Thursday, January 17, 2013

Online Banking and Purchases

Introduction

This is a topic I get asked about often: "Is it safe to bank online?" Closely related is the question, "Is it safe to buy things online?" As with everything done on the Internet, there is risk involved. By using the Internet you open new possibilities for theft and exploitation. Personal safety is really an individual assessment based on your threshold for risk and the potential impact. The more you have to lose, the greater the risk, and we all have more to lose than we think. But risk can be mitigated to a point that may make you comfortable with moving forward. Risk also requires a threat before it can be realized.

The threat is absolutely there. The threat is bigger, more sophisticated, and more active than you realize. The threat is the same for everyone and yes, you are being targeted whether for direct theft or to be used as an intermediary.

But is it safe? It can be "safe enough" but again that's really a personal assessment which must be made after understanding the threat, the risk, and mitigation options.

Personally, I do bank online and I do make online purchases; however, I am very careful and take active measures to protect myself and my accounts as much as possible. That includes being selective about whom I will make online financial transactions with. There are many I will not transact with. Let's take a look at a few.


Personally Identifiable Information (PII)

The information that forms your identity or can be used to validate your identity is termed PII by industry. This can include social security number, date of birth, place of birth, address, mother's maiden name, etc.: basically anything you use to validate who you are with your bank over the phone, information that is unique to you. This data is used to prove who you are when opening or creating accounts (banks, credit cards, loans) and to associate you with medical records or any other information the industry considers private. Safeguard this information. If it lets you make financial transactions such as opening lines of credit or accessing your bank accounts, then anyone else who has it can do the same in your name. Never transmit or post PII over the Internet unless the channel is secure, and never post PII to a social media website, including the information you use for your security questions.

Examples of the Threat

There was a recent criminal ring in Long Beach, CA that was cracked and its ring leader (a 15-year-old) put behind bars. The fraud ring used common information about customers to access their online accounts. They figured out that to reset a user's password for online accounts at Amazon, PayPal, Netflix, and others, all you need is the person's name, billing address, and the last four digits of the social security or credit card number on file. Once they had a new password for the account, they could log in legitimately and do whatever they wanted: copy down full credit card numbers, order services, etc. When they didn't have the last four credit card digits, the ring leader figured out a new trick. He would collect information about a person (name, address, maiden name, security question, personal details like a dog's name, etc.), then call the customer support line of a telecommunications provider (say Cox, Time Warner, etc.) claiming to be a technician dispatched to the customer's home, and rattle off the information to make it sound as if he were there. The support person on the phone would believe it and offer more account information or reset the user's password for him. He'd hang up, log in with the temporary credentials, and siphon information such as credit card numbers, which he'd use to access still more accounts.

http://www.wired.com/gadgetlab/2012/09/cosmo-the-god-who-fell-to-earth/all/

The Zeus banking trojan is one of the most prolific pieces of malware out there today. Recent updates have shown thousands of websites have been used to serve Zeus and infect visitors. Hundreds of financial institutions have been affected, and European bank regulators have adopted the assumption that every PC connected to the Internet has been infected with Zeus. Zeus is nasty because it infects your computer silently through your web browser, then monitors your online activity to steal financial information and your passwords used to access online accounts.

http://krebsonsecurity.com/tag/zeus/

Data In Transit

Everything we interact with on the Internet is logged: the data we send, the links and images we click on, the URLs we enter, the searches we make, every tweet, like, comment, message, etc. Running a trace between me and Google (which hosts this blog) reveals at least 15 network routing devices (more likely dozens of silent devices) handling this session. They are logging, scanning, and inspecting this data while it's in transit. There are unknown copies of this data and session being stored for unknown reasons. Google uses SSL to encrypt my session, which means only they can decrypt this data when they receive it. However, if they didn't use encryption, then everything I type would be visible to every one of those intermediaries. Data in transit is usually unencrypted, which means it is visible to everyone between you and the destination. There are ever-increasing government regulations attempting to mandate and enforce encryption of sensitive personal information while in transit, but compliance is sketchy.

Data At Rest

Once the data has arrived at its destination, it is stored for an unknown period of time: it could be days, weeks, months, years, decades, or forever. You and I have no idea. We are forced to trust that those holding our data are securing it appropriately. Securing it covers physical as well as virtual access. Think of all the employees who have access to that data, and the fact that it was transmitted online means it can be accessed online by good guys and bad guys alike. Again, government regulations are increasingly requiring vendors to secure data while it is at rest, that is, in storage on their servers. Securing this data can include physical and virtual access controls, encryption, separation of data, summarization of data, etc.

Opening Doors

If you don't have an online account, then the possibilities for abuse via the Internet are just about nil. Once you create that account, you've created a doorway and it's largely up to you to maintain the locks and make sure you traverse that doorway carefully. You've opened a door for exposure of your data while in transit and you've created a place where your data can be stored while at rest.

Your browser is another door between your computer, tablet, or smartphone and the Internet. That doorway works two ways: data and applications are transferred in both directions. For more information about browsers, see my 2012 post titled "Web Browsers." Never enter PII into online forms that are not encrypted. In your web browser, look at the address bar and make sure the URL starts with https. That "s" is critical, as it indicates Secure Sockets Layer (SSL) is being used to encrypt the data transmitted between your computer and the website.

Email is another door between you and the Internet. Never, under any circumstance, email PII unless it is secured, even if you are in the process of refinancing your home, as was recently the case for me. Don't fill out those forms, scan them, and then email them to the lender. Email is not secure. There are numerous companies and intermediaries between you and the recipient that copy, log, and store that message. Besides, you have no idea whether the computer on the other end is secure. If you email this information, you are allowing the other person to store it on their computer. Entering the data into an online form or sending it physically is always a more secure option. Typically faxes are used by the other party to file away or to record the information in a database of some sort, and are then destroyed. Those databases are typically more secure than an individual's computer. Email is much more easily kept on the recipient's computer, rather than secured in a database or shredded after use. If you have WinZip or a similar program that can create a password-protected, self-decrypting archive of the file, that's a viable option for transmitting the data, but again, you can't control what happens on the other end. Choose a password that is unique and not easy to guess from the context of your email, and ask the person on the other side to delete the email once they have the information they need.

To help secure your data at rest, it's best not to allow the merchant to save your credit card number or billing address. These features make return visits and future purchases easier, but they also allow the merchant to store your information in their databases (at rest). It's another doorway.

Banking

The convenience of being able to transfer funds, view transactions, and pay bills from the comfort of your home makes online banking a serious draw. However, before you start or even if you already have, there are some steps you should take to limit your risk.

1. Use your own computer only

Never use a computer other than a device you own, and if you are using an Android-based mobile device, it's probably a good idea to avoid online banking with it. You can't trust other computers and you can't trust the Android app store (that's a discussion for another post).

2. Don't bank from public WIFI

Avoid doing online banking from any public WIFI network or hotspot. Don't do it at Starbucks, at the airport, or anywhere the WIFI network is used by people you don't know. It's trivial for me to set up a listener on a WIFI network from my laptop and copy down everything transmitted, or even route all the WIFI connections through my laptop in a public area. If you are on the road and in a hotel, use a wired connection. These are much more difficult to spy on.

3. Use AntiVirus

Make sure you are running current AntiVirus software on your computer. This includes Windows and Apple OS X users. For more information on AV, see my 2012 posts on that subject. Banking malware abounds and is likely the single most common malware out there. It exists to monitor your online activities, record the data you enter (before it's transmitted) in order to capture passwords, credit card numbers, social security numbers, etc., and then transmit this information to a waiting criminal. Keeping active AV will help keep this malware off your computer.

4. Check the URL for Encryption

Make sure the bank website uses SSL. Check your web browser address bar and make sure the URL starts with "https." This will secure your data while in transit.

5. Use Multi-Factor Authentication

Make sure the bank uses some sort of multi-factor or two-way authentication. Many online financial institutions today use a security key or picture that you choose when creating your account, and include multiple stages of authentication. This image is stored by the financial institution to validate that they are who they say they are (an anti-phishing/spoofing method). Once you enter your user name, you're presented with this unique word or graphic and then prompted for a password. This helps you validate that the site is what it claims to be, so you can send data in confidence. This also helps to prevent automated password-guessing tools, which constantly scan the Internet attempting to guess your password to gain access to your account. Password cracking is trivial these days.

6. Username not Account Number

Avoid using your account number as your account username. Credit card companies often allow you to use either option, a name or an account number, to log in. Use your username to limit exposure of your data.

7. Use a unique password

Use a unique password for your bank account. Never use this password for any other online accounts. If you have multiple banks, use unique passwords for each. I know it's a pain, but you'll be grateful if one of these accounts is compromised.

8. Don't save passwords

Don't let your browser cache or save your password or account name. Browsers offer this feature to ease the process of logging into websites, but the information is stored in your browser and is trivial for malware or a rogue application to access. Don't do it.

9. Log off

Log off when you are done. Most banks today use a time-out feature to log you out automatically when you are idle, but it's a good idea to do it proactively.

Purchases

Buying stuff online is great. You might find the best deals online, plus the selection and convenience simply make online buying a must for most of us. Before you create that account, though, there are a few things to do to mitigate the risks.

1. Secure data in transit

Make sure the merchant website uses SSL. Check your web browser address bar and make sure the URL starts with "https." That means the data you enter into your web browser will be encrypted when it is transmitted to the website. This prevents unintended leaking of data in transit.

2. Secure data at rest

Avoid allowing the vendor to save your credit card number. Again, while this may help to ease the process of performing future transactions, allowing the vendor to save your credit card number means your number is being stored somewhere.

3. Use a trusted system and network

As with online banking, avoid using public computers (Internet cafés) or even a friend's computer to perform online purchases, as well as public networks such as WIFI hot spots.

4. Secure your account

Use unique passwords for online vendor accounts. If you use a common password for multiple websites, at a minimum separate your financial accounts from your bank account and email accounts.

5. Use trusted vendors

Try to restrict your online purchases to major retailers and avoid sending your credit card information to online versions of mom-and-pop shops. I know this sounds like I'm promoting big business, but these big businesses have more resources to secure your data and typically fall under greater government regulations.

In Conclusion

As I mentioned in the introduction, performing financial transactions through the Internet presents significant risks. These risks can be mitigated to a degree that may make you feel comfortable. The fact is you will probably encounter and become a victim of fraud at some point, no matter how careful you are. I have had credit cards stolen twice. It simply is a symptom of the world we live in. The only way to mitigate this risk 100% would be to avoid the Internet altogether. Since that's not likely to happen, take care and you'll be relatively safe.
