Safe / Secure / Systems : Internet and Data Security for Regular People: Do you have a spare $447,000 laying around?

Wednesday, January 20, 2010

Do you have a spare $447,000 laying around?

Today's topic is not new news - the incident happened last July - but I've thought about it many times since hearing about it. This makes me ever more paranoid about doing any financial transactions online... I still do them just because it's so dang convenient, but I wonder how long the model that's in place (authenticated "secure" browser sessions) can continue to work.

Full details can be found in a Technology Review article, but the gist of this is that a construction company in Mountain View, California was liberated of $447K from its commercial bank account, while one of its employees was signed in to it.

You might think "oh someone got his password" - but the company had implemented what everyone thought was the Safe And Secure thing to do: the account was set up to not only require a normal password, but also a second, "one time" password that is generated by a small electronic device or card that the person logging in has to have in his or her physical possession (I have one that I use with my PayPal account).

Unfortunately, his system had been infected with a malware program that basically waited for him to sign into the commercial account, and then while he was signed in, perform transactions in the background to withdraw and transfer the loot to several Bad Guy Accounts.

So - what to do? I'm going to sound like one of those magical round plastic disc things that everyone used to have, that had music on them (I think they were called "phonograph records") - I've said most of this before... But I feel reasonably secure in doing these things on my systems:

keeping antivirus software updated (I'm now using Microsoft's new and free Security Essentials on almost all of my PCs)
making sure the web browser is up-to-date
disabling scripting (JavaScript and ActiveX) in the browser. I use NoScript in Firefox, which lets me selectively enable or disable scripts on a per-site basis
keeping browser plugins and standalone programs such as Adobe Acrobat and Flash updated
using a one-time password device on all financial accounts that support it, in order to have the magic that's called Dual Factor Authentication. Paypal and eBay, as well as many other banks/institutions support these, and sometimes a device that is obtained from one place can be used elsewhere - for instance, the Verisign device that I got from PayPal is supported by my credit union

I'll close by saying that I think some of my friends roll their eyes when I start yammering about these things - all I'll say is, "don't come cryin' to me when something very bad happens because you weren't taking precautions."

Hmmm, I think my Dad told me that, a long time ago.

1 comment:

Amigo van HelicalJanuary 20, 2010 at 5:16 PM
Yes, Lyn & I shut off all of our electronic banking and bill-paying capabilities. Each month as I write checks (which I drive down to the post office and put in the mail slot myself) I feel hopelessly behind the times. But the alternatives... well, I think that the Bad Guys will just keep getting better and better at ripping us off.
ReplyDelete
Replies

Add comment

Disclaimer

The information contained in this Site is provided in good faith by the author for general guidance on matters of interest only. Given the inherent hazards of electronic communication, there may be omissions or inaccuracies in information contained in this Site. As a result, the information on this Site is provided with the understanding that the author is not herein engaged in rendering any professional advice and services. As such, it should not be used as a substitute for consultation with professional and competent advisors. Before making any decision or taking any action based on the information contained in this Site, you should consult a professional who is competent in providing professional advice in information technologies.
While the author has made considerable effort to ensure that the information contained in this Site is accurate, the author is not responsible for any errors or omissions, or for the results obtained from the use of this information. All information contained in this Site is provided "as is", with no guarantee of completeness, accuracy, timeliness or the results obtained from the use of the information, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, merchantability and fitness for a particular purpose or product safety of any kind. In no event will the author, his or her related partnerships or corporations, or the partners, family members, agents, employees or employers thereof be liable to you or anyone else for any decision made or action taken in reliance on the information contained in this Site, or for any indirect, consequential, special or similar damages including, without limitation, permanent loss or corruption of data, physical or emotional sufferings, moral standard corruptions, damages for loss of goodwill or self-esteem, loss of customers or market share, breach of security, permanent or temporary loss of employment, permanent or temporary loss of connectivity to the Internet, work stoppage, loss of income, computer related fires or other mishaps, computer failure or other malfunctions.
Certain links in this Site connect to other Web Sites maintained by third parties over whom the author has no control. These links are for general guidance on matters of interest only. The author makes no representations as to the accuracy or any other aspect of information contained in other Web Sites. The provision of these links should not be interpreted as constituting any kind of endorsement, whether implicit or explicit, of the views and/or contents of such other Web Sites.

Safe / Secure / Systems :
Internet and Data Security
for Regular People

Wednesday, January 20, 2010

Do you have a spare $447,000 laying around?

1 comment:

Followers

Blog Archive

About Me

Disclaimer