Post by Jaeme, 26 June 09 @ 9:26pm

In order to ensure that our personal and financial data are being safeguarded appropriately, we need to take certain precautions while conducting online transactions. There are certain safety measures that one can choose from depending on the confidentiality of information exchanged and the level of security required by each individual or organization. Below are 7 types of precautions to ensure protection while conducting business online.

1. Antivirus and anti-spyware software.

  • Antivirus is software designed to protect your computer against malicious software. Malicious software includes viruses, Trojan horses, worms and other code which can steal any unsecured information from your computer. In order to make antivirus software an effective defense, users are required to scan their computer regularly and keep the antivirus software up-to-date so that it recognizes the latest versions of malicious software. Therefore, the right antivirus software can protect computers against viruses that cause damage and, more importantly, ensure that personal and financial data are not stolen.
  • Anti-spyware is a program designed to detect and prevent unwanted spyware installation and remove those programs that have already been installed. Adware and spyware are dangerous programs that enable website developers to access users' personal and financial data from their computers. Spyware can be activated while downloading certain files from the internet. This software should be included as an internet security measure and should be able to update automatically.

2. Firewall software.

  • A firewall is a simple program or hardware device that filters the information coming through the Internet into one's private network or system. Firewalls are used to prevent unauthorized internet users from accessing a private network, especially an intranet. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those messages that do not fulfill the specified security criteria.

3. Message encryption.

  • A popular technique for protecting messages in transit is called public-key infrastructure (PKI) cryptography. PKI is a scheme for securing e-payments by using public key encryption and various technical components. PKI confers integrity (the data haven't been manipulated), authenticity (the identity of the sender is known), nonrepudiation (the data can't be disowned) and privacy on the data. Anyone attempting to corrupt or damage the contents will cause the initial binary digits sent by the computer to be messed up, and when the receiver receives the message in normal text it will also be cluttered when the recipient views it. Therefore, the recipient will know that the message has been corrupted.

4. Browser encryption.

  • The actual way of encrypting Web-based information interchange is by using the Secure Sockets Layer (SSL). It can be used to encrypt email messages using a symmetrical one-time electronic key. This key functions while the server and browser connection is open. When the connection ends, the encryption expires with it.

5. Digital signature.

  • An identifying code that can be used to authenticate the identity of the sender of a document. It is equal to a personal signature and cannot be easily repudiated or imitated. There is a simpler PKI process, using the same algorithms referred to above, to 'sign' a message, whereby the private key of an individual is used to 'hash' the message. This can then be verified against the sender's public key. This ensures the data's authenticity and origin without conferring privacy, and is called a 'digital signature'.

6. Password.

  • You should choose a password that is difficult for someone to crack. A strong password should consist of a combination of letters, symbols, and numbers in order to secure your personal and financial data. Furthermore, you should not use things such as your licence plate number, IC number, birthdate or phone number as passwords, and always make sure you change your password occasionally.

References:

http://www.howstuffworks.com/firewall.htm

http://www.jmir.org/2002/2/e12/HTML
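The sign-with-the-private-key, verify-with-the-public-key process described in the post above, as an added example that is not part of the original post. It uses Ed25519 from Go's standard library (the post names no particular algorithm) and shows that a message altered in transit no longer verifies; the payment message is a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer holds one party's key pair. The private key never leaves the signer;
// the public key is what a recipient uses to verify.
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Pub: pub, priv: priv}, nil
}

// Sign produces a detached signature over msg with the private key. The
// message itself stays in the clear: a signature gives authenticity and
// integrity, not privacy.
func (s *Signer) Sign(msg []byte) []byte {
	return ed25519.Sign(s.priv, msg)
}

// Verify checks sig against msg using only the signer's public key.
func Verify(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// Demo signs a constructed payment message and returns whether (a) the
// original verifies and (b) a copy altered in transit still verifies.
func Demo() (originalOK bool, tamperedOK bool, err error) {
	s, err := NewSigner()
	if err != nil {
		return false, false, err
	}
	msg := []byte("pay 100.00 to account 12345") // constructed sample message
	sig := s.Sign(msg)

	tampered := []byte("pay 900.00 to account 12345") // one digit changed in transit
	return Verify(s.Pub, msg, sig), Verify(s.Pub, tampered, sig), nil
}

func main() {
	ok, bad, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", ok, bad)
}
```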

Post by Ching Wen, 26 June 09 @ 9:20pm

In an advanced technological environment, online transactions can be exposed to fraud, information theft and the hacking of online users' computer systems. One of the most common scams in an e-commerce environment is phishing.

Phishing is an online activity where phishers extract private information from other users, such as credit card numbers, other account data and passwords. This is done when customers click on a link provided to them by the phishers, and the link brings the customers to a fake website. This is followed by the extraction of any data that belongs to the customers. There are a number of forms of phishing scams. An example is an e-mail appearing to come from a bank or financial institution, requesting the user to update their personal information.

How to determine a phishing e-mail?

1. Generic Greeting.

  • Phishing e-mails are usually sent in large batches. Phishers will usually use a generic greeting such as “Dear customers”. The phishers do not type out every customer's name and send the e-mails one by one. This is because it takes a lot of time, and they wish to get as much information as they can in a short period. If you receive such an e-mail that does not contain your name, please do not click on the link and always be on the alert for such schemes.

2. Spelling errors.

  • Phishing e-mails will usually contain some spelling errors. Once you see any errors in the e-mail, it is clearly a phishing e-mail.

3. Requests for personal information.

  • The reason phishers send phishing e-mails to users is to track their personal information. If you receive such an e-mail that requires you to provide personal information, it is usually a phishing attempt.

4. Sense of urgency.

  • Phishing e-mails will usually contain something like “If you do not update your personal information by clicking the above link, your account will be suspended or terminated”. They want you to provide information right away. Therefore, you will be afraid that if you do not act fast, something will happen to your account. The faster you provide information to them, the faster they can move on to the next victim.

5. Fictitious Link.

  • Usually phishing e-mails will have a link for you to go to the website. However, the link that appears in that e-mail may not be the link that belongs to the real organization. Roll your mouse over the link and see whether it matches the link that appears in the e-mail; do not click on the link if there are any discrepancies. Websites that are safe to enter personal information on will begin with “https” (the s stands for secure); do not proceed if the link does not contain the “s”.

How to determine a phishing website?

1. Poor resolution.

  • Since phishers create the phishing website in a hurry, the website will be of poor quality and will have a short lifespan. Be aware if the resolution of the logo and text strikes you as poor.

2. Fictitious URL.

  • Although the link contains a name that you recognize, it may not necessarily be the real link to the real organization. Read URLs from right to left – the real domain is at the end of the URL. Websites that are not safe to enter personal information on will NOT begin with “https”. Be aware of URLs that begin with an IP address, such as http://12.34.56.78/firstgenericbank/account-update/ ; it is likely to belong to phishers.

References:

http://www.phishtank.com/what_is_phishing.php

http://www.phishinginfo.org/how.html

Examples of Phishing: (screenshots not reproduced in the text)

Process of phishing:

1. Planning.

  • Phishers will determine which business to target and then determine how to get the e-mail addresses of that business's customers. They usually use the same mass-mailing and address-collection techniques.

2. Setup.

  • The phishers will create a method of delivering the messages and collecting the data once they have determined which business to spoof and who their victims are. The phishers usually do this by sending e-mails which have a link to the fake web page.

3. Attack.

  • Phishers will send false messages that look like they are from a recognized source.

4. Collection.

  • Phishers will then collect the information from the victims when they click on the link and perform the updates requested on the page which they were brought to.

5. Identity theft and fraud.

  • Phishers will then use the information they have gathered from the victims to make illegal purchases or commit fraud.

Ways to Prevent Phishing.

1. Awareness and Education.

  • The main reason criminals can conduct phishing is internet users' lack of education and awareness of the existence of financial crimes targeted at them.
  • Besides that, internet users may not know what the internet policies and procedures are when it comes to the confidentiality of consumers' account information and maintenance issues. The company can distribute general information on phishing in company e-mail or on the company's website.
  • Furthermore, companies can also remind customers about their corporate policy and procedures when contacting customers regarding their account information. Both customers and employees need to have an understanding of how phishing works and how to determine whether an online transaction is secure and authentic.

2. Targeting the Hosting Site.

  • This method may be useful for those who seek to shut down the phishing site. Phishing e-mails use the same mass-mailing infrastructure as spam; once the affected institutions and even law enforcement are made aware of a hosting site, the site can be shut down.
  • Companies that are affected have to implement ways to allow customers to submit the phishing e-mails that they have received. These e-mails, along with web access logs monitored for suspicious activity, can help to indicate the existence of a new phishing site. According to the Anti-Phishing Working Group's trends reports, there was an approximate decrease of 10% in the average time online for a phishing site between October 2004 and April 2005.

3. Web browser toolbar.

  • A web browser toolbar has the ability to identify whether a customer is viewing a possible phishing site. This toolbar functions by referring to a database of known FQDNs and IP addresses that have been reported as hosting phishing sites. It requires the phishing site to have been observed and reported to the database.
  • Certain toolbars offer detection of potential phishing sites by checking for certain heuristics that usually indicate that the site is not a legitimate commercial site. Example: the server IP address belongs to a network associated with a broadband service provider in a country other than the user's.

4. Strong Authentication and Authorization.

  • Two-factor authentication is a mechanism requiring two or more authenticators, usually consisting of something you know (such as a password or PIN) and something you have (such as a credit card or hardware token). For online transactions to be carried out safely, two-factor authentication is being implemented by providing the customer with a hardware token for generating a continually changing component for their authentication credentials. The goal is to protect the users if their authentication credentials have been captured by an attacker via electronic surveillance. The timeliness of the ever-changing component limits the attacker’s ability to use the credentials in the future.
  • Another countermeasure being implemented by certain banks is the use of transaction numbers (TANs) for authorizing individual transactions. Customers will be sent a list of TANs with their monthly statement, and they are required to enter the next unused TAN when authorizing a transaction online. In addition, banks use another way whereby users receive a request for their TAN via an out-of-band mechanism, such as an SMS message on their cell phone.

5. Virus, Spyware, and Spam Prevention.

  • With the marked increase in phishing malware, products that detect, prevent and execute the installation of malicious code are an essential part of a secure environment for home computing and online buying and selling. These products must be enabled and, in the case of anti-virus and anti-spyware products, they must have up-to-date signatures. A large portion of recent malware attempts were made before a detection signature was able to detect and neutralize the malware. Furthermore, these attempts tried to disable anti-virus and anti-spyware software.
  • Spam prevention has also contributed to the fight against phishing. Phishing e-mails use the same distribution mechanism as spam and usually have several of the same characteristics. E-mail filtering based on content blacklisting, Bayesian filtering, blocking mail from known spamming/phishing relays, anti-forgery solutions such as Sender Policy Framework (SPF) and Sender ID, and other heuristics specific to phishing can help prevent a great number of phishing e-mails from reaching potential victims in the first place. However, spammers are continually evolving their tricks for bypassing filters [Schmidt] and phishers can leverage this.

References:

http://computer.howstuffworks.com/phishing.htm

http://www.us-cert.gov/reading_room/phishing_trends0511.pdf

http://www.phishtank.com/what_is_phishing.php

http://www.phishinginfo.org/how.html
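The e-mail and URL checks listed in the post above (generic greeting, sense of urgency, a link whose visible text does not match its target, a target without "https", a host that is a bare IP address, and reading the real domain from the right end of the URL), as an added example in Go that is not part of the original post. The phrase lists and the "last two labels" domain rule are simplifications assumed here; the sample message in the test reuses the post's own example URL.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// Link pairs the text a reader sees with the href the browser would follow.
type Link struct{ Text, Href string }

// RealDomain returns the part of a link a reader should trust: the host read
// right to left, keeping its last two labels (assumed simplification; suffixes
// such as .co.uk are not handled). A bare IP host is returned unchanged.
func RealDomain(s string) string {
	if !strings.Contains(s, "://") {
		s = "http://" + s // bare domain text such as "www.bank.example"
	}
	u, err := url.Parse(s)
	if err != nil {
		return ""
	}
	h := strings.ToLower(u.Hostname())
	labels := strings.Split(h, ".")
	if net.ParseIP(h) != nil || len(labels) < 2 {
		return h
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// Indicators returns the phishing signs from the post's list that appear in a
// message body and its links. The phrase lists are constructed for this example.
func Indicators(body string, links []Link) []string {
	var found []string
	b := strings.ToLower(body)
	has := func(phrases ...string) bool {
		for _, p := range phrases {
			if strings.Contains(b, p) {
				return true
			}
		}
		return false
	}
	if has("dear customer", "dear user", "dear member") {
		found = append(found, "generic greeting")
	}
	if has("suspended", "terminated", "within 48 hours") {
		found = append(found, "sense of urgency")
	}
	for _, l := range links {
		target := RealDomain(l.Href)
		if !strings.HasPrefix(strings.ToLower(l.Href), "https://") {
			found = append(found, "not https: "+l.Href)
		}
		if net.ParseIP(target) != nil {
			found = append(found, "IP-address URL: "+l.Href)
		}
		// Visible text that looks like a domain but points somewhere else.
		if strings.Contains(l.Text, ".") && !strings.Contains(l.Text, " ") && RealDomain(l.Text) != target {
			found = append(found, "link text/target mismatch: "+l.Text)
		}
	}
	return found
}
```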


Post by Jaeme, 26 June 09 @ 9:10pm

The internet enables users to access more information. No matter where you are, you can easily access the internet to get any type of information you want. This creates a significant amount of risk, as there are many kinds of technical and non-technical threats and attacks one can experience when using the internet. In other words, certain data that we transfer may be exposed to a significant amount of threats and attacks on the internet. These threats and attacks include:

1. Worm.

  • An independent program that has the ability to self-replicate, and which consumes resources irrespective of whether the computer program is being run or is turned off.

2. Trojan Horse.

  • A program that appears to be useful information but contains hidden functions that present a security risk and cause damage to your computer.

3. Macro virus.

  • Macro viruses infect files that are created using certain applications or programs that contain macro viruses or worms. These mini-programs run a series of operations so that they are performed as a single action, thereby saving the user from having to carry them out one by one.

4. Denial of service (DOS) attacks.

  • DOS attacks are growing very sophisticated. They attack websites: the attacker uses specialized software to send data packets to the targeted computer or business with the aim of overloading its resources. Traditional DOS attacks usually come from one computer against another. They cause the network to shut down, thus making the websites inaccessible to users.

5. Distributed denial of service (DDOS) attack.

  • DDOS happens when the attacker usually sends a list of IP addresses to the targeted computer. When all components are ready, the attacker will then instruct the computers to send data packets against the given IP address using false source addresses. The target servers can only survive DDOS attacks if they disconnect from the internet. This usually takes around 4 to 6 hours of recovery time for large corporations.

6. Identity theft and online fraud.

  • Personal identity theft on the internet happens when attackers gain and use information retrieved from the victim to make illegal purchases or commit fraud. The most common forms of online fraud are the sale via the Internet of counterfeit documents, such as fake IDs and diplomas, and recommendation letters sold as credentials.

7. Data theft.

  • Data theft occurs when information is stolen and personal data is exploited.

8. Social engineering.

  • An attack using social pressure to trick computer users into compromising computer networks to which those individuals have access. For instance, a phishing e-mail would contain a phrase such as: “Please update your personal data by clicking the above link within 48 hours, otherwise your account will be terminated”.

References:

http://www.bsagovernment.com/downloads/MajorOnlineThreats.pdf

Post by Jackie, 25 June 09 @ 5:51pm

With the increase in threats and attacks while using the internet, customers want to ensure that the organization or individual they are dealing with is safe and protected. They need the assurance that their personal information being exchanged online is well secured and safe from intruders. One of the companies offering the best online security in Malaysia is Trustgate. Trustgate offers a variety of security services. For example, they offer Managed Public Key Infrastructure (MPKI), MyTRUST services, SSL Certificates, Personal ID, MyKad PKI, and SSL Virtual Private Network (SSL VPN).

1. Managed Public Key Infrastructure (MPKI)

  • It is a fully integrated service offered by Trustgate which is intended to protect intranet, extranet and Internet applications. It does so by combining presentation, flexibility, and magnitude with impressive availability and security. Besides that, when MPKI is used, companies are able to create a strong PKI and Certification Authority (CA) system with full control over security policies, PKI hierarchies, authentication models, and certificate lifecycle management, efficiently and effectively and with reduced time and cost. This service also enables quicker operation and lower operating costs while providing an arena that is able to integrate with software solutions that can be easily purchased from outlets or vendors.

2. MyTrust.

  • Using MyTrust, users are able to transform their SIM cards into a Mobile Digital Identity for secure and trusted financial services performed online. The MyTrust application can be conveniently used with a digital signature, where users digitally place their signature when conducting transactions simply via their hand phones.

3. SSL Certificates.

  • Another type of third party certification is the SSL Certificate, which is used for Internet, intranet and server security and is offered by VeriSign. VeriSign is the world's leading SSL provider.

i) Global Server ID (GSID)

  • It is by far the strongest encryption programme available in the market for protected communication via Server Gated Cryptography (SGC) technology. This technology validates your web site to secure communications and transactions carried out on the site. Furthermore, GSID comes with a VeriSign Secured Seal that can be shown on your website. This seal is a verification that your web site is authentic, giving your customers assurance that any business carried out on that website is safe from intruders.

ii) Secure Server ID

  • Using Secure Server ID, users can transfer sensitive and confidential information on intranets, web sites, and extranets. This programme also comes with a Verisign Secured Seal.

iii) Managed PKI for SSL (Multiple Server Certificates)

  • It is designed for companies which have 5 or more SSL Certificates in the organization. It can be used specifically for numerous servers.

4. Personal ID

  • This application can be used for transactions, documents, and e-mails. The types of Personal IDs are:

i) Secure Transaction with Digital ID.

  • Users can secure private and confidential information by using Digital ID to sign and encrypt transaction details. Digital ID uses a private key and public key application for authentication, authorization, and integrity.

ii) CryptoSuite.

  • CryptoSuite is used to protect your files and documents with a single mouse click. It applies the Digital Certificate to encrypt files and documents so that only the intended recipient with the public key can have access by decrypting it.

iii) Secured E-mail.

  • It also uses Digital ID to sign. Furthermore, it also encrypts your e-mails so that no one can have unauthorized access to it. The Digital ID is an electronic replacement for a handwritten signature and it provides assurance to your intended recipient that the e-mails are from the actual sender. The encrypted e-mail secures them from being read by intruders.

5. MyKad PKI.

  • It enables the MyKad holders to carry out online transactions with the government and private organizations. In order to do so, users will need MyKey which works with their MyKad to authenticate themselves and to digitally sign transactions.
6. SSL Virtual Private Network for Remote Access Services (SSL VPN).

  • Trustgate’s SSL VPN solution is based on the Secure Socket Layer (SSL) and can be organized to access several intranet sites with only a single sign-on. All a user needs is a basic browser and an Internet connection. This is practical if suppliers, partners, and customers need to access the organization's network from remote areas. Furthermore, this solution has a policy to authenticate users and the type of devices they use. This policy may be extended to two-form authentication, for example tokens, downloaded Java applets, challenge-response or static passwords stored in your device, or a one-time password which will be sent by SMS to your mobile. This provides extra security features for an organization.

References:

http://www.msctrustgate.com/