People who Christmas shop on the Internet need to protect themselves as criminals bump up their scams for the season
Peter Wilson
Sun
An e-commerce clerk takes a call from an online customer. Cyber criminals have created websites that duplicate store sites to fool buyers into revealing their credit card numbers. Photograph by : Joe Raedle, Getty Images
Better watch out, better not to pout when Santa Claus comes to the Internet this holiday season.
Now’s the time to learn how to protect yourself because jolly old St. Nick is sure to be accompanied by spams, scams, fake websites and even evil-twin wireless networks.
Last Christmas 3.5 million Canadian adults spent an average of $228 each on presents. And, as always at this time of year, Net nasties simultaneously bumped up their cash snatching schemes to match e-sales activity.
“It’s Christmas, so this is absolutely going to happen,” said senior analyst Gregg Mastoras of security firm Sophos Inc, which has a major spam lab in Vancouver. “Unfortunately, it’s a bit like clockwork.
“In 2004 we saw a tripling in the number of spams that were offering Rolex watches and other luxury goods,” said Mastoras. “So expect to see more spam offering that kind of thing.”
As well, said Mastoras, there will be a rise in what are called phishing attacks — especially e-mails containing fake offers of the likes of loans, credit cards, increases in credit card limits and lines of credit.
Phishing was estimated by Financial Insights to have cost global financial institutions at least $400 million U.S. in 2004.
Phishing, said Mastoras, takes on two aspects. The first is simply an e-mail that asks you to forward such information as passwords, identities and account numbers.
“The second sends you to a website that looks like the one that belongs to your bank or your credit card company. It’s going to ask you for information there.”
A recent e-mail, carrying the logo of the Royal Bank of Canada, said that there was a suspicion that the recipient’s account might have been “accessed by an unauthorized third party.”
The e-mail continued:
“We are asking you to immediately log in and report any unnoticed password changes, unauthorized withdrawals or deposits, and check your account profile to make sure no changes have been made.”
Clicking on to the link led to a website that was an exact duplicate of that of the Royal Bank. Once the user signed in, of course, the account number and the password would go straight to the phishers.
As well, there are false stores and the usual fraudulent eBay sites.
“Another thing is that you’ll see is a lot of people writing viruses, trojans and worms trying to take advantage of the holidays,” said Mastoras.
These will seem innocent enough, with subject lines like “Open me, holiday jingle” and “funny card.”
Last year at about this time the Zafi-D worm, which accounted for 16.7 per cent of all viruses reported to Sophos in the last 12 months, began appearing with such subjects as “Merry Christmas,” “Joyeux Noel,” and “Feliz Navidad.”
Some e-mails, perhaps appearing to come from an online bookstore, will ask people to “click here for your rebate” or offer some other enticement. And those who have recently shopped at the site represented in the e-mail may do just that.
“You click on them and the next thing you know is you’ve downloaded a virus,” said Mastoras.
This is a particularly dangerous problems because downloading viruses could lead to much bigger problems than the user’s computer being rendered inoperative.
“There are some viruses out there that if they do get into your system they actually do things so that they know, for example, when you’re typing in www.ebay.com and they’ll basically take that information and redirect you [to a fake site],” said Mastoras.
And, as with the sites that took advantage of Hurricane Katrina, there are certain to be others that pluck at your heart strings to give money to sites purporting to help the down and out and the homeless, said Mastoras.
Then there’s the chance, if you’re sitting in a coffee shop with a wireless connection that, if you don’t have protection in place, your hard drive could be available to someone else on the network or someone could be operating an evil-twin network that captures everything that you’re doing online, including paying for goods with your credit card.
All of this evildoing, and reports of the evildoing have tended to make Canadians nervous about buying things online and far more apprehensive than their counterparts in the United States.
“I think what we’re starting to see is a little bit of fear, which is causing people to wonder if they should do online shopping to begin with,” said Mastoras. “Maybe it’s gone a bit too far in pushing people away from using the Internet as a tool.”
And Mastoras looks to be correct. A recent survey, conducted for the Canadian Alliance Against Software Theft, showed that 40 per cent of Canadians will back away from cyber shopping this Christmas because of their fears about a lack of Internet security.
That figure compares with just 24 per cent of those with Internet access in the U.S. who say they’ll be avoiding online shopping for security reasons.
Of those Canadians who do shop online there are some who do so despite being worried, because 88 per cent of us say we feel some Internet retailers haven’t done enough to protect their online customers.
Strangely, it’s not that Canadians aren’t doing anything to protect themselves.
Ninety-six per cent of survey respondents said they believe it’s important to protect themselves online and 68 per cent said they have at least three to five security software products on their computers.
Anti-virus software leads the way at 85 per cent, followed by firewalls used by 67 per cent of Canadians , e-mail filtering by 64 per cent and anti-spyware software at 60 per cent. Just 33 per cent report they have Web content filtering or blocking software.
That sounds impressive, but the survey, conducted by Forrester Research, also showed that a huge 81 per cent of Canadians aren’t confident in their own ability to protect themselves from losing information to an online threat.
And 74 per cent say they’re not confident they can protect themselves against unsolicited e-mail or spam.
And that could be because, although people like the convenience of computers and the Internet, when it comes to their inner workings they’re just not sure of what to do.
“Most people focus on the functionality and the features of their computer,” said Simon Tang of the consulting firm Deloitte, which provided much of the security information in the accompanying story.
“If it’s working, then why touch it.”
But to really combat this, people need to develop a real sense of online awareness, said Tang.
“Most, if not all, banks have come on and said that they would never ask someone to send back their credit card information or their account numbers,” said Tang, Toronto-based senior manager of Deloitte’s security services practice. “So, if in doubt, always call the financial institution.”
Tang also warned about wireless networking problems in the home, considering that a lot of users never bother to turn on encryption on their wireless modems. This, he said, is especially a problem for those who have large houses and have used signal boosters to beef up their networks.
“Then you can send signals out up to a kilometer or two or more surrounding the radius of your house.”
A wireless security expert from California was recently in town for a security conference and made an interesting discovery.
Sheila Luskin, western regional manager for AirMagnet, said that while she was demonstrating her products in Vancouver she was approached by a British Columbia retailer who had discovered a hacker outside a store, wirelessly collecting credit card information on purchasers.
“I think that Canada is more lax with security and I think that’s why people are concerned,” said Luskin.
SAFE HOLIDAY SHOPPING:
Tips from Deloitte on safe online shopping during the holiday period:
– Make sure the firewall and anti-virus software on your computer are updated and running. Scan the computer to detect any malicious programs (Trojan horses, spyware) that may have been planted to disclose sensitive information or to misdirect you to a fraudulent website.
– Verify that your browser has the latest security upgrades and that it supports 128-bit encryption. Your browser’s encryption level can be found in the tools menu under the “about” option.
– Make sure your wireless network has strong wireless security and controls built in such as wired equivalent privacy (WEP) or Wi-Fi protected access (WPA).
– Never respond to e-mails requesting that you log into a shopping-financial transaction website, claiming that your login credentials need updating or that your account is in arrears.
– Type in the URLs of websites that interest you and avoid clicking on those sent in an e-mail link.
– Confirm any online seller’s physical address and phone number in case you have questions or problems.
– Never send your financial information via e-mail because it is not secure.
– If you want to send your financial information through a website, look for indicators that the sight is secure, like a lock icon on the browser’s status bar or an URL that begins with https: (the “s” stands for secure. However, be careful, no indicator is foolproof.
– Don’t open e-mail attachments, even if it seems to have come from a friend or co-worker, unless you are expecting it or know what it contains.
– Consider shopping at sites that offer strong encryption (128-bit vs. 40-bit). You can find out the level of encryption by clicking on the lock item in the browser’s status bar.
– Avoid opting for the “remember password and user name” option. Although this can be a convenience, anyone who uses your computer can then gain access to your account and personal information.
– Print and save records of all your online transactions, including the product description and price, the online receipt and copies of correspondence with the seller. Read your credit card statements as you receive them and be on the lookout for unauthorized charges.
Edited tips based on information provided by Deloitte’s security services group.
PHISH OR CUT BAIT:
How to avoid the costly hook of phishing:
– Be suspicious of any e-mail with urgent requests for personal financial information.
– Unless the e-mail is digitally signed, you can’t be sure it wasn’t forged or “spoofed.”
– Phishers typically include upsetting or exciting (but false) statements in their e-mails to get people to react immediately.
– They typically ask for information such as user names, passwords, credit card numbers, social security numbers, etc.
– Phisher e-mails are typically NOT personalized, while valid messages from your bank or e-commerce company generally are.
– Don’t use the links in an e-mail to get to any web page, if you suspect the message might not be authentic.
– Instead, call the company on the telephone, or log on to the website directly by typing in the Web address in your browser.
– Avoid filling out forms in e-mail messages that ask for personal financial information.
– You should only communicate information such as credit card numbers or account information via a secure website or the telephone.
– Always ensure that you’re using a secure website when submitting credit card or other sensitive information via your Web browser.
– Regularly log into your online accounts:
– Don’t leave it for as long as a month before you check each account.
– Ensure that your browser is up to date and security patches applied.
Edited version of suggestions by the Anti Phishing Working Group at www.antiphishing. org
© The Vancouver Sun 2005
