Safe on the Web: Defeating Hackers Part 3
Hackers will steal your identity.
Do you know exactly what information hackers need to steal your identity? Most people don't. Would it help if they knew your birth date, or which county you last lived in? What about your pet's name, or mother's maiden name? Your zip code, or phone number? All the above can help a seasoned hacker steal your identity. Hackers are mining social websites and forums right now, inviting strangers to be their "friends", and contacting random members via email, all for the purpose of collecting enough of your tidbits to sell to another fish in the sea of identity theft. Maybe it will take several hackers working separately, each selling a piece of the puzzle for many random users to the highest bidder, until your personal data collection is large enough to strike.
So why put your birthdate in Facebook? Do you really need the attention--if you know some of it might be from a hacker? In July 2009, a Computer Science research center announced they found a way to compute your SSN from your birthday--provided you're young enough to get a SSN at the hospital after you were born--in fewer than 1000 tries. Do you know how fast a computer can make 1000 guesses over the web? It's a lot faster than guessing one in a billion, which is the chance of guessing your SSN if they start from scratch.
Rule #0: Know Thy Source
This applies to nearly all the following rules. If you don't know the source of the email you received, or of the web page you browsed to, be suspicious. You need to treat these much more carefully than emails sent (not forwarded) by your friends, or web pages of companies you frequently do business with. It's about trust—don't offer any to unknown sources.
Rule #1: Fudge the Numbers—be smart with your private data
If your birthday is May 6, 1977, don't merely change it to '76 or '78...hackers suspect this, and guess the same day on multiple years to reach your real birthdate in a small number of tries. Instead, change the month and day of your birthday by a random number. Let FB think you were born on April 27th, 1978 instead--would it really kill you to get your "happy bday" emails a week early? Then the hacker would have to guess variations of your month, day, and year to find your real birthdate: he might as well start from scratch.
If a social website you joined wants to know your hometown, ask yourself if it's worth the risk. Or at least up the game a little and misspell it.
Rule #2: Email and Images
The most common questions I get from the "101-level web users" are, "Can I get a virus just by reading an email?" and "Can I get a virus just from browsing to a web site and looking?" Unfortunately, the answers are not as simple as yes or no.
Viewing email through a web browser and through a program that resides on your local computer (like Outlook) work differently. In both scenarios, you need to worry about attachments more than anything else. Remember, an attachment could be an image or a document, or a program such as a virus. If you don't trust the original source of the email, don't mess with the attachments. If your friend forwarded an email he received from a non-trusted source, it still isn't trusted. Spam email often comes with attached images you automatically view through your browser, or an image viewing program on your computer.
Microsoft once announced a vulnerability in the part of their Windows Operating Systems that displays images. The right type of image could cause the image-viewing software to do things it wasn't designed to do, and you could end up with a virus or hacker gaining access to your computer. Soon after the announcement, hackers started blast-o-graming spam emails containing carefully crafted image files that would do just this. Microsoft made available free patches to fix this problem years ago, and frankly, if you are still running a version of Windows that hasn't been updated* since then, you've got much bigger security worries (see rule #8).
My point is: it happened once and it could happen again. Do you really need to know what image is attached to your spam? Just hit the delete button and go on your merry way. Most likely it's an image of plain text, giving you a bad stock tip, or porn—after all, most of the traffic on the internet is porn.
Rule #3: Email and HTML
If you read your email through a browser, you've got a little more to be concerned about. Most web-based email services (Gmail, Yahoo, Hotmail, etc.) will, by default, display HTML embedded in email, which in effect turns every email you read into a web site. All the rules that apply to non-trusted web sites then apply to non-trusted emails. I recommend disabling HTML in your emails. Otherwise reading an email will automatically display images (remember rule #2) and can even run scripts on your computer. You need to be aware of the security settings on your browser, which I'll talk about in rule #5. This brings us to the most important rule of using the Web:
Rule #4: Web Links in Your Email
Using tricky links in emails is the second largest financial attack out there. There are a few facts you need to learn on this subject.
- It’s easy to fake the “From” address in emails. The sender can make the email appear to come from anywhere he likes.
- It’s easy to stick a link in an email that appears to link to your online banking site, but really takes you to a hacker site.
- It’s easy to make a login page look just like your online banking login page.
Notice the pattern here? Add them up, and you’re looking at an email you think is from your bank that leads to a login page that looks like your bank’s, with one subtle difference: when you send your account name and password to the web site, you’re really sending it to a hacker, who will quickly put it to use.
Don’t ever click on a link in an email you don’t trust!
The clue to look for in this attack is an email that appears to be from PayPal, eBay, your bank, etc, with a warning that tempts you to login right away, with a convenient link right in the email text, to take you to your “trusted” login page.
Most companies large enough to be a target for this type of mass-email hacking attempt are smart enough not to send such emails. If they suspect fraud to your account and want you to login, they won’t include the link in the email—they’ll ask you to login through the link you normally use.
If you do receive such an email, and you think it’s legit, then open a new browser and use the “favorites” link you normally use, or type in the URL yourself (such as Citi.com, Paypal.com, etc.) This extra step can literally save you months or years of work and thousands of dollars.
Why is this? It’s the very nature of HTML to allow the displayed text of a web link to be text other than the link address. As new browser safeguards come out, and new hacks to sidestep them, the exact details change. In my opinion, this hacking technique will never disappear, no matter how hard the browser designers try to kill it.
Rule #5: Ratchet Down your Browser Security Settings and Use Caution on Web Sites
For web-based email and web pages in general
Web browsers are powerful tools. Web Applications (tools used through your browser: email services, games, social websites, java applets, client-side scripts, etc.) allow you to do more and more right from your browser. The more control you relinquish, the more danger you are in of allowing a script from a web page you visited to run automatically in the background, doing all sorts of things on your computer. This is why you should use the list of exception sites in your browser’s security settings to allow apps to run only from websites you trust (you type them into the list, or select “always trust this website” when the annoying popup comes around). Be very distrustful of all other websites.
This goes back to “Know Thy Source!” Don’t allow scripts or apps to run from web sites you don’t trust.
If you believe you are on the right website and not a hacker’s look-alike, use this cautionary checklist before entering your password or credit card #:
- How is the page protected? If the address begins with http:// rather than https:// (make sure the ‘s’ is in there—it stands for “Secure”) you need to investigate further. The web site should have a link explaining their alternate security method of sending your data.
- Look at the URL again to be sure. Look especially at the letters just before the “.com”/ “.net”/ “.org”. Everything but this preceding section (the domain name) means nothing to you. For example: the first URL below looks good and (if it were real) would be controlled by paypal.com. The second URL looks like a hacker site and (if it were real) would belong to a site registered to the IP address 18.104.22.168, not to PayPal.
- REMEMBER: Your account name is as important as your password: hackers need both, so they are both equally valuable to them. Protect them both.
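The two habits above (Rule #4's "the link text is not the link address" and this checklist's "read the letters just before the .com") can be turned into a small check. The script below is an added example, not code from the original post: it pulls every link out of an HTML email, compares the text the reader sees with the host the link actually goes to, and applies the checklist to the destination (is it https, is the host a bare IP address, what is the domain name). The sample email, the made-up hostnames in it, and the `TRUSTED_DOMAINS` bookmark list are constructed for illustration; the "last two labels" rule for the domain name is a deliberate simplification that works for .com/.net/.org as discussed here but not for country-code suffixes such as .co.uk.

```python
"""Email link checker: added example, not part of the original post."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the sites you would normally reach through your own bookmarks.
TRUSTED_DOMAINS = {"paypal.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag in the email."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip_address(host):
    """True when the host part is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def registrable_domain(host):
    """'www.paypal.com' -> 'paypal.com': the labels just before the .com.
    Simplification: assumes a one-label suffix (.com/.net/.org)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Apply the Rule #5 checklist to one link; returns a dict of findings."""
    parts = urlsplit(href)
    host = parts.hostname or ""
    ip_host = is_ip_address(host)
    findings = {
        "href": href,
        "text": text,
        "https": parts.scheme == "https",
        "ip_host": ip_host,
        "domain": host if ip_host else registrable_domain(host),
        "text_mismatch": False,
    }
    # Rule #4: if the visible text itself looks like an address, it must
    # point at the same domain as the real link target.
    if "." in text and " " not in text:
        shown = text if "://" in text else "http://" + text
        shown_host = urlsplit(shown).hostname or ""
        if shown_host:
            findings["text_mismatch"] = registrable_domain(shown_host) != findings["domain"]
    findings["trusted"] = (
        findings["https"]
        and not ip_host
        and not findings["text_mismatch"]
        and findings["domain"] in TRUSTED_DOMAINS
    )
    return findings


def check_email_html(html):
    """Run the checklist over every link in an HTML email body."""
    collector = LinkCollector()
    collector.feed(html)
    return [check_link(href, text) for href, text in collector.links]


# Constructed sample: one genuine-looking link, one whose visible text hides
# an IP-address host, and one whose domain merely starts with 'paypal.com'.
SAMPLE_EMAIL = """
<p>Please confirm your account:</p>
<a href="https://www.paypal.com/signin">https://www.paypal.com/signin</a><br>
<a href="http://18.104.22.168/paypal/login">https://www.paypal.com/signin</a><br>
<a href="https://paypal.com.account-check.example/login">Log in to PayPal</a>
"""

if __name__ == "__main__":
    for f in check_email_html(SAMPLE_EMAIL):
        status = "OK" if f["trusted"] else "DO NOT CLICK"
        print(f"{status:12} shown={f['text']!r:34} goes to={f['domain']!r} https={f['https']}")
```

Only the first link passes: the second fails because the real host is a bare IP address and disagrees with the text shown, and the third fails because the letters just before the top-level suffix are `account-check.example`, not `paypal.com`, no matter how the hostname begins.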
Rule #6: Keep it Safe = Keep it Secret--Use Temporary credit card #s
Today, most credit card companies offer free temporary credit card #s that can work for only 1 charge, and if needed, for refunds. You can obtain them in a minute or two from your credit card company’s web site. It has a 1-time 16-digit number, a short-lived expiration date, and a 1-time 3-digit “security code” that many online sellers now require. They’ll never know it’s a temporary number, and in reality, they don’t care—it actually limits their liability.
Using a temporary number protects you in more ways than 1: if someone is “listening in” on your network, or on your Internet Service Provider’s network, they can only use it once—and they’ll have to beat you to the punch—you already tried to use it. It also protects you from dishonest merchants, and from merchants with databases that are not hacker-proof. And no one is truly hacker proof. If the booty’s big enough, they’ll get hacked eventually.
There are two corollaries to this rule (assuming you must use real credit card numbers at some point).
Corollary 1: Small Limit, Small Risk
Keep a credit card with a low limit—say $300—and use it for small web purchases. I called my bank and asked them to put the following note on such a card: “If I ever, ever ask for the limit to be raised, cancel the card and put a fraud alert on all my accounts immediately. This request will only come from a hacker trying to defraud my accounts as well as your bank.”
Corollary 2: Check your Bill and Disable Foreign Charges
Even being as cautious as you can be, hackers will eventually steal your credit card numbers—often through no fault of your own. So check your monthly bill for suspicious charges. Usually hackers will find your numbers in some leaky database, and make many attempts at small charges that fly under the radar of the bank’s fraud-alert rules (under $5). They do this to guess your expiration date, and each incorrect attempt is logged at your bank as a failed charge. Once they guess the date, the hackers go for the big charges. The charges usually pay an offshore vendor (gambling or porn most commonly), so if your bank allows it, disable charges from foreign accounts if you don’t travel outside the US often.
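The pattern described in this corollary (a burst of sub-$5 attempts, some declined, then a large or foreign charge) is exactly what a bank-side or personal statement check can look for. The script below is an added example, not from the original post or any bank's fraud system: it scans a constructed authorization log and flags a card once it has seen several small probes with at least one decline followed by a large charge; the optional `block_foreign` switch models the "disable foreign charges" advice. The log lines, the masked card numbers, and the tuning values `MIN_SMALL_ATTEMPTS` and `LARGE_CHARGE` are all assumptions made for this example.

```python
"""Card-testing detector: added example, not part of the original post."""
from collections import defaultdict
from datetime import datetime, timedelta

SMALL_CHARGE = 5.00                 # the post's "under $5" threshold
BURST_WINDOW = timedelta(hours=24)  # assumption: how close the probes must be
MIN_SMALL_ATTEMPTS = 3              # assumption: tuning value for this example
LARGE_CHARGE = 100.00               # assumption: what counts as "the big charge"

# Constructed log lines: timestamp, masked card, amount, result, merchant country.
SAMPLE_LOG = """\
2009-08-01T10:00:00 card=****1111 amount=1.27 result=DECLINED country=US
2009-08-01T10:00:05 card=****1111 amount=1.27 result=DECLINED country=US
2009-08-01T10:00:11 card=****1111 amount=1.27 result=DECLINED country=US
2009-08-01T10:00:18 card=****1111 amount=1.27 result=APPROVED country=US
2009-08-01T11:45:00 card=****1111 amount=489.00 result=APPROVED country=CY
2009-08-01T12:00:00 card=****2222 amount=42.10 result=APPROVED country=US
2009-08-02T09:30:00 card=****2222 amount=3.50 result=APPROVED country=US
"""


def parse_line(line):
    """Turn one 'key=value' log line into a record with typed fields."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amount"] = float(rec["amount"])
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_card_testing(records, block_foreign=False):
    """Return {card: reason} for cards showing the small-charge probing pattern.

    A card is flagged at the first charge that is preceded, within
    BURST_WINDOW, by at least MIN_SMALL_ATTEMPTS sub-$5 attempts of which at
    least one was declined, when that charge is LARGE_CHARGE or more. With
    block_foreign=True a non-US charge after such a burst is flagged too,
    whatever its size.
    """
    by_card = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        by_card[rec["card"]].append(rec)

    alerts = {}
    for card, recs in by_card.items():
        for i, rec in enumerate(recs):
            window = [x for x in recs[:i] if rec["ts"] - x["ts"] <= BURST_WINDOW]
            small = [x for x in window if x["amount"] < SMALL_CHARGE]
            declined = [x for x in small if x["result"] == "DECLINED"]
            if len(small) < MIN_SMALL_ATTEMPTS or not declined:
                continue
            if rec["amount"] >= LARGE_CHARGE:
                alerts[card] = (f"{len(small)} small probes ({len(declined)} declined) "
                                f"then ${rec['amount']:.2f}")
                break
            if block_foreign and rec["country"] != "US":
                alerts[card] = (f"foreign charge ({rec['country']}) after "
                                f"{len(small)} small probes")
                break
    return alerts


if __name__ == "__main__":
    for card, reason in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {card}: {reason}")
```

On the sample log only card ****1111 is flagged: four $1.27 attempts in twenty seconds, three of them declined, followed by a $489 charge in Cyprus. Card ****2222 has a small charge too, but a single approved $3.50 purchase is an ordinary transaction, not a probe.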
Rule #7: Get your Credit Score Free Online, from the Right Source
Chances are, you were surprised by some of the seemingly random data items in the first paragraph that can help a hacker steal your identity. You need to familiarize yourself with the type of confirmation questions the three credit report agencies will ask you. The first time you try to obtain your free report, you might just fail. The questions are detailed and seem arbitrary, such as, “Which of these county names have you ever resided in:…”. Once you are familiar with these questions, you will begin to grow suspicious when a free, harmless social website or forum asks you for some of this data. Nurture that suspicion; let it grow until you are distrustful of any site asking for private data.
Don’t pick just any advertisement on the web to request your free report: some may be hackers, with websites waiting for you to give them the data they need to change your credit for you. There are 3 official agencies which track your credit rating. Each of them will provide you with 1 free credit report per year at your request, by federal law. If you apply with 1 agency every 4 months, you can keep an eye on your report for suspicious activities for free, year after year. The websites for the 3 official agencies are: www.experian.com, www.transunion.com, and www.equifax.com. If you ever apply for a loan and are denied, you can also request a full Credit Report for free within 60 days. You can also get your credit score over the phone from any of the 3 above by calling Equifax at 1-877-322-8228; you will be prompted during the call to select which of the 3 companies you would like to mail you your report.
Note: Be careful not to mistype; less reputable websites posing as these 3 agencies purchased the website domain names that are common typos of the above listed site names.
Rule #8: Keep Your Computer up to Date
OK, Mac users, it’s time for your little victory jig again: Mac OS needs to do this much less frequently. If you run Windows, you need to apply Microsoft’s security patches pretty regularly. I don’t need to tell you how to do this; Windows barely asks you permission, and will bug you repeatedly if you don’t allow it to update itself.
To the delight of Microsoft’s stockholders, the need to update Windows frequently prevents you from using an older computer very long unless you buy a new version of Windows. They can’t take all the credit for this: the world of hackers is mostly responsible. You see, new security holes are found every week. This mostly isn’t due to sloppy programming; it’s a dance between the security experts trying to stop hackers, and the hackers they’re trying to stop. Once Microsoft decides to stop supporting an old version of Windows—say Windows 95 or Windows 2000—they will stop releasing fixes to the new security holes hackers keep inventing. Then, if you ever put your older computer on the internet, it becomes a giant target to all the script kiddies in the world. Script kiddies are the pimply-faced teenagers of the hacker world. Not smart enough to find and exploit their own hacks, they download scripts from the internet that do all the hard work for them. They just need to point the scripts at the internet and click. If you plan to keep an old computer alive for your toddler to play games on, don’t put it on the internet.
Rule #9: Use Free Anti-Virus Software
Obviously, you need to run anti-virus software on your computer—the discussion above concerns those security holes and hacks too large for anti-virus software to handle—the hacks so big that Microsoft needs to replace a tiny piece of Windows to fill in the security gaps. There are plenty of free anti-virus software packages, so stay away from anti-virus (or any other) software from fly-by-night, never-heard-of companies. Hackers will squeal with delight if you install their viruses thinking you’re really installing anti-virus software.
There are easily-found free anti-virus packages out there, written by the same large and reputable companies who run their business by selling robust upgrades to their free products. Do I recommend the fee-based upgrades? If you have to make a choice, I recommend spending your time working on the steps I’ve outlined for you. It is my firm belief you’re far better off following my guidelines than buying the most expensive anti-virus software available.
If I have to name a brand, I’ll recommend Symantec. Norton was once a stiff competitor you would have needed to consider, but Symantec took care of that choice for us with a simple merger.
Note: Free Anti-virus and anti-spyware software isn’t really free: it takes time and resources to run on your computer. It will peg your hard drive during lengthy file-scans, and takes up memory whenever your computer is running. In short, it slows your computer down, but not as much as spyware and other malware will. This is by far the lesser of two evils.
Rule #10: Place a free Fraud Alert on your Credit Report…Regularly
This is 1 step further than 99% of consumers are willing to go, but will buy you a lot of protection for a little hassle. Placing a Fraud Alert on your credit report is a less drastic step than placing a full Credit Lock on your report, but also easier. Let’s look at some requirements for placing a full Lock on your credit report, which denies credit reports to all requesting institutions:
- It isn’t available in most states
- It costs money to lock and unlock in some of these states
- In TX, IL, WA, VT, you can only place the lock after identity theft. You must provide a police report to prove your identity was stolen.
Placing a free Fraud Alert on your credit lasts 3 months, and will result in a phone call to you to confirm you gave permission for an entity to obtain your credit records. Give them your cell# and remember to take it with you the next time you enter the financing room when shopping for large items.
To place an Initial Fraud Alert, contact Equifax at 1-800-525-6285; they will contact the other two agencies for you within 48 hours. Then set a reminder in Outlook to remind you to call again in 3 months. Take courage when you call; it will take a while to get to the Fraud Alert option, and in the meanwhile Equifax will repeatedly try to sell you fraud and credit monitoring services.
If you ever fall victim to credit fraud, you can request a free extended alert, which lasts for 7 years. Be aware, you must provide a copy of the police report that confirms your credit data has been compromised. I highly advise this option. If this hasn’t happened yet, just wait. The financial giant which runs my company’s 401k accounts loses a laptop with all employees’ financial data every couple of years. You can request a copy of the police report from them.
Note: Many employers now obtain your credit report when you first apply for a job. Some car insurance companies obtain your credit report when you request a rate—and it may drastically affect your premiums.
Summary: The Most Dedicated, Smartest Minds on the Internet
Sorry if this is a surprise, but I wasn’t talking about you. Hackers are the most dedicated, smartest minds on the internet. The White Hats and the Black Hats are forever at war: inventing new “hacker-proof” protocols and encryption methods, and finding the “non-existent” hacks that beat them. There are more hackers out there than White Hats, and some of them are backed by big money, like the Chinese government.
I attended a lecture by a world-renowned internet security expert a few years ago. He described client after client he’d tested: banks, government agencies, financial institutions, every type of company with valuable data to protect. He hacked into all of them.
At the end of one such story, another attendee asked him for the name of the bank he found so “ripe for the plucking”. I fully expected his reply.
“Come on guys: you know I can’t say. Every lecture, someone asks…”
What I didn’t expect was the follow-up question.
“O.K. then, just tell us this: Where do you do your online banking?”
The lecturer let a wide grin creep across his face before he answered.
I was shocked, then disturbed when I realized every financial asset to my name is accessible online. He re-assured us; he was merely paranoid, and probably a target for some vengeful hackers out there. But he also assured us with a concept I’ve come to call the Giant Pot of Gold.
“There are plenty of easier targets out there than your national online banks,” he explained, and he was right. In fact, it’s truly an understatement. The Giant Pot of Gold theory is this: If the online Pot of Gold is big enough, it will get stolen… eventually. But as long as there are fools out there who are willing to email their credit card numbers to place an order on an insecure site, as long as there are small businesses on the web who don’t know a lick about security, as long as there are enough people who don’t know the rules I’ve just given you, you’re so far down the line of big, easy targets, the hackers won’t even care about you.