Identity Security Techniques - Monday, February 2, 2009

Alright, so, it has been a while since my last post, and today I have an email to share. I sent this email around to my family quite a while back. Be warned that there are most likely typographical errors, and this was written at a time when I was tired. I don't have much time to proofread it now, but I'll do what I can. If you have any corrections, leave a comment and I will do my best to give you credit for spotting them. Enough said, here it is:

I'm sure you are all well aware of the fact that there are many active people/groups today that would love to steal your identity. This is intended as an informational aid, to help you make your online experience safer.

1. Don't be stupid - Never give out any type of personal information willy-nilly, especially if you get a pop-up that says something like "Enter your SS# here and get a free pizza from Papa Johns!" Okay, that was a lame example. In reality, these types of things can be very hard to detect. There are also sites that look like a legitimate site, such as Paypal, but are really set up specifically to fool you into entering your personal information, which the owner(s) of the fake Paypal site then use as they choose. Often, with these types of sites, your personal information may even be sold to other criminals to be used even more.

2. Don't fall for social engineering. This is probably the hardest one of all. Consider the following situation: A co-worker knows your personal email address. One day, you go out to eat with them, and have a casual conversation. It goes something like:

Co-worker: "So, you say you like animals?"

You: "Yeah, our pets are treated better than our relatives, sometimes."

CW: "Well, what kind of pets do you have?"

Y: "We have three dogs right now. We had one cat, but it died about five years ago."

CW: "Oh, that's too bad... Was it an old cat?"

Y: "Oh, yes. It was fifteen years old, and it was also the first pet I ever had."

CW: "Oh, I see. What kind of a cat was it? Was it a nice cat?"

Y: "He was a very nice cat. I don't know what kind it was, we found him on the street and decided to name him 'Bob'." ***RED FLAG HERE!!!***

Okay, so it seems like an innocent conversation, right? Well maybe, but consider this: Almost all (if not all) email providers have a feature known as a "Password Reset". When you first got your email, you probably filled out a form, and on that form was something often known as a "Security Question". A popular security question, and sometimes even the default one, is "What was your first pet's name?" Making sense yet? Okay, let's say you forgot your password. You go to sign into your email, can't remember the password, and then notice a little link near the "Sign In" button - it says "Forgot password?" Guess what this link does? You guessed it, it takes you to a page that displays your security question, and has a couple of text input boxes: One for your answer (Bob), and one for the email address you want your password reset information to be sent to. Whoops. (Note: This particular bit may no longer be valid due to the security threat it would pose.)

3. When giving out personal information online, look for signs that the website you are giving it to might be illegitimate. One common sign that is fairly well-known is the "lock icon". When you go to an online retailer, at the payment screen, there is almost always a lock icon. (A picture of a locked padlock, usually brownish/goldish in color.) The location of the padlock can vary, depending on many factors, but usually the browser being used and the website being visited are the two biggest ones. I usually look for the "ends" and/or "corners". In the "address bar" (where you type in the web address), the lock icon sometimes shows up on one end of it. In other situations, a common spot is the "status bar" - the bottom bar of the web browser (below the web page). Its location can vary, but typically I find that it tends to be in the far-right fourth (quarter, whatever) of the status bar (if the status bar is where it is contained). The lock icon might also be found in places such as one end of the menu bar (the one with the words File, Edit, View, History, and so on). Note, however, that it should be somewhere within the "frame parts" of the browser; id est, if it is an icon/picture **on the web page itself, but not on the "browser frame" somewhere**, there is a greater chance that you are dealing with a fraudulent site. Some sites, sadly, are as secure as can be, but lack the lock icon. (Not sure about that, either.)

Look in the address bar: it starts with something like "http://" or "https://" - the second one, with the "s", means the connection is secure. In case you were wondering, HTTP(S) = Hypertext Transfer Protocol (Secure).

Two more things to watch out for, both involving the text in the address bar. First, look at the part of the address immediately before the ".com", ".org", ".gov", whatever. It should be the site you think you're on. So, if it is "payment.paypal.com", it is owned by the owner of "paypal.com". But if it is "paypal.payment.com", it is owned by the owner of "payment.com" - which should send up a ***RED FLAG*** if you are planning on making a Paypal payment on that web page. Finally, watch for "tricky lettering" in the address bar. For instance, something like "g00gl3.c0m" might seem ridiculously obvious, but something like "paypa1.com" or "paypaI.com" might not, especially depending on the font used.
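The two address-bar checks described above, as an added Python example that is not part of the original email: it takes the owning domain as the last two labels of the host, then folds the look-alike characters used in the text. The function names, the substitution list and the sample URLs are constructed for illustration, and the two-label rule is an assumption that does not cover suffixes such as "co.uk".

```python
from urllib.parse import urlsplit

# Look-alike substitutions taken from the examples in the text (not exhaustive).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "I": "l"})


def displayed_host(url):
    """Host part of a URL exactly as written, keeping letter case."""
    netloc = urlsplit(url).netloc
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]


def owner_domain(host):
    """Last two labels of the host, e.g. 'paypal.com'.

    Assumption: a plain two-label rule. Suffixes such as 'co.uk' need the
    Public Suffix List, which this example does not load.
    """
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def skeleton(domain):
    """Fold look-alike characters so visually similar names compare equal."""
    return domain.translate(LOOKALIKES).lower()


def check_address(url, expected):
    """Classify a URL against the domain the reader expects to be on."""
    owner = owner_domain(displayed_host(url))
    if owner.lower() == expected.lower():
        return "match"
    if skeleton(owner) == skeleton(expected):
        return "lookalike"
    return "different-owner"


if __name__ == "__main__":
    # Constructed sample addresses built from the names used in the text.
    samples = [
        ("https://payment.paypal.com/pay", "paypal.com"),
        ("https://paypal.payment.com/pay", "paypal.com"),
        ("https://paypa1.com/login", "paypal.com"),
        ("https://paypaI.com/login", "paypal.com"),
        ("http://g00gl3.c0m/", "google.com"),
    ]
    for url, expected in samples:
        print(f"{check_address(url, expected):16} {url}")
```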

4. What you should do if you receive a phishing email. Okay, first off, for a definition of "Phishing", read the first paragraph or two at http://en.wikipedia.org/wiki/Phishing Got it? Okay, good. Common examples of phishing scams (well, like the ones I always get) are ones that start out by saying something like (but worded *much* more professionally): "Hey, you are the person on the will of this dead guy we just found, Tim Jiminy. It says to give you all his money. He was a millionaire, so, because of the large amount of money we need to give you, we need you to send an email to 'jimjohnson@specialtylawfirminsomerandomcountry.com' and include the following information: your name, date of birth, address, phone number, and checking account number that you want your money deposited in, along with the password to it, to avoid any glitches along the way. Oh, and you (legally) only have seven hours from the time this email was opened, or the money will not be distributed." Okay, so what have you all been told to do with this type of email? Probably something like "delete it, and don't reply". Well, this might work, but it's not the best thing to do. Think about it: How are the cops supposed to even think about catching this psycho if they don't know he's doing it? Here's what I do, and encourage you to do, too.

**Firstly, never reply.** Sure, if everyone that got this email replied to it, it would be a massive flood coming to the spammer/phisher's account, trigger the attention of his ISP (Internet Service Provider), and get their internet access terminated. But, since there's no way to make sure that that is what will happen (and I guarantee you that, likely, no one else would reply), it will confirm to the criminal that the email address he has sent the bogus email to exists. Then guess what? All of his buddies get to know it, they sell it to others, and eventually, you get spam like this from hundreds of senders.

**Secondly, (if it is a phishing email,) forward it to the Anti-Phishing Workgroup.** Look at http://www.antiphishing.org/report_phishing.html for a nice (and short) tutorial on how to submit such emails to them. What I do is right-click on the email, and select "view full headers". (Yours might be a bit different.) After they are displayed on my screen, I click somewhere in that box and hold the [Ctrl] key and tap the [A] key, then release the [Ctrl] key. This selects the full headers. Next, I right-click on the highlighted text (the headers) and select "Copy". Then, I click the "forward" button and type in "reportphishing@antiphishing.org" (without quotes) as the "To:" address. Then, above the (to-be-)forwarded email, I type in something like "The headers are:", and press the [Enter] key a couple of times. Finally, I right-click where the cursor is, and select "Paste". Voilà! The headers of the original email are there for the wonderful APWG workers to use to track down the culprit of the spam.

**Third, (optional, but builds karma,) send a copy of the email's headers to the company that was being impersonated (if applicable).** So, if instead of getting an email about some dead guy, it ends up looking like it came from a bank, and is asking you for personal information, look on the bank's website, and find a link with something like "Contact Us" as the title. From there, look for an "Abuse" section, or something similar. Email the spam with the headers (as described above or on the APWG's website) to the email listed on the bank's website for such occasions.

**Finally, if you really want to, file a complaint with the FBI's Internet Crime Complaint Center (IC3).** For more information on that, visit: http://www.ic3.gov/default.aspx