ID On TV

by msecadm4921

Peter Wood, Chief of Operations, and Didi Barnes, Head of R&D, for First Base Technologies are part of a programme on ID Fraud: They Stole My Life on BBC1 at 9pm tonight (Wednesday, January 31).

Identity theft can mean unsuspecting people having their money and lives plundered by criminals. This film has unprecedented access to the City of London Police identity fraud unit and reveals details on how easy it is for the crooks to copy our lives, if we allow them to.

The programme will cover:

The Dangers of Phishing

Criminals create e-mails that appear to come from legitimate banks, insurance companies, eBay and so on. Unsuspecting people will click on a web link in the e-mail, which then takes them to a fake web site where they enter their name, password, credit card details etc., unaware that this personal information is going straight to a criminal gang. Although there are safeguards in both the processes that banks use and the e-mail software, many people still fall for these scams.

Why can using wireless be dangerous?

There are three basic reasons.

Firstly, with the right equipment, your wireless data transmissions can be intercepted in the same manner that a radio receiver can be tuned into radio station broadcasts. If your wireless network doesn’t use encryption, an attacker could easily read that intercepted wireless data. If the “data” consists of usernames and passwords, credit card and bank information, sensitive documents and personal data, the attacker has all they need to commit ID fraud.

Secondly, if no authentication is used, an attacker could join your own wireless network and commit bandwidth theft – use your Internet access to launch attacks on other networks or to download illegal content. In that case, the ISP and law enforcement would come knocking on your door rather than the attacker’s.

Thirdly, if the computers using your wireless network are insecure (poor passwords, for example), an attacker could use the wireless network to access those computers directly – they could then obtain whatever documents and information they wish, use the computer as a store for illicit material, or plant a Trojan, for example.

The problem is that “out-of-the-box” wireless equipment is not generally configured in a way that prevents such attacks. Whilst organisations access the administrative interface of wireless devices and configure them securely before they are deployed, the majority of home users simply plug and play such equipment with no awareness of the risks! Such home users are then easy prey for war drivers and other miscreants. So get out that user manual and secure your wireless devices before it is too late!

Trojans?

Trojans are malicious programs hidden within apparently benign software, such as screen savers, games and even web pages. Once a PC is infected with a Trojan, the machine is no longer yours. The Trojan software may be designed to capture your passwords as you type them, to capture credit card details off the screen and to harvest your personal, private information – it will then send this information to a system somewhere else on the Internet without you being any the wiser. Another form of Trojan may allow an attacker to remotely control your PC, to use your computer to attack another or to act as a conduit for pornography or other illegal material.

10 things you can do to defend against ID theft

1. Don’t let your important documents (e.g. passport, driving licence) and credit/bank details get into the wrong hands and don’t issue photocopies of such documents unless you really have to. Take out document/card insurance such as CPP to assist if these documents are lost/stolen.

2. Don’t use a PIN with a value that an attacker could find out – using your birth date is asking for trouble. Change PINs on a quarterly basis – sooner if instinct tells you to.

3. Use your hand to shield your PIN from being overlooked when using a shop’s card machine.

4. Subscribe to a service such as Equifax to keep an eye on your credit record – if you get black marks, you can quickly track if they are yours or an attacker’s and take action.

5. Use a password safe such as “Password Agent” or similar on your PC to store credit card numbers, bank information, usernames and passwords for web sites, etc. – don’t have them on your PC in plain text.

6. Always read the warning messages that appear when you log in to your bank – they are there for a reason!

7. Never click a hyper-text link in an e-mail purporting to be from your bank, credit card or any organisation with which you have credentials that could be stolen. Open your browser and use your favourites, or manually type in the bank or other address (not the address that is in the e-mail) – this will stop you from falling prey to phishing attacks.

8. Never open e-mail attachments without first scanning them with anti-virus software to make sure they don’t have a malicious payload. Turn off the preview pane.

9. Always use a personal firewall, anti-virus and anti-trojan software on your computer, select strong passwords and use the best security you can for PDAs & mobile phones. Never use a public PC for anything private or sensitive.

10. If using wireless networking, use an SSID that doesn’t identify you or the location, disable SSID broadcast, use MAC filtering, don’t use DHCP – use static IP addresses instead, use WPA-PSK as a minimum and make sure the router has a strong password set for administrative access.

10 things a corporate should do to protect itself and staff

1. Policy, procedures, standards and guidelines should be written and published for all aspects of security, and kept up to date with evolving technology and workplace practices.

2. Implement thorough vetting procedures for everyone who comes through the door, including cleaners and other sub-contractors.

3. Conduct appropriate security awareness training for all staff. Make the training entertaining, relevant and never condescending – implement the human firewall.

4. A happy employee is a well-behaved employee. Treat employees and sub-contractors with respect, to minimise the chance of malicious activities which may compromise the organisation or other employees’ security.

5. Don’t put your trust in technologies – security products are only as good as the people who install them and maintain them. Ensure that frequent tests and audits are conducted, both by your own staff and third parties.

6. Remember that security is not an IT issue – it’s a business issue. It embraces people, offices, networks and homes. Give your staff the skills and motivation to think securely.

7. Ensure that every new project plan and every third-party contract includes a risk analysis and considers security at every stage.

8. Don’t try to outsource the responsibility for security – it doesn’t work. Lead from the top and ensure that all senior staff visibly implement best practice security at work, at home and whilst travelling.

9. Test all components of your business for secure behaviour – telephone operators, help desks, home and travelling workers, network infrastructure, servers, workstations, laptops, mobile phones.

10. Make security a core business process, not an afterthought or an IT problem.


© 2024 Professional Security Magazine. All rights reserved.