But I am Protected?

A problem probably on both sides of the pond. From the BBC of 25 Mar 2007:

Many net users 'not safety-aware'
Fewer than half of the UK's 29m adult internet users believe they are responsible for protecting personal information online, a survey suggests. One in six of the 2,441 people surveyed felt responsibility rested with banks.

The research, for a government-backed online safety campaign, found 12% had suffered online fraud in the last year - at an average loss of £875.

The same number (5%) had experienced fraud while shopping online as had had their bag, wallet or mobile stolen.

What happens if someone gets access to your brokerage account and pilfers it? You are 100% responsible for the losses. Brokerage need not reimburse you for any of $hundreds of thousand in losses. That is the law.

Where are best places to phish for such account passwords? Libraries, hotel computers, etc. Simply put spywear (keystroke recorders) on those computers and wait for a nibble. Keystrokes are recorded, sent overseas, and you brokerage accounts are suddenly empty. Libraries, hotels, and other public computer locations routinely make little effort to clean their machines.

Worse are the so many who automatically assume they are protected.

But tw, what idiot would use a public PC to do their broking or Internet Banking, or Net purchasing? What you say is correct, but that is assuming someone would use a Net café, or one of those pcs set up in shopping malls. Surely no Cellar dweller would be that stupid. :right:

He' preaching to his lurking minions, Dave.;)

bluesdave;326489 wrote:

But tw, what idiot would use a public PC to do their broking or Internet Banking, or Net purchasing? What you say is correct, but that is assuming someone would use a Net café, or one of those pcs set up in shopping malls. Surely no Cellar dweller would be that stupid. :right:

True, but what would happen if you didn't have enough money to buy your own computer?

Most financial institutions are implementing stronger security that will ask annoying key questions if they sense you are at a public terminal or not at your usual IP address range.

Undertoad;326589 wrote:

Most financial institutions are implementing stronger security that will ask annoying key questions if they sense you are at a public terminal or not at your usual IP address range.

This is new. Annoying too.

piercehawkeye45;326584 wrote:

True, but what would happen if you didn't have enough money to buy your own computer?

lol...then perhaps internet broking is not their forte! :)

bluesdave;326489 wrote:

But tw, what idiot would use a public PC to do their broking or Internet Banking, or Net purchasing? What you say is correct, but that is assuming someone would use a Net café, or one of those pcs set up in shopping malls. Surely no Cellar dweller would be that stupid. :right:

"Never underestimate the power of human stupidity." - Robert Heinlein.

You do so at your peril.

Symantec reports

Threats to Confidential Information on the Rise

For the first time, Symantec tracked the trade of stolen confidential information and captured data frequently sold on underground economy servers. These servers are often used by hackers and criminal organizations to sell stolen information, including social security numbers, credit cards, personal identification numbers (PINs), and e-mail address lists. During the last six months of 2006, 51 percent of all known underground economy servers in the world were located in the United States. U.S.-based credit cards with a card verification number were available for between US $1 - $6 while an identity, including a U.S. bank account, credit card, date of birth and government issued identification number, was available for between US $14 - $18.

This blew my mind. I can get your (or somebody's, maybe not "yours") credit card information for a couple of bucks. An "identity" is less than $20.
...

Increase in Data Breaches Help Facilitate Identity Theft

Confidential information used in identity theft is often confiscated as a result of a data breach. During the reporting period, Symantec assessed data breaches that resulted from hacker activity, the theft or loss of computer hardware, and security policy failure. Data breaches and the potential use of confidential information for identity theft can result in a loss of public confidence, legal liability, or costly litigation. The majority of global data breaches affected the government sector, accounting for 25 percent of the total. Government organizations may be considered a prime target as they often store data in many separate locations making it accessible to various people, and thereby increasing the opportunities for attackers to gain unauthorized access.

It doesn't even have to be your "fault". If your data is out there, it's at risk.

Undertoad;326589 wrote:

Most financial institutions are implementing stronger security that will ask annoying key questions if they sense you are at a public terminal or not at your usual IP address range.

AND virtual keyboards to confound keyloggers. i can take a little annoyance, i think

And there are many who just haven't a clue. My MIL has starting using internet banking. It's scary. She wouldn't recognize a phishing email if it stank like a kipper. She would trust anyone who offered to help her. We're sending her to internet security bootcamp when she comes over in a few weeks. it's going to be like teaching the children about stranger danger. I sent my dad some sensitive information by email (coded and split into two), he reassured me that he had got the information and "destroyed the emails" :rolleyes:

12% is a pretty small figure when you think about it. It's like when mass production cars became available and people learned to drive from the manual.

what's her email addy again? i seem to have misplaced it

Speaking of data breaches ... anyone recall the TJ Maxx incident of '06 (someone hacked TJ Maxx's computers just past Christmas and mined all the credit card information)?

I don't know what the other carriers are doing, but Citibank just replaced the cards of every single one of their cardholders that ever made a purchase from TJ Maxx.

lumberjim;326602 wrote:

AND virtual keyboards to confound keyloggers. i can take a little annoyance, i think

Sure. Riiiight.

Here's my take on your observations.

I find the phrase "Virtual keyboard" positively gravid with the potential for the worst kind of abuse, that being a false sense of security. I *think* I can imagine something like you're talking about, that does confound keyloggers, but I can easily think of several ways to call it the same thing that does nothing of the sort.

The sad reality is that convenient and secure practically never live in the same box. They are in inverse proportion to each other. And in those rare scenarios where both values are high, they got that way by adding a lot of money. Convenient, secure, inexpensive. Pick any two, but only two.

What most users find is that something that is annoying will not be used. And the bad guys know this too. Your threshold for annoyance is different than other people's threshold, but it is a difference of degree only. And you have your limit too, as I do, as we all do. Heck, even the lady at the bank told me that she deals with this new level of complexity by answering all the questions, regardless of the question, with the same answer. That's her solution to this security annoyance.

If it sucks to use it, it will not be used. I guaran-damn-tee it.

dude, don't get all bent...it's just for the final password.....after they ask you a question, display your keymark picture with your keymark phrase, which comes after you enter your account number. now take a deep breath

bluesdave;326489 wrote:

But tw, what idiot would use a public PC to do their broking or Internet Banking, or Net purchasing?

Same people who also use the same password for everything.

I created a form so that each can enter (either via Word or using a pen) unique passwords for each web site (along with lock combinations, vehicle key number, etc). Not one uses it.

Meanwhile, public computers are used frequently for anything. Even if not accessing financial records, that common password is obtained.

tw;326695 wrote:

Same people who also use the same password for everything.

I know that some people do, but I have two Net banking accounts (two banks), and each one has a unique id (one bank actually has two), that have nothing to do with my name. These ids must be entered along with the password. One of the banks uses a virtual keyboard for the password. So knowing the password alone, is not enough.

But I agree with you that some people are stupid enough to use the same password for everything. I try to mix mine up, and as far as I recall I do not duplicate a password.

Access Manager is a safe and secure *free* program that I use to store my personal information. It is a Windows program and requires the dot Net framework to be preinstalled, so I know that it will not be usable by everyone here, but many should be able to.

tw;326695 wrote:

Same people who also use the same password for everything.

Meanwhile, public computers are used frequently for anything. Even if not accessing financial records, that common password is obtained.

It's true in my case - I use the same password for virtually everything because I don't want to come back to something a year later and not be able to remember it. And then the username is taken, but I can't get the password sent to my email because that has changed, blahblahblah.

Although I have to point out, the worst someone can do with my details is impersonate me on a forum, get promotional cinema tickets or check train times. Not having a credit/ debit card means I look over my shoulder a lot less. I no longer have an internet banking account (when I did in the 90s the password was my first boyfriend's road name - no connection now!) and I was only ever asked two letters from it, as well as another security question.

The only place someone could do vindictive harm now is my ebay account - which has a separate password.

wolf;326633 wrote:

Speaking of data breaches ... anyone recall the TJ Maxx incident of '06 (someone hacked TJ Maxx's computers just past Christmas and mined all the credit card information)?

I don't know what the other carriers are doing, but Citibank just replaced the cards of every single one of their cardholders that ever made a purchase from TJ Maxx.

That sucks, my wife shops there. :worried:

I bought a djembe there, hand-carved in Ghana, with a genuine goatskin head. They were selling it as home decor.

I just got this today. It's been tagged with a phishing label and includes a message from Panda with what looks like Polish. Thunderbird thinks it might be a scam.:rolleyes:

Another lovely social engineering attack spotted recently, described here:

When you restart your PC after the Trojan is installed, the first image appears.

You can only choose only Yes or No. You can't run Task Manager or any other applications. If you choose No your PC will be shut down immediately. If you choose Yes you'll see the second image.

Now you may think "It can't be true. I have activated my legitimate copy of Windows. MS can't do such a thing!". Surely almost everyone will notice that something strange is going on, and hopefully very few people will actually become victims by inputting their credit card details. But unfortunately even the people who are not tempted to give up their information this time might well become victims the next time. After all, failure to follow the on-screen instructions results in your PC shutting down immediately.

This Trojan teaches us all a good lesson - Trust No One. This is the slogan from the TV show The X-Files, and very much applies when it comes to protecting your personal information. Sometimes the creators of Trojans attempt to impersonate Microsoft, a bank, or even a government organization. Whatever the warning or message says, we must make very sure it is genuine before giving up any personal details, financial or otherwise. It's far better to doubt a genuine request until proper verification is provided, than it is to blindly place your trust in a communique simply because it appears to have come from a trusted source.

There are weak links in the computer's applications, and hardware and also in the users. I'm not pointing fingers, at least I'm not excluding anyone, especially myself. Let's just all be safely paranoid out there, m'kay?

Some companies are changing the way login occurs. For example, login name and password are not on the same page. Others are using graphic login selections. Some are now using internactive questioning for login.

Meanwhile, Kevin Mitnick of the famous book "Takedown" is no[w] doing commercials for an online ID security company. Suddenly the simple password - security from the 1960s - is starting to be replaced by other methods.

Meanwhile the same pathetic companies with completely unacceptable computer voting machines (ie Diebold, Sequoia Voting Systems, ES&S, etc ) have announced nothing.

Did you mean, now doing commercials?