[August 16, 2011] Gone PHISHING [Winnipeg Free Press (Canada)] Tweet (Winnipeg Free Press (Canada) Via Acquire Media NewsEdge) It's up to you to foil cybercrooks who want to get your personal data The online universe offers consumers many conveniences and advantages over the old paper world. We can bank, trade investments, shop, download, watch movies and much more from just about anywhere, thanks to wireless technology. But there is a downside to this technological convenience. Because we are sharing more and more of our personal information with the businesses and organizations that provide online services, this important personal data is increasingly at risk of being stolen by cybercriminals. The most notable breach in recent months has been the hack into Sony's network. Three times, hackers managed to access its network, taking the personal data of more than 100 million users. But Sony is not alone as a target. Many other organizations, governments and corporations have had their databases hacked and information stolen. The intentions of the hackers remain largely up for debate: Did they hack into these systems to point out flaws in the system, or are they using the stolen data for illicit gain? Regardless of their intentions, anyone with an online presence should be concerned, says a U.S.-based Internet security expert. "Once the data is exposed, it doesn't really matter what the intentions were," says Robert Siciliano, CEO of www.idtheftsecurity.com, a consultant and identity-theft expert. "Are you going to trust that he's keeping your information safe and secure?" Because of the sheer size of the data stolen in many high-profile hacks like Sony, safety in numbers offers some assurance for consumers who may have had their data stolen. "It's probably a long shot because we're talking about millions of people, so the chances of you being hacked is exactly that -- one in however many users who have had their info compromised," says Alan Castell, an IT expert with Winnipeg-based Alpha Technologies. Still, consumers who believe they may have had their personal data stolen in a hacker attack against a company should take precautions so they don't end up being the unlucky sap with a credit card bill, courtesy of a criminal half a world away. A little caution never hurts, Castell says. "If you hear about that happening, the first thing you should be doing is contacting your credit card provider," he says. And do it in writing. Send an email so you have a record you alerted your bank about a possible breach in security in another organization's database that may have led to your credit card or banking information being stolen. "With phone calls, it's hard to have a record," he says. "It's just so the bank can't go, 'Oh, we don't recall that phone call,' and you can go, 'Here's the email that I sent you on this date prior to my account being lifted for a thousand bucks.' " In many instances, financial institutions will reimburse their customers who lose money as a result of credit card fraud and other unwanted charges as a result of cybercrime. But it's really up to consumers to keep on top of their transaction records on a monthly basis to make sure they haven't fallen victim. "Quickly identify if anything is out of the norm," says Liz Redstone, a spokeswoman for RBC. "As soon as you see something that is potentially out of the norm, we have ways that you can go online to see that transaction." In many cases, clients have forgotten about a charge they made to their credit card and no theft has occurred. "If you have lost money to a genuine fraud situation, then we will reimburse you for sure," Redstone says, "but there will be some degree of investigation and discussion with you to verify which transactions are legitimate." In other instances, your bank may be less inclined to help, such as if you offer your username and password freely to a fraudster. This is called social hacking, and it's the most common method for online theft of funds, Castell says. "More of the hacking is of this nature -- social hacking -- than brute-force hacking." Brute-force attacks involve a hacker using special software to systematically crack your password to an account. The better your password, the harder it is to hack into an account this way. Incidentally, when hackers break into databases and take your basic personal information, they often use this data as a launch pad to crack passwords, because people often use birthdays, addresses and the names of their spouses or children as passwords. Most of the online theft for individual users is through email phishing or other unsolicited contact in which the caller on the phone or sender of the email poses as someone from your financial institution and entices you into giving them your password and username. "They've got very good at sending emails that look like any bank or company, but what people need to know is all financial institutions are not going to ask for personal identifying information over the Internet, stating, 'Please send us your info because we're updating our records,' " Redstone says. For consumers, it's difficult to ensure the company you give personal information to is safeguarding it properly. Yet most corporations are always tightening their security as hacker organizations such as Anonymous and the now-disbanded Lulz Security break into their networks and point out their security flaws. As consumers, we too can do a better job of protecting our data, and that really involves basic common sense, such as using anti-virus and anti-spyware software and ensuring they are updated for the latest viruses and malware. It's also important to install the latest updates for operating software such as Windows and other programs such as Adobe Reader. "These are all the fundamentals of protecting your own network," Siciliano says. Of course, effective passwords are at the top of that list. "Make sure you never have the same password for multiple accounts," he says. "If you have 10 accounts, you should have 10 different passwords." And passwords shouldn't be created because they're easy to remember. "If you've got a stupidly simple password, it's kind of like having security doors inside your house, but the outside door is made of paper," Castell says. "You can have the most secure credit card on the planet, but if you link it to an insecure password, it's open season on you." [email protected] How to keep your online info safe -- Too many passwords? Remembering 10 different passwords is often too much for one brain to handle, so many tech-savvy consumers are turning to encryption-key software to help ease the burden. Using software like BitLocker Drive Encryption, you can create a master password you store on a USB key. Plug the USB drive into your computer and you are then prompted with a password. After entering the correct password, you can open the USB drive to find a text document with all your usernames and passwords. "Now you're remembering one password and that gives you access to all of the other ones that you may have problems remembering," says Alan Castell, IT consultant with Alpha Technologies. Just be sure to have a backup USB key stored somewhere safe in case you lose the other key. -- Safety through variation: Cracking a password often boils down to statistical mathematics. It's all about the variables. The higher degree of variability in your password's makeup, the harder it is to crack. Castell says passwords are most effective when you use a combination of numbers, upper- and lower-case letters of the alphabet and symbols. Some of the latest security software allows for phrases to be used as passwords that are difficult to crack but often easier to remember. Castell also says you should change passwords every six months, just as you would at your workplace. -- Protect your router: It's been well-documented people need to encrypt network access, meaning you need a password to access the Internet through their home wireless router. But all too often, people set up the router without setting up a password for access to the settings of the router. A hacker could potentially pull up in a car beside your home and with a little know-how, access the router settings, disable the network password and access the Internet. "If you set up the best password in the world for me to get onto your router to get on the Internet, but you leave no password for the router to set it up, I can change that great password for Internet access, and then I can use your router to get on the Internet for whatever purpose." -- Hire protection: Besides maintaining up-to-date anti-virus and anti-malware software, ID theft prevention expert Robert Siciliano says paying for credit monitoring services is a good preventive step to be sure no one has stolen your identity and is opening up credit accounts in your name. Credit-monitoring services are usually sold by firms that provide credit reports, such as TransUnion and Equifax. -- Get a web email account: When signing up for anything online, you're normally required to provide an email. It's always best to use a web-based account such as Hotmail or Gmail rather than your email address provided by your Internet service provider such as MTS or Shaw. "Keep your Shaw one or whatever just for family, because that one points back to you," Castell says. "You can get a home address, if you know what you're doing, off a Shaw email address." -- Passwords for the whole family: Each family member using the computer should have a password to access the computer. "If you have five family members, have five user IDs," Castell says. "If little Billy gives his friend his password, who knows what friends they're going to be a couple of years from now?" (c) 2011 F.P. Canadian Newspapers Limited Partnership [ Back To TMCnet.com's Homepage ]