<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>The REAL Costa Rica Blog &#187; Internet Fraud</title>
	<atom:link href="http://blog.therealcostarica.com/category/internet-fraud/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.therealcostarica.com</link>
	<description>The Blog for Travelers, Retirees, Expats and anyone who needs to know the REAL Costa Rica.</description>
	<lastBuildDate>Sat, 24 Oct 2009 15:06:11 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.5</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Banco Nacional Gets it Right!</title>
		<link>http://blog.therealcostarica.com/2009/10/23/banco-nacional-gets-it-right/</link>
		<comments>http://blog.therealcostarica.com/2009/10/23/banco-nacional-gets-it-right/#comments</comments>
		<pubDate>Fri, 23 Oct 2009 21:17:24 +0000</pubDate>
		<dc:creator>Tim</dc:creator>
				<category><![CDATA[Banking & Finance]]></category>
		<category><![CDATA[Banking in Costa Rica]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Internet Fraud]]></category>
		<category><![CDATA[Banco Nacional]]></category>
		<category><![CDATA[Online Bank Security Costa Rica]]></category>

		<guid isPermaLink="false">http://blog.therealcostarica.com/?p=867</guid>
		<description><![CDATA[Safe Internet banking in Costa Rica has been an issue for some time.  In December 2007, I wrote this post about how insecure it can be and giving suggestions on how to make it less so.   It is clear that  I have not been impressed with Costa Rica online banking at least from [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-870" title="llavero" src="http://blog.therealcostarica.com/wp-content/uploads/2009/10/llrvero.bmp" alt="llavero" width="190" height="69" />Safe Internet banking in Costa Rica has been an issue for some time.  In December 2007, <a href="http://blog.therealcostarica.com/2007/12/06/safe-internet-banking-in-costa-rica/" target="_blank">I wrote this post</a> about how insecure it can be, giving suggestions on how to make it less so.   It is clear that I have not been impressed with Costa Rica online banking, at least from a security standpoint&#8230; until now, that is.</p>
<p>I personally bank at three Costa Rica banks: <a href="https://www.bac.net/bacsanjose/esp/banco/index.html" target="_blank">BAC San Jose</a>,  <a href="http://scotiabank.fi.cr/" target="_blank">Scotia Bank</a> and <a href="http://www.bncr.fi.cr/" target="_blank">Banco Nacional</a>.  All were subject to various schemes that could easily cause serious security problems, especially if the customer did not use adequate security protection on their computers or, worse, used Internet cafes or a wireless connection while banking online.</p>
<p>Now along comes Banco Nacional with a high tech but easy-to-use gadget that all but guarantees your security even if banking from an Internet cafe or using a wireless connection. I got one about three weeks ago and have since been trying to figure out how someone could get into my account. My conclusion?  They cannot or if they can, they are a whole lot smarter than I am.</p>
<p>If this topic interests you, read on!</p>
<p><span id="more-867"></span>So how does it work?</p>
<p>Well first let&#8217;s look at security at most Costa Rica banks.  Almost all use a password that must be longer than <em>x</em> but shorter than <em>y</em> numerals or numbers.  Because of their antiquated operating systems,  symbols cannot be used, i.e. ^%)@ etc. Most require that you change your password regularly, but people being people, folks often choose passwords that can be &#8220;guessed&#8221;.</p>
<p>All have a login name as well, of course.  Logins are often easy to find, however, as they often are your cedula numbers, email address, account name&#8230; whatever.  So, if the password gets compromised (stolen),  entry to your account is not hard and you have issues. All of these things are made far worse if you are using wireless or are on a computer where a <a href="http://en.wikipedia.org/wiki/Keylogger" target="_blank">keylogger</a> has been installed without your knowledge.</p>
<p>So what has Banco Nacional (BN) done that is so great? Well they still require a login and it is usually your cedula # (dumb),  passport number (dumber) or other and is thus NOT very secure.</p>
<p>After you enter that, you are then taken to a pop-up window that is just silly! (yeah, I know, the good part is coming!). In this window you type 4 characters and use your mouse to click 4 numerals.  Why is it silly? Because it is fully visible to anyone standing or seated anywhere near you while you are typing this stuff&#8230;  Then they have (well they had) all they needed to get into your account.</p>
<p>But&#8230;. here is the cool part:</p>
<p><img class="alignright size-full wp-image-875" title="card" src="http://blog.therealcostarica.com/wp-content/uploads/2009/10/card.bmp" alt="card" />If you look at the picture above left at the beginning of this post, you will see what looks like a key fob with a little window.  You get this from BN for 3,000 colones (but see below).</p>
<p>With this gadget BN adds a final login step which makes everything incredibly secure!  After you log in doing the same old useless stuff&#8230; you are asked for a code number.  You now press a button on the key fob (<em>llavero</em> in <em>español</em>) and enter that generated number.  Also available is a card-type device (see right) for generating the code. You now have access to your account.</p>
<p>Why is this cool and, more important, safe?  Because each number generated is &#8220;one-use&#8221;.  Even if someone sees you entering it or actually sees the number, <em>it can never be used ever again</em>.  This number is mathematically tied to your account, and no other <em>llavero</em> (or card) will work in your account.</p>
<p>This thing is called a token. You can either go to your local BN office and get one for 3,000 colones or, if you have them, you can use your entertainment points that you get for paying bills online.</p>
<p>With this new security option, I would say this places Banco Nacional miles ahead of their competition in terms of keeping your account safe. As I know many of you here must use Internet cafes, shared computers or wireless, this new gadget can now make all the difference in keeping your money safe.  In fact, until the other banks &#8220;catch up&#8221;, I would suggest using BN as your primary bank, using the others only for spreading the wealth.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.therealcostarica.com/2009/10/23/banco-nacional-gets-it-right/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Safe Internet Banking in Costa Rica</title>
		<link>http://blog.therealcostarica.com/2007/12/06/safe-internet-banking-in-costa-rica/</link>
		<comments>http://blog.therealcostarica.com/2007/12/06/safe-internet-banking-in-costa-rica/#comments</comments>
		<pubDate>Thu, 06 Dec 2007 18:49:46 +0000</pubDate>
		<dc:creator>Tim</dc:creator>
				<category><![CDATA[Banking & Finance]]></category>
		<category><![CDATA[Banking in Costa Rica]]></category>
		<category><![CDATA[Costa Rica]]></category>
		<category><![CDATA[Internet]]></category>
		<category><![CDATA[Internet Fraud]]></category>
		<category><![CDATA[Life in Costa Rica]]></category>
		<category><![CDATA[Living in Costa Rica]]></category>
		<category><![CDATA[Technical Stuff]]></category>

		<guid isPermaLink="false">http://blog.therealcostarica.com/2007/12/06/safe-internet-banking-in-costa-rica/</guid>
		<description><![CDATA[Lately, there have been a goodly number of news articles about people having their money stolen from their Costa Rica bank accounts.
As some of you know, several of my companies here in Costa Rica are &#8220;high tech&#8221; related, especially the web hosting business where we host thousands of customers world wide.  Server and computer [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://blog.therealcostarica.com/wp-content/uploads/2007/12/phraud1.jpg" alt="Internet Fraud" align="right" />Lately, there have been a goodly number of news articles about people having their money stolen from their Costa Rica bank accounts.</p>
<p>As some of you know, several of my companies here in Costa Rica are &#8220;high tech&#8221; related, especially the web hosting business where we host thousands of customers world wide.  Server and computer security are paramount issues as you might guess.</p>
<p>So when I got a phone call yesterday asking me my thoughts about this rash of Internet bank fraud and seeking advice, I decided rather than answer her question immediately, I would BLOG about it and maybe pass on some ideas for my readers.  While this relates to the banking thing, it is really germane to ANY Internet transaction that uses passwords, bank information,  credit cards or ANY confidential data.</p>
<p>This will not be a &#8220;techy&#8221; post.  I&#8217;ll try to keep it very basic so non-techies can understand what they can do (MUST do) to avoid Internet fraud.</p>
<p>I am sorry, but this will be a long post, but I cannot recommend strongly enough that you read this.</p>
<p>If this topic interests you,  read on!</p>
<p><span id="more-258"></span><br />
First, let me begin with this.  Internet banking or for that matter any Internet commerce IS inherently safe <em>if <strong>you </strong>take responsibility for protecting your computer, protecting confidential information, and learning about Internet safety.</em></p>
<p>The problem, of course, is that many people either do not know how to do this, think it is too technical, or frankly, cannot be bothered to learn (until they lose some large green, then amazingly, they have all sorts of time!).</p>
<p><strong>Connection to the Internet &#8211; Computing Environment<br />
</strong></p>
<p>Of course the first thing to discuss is your connection to the Internet.  Basically, there are three ways you can connect and variations of those that we won&#8217;t get into here.</p>
<ul>
<li>Connect via modem</li>
<li>Connect by cable modem, DSL or another &#8220;always on&#8221; connection, meaning you do not have to LOGIN each time you use the Internet</li>
<li>Connect via a wireless connection, meaning you have  no wires hanging off your computer when actually on line. You are sending and receiving radio signals from your PC to a box often called a wireless router, most capable of handling a number of wireless computers at the same time.</li>
<li>Connect via an Internet cafe or other public locations that offer use of a PC to go online.</li>
</ul>
<p>RULE ONE: YOU SHOULD NEVER <em>FOR ANY REASON</em> CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM <strong>ANY </strong>INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.</p>
<p>RULE TWO:  YOU SHOULD NEVER <em>FOR ANY REASON</em> CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM <strong>ANY </strong>INTERNET CAFE OR PUBLIC LOCATION USING COMPUTERS OFFERED BY THE CAFE OR PUBLIC LOCATION.</p>
<p>RULE THREE:  YOU SHOULD NEVER <em>FOR ANY REASON</em> CONNECT TO YOUR ONLINE BANK ACCOUNT (OR ANY OTHER WEB SITE THAT INVOLVES YOUR FINANCES OR CREDIT CARD INFORMATION) FROM <strong>ANY </strong>INTERNET CAFE OR PUBLIC LOCATION USING YOUR <strong>OWN </strong>LAPTOP OR OTHER COMPUTER UNLESS YOU HAVE INSTALLED THE NECESSARY SOFTWARE TO PROTECT YOUR COMPUTING ENVIRONMENT.</p>
<p>RULE FOUR: YOU SHOULD NEVER USE A PUBLIC WIRELESS CONNECTION AT ALL.</p>
<p>It is important that you understand that regardless of how you connect, the instant you connect to the Internet, your computer is vulnerable.  Note the word <strong><em>instant</em>.</strong> Therefore, you <strong>must </strong>have your computer protected <em>before </em>you ever connect to the Internet.</p>
<p>If you do not, you are exposed to potentially serious issues.</p>
<p><strong>Your computing environment </strong></p>
<p>What do I mean by &#8220;protection&#8221;?  There are two critical items.</p>
<p><strong>Anti Virus</strong></p>
<p>First, you absolutely MUST have a good <strong>anti-virus program</strong> on your PC. By good, I mean a program that updates itself with new virus, worm, and Trojan horse information<em> every time you log on to the Internet</em>.  Many of the best known names say they do.  They do not. Most only update what they consider to be critical. The rest are updated once per week.  This is nonsense!  As it is estimated that between 20-40 new viruses are released DAILY, updating once per week is just nonsense!</p>
<p>There are two excellent programs available, both from Europe, and both can easily be configured to update the virus info as often as hourly.  On all our business PCs, we have it set to every three hours.</p>
<p>Kaspersky and F-Secure are the names of the software that we use,  and you can find links to their web sites at the bottom of this post. Just scroll on down!</p>
<p>**<strong>Quick note to modem users!</strong>  Modem users often log in and immediately start reading emails or surfing.  This is a mistake. Even if you are using high quality anti-virus programs like the ones I mentioned above, it takes time to download the newest virus information.  Depending on when you were last online and your connection speed, from a minute or so to maybe ten minutes!  Log in by modem&#8230;  then WAIT until your protection has caught up with you.</p>
<p><strong>Firewall</strong></p>
<p>The second thing that is needed, whether you have an &#8220;always on&#8221; connection (cable, DSL, etc.) or use a modem, is a BI-DIRECTIONAL firewall.</p>
<p>A firewall is a program that keeps the bad guys from getting into your PC over your connection to the Internet. Many users of Windows PCs use the firewall that is included free in the XP or Vista operating systems.  This is not enough!</p>
<p>Why?</p>
<p>Nowadays, the use of <a href="http://en.wikipedia.org/wiki/Keylogger" target="_blank">keyloggers</a> is everywhere and especially at public locations and Internet cafes.  A <a href="http://en.wikipedia.org/wiki/Keylogger" target="_blank">keylogger</a> is a tiny program that can be installed on your PC <em>without your knowledge</em>.  It is ridiculously easy to do this! It can be sent in an email, downloaded from a web site you visit, hidden in a Microsoft Word document&#8230; and in many other ways!</p>
<p>Then, every time you touch your keyboard, this tiny program records every key stroke you make! That information is then sent over the Internet to the bad guys!</p>
<p>The key phrase here is: &#8220;&#8230;sent over the Internet to the bad guys!&#8221;</p>
<p>This means that <strong>the keylogger program must have <em>outward bound</em> access to the Internet</strong> in order to send the information.  THAT is why you need a firewall that not only controls (blocks) what wants to come IN to your PC, but also can block what wants to get OUT of your PC without your knowledge or permission. Most firewalls (Windows XP for example) do not do this.  There may be other firewalls that do so. I use a product by Check Point; again, there are links at the bottom of this post so you can get more information.</p>
<p><strong>Wireless (<em>inalámbrico</em>)<br />
</strong></p>
<p>Wireless is just that.  Your computer transmits and receives just like a little radio station.  That means anyone near you can easily intercept those radio signals and can see them on their computer.  The software to do this is free on the Internet. While it is a bit more complex than a keylogger, it does not take a computer scientist to do this.</p>
<p><strong>Email</strong></p>
<p>So you may say, &#8220;All I do is check my email and surf the net!&#8221;</p>
<p>OK&#8230; so now, the bad guys can have access to your email!  THAT means they can now ask for a lost password in your name, then get or change the password and erase all trace they were there!</p>
<p>OK, now some users use a webmail connection!  This is very common.  Or, they use Yahoo, etc.  THEN they leave the old messages stored on their account.  NOW, when someone gets access to their email, they can read old emails&#8230; and there they can find a treasure trove of things including passwords or lost password email, etc.</p>
<p>RULE FIVE:  NEVER LEAVE EMAIL ON A SERVER (your email account online).  USE A GOOD EMAIL PROGRAM AND DOWNLOAD THE EMAIL TO YOUR COMPUTER AND STORE IT THERE.  Just think of what someone can find reading the past years of your emails.</p>
<p>Also, a really knowledgeable hacker person can get into your PC via a wireless connection! There, they can read, copy files and do other bad things.  Every time I go to Bagelmans or Dennys or some hotel lobby, I see people logged on wireless thinking all is well.  One day I saw a guy sitting in his car just outside one of these locations obviously using his laptop.</p>
<p>Was he just using the wireless for free?  Probably. Right?</p>
<p>While there <em>are </em>ways to 100% protect a PC in a wireless environment, they are simply too complex for this post.</p>
<p>In any case&#8230; can you see the problem here? It is amazingly easy to get someone&#8217;s confidential information via the Internet.</p>
<p>Couple this with people who still open email that is clearly SPAM (and make no mistake, people open millions every day!) or from unknown persons, and you can see why the burden has to fall on <strong>you </strong>to protect your computing environment. Now add a little surfing and this problem begins to take shape.</p>
<p>Want more?  Add kids and teens!  They surf everywhere and a favorite trick of hackers is to place malware (bad programs) on sites kids will be attracted to as they KNOW the kids are using mom and dad&#8217;s PC!</p>
<p><strong>Passwords</strong></p>
<p>Many think that using a good password and changing it regularly is enough.  It is not.  However, it is important to know what is a good password.  For all my business access, I use complex passwords, i.e.  &#8220;wV1E4GJY18Ct5&#8221;.     Nasty, but required in my work.  Sometimes we throw in random punctuation marks as well.</p>
<p>However, these kinds of passwords are neither practical nor necessary for an average user who needs to remember the password (as everyone knows it should never be written down, RIGHT?).</p>
<p>So here is a little password trick.</p>
<p>Look around you.  Find two items totally at random.  From where I am writing, I can see a gourd and a table.  Now, think of a number between 19-99.  OK so now take that number and place it between the two words thus: gourd79table.</p>
<p>Now randomly capitalize 2-4 letters thus:  gouRD79tAble.</p>
<p>You now have a pretty nasty password nearly impossible to guess, and even a random password generator will never find it. Whether you use this technique or another, NEVER EVER use birthdays, names, places, ANY ID numbers of any kind for passwords.  You would be flabbergasted at how much of everyone&#8217;s private life is already on the Internet.</p>
<p><strong>Those &#8220;security test questions&#8221; </strong></p>
<p>How many times have you seen a password test question something like, &#8220;What was your mother&#8217;s maiden name?&#8221; used as the test question?  How dumb!  Your mother&#8217;s maiden name (also probably known as your grandfather&#8217;s last name) can likely be found on hundreds of genealogy  web sites or other public databases!  Piece of cake for any good hacker. That is why I use the first name of the second <em>barber </em>who ever cut my hair as my correct answer to what was my mother&#8217;s maiden  name.  Let them try to find THAT out!</p>
<p><strong>Summation</strong></p>
<p>You must have your PC protected. I can promise you that Internet Cafes do NOT have this protection. While protecting one PC is not expensive, protecting 20-30 computers is not cheap. Also, they just do not care of course as it is not their responsibility.</p>
<ul>
<li>Download, install and learn to use good anti-virus and firewall software and <em>keep them current</em></li>
<li>Use proper passwords like those above and change them frequently</li>
<li>Make sure that any time you are entering private information over the Internet that the web site is using a security certificate.  You can tell this by checking for a little &#8220;lock&#8221; icon at the bottom of the web page in the browser&#8217;s border.  To see what I am referring to, <a href="https://www.bac.net/bacsanjose/esp/banco/index.html" target="_blank">go here</a>. Now down at the bottom of your browser, you can see the little lock!  That indicates a secure web site. Another way is to make sure the URL (web address) begins with https:// and NOT just http:// without the &#8220;s&#8221;.  The &#8220;s&#8221; indicates that a security certificate is present to encrypt what you type (but remember, NOT over wireless!!)</li>
<li>Avoid using wireless&#8230; period!</li>
<li>Avoid using <em>any </em>public PC anywhere.</li>
<li>If you choose to ignore this, never ever use a public PC if you will be entering even ONE piece of confidential information.</li>
<li>Never open unsolicited email.  Sometimes just opening an email can do damage!</li>
<li>Surfing can be OK if and only if you have ALL the proper protective software installed and current on your PC.</li>
</ul>
<p>Protection must be on <em>your </em>PC and for that reason, if you MUST use an Internet cafe, install these protections on your PC first and connect your PC (laptop more likely) directly (via cable) to the Internet cafe&#8217;s connection. Just about all locations offer this provision as do most hotels nowadays.</p>
<p>Here are links to the companies mentioned above:</p>
<p><a href="http://www.jdoqocy.com/click-2107080-10400108" onmouseout="window.status=' ';return true;" onmouseover="window.status='http://www.kaspersky.com';return true;" target="_blank"><br />
<img src="http://www.awltovhc.com/image-2107080-10400108" alt="Kaspersky Lab North America E-Store" border="0" height="60" width="468" /></a></p>
<p><a href="http://www.tkqlhce.com/6a106ft1zt0GJIHOHPHGIHLQPJPK" onmouseout="window.status=' ';return true;" onmouseover="window.status='http://www.zonealarm.com';return true;" target="_blank"><br />
<img src="http://www.tqlkg.com/jf104ltxlrpADCBIBJBACBFKJDJE" border="0" /></a></p>
<p><a href="http://www.tkqlhce.com/8e77ft1zt0GIPJNKLOGIHLQOQKN" target="_blank"><br />
<img src="http://www.lduhtrp.net/9p79fz2rxvGIPJNKLOGIHLQOQKN" border="0" /></a></p>
]]></content:encoded>
			<wfw:commentRss>http://blog.therealcostarica.com/2007/12/06/safe-internet-banking-in-costa-rica/feed/</wfw:commentRss>
		<slash:comments>16</slash:comments>
		</item>
	</channel>
</rss>
