Linux for Travelers - Fraud Prevention Tips

Public Web Surfing Article in the New York Times

LFT — Tue, 31 Oct 2006 22:39:35 -0500

The New York Times ran an article on the dangers of using public Internet access.

While it is hard to say how likely it is that someone is lurking on a public network, many public networks do not have adequate security.

Last fall, InfoWorld magazine published an article about a security researcher who managed to collect more than 100 passwords, per stay, at hotels with lax security (about half the hotels she tested).

Gathering reliable statistics about security breaches is notoriously difficult, since companies are reluctant to reveal this information. Still, the most recent computer crime and security survey, conducted annually by the Computer Security Institute with the Federal Burea Description of Investigation, found that the average loss from computer security incidents in 2005 was $167,713 per respondent (based on 313 companies and organizations that answered the question).

As Jim Louderback, editor of PC Magazine, noted, the statistics may not matter given the problems one data breach can cause.

The article mostly covers wireless computing. You can read the full article here.

Scambaiting and 419ers

LFT — Fri, 22 Sep 2006 19:18:32 -0400

You may have seen emails where someone from a foreign country promised to transfer millions of dollars into your bank account from the late General [so-and-so] if you will just give them your bank account number.

Surprisingly there are people that actually fall for this trick.

It is especially common in Nigeria so it is sometimes called the Nigerian 419 email scam. I belive that the "419" refers to the legal code that is being violated.

Some resources and reading to educate yourself about these kinds of email scams:

I recieved the following scambaiting email today and wanted to post it as an example:

ATTN:

My name is Barrister Anderson Mako I am a private attorney . and I have a client who is interested in investing some good money in your country.

My client is a very important and prominent person who has mandated me to contact you for a very important business transaction my client is by name Mrs. Maryam Abacha and she is the wife of a Late Military head of state in one of the richest african country.

Her husband Late General Sanni Abacha made a lot of money through Oil proceeds during his tenure in office. In fact it was discovered after his death that he was worth well over $4.5 billion in United State Dollars and some of this money was retrieve after he died while some was recovered from officials that served under him during his reign as president of Nigeria.

The truth of this case is that my client despite the problem she is going through now, she still has a lot of money in her possession, which she intends to invest outside her country.

What my client need from you now is reliable account
where she can transfer some money but mind you, all the
money in her possessions cannot leave at once because she need to build confidence and trust.

read more

Phishing Test: Can You Spot the Fake Email?

LFT — Sat, 26 Aug 2006 03:26:02 -0400

Mailfrontier.com has an interesting phishing test. They show you 10 emails and ask you to spot the fake ones.

Give the test a try and see if you can spot the fraudulent emails 100% of the time...

The web page also has some interesting facts about phishing:

5.7 billion phishing emails are sent daily
A successful phishing attack causes a victim to lose an average of $1,200
and more

Beware of Hardware Keyloggers

LFT — Thu, 10 Aug 2006 23:25:10 -0400

It is not common, but computers can have hardware keyloggers attached to them. If a computer has a hardware keylogger on it, it will be able to record your keystrokes even if you are using a Linux live CD.

There is a solution though. While using an on-screen keyboard will not protect you against software keyloggers, an on-screen keyboard should protect you against hardware keyloggers. So the combination of a Linux live CD and the use of an on-screen keyboard to enter your passwords should protect against both hardware keyloggers and software keyloggers.

The Risk of Hardware Keyloggers in Public Internet Cafes

I suspect that hardware keyloggers are not common in public Internet cafes. It is much easier for Internet criminals to use malicious software to do their work for them remotely. Physical devices attached to the computer increase their chances of getting caught.

While most public computers have spyware, viruses, and trojans, very few have hardware keyloggers. In any case, here are some tips:

What Do Hardware Keyloggers Look Like?

I've linked to some images of hardware keyloggers below. The most common hardware-based keyloggers are a physical device that fits between the end of the plug of the keyboard and the box of the computer:

A hardware keylogger that fits between keyboard and computer
A hardware keylogger for USB keyboards
A before and after shot of a computer with hardware keylogger installed. Notice the extra length of cable in the "after" image.
Another hardware keylogger

Hardware Keylogger Lookalikes

Be aware that not every device that fits between a keyboard and a computer is a keylogger. There are similar-looking devices that are made to convert one type of plug to another (for example USB to PS/2). These adapter plugs are harmless.

How to Protect Yourself Against Hardware Keyloggers

It's always good to take a moment to look at the connection between the keyboard and the computer before you use a public computer. That is not the only kind of hardware keylogger though. There are also hardware keyloggers that can be put inside keyboards, or in other hard-to-detect places. By using a Linux live CD in combination with an on-screen keyboard, you should be able to bypass hardware keyloggers.

Phishing

LFT — Tue, 01 Aug 2006 19:55:07 -0400

I mentioned phishing recently. I just got a phishing attempt in one of my email accounts so I have a good example to show.

The following email looks like it might be from eBay, but it is from an Internet criminal. The links in phishing emails usually lead to fake web sites where you are tricked into giving your credit card or other financial information. Notice how the email describes how you will need to update your credit card information.

Because this email is addressed to "eBay user" and not my real name, I know it is probably fake. Another clue that it is fake is that I don't have an eBay account. If I couldn't determine whether it were real or not, I would open a browser and type in http://www.ebay.com and login on the actual eBay site. Never click on links in these kinds of emails.

Phishers Bypass Two-Factor Authentication

LFT — Sat, 15 Jul 2006 23:01:24 -0400

Phishing is a common form in Internet fraud, where criminals send you an email (for example) that pretends to be from a bank, PayPal, eBay, Amazon.com, or another web site. The emails often say things like, "Your password has been compromised. Please click here to login and update your password."

If you click on the link you are taken to a fake web site that looks just like the real thing. The criminals hope that you will enter your password and credit card information into their fake web site.

In a twist on the common form of phishing, a scam has been spotted where the criminal's web site asks you to type in your two-factor authentication code (example) and it automatically logs into your bank account with your credentials.

Browser Security

LFT — Tue, 30 May 2006 18:46:18 -0400

If you are using the Windows operating system, try to use the Firefox Browser because it is more secure. If the computer doesn't already have Firefox on it, you can download Portable Firefox to the desktop and run it without needing admin rights to install it.

Turn Off Auto-Complete

Make sure that the browser is set so that it does not remember your passwords. You can set that option in the settings from one of the menus. The exact location of those settings is different for each browser.

Create Strong Passwords

LFT — Tue, 30 May 2006 10:21:22 -0400

It is important to create strong passwords.

Tips for creating strong passwords:

Don't use words that can be found in a dictionary
Don't use the same password for every site
Do use a mix of upper- and lower-case letters, numbers, and at least one symbol

Password Examples

password (WEAK) — Never use the word password as your password. Believe it or not, this is one of the most common passwords out there.

Fraud Prevention Tips

LFT — Tue, 30 May 2006 10:02:35 -0400

This section contains information on other fraud prevention tips that are not specific to one operating system.

Use the links below to navigate through this section of LinuxforTravelers.com:

Bank Cards vs. Credit Cards

LFT — Mon, 29 May 2006 21:31:37 -0400

If you have a choice, it is usually better to make online transactions with credit cards rather than bank cards.

Bank cards deduct funds directly out of your bank account and if someone steals that card number and drains your account you may be stuck with no money while you are sorting out the fraud claims with the bank. I have seen this happen before.

If you use a credit card and someone steals your credit card number, you still will have your cash in your bank account to live on while your sort out the fraud claims. Just make sure before you use your credit card that the credit card company provides protection against online fraud.