Guest Blogger: Martin Holste, @mcholste
Security is about people and their motives, and understanding the underlying goals of criminals can help you better understand how to stay safe online. Several years ago, the online criminal world shifted into a fully-fledged black market carrying commodities for sale between criminals. As in the physical world, understanding what is valuable to a criminal is critical for prioritizing your defenses. In addition to your funds, other assets such as your online accounts, use of your computer, and even your geographic location are all a commodity to be traded and sold to the highest bidder.
Protecting Your Accounts
Most online accounts have a password reset function that sends a new password to the email address registered in case you forget your password. That means that if a criminal can gain access to your personal email, then he or she has access to all of your other accounts by way of password reset. For this reason, a valid email account belonging to someone with financial accounts is a highly valuable commodity on the black market. This means that protecting it is vitally important; it’s the linchpin of your online identity.
The easiest, best way to protect any online accounts, including your email, is to enforce two-factor authentication. This means that in addition to knowing the password for an account, a second method of authenticating is required, such as typing the short number that shows up on your smartphone. Most large sites offer such a service, including Facebook, Twitter, Gmail, Yahoo Mail, as well as Microsoft Outlook online. Many financial institutions also offer two-factor authentication, with things like sending an SMS message to your phone when you log in.
If they don’t offer two-factor authentication, most financial institutions will have additional questions to answer when you log in. These “secret questions” are supposedly only answerable by you, but be wary of information you make public which may aid in answering these questions. Since most public records are available online, the answers to many such secret questions can be found with a simple Google search. Also note that social media can be searched to find answers, so be careful what you publicize.
Protecting Your Devices
Two-factor authentication is important, but if a criminal can load remote-control software on your computer, even two-factor authentication will not be enough because you will simply be logging in for the attacker. For this reason, exercising a few basic online hygiene principles can help protect you and keep your computer crime-free:
- Do not allow browser plugins to run by default.
- Keep any program or plugin that you use online up-to-date, especially Java.
- Run anti-virus software.
Anti-virus software is only about 25% effective at blocking criminals. For this reason, it’s vitally important not only to keep your system up-to-date, but also not to allow unfamiliar websites to run plugins (such as Adobe Reader, Shockwave Flash, or QuickTime), because attackers misuse these plugins to gain access to your machine. There is an easy way to enforce this: On Firefox, use the NoScript plugin, which provides a convenient way of whitelisting which websites can execute JavaScript and plugins. On Chrome, use the “click-to-play” setting, which can be found under advanced settings in the privacy/content section. Internet Explorer still does not have a feature like this, so for that reason, use a different browser. For more information on these settings, please refer to security expert Brian Krebs’ excellent site. Mr. Krebs is one of the foremost authorities on the online criminal underground, and I recommend his site to anyone wishing to stay safe online.
Monitor Your Financial Accounts
Sometimes, the best online security in the world is not enough to stop a criminal from stealing your identity or cash. This is often the case with old-fashioned identity theft in which a crook will use a social security number and a few other easy-to-obtain pieces of personal information to take out credit cards in a victim’s name or wire money from a victim’s bank account. Vigilance is the only true protection against this kind of fraud, and even when paying close attention, it can still be a significant hassle to recover any stolen assets if financial institutions do not act quickly when notified of fraudulent activity. As a rule of thumb, the closer an eye you can keep on your financials, the better your chances are of avoiding any losses.
Paying close attention to financials is critical for small businesses, as they tend to have more cash in their accounts than individuals but lack the sophisticated accounting resources of larger businesses.
For individuals, there are many credit monitoring services available which can provide more in-depth protection against identity theft. In addition to monitoring credit scores in case fraudulent accounts are opened, I recommend checking your financial institution’s online tools to see if it has things like auto-categorization of purchases or usage alerts. Both can be very handy for spotting fraudulent usage of existing accounts. Be aware, however, that many fraudulent charges are for intentionally small amounts of money that are difficult to spot by dollar amount, so having the ability to see purchases by online retailer or geographic location can be extremely valuable. Some services, such as Mint.com, will allow you to aggregate your financial records across multiple financial institutions, in addition to providing per-account alarms and statistics.
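The point above, that small fraudulent charges slip past an amount threshold but stand out when viewed by merchant and location, as an added illustration in Python that is not part of the original post. The statement records are constructed, and the history window and “small charge” cutoff are assumed values.

```python
from collections import defaultdict

# Constructed sample statement: (date, merchant, city, amount in dollars).
# The first six entries are the account holder's normal spending; the
# "Online Gadget Store" entries mimic small probing charges from elsewhere.
TRANSACTIONS = [
    ("2024-01-03", "Corner Grocery", "Madison, WI", 54.10),
    ("2024-01-05", "Gas Station 12", "Madison, WI", 41.00),
    ("2024-01-09", "Corner Grocery", "Madison, WI", 62.35),
    ("2024-01-12", "Coffee Shop", "Madison, WI", 4.50),
    ("2024-01-15", "Gas Station 12", "Madison, WI", 38.20),
    ("2024-01-20", "Corner Grocery", "Madison, WI", 58.70),
    ("2024-02-02", "Online Gadget Store", "Miami, FL", 1.95),
    ("2024-02-03", "Online Gadget Store", "Miami, FL", 2.10),
    ("2024-02-04", "Online Gadget Store", "Miami, FL", 1.80),
    ("2024-02-05", "Corner Grocery", "Madison, WI", 60.00),
]

def amount_only(transactions, history_size=6, threshold=100.0):
    """Naive check: flag only charges at or above a dollar threshold."""
    return [t for t in transactions[history_size:] if t[3] >= threshold]

def review(transactions, history_size=6, small=5.00):
    """Flag new charges by merchant and location, not by size.

    The first `history_size` records (an assumed window) establish the
    merchants and cities the account normally uses; later charges are
    compared against that baseline. Repeated sub-`small` charges at an
    unfamiliar merchant are called out separately, since those are the
    ones an amount threshold misses.
    """
    history = transactions[:history_size]
    known_merchants = {t[1] for t in history}
    known_cities = {t[2] for t in history}
    small_counts = defaultdict(int)
    alerts = []
    for day, merchant, city, amount in transactions[history_size:]:
        reasons = []
        if merchant not in known_merchants:
            reasons.append("new merchant")
            if amount < small:
                small_counts[merchant] += 1
                if small_counts[merchant] >= 2:
                    reasons.append("repeated small charges at unfamiliar merchant")
        if city not in known_cities:
            reasons.append("new location")
        if reasons:
            alerts.append((day, merchant, city, amount, reasons))
    return alerts
```

On the constructed statement the amount-only check returns nothing, while the merchant/location review flags all three Miami charges.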
What You Are Worth
In addition to your dollars, your computer and even your geographic location are valuable. Your computer can be used as a jumping point for criminals who wish to mask their true location when perpetrating crimes. Criminals don’t use their own machines for hacking into banks, guessing passwords, and trading contraband. Instead, they rent time on an unwitting victim’s computer from a vast underground marketplace. Computers in the US are the most valuable because they are less likely to raise suspicion when accessing bank accounts at a US bank. Computers that are found to be within educational or governmental institutions are considered the highest value because they often have access to sensitive records and usually have excellent bandwidth available for attackers to siphon.
Be safe
Like physical security, online security is a tradeoff between usability and protection. The tactics outlined above have the fewest drawbacks with the most protection. So, to be safe, use two-factor authentication whenever possible for Facebook, Twitter, email, and any financial sites, use a browser with click-to-play plugin settings, and monitor your finances.
If you suspect that you have been the victim of online fraud and/or identity theft, contact your local police department and report the incident. They will process the report and escalate it to the appropriate authority. You can also report cybercrime directly to the FBI by filing a complaint online through the Internet Crime Complaint Center (IC3).
Martin Holste has worked for over a decade in computer security incident response. He is the founder of the Enterprise Log Search and Archive project, an open-source tool for finding security incidents in event logs, and he maintains the security blog, Open-Source Security Tools.