[IS&T Security-FYI] SFYI Newsletter, November 29, 2010

Monique Yeaton myeaton at MIT.EDU
Mon Nov 29 13:41:31 EST 2010


In this issue: Cyber Monday Protection Tips


1. The Latest Electronic Scams

2. Password Protection Software: No More Remembering



----------------------------------------

1. The Latest Electronic Scams

----------------------------------------


It's Cyber Monday! Happy shopping!


So maybe you don't fall for those emails from Nigerian royalty asking you to wire money, but digital criminals are getting sneakier each year. "These guys are constantly thinking of new ways to swindle you, some of which are quite sophisticated," says Brian Krebs, a computer security expert and author of "Krebs on Security."


Here's a list of some of the latest, sneakiest scams and some tips to protect yourself during this shopping and holiday season:


 *   Smishing: "Phishing" is when you get an email from a supposedly trustworthy source, asking for your personal information, a user name or a password. Smishing is the latest twist on this scam, and is a combination of "SMS" (short message service, aka text messaging) and "phishing." In these text messages, the receiver is asked to call a toll-free number, which is answered by a bogus interactive voice-response system that tries to fool you into providing your account number and password. If you get a text alert about an account, don't respond until you've verified it's legitimate. You can run a Google search on the phone number to see if it matches your financial institution. Or you can call the customer service number listed on the paper statements you have on file.
 *   Skimmers: These are devices attached to ATMs or gas pumps to steal your debit account number and password. They are placed at the mouth of the slot and record the data off of the magnetic strip on the back of your ATM card. The new version of these skimming devices allows the criminal to send account information via wireless technology to his cell phone or laptop. To protect yourself, use credit cards or cash for purchases and avoid using non-bank ATMs. Check the card slot in the machine. If there's a plastic strip or plastic film sticking out, or anything glued to the card reader, go elsewhere.
 *   Membership Programs: You purchase a product from a reputable website and before you click "confirm" a window pops up offering to enroll you in a merchandise discount program for a 30-day trial period. The program is not run by the site you are on, but by a separate company. If you agree, a membership fee will appear on your monthly credit card bill, even though you never gave that company your credit card number. The catch is, you may not even realize you signed up because of the confusing 'yes' and 'continue' buttons placed at the end of your purchase transaction. Prevent this by being wary of pop-up windows. If you can, disable them in your browser preferences. Scrutinize your credit card statement and question any unfamiliar charges. Check your email inbox because the programs often send a notification email before they start charging your card and you might still have time to cancel.


For more information on scams and how to protect yourself while shopping this holiday season, check out these resources:


 *   FTC.org - Federal Trade Commission has lots of consumer information
 *   Safeshopping.org - sponsored by the American Bar Association
 *   Onguardonline.gov - this site has tips on Internet shopping and is sponsored by government agencies
 *   Antiphishing.org - industry sponsored association called the Anti-Phishing Working Group
 *   web.mit.edu/infoprotect - this MIT site lists a few tips and resources for consumers


This information came in part from the following article:

<http://shopping.yahoo.com/articles/yshoppingarticles/448/the-sneakiest-new-shopping-scams/>



-----------------------------------------

2. Password Protection Software

-----------------------------------------


As you navigate the Internet to find gifts for your loved ones this holiday season, you are logging in to sites such as Amazon.com or eBay either with an existing account or perhaps a new account. For each of these sites you sign into, you now have a user name and password.


Over time, you may have created so many user names and passwords for various sites that now you can't remember them all. Maybe you have chosen to have the sites save your information so that the next time you visit, it's already entered in the fields. Or maybe you have one user name and password that you use for all your shopping sites. But are those solutions really safe?


Not really. If you get hit with a computer virus, those passwords could be collected by a cyber criminal. Or if you use a public computer, a dishonest person would be able to go to those same sites and log in using your credentials. If you have just one user name and password for all your sites, and it's been discovered, that thief now has access to ALL your online accounts.


Enter a better solution: password managers. The top of the line product I have seen is called LastPass. (This is not an IS&T recommendation! But I can personally recommend it, because I use it.) LastPass is a plug-in for your browser and stores all your internet login information inside an encrypted vault, accessible only with a master password. There are various benefits to using LastPass, but the best one is that you no longer have to remember all your passwords or write them down and keep them near your computer, or put them in a document on your computer. Instead those passwords are encrypted within your PC, which only you can access with a master password.


Another great selling point is that there is a very robust free version. Learn more about the LastPass features here:

<http://lastpass.com/features_free.php>


Try it out and let me know what you think!


===========================================================================================


To read all current and archived articles online, visit the Security-FYI Blog at <http://securityfyi.wordpress.com/>



Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://ist.mit.edu/security

