Small business or large, studies show that all companies are at risk of attack by hackers. Government agencies including the FBI have suggested using a separate computer for all transactions involving money or sensitive information, but from a business view, that isn’t scalable or practical. So we’re gonna spill the beans for you. We’re not claiming to bullet-proof your enterprise, but a few minor tweaks may deflect attack, because – as we’ve seen – the lowest hanging fruit is usually what gets picked off. Let’s raise up your proverbial tree and get that fruit out of reach, shall we?

1. Beware the man (or woman) behind the curtain. Spear phishers are looking for quality, and they’ll do their research well. Often though, they won’t go for the high profile target directly, they’ll go to someone who pushes the buttons for that person – an executive assistant, general counsel, staff attorney. They are more likely to be phished than, say, the CEO or CFO. These folks need to be super vigilant about the links they click on and the sites they login to, in a sense, expecting that someone will try to dupe them. And that is why they should follow the next advice.
2. Look for non-obvious clues. Anyone can duplicate a logo or make a look-alike login page. But a vast number of attacks come from non-English speaking countries. If an ‘official’ communication uses rotten grammar and is overly casual, be suspect. Hover over links and read the entire link source before clicking – is the format what it should be? Trust your gut. If something seems odd, don’t click. And just like dad always told you, if it seems to good to be true, it probably is.
3. Be cautious of downloads. Certain people – like lawyers – deal with downloads all day. PDF’s and other documents are sent back and forth, passed around, read and re-read. Are you aware that PDF’s can contain malicious payload that compromises your computer? Don’t download PDFs thinking they’re just harmless documents. Note the sender (or host), make certain it’s something you requested or critically need. And if you’re unsure, confirm the credentials before downloading.
4. Use unique email addresses if you can, only giving out your ‘real’ email address to people you trust. It’s easy if you have your own domain – myspace@jennycramer.com, travel@jennycramer.com, amazon@jennycramer.com. If you don’t have your own domain, you can at least set up a public email address and a private email address. The public one would be the one you use on websites that require opt-ins, on forms for store loyalty programs, etc. And you would know that anyone can gain access to that account.
5. Don’t click on anything in an email. If you think about it, you hardly ever receive something vitally important in an email that requires a click. There’s the occasional “click to verify your account” message, but let’s be honest – you expect those, they come right on time, and you were told in advance when and where it would come. So if you didn’t ask for it, don’t click on it.
6. You know those patches for software? Ever wonder if they’re for real? Well, they are. Use them. They’re there to protect you, so let them.
7. Avoid P2P – person to person – download applications. BitTorrent, Rapidshare, you know what I’m talking about. If you want to do it at home, go for it. But there’s no place for it on an enterprise computing network. Those things are rife with malware.
8. Switch your company and your home router’s DNS resolver to use OpenDNS. Do it right now, I’ll wait. There’s no reason to use the default DNS provided by your Internet service provider. OpenDNS has a gigantic cache that will speed up your queries and a free Website filtering service that might interest some companies. Even if you don’t want the filtering, its robust and secure DNS infrastructure can shield you from well-known attacks at the DNS level.
9. “Bob” saying so doesn’t make it so. We’ve all had that experience where ‘Bob’ says that if we download that patch or install the new version or upgrade the antivirus software, application xyz will fail to work and the entire business will crash. Are you really going to let ‘Bob’ put your entire network at risk? If the mission-critical application needs to be tweaked for upgrades, tweak it. And silence Bob – your enterprise security is more important than Bob’s personal opinion. Sorry, Bob.

We have to thank CIO magazine for the tips here – many of them came from their informative article on enterprise security. And to conclude, if you have influence over your business’ security procedures, make sure you have policies in place to inform your people about what’s acceptable and what’s not. It doesn’t take militant enforcement – your people want their computers to be safe. They just need to know how.

When we talk about the authentication space there are really 3 things we have to balance. It boils down to 1. Real security, 2. Perceived security, and 3. Price. What we’d hope is that all players in the space would have strong real security. I mean, that’s the business we’re in, isn’t it? But when it comes down to it, not all login systems are created equally.

And unfortunately perceived security combined with an effective pricing model can equal success, regardless of the level of actual security. What that means is the industry is open to clever fox-types who can swindle their way through a sales presentation based on slick ideas with little real security provision. Yikes. And our consumers are left vulnerable, but worse – with the perception that their information is secure.

And then there’s me. And my colleagues. See, we’re sticklers for real security. We’re those geeky types who aren’t satisfied with merely protecting our clients authentically from current threats while providing perceived security through positive user experience. We’re the crazy guys who are determined to get it right, without cutting corners. We have this crazy notion that we won’t stop improving our technology as long as there are still hackers out there finding ways to compromise consumers. Of course, that means we have a team of geeky types just like us on payroll. And our pricing strategy can’t compete with the fake-it-till-you-make it guys. We believe you get what you pay for, and even though our prices aren’t much higher than the other guys, cost-cutting measures can mean that the contracts go to the cheap solutions, even when those solutions offer cheap quality.

That’s ok though. We’re creating a safety net. When the merchants out there are disappointed with their lack of actual security, when the hackers seem to be winning the battle, we’re here to catch you when you fall. It’s like the commercial for Office Depot when a barber sees a competitor open shop across the street for “$6 haircuts.” Our barber puts up a sign saying “We fix $6 haircuts.” That’s us. We fix $6 haircuts authentication.

What’s different this time is Google’s response to the attack, as well as a number of governments (like France and Germany) that made public announcements recommending that their citizens stop using Internet Explorer, since the attacks were targeting this browser’s vulnerabilities.

Online security is a lot like an inflatable balloon.  If you squeeze a balloon, the air will extend the part with the least resistance.  When it comes to security, attackers will most likely go the path of least resistance that promises the greatest rewards at minimum risk.  In this situation, I really don’t understand why advising millions of people to stop using a specific browser will somehow protect them from future attacks.  Let’s say everyone starts using only Firefox, or Chrome.  Are hackers going to give up and never write another exploit again?  Not only this boycott of IE is not going to be effective for the general public, but since governments usually use IE as their default browser in all of their institutions, imagine the logistics required to make the changes across the board.

Tricerion protects its users in a way that is completely independent of browser functionality and vulnerabilities.  Our graphic passwords are stored in a database in such a way that this information is not possible to interpret and reuse from the outside.  Effective authentication methods should not rely on specific browsers, nor should they be threatened by the vulnerabilities in other companies’ software products.

There are these clever little ways to send money through text messaging – Yele does it to help humanitarian aid after the quake in Haiti. Just text “Yele” to a specific number to donate $5 bucks to relief efforts. What’s wrong with that? In this case it’s for a good cause, but the very same technique could be used by others with less-than-honorable intentions. Misplace your phone? Before that was a hassle of immeasurable proportions, but now it could mean more – the same level of financial vulnerability as losing your wallet and credit cards. You can read more on the worrisome tactics of post-disaster funding scams at CNet’s post by Caroline McCarthy.

And what about email? Did you know that you can be held responsible for transactions over email? These annoying post-transaction marketing ploys are promoted by sites like VistaPrint who offer seemingly countless offers after completing a sale, all of which will lighten your wallet a bit (or more). The offering site already has your payment information saved, and their ‘special offers’ from affiliate sites push transactions through that were never authorized, or were authorized through the sharing of an email address, but no disclosure of credit card information.

It makes me wonder… when will authentication for mobile phones actually make sense – for security and usability? And will there ever be a day when the majority of companies have scruples? I’m just sayin’.

Photo Credit: Antonion Lupetti, Flickr

The sad thing is that there are actually products like this still out there, encouraging people to write down and maintain a paper trail of their various passwords – especially for ‘important’ information. Those most likely to fall for it? Seniors, who are already taken advantage of by a host of crooks and scam artists.

All the more reason banks, e-commerce sites and other login-based websites owe it to their patrons to switch to image-based passwords that are near impossible to disclose (but also easier to remember than tradition alpha-numerics).

In the last two years hackers have stolen over $40 million from small to medium enterprises that typically don’t have the resources or tech expertise to protect themselves from such attacks. They often do business with small banks and credit unions, which are typically considered “low hanging fruit” for hackers. Channel-Pro SMB interviewed our very own Stuart Morris about this issue, and the write-up points out some key issues – like the impact this can potentially have on small to medium businesses.

The solution the feds propose is a dedicated computer used only for banking. They recommend it because malware is often installed when surfing the net, gaming, emailing, and downloading programs. It isn’t fool-proof though. Crooks are smarter than we like to think and a computer dedicated to online banking isn’t a surefire way to stop them. And logistically, unless we’re talking about sole proprietors, it becomes both a hassle and prohibitive expense when every person who needs access to banking information requires a separate computer to do so.

Hey! I have an idea! What if banks, e-commerce sites, and other agencies requiring sensitive login procedures found a way to protect their users and consumers from this type of fraud? Is it possible? Is it plausible? What is this, 1976? Of course it is! And it has been for years.

The only real way to stop keyloggers is to stop typing passwords. You know how you use your mouse to click on buttons on the computer screen?  There’s no reason banks couldn’t use a clickable keypad on the screen to replace password typing, or even credit card entry. And guess what? It’s already being done. There’s a system that first recognizes the user and generates a customized keypad for them. If your keypad doesn’t look right you know you’re on a fraudulent site. When you see the keypad you recognize, you use your mouse to key in your password. Easy, breezy. And keyloggers don’t have a chance. (Neither do man-in-the-middle, man-in-the-browser, or any host of other hackers.)

Wanna give it shot? You can. Go ahead – try it now. I’ll give you a buck – a whole greenback for the minute you spent – if you think it’s too hard to use.

In our own minds, we can all spot a criminal, a bad website, or a fraudulent scheme. When it comes down to it though, any decent law enforcement officer will tell you that people are generally unobservant. Ask witnesses what they saw and you’ll get contradictory answers from all of them, or ‘I don’t know… it was reddish car… I think…’ Some psychologists did an experiment showing how incredibly unobservant we are. Watch how every single person is tricked.

What does this teach us about preventing fraud online? Why are people still getting tricked into giving away their information to crooks? Here’s our list.

1. We’re unobservant. So, when I go to my bank website, if the look and feel is mildly similar to what I expect I’m likely to go ahead and try to login. Wouldn’t it be nice if my bank’s login process protected me from my tendency to be oblivious?
2. We’re trusting. In the experiment in the video, someone trusted told subjects to complete a task. They completed it. When the authority figured changed, they didn’t question. We don’t expect to be deceived, so we aren’t vigilant to protect ourselves.
3. Crooks look like us. There’s this little expectation we have to be able to judge a book by its cover. Ever seen a gorgeous woman on trial for something horrendous? Listen to people. “She can’t be guilty. She looks so… normal!” What they really mean is that criminals (and the websites they operate) should look mean and ugly and unprofessional. People who look like us are supposed to be like us. Websites that are attractive and well designed are supposed to be trustworthy. Or so we naively think.
4. We’re opportunists. Yes, we know that if it’s too good to be true, it probably is. That’s why we delete any Nigerian “I want to split my $5 million with you” emails that make it through our spam filters. That said, we’re trying to save time, save money, and find more efficient ways to do things. And we think others (like vendors, retailers, or whoever) are trying to do the same thing. So if a process suddenly becomes easier or we’re enticed with a discount or otherwise convenient offer, we want to believe. Why? Because we’re opportunists. And we’re trusting too.
5. It won’t happen to me. Identity fraud is something that happens to other people. I’m not in danger, and I don’t need to worry. I shred my bills, I don’t write down my passwords, and besides – people generally have my best interest in mind (remember? I’m trusting too).

The good:

• if you’re trying to save dough, this could be a positive means of accountability – you spend frivolously and your friends immediately know it.
• couponing and bargain-hunting gone wild. If your friend found something on sale, this could be a valuable alert.
• a marketer’s dream. This takes ‘keeping up with the Jones’s’ to a whole new level.

The bad:

• it requires you to store your credit card information and login information on their site. Um… is our memory for corporate financial data leaks really that short? Are we fool enough to divulge this? If so, maybe we deserve to have our identities stolen…
• surely no burglar, criminal, or otherwise mischievous soul would ever use this for ill. And if you believe that, I have a bridge to sell you.
• are we really so materialistic and driven by instant gratification that we need a whole new social networking site to help retailers manipulate our spending habits?

Here at Tricerion, we think a site like this has the potential for more harm than good. It would certainly be useful to hackers to gain access to the data stored there, and we haven’t seen anything from Blippy to allay our fears about their site security. Maybe we’re just overcautious (or maybe we just know who we’re fighting really well).

How about you? What do you think of Blippy? Would you blip (or is it bleep? maybe bleet?)?

He proposes, based on extensive knowledge of the market, that most IAMs are focused on one of two things – either purely securing access to data, or on the other hand, understanding all aspects of the access event. I think we’ve got something a little different going on here.

When I walk through the office the buzz I hear from my colleagues takes on three very distinct tones.

1. Usability. Yes, real security is why we’re in business. But perceived security is what sells solutions and makes them popular. If our clients’ customers are happy with what they see and how user-friendly it is, we’ll succeed. Of course, that assumes that we do a rock-on stellar job of actual security, but hey, in my office that’s a non-issue. What we’ve got rocks the house.
2. Staying ahead. We can stop man-in-the-browser attacks. We have a handle on phishing, in all its many varieties. Key-logging – done. Password-stealing malware? Bam! Take that! (as Batman would say). But what’s next? What are the criminals working on next, and how can we beat them to the punch? For us, it isn’t enough to protect our clients from today’s problems. We want to protect them from tomorrow’s too.
3. Your gramma, or Gram, as we like to call her. Can she use our product? Can she do it easily? Can someone trick her into using it to divulge sensitive information? Does this protect Gram? Does it do it in a way that will leave her satisfied at the end of her transaction, looking forward to her next online interaction? See, knowing that Joe Techie can use our system means nothing to us. He can do all sort of things online, and if he has issues he knows where to go for help. We want to make sure Gram is taken care of, happy with her interaction, and ready to tell all her friends that she doesn’t know what all this hullabaloo is about – her bank (or favorite online store) is easy to use and entirely worthy of her trust.

That’s what we talk about in our office. Well, that and the new curry place down the street. They’ve got a mean Tikki Masala. Ok, fine. So we also talk about which fair trade coffee we’re going drink this afternoon and who’s going to the cricket match this weekend. But that’s just us.

Fake or rogue security software was the most prevalent threat of 2008. It seems criminals know that we as a population have a weakness for security products. We want to be safe, so they hit our vulnerability with security products that are far from secure. This malware product has the look and feel of McAffee, only it’s not quite right.

Email phishing seems to be on a decline, but phishing as a whole is increasing, with internet-based scams leading the pack. Our awareness campaigns to caution customers about email phishing paid off – the customers grew email-savvy, but the criminals grew more sophisticated.

As for 2010, CA expects to see an increase in Malvertising (advertising malware), threats to social networks, and – not so surprisingly – denial of service attacks like we saw this year in political showdowns in Moldova and Iran. Banking trojans are expected to be on the rise as well, and we’d be fool to think criminals would ever really back off financial institutions, since the carrot at the end of the stick is so big.