31 simple tips to protect you from fraud

If you’ve just been offered a generous amount of money over email by an anonymous person half-way across the world or have been asked to furnish your bank account details and passwords, chances are someone’s trying to take you for a ride. Let’s take a look at some simple ways by which you can protect yourself against online fraud.

Sign your card after receiving

Sign the back of your credit or debit cards as soon as you receive them from your bank. The signature helps you confirm that the card a merchant hands back is the one you gave them, since card duplication is a common method of identity theft.

Play online games carefully

Don’t give crucial information related to your identity impulsively when prompted by games and memes.

Update your mailing address

When you move, contact your financial institutions, tax authorities and credit reporting agencies, and keep them updated with your current address. Scammers use outdated personal information to sneak into your accounts.

Online shopping

Always use a trusted merchant when shopping online and make sure every purchase is secured with encryption, which protects your account information. To check that the transaction is secure, confirm that the web address starts with https://.

Use the block option

If someone suspicious is trying to contact you, block them or add them to your spam list.

Don’t share bank details

Never share your bank details with anyone. Your bank will never ask you for your account number, PIN or password over email.

Invest in a good anti-virus

Use trusted anti-virus and anti-malware software to protect your computer, phones and tablets. Make sure you check regularly for software updates.

Avoid public computers for bank logins

Avoid accessing your bank accounts from a public or office computer. If you can’t avoid it, make sure to do it in private and log out from the pages after you’re done.

Spread awareness

If you’ve been tricked online, share your experiences with family members, especially vulnerable ones like young people and the elderly.

Check credit reports annually

Review your credit reports at least once a year to make sure no one is committing identity fraud in your name, for example by applying for a loan. Such activity is not reflected in your monthly card statements.

Checkbook

Don’t carry your checkbook everywhere. Keep it with you only when you need it.

Use multiple passwords

Never use the same password for multiple online accounts such as email, bank logins and social media. Also, don’t use your date of birth or address as a password. Such obvious details make weak passwords that can be easily guessed. Use a password manager like LastPass that keeps track of your passwords.

ATM PIN

Memorize your ATM PIN and never write it anywhere, especially on your card.

Be careful while storing online

Although storing information online or on a shared drive can free up device memory, never use such methods to store financial details such as bank IDs and passwords or personal photographs.

Manage your credit cards

Call your bank and cancel credit cards you don’t use any longer. Destroy old cards immediately after you get a new card.

Public Wi-Fi hotspots may not be what they seem

Scammers can imitate the names of trusted Wi-Fi connections, so set aside online banking tasks while using public Wi-Fi hotspots.

Download apps from reliable sources

Always download a banking app from a reliable source, as it requires you to enter a lot of your confidential information.

Delete after reading

Delete all bank-related messages after reading, as these carry significant confidential information about your finances.

Social security number

Don’t provide your social security number unless it’s absolutely necessary.

Keep your phones password-protected

Keep a pass-code for your phones or tablets to prevent access without your permission. Also, never store your banking details on your mobile phone.

Don’t trust anyone easily

Never share your bank details or credit card information with any random salesperson over the phone.

Say no to unknown links and attachments

Beware of any suspicious link that promises to make you rich instantly, reveals classified information or is pornographic in nature. Never open attachments you don’t trust as these may infect your computer with malware.

Examine monthly statements closely

Check monthly mails containing bank and card statements for suspicious transactions. Inform your bank immediately if you spot one.

Avoid revealing personal details on social media

Avoid putting unnecessary information on your social media accounts, such as your mother’s maiden name, phone numbers or pet’s name. These help hackers break into your bank accounts.

QR codes can be fraudulent, too

Treat QR Codes as you would suspicious links: all they are is a graphical way of sending you to a website.

Treat receipts with respect

Your transaction receipts may reveal a lot more than you think. Keep them safely stacked or dispose of them securely.

Know your billing cycle

Always keep track of your billing and statement cycles and know when you’re due for a payment. Staying up-to-date with all the information will help you spot suspicious transactions faster.

Keep copies of all your cards and documents

Always keep photocopies of your financial documents and cards in a safe place, in case the originals get lost or stolen. You could use them until the replacements arrive.

E-bills make sense

Subscribe to e-bills. It will save you the hassle of storing hard copies which, if handled carelessly, may fall into the wrong hands.

Don’t save card details on shopping websites

It may not be convenient to punch in your card details every time you shop online, but really it’s a small price to pay considering it can save your card from being misused.

Be quick to report

A loss or theft of credit cards and other important documents should be taken very seriously. Don’t wait: inform the required authorities immediately.

Imgur hackers stole 1.7 million email addresses and passwords

Image-hosting website Imgur discovered at the end of last week that hackers broke into its systems in 2014, and stole the account details of some 1.7 million registered users.

Imgur found out about the historic hack when HaveIBeenPwned’s Troy Hunt contacted the company on Thursday 23 November, which was a national Thanksgiving holiday in the United States.

  • On November 23, Imgur was notified of a potential security breach that occurred in 2014 that affected the email addresses and passwords of 1.7 million user accounts. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response.

Despite the festivities, Imgur quickly responded to Hunt’s message, confirmed that the data did indeed include the login credentials of users, and the following day began the process of resetting affected users’ passwords.

In a blog post, Imgur confirmed that it had been breached and that email addresses and passwords had been exposed. The site doesn’t ask its users for any additional personal information, so, fortunately, no such information could have been at risk.

At the time of writing, Imgur is still investigating how hackers might have been able to breach its security systems.

Imgur did confirm, however, that (at the apparent time of the breach in 2014) it was scrambling passwords with the SHA-256 algorithm – which in recent years has fallen from favour. Imgur says that in 2016 it switched over to the stronger bcrypt hashing algorithm.
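A move from a fast hash to a slow one is usually done at login, when the plaintext password is briefly available. The sketch below is an added example, not Imgur's code: the record formats, function names and sample accounts are constructed, the legacy scheme is assumed to be a single unsalted SHA-256 pass, and PBKDF2 from the Python standard library stands in for bcrypt so the example runs without third-party packages.

```python
import hashlib
import hmac
import os

# Record formats assumed for this example (not Imgur's actual schema):
#   legacy:  "sha256$<hex digest>"                          one fast, unsalted pass
#   current: "pbkdf2$<iterations>$<salt hex>$<digest hex>"  salted and deliberately slow
PBKDF2_ITERATIONS = 600_000  # assumption: tune to your own login latency budget


def hash_legacy(password):
    """Fast scheme standing in for the SHA-256 hashing described above."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()


def hash_slow(password, iterations=PBKDF2_ITERATIONS):
    """Slow salted scheme standing in for bcrypt (PBKDF2 keeps this stdlib-only)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify(password, record):
    """Check a password against either record format, comparing in constant time."""
    scheme, _, rest = record.partition("$")
    if scheme == "sha256":
        candidate = hashlib.sha256(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, rest)
    if scheme == "pbkdf2":
        try:
            iterations, salt_hex, digest_hex = rest.split("$")
            candidate = hashlib.pbkdf2_hmac(
                "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
        except ValueError:
            return False  # malformed record: fail closed
        return hmac.compare_digest(candidate.hex(), digest_hex)
    return False  # unknown scheme: fail closed


def needs_upgrade(record):
    """True for legacy records and for slow records below the current work factor."""
    parts = record.split("$")
    return parts[0] != "pbkdf2" or int(parts[1]) < PBKDF2_ITERATIONS


def login(store, user, password):
    """Authenticate, then re-hash with the slow scheme while the plaintext is in hand."""
    record = store.get(user)
    if record is None or not verify(password, record):
        return False
    if needs_upgrade(record):
        store[user] = hash_slow(password)
    return True


if __name__ == "__main__":
    # Constructed sample data: two users who happen to share a password.
    store = {"alice": hash_legacy("correct horse"), "bob": hash_legacy("correct horse")}
    print("legacy records identical:", store["alice"] == store["bob"])
    print("login ok:", login(store, "alice", "correct horse"))
    print("alice now stored as:", store["alice"].split("$")[0])
```

Accounts that never log in again keep their legacy record, which is one reason a breach response also forces password resets.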

Whether you are a registered user of Imgur or not, it has become all too obvious in recent years that it is essential that no-one should use the same password for multiple online services. Reusing passwords is a recipe for disaster – opening opportunities to exploit shared credentials to break into other parts of your online life with a view to stealing identities, personal information, or simply making mischief.

Although in an ideal world Imgur would never have been hacked in the first place, I believe that the company should be commended on two counts.

Firstly, Imgur didn’t ask users when they created accounts to enter any extraneous unnecessary information – such as real names, dates of birth, addresses, or phone numbers that could have made this breach much more damaging to its victims. There’s a great deal to be said for companies limiting the amount of information that they ask from their users – the less they store about you, the less they can lose.

Secondly, Imgur’s response to being notified about the breach is excellent. Despite it being the Thanksgiving holiday in America, they responded to the report of the data breach and immediately began work protecting accounts, and offered sensible advice on what affected users should do next.

Shipping giant refuses to pay hackers ransom after data stolen

Clarksons, the global shipping firm, has turned the tables on criminal hackers who attempted to extort a ransom payment after stealing confidential information from the company’s network.

The business, which is thought to have suffered a breach at the hand of hackers earlier this month, has warned that the hackers may release some of the stolen data – but that it refuses to give in to blackmail.

Details of the quantity and precise nature of the stolen data have not been made public by Clarksons, but in a statement (PDF), the FTSE 250 company apologised to clients, shareholders, and staff for any concern that the breach may cause them – and said that it was in the process of contacting affected individuals and clients directly.

According to the statement, Clarksons at present believes that the hacker gained unauthorised access to its computer network after compromising the account of a “single and isolated user.” That account has now been disabled by the firm, and “additional security measures” have been put in place to prevent similar attacks in future.

The description of the means by which a hacker or group of hackers gained access to Clarksons’ systems makes me think that the attack may not have exploited a software vulnerability, but rather that a legitimate account holder had login credentials compromised.

The all-important usernames and passwords that protect so many sensitive accounts are no defence at all if a user has made the mistake of reusing passwords in multiple places, choosing an easy-to-crack or easy-to-guess password, or is duped into falling for a phishing attack or installing keylogging malware.

That’s one of the reasons why more and more companies are waking up to the importance of incorporating additional levels of authentication (such as two-step verification) and IP lookups to reduce the likelihood of malicious logins.

Clarksons says it has, quite rightly, informed the police about the attack, and is accelerating the roll-out of additional security measures. Furthermore, Andi Case, CEO of Clarksons, shares some admirable sentiments:

FBI, DHS Issue Warning On North Korea-Linked Malware

The FBI and the DHS issued a joint warning on the “Volgmer” Trojan malware, which has been infecting multiple organizations across industries over the past few years. The FBI has “high confidence” that the IPs linked to Volgmer belong to North Korea.

Volgmer Trojan

The FBI said that the Volgmer malware has been noticed in the wild since 2013 and has targeted government, financial, automotive, and media industries. The primary delivery mechanism for the malware seems to be spear phishing, a type of phishing attack in which a specific individual or organization is targeted. Through it, the attackers can gain higher privileges inside the network and then further infect the network with their malware.

The Volgmer backdoor is capable of gathering system information, updating service registry keys, downloading and uploading files, executing commands, terminating processes, and listing directories. The US-CERT Code Analysis Team also observed in one of the malware samples that Volgmer has botnet controller functionality, too.

According to the government agencies inspecting this malware, Volgmer has been seen in 32-bit executable form, as well as a dynamic-link library (.dll). The malware uses a custom protocol, often with RC4 encryption, to send back data to the command and control (C2) servers. Volgmer maintains persistence by randomly selecting a Windows service in which it can copy itself.

Mitigations

The FBI and the DHS recommend that organizations take a look at the Volgmer-linked IPs and analysis. If they find those IPs connecting to their networks, the companies should take measures to block them and then look for the malware and remove it.

The government agencies have also prepared a list of host-based rules and network signatures that companies can use to detect malware activity related to North Korea. They warned that despite the careful selection of those rules and signatures, some false positives may exist.

The DHS also recommended that organizations implement security best practices, such as:

The agencies would also like to remind companies that a successful network intrusion can lead to loss of sensitive and proprietary information, disruption to regular operations, and financial and reputation losses.

Google rolls out new, crazy-secure email

SAN FRANCISCO — Google on Tuesday rolled out a nasty-complicated but insanely secure version of its Google accounts aimed at “those who need it most,” such as journalists, politicians and activists. It’s not pretty but stands a good chance of keeping the bad guys out.

Called the Advanced Protection Program, it requires users to jump through a series of hoops most Internet companies have worked for years to make go away — dongles, extra passwords, locked-down systems that can’t talk to anything else and a non-intuitive sign-up procedure.

This is so not plug-and-play.

What it is, however, is safe. Not “I work for the National Security Agency and print out the nuclear codes every time they change” safe, but more “I’m working on a Senate campaign and we really don’t want the Russians, or anyone else, to get into our email system” safe.

Signing up requires a Google account and then linking not one but two dongles, or small devices that connect to a computer’s USB port or via Bluetooth. Each produces a highly secure code key that uses the standards of the international FIDO Alliance (for Fast IDentity Online).

These plastic keys are about the size of a regular door key but instead hold codes Google uses to verify that you’re you and that you should have access to the account. The key can plug into the USB port on a computer or connect via Bluetooth to a mobile device such as a phone.

While the secure accounts are free, the hardware to make them secure costs money. A USB security key runs about $25 while the Bluetooth-enabled keys are about $18.

Once you’ve tied these keys to your Google account, you’ve got to have one of them present in order to access your mail and files.

Otherwise — take note — it’s Do Not Pass Go, Do Not Collect Your Email.

“What I think has changed is that people recognize they may never be able to ‘learn’ how to act optimally in a defensive sense, so this program literally eliminates many sources of humans messing up,” said Joseph Lorenzo Hall, chief technologist with the Washington D.C.-based non-profit the Center for Democracy & Technology.

That means using a locked-down Gmail account which may not have all the functionality a more open one could have, though Google does say it’s exploring adding access to some trusted partners as time goes by.

And about that dongle? You really, really don’t want to lose it, or forget your password. Google hasn’t even said what the recovery process will look like, but it is expected to take three to five days.

This isn’t an email system for everybody, Hall said. Those who are considering it should think carefully about the threats they face before they sign on. For most regular email users it will be overkill.

But if someone’s possibly being targeted by a nation state attacker or very determined attackers or organized criminals, the answer is a clear yes, he said.

“Sexual assault and domestic violence victims, billionaires, finance employees, judges and law enforcement officers — they certainly face these threats and should use it,” he said.

The system also doesn’t allow users the freedom that non-secure Google accounts have. Once signed up, their Google account is only able to gather data from a few secure apps so that miscreants can’t get to their inbox or Google Drive via them.

In a way, this is an admission of defeat but also of reality. The Holy Grail of online security has long been a system with serious security that was as easy to use as any other program.

With the launch of Advanced Protection, Google is acknowledging that while no one has come up with something that’s both easy to use and secure, there are enough people out there who really need protection that even a somewhat gnarly program is going to find users.

Wi-Fi has a serious vulnerability. Here’s how to stay safe

Wi-Fi is the invisible connective tissue of the internet. But on Monday, we all learned of a vulnerability in the method that wireless networks use to secure the information that travels from your router to your device, and it lies in a protocol called WPA2. Mathy Vanhoef, a 28-year-old postdoctoral researcher at KU Leuven, a university in Belgium, discovered the issue, called KRACKs, months ago.

Here’s what you need to know about the problem, and what to do about it.

It starts with a handshake

When a machine like a laptop or smartphone connects to a Wi-Fi network, the two gadgets carry out a multi-step handshake. That process involves confirming that your phone, for example, has the right password to connect to the network. The handshake system also produces encryption keys that keep the data secure, so no one can snoop on you. It’s here where the vulnerability lies—the exploit causes one of those keys to be reused, which is a security no-no.
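Why a reused key matters, and what the fix looks like on the client, as an added illustration that is not code from the researchers or from any Wi-Fi implementation. The cipher is a toy keystream, and the `Client` class, its methods and the sample frames are constructed for this example; real WPA2 uses a different cipher and a longer handshake.

```python
import hashlib

# Constructed sample frames of equal length.
P1 = b"constructed frame one"
P2 = b"constructed frame two"


def keystream(key, nonce, length):
    """Toy keystream: SHA-256(key || nonce || block counter). Not the real WPA2 cipher."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Client:
    """Hypothetical, heavily simplified client: installs a session key, encrypts frames."""

    def __init__(self, patched):
        self.patched = patched
        self.key = None
        self.nonce = 0

    def install_key(self, key):
        # The handshake message that triggers installation can legitimately arrive
        # twice: it is retransmitted when the acknowledgement is lost.
        if self.patched and key == self.key:
            return  # key already in use: leave the nonce counter alone
        self.key = key
        self.nonce = 0  # correct for a fresh key, harmful when the key is not fresh

    def send(self, plaintext):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))


def run_session(patched):
    """Send one frame, receive a repeated key-install message, send a second frame."""
    key = b"constructed session key"
    client = Client(patched)
    client.install_key(key)
    first = client.send(P1)
    client.install_key(key)  # the same key delivered again
    second = client.send(P2)
    return first, second


def keystream_cancels(first, second):
    """True when XORing the two ciphertexts equals the XOR of the plaintexts,
    meaning both frames were encrypted under the same key and nonce."""
    return xor(first[1], second[1]) == xor(P1, P2)


if __name__ == "__main__":
    for patched in (False, True):
        first, second = run_session(patched)
        print("patched" if patched else "unpatched",
              "nonces:", first[0], second[0],
              "keystream cancels:", keystream_cancels(first, second))
```

The unpatched client sends both frames under nonce 1, so the encryption no longer hides how the two frames relate to each other; the patched client ignores the repeated installation and moves on to nonce 2.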

“We found a weakness in the design of this WPA2 protocol [in which] we can force a victim into reusing a key,” Vanhoef, the researcher who discovered the issue, says. “In turn we can use that to reveal sensitive information that the victim is sending, such as passwords, or usernames, and so on.”

Good news: For this exploit to actually happen, the hacker taking advantage of it must be in range of the Wi-Fi network, so it’s not the kind of attack that can be carried out from the other side of the world. Bad news: if done successfully, the attacker could intercept and see the data that flows from your device to the internet.

“When I initially discovered it, it was really surprising to find this,” Vanhoef says. “Because this WPA2 protocol has been around for 14 years.”

For those looking for a more thorough explanation of the problem, Leuven has published a research paper on the topic and also lays it all out in a website about it.

Who’s affected?

The problem lies in the WPA2 wireless protocol—so it’s not something that a specific device-maker created. According to Vanhoef, common operating systems like iOS, Android, Linux, and Windows are all susceptible, but to different degrees. The most vulnerable devices run the Android and Linux operating systems, Leuven says.

Your home Wi-Fi network is less likely to be vulnerable than a big one, like a public Wi-Fi system at an airport or an office.

Leuven says it is unclear if anyone has actually used the exploit yet. “We’re not in a position to determine if people are abusing this or not,” he says. But he remains most concerned about smartphones running Android.

So what should you do?

The most important thing you can do—today and always—is install the automatic updates that companies push out. Whether your smartphone or laptop is running iOS or Android, Windows or macOS, the key is to “always install updates,” Leuven advises. No need to change the password on your home Wi-Fi network, he says. (Microsoft is on the ball with this one and patched the issue on October 10.)

And while home networks and routers are less vulnerable than others, it’s also a good idea to make sure your router’s firmware is updated. For example, Netgear published an article that lists the routers, cameras, range extenders, and other gizmos that are vulnerable to this exploit, and explains how to get the newest firmware.

Karen Sohl, a communications director for Belkin, Linksys, and Wemo, says that they are “aware” of the vulnerability. “Our security teams are verifying details and we will advise accordingly,” she says, via email, adding that they “are planning to post instructions on our security advisory page on what customers can do to update their products, if and when required.”

And Apple confirmed to Popular Science that fixes for the exploit are coming to consumers via updates in the next few weeks for iOS, macOS, watchOS, and tvOS; those same updates are already out in either public or developer betas.

“Don’t panic,” Candid Wueest, a threat researcher with Symantec, says. However, he adds, “It is definitely a serious vulnerability which is present in the design of Wi-Fi as we use it, with the WPA-2 encryption.”

Like Leuven, Wueest stresses the importance of updating the software that runs your devices. He also recommends that if you are sending sensitive information, check your browser to make sure the connection is secured with HTTPS/SSL. (Look for a lock symbol in the URL field.) When configured correctly, that protocol protects your information with an additional level of security. The last step to take, for the truly worried? Consider using a virtual private network, or VPN.

Ultimately, a vulnerability like this is “rare,” but compared to malicious code like WannaCry, Wueest says, “it’s not as bad for the internet.”