall Browne, Yodlee’s Director of Information Security:

Yodlee goes through in depth audits and examinations on an ongoing basis from:

  • Our clients as per the list above.
  • Leading security consultants including KPMG, Deloitte, Verisign Consultants, amongst others.
  • Federal Examiners including the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC) as well as the Federal Reserve.

The client list that he mentions above can be found here.

Information about Yodlee security on their website can be found here.



Computer Security 101 for the Financially Enlightened

by golbguru on September 4, 2006

After my sudden awareness about my financial situation, I have been accessing an incredible amount of financial data on the internet. With so many fake websites and phishing scams floating around, it makes me a bit uneasy every time I type my password for access (maybe that’s because I am a bit paranoid by nature... whatever). I am pretty sure computer security is a no-brainer in the PF blogging community by now, but I still feel like pitching in my two cents on the topic. Here are Golbguru’s steps to securing your computer before accessing financial websites on the internet.

  1. Make yourself aware of phishing and fake websites scams. Take the MailFrontier Phishing IQ Tests. Click here for Test I and Test II. You will be surprised with the results. This test was partly responsible in convincing me that I require some additional tools to protect my computer, on top of my observational skills.
  2. Get a good antivirus program. Check PC World for reviews and try to get the one that suits your needs. Over the years, I have convinced myself that free antivirus programs are no match for subscription ones (I used the free AVG for a long time). Some of you may have had better experience with free stuff. [Good choices: Symantec Norton, Bitdefender, McAfee, Trend Micro PC-cillin]
  3. Get a good antispyware program. Contrary to popular perception, not all good antivirus programs are good at removing spyware. Get a standalone antispyware module that really knows its job well. [Good choices: Webroot Spy Sweeper, PC Tools Spyware Doctor]
  4. Get a good firewall. Most of you might know this, but the Windows built-in firewall is not good enough: the Windows XP firewall only filters incoming connections, so it does nothing to stop a program already on your machine from sending your data out. Fortunately there are many free (and good) firewalls available, so you don’t have to spend on this one. Read about firewall reviews here. Once you install your firewall there are some free (and excellent) firewall tests available at www.grc.com (click on their Shields Up! module) to see how kick-ass your firewall is. Also, make sure you test your firewall with the “Leak Test”, which checks exactly that outbound direction. [Good choices: Comodo Firewall, ZoneAlarm]
  5. Get a verification engine. Most of you might not know about this. These engines verify the authenticity of the padlock symbol you see at the bottom right corner of secured websites. It will recognize fraud websites instantly. You can use Comodo Verification Engine or Cloudmark Anti-Fraud Toolbar.

I haven’t tried using any anti-spam software, but I have heard Comodo and Cloudmark offer decent products in this department. If anyone knows about them please enlighten me.

All these things don’t mean you are 100% safe, they just mean you are less likely to be taken advantage of; you still have to be aware all the time and cultivate your sense of smelling fishy things.

My personal picks are as follows:

Antivirus: Bitdefender 9.0 (2 year subscription $39.95)

Antispyware: Webroot Spy Sweeper. This thing also has a keylogger shield (2 year $14.95, click here to see how I got it for $14.95)

Firewall: ZoneAlarm (Free). I tried Comodo Firewall, but after the last auto-update it started giving problems, so I am back to ZoneAlarm.

Verification Engine: Comodo (Free). Gives a green border to secure websites (sometimes there is also an irritating green cursor). But it’s more visible than Cloudmark’s smiley symbols.

Secured browsing: Priceless. (Well…a total of $55 for two years of safe browsing is not that bad anyways)

Other useful resources:
1. PC World ( Article: Bigger Threats, Better Defense)
2. Anti-phishing Workgroup
3. AntBlog701 (Article: phishing websites? Fake websites)
4. Federal Trade Commission (Article: How Not to Get Hooked by a ‘ Phishing’ Scam)


Get Webroot Spy Sweeper for $4.95

by golbguru on August 31, 2006

I just got a 2 year service of Webroot Spy Sweeper latest version for $14.95. Check out the information on Fatwallet

You can get a one year service for a measly $4.95 ! Go directly through Webroot and this thing retails for $29.95 !

For convenience, this information is posted here.
- Connect to Webroot via Fatwallet by clicking here.
- Add Spy Sweeper to the shopping cart for $14.95 (one year service).
- Use the coupon code ISCSPY to get $10 off.
- You can stop here to get the one year service for $4.95.
- To get a 2 year service for $14.95, select the “Add a Year Only $10” option.

If you have 2 computers, buy one copy first as described above and then buy the second copy in the same way. If you try to buy 2 copies at once, it becomes much more expensive.

See the Spy Sweeper reviews at PC World. Seems like it does its job well.
