Posted by Tim on 27th December 2010
Taking technology on your side…
19. It’s a matter of trust: An important question is, can you trust the site’s certificate to be authentic? VeriSign was guilty of issuing security certificates to sites that claimed to be part of Microsoft not so long ago. The latest versions of browsers, Internet Explorer 7 and Opera 9 will soon be able to provide users with Extended Validation SSL certificates that assure them of being on a genuine site. The address bar shows green for the good guys and red for the doubtful ones.
20. From phishers with greed: Emails can also be spoofed. The only way you can be sure they are not, is to use clients that support S/MIME digital signatures. First check if the sender’s address is correct, and then look for the digital signature. This is a pretty effective anti-phishing tactic as the signature is generated by the client after the mail has been opened and authenticated, and because it’s based on robust cryptographic techniques.
21. Keep up or else: Make sure your operating system and browsers are UPDATED regularly. Check for the latest patches and apply them immediately.
22. Build that fence: PROTECT your computer with effective anti-virus and anti-spam software, and set up firewalls to keep those sneaky Trojan horses out. They are capable of the worst kind of phishing – installing surreptitious key-logging software on your system that captures all your keystrokes and transports them to the crooks in some unknown location. What’s worse is that the infection spreads from your PC to other systems on your network, till all the computers are compromised.
23. Not just a token: Consider using an ID Vault USB TOKEN that encrypts all your user ids and passwords and stores them on a flash drive, which can then be used to securely log onto websites. Most tokens come with a list of legitimate sites and also prevent key-logging software from working effectively. The device itself is password-protected, so thieves have an added layer of encryption to tackle.
24. Hashing to confuse: Software plug-ins are joining in the fight against phishing, an example being the PwdHash, or password HASH tool developed by two Stanford professors that scrambles any password you type, and creates a unique sign-on for each site you visit. Even if phishers are given a password, it’s the wrong one.
25. I spy no spies: Another application developed along the lines of PwdHash, and also created by the same two Stanford professors, the SPYBLOCK tool prevents Trojan horse key-logging programs from stealing your passwords.
26. Extending protection: Browser extensions like Antiphish (used as a plug-in by Mozilla’s Firefox) offer protection against phishing attacks by maintaining LISTS of passwords and other sensitive information, and issuing warnings when users type this information on fishy sites.
Prospective protection against phishing…
27. Sending positive signals: New technologies like the Sender ID Framework (SIDF) are joining in the fight against spoofing websites by verifying the source of each email. In the pipeline from Microsoft and CipherTrust.
28. Not barring trust: TrustBars, which are secure and tamper-proof components of browsers, allow VISUALIZATION of information related to sites. Users are alerted by visible warnings when there is a discrepancy in the visualization on the bar.
29. Slow down those attacks: Another technique, the Delayed Password Disclosure (DPD), protests against pop-up windows that ask for sensitive details (aptly termed doppelganger window attacks). It works against phishing attacks when users enter passwords letter by letter, one following the other only after a corresponding image is recognized.
30. Proof positive: Websites that wish to prove they are authentic can use HTML extensions called PROOFLETS to enhance a server’s contents. These are verified by browsers through the use of special web services.
31. Mobility in scams: As consumers are wising up to their scams, phishers are moving on to newer media to launch their scams. Mobile phones, a necessity in today’s world, are the latest targets. Text messages purporting to originate from your bank warn you that unless you confirm your account information, it will be deactivated. IGNORE these messages, they are always spam.
32. Voicing doubts: Another hot sphere of activity, the VoIP technology, is being harnessed as a phishing tool with alarming regularity. The crooks find it COST-EFFECTIVE to make numerous calls and earn a sum well above the incurred expenses. This is doubly dangerous because people who would look at an email with suspicion, generally tend to believe phone calls.
Make a difference…
33. Join the fight: If you come across a phishing scam, REPORT it at once to the Anti-Phishing Working Group, the U.S. Federal Trade Commission (FTC) and the FBI through the Internet Fraud Complaint Center, both of whom work to shut down phishing sites and catch those responsible.
34. Say goodbye: If any of your accounts have been compromised, CLOSE them at once.
35. Change is good: If you even suspect that your any one of your passwords has gone to the wrong hands, CHANGE all your passwords and pin numbers on online accounts immediately.