In the current age of the IT revolution, more and more people are getting hooked into the cyber world for their various needs. There is a distinct reliance on computers and the internet now for email, entertainment, online shopping, airline and rail tickets, banking, trading, and the list goes on. While it makes our lives simpler and more convenient, it also poses dangers to us in an unprecedented way by exposing our identity in the public domain. Details of our personal information, such as names, addresses, passwords and bank accounts, are constantly under attack by the various fraudsters, hackers, terrorists and criminals freely roaming the cyber world.
It makes perfect sense for users to understand the online security threats they are exposed to while surfing the web. Just what are those risks and threats that we are talking about? Among the dangers are hostile viruses, hackers accessing your system and stealing vital information like credit card details and committing fraud, unsecured wireless networks, spyware on your system, and identity theft.
As a user, how can you enhance your online security?
In the following section, we will discuss the kind of risks that you are exposed to and the ways in which you can tackle those risks. There is no fool-proof system, but it doesn’t hurt to be a little careful while on the internet.
How to protect personal and work data
- Protect yourself with relevant software from viruses and trojan horses that may steal or modify data on your own computer. A trojan horse program is software that claims to do something genuine, but does exactly the opposite. For example, a program that claims it will speed up your computer may actually be sending personal PC information to a hacker.
- Update your PC with the latest anti-virus software and operating system patches. Make sure these updates happen automatically.
- Install a personal firewall and anti-spyware software to protect your PC.
- Periodically change your online passwords.
- Check your credit card and bank statements regularly and report any irregularities to the relevant authorities.
- Modify Internet Explorer or other browser security settings to limit the amount of information you are willing to accept from a web site. Microsoft recommends setting the security level for the internet zone to medium or higher.
When you use the internet, you view web sites in a browser. A browser is a program that accesses and displays files and other data available on the internet and other networks. Browser programs are frequently updated to add functionality and address problems. If you are using an older version, there could be security issues (someone could hack into your computer).
How to do it?
Download the latest version of the browser you are using from the company’s web site. It might ask for information about your computer, such as which operating system it uses (for example Vista or Windows XP). Then follow the instructions on your screen.
Save it to your computer; it will be saved as an executable file. Once the download is complete, go to the folder where you saved it and double-click on it. This will install the new browser on your computer.
Be careful while doing online shopping
- Shop online only with known and reputable merchants; enter their URLs yourself, and do not click on links in emails, as these may very well contain hidden commands to trick you.
- Do not respond to any emails asking for personal information.
- Make sure your data is encrypted. Many sites use SSL (Secure Sockets Layer) to encrypt information. Indications that your information will be encrypted include a URL that begins with https: instead of http: and a lock icon in the bottom right corner of the window.
- In case you doubt the legitimacy of the certificate, refrain from entering any personal information. If the site does not require you to enter sensitive information, it probably won’t display the lock icon.
- Use a credit card instead of a debit card, because credit cards have pre-defined limits and in case your credit card details are compromised this will minimize possible losses. Use credit cards with a low credit line.
- Check your statements to keep an eye on any unusual transactions.
While you browse the internet, information about your computer may be collected and stored fraudulently. To increase your level of security, adjust your privacy and security settings to block or limit cookies in your web browser. Make sure that other sites are not collecting personal information about you without your knowledge by choosing to allow cookies only for the web site you are visiting. Block or limit cookies from any third party. If you are using a public computer, you should make sure that cookies are disabled to prevent other people from accessing or using your personal information. In such a case, if you have been using Firefox, press [Shift] + [Ctrl] + [Del] and use the dialogue box that pops up to clear all personal data and history. It is not so straightforward in Internet Explorer, but, depending on the version, you can do the same thing under the menu Tools > Internet Options.
Unsecured wireless networks
These pose a real security threat as seen from the recent misuse by terrorists to send email warnings about imminent terror attacks. Wireless networks allow criminals or hackers to intercept an unprotected connection. War driving involves individuals equipped with a computer, a wireless card, and a GPS device driving through areas in search of wireless networks and identifying the specific coordinates of a network location. Criminals with malicious intent could take advantage and access your computer and steal vital information or use your internet connection to commit acts of fraud or terror.
Tips to secure wireless networks
- Change the default passwords as most network devices have a pre-configured default password and these are easily found online.
- Install a firewall directly onto your wireless devices (a host-based firewall). Attackers who directly intercept your wireless network may be able to bypass your network firewall, so the network firewall alone does not offer sufficient protection.
- Restrict access — only allow authorized users to access your network. Each piece of hardware connected to a network has a MAC (media access control) address, a unique identifier for networking hardware such as wireless network adapters. Restrict or allow access to your network by filtering MAC addresses. A hacker can capture a MAC address from your network traffic and pretend to be that device in order to connect to your network, but MAC filtering will still protect you from the majority of attackers. Find the MAC address of the network adapters on your devices by following these steps:
(A) Go to Start > Run
(B) Type command and press [Enter]
(C) Type ipconfig /all in the command prompt window and press [Enter]
(D) The MAC address is shown as the physical address in the information displayed.
- Check the user documentation to get specific information about the MAC Filtering process if you have any more queries.
- Encrypt the data on your network. Encrypting the data would prevent anyone who might somehow be able to access your network from viewing your data.
- Protect your SSID (Service Set Identifier — An SSID is the name of a WLAN). The SSID on wireless clients can be set either manually, by entering the SSID into the client network settings, or automatically, by leaving the SSID unspecified or blank. A network administrator often uses a public SSID that is set on the access point and broadcast to all wireless devices in range. You can disable the automatic SSID broadcast feature to improve network security.
- To prevent outsiders from easily accessing your network, avoid publicizing your SSID. Consult the user documentation to see if you can change the default SSID to make it more difficult to guess.
Normally, when browsing the web, URLs begin with the letters http. However, over a secure connection, the address displayed should begin with https.
- Spoofing attacks are as common as phishing frauds. The spoofed site is usually designed to look like the genuine site, using a similar look and feel to the legitimate site. The best way to verify whether you are at a spoofed site is to verify the certificate.
- “Lock” icon – check for the lock icon in the lower-right of the browser window. This tells you that the web site uses encryption to protect sensitive personal information — credit card numbers, ATM PINs, Social Security numbers, etc. The lock only appears on sites that use an SSL connection, which is typically used only on sites where you enter sensitive information. A closed lock icon means that the site uses encryption. Double-click the lock icon to display the security certificate for the site. This certificate is proof of the identity of the site. When checking the certificate, the name following “Issued to:” should match the site you are on. If the names do not match, you are on a spoofed site and should leave it.
SSL stands for “Secure Sockets Layer”. It is a protocol designed to enable applications to transmit information back and forth securely. SSL is accepted on the world wide web for authenticated and encrypted communication between the computer and servers.
Identity theft can result from both offline and online fraud. Offline fraud occurs as a result of theft of your mail, credit cards, debit cards and cheque books. You should be cautious while receiving, storing and disposing of information pertaining to cheques, ATM / debit and credit cards. Identity theft can happen even to those who do not shop, communicate, or transact online.
Can others on the internet access my information?
You are safe only if a secure session is established and the information is encrypted during transmission. However, some web browsers store information on your computer even after you have finished surfing. This is called caching. Close your browser once you have finished surfing, especially after using secure sites to conduct financial transactions.
Disable active content
Web sites use scripts that execute programs within the web browser. This active content can be used to create “splash pages” or drop-down menus. The same scripts are used by hackers to download or execute viruses on a user’s computer. You can prevent active content from running in most browsers, although doing so limits some functionality and features of some web sites. Therefore, before clicking on a link to a web site that you are not familiar with or do not trust, disable active content.
Safeguarding online trading
The risks involved in online trading are high. Brokerages have information about you and this information is under attack by fraudsters. To gain access to these databases, attackers may use trojan horses or other types of malicious code.
Tips to safeguard online trading
- You should thoroughly check the brokerages you are trading with.
- Check through offline methods about brokerages.
- Check privacy policies of the site you are trading with.
- Check about the legitimacy of the web site by checking their certificates.
- Check your accounts regularly for any suspicious or unusual transaction.
Often you are guided to fraudulent web sites via email and pop-up windows in order to collect your personal information. You can detect such web sites by typing the given URL into a new browser window. If it does not take you to a legitimate web site, or you get an error message, it is a fake web site. Never click on a link in an email to a site involving financial transactions. Either enter the URL by hand or, better, use the bookmarks you will likely already have for your bank, eBay and other such sites.
Some Downloading tips
- Download programs only from legitimate and trustworthy sites. Enter the program’s name in a search engine to check whether the program has been reported for spyware issues.
- Be cautious when downloading free music, movies, software, and surfing file sharing sites.
- Read the privacy statements and licensing agreements of the software you download.
- Never enter financial information in pop up windows.
Although its demise has long been predicted — and wished for by many — the password is still the most common form of identity authentication in use. At first sight, the use of a password for authentication seems straightforward and secure; but in practice the system has many limitations and inherent problems. We are forced to continue to use them for the foreseeable future, so in this article we will have a look at some of the problems and suggest some solutions.
The single most important problem, of course, is memorability. One person known to us, whom we’ll call John, can illustrate the worst way to use passwords. Until recently, he used exactly the same user name and password for any internet site that required registration. One day he wanted to look something up on a specialist knife site in the US. It required registration, and he used his usual login. Luckily for him, he very quickly discovered that orders were being placed using his eBay account for items to be dispatched to Africa. Also luckily for him, eBay responded quickly in freezing his account and preventing any real harm from being done.
What had happened appears to have been this: the knife site had some kind of automated system that would collect user names and passwords and then try them out, against eBay, Amazon, banks and other such online stores. Once it found a hit, it then started making orders — probably by alerting one or more humans with the successfully stolen login information.
The first rule with passwords clearly has to be to differentiate between sites that involve financial transactions and any other kind of important personal information, and all others. For example, you may well need to register to access some newspaper sites, or other general information sites. These organizations request registration in order to keep a check on the number and types of people visiting their sites in order to give a better service. It hardly matters if you use the same login and relatively simple, easy to remember, passwords with these sites. There is usually no risk of loss of personal information that might lead to theft of goods or money.
However, the situation is very different with sites that involve financial transactions. These need to have strong passwords — that subject will be discussed shortly — and preferably a different password for each site. These passwords should also be changed at reasonable intervals. Make sure that you do not use the same password that you have for a transactional website for any other website — news, email, and so forth. Keep them secure, and do not write them down. Ever.
A strong password is one that is difficult to guess or search for automatically. The problem, of course, is that the stronger and more random a password is, the more difficult it is to remember. Simply using long words from your natural language is not good enough. You can count this in different ways, but it is commonly considered that the English language consists of between one and two hundred thousand words. It does not take a modern computer very long to go through such a list. One email company had a reasonable attempt at improving on natural language passwords about 20 years ago: each password issued to users consisted of eight letters in pairs, forming four syllables. The structure was like this: “gedovozu”. This was relatively easy to remember and was not part of any natural language set. Such passwords are suitable for use with low risk websites, but are not really strong enough for financial sites.
The strength of a password lies in its entropy, or randomness. A similar method to the one just described that produces much stronger passwords involves the use of mnemonic phrases — these tend to be relatively easy to remember, and highly entropic. For example, the phrase “Robert likes to have two sugars in his coffee” would yield “Rlth2sihc”. That has nine characters, one is upper case, and one other is a numeral. This is much stronger than the more simple “gedovozu”.
The entropy of a password depends on the number of possible combinations. If you just stick to lower case letters, a four character password has a total of 26^4 (26 to the power 4) combinations: 456,976. This seems like a large number, but a computerized search could zip through these in little time, and anyway, most combinations would be difficult to remember, and so would end up not being used. You increase the entropy by increasing both the number of characters in the password and the number of character sets from which they are drawn. So, a strong password should include at least eight characters, drawn from upper and lower case letters, numerals and other characters, such as &, @, %, where permissible.
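The two ideas above, the mnemonic-phrase method and the search-space arithmetic, as an added worked example (not code from the original article). It reproduces the “Rlth2sihc” derivation and the 26^4 figure, and scores passwords by the brute-force search space the article describes; the symbol set and the guess rate are constructed assumptions, and the score says nothing about dictionary attacks, so a common word drawn from one character set scores the same as a random string from the same set.

```python
import math
import string

# Character sets the article refers to. The "other characters" set is a
# constructed sample; real sites permit different symbols.
LOWER = string.ascii_lowercase      # 26
UPPER = string.ascii_uppercase      # 26
DIGITS = string.digits              # 10
SYMBOLS = "&@%!#$*-_+=?"            # 12, constructed sample set

# Number words that the mnemonic method turns into digits ("two" -> "2").
NUMBER_WORDS = {
    "zero": "0", "one": "1", "two": "2", "three": "3", "four": "4",
    "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9",
}


def mnemonic(phrase: str) -> str:
    """Build a password from the initial letters of a phrase.

    Number words become digits, other words contribute their first
    character with its original case, so "Robert likes to have two sugars
    in his coffee" becomes "Rlth2sihc" as in the article.
    """
    out = []
    for word in phrase.split():
        bare = word.strip(",.;:!?\"'").lower()
        if not bare:
            continue
        out.append(NUMBER_WORDS.get(bare, word[0]))
    return "".join(out)


def alphabet_size(password: str) -> int:
    """Combined size of every character set the password draws from.

    An attacker who does not know which sets were used must search the
    union, which is what makes mixing sets raise the entropy.
    """
    return sum(len(cs) for cs in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(ch in cs for ch in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search must cover: sets ** length."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Entropy of the brute-force search space, in bits."""
    return math.log2(search_space(password))


def worst_case_seconds(password: str, guesses_per_second: float = 1e9) -> float:
    """Time to exhaust the search space at an assumed guess rate (constructed)."""
    return search_space(password) / guesses_per_second


if __name__ == "__main__":
    for pw in ("abcd", "gedovozu", mnemonic("Robert likes to have two sugars in his coffee")):
        print(f"{pw:12} space={search_space(pw):>22,} bits={entropy_bits(pw):5.1f} "
              f"worst-case={worst_case_seconds(pw):12.1f}s")
```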
You also need to be protective of your password once you are satisfied that it is strong and have memorized it. In 2004, a survey was conducted at a London railway station in which people were asked for their password — presumably in the interests of scientific enquiry — in return for a chocolate Easter egg. 71 per cent cooperated. Of course, we cannot know how many lied, but even so this is a disturbing figure. It had been 90 per cent the year before, but then the gift had been an obviously more attractive cheap pen. There is no reason why you should ever give your password to anybody — that defeats the whole object of having a password in the first place. Some companies — utility companies have been known to do this, for example — ask for passwords over the telephone. Always refuse to comply. Never tell your password(s) to anybody.
It is well worth taking the trouble with financial sites to memorize a couple of passwords that are specifically difficult to remember — without any common phrase or letter combination. But what if you need to remember more than just a couple? Many banks nowadays are requiring two passwords — one for login and one for transactions — you also may well have more than one bank account, perhaps also a credit card account or two, and then there are shopping sites like eBay. It can soon become quite a list of sites that require strong passwords, and the last thing you want to do is write them down.
The present writer was once asked to help a colleague with a problem concerning his laptop. This was a senior executive in a publishing company; such people often consider technical writers to be extensions of the IT department. This chap’s password for his email system was written in indelible ink on the outside of his laptop. That is the worst example, but writing passwords down anywhere is also a bad idea; a small piece of paper kept under your mouse mat, or maybe in your wallet, and so on. Never write them down. Never.
One possible way of recording a multiplicity of strong passwords is in an encrypted file, produced with software such as WinRAR. With compression and archiving software such as WinRAR you have the option to password protect the file so that only somebody with the password can open it and view the contents. However, you need to use a strong password. A useful exercise to go through is to download password cracking software and try it out. This is software that is usually described as helping people who have forgotten their password. It will run through all possible combinations using the character sets and password lengths that you define.
Try one of these out with a file protected by a weak password; once you have seen how quickly this can be done, you will take much more care to use strong passwords in future. One further point with this method is that when you view the file, do just that and only that, and do not extract to disk unless you need to edit it and add something new. If you do have to do that, also make sure not only that you delete the file after it has been rearchived, but that you immediately create a new file of the same name and at least the same size in the same directory — this can simply consist of rubbish, and should ensure that the information in the file will be removed from the hard drive. You can immediately delete it. There are also utilities that you can download that will do this for you, when you wish to delete a sensitive file; they are probably more certain to delete all data, but the method just given should work on most occasions. And one final point, do not name your archive “my_passwords.rar” or anything even remotely similar.