Subscribe by Email!
December 6th, 2007
Lately, there have been a goodly number of news articles about people having their money stolen from their Costa Rica bank accounts.
As some of you know, several of my companies here in Costa Rica are “high tech” related, especially the web hosting business where we host thousands of customers world wide. Server and computer security are paramount issues as you might guess.
So when I got a phone call yesterday asking me my thoughts about this rash of Internet bank fraud and seeking advice, I decided rather than answer her question immediately, I would BLOG about it and maybe pass on some ideas for my readers. While this relates to the banking thing, it is really germane to ANY Internet transaction that uses passwords, bank information, credit cards or ANY confidential data.
This will not be a “techy” post. I’ll try to keep it very basic so non-techies can understand what they can do (MUST do) to avoid Internet fraud.
I am sorry, but this will be a long post, but I cannot recommend strongly enough that your read this.
If this topic interests you, read on!
First, let me begin with this. Internet banking or for that matter any Internet commerce IS inherently safe if you take responsibility for protecting your computer, protecting confidential information, and learning about Internet safety.
The problem, of course, is that many people either do not know how to do this, think it is too technical, or frankly, cannot be bothered to learn (until they lose some large green, then amazingly, they have all sorts of time!).
Connection to the Internet – Computing Environment
Of course the first thing to discuss is your connection to the Internet. Basically, there are three ways you can connect and variations of those that we won’t get into here.
- Connect via modem
- Connect by cable modem, DSL or another “always on” connection, meaning you do not have to LOGIN each time you use the Internet
- Connect via a wireless connection, meaning you have no wires hanging off your computer when actually on line. You are sending and receiving radio signals from your PC to a box often called a wireless router, most capable of handling a number of wireless computers at the same time.
- Connect via and Internet cafe or other public locations that offer use of a PC to go online.
RULE ONE: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.
RULE TWO: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.
RULE THREE: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING YOUR OWN LAPTOP OR OTHER COMPUTER UNLESS YOU HAVE INSTALLED THE NECESSARY SOFTWARE TO PROTECT YOUR COMPUTING ENVIRONMENT.
RULE FOUR: YOU SHOULD NEVER USE A PUBLIC WIRELESS CONNECTION AT ALL.
It is important that you understand that regardless of how you connect, the instant you connect to the the Internet, your computer is vulnerable. Note the word instant. Therefore, you must have your computer protected before you ever connect to the Internet.
If you do not, you are exposed to potentially serious issues.
Your computing environment
What do I mean by “protection”? There are two critical items.
First, you absolutely MUST have a good anti-virus program on your PC. By good, I mean a program that updates itself with new virus, worm, and Trojan horse information every time you log on the the Internet. Many of the best known names say they do. They do not. Most only update what they consider to be critical. The rest are updated once per week. This is nonsense! As it is estimated that between 20-40 new virus’ are released DAILY, updating once per week is just nonsense!
There are two excellent programs available, both from Europe and can easily be configured to update the virus info as often as hourly. On all our business PC’s, we have it set to every three hours.
Kaspersky and F Secure are the names of the software that we use, and you can find links to their web sites at the bottom of this post. Just scroll on down!
**Quick note to modem users! Modems users often login and immediately start reading emails or surfing. This is a mistake. Even if you are using high quality anti-virus programs like the ones I mentioned above, it takes time to download the newest virus information. Depending on when you were last online and your connection speed, from a minute or so to maybe ten minutes! Login by modem… then WAIT until your protection has caught up with you.
The second thing that is needed, whether you have an “always on” connection (cable, DSL, etc.) or use a modem, is a BI-DIRECTIONAL firewall.
A firewall is a program that keeps the bad guys from getting in to your PC over your connection to the Internet. Many users of Windows PC’s use the firewall that is included free in the XP or Vista Operating systems. This is not enough!
Nowadays, the use of keyloggers is everywhere and especially at public locations and Internet cafes. A keylogger is a tiny program that can be installed on your PC without your knowledge. It is ridiculously easy to do this! It can be sent in an email, downloaded from a web site you visit, hidden in a Microsoft Word document… and in many other ways!
Then, every time you touch your keyboard, this tiny program records every key stroke you make! That information is then sent over the Internet to the bad guys!
They key phrase here is: “…sent over the Internet to the bad guys!”
This means that the keylogger program must have outward bound access to the Internet in order to send the information. THAT is why you need a firewall that not only controls (blocks) what wants to come IN to your PC, but also can block what wants to get OUT of your PC without your knowledge or permission. Most firewalls (Windows XP for example) do not do this. There may be other firewalls that do so. I use a product by Checkpoint; again, there are links at the bottom of this post so you can get more information.
Wireless is just that. Your computer transmits and receives just like a little radio station. That means anyone near you can easily intercept those radio signals and can see them on their computer. The software to do this is free on the Internet. While it is a bit more complex than a keylogger, it does not take a computer scientist to do this.
So you may say, “All I do is check my email!” and surf the net”.
OK… so now, the bad guys can have access to your email! THAT means they can now ask for a lost password in your name, then get or change the password and erase all trace they were there!
OK, now some users use a webmail connection! This is very common. Or, they use Tahoo, etc. THEN they leave the old messages stored on their account. NOW, when someone gets access to their email, they can read old emails… and there they can find a treasure trove of things including passwords or lost password email, etc.
RULE FIVE: NEVER LEAVE EMAIL ON A SERVER (your email account online). USE A GOOD EMAIL PROGRAM AND DOWNLOAD THE EMAIL TO YOUR COMPUTER AND STORE IT THERE. Just think of what someone can find reading the past years of your emails.
Also, a really knowledgeable hacker person can get into your PC via a wireless connection! There, they can read, copy files and do other bad things. Every time I go to Bagelmans or Dennys or some hotel lobby, I see people logged on wireless thinking all is well. One day I saw a guy sitting in his car just outside one of these locations obviously using his laptop.
Was he just using the wireless for free? Probably. Right?
While there are ways to 100% protect a PC in a wireless environment, they are simply too complex for this post.
In any case… can you see the problem here? It is amazingly easy to get someone’s confidential information via the Internet.
Couple this with people who still open email that is clearly SPAM (and make no mistake, people open millions every day!) or from unknown persons, and you can see why the burden has to fall on you to protect your computing environment. Now ad a little surfing and this problem begins to take shape.
Want more? Add kids and teens! They surf everywhere and a favorite trick of hackers is to place malware (bad programs) on sites kids will be attracted to as they KNOW the kids are using mom and dad’s PC!
Many think that using a good password and changing it regularly is enough . It is not. However, it is important to know what is a good password. For all my business access, I use complex passwords i.e. “wV1E4GJY18Ct5”. Nasty, but required in my work. Sometimes we throw in random punctuation marks as well.
However these kinds of passwords are not practical nor necessary for an average user who needs to remember the password (as everyone knows it should never be written down, RIGHT?).
So here is a little password trick.
Look around you. Find two items totally at random. From where I am writing, I can see a gourd and a table. Now, think of a number between 19-99. OK so now take that number and place it between the two words thus: gourd79table.
Now randomly capitalize 2-4 letters thus: gouRD79tAble.
You now have a pretty nasty password nearly impossible to guess and even a random password generator will never find it. Whether you use this technique or another, NEVER EVER use birthdays, names, places, ANY ID numbers of any kind for passwords. You would be flabbergasted at how much of everyones private life is already on the Internet.
Those “security test questions”
How many times have you seen a password test question something like, “What was your mother’s maiden name?” used as the test question? How dumb! Your mother’s maiden name (also probably known as your grandfather’s last name) can likely be found on hundreds of genealogy web sites or other public databases! Piece of cake for any good hacker. That is why I use the first name of the second barber who ever cut my hair as my correct answer to what was my mother’s maiden name. Let them try to find THAT out!
You must have your PC protected. I can promise you that Internet Cafes do NOT have this protection. While protecting one PC is not expensive, protecting 20-30 computers is not cheap. Also, they just do not care of course as it is not their responsibility.
- Download, install and learn to use good anti-virus and firewall software and keep them current
- Use proper passwords like those above and change them frequently
- Make sure that any time you are entering private information over the Internet that the web site is using a security certificate. You can tell this by 1. Checking for a little “lock” icon at the bottom of the web page in the browsers border. To see what I am referring to, go here.Now down at the bottom of your browser, you can see the little lock! That indicates a secure web site.Another way is to make sure the URL (web address) begins with https:// and NOT just http:// without the “s”. The “s” indicates that a security certificate is present to encrypt what you type (but remember, NOT over wireless!!)
- Avoid using wireless… period!
- Avoid using any public PC anywhere.
- If you chose to ignore this, never ever use a public PC if you will be entering even ONE piece of confidential information.
- Never open unsolicited email. Sometimes just opening an email can do damage!
- Surfing can be OK if and only if you have ALL the proper protective software installed and current on your PC.
Protection must be on your PC and for that reason, if you MUST use an Internet cafe, install these protections on your PC first and connect your PC (laptop more likely) directly (via cable) to the Internet cafe’s connection. Just about all locations offer this provision as do most hotels nowadays.
Here are links to the companies mentioned above:Banking & Finance, Banking in Costa Rica, Costa Rica, Internet, Internet Fraud, Life in Costa Rica, Living in Costa Rica, Technical Stuff | Comments (23)