Deviation from the norm

Are you being asked to act in a way that deviates from the usual way of doing things? If you are, you should exercise some scepticism. When things go wrong and result in financial loss, it is often the case that the vendor asked for something out of the ordinary which, at the time, sounded plausible for whatever reason. There are legitimate examples of such requests, but there are far more examples of people losing large sums of money because a transaction required them to deviate from the norm.

Being asked to pay an upfront fee in order to receive something of higher value should be met with scepticism. Winning a lottery prize is just one example. To release the winnings, the scammers ask for an administration fee: they have £100,000 to give you, but you must first pay them £350. Setting aside the fact that you cannot win a lottery you never entered, anyone genuinely holding £100,000 for you could simply deduct the fee and pay you £99,650. There is never a reason for the winner to send money first.

Society has not yet evolved to a point where it can operate without cash, as card payments are often cost-prohibitive for small transactions. Consequently, for businesses where all transactions are small, cash payments are still a requirement. However, it is unusual these days for cash to be mandatory for medium or large transactions. The reason could be something as simple as reducing taxation, but it is worth asking questions and being aware of the risks, more so if the vendor will deliver the goods or services at a later date. There are cases of businesses taking cash orders after they became aware that a bankruptcy declaration was imminent, a high street travel agency being one example. At a time when payments for goods and services are predominantly made by debit card or credit card, ‘cash only’, for whatever reason, is a deviation from the norm.

Bank transfers to people or businesses with whom you have no existing relationship are asking for trouble, but this still happens. Payment by debit card or credit card is a well-established practice, and other established payment services, such as WorldPay and PayPal, have fraud-prevention measures in place. These services give consumers a dispute process if something goes wrong; a bank transfer is very difficult to reverse once the money has left your account. Far too often people are asked to deviate from this norm and transfer money directly to a bank account, only never to receive the goods or services and, even worse, never to be able to contact the recipient.

Reasons which sound plausible for needing to deviate from the norm include:

  • The suggestion that there is a legal or official requirement for it to be different. For example, an alleged policy that consumers must pay a deposit on a holiday in cash. In practice, this circumvents all the protection offered by Visa or MasterCard if something goes wrong.
  • ‘This is how we do it with all our customers, and you save money.’  An attempt to convince you that the ‘deviation from the norm’ is the usual practice that everyone uses.
  • Time constraints, such as theatre tickets valid only this week that require an immediate bank transfer to arrive in time for the performance, creating a sense of urgency to deviate from the norm.
  • The card machine is not working today, and sadly this offer will not be available tomorrow. Creates the fear of loss while offering deviation from the norm as a viable solution.
  • Discounts offered for bank transfers or cash payments because of card payment fees. Creates a financial incentive to deviate from the norm.
  • ‘We only have two left.’ Using scarcity as a means of pushing a deviation from the established ways of doing things.

These examples will be familiar to many readers, because such stories keep resurfacing; that they do is a sign the problem is far from being resolved. The suggestion here is to take a more holistic approach and be suspicious whenever a transaction deviates from the usual way of doing things in society.

It is easier to commit fraud against you if you are a willing participant. If you were complicit in making payments to fraudsters, financial institutions may use this as grounds for denying any refund claim. However, the definition of ‘complicit’ is gradually changing in favour of consumers, and more safeguards are in place, along with greater awareness.

This article does not suggest that every deviation from everyday practice is an attempt to commit fraud against you, but rather encourages you to be sceptical and make a judgement whenever something does deviate.

Choosing Suppliers Online

Protecting personal information is a serious concern for everyone. When choosing suppliers online, for whatever purpose, it will be necessary to share some information to avail yourself of the services. It is your responsibility to determine whom you trust with your personal information.

  • Does the business have an established brand and reputation to protect? Although we often hear about big names involved in large-scale data breaches, it is reasonable to say that a business with a lot to lose will make more effort to protect your data than those that are here today and gone tomorrow.
  • How did you arrive at the website? If it was in response to an advert, did it create a sense of urgency, such as offering something at a discount that is only available today? There is always a reason why someone wants you to make a decision quickly. Businesses wishing to establish themselves in the marketplace will be happy for you to make your own decision in your own time.
  • Has this business been involved in security incidents and loss of data? Information is often available about such events on the Internet and easy to find with search engines.
  • How secure is the website? Does the address begin with HTTPS rather than HTTP, so that what you send is at least encrypted in transit? Other factors matter too, such as how password reminders work. If a site can email you your existing password in plain text, it is storing that password in a form its staff (and anyone who breaches it) can read, which demonstrates how the business feels about your security. A legitimate reset sends you a link to choose a new password, never the old one.
  • Does the website have a privacy policy and information about the use of cookies?
  • Does the website clearly show how to contact the business, the registered address, trading address, contact telephone numbers and contact email addresses?
  • How much information does the site ask for while signing up? I have observed a significant increase in websites demanding more information than is needed. Please stop and think about why they need such information and be ready to walk away. National Insurance numbers, for example, are needed for tax, employment and a small number of related government and financial matters; an online retailer has no legitimate purpose in requesting one.

Being suspicious can be a healthy attitude to take. Avoid impulse-buying scenarios. Ask yourself, if you didn’t know you needed ‘this’ yesterday, do you need it right now? It won’t hurt to take your time, speak to other people, think about it more, sleep on it, and make a decision later.

Last year I wrote an article called ‘The Website Credibility Test’ which contains more information relating to this article.

Caught in the net

Phishing emails continue to trick people into giving away personal information, which fraudsters then use to inflict harm and financial loss on their victims. The emails can be compelling, made to look as though they come from anyone, with just enough bait on the hook to catch people easily. Fake websites that look like the real ones are easy to set up, and fake emails that appear to come from your bank are easy to send.

Using simulated phishing emails within an organisation to test employees’ security awareness has shown that even experienced information security professionals are susceptible to some phishing emails.

Here are some thoughts to prevent you from becoming the next victim:

  • Never reply to emails asking for passwords, PINs or other logon credentials. No legitimate business will ever ask for these details. Never give your password to anyone, regardless of the circumstances.
  • DO NOT open attachments unless you are 100% sure about the origin of the email.
  • DO NOT click on links in emails. Always go directly to the real website and log in to your accounts in the usual way.
  • Phishing emails often have poor spelling and grammar along with non-personal greetings such as ‘Dear customer’. However, if they obtained your name and email address from another source, personalised phishing emails will look more authentic.
  • DO NOT reply to any spam or phishing emails.
  • Phishing emails will often create a sense of urgency.  For example, if an offering is too good to be true, or a deal is only available for a short period, or the email informs you of account deactivation if you don’t log in within a specific timeframe.
  • DON’T assume that because a link starts with https:// it is genuine. Anyone who controls a domain can obtain a certificate for it, often for free and within minutes, so the padlock only tells you that the connection to that site is encrypted. Personal details you disclose may be encrypted in transit, but that means nothing if you are sending them to a fake website set up by fraudsters. Check whose domain the address actually belongs to, not whether it has a padlock.
  • Report phishing emails to the imitated organisations and delete them.
  • Phishing emails will often use current events as a means to get your attention and encourage you to take action. An earthquake, for example, will likely trigger phishing emails asking for financial support for those injured, playing on people’s natural empathy for those in need. Likewise, if the deadline for tax returns is approaching, a phishing email will attempt to exploit that urgency.
  • Links in phishing emails are often hidden behind text, so that the visible text looks like a link to one site while the actual URL points to a different website. Hovering over the link (or pressing and holding it on a phone) reveals the real destination. Read the domain name carefully: the part that matters is the domain at the end of the host name, just before the first single slash, not a familiar brand name appearing earlier in the address; and a shortened link may still hide where it finally ends up.

In terms of the economic viability of phishing emails, with emails sent to millions of potential victims, it only takes a small number of catches for the operation to be profitable.
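The last two points above, the padlock that proves nothing and the link whose visible text differs from its real destination, are mechanical enough to check in code. The following is an added example and not code from the original article: it extracts every link from a constructed sample email, compares the host shown in the link text with the host in the href, flags hosts that merely contain a brand name as a subdomain or lookalike, and notes that an https:// link on an unknown host says nothing about who owns it. The sample email, the brand and the list of trusted hosts are assumptions made up for the example.

```python
"""
Added example, not code from the article: a small scanner for the phishing
link tricks listed above. Everything it scans (SAMPLE_EMAIL) and trusts
(TRUSTED_HOSTS) is constructed for the example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the kind of message the section describes.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be deactivated in 24 hours.</p>
<p><a href="https://examplebank.com.secure-login.example.net/verify">https://www.examplebank.com/login</a></p>
<p>Or use <a href="http://exarnplebank.com/verify">our secure site</a>.</p>
<p>Help: <a href="https://www.examplebank.com/help">www.examplebank.com/help</a></p>
"""

# Assumption: hosts the reader actually has a relationship with.
TRUSTED_HOSTS = {"www.examplebank.com", "examplebank.com"}


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname; bare text such as 'www.x.com/path' gets a scheme first."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Last two labels, e.g. 'a.b.example.net' -> 'example.net'.
    Adequate for this example; real code would consult the public suffix list."""
    return ".".join(host.split(".")[-2:])


def looks_like_url(text):
    return "." in text and " " not in text


def assess_link(href, text, trusted=TRUSTED_HOSTS):
    """Return the warnings for one link; an empty list means nothing stood out."""
    warnings = []
    link_host = host_of(href)
    shown_host = host_of(text) if looks_like_url(text) else ""
    if shown_host and registrable(shown_host) != registrable(link_host):
        warnings.append(f"visible text says {shown_host} but the link goes to {link_host}")
    trusted_domains = {registrable(h) for h in trusted}
    if registrable(link_host) not in trusted_domains:
        warnings.append(f"{link_host} is not a host you have a relationship with")
        for brand in (d.split(".")[0] for d in trusted_domains):
            if brand in link_host:
                warnings.append(f"{link_host} merely contains the brand name '{brand}'")
        if href.lower().startswith("https://"):
            warnings.append("https:// only means the connection is encrypted; "
                            "it says nothing about who owns the site")
    return warnings


def scan_email(html):
    """Return [(href, visible text, warnings), ...] for every link in the body."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, warnings in scan_email(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}")
        for w in warnings or ["no warnings"]:
            print("   ", w)
```

The first link in the sample collects four warnings (text/href mismatch, unknown host, brand name used as a subdomain, and a padlock that proves nothing); the second, a homoglyph lookalike with ‘rn’ in place of ‘m’, is caught only because its domain is not one the reader trusts, which is why the check is against a list you maintain rather than against how familiar the name looks. The third link is genuine and produces no warnings.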

More on passwords

The strange thing about writing a password blog is that most of the topic is the same as what I wrote about 20 years ago, so the challenge is not writing about passwords, but making the subject of passwords interesting to read. The difference is that during these 20 years, the use of computing technology has increased significantly, and a new generation of people need to know more about how to take their safety and security more seriously. So, it is OK for me to repeat myself on this.

I didn’t think I would write another blog about passwords, but I was recently in a queue for a local cash machine when a teenager in front of me told her friend, ‘Mine is just 1234, so I can easily remember it’. A few laughs followed. I thought it was a joke initially until I saw her type ‘1234’. Even though I was standing 2 meters away, it was impossible not to see and hear what happened.

If the wrong person had been in the queue, they could have resorted to serious harm to acquire the bank card, knowing the PIN that goes with it. It also reminded me how often people use Chip and PIN in an unguarded way and how easy it is to see PINs just by standing in the queue. Simple advice here is to shield the keypad with your other hand whenever you enter your PIN to make a purchase or withdraw cash from an ATM, to change your PIN periodically, and to change it immediately if you think someone may have seen it. Simple advice for banks could be to prevent commonly used and easy to guess PINs such as ‘1234’ from being chosen at all.

Using weak passwords introduces many risks, and with the continually growing use of social media and the amount of personal information available online, guessing weak passwords is easier than ever. A full dictionary attack on a system can take time, but if your Facebook page shows that you are a Star Wars fan, an attacker can start with Jedi1 or Jedi1! and thousands of variations on that theme, which is far more efficient than working through an entire dictionary. The same applies to any information in the public domain. It gets worse with security questions because, if answered truthfully, you are providing immutable facts for security purposes. Your place of birth is unlikely to change, for example, and it is shown on a large number of Facebook profiles.

Passwords need to be extremely difficult to guess and unrelated to anything about you that anyone else would know or be able to find out using a search engine. There are no set rules for how this should be done, and there are probably as many approaches as there are security consultants. A mixture of upper case, lower case, numbers and symbols is a reasonable place to start, with a password of 8 characters or more; bear in mind, though, that length does more for you than symbol mixing, since every extra character multiplies the work for an attacker, so treat 8 as an absolute minimum rather than a target. I am being intentionally vague here and not recommending a specific approach. As soon as something becomes a widely used approach, password-cracking tools are refined to cover it, so you should think about how you will make strong passwords and take responsibility for your own safety and security.

Someone a long time ago thought it was a good idea to replace some letters with numbers or symbols, such as replacing ‘I’ with ‘1’, ‘A’ with ‘@’ and ‘E’ with ‘3’. It quickly became popular, but in practice it amounts to a small substitution rule in password-cracking software. If someone is known to be a Star Wars fan, then ‘J3d1Kn1gh+’ will be tried along with every variation of any other related word using the same convention, and a dictionary attack can apply those same substitutions to every word in its list. Consequently, replacing letters with numbers has been insecure for a long time. To recap, decide for yourself how complicated and obscure your passwords will be.
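To make the two previous paragraphs concrete, here is a miniature version of the word-mangling rules that password-cracking tools apply to a word list. It is an added example, not code from the article or from any cracking tool: starting from a handful of words an attacker would take from a public profile, it enumerates every case, letter-substitution and suffix variant and shows that ‘J3d1Kn1gh+’ and ‘Jedi1!’ both fall inside a pool of roughly a hundred thousand guesses, against the tens of quintillions a blind brute-force search would face. The word list, substitution table and suffix list are assumptions made for the example.

```python
"""
Added example, not code from the article: a tiny "mangling rule" engine that
shows why letter-for-symbol substitutions add almost nothing when the base
words come from a public profile. LEET, INTEREST_WORDS and SUFFIXES are
assumptions constructed for the example.
"""
from itertools import product

# Assumption: a typical substitution table (letter -> the symbols people swap in).
LEET = {
    "a": ["@", "4"],
    "e": ["3"],
    "i": ["1", "!"],
    "o": ["0"],
    "s": ["$", "5"],
    "t": ["7", "+"],
}

# Constructed word list: what a Star Wars fan's public profile would suggest.
INTEREST_WORDS = ["jedi", "knight", "sith", "vader", "yoda", "force"]

# Assumption: the suffixes people most often bolt on to satisfy complexity rules.
SUFFIXES = ["", "1", "!", "123", "1!"]


def case_variants(word):
    """Case rules: lower, Capitalised, UPPER."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every way of applying zero or more substitutions to the letters of `word`."""
    choices = [[ch] + LEET.get(ch.lower(), []) for ch in word]
    return {"".join(combo) for combo in product(*choices)}


def candidates(words=INTEREST_WORDS, suffixes=SUFFIXES):
    """All candidate passwords built from one word or two different words,
    with the case, substitution and suffix rules applied."""
    bases = set()
    for word in words:
        bases |= case_variants(word)
    joined = set(bases)
    for first in bases:
        for second in bases:
            if first.lower() != second.lower():
                joined.add(first + second)
    pool = set()
    for base in joined:
        for variant in leet_variants(base):
            for suffix in suffixes:
                pool.add(variant + suffix)
    return pool


def is_guessable(password, pool=None):
    """True if `password` falls inside the enumerated candidate pool."""
    return password in (pool if pool is not None else candidates())


def brute_force_space(length, alphabet_size=95):
    """Guesses needed to exhaust every printable-ASCII password of `length`."""
    return alphabet_size ** length


if __name__ == "__main__":
    pool = candidates()
    target = "J3d1Kn1gh+"
    print(f"{len(pool):,} candidates enumerated; '{target}' guessable: {is_guessable(target, pool)}")
    print(f"blind brute force over {len(target)} printable characters: {brute_force_space(len(target)):,}")
```

Real tools such as hashcat and John the Ripper ship with far larger rule sets than this, and with word lists built from previous breaches rather than six hand-picked words, which is the reason a password derived from anything discoverable about you is weak however many symbols it contains.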

Avoid using the same password for multiple purposes. Large, established systems with a strongly security-conscious ethic will have implemented their security model so that not even the company’s own staff can find out customer passwords: the standard way to do this is to store only a salted, deliberately slow hash of each password and to check a login attempt by recomputing it. The effort organisations put in is relative to the value of what they are trying to protect, so other systems will still store passwords in plain text and send them out by email, in plain text, as password reminders.
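The contrast drawn here, and in the earlier point about sites that email you your password in plain text, is easiest to see side by side. The following is an added example, not code from the article: a deliberately weak store that keeps the password itself (the only way a ‘password reminder’ email can work) next to a store that keeps a random per-user salt and a slow PBKDF2-HMAC-SHA256 digest, verifies with a constant-time comparison, and does the same amount of work for an unknown user so that timing does not reveal which accounts exist. The user names, passwords and iteration count are assumptions.

```python
"""
Added example, not code from the article: a store that can "remind" you of
your password beside one whose own staff cannot recover it. User names,
passwords and PBKDF2_ITERATIONS are assumptions made for the example.
"""
import hashlib
import hmac
import os

# Assumption: a current cost for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


class WeakStore:
    """What 'we can e-mail you your password' implies: the password is stored as-is."""

    def __init__(self):
        self._users = {}

    def register(self, username, password):
        self._users[username] = password

    def verify(self, username, password):
        return self._users.get(username) == password

    def password_reminder(self, username):
        # Anyone who can read the database (staff, a backup, an SQL injection)
        # can read every customer's password.
        return self._users[username]


class HashedStore:
    """Salted, iterated hash: the stored record cannot be turned back into the password."""

    def __init__(self, iterations=PBKDF2_ITERATIONS):
        self._users = {}
        self._iterations = iterations

    @staticmethod
    def _digest(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(16)  # fresh per user, so equal passwords give different records
        self._users[username] = (salt, self._iterations,
                                 self._digest(password, salt, self._iterations))

    def verify(self, username, password):
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for an unknown user so response time
            # does not reveal which user names exist.
            self._digest(password, b"\0" * 16, self._iterations)
            return False
        salt, iterations, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt, iterations))

    def stored_record(self, username):
        """The only thing in the database: algorithm, cost, salt and digest."""
        salt, iterations, digest = self._users[username]
        return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


if __name__ == "__main__":
    weak, hashed = WeakStore(), HashedStore()
    for store in (weak, hashed):
        store.register("alice", "J3d1Kn1gh+")
        store.register("bob", "J3d1Kn1gh+")
    print("weak store reminder for alice:", weak.password_reminder("alice"))
    print("hashed record for alice:", hashed.stored_record("alice"))
    print("hashed record for bob:  ", hashed.stored_record("bob"))
    print("login ok:", hashed.verify("alice", "J3d1Kn1gh+"),
          "wrong password:", hashed.verify("alice", "jedi1"))
```

PBKDF2 is used because it is in the Python standard library; a memory-hard function such as scrypt (also in hashlib) or Argon2 makes the attacker’s job harder still. The point the two records for alice and bob make is that a breached database of this kind gives an attacker nothing to replay against other sites, which is exactly what the plain-text store hands over.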

In recent years, more and more websites require registration before allowing purchases, and far fewer sites allow one-off guest purchases. Consequently, people need far more user accounts now than they did a few years ago. Using the same password for high-security and low-security systems lets attackers compromise the high-security systems with far less effort: credentials leaked from a weak site are simply replayed against stronger ones, a practice known as credential stuffing. A website can even sell cheap widgets for the primary purpose of harvesting email addresses, passwords and other personal information to compromise higher-security systems such as bank accounts, social media accounts and email accounts. Access to a primary email account makes it easier to compromise other sites and services, because their password resets arrive there.