Tuesday, December 28, 2010

Security on the Web

(original post 4/5/2010)

There are pervasive criminal organizations that run sophisticated operations over the Internet to exploit weaknesses in the U.S. banking system and steal money. Once such an operation is streamlined, it is all too easy for them to leave churches, school districts, local governments, small businesses, and even individuals destitute.

The large conglomerate U.S. banks, as it turns out, are using verification and transaction procedures that were put into place decades ago. There are serious weaknesses in the system that criminal hackers are exploiting without much trouble. Over the last several weeks the FBI, the FDIC, and the Federal Reserve have all issued warnings about this. It has garnered the attention of several major newspapers, such as USA Today and The Financial Times of London.

Who exactly is at risk? 

A major portion of those at risk are people who do online banking from compromised computers. But even if you never sign up for online banking, you are still at risk of having money fraudulently wired out of your personal or business accounts. Small to medium-sized businesses face the greatest risk, followed by individual consumer accounts.

What can you do to protect yourself?

There is no black and white answer to this question. It depends on how specifically you are targeted by a criminal. You could have a virus or trojan horse on your computer with broad-based routines that capture usernames and passwords. Or you could have an ex-employee or acquaintance who knows everything about your accounts and personal life. There are software-based keyloggers and hardware-based ones. There are unscrupulous individuals at airports and coffee shops capturing usernames and passwords on public wi-fi hotspots. I will attempt to explain how to avoid all of these security problems.

Encryption on the web: an overview

Modern banks use asymmetric key encryption, also known as public key encryption, to establish a secure connection from a banking server to an individual computer. Once this connection is established, all transactions over the web are more or less completely secure, with almost zero chance of eavesdroppers extracting any useful data, assuming they didn't already capture your username and password. The modern protocols are SSL 3.0 and TLS 1.0. Any encryption of 128 bits or higher is considered secure enough for online banking. To find out whether your web browser is currently on an encrypted connection to a website, simply look for https instead of http in the URL address bar, the bar at the top where the www.(website).com address is located. If you want to dig deeper and find out the current grade of encryption, your browser can supply that information as well. In Firefox, for example, you would press Ctrl+I (or click Tools -> Page Info) and click on the Security tab. As an example, I'm currently writing this on a 256-bit encrypted connection to Zoho Office. For more information see the HowStuffWorks encryption article.

Basics for guarding your log-in credentials

If possible, I recommend that you avoid doing sensitive financial transactions over a public wi-fi connection. The most secure way to connect to the Internet is by a wired connection to a router, switch, or other local computer. That said, the most secure wireless connection currently would be a WPA password-protected connection where only a limited number of people know the network password. There is another wireless protocol called WEP that is much less secure and is easily cracked. A no-password wi-fi setup is the proverbial wild west, where anyone with the most basic packet sniffing software can read any unencrypted information you send to and fro on the Internet. This brings me to my next point.

You MUST ensure that your connection to your bank is encrypted before even thinking about typing in your password. Most banks now use a two-step process where you type only your username on the first page, and it then brings you to an encrypted second page to type your password. If there is no https in the URL address bar, then anything you send will be in plain text. Many email systems are set up so that both your username and password are sent in "plain text", meaning unencrypted, and evil-doers can pick up your log-in credentials. Once they have your email log-in credentials they can reset your online banking password and then log in to your online bank. You must guard your email account with your life! I recommend signing out of your email every time you're not working on something, or alternatively setting up an email account that you use specifically for registering with your online banks. Many email providers offer a "secure access" option. I highly recommend using this at all times.

How to avoid phishing

Phishing simply refers to fake websites that try to get you to hand over your log-in credentials directly by masquerading as the real website they are trying to emulate. There have been several advances in the prevention of phishing, but it is still a major problem. The most common form of phishing involves a seemingly legitimate email with links that take the user to a maliciously constructed website that may look like an exact replica of the real one. They commonly use similar domain names to add to the confusion. For instance, the URL may read www.bank0famerica.com instead of www.bankofamerica.com. Did you catch that one? The difference is between the letter O and the number 0. Most people could never tell the difference. This is just one example and the possibilities are endless. So how do you know for sure that a website is the one you want to be at? I recommend carefully typing in the web address manually and then saving it as a bookmark so that you will never mistakenly type the wrong address in the future. If you get an email from your bank saying your statement is ready, don't click on the link provided in the email. Instead open a separate window or tab and navigate to the website on your own.
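The bank0famerica/bankofamerica confusion above is mechanical enough to check automatically. The following is an added example (not code from the original post): it takes a small, constructed allowlist of bookmarked hostnames, folds visually confusable characters (0 for o, 1 for l, rn for m, vv for w) before comparing, and reports whether a link's host is the bookmarked site, a lookalike of one, or simply unknown. It also includes the plain https check from the encryption section. The confusable table and the hostnames are assumptions chosen for illustration, not an exhaustive list.

```python
"""Lookalike-domain and https check for links arriving by email.

Added example, not part of the original post. Assumes a small allowlist of
trusted bank hostnames (constructed below) and a deliberately short table of
visually confusable substitutions.
"""
from urllib.parse import urlsplit

# Substitutions commonly used in lookalike domains (constructed, not exhaustive).
# Each key is folded to the letter it imitates before comparison.
CONFUSABLES = {
    "0": "o",
    "1": "l",
    "rn": "m",
    "vv": "w",
}


def normalize_host(host: str) -> str:
    """Lower-case the host, drop a trailing dot, and fold confusable characters."""
    host = host.lower().rstrip(".")
    for lookalike, letter in CONFUSABLES.items():
        host = host.replace(lookalike, letter)
    return host


def is_encrypted_url(url: str) -> bool:
    """True when the link uses https, i.e. the connection will be encrypted."""
    return urlsplit(url).scheme.lower() == "https"


def classify_url(url: str, trusted_hosts: set) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's hostname.

    'trusted'   : the host is exactly one of the bookmarked hosts.
    'lookalike' : the host only matches a bookmarked host after folding
                  confusable characters, which is the phishing pattern above.
    'unknown'   : no relation to any bookmarked host.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    trusted = {h.lower().rstrip(".") for h in trusted_hosts}
    if host in trusted:
        return "trusted"
    folded = normalize_host(host)
    if any(folded == normalize_host(h) for h in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed allowlist: the hosts you bookmarked after typing them by hand.
    bookmarks = {"www.bankofamerica.com"}
    for link in ("https://www.bankofamerica.com/login",
                 "http://www.bank0famerica.com/login",
                 "https://www.example.org/"):
        print(link, "->", classify_url(link, bookmarks),
              "(https)" if is_encrypted_url(link) else "(NOT encrypted)")
```

The check is only as good as the allowlist, which is why the post's advice to type the address once and bookmark it matters: the bookmark is the allowlist.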

There is a newer security model that uses a "SiteKey" for authentication. Originally, it was the banks that were feverishly trying to authenticate users during the log-in process. It was later pointed out that it is just as important for the user to authenticate the bank before giving out their super-secret password. Originally, if users wanted to authenticate the bank they would use their browser's advanced features to view the SSL server certificate and compare the certificate's "fingerprint" to the one they had on file for that website. This process can still be used today and is extremely effective. But most users wouldn't bother with it, even though it only takes a couple of seconds. Well, necessity is the mother of invention, and so the SiteKey was born. It is basically a combination of a unique picture and phrase that are both displayed on the banking website's page where the user must enter his or her password. This is how it works: if the picture and/or phrase displayed are not the ones the user is expecting, a giant red flag goes up and the user (hopefully) does not enter their password without further investigation. It is a great step in the right direction towards reducing the occurrences of successful phishing attacks.
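The manual fingerprint comparison described above, and the "grade of encryption" lookup from the encryption section, can both be scripted. The following is an added example, not code from the original post: it connects to a host with Python's standard `ssl` module, verifies the certificate chain, reports the negotiated protocol and cipher strength, and computes the certificate's SHA-256 fingerprint so it can be compared with a value you recorded earlier. The host name and pinned fingerprint are placeholders to replace with your own. One caveat: a fingerprint is only comparable with one computed using the same hash, so record the SHA-256 value if that is what you check against.

```python
"""Certificate fingerprint check and TLS inspection.

Added example, not code from the original post. Assumes you recorded your
bank's certificate fingerprint once (the pinned value) and want to compare
it against the certificate presented on a new connection.
"""
import hashlib
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex,
    the same layout browsers use when displaying certificate fingerprints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare with the recorded value, ignoring case, colons and spaces so a
    hand-copied fingerprint still compares correctly."""
    def canon(value: str) -> str:
        return value.replace(":", "").replace(" ", "").upper()
    return canon(fingerprint(der_cert)) == canon(pinned)


def inspect_tls(host: str, port: int = 443) -> dict:
    """Connect, verify the chain against the system trust store, and report
    protocol, cipher, key bits and certificate fingerprint.

    This is the network step and is not exercised offline.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert_der = tls.getpeercert(binary_form=True)
            cipher_name, _cipher_proto, key_bits = tls.cipher()
            return {
                "protocol": tls.version(),     # e.g. 'TLSv1.3'
                "cipher": cipher_name,
                "key_bits": key_bits,          # the "grade of encryption"
                "fingerprint": fingerprint(cert_der),
            }


if __name__ == "__main__":
    # PLACEHOLDERS: replace with your bank's host and the fingerprint you recorded.
    HOST = "bank.example"
    PINNED = "REPLACE-WITH-RECORDED-SHA256-FINGERPRINT"
    info = inspect_tls(HOST)
    for key, value in info.items():
        print(f"{key}: {value}")
    ctx = ssl.create_default_context()
    with socket.create_connection((HOST, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=HOST) as tls:
            cert_der = tls.getpeercert(binary_form=True)
    print("matches pinned fingerprint:", fingerprint_matches(cert_der, PINNED))
```

Note that `create_default_context()` already refuses connections whose certificate does not chain to a trusted root; the pinned comparison adds the stricter check the post describes, that this is the very certificate you saw before, not merely some certificate a CA was willing to issue for the name.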

It is important to note that phishing attacks are not limited to the internet. They can be done over the phone or even in person. If your bank calls you and wants you to reveal sensitive information to them, you need to hang up on them and call them back using a number from your statement, the bank's website, or even the phone book. But do not call the number listed on your caller ID!

Keystroke loggers

This is a big one. In fact, keystroke logging may be the single most hazardous attack criminals use to procure your log-in credentials. The first type is the software-based keystroke logger. This is the result of viruses, malware, and trojan horses targeting your computer's operating system to let evil-doers record each and every keystroke made on the keyboard. I won't get into the nitty-gritty of all the different technical ways this is possible. Microsoft Windows is far and away the worst at combating these malicious programs, and new viruses are discovered each and every day. There are over a million malicious programs written for the Microsoft Windows platform. It is a constant battle of finding viruses in the wild, adding them to antivirus signature lists, downloading the lists to individual machines, and endlessly scanning every machine for those viruses. By the time your antivirus program receives the update, there are new viruses in the wild that you are not protected from. Sound a bit like a dog chasing its tail? The problem is worse than you can imagine. But should you lose hope?

The newspapers, magazines, and TV stations claim they have an answer to the problem. Their solution is that you should buy a separate computer dedicated solely to handling sensitive information such as online banking, payroll, etc. On this computer you would not surf the Internet aimlessly and casually as you would on your normal machine. No email, no online chatting, no social networking. It's strictly down to business and nothing more. This machine should be configured to disallow scripts, videos, and/or images from loading from the Internet. Also, it must have a firewall that is specially crafted to block all unused ports and services. It is, in my opinion, a waste of resources, space, and money.

But why not install a second hard drive with a separate operating system on it? If you really wanted to save money you (or your closest geeky friend) could repartition some free space on your current hard drive to make room for another operating system. You can use any of a number of free operating systems that are much more secure than Windows. In fact I wrote a piece earlier on why I use Linux Mint as my operating system of choice when doing any sensitive transactions on the web. But there are many other free alternatives out there that are just as suitable. If you absolutely insist on using MS Windows, do not install any programs that are not needed to carry out the transactions you need to accomplish, only connect to the Internet when you need to, run antivirus programs regularly, and use the latest version of Firefox or Opera (arguably the two most secure web browsers).

There are also hardware-based keystroke loggers. They are most commonly a device plugged inline between the keyboard and the computer. They can also be built into a keyboard. There is an old saying that any computer can be compromised if physical access to the machine is possible. This is just one example of that ringing true. These attacks are not usually broad-based, but are specifically implemented to gain information from a single person or company. In other words, espionage.

Some institutions now authenticate by having you click numbers or letters on-screen, so that the password never passes through the keyboard, to mitigate these types of attacks.

An ounce of prevention...

There are several layers of prevention that can be used to avoid becoming a victim of a phishing or credential-theft attack. The chances of someone gleaning your log-in credentials are greatly reduced with each step, so I recommend you take all of them.

First of all, use bookmarks. They will ease the temptation of clicking on links in your email and also prevent you from accidentally misspelling the web address.

Second, if your bank supports SiteKey or similar mutual authentication procedures, use them. This system is one of the great triumphs against phishers.

Third, if you run Microsoft Windows, run antivirus software once daily or after surfing the Internet if you don't use your computer daily. If you run any other operating system you don't necessarily have to run antivirus software, but make sure you stay abreast of security news regarding that particular operating system.

Also, there is a dead-simple, yet extremely effective trick I learned that prevents you from becoming the low-hanging fruit for malicious keylogging programs. You simply type your password out of order. For example, if your password is 12345678, you would type 5678, then click the mouse to move the cursor back to the beginning and finish typing 1234. A keystroke logger would record 56781234 in its log file, which is the wrong password. The criminal might be able to figure it out eventually, but they wouldn't waste their time if there was lots of other low-hanging fruit out there. Remember also that if you use your mouse to click on bookmarks instead of typing in a web address, there is less chance that a criminal can figure out which site you are trying to log into.

Wiring transactions

Bank-to-bank wire transfer is considered one of the safest international payment methods, assuming you wire to the intended individual. However, if you wire money to the wrong person, it can be nearly impossible to recall the funds. Once a criminal receives a wire transfer, they have a high rate of success making away with the loot.

I'll give an example of the precautions I normally take involving a wire transfer. When I opened my checking account, I instructed the bank to do a double authentication for wire transfers. This is very common among small business owners. What this means is I can't wire any money out of my bank account without the bank actually calling me, asking me questions that prove my identity, and verifying the amount and destination of the wire. It is critical that you get the destination right and also make sure that it is a legitimate enterprise. When I had to wire my life savings to an escrow account to buy my first home, I took many steps to make sure the company I was wiring my money to was legit. For example, I checked the BBB (Better Business Bureau), did a phone book search to verify the physical address of the business, did a Google search to find their website, and called the escrow agent and personally verified the routing and account numbers over the phone. You NEVER can be too careful when wiring money out of your bank account. For some examples of what NOT to do, head over to this article.

Special considerations for small businesses

In the United States, if a consumer account is compromised, the bank usually takes the loss. However, if you own your own business and your business bank account is compromised, the law (specifically the Uniform Commercial Code) can require that the business owner prove they took due care in safeguarding information and access relating to that account. You may find yourself in a corner defending your due care in preventing the losses suffered in your bank account. Therefore, it is imperative that you take at minimum the preventative steps mentioned in this article. If you must write down your password, you have to keep that piece of paper under lock and key.

If you are going to buy a separate computer for all of your sensitive financial transactions, I would have an IT professional set it up for you for that purpose. You will need to disable all unneeded drives and ports, configure the firewall properly, configure the browser properly, uninstall all crapware applications, and keep the computer itself in a locked room or cabinet.

Stay tuned for more...
