SiteBuilder

Click the TV to take a Tour...

Phishing attacks work by the scam artist sending "spoofed" emails that appear to come from a legitimate website that you have online dealings with such as a bank, credit card company or ISP - any site which requires users to have a personal identity or account. The email may ask you to reply with your account details in order to "update security" or for some other reason.

The phishing email may also direct you to a spoofed website or pop-up window which looks exactly like the real site, but has been set up for the sole purpose of stealing personal information. Unsuspecting people are then often fooled into handing over credit card numbers, passwords or other details.

According to the Anti-Phishing Working Group, phishers are able to convince up to five per cent of recipients to respond.

How to protect yourself:

• Never respond to emails that request personal financial information
  Banks or e-commerce companies generally personalise emails, while phishers do not. Phishers often include false but sensational messages ("urgent - your account details may have been stolen") in order to get an immediate reaction. Reputable companies don't ask their customers for passwords or account details in an email. Even if you think the email may be legitimate, don't respond - contact the company by phone or by visiting their website. Be cautious about opening attachments and downloading files from emails, no matter who they are from. Sophos uses SPF (Sender Policy Framework). This is an anti-forgery solution which involves publishing a list detailing which servers are allowed to send Sophos emails.
   
• Visit banks' websites by typing the URL into the address bar
  Phishers often use links within emails to direct their victims to a spoofed site, usually to a similar address such as mybankonline.com instead of mybank.com. When clicked on, the URL shown in the address bar may look genuine, but there are several ways it can be faked, taking you to the spoofed site. If you suspect an email from your bank or online company is false, do not follow any links embedded within it.
   
• Keep a regular check on your accounts
  Regularly log into your online accounts, and check your statements. If you see any suspicous transactions report them to your bank or credit card provider.
   
• Check the website you are visiting is secure
  Before submitting your bank details or other sensitive information there are a couple of checks you can do to help ensure the site uses encryption to protect your personal data:
  
  Check the web address in the address bar. If the website you are visiting is on a secure server it should start with "https://" ("s" for security) rather than the usual "http://".
  
  Also look for a lock icon on the browser's status bar. You can check the level of encryption, expressed in bits, by hovering over the icon with your cursor.
  
  Note that the fact that the website is using encryption doesn't necessarily mean that the website is legitimate. It only tells you that data is being sent in encrypted form.
  
  
• Be cautious with emails and personal data
  Most banks have a security page on their website with information on carrying out safe transactions, as well as the usual advice relating to personal data: never let anyone know your PINS or passwords, do not write them down, and do not use the same password for all your online accounts. Avoid opening or replying to spam emails as this will give the sender confirmation they have reached a live address. Use common sense when reading emails. If something seems implausible or too good to be true, then it probably is.
   
• Keep your computer secure
  Some phishing emails or other spam may contain software that can record information on your internet activities (spyware) or open a 'backdoor' to allow hackers access to your computer (Trojans). Installing anti-virus software and keeping it up to date will help detect and disable malicious software, while using anti-spam software will stop phishing emails from reaching you. It is also important, particularly for users with a broadband connection, to install a firewall. This will help keep the information on your computer secure while blocking communication from unwanted sources. Make sure you keep up to date and download the latest security patches for your browser. If you don't have any patches installed, visit your browser's website, for example users of Internet Explorer should go to the Microsoft website.
   
• Always report suspicious activity
  If you receive an email you suspect isn't genuine, forward it to the spoofed organisation (many companies have a dedicated email address for reporting such abuse).
   
• Further reading
  For more information about how consumers and businesses can protect themselves against online fraud read the information published by the British banking industry and advice from the Australian Bankers Association.

Are you being sensible about your passwords?

Computer passwords are a way of life these days, and most of us have dozens of accounts, each with a different (or potentially different) password. There are costs in forgetting any of these passwords, ranging from the personal inconvenience of being unable to read useful news articles to the business problem of being unable to buy or sell products.

The most obvious solution to this hassle is simply to choose one password and to use it everywhere. Indeed, a survey conducted during April 2006 by Sophos reveals that 41% of respondents do just that. Additionally, 75% of the respondents to a separate part of the survey admitted to the use of weak, easy-to-guess passwords. Presumably this means that 31% of users (75% of 41%) have no accounts at all with satisfactory passwords.

Clearly, this is bad news. But is it safe to be a monopasswordist at all? Even if you pick a long, randomized, unguessable pass-phrase, commit it to memory and then eat the paper you wrote it down on? Can you rely on the theory that if a password is good enough for your company's most secure network, then it is obviously more than adequate for the website of the local football league?

The answer is that you most certainly cannot. Different account providers implement their password protection for a range of reasons, using a range of technologies. The very act of using a password renders it liable to being compromised - and this compromise may happen because of the account provider's behavior, not just your own.

If you have only a single password, then none of your accounts are more secure that the one which treats your password with the least confidentiality. You need to divide your accounts into different categories, based on the security you require and the password confidentiality which the account offers.

Types of account

We consider three types of account:

A casual password, for example for a registration-only website, is usually considered the least important. If you forget it, then with many websites you can simply re-register and get back on line within minutes. Indeed, you may even forget that you ever registered, and re-register entirely by mistake. It gives some indication of the purpose for which the site operator is using the password if anyone can get one at will.

A corporate password is much more important. If you are not the owner of the business, then it may feel less important that those passwords which protect your personal life. But someone who knows your company logon can impersonate you - often remotely, using a dial-in, ADSL or wireless connection to access the company's systems. If they send an ill-tempered email to your manager, a copy of the customer database to your webmail account, and a letter of resignation to the board, who just stormed off the job under dubious circumstances? You, or the unknown hacker?

This brings us to the personal password. To most people, this is the most important sort of all. Your income, your mortgage, even your good character, may be at risk if someone else accesses one of the accounts by which you operate the financial aspects of your life.

The password dilemma

Passwords which you have to type in from memory present the dilemma we discussed at the outset. If they are too hard to remember, or too hard to type in, then they may be useless at the critical moment. But if they are really easy to remember then they may be easy for someone to guess. This means you need to be wise in how your passwords are chosen.

Unfortunately, even passwords which are complex and effectively impossible to guess may be useless for security. You may be unable to remember them (and who can quickly memorise 1d88-965b-9827-13a9-e0ca-2b5c-b305-c959?), leading you to write them down, making them insecure. Or you may use them on a system in which the passwords themselves are not handled securely, allowing them to be mechanically and automatically recovered. This means you need to be aware of the password technology used by all of your account providers.

Choosing passwords

Writing down your passwords is not an option, unless you can keep them secure after doing so. You could keep the written versions in a decent safe (and many companies do just that for emergencies), but this does not satisfy your need to keep them handy.

Choosing the same password for all your accounts makes it easy to remember all your passwords without recourse to paper, but this is extremely dangerous because your password is then only as strong as the weakest account. For example, many websites require you to use passwords, but validate them using protocols which leave the actual passwords open to eavesdroppers and crackers. You should assume that any password used on this sort of account is already compromised. Do not use it, or any similar or related password, for any accounts where security is important.

Choosing easily-remembered passwords is another way to simplify your job. But for accounts which you wish to keep secure, this is a bad idea because passwords which are easy to remember are often easy to guess, or to work out with little effort. Trying ten thousand million likely passwords is beyond the scope of human manual endeavour, although a modern PC may be able to do the job in a few minutes.

The Diceware project

An interesting project, at www.diceware.com, helps you to choose decent passwords without using a computer or any other expensive technology. It uses dice as secure random number generators and standardized code lists to convert the strings of digits produced by the dice into easy-to-remember word combinations. Apart from being a refreshingly low-tech solution, it sums up the requirements of a self-chosen secure password very handily as follows:

However, for casual accounts for which your passwords are intrinsically insecure, such as non-HTTPS web servers which use accounts for registration and tracking, not for proper identification and security, complex passwords can be considered unnecessary.

Simplifying your casual passwords

If you know that a site is using casual (and fundamentally insecure) HTTP authentication, you can consider using a casual password derived directly from the name of the site, such as news4example7com3 for the site news.example.com (using the domain name with the length of each component instead of a dot). Just be certain to use this technique for casual passwords only.

Do take great care never to enter one of your corporate or personal passwords by mistake when connecting to a casual account. This would compromise one of your secure passwords - and the fact that the password was incorrect simply confirms to a hacker that the password probably fits somewhere else, especially if it is obviously different from the password you subsequently use for the casual login.

Further password advice

For additional security, you (or your company, or your bank) can use a one-time password system which provides you with a different code which you need to provide - usually in addition to your password - every time you login. This makes your password useless on its own for any future logins. Additionally, if you have a token-based system and you can see your own token, for example on your keyring, then you know it is extremely unlikely that anyone else could be logging in as you at that moment. You rarely get this assurance from a traditional password.

Beware of software which offers to remember passwords for you so you only need to type them in once. Unless you are certain that it keeps your list of passwords secure (and you may not be able to rely on the vendor to tell you), and unless that security is based on a strong "password of passwords" which you need to enter at least once in every session, then avoid such features.

Lastly, remember that anything you type, click or view on a PC you suspect (or later find out) to be infected with malware should be considered lost to the criminal community. This includes any passwords you have entered during the session, even if those passwords were transmitted securely and not echoed to the screen.

Rise above the survey

Don't be like 75% of the 41% of people in our survey -- universally protected by a single, crackable password. The simple precautions described here will help to lift you well above that careless 31%.

About the author

Paul Ducklin joined Sophos from the South African Council for Scientific and Industrial Research in 1995.

He has held a variety of roles within Sophos, including heading up Sophos's global technical support operations, before becoming Head of Technology, Asia Pacific.

One of the world's leading virus experts, Paul has given papers and presentations at various industry events including Virus Bulletin, ICSA and AVAR conferences. He has also written several articles on the virus threat and is a respected industry spokesperson.

About Sophos

Sophos is a world leader in integrated threat management solutions, developing protection against viruses, spyware, spam and policy abuse for business, education and government. Sophos's reliably-engineered, easy-to-operate products protect more than 35 million users in more than 150 countries. Through 20 years' experience and a global network of threat analysis centers, the company responds rapidly to emerging threats - no matter how complex - and achieves the highest levels of customer satisfaction in the industry.

If you suspect that your personal information has been misused to commit fraud or theft, act immediately, and keep a detailed record of your conversations and correspondence. Your first three steps should be:

FIRST, contact the fraud departments of each of the three major credit bureaus:

• Equifax: www.equifax.com
  To order your report, call: 1-800-685-1111
  or write: P.O. Box 740241, Atlanta, GA 30374-0241
  To report fraud, call: 1-800-525-6285
  and write: P.O. Box 740241, Atlanta, GA 30374-0241
• Experian: www.experian.com
  To order your report, call: 1-888-EXPERIAN (397-3742)
  or write: P.O. Box 2104, Allen TX 75013
  To report fraud, call: 1-888-EXPERIAN (397-3742)
  and write: P.O. Box 9532, Allen TX 75013
• TransUnion: www.transunion.com
  To order your report, call: 800-916-8800
  or write: P.O. Box 1000, Chester, PA 19022.
  To report fraud, call: 1-800-680-7289
  and write: Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790

SECOND, close the accounts that you know or believe have been tampered with or opened fraudulently.

THIRD, file a police report with your local police or the police in the community where the theft took place.

If you become a victim of identity theft involving federal education funds or suspect that your student information have been stolen, contact:

• U.S. Department of Education, Office of Inspector General Hotline: e-mail oig.hotline@ed.gov, 1-800-MISUSED (1-800-647-8733)

• Federal Trade Commission, 1-877-IDTHEFT (1-877-438-4338)
• Social Security Administration, 1-800-269-0271
• National White Collar Crime Center, http://www.nw3c.org

Our society generates an enormous amount of data. Most users of that information are honest, legitimate businesses. But no one, including students, is immune from being a potential victim of identity theft. The financial and emotional consequences of this crime are long term and long lasting. The information provided in this document gives you a number of steps for safeguarding your personal data, and there are many other resources available on the Internet.

Following are a series of forms that will be useful if, despite your efforts, you become a victim of identity theft.

• Chart your course of action
• ID theft affidavit
• Fraudulent account statement