Subscribe by Email!
Other Stuff
The Blogosphere
Safe Internet Banking in Costa Rica
December 6th, 2007
Lately, there have been a goodly number of news articles about people having their money stolen from their Costa Rica bank accounts.
As some of you know, several of my companies here in Costa Rica are “high tech” related, especially the web hosting business where we host thousands of customers world wide. Server and computer security are paramount issues as you might guess.
So when I got a phone call yesterday asking me my thoughts about this rash of Internet bank fraud and seeking advice, I decided rather than answer her question immediately, I would BLOG about it and maybe pass on some ideas for my readers. While this relates to the banking thing, it is really germane to ANY Internet transaction that uses passwords, bank information, credit cards or ANY confidential data.
This will not be a “techy” post. I’ll try to keep it very basic so non-techies can understand what they can do (MUST do) to avoid Internet fraud.
I am sorry, but this will be a long post, but I cannot recommend strongly enough that your read this.
If this topic interests you, read on!
First, let me begin with this. Internet banking or for that matter any Internet commerce IS inherently safe if you take responsibility for protecting your computer, protecting confidential information, and learning about Internet safety.
The problem, of course, is that many people either do not know how to do this, think it is too technical, or frankly, cannot be bothered to learn (until they lose some large green, then amazingly, they have all sorts of time!).
Connection to the Internet – Computing Environment
Of course the first thing to discuss is your connection to the Internet. Basically, there are three ways you can connect and variations of those that we won’t get into here.
- Connect via modem
- Connect by cable modem, DSL or another “always on” connection, meaning you do not have to LOGIN each time you use the Internet
- Connect via a wireless connection, meaning you have no wires hanging off your computer when actually on line. You are sending and receiving radio signals from your PC to a box often called a wireless router, most capable of handling a number of wireless computers at the same time.
- Connect via and Internet cafe or other public locations that offer use of a PC to go online.
RULE ONE: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.
RULE TWO: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.
RULE THREE: YOU SHOULD NEVER FOR ANY REASON CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM ANY INTERNET CAFE OR PUBLIC LOCATION USING YOUR OWN LAPTOP OR OTHER COMPUTER UNLESS YOU HAVE INSTALLED THE NECESSARY SOFTWARE TO PROTECT YOUR COMPUTING ENVIRONMENT.
RULE FOUR: YOU SHOULD NEVER USE A PUBLIC WIRELESS CONNECTION AT ALL.
It is important that you understand that regardless of how you connect, the instant you connect to the the Internet, your computer is vulnerable. Note the word instant. Therefore, you must have your computer protected before you ever connect to the Internet.
If you do not, you are exposed to potentially serious issues.
Your computing environment
What do I mean by “protection”? There are two critical items.
Anti Virus
First, you absolutely MUST have a good anti-virus program on your PC. By good, I mean a program that updates itself with new virus, worm, and Trojan horse information every time you log on the the Internet. Many of the best known names say they do. They do not. Most only update what they consider to be critical. The rest are updated once per week. This is nonsense! As it is estimated that between 20-40 new virus’ are released DAILY, updating once per week is just nonsense!
There are two excellent programs available, both from Europe and can easily be configured to update the virus info as often as hourly. On all our business PC’s, we have it set to every three hours.
Kaspersky and F Secure are the names of the software that we use, and you can find links to their web sites at the bottom of this post. Just scroll on down!
**Quick note to modem users! Modems users often login and immediately start reading emails or surfing. This is a mistake. Even if you are using high quality anti-virus programs like the ones I mentioned above, it takes time to download the newest virus information. Depending on when you were last online and your connection speed, from a minute or so to maybe ten minutes! Login by modem… then WAIT until your protection has caught up with you.
Firewall
The second thing that is needed, whether you have an “always on” connection (cable, DSL, etc.) or use a modem, is a BI-DIRECTIONAL firewall.
A firewall is a program that keeps the bad guys from getting in to your PC over your connection to the Internet. Many users of Windows PC’s use the firewall that is included free in the XP or Vista Operating systems. This is not enough!
Why?
Nowadays, the use of keyloggers is everywhere and especially at public locations and Internet cafes. A keylogger is a tiny program that can be installed on your PC without your knowledge. It is ridiculously easy to do this! It can be sent in an email, downloaded from a web site you visit, hidden in a Microsoft Word document… and in many other ways!
Then, every time you touch your keyboard, this tiny program records every key stroke you make! That information is then sent over the Internet to the bad guys!
They key phrase here is: “…sent over the Internet to the bad guys!”
This means that the keylogger program must have outward bound access to the Internet in order to send the information. THAT is why you need a firewall that not only controls (blocks) what wants to come IN to your PC, but also can block what wants to get OUT of your PC without your knowledge or permission. Most firewalls (Windows XP for example) do not do this. There may be other firewalls that do so. I use a product by Checkpoint; again, there are links at the bottom of this post so you can get more information.
Wireless (inalámbrico)
Wireless is just that. Your computer transmits and receives just like a little radio station. That means anyone near you can easily intercept those radio signals and can see them on their computer. The software to do this is free on the Internet. While it is a bit more complex than a keylogger, it does not take a computer scientist to do this.
So you may say, “All I do is check my email!” and surf the net”.
OK… so now, the bad guys can have access to your email! THAT means they can now ask for a lost password in your name, then get or change the password and erase all trace they were there!
OK, now some users use a webmail connection! This is very common. Or, they use Tahoo, etc. THEN they leave the old messages stored on their account. NOW, when someone gets access to their email, they can read old emails… and there they can find a treasure trove of things including passwords or lost password email, etc.
RULE FIVE: NEVER LEAVE EMAIL ON A SERVER (your email account online). USE A GOOD EMAIL PROGRAM AND DOWNLOAD THE EMAIL TO YOUR COMPUTER AND STORE IT THERE. Just think of what someone can find reading the past years of your emails.
Also, a really knowledgeable hacker person can get into your PC via a wireless connection! There, they can read, copy files and do other bad things. Every time I go to Bagelmans or Dennys or some hotel lobby, I see people logged on wireless thinking all is well. One day I saw a guy sitting in his car just outside one of these locations obviously using his laptop.
Was he just using the wireless for free? Probably. Right?
While there are ways to 100% protect a PC in a wireless environment, they are simply too complex for this post.
In any case… can you see the problem here? It is amazingly easy to get someone’s confidential information via the Internet.
Couple this with people who still open email that is clearly SPAM (and make no mistake, people open millions every day!) or from unknown persons, and you can see why the burden has to fall on you to protect your computing environment. Now ad a little surfing and this problem begins to take shape.
Want more? Add kids and teens! They surf everywhere and a favorite trick of hackers is to place malware (bad programs) on sites kids will be attracted to as they KNOW the kids are using mom and dad’s PC!
Passwords
Many think that using a good password and changing it regularly is enough . It is not. However, it is important to know what is a good password. For all my business access, I use complex passwords i.e. “wV1E4GJY18Ct5”. Nasty, but required in my work. Sometimes we throw in random punctuation marks as well.
However these kinds of passwords are not practical nor necessary for an average user who needs to remember the password (as everyone knows it should never be written down, RIGHT?).
So here is a little password trick.
Look around you. Find two items totally at random. From where I am writing, I can see a gourd and a table. Now, think of a number between 19-99. OK so now take that number and place it between the two words thus: gourd79table.
Now randomly capitalize 2-4 letters thus: gouRD79tAble.
You now have a pretty nasty password nearly impossible to guess and even a random password generator will never find it. Whether you use this technique or another, NEVER EVER use birthdays, names, places, ANY ID numbers of any kind for passwords. You would be flabbergasted at how much of everyones private life is already on the Internet.
Those “security test questions”
How many times have you seen a password test question something like, “What was your mother’s maiden name?” used as the test question? How dumb! Your mother’s maiden name (also probably known as your grandfather’s last name) can likely be found on hundreds of genealogy web sites or other public databases! Piece of cake for any good hacker. That is why I use the first name of the second barber who ever cut my hair as my correct answer to what was my mother’s maiden name. Let them try to find THAT out!
Summation
You must have your PC protected. I can promise you that Internet Cafes do NOT have this protection. While protecting one PC is not expensive, protecting 20-30 computers is not cheap. Also, they just do not care of course as it is not their responsibility.
- Download, install and learn to use good anti-virus and firewall software and keep them current
- Use proper passwords like those above and change them frequently
- Make sure that any time you are entering private information over the Internet that the web site is using a security certificate. You can tell this by 1. Checking for a little “lock” icon at the bottom of the web page in the browsers border. To see what I am referring to, go here.Now down at the bottom of your browser, you can see the little lock! That indicates a secure web site.Another way is to make sure the URL (web address) begins with https:// and NOT just http:// without the “s”. The “s” indicates that a security certificate is present to encrypt what you type (but remember, NOT over wireless!!)
- Avoid using wireless… period!
- Avoid using any public PC anywhere.
- If you chose to ignore this, never ever use a public PC if you will be entering even ONE piece of confidential information.
- Never open unsolicited email. Sometimes just opening an email can do damage!
- Surfing can be OK if and only if you have ALL the proper protective software installed and current on your PC.
Protection must be on your PC and for that reason, if you MUST use an Internet cafe, install these protections on your PC first and connect your PC (laptop more likely) directly (via cable) to the Internet cafe’s connection. Just about all locations offer this provision as do most hotels nowadays.
Here are links to the companies mentioned above:
23 Responses to “Safe Internet Banking in Costa Rica”
Hi Time,
Good tips. Couple of follow up questions.
1) Did you mean for your Rules #1 and #2 to be identical (I can’t see any difference)?
2) I could be wrong, but I believe the https connections DO encrypt everything from end to end, so they should be OK over a wireless connection (although, personally, I’d still avoid using any public wireless connection for anything really important).
You could also suggest that people could avoid about half of their headaches, but certainly not all, by getting a Mac 🙂
Seems like some of the recent news about bank thefts in Costa Rica suggested these were inside jobs, and/or hacks directly into the banks’ systems (unless I misunderstood–I just skimmed the news), and the above tips wouldn’t seem to help much if that’s the case. But of course all of your tips are still very good advice.
…Chuck
We have wireless in our house with the security enabled, the wep key to which is about a mile long… what say you, guru grande?
Hi Chuck
1. Well that was me trying to be cute. Looked better when I wrote it than after publishing. Sorry. Kinda one of the location location location things.
2. Yes, you are mistaken.
2.5 Macs are the best computers in existence and are 90% virus free, BUT as much as this applies to ANY computer it was relevant to MAC’s as well. There are keyloggers for MACs.
3. I have read the articles and yes, a COUPLE seem to be inside jobs, but the VAST majority seem not so. They are just people who got burned and had no idea how it happened and have/had no idea how to protect themselves.
There is a big difference between ignorance of all this techy stuff which most people do NOT know. They are not to blame, however… nor is the bank.
Those folks(especially over age 50) were not raised on this stuff and many I know barely know how to surf and read emails. Nobody every taught them this other security junk and that is not their fault.
Then there are those who KNOW/KNEW all this, and fail to protect themselves by using the common sense things in my Post. Those people deserve nobody’s sympathy.
The bank’s advice to not fall for the phishing schemes, while important, does not give anywhere near the total advice needed. Ticos are just now joinng the Internet world in numbers and most have no clue about this stuff. Also, where you might well not use an Internet cafe, most Ticos have no option. Finally, while might not think twice about getting GOOD protection for your PC and paying $75 or so, that same money represents a far greater relative cost for a Costa Rican family.
And another thing… I have Anonymizer – it’s the only way I can log onto my MLS system in the states (it gives me a US IP address). But I have to keep turning it off and on if I want to surf the web because it slows most sites way down and some sites won’t even open…
But it doesn’t have a firewall! I guess I don’t have a question. Just talking. Bye!
Saratica
I was actually thinking about you when I wrote the post. I would suggest a quick review of RULE 4 🙂
Seriously…
I have not much good news for you… The fact that you chose to live where you did most certainly targets you. Pretty pointless to try to do your wireless hacking in Barrio Mexico!
If the bad guys are sophisticated, and it appears they are getting there… they most certainly will follow the (perceived) money and go where the computers are!
Here are two pretty good beginner articles about securing wireless. I suggest you look them over:
http://www.practicallynetworked.com/support/wireless_secure.htm
http://www.pcmag.com/article2/0,1759,844020,00.asp
(The first one is better).
PROTECTION
Nearly all the things that absolutely MUST be done are controlled by the company providing YOUR wireless connection and not by you. You are limited to using a good password (see below).
As this is not your network you can do little if anything to protect yourself (except buy direct cable or DSL service and run your own wireless network IN YOUR HOME) which would be my suggestion!
The security suggestions listed in those two articles above are but the tip of the iceberg. They are the minimums. There are at least several more that MUST be done. I would bet the farm they are not.
About your comment:
1 Using the WEP from hell is OK, but most pros now use WPA and not WEP. WEP is not good technology and can has security issues that are well known.
2. A ton of things must be done from the wireless router that serves the signal to you and frankly, I do not know how many they have done. Certainly, MAC filtering should be part of the security. If all they are offering is WEP password protection, that is not good.
3 A question! Your PC or laptop can search for networks. Can you “see” listed the network you use? Not good. Good wireless systems never broadcast their presence.
There are just too many other variables here and I have no idea just how good at security are the people running that network.
Clearly though, it the network is not cast iron maybe even using VPN technology (not shown in those articles) then that also could explain how the bad guys seem to get so much private information.
You could hire a pro to help you secure it… it CAN be done but it is not cheap and I have no idea if there is even such a person here in CR available for house calls.
Great post. I am a regular reader keep on posting more.
Gracias por todo informatica que es muy importante!
Hi Tim,
I have a CTC ATU R210 router for my DSL connection here in CR
.
My brother-in-law says it has a firewall inherent, very good one, for incoming data. It has NAT, default.
Can you give a second opinion? Is it good enough?
I am sorry but I do not know that brand.
However very few hardware firewalls have OUTGOING firewall protection and that is what is needed to thwart keyloggers (along with other good testing software.
You can avoid all this and just get a Mac.
Santos Marquis: You are completely, totally and 100% WRONG.
Hi Tim and friends,
I would guess that all this great information about wireless computing applies worldwide, not just C.R.
It would be foolish to think that the rest of the world is fairyland and C.R. is the theives’ den. Your thoughts ??
Rocky
Yup… that would be correct!
Actually, I would recommend using a Linux Live CD like Knoppix in internet cafes. Then your OS can’t be tampered with, nothing is saved, and the only keyloggers that can be used must be hardware.
Good post on a subject most people have little knowledge of. As CR develops its Internet infrastructure to the point of having lots of high speed online connections, the problems will grow as well.
There are a lot of offerings out there, free and for pay. Two good products that can be installed for free are AVG anti-virus (there’s a free edition that works well and has frequent updates) and Comodo firewall. AVG is plug and play, and Comodo requires a learning period where you tell it what communications to allow. Every time you update a browser or add new communications software, it’ll ask you to OK the Internet access. Checking “Remeber this” or similar causes it to not ask again.
Security is not easy. 100% security is not possible (even with a Mac!). Your suggestions get someone a long way there.
I have no association with either software company, but have used them both. I’m particularly impressed with Comodo. It was “best of breed” in “hackin9” magazine a couple of years ago.
This is the most informative, candit, honest website on Costa Rica I have ever been. Very informative and straight to the point. Congratulations. You would be the first person I would like to meet upon relocation to Costa Rica and would work for you for free for 6 months.
Indeed buying a mac wont help you. That has nothing to do with transmitting data over wireless internet which can be intercepted. That opinion is only based upon the windows to mac virus infections and such. There ARE infact exploits for osx, like there are for windows.
Actually there a CONCEPT virus’ but nothing more. Sorry.
There has never been anything near a widespread infection of MACs.
Tim, great post.
However I would suggest that you check out a few other security oriented sites regarding anti-virus and firewalls.
There is Virus Bulletin (http://www.virusbtn.com/index) and AV Comparatives (http://www.av-comparatives.org/) for reviews of anti-virus products.
For firewalls, I go to Matousec.com for their reviews and analysis of those products. You might notice that Zone Alarm Pro is only rated as GOOD, but Kaspersky Internet Security is rated Excellent.
There are others, but these sites should give you or others a good start in choosing security software for thier pc’s..
Thanks, Dana
Interesting comments. I would like to mention that I am constantly amazed by the lack of basic security measures used by banks to communicate with clients. For example email should be treated as public domain information, whereby a very secure email system can be used. The fact that you need certain information to access your account, any sending of this info like passwords should include a very high level of security. Using Digipass (changing security key information) or similar systems is a very positive move forward. Also Telephone and chat messages should be secured through encryption.
Great article. I think the one BIG missing piece is keeping your operating system (OS) software up-to-date. Also Adobe Flash and Reader software which is installed on almost all computers (PC, Mac, and Linux).
This is just as important as keeping Anti-Virus software current as there are many same-day exploits when defects are found in the OS. This will help prevent your system from being infected, which is much better than removing the infection after-the-fact with Anti-Virus (although still very important!).
For Windows use Windows Update. Not a Mac user so don’t know how that works. For Linux it depends on your distribution. It is virtually automatic on Ubuntu.
Well written article. Now that we have iPod Touch, iPad with wi-fi, etc. how secure are they with their built in email apps, bank apps etc?
Never use them without a VPN and you will be fine.