Category Archives: Online Banking

It’s Banking Day at the Ranch and a Linux Live CD is in the Saddle!

I’ve maintained for years that I treat my Windows machines as if they have already been compromised – a position that has left me open to some criticism. I’ll take the criticism – I’d rather be safe than sorry.

If you’re a regular reader of the Tech Thoughts Daily Net News column, then you’re probably aware that the following items from last week (below the break) are not in the least unusual. In fact, notifications of security breaches, or of unpatched vulnerabilities that are weeks or months old, are now commonplace.

A legitimate question is – how likely were you to have been affected by any of the unpatched flaws – as noted below – or, the scores of similar long-standing vulnerabilities published in Tech Thoughts Daily Net News over the last few years?

I’ll grant you that “not very likely”, is a reasonable assumption. Still, the question remains – how do you know that you’re not already compromised by a yet to be disclosed vulnerability? Something to think about.

————————————————————————————————–

Eight-month WordPress flaw responsible for Yahoo mail breach: Bitdefender – A cross-site scripting flaw that saw some Yahoo email users lose control of their accounts has now been traced back to a WordPress installation that was not patched for at least eight months.

Serious security holes fixed in Opera – but Mac App Store users left at risk again – It should go without saying that if you use Opera, you should update to version 12.13 as soon as possible. But… what if you didn’t get your copy of Opera from the official website? What if, instead, you acquired your version of Opera for Mac from Apple’s Mac App Store?

Symantec denies blame after Chinese govt hacks The New York Times – After one of the world’s most famous newspapers points the finger at Symantec for failing to protect its network against a four-month long Chinese cyberattack, the security firm returns fire –

Symantec:

“Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security.”

I found Symantec’s response more than interesting. This is the first time that I can recall that a major security vendor has gone on record and suggested that their product, as a stand-alone solution, should not be expected to identify and contain each and every conceivable threat.

I couldn’t agree more, and I have made that point consistently for years.

—————————————————————————————————

Initially, I had no intention of writing such a long introduction to a simple review – but my continuing disappointment in the computer technology industry as a whole got the better of me. Its overall response to an epidemic of criminal activity runs along the same lines as that old-time movie, Jaws, in which one of the plot lines revolves around keeping people in the water (despite the evident danger from a Great White shark), since to do otherwise would be bad for business. Perhaps not the best analogy – but it works for me.

I have a sign on the wall above my desk that reads – Bullshit in = Bullshit out. I can’t think of a more fitting epitaph for the current state of affairs in an industry rife with misinformation, misdirection, hype, and sheer outrageous bullshit.

I’m not a gloom and doom guy – but, market forces are such, that a little crystal ball gazing has convinced me that the status quo is as stable as the Rock of Gibraltar. In other words, if you want to be safe on the Internet, then accept the fact that you’re on your own.

—————————————————————————————————

It’s Banking Day at the Ranch and a Linux Live CD is in the Saddle!

While connected to the Internet, just like you, I face exposure to Trojans, spyware, viruses, phishing scams, identity theft, scam artists, schemers and cyber crooks lurking in the shadows, just waiting to make me a victim. Even so, the odds of me picking up a malware infection, or being scammed, are fairly low. Am I just lucky, or is it more than that?

To some extent I might be lucky – but, it takes much more than luck to stay safe on the Internet. For me – it really boils down to prevention. Preventing cybercriminals from getting a foothold by being vigilant and adhering scrupulously to fundamental security precautions, including –

A fully patched operating system.

A robust firewall.

Automatically updated anti-virus and anti-spyware software.

Increased Internet Browser protection through selected add-ons.

Encryption where necessary.

and, most importantly, never forgetting to Stop. Think. Click.

Despite all those security precautions though, there’s one connected activity that still concerns me – online banking. Regardless of the fact that I choose my Internet banking provider based partially on its low profile, I’m not entirely relying on this low profile as a guarantee that cybercriminals will not target my provider.

The inescapable fact remains; I am my own best protection while conducting financial transactions on the Internet. Frankly, I’m not convinced that financial institutions are where they need to be when it comes to protecting their online customers.

Despite my best efforts, it’s possible that malicious code may be installed on my computer – ready to pounce on my banking user account names and passwords. Which is why I have long made it a practice to conduct my financial affairs on the Internet via a self-booting Linux Live CD. Since a Linux Live CD is read-only media, the environment (running entirely in RAM) should be more secure than Windows.

I’m not suggesting that Linux systems are impervious to malware (I know better than to make that claim) – but, since the majority of malware is Windows specific, banking online through a Linux Live CD should offer a more secure environment.

If you can click a mouse – then, you’re good to go. It’s that easy. Today’s Linux distros are not your Granny’s Linux.

I’m not suggesting that you replace your Windows operating system and jump with both feet into Linux. That’s impractical. What is not impractical however is – running with Linux on those occasions when you do your Internet banking.

Recommended Linux Live CDs:

Puppy Linux – A complete operating system with a suite of GUI apps, only about 70 – 140MB, and boots directly off the CD. I should point out that Puppy is my personal favorite.

Damn Small Linux – Damn Small Linux is a very versatile 50MB mini desktop-oriented Linux distribution.

Fedora – Fedora is a fast, stable, and powerful operating system for everyday use built by a worldwide community of friends. It’s completely free to use, study, and share.

Ubuntu – Fast, secure and easy-to-use.

Lightweight Portable Security (LPS) – A Linux distro from the US Department of Defense. Lightweight Portable Security (LPS) creates a secure end node from trusted media on almost any Intel-based computer (PC or Mac). LPS boots a thin Linux operating system from a CD or USB flash stick without mounting a local hard drive.


Bite Back Against Banking Bandits With Puppy Linux


Woof, Woof! That’s the sound of Puppy Linux as it starts. A good sound as it turns out; it reminds me as to why I’ve just booted my computer from this amazing little Linux distro – safety, security, and a substantially increased chance that I’ll hang onto the paltry funds in my bank accounts.

Puppy Linux is not a one trick pony – although, I tend to use it for one thing only (at the moment) – Online Banking. More on this in a moment*.

This is a very well trained Puppy:

Easy – Just use a CD or USB flash to boot a PC. Puppy Linux is downloadable as ISO, an image that can be burned to CD or DVD.

Fast – Because Puppy is small, it can live in your PC’s memory and be ready to quickly execute your commands, whereas in other systems, programs are first read from drive storage before being executed.

Save Money – Even if your PC has no hard disk (ex, broken hard disk), you can still boot Puppy via CD or USB and continue working. Old PCs that no longer work with new systems will still work good-as-new with Puppy.

Do More – Puppy boots in less than a minute, even in old PCs, and it does not require antivirus software. Administering Puppy is quick and minimal. With Puppy, you just have to take care of your data, which you can easily save to USB flash (Then forget about your operating system!). Your data can be read by other computers.

Do Magic – Help your friends suffering from computer malware by booting Puppy and removing malware from their PC (use antivirus that is built-in or can be installed in Puppy). Example – bad Autorun.inf is easily removed by Puppy (Just delete it as well as its companion exe program). If your friend thinks that she has lost data from her corrupted hard disk, boot Puppy and try saving her data!

Carry Anywhere (Portable) – Because Puppy is able to live in CD/DVD or USB flash, as well as save data to these same devices, you can carry your programs and data with you.

The Puppy Desktop – Not flashy; not eye candy – but functional and efficient.


In the following illustration, I’ve clicked on the Browser icon (SeaMonkey is the native Browser), to open this site. I considered showing my online banking connection – in a moment of madness.


*Not to be argumentative – wait, I will be argumentative. The Internet, and its related technologies (connected devices, and so on), has become a massive playground for outrageous hype and sheer BS. It’s like listening to a used car salesman. Nowhere, is this more evident than in the orbit of security technology.

Outrageous claims of “total protection” based on stale data; ranking security suites as if # 1 was truly more effective than # 2……

As if the premise is – system security is a static environment in which knowledgeable users operate in their own best interests.

As if cybercriminals are sitting still, and not releasing highly sophisticated attacks on a daily basis.

As if application vulnerabilities are not discovered virtually on a daily basis.

So, am I being argumentative just for the sake of it? Not bloody likely.

Qualys Inc. releases a Consensus Security Vulnerability Alert @RISK Newsletter on a weekly basis (to which I subscribe), that sets out the most recent vulnerabilities for which exploits are available in the cybercrime marketplace.

Here’s a small sampling of the latest –

Title: Trojan uses new C&C obfuscation technique
Description: The Polish CERT has observed a new Trojan spreading in the
wild via a number of different social media techniques. While not
particularly novel in that regard, this particular piece of malware is
interesting in the way that it contacts its command and control servers.
Instead of using the address provided in a DNS query response, the
malware takes that value and transforms it into a different IP address,
which is then used to contact the C&C. This technique, if it becomes
widespread, has interesting implications for malware detection at the
network level.

Title: Symantec PcAnywhere 12.5.0 Login and Password Field Buffer Overflow
Vendor: Symantec
Description: The host-services component in Symantec pcAnywhere 12.5.x
through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka
12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and
authentication data, which allows remote attackers to execute arbitrary
code via a crafted session on TCP port 5631.

Title: Banking trojan spreading via phishing attacks
Description: The Sourcefire VRT has discovered a new Trojan being
dropped on users via a large-scale UPS-themed phishing attack. The
Trojan, which attempts to steal credentials for several major financial
institutions, also drops other malicious binaries on the infected
system. Its C&C communications are of particular interest, as its
authors chose to use the hexadecimal string “0xDEADBEEF” – which is
commonly used by attackers and researchers alike as a way to follow user
input through system memory – as a protocol marker of sorts.

Note: input through system memory.

It’s this last type of vulnerability (though not exclusively), which drives my need to log on to my banking site via a self-booting Linux Live CD – in this case – Puppy Linux. Since Puppy is read-only media, the environment (running entirely in RAM), will be much more secure than Windows.

Yes, I admit that it’s a pain (occasionally) to shut down and reboot just to complete an online financial transaction but, I’d rather be safe than sorry – I’m into an ounce of prevention.

Since the majority of malware is Windows specific, banking online through a Linux Live CD is my ounce of prevention. It should be yours as well.
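The first newsletter item above says that a Trojan which transforms the DNS answer before contacting its C&C has implications for network-level detection. One such check, as an added Python example that is not from the newsletter or this blog: pair each outbound connection with the DNS answers the same client received, and flag connections to addresses no answer gave. The log formats, address plan, time windows and all sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample logs (documentation address ranges, invented names).
# DNS line:  time  client  queried-name  answer-ip
DNS_LOG = """\
2013-02-04T09:00:01 10.0.0.5 www.example.com 192.0.2.10
2013-02-04T09:00:02 10.0.0.7 updates.example.net 198.51.100.20
2013-02-04T09:00:30 10.0.0.7 cdn.example.org 203.0.113.40
"""
# Flow line: time  client  destination-ip  destination-port
FLOW_LOG = """\
2013-02-04T09:00:02 10.0.0.5 192.0.2.10 443
2013-02-04T09:00:03 10.0.0.7 198.51.100.77 8080
2013-02-04T09:00:31 10.0.0.7 203.0.113.40 443
2013-02-04T09:05:00 10.0.0.5 10.0.0.1 53
2013-02-04T09:10:00 10.0.0.5 203.0.113.99 443
"""

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumption: local address plan
CACHE_WINDOW = timedelta(minutes=5)   # assumption: how long an answer stays in use
PAIR_WINDOW = timedelta(seconds=10)   # assumption: lookup-to-connect gap worth pairing


@dataclass(frozen=True)
class Finding:
    time: datetime
    client: str
    dst: str
    port: int
    kind: str        # "answer-not-used" or "no-lookup"
    qname: str = ""  # the lookup paired with the connection, if any


def _rows(text, width):
    """Split a whitespace-separated log into rows, skipping blank or short lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == width:
            yield (datetime.fromisoformat(fields[0]), *fields[1:])


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect(dns_text, flow_text):
    dns = list(_rows(dns_text, 4))      # (time, client, qname, answer)
    flows = list(_rows(flow_text, 4))   # (time, client, dst, port)
    # Every (client, destination) pair seen on the wire, to spot unused answers.
    contacted = {(client, dst) for _, client, dst, _ in flows}
    findings = []
    for ts, client, dst, port in flows:
        if is_internal(dst):
            continue
        # Lookups this client made recently enough to explain the connection.
        recent = [r for r in dns
                  if r[1] == client and timedelta(0) <= ts - r[0] <= CACHE_WINDOW]
        if any(answer == dst for _, _, _, answer in recent):
            continue  # destination matches an answer the client received
        # Lookups made just before the connection whose answer was never contacted.
        unused = [r for r in recent
                  if ts - r[0] <= PAIR_WINDOW and (client, r[3]) not in contacted]
        if unused:
            latest = max(unused, key=lambda r: r[0])
            findings.append(
                Finding(ts, client, dst, int(port), "answer-not-used", latest[2]))
        else:
            findings.append(Finding(ts, client, dst, int(port), "no-lookup"))
    return findings


if __name__ == "__main__":
    for f in detect(DNS_LOG, FLOW_LOG):
        print(f.time.isoformat(), f.client, "->", f"{f.dst}:{f.port}", f.kind, f.qname)
```

An "answer-not-used" finding is the stronger signal, since it matches the lookup-then-connect-elsewhere pattern the newsletter describes. "no-lookup" findings also appear for software that uses hard-coded addresses or its own resolver, so they need an allowlist before anyone acts on them.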

Minimum Hardware Requirements for Puppy Linux 4.2.1:

500MHz processor
128MB RAM
512MB free hard drive space to create an optional save file
No hard drive required to boot a Live Disc.
CD-ROM any speed

Download at: Puppy Linux

More information is available on the publisher’s site.


Secure Your Online Banking With A Linux Live CD

While connected to the Internet, just like you, I face exposure to Trojans, spyware, viruses, phishing scams, identity theft, scam artists, schemers and cyber crooks lurking in the shadows, just waiting to make me a victim. Even so, the odds of me picking up a malware infection, or being scammed, are low – not 0% but…… Am I just lucky, or is it more than that?

Well, to some extent I might be lucky – but, it takes much more than luck to stay safe on the Internet. For me – it really boils down to prevention. Preventing cybercriminals from getting a foothold by being vigilant and adhering scrupulously to fundamental security precautions, including –

A fully patched operating system.

A robust firewall.

Automatically updated anti-virus and anti-spyware software.

An aggressive HIPS (host intrusion prevention system).

Increased Internet Browser protection through selected add-ons.

and, most importantly, never forgetting to Stop. Think. Click.

Despite all those security precautions though, there’s one connected activity that still concerns me – online banking. Regardless of the fact that I choose my Internet banking provider based partially on its low profile (four branches as opposed to the usual 3,000/5,000 branches common in Canadian banking), I’m not entirely relying on this low profile as a guarantee that cybercriminals will not target my provider.

The inescapable fact remains; I am my own best protection while conducting financial transactions on the Internet. Frankly, I’m not convinced that financial institutions are where they need to be when it comes to protecting their online customers.

Despite my best efforts, it’s possible (though unlikely) that malicious code may be installed on my computer – ready to pounce on my banking user account names and passwords. Which is why I have long made it a practice to conduct my financial affairs on the Internet via a self-booting Linux Live CD running Firefox. Since a Linux Live CD is read-only media, the environment (running entirely in RAM), will be much more secure than Windows.

Yes, I admit that it’s a pain to shut down and reboot just to complete an online financial transaction but, I’d rather be safe than sorry – I’m into an ounce of prevention. Since the majority of malware is Windows specific, banking online through a Linux Live CD is my ounce of prevention.

Recommended Linux Live CDs:

Lightweight Portable Security (LPS) – A Linux distro from the US Department of Defense.

Ubuntu – fast, secure and easy-to-use.

Puppy Linux – A complete operating system with a suite of GUI apps, only about 70 – 140MB, and boots directly off the CD.

KNOPPIX – Live Linux file system on CD.


Free BufferZone Pro – Maybe The Best Surfing Virtualization Application At Any Price

Back in December, regular reader John W, pointed me to a free license giveaway for BufferZone, a virtualization application which creates an isolated environment called the Virtual Zone, while you surf the Internet.

Based on John’s recommendation, I wrote an informational only article, since I had not had an opportunity to test the application. I’ve spent some time in the interim testing this application, and there’s just one word to describe it – brilliant, exceptional, splendid, superb.

OK, that’s more than one word – but I’m more than just a little enthusiastic about this program. Best of all, this application is now free – as in FREE.

This is not 1985 when the only thing you had to worry about was the crud that might be on the floppy disks you exchanged with your friends. Today, your Browser is the conduit into your computer – that’s the route by which the majority of malware spreads, and intrusion attempts take place.

A case in point:

While surfing the Net, a user mistakenly accepts an invitation to install a scareware application but realizes, after the fact, that this is a scam. Operating in a “real” environment, the damage, unfortunately, would already have been done.

Operating in a “virtual” environment with BufferZone active, system changes attempted by this parasite would simply not occur.

So, controlling malware intrusion, while surfing the Net, through the use of a “virtual” environment rather than operating in a “real” environment, makes sense given the escalating level of cyber criminal activity on the Internet.

From the developer’s site:

BufferZone Pro keeps you surfing, downloading, e-banking, sharing, chatting, and e-mailing to your heart’s content – basically, using the Internet as it should be used. The Virtual Zone gives you total freedom, peace and security on the Web. With BufferZone Pro, you can do absolutely anything on the Internet threat free.

With BufferZone, all programs or files that enter your computer through downloading, browsing, or uploading with external media devices, are redirected to a Virtual Zone (C:\Virtual). And, since any intrusion attempt occurs within this virtual environment, there’s nothing in that summary that I can disagree with. BufferZone’s Virtual Zone does protect a PC from all forms of known, or unknown, attacks originating from the Internet, or external devices.

It does so in a non-intrusive way, and after initial setup, requires a minimum of user intervention – perfect for the average user. Installation is hassle free – it’s just a matter of following the on-screen instructions.


BufferZone sits in the Taskbar and can be fully controlled from there.


Once the application is installed, and after a re-boot, you will be taken to the developer’s site (this is a one time occurrence), for a point by point introduction to Buffer Zone. The following screen captures (taken from the developer’s site), provide a clear explanation.


In the last few months we’ve looked at operating system virtualization – Shadow Defender, Returnil Virtual System, Wondershare Time Freeze, and a number of other similar applications – as well as alternatives to OS virtualization, namely specific application virtualization running in a sandbox. For straight out ease of use while surfing the Internet though, BufferZone has become my favorite.

If you’re unsure as to whether you should operate in “virtual mode” while surfing the Net, then take this free security test at the developer’s site.

On my “unprotected” test machine, the following is the result of the simulated Trojan attack. The “stolen” files were on a non-system partition so the Trojan doesn’t restrict itself to just the (C:) drive.


Actually, I forgot to turn off ThreatFire, which picked up the attack in progress. This shows the benefit of a layered security approach.

System Requirements: Windows XP, Vista, Win 7 (32-bit).

Download at: the developer’s site (Trustware.com).


Think You’re Immune From Online Fraud? Maybe Not!

Guest writer Dave Brooks, a vastly experienced computer Tech from New Hampshire, who is an expert at online safety, shares this chilling story on why even exercising proper security measures won’t guarantee your online financial safety.

Bill is constantly trying to pound security into his readers’ heads, and with good reason, but unfortunately, no matter how careful you are, there are things that are beyond your control when buying stuff online.

Case in point: at Bill’s request I’m going to relay a recent unnerving personal experience, if only to show that even the most security conscious are still at risk.

I’m very online safety/security conscious and I buy online only from reputable, well known stores. My online bank account password looks like an alien language, my ATM pin is 8 digits long (compared to 4 or so many people use), and I monitor my account closely.

Even so my ATM card number was recently used, in the middle of the night, in Georgia, while I was sound asleep in New Hampshire. Luckily Bank of America has decent monitoring, and I have a ton of alerts set up to email me when certain things happen with my account.

I woke up in the morning to find an alert that my card was used while I was asleep, and an email from Bank of America that they had detected suspicious activity on my account, had frozen the transaction, and placed a lock on my account to prevent further activity.


The charge was for the amount of $1.22; it’s apparently common practice by those that use stolen card numbers to make a small charge such as this to confirm that the number is good before using it to make larger purchases.

Thanks in part to my diligent monitoring, and Bank of America’s account monitoring system, the thieves were never able to get to step two and spend my hard earned cash on god knows what.

A call to the number provided in the alert email I got from the bank (after confirming it was in fact their number by matching it up on the Bank of America website; phishing emails are pretty convincing nowadays!), confirmed the illegal activity. Bank of America cancelled my ATM card, and cancelled the charge, and a trip to my local bank branch netted me a new ATM card.

My number was likely stolen from a hacked online database of a company that I had made an online purchase from in the past, but there’s no way to confirm this – it could have just as easily been a dishonest employee from a local store where I used my card.

I have since opened a second account with an ATM card, and use only that account for online purchases (I had been contemplating doing this for a year or more, but never did).

I keep a balance of about 5 bucks in it, and when I want to buy something online, I transfer the purchase amount from my main account to the “internet” account to cover it. At least that way, my main account is less exposed, and if it happens again I’ll be able to determine if it was the “internet” or “local purchase” that led to the compromise.

Bottom line here is, even though you think you’re safe, if you purchase stuff online, your bank or credit card info is out there for the taking. The best you can do is keep a close eye on your accounts for suspicious activity, and try to minimize possible damage that might be done if your card number is stolen.

Guest Writer: This is a guest post by Dave Brooks, a professional computer technician from New Hampshire, USA. Dave has become a regular guest writer, whose articles are always a huge hit.

Pay a visit to Dave’s site at Tech-N-Go, and check out the Security Alerts.


Online Banking Do’s and Don’ts

While it’s true that the Internet, despite its fundamental design flaws, has the “potential” for safe and secure financial transactions, safe banking online relies on you making good choices, and decisions, that will help you avoid costly surprises, or even carefully crafted scams and phishing schemes.

Despite all the positive hype surrounding financial institutions’ system security, we have learned, much to our detriment, that there are no absolutes in computer system security.

The inescapable fact remains; you are your own best protection while conducting financial transactions on the Internet. So it’s important that you learn about, and take advantage of, the active security features offered by your financial institution.

Examples of security features offered by financial institutions:

Encryption is the process of scrambling private information to prevent unauthorized access. To remind you that your transmission is encrypted, most Internet browsers display a small icon on your screen that resembles a lock, or a key, when you conduct secure transactions online. Look for this symbol so that you have reason to believe your connection is, in fact, secure.

Passwords, or personal identification numbers, should be used when accessing an account online. Your password should be unique to you and, this is extremely important, you should change it regularly. Do not use birthdates, or other numbers or words, that may be easy for others to guess.

Always carefully control to whom you give your password. For example, if you use a financial company that requires your password in order to gather your financial data from various sources, make sure that you are aware of the company’s privacy and security practices.

General security over your personal computer such as virus protection and physical access controls should be used and updated regularly.


Tips on safe computing practices when conducting your online banking at home, or at a public computer:

Never leave your computer, even at home, unattended, once you have signed in to online banking.

After completing your transactions, ensure that you sign out, clear your cache, and close your browser. Often, it is easy to forget to sign out of an online banking session.

Keep your password and card number safe. This seems like a no brainer, but surprisingly, many users do forget this critical step in the process.

Do not share, disclose, or provide your bank card number, or password, to another party, or website, other than your bank. Most banks will not send you an email requesting this information. If your bank practices this very unsafe routine, you should change banks.

Do not save your bank card number, or password, on a publicly accessed computer.

If you do use a public access computer such as at an Internet café or public library, (absolutely NOT recommended), to be safe, change your password after completing your session by calling your bank’s telephone banking number.

When selecting a password, choose a series of characters that cannot be easily guessed by someone else. The best passwords are made up of an alpha-numeric combination that is more than eight characters long and mixes capital and lower case letters.

Bank of America email scam

This is an example of an Online Banking email phishing attempt.

Final words – don’t use:

A password you use for any other service.

Your name, or a close relative’s name.

Your birth date, telephone number or address, or those of a close relative.

Your bank account number, or bank card number.

Do not share your personal verification question answers with anyone, and do not disclose them in any emails. It’s simple; giving your password answers to another person, or company, places your finances and privacy at risk.
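The password rules in this article (length, mixed character types, and the “don’t use” list), written out as a checker in Python. This is an added example, not part of the original post; the profile fields, rule names and every value in PROFILE are constructed for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 9  # the article asks for "more than eight characters"

# Constructed sample profile: the personal facts the article says to keep out
# of a password. Supplied by the user at check time, not stored anywhere.
PROFILE = {
    "names": ["Dana Example", "Robin Example"],      # own and close relatives' names
    "birth_dates": [date(1970, 3, 19)],
    "phones": ["603-555-0142"],
    "account_numbers": ["4000 1234 5678 9010"],      # bank account / card numbers
    "addresses": ["17 Maple Street"],
}


def _squash(text):
    """Lowercase and drop everything but letters and digits ("19-03-70" -> "190370")."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def personal_tokens(profile):
    """Strings a password must not contain, derived from the facts in the profile."""
    tokens = set()
    for name in profile.get("names", []):
        tokens.update(re.findall(r"[a-z]{3,}", name.lower()))
    for born in profile.get("birth_dates", []):
        d, m = f"{born.day:02d}", f"{born.month:02d}"
        y, yy = str(born.year), f"{born.year % 100:02d}"
        # Common ways of writing the same date, plus the bare year.
        tokens.update({d + m + y, m + d + y, y + m + d, d + m + yy, m + d + yy, y})
    for number in profile.get("phones", []) + profile.get("account_numbers", []):
        digits = _squash(number)
        if len(digits) >= 4:
            tokens.update({digits, digits[-4:]})  # whole number and its last four digits
    for address in profile.get("addresses", []):
        tokens.update(re.findall(r"[a-z]{4,}", address.lower()))
    return tokens


def check_password(password, profile, used_elsewhere=()):
    """Return the rules the password breaks, in a fixed order (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        problems.append("alphanumeric")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("case")
    if password in used_elsewhere:
        problems.append("reused")
    # Compare on the squashed form so separators do not hide a date or number.
    squashed = _squash(password)
    if any(token in squashed for token in personal_tokens(profile)):
        problems.append("personal")
    return problems


if __name__ == "__main__":
    for candidate in ["dana1970", "Maple-19-03-70x", "Tr4il-Mix-Quartz"]:
        print(candidate, check_password(candidate, PROFILE) or "ok")
```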


Online Dangers – Even a Tech Can Get Taken

Think you’re immune from online fraud? Do you believe – “It could never happen to me”? Read what guest writer Dave Brooks, a vastly experienced computer tech from New Hampshire, has to say about what happened to him.

Bill is constantly trying to pound security into his readers’ heads, and with good reason, but unfortunately no matter how careful you are, there are things that are beyond your control when buying stuff online.

Case in point: at Bill’s request I’m going to relay a recent unnerving personal experience, if only to show that even the most security conscious are still at risk.

I’m very online safety/security conscious and I buy online only from reputable, well known stores. My online bank account password looks like an alien language, my ATM pin is 8 digits long (compared to 4 or so many people use), and I monitor my account closely.

Even so my ATM card number was recently used, in the middle of the night, in Georgia, while I was sound asleep in New Hampshire. Luckily Bank of America has decent monitoring, and I have a ton of alerts set up to email me when certain things happen with my account.

I woke up in the morning to find an alert that my card was used while I was asleep, and an email from Bank of America that they had detected suspicious activity on my account, had frozen the transaction, and placed a lock on my account to prevent further activity.

The charge was for the amount of $1.22; it’s apparently common practice by those that use stolen card numbers to make a small charge such as this to confirm that the number is good before using it to make larger purchases.

Thanks in part to my diligent monitoring, and Bank of America’s account monitoring system, the thieves were never able to get to step two and spend my hard earned cash on god knows what.

A call to the number provided in the alert email I got from the bank (after confirming it was in fact their number by matching it up on the Bank of America website; phishing emails are pretty convincing nowadays!), confirmed the illegal activity. Bank of America cancelled my ATM card, and cancelled the charge, and a trip to my local bank branch netted me a new ATM card.

My number was likely stolen from a hacked online database of a company that I had made an online purchase from in the past, but there’s no way to confirm this – it could have just as easily been a dishonest employee from a local store where I used my card.

I have since opened a second account with an ATM card, and use only that account for online purchases (I had been contemplating doing this for a year or more, but never did).

I keep a balance of about 5 bucks in it, and when I want to buy something online, I transfer the purchase amount from my main account to the “internet” account to cover it. At least that way, my main account is less exposed, and if it happens again I’ll be able to determine if it was the “internet” or “local purchase” that led to the compromise.

Bottom line here is, even though you think you’re safe, if you purchase stuff online, your bank or credit card info is out there for the taking. The best you can do is keep a close eye on your accounts for suspicious activity, and try to minimize possible damage that might be done if your card number is stolen.

Guest Writer: This is a guest post by Dave Brooks, a professional computer technician from New Hampshire, USA. Dave has become a regular guest writer, whose articles are always a huge hit.

This article is Dave’s response to today’s article “How to Conduct Online Banking Safely”.

Thank you Dave for such a quick response – a great article, crafted quickly.

Pay a visit to Dave’s site at Tech-N-Go, and check out the Security Alerts.
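The pattern in Dave's account (a tiny charge, far from home, while the cardholder is asleep) can be checked for in an exported statement. The code below is an added example, not part of the guest post; the `Txn` fields, the thresholds and the sample transactions are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed thresholds (not from the post): tune them to your own habits.
PROBE_MAX = 5.00            # charges at or below this may be test charges
QUIET_HOURS = range(0, 6)   # local hours when the cardholder is normally asleep

@dataclass
class Txn:
    when: datetime   # cardholder's local time
    amount: float
    state: str       # where the card number was used
    merchant: str

def flag_probes(txns, home_state, known_merchants):
    """Return (txn, reasons) pairs for small charges that look like card testing."""
    alerts = []
    for t in sorted(txns, key=lambda t: t.when):
        if t.amount > PROBE_MAX:
            continue  # only small charges are candidate test charges
        reasons = []
        if t.state != home_state:
            reasons.append("outside home state")
        if t.when.hour in QUIET_HOURS:
            reasons.append("during quiet hours")
        if t.merchant not in known_merchants:
            reasons.append("unknown merchant")
        # Two independent signals are required, so an ordinary small
        # purchase at a new local merchant is not flagged on its own.
        if len(reasons) >= 2:
            alerts.append((t, reasons))
    return alerts

# Constructed sample statement (not real data)
SAMPLE = [
    Txn(datetime(2013, 2, 1, 12, 15), 4.50, "NH", "Corner Coffee"),
    Txn(datetime(2013, 2, 2, 18, 40), 62.10, "NH", "Grocery Mart"),
    Txn(datetime(2013, 2, 3, 3, 12), 1.22, "GA", "UNKNOWN*WEB"),
    Txn(datetime(2013, 2, 3, 9, 5), 3.00, "NH", "Parking Meter"),
]
KNOWN = {"Corner Coffee", "Grocery Mart"}

if __name__ == "__main__":
    for txn, why in flag_probes(SAMPLE, "NH", KNOWN):
        print(f"{txn.when} ${txn.amount:.2f} {txn.merchant}: {', '.join(why)}")
```

Only the $1.22 charge is flagged; the $3.00 parking charge has a single signal (unknown merchant) and passes.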


How to Conduct Online Banking Safely


I’ve noticed a surge recently, in search engine referrals to this site on online banking fraud, so it’s time for a refresher on how to safely carry out your online banking.

As use of the Internet continues to expand exponentially, banks and other financial institutions have increased their use of the Internet to deliver products and enhanced financial services, or simply to improve communications with consumers.

The Internet, despite its fundamental flaws, does offer the potential for safe, convenient, and new ways to shop for financial services and conduct banking business, any day, any time.

While it’s true that the Internet has the “potential” for safe and secure financial transactions, safe banking online relies on you making good choices and decisions that will help you avoid costly surprises, or even carefully crafted scams and phishing schemes.

Despite all the hype concerning impenetrable system security, we have learned, much to our detriment, that no such impenetrable systems exist.

The inescapable fact remains: you are your own best protection while conducting financial transactions on the Internet. So it’s important that you learn about, and take advantage of, security features offered by your financial institution.


Some examples are:

Encryption is the process of scrambling private information to prevent unauthorized access. To remind you that your transmission is encrypted, most Internet browsers display a small icon on your screen that looks like a lock or a key, when you conduct secure transactions online. Avoid sending sensitive information, such as account numbers, through unsecured e-mail.

Passwords, or personal identification numbers, should be used when accessing an account online. Your password should be unique to you and, this is extremely important, you should change it regularly. Do not use birthdates or other numbers or words that may be easy for others to guess.

Always carefully control to whom you give your password. For example, if you use a financial company that requires your passwords in order to gather your financial data from various sources, make sure that you are aware of the company’s privacy and security practices.

General security over your personal computer such as virus protection and physical access controls should be used and updated regularly. Contact your hardware and software suppliers, or Internet service provider, to ensure you have the latest in security updates.


Tips on safe computing practices when conducting your online banking at home, or at a public computer:

Never leave your computer unattended once you have signed in to online banking.

After completing your transactions, ensure that you sign out of online banking, clear your cache, and close your browser. Often, it is easy to forget to sign out of an online banking session.

Keep your password and card number safe. This seems like a no brainer, but surprisingly many users do forget this critical step in the process.

Do not share, disclose, or provide your bank card number, or password, to another party or website other than your bank. Most banks will not send you an email requesting this information. If your bank practices this very unsafe routine, you should change banks.

Do not save your bank card number or password on a publicly accessed computer.

If you do use a public access computer such as at an Internet café or public library, to be safe change your password after completing your session by calling your bank’s telephone banking number.

When selecting a password, choose a series of characters that cannot be easily guessed by anyone else. The best passwords are made up of an alpha-numeric combination that’s more than four characters long and a combination of capital and lower case letters.

[Image: an example of an online banking email phishing attempt.]

Don’t use:

A password you use for any other service.

Your name or a close relative’s name.

Your birth date, telephone number or address, or those of a close relative.

Your bank account number or bank card number.
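The rules above can be checked mechanically before a password is adopted. The code below is an added example, not part of the original article; the function names, the date formats tried and the sample personal details are assumptions constructed for illustration.

```python
import re
from datetime import date

def personal_tokens(names, birth_dates, numbers):
    """Collect lower-case strings derived from personal details."""
    tokens = set()
    for name in names:  # your own name, relatives' names, street names
        tokens.update(part.lower() for part in name.split() if len(part) >= 3)
    for d in birth_dates:
        # Common ways a birth date ends up typed into a password (assumed list)
        for fmt in ("%Y", "%d%m%Y", "%m%d%Y", "%Y%m%d", "%d%m%y", "%m%d%y"):
            tokens.add(d.strftime(fmt))
    for num in numbers:  # telephone, bank account and bank card numbers
        digits = re.sub(r"\D", "", num)
        tokens.update({digits, digits[-4:]})  # whole number and its last four digits
    tokens.discard("")
    return tokens

def check_password(password, tokens, used_elsewhere=()):
    """Return the list of the article's rules that the password breaks."""
    problems = []
    if len(password) <= 4:
        problems.append("four characters or fewer")
    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("needs both capital and lower case letters")
    if not re.search(r"\d", password):
        problems.append("needs digits as well as letters")
    if password in used_elsewhere:
        problems.append("already used for another service")
    lowered = password.lower()
    digits_only = re.sub(r"\D", "", password)  # catches 603-555-0142 style spacing
    hits = sorted(t for t in tokens
                  if t in lowered or (t.isdigit() and t in digits_only))
    if hits:
        problems.append("built from personal details: " + ", ".join(hits))
    return problems

# Constructed personal details, not real data
TOKENS = personal_tokens(
    names=["Dana Example"],
    birth_dates=[date(1975, 3, 9)],
    numbers=["603-555-0142", "4000 0000 0000 0002"],
)

if __name__ == "__main__":
    for candidate in ("Dana1975", "Ab1", "tR7vq9Lm2x"):
        print(candidate, "->", check_password(candidate, TOKENS) or "passes")
```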

Do not share your personal verification question answers with anyone, and do not disclose them in any emails. It’s simple; giving your password answers to another person, or company, places your finances and privacy at risk.

For an article on phishing and how to protect yourself, see “Gone Phishing? Protect Yourself – Stop · Think · Click”, elsewhere in this Blog.



Public Proxy Server Danger – Web Site Spoofing

In the article immediately following this article, “OperaTor and XeroBank – Surf the Internet Anonymously”, I stated, “You have a number of choices when it comes to anonymous surfing. You can use a free proxy server service; not my personal first choice – but that’s fodder for another article!”

Well, there’s no time like the present, so here is that article.

In some cases, the DNS used by a public proxy, the database that associates numeric IP addresses (e.g. 206.4.XX.XXX) with URLs, has been known to have been modified.

The modification consists of replacing the legitimate association with a fraudulent one, so that when users type a specific URL, they are redirected to a fraudulent page. For example, if users try to log onto their banking web site, the server could redirect them to a phishing site which resembles the legitimate page, but which is designed to steal their bank details.

[Graphic: a spoofed banking site.]

The danger of this type of attack is – even users with malware-free, up-to-date computers with a good firewall, etc. could easily fall victim to these attacks.

To reduce the risk of phishing attacks, it’s important not to use anonymizer services if you’re accessing sites on which confidential data is being transmitted (e.g. online banks, pay platforms, etc.).

It’s equally important that you use a browser add-on such as WOT (Web of Trust), so that you have a first line of defense against this type of attack. I strongly recommend that you use WOT as your primary Internet Browser protection. For more information, read “Love WOT And It Will Love You Right Back!” on this site.
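A modified DNS association of the kind described above can be spotted by comparing what each resolver returns with address ranges recorded earlier over a connection you trust. The code below is an added example, not part of the original article; the function name, the `bank.example` hostname, the resolver labels and the documentation-range addresses are assumptions constructed for illustration.

```python
import ipaddress

def check_resolution(hostname, answers, baseline):
    """Compare resolver answers for hostname with recorded known-good networks.

    answers:  {resolver_label: [ip strings]} as returned by each resolver
    baseline: {hostname: [CIDR strings]} recorded earlier over a trusted connection
    Returns {resolver_label: [reasons]} for resolvers whose answers look wrong.
    """
    nets = [ipaddress.ip_network(cidr) for cidr in baseline.get(hostname, [])]
    findings = {}
    for resolver, ips in answers.items():
        reasons = []
        if not nets:
            reasons.append("no baseline recorded for this hostname")
        if not ips:
            reasons.append("no answer returned")
        for raw in ips:
            ip = ipaddress.ip_address(raw)
            # Ranges rather than single addresses, because large sites
            # rotate between several servers in the same networks.
            if nets and not any(ip in net for net in nets):
                reasons.append(f"{raw} is outside the recorded networks")
        if reasons:
            findings[resolver] = reasons
    return findings

# Constructed sample data (documentation address ranges, not real servers)
BASELINE = {"bank.example": ["192.0.2.0/24", "2001:db8:10::/48"]}
ANSWERS = {
    "home-isp": ["192.0.2.10", "2001:db8:10::5"],
    "public-proxy": ["203.0.113.66"],
}

if __name__ == "__main__":
    for resolver, why in check_resolution("bank.example", ANSWERS, BASELINE).items():
        print(f"{resolver}: {'; '.join(why)}")
```

A mismatch is a reason to stop and verify before logging in, not proof of tampering, since a site can legitimately move to new addresses.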

If you’re interested in learning more about web spoofing, there is an excellent article at Princeton University’s web site entitled Web Spoofing: An Internet Con Game.
