Monday, June 30, 2008

Don't be phooled by phishing

I got an email on Friday which went: "From HSBC. Dear Sir, We have detected fraudulent charges on your credit card. Please verify your account information by clicking the following link." Sound familiar? This was one of thousands of "phishing" scams going on as you read this article.

Phishing, a deliberate twist on "fishing", is a very simple scam. Scammers throw out a net, using email, luring as many fish as they can. Those who fall for it soon become victims of fraud.

How does phishing work? An email is sent stating account suspension, fraudulent charges, scheduled maintenance or even refunded charges - anything to warrant your attention. You are requested to "verify your account" by clicking a website link in the email. The link leads to a fake website, dressed up to look identical to your bank's e-banking website. You naively submit your account number, password, birthdate, security code, etc. and the site says "Your account is verified". You have just been caught. Within hours, your account information will be traded for cash through underground Internet channels.

Last year, almost 30,000 phishing incidents were reported every month! A phishing website typically stays up for only a day or two, but with mass mailing that is long enough to reach millions of recipients. Most emails target customers of banks and card companies. A few target eBay, PayPal and Google AdSense users. Others offer free software - screen savers, smiley icons, e-greetings - that installs malware which records every keystroke you type.

Phishing is a psychological attack. It succeeds because we trust electronic media without verification. Here are some simple tips on how not to get phished:

1. Do not click on website links in emails. If unsure, call your bank or card company about what the email says.

2. Phishing is not limited to just email. Voice phishing, via phone calls, is on the rise. If you receive a call asking for account information, do not give it out. Get the caller's name, hang up, and call back on the number printed on the back of your card or on your statement, not on a number the caller gives you.

3. If you are adventurous, deliberately fill in bogus account information in such websites. If it is accepted, you know you have interacted with a phishing site! A real bank site rejects wrong credentials; a phishing site usually "accepts" anything. Bear in mind, though, that merely visiting such a site can expose your computer to malware, so try this, if at all, only from a machine you can afford to have compromised.

4. Do not rely entirely on anti-phishing browser toolbars. They work for a majority of phishing sites, but newer sites slip through.

5. Certain email providers, such as Gmail, issue phishing warnings. Check whether your email provider offers such a service.
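The tips above boil down to one check: does the link in the email really go where it claims to? The following script, added here as an illustration and not part of the original column, shows how the usual tricks can be spotted mechanically before anyone clicks. It parses an HTML email body, extracts every link, and flags a raw IP address as host, a "user@" prefix that hides the real host, a bank name buried as a subdomain of some other domain, punycode look-alike names, visible text that advertises one domain while the link goes to another, and plain http. The sample email body is constructed, and the trusted domain is an assumption you would replace with your own bank's real domain.

```python
"""Flag the tell-tale links of a phishing e-mail before anyone clicks them.

Added example for this column; it is not the author's code. The e-mail body
is constructed to resemble the message described above, and the trusted
domain is an assumption: substitute your own bank's real domain.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed: the only domain this recipient's bank really uses.
TRUSTED_DOMAINS = {"hsbc.com"}

# Constructed sample e-mail body (not a real message).
SAMPLE_EMAIL = """
<p>Dear Sir, we have detected fraudulent charges on your credit card.</p>
<p>Please <a href="http://www.hsbc.com.account-verify.example/login">verify
your account</a> or visit <a href="http://203.0.113.5/hsbc/">www.hsbc.com</a>.</p>
<p>Security centre: <a href="http://www.hsbc.com@203.0.113.5/secure">
https://www.hsbc.com/secure</a></p>
<p>Questions? <a href="https://www.hsbc.com/contact">Contact us</a></p>
"""

# Something that looks like a domain name inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Crude (no public-suffix list), which is
    an assumption that is good enough for the .com-style names used here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_host(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Return the reasons a link looks like phishing; an empty list means clean."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    if parsed.scheme not in ("http", "https"):
        return [f"unexpected scheme {parsed.scheme!r}"]
    reasons = []
    if parsed.username is not None:
        reasons.append("user@ prefix hides the real host")
    if is_ip_host(host):
        reasons.append(f"raw IP address as host ({host})")
    elif "xn--" in host:
        reasons.append(f"punycode host {host}, possible look-alike name")
    elif registrable_domain(host) not in TRUSTED_DOMAINS:
        if any(t in host for t in TRUSTED_DOMAINS):
            reasons.append(f"trusted name buried as a subdomain of {registrable_domain(host)}")
        else:
            reasons.append(f"host {host} is not a trusted domain")
    shown = DOMAIN_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"text shows {shown.group(1)} but link goes to {host}")
    if parsed.scheme == "http":
        reasons.append("plain http, no TLS, for a banking link")
    return reasons


def scan_email(html):
    """Run check_link over every anchor; returns [(href, text, reasons)]."""
    extractor = LinkExtractor()
    extractor.feed(html)
    return [(href, text, check_link(href, text)) for href, text in extractor.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        verdict = "SUSPICIOUS" if reasons else "ok"
        print(f"{verdict:10} {text!r} -> {href}")
        for r in reasons:
            print(f"             - {r}")
```

Run as a script and only the genuine "Contact us" link comes out clean; the other three are flagged for one or more of the reasons listed. The domain check is deliberately simple: it treats the last two labels as the registrable domain, so for country-code domains such as .co.in you would want a proper public-suffix list.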

Lastly, stay well informed. The Anti-Phishing Working Group (APWG) at http://www.antiphishing.org has reports on the latest phishing activities, vigilance tips and self-help resources for phishing victims too. I hope this helps you avoid the dark alleys of the information superhighway!

Published: Times of India, Ahmedabad, 2-Jul-08

Monday, June 23, 2008

Are you a victim of Credit Card fraud?

"I wasn't in Japan on August 23. In fact, I have never been to Japan in my life!" My friend finally managed to convince his credit card company that the USD 1200 cellular phone charges on his account weren't his. I have shared the same woes before, almost every two years. Fraud can befall any credit card user today.

Credit cards are the most convenient form of payment worldwide. Petrol points, air miles, cash back and many other rewards encourage us to swipe frequently. But rewards and convenience come with their own risks. I may be so bold as to state that, five years from now, the only credit card customers not affected by fraud will be those who never activate and use their card at all.

One question that I have been asked at every security conference that I address is: "How do I use my credit card securely on the 'net?" Well, let me ask you: "How do you drive accident free on today's streets?" The sheer volume of credit card transactions, coupled with multiple locations of data storage and exchange increases the probability of credit card "accidents" on the information superhighway.

Ever wondered how fraudsters obtain your credit card information? The first technique involves "harvesting" large transaction databases. Merchants are required to store transactions for a couple of months until they get paid by the card company. The largest transaction theft in history occurred at U.S. retailer T. J. Maxx (TJX). TJX's breach recovery costs exceeded USD 500 million, and the breach affected up to 100 million accounts. Another method involves stealing card information directly from end users, using trojans and malware that recognize website forms and intercept keystrokes. A third method - "phishing" - fools users into interacting with fake websites disguised as real e-banking websites. Users receive fake emails warning of account suspension; clicking the link lures them into divulging their account information to the fake website. Stolen credit cards are then actively traded for cash on underground Internet Relay Chat (IRC) channels.

Here are some tips for "defensive driving" on the information superhighway.

1. Never use your debit card for online transactions. Your bank's marketing tells you that debit cards work "just like credit cards". They may look the same, even carry Visa or MasterCard symbols, but the similarity ends there. With credit cards, merchants are not paid immediately. The onus lies on the merchant to prove a transaction's authenticity, and the card company has to investigate the fraud with the merchant before holding you entirely responsible. With debit cards, cash is immediately debited from your account without a grace period, so it is your money that is gone while the dispute runs. Only use debit cards for ATM withdrawals, nothing else. Avoid getting Visa or MasterCard branded debit cards if your bank allows a non-branded option. For details, visit http://www.privacyrights.org/fs/fs32-paperplastic.htm

2. Don't get caught in the "phishing" net. If you get an email from your bank, or from someone claiming to be your bank, asking you to re-establish your identity or verify your account, simply delete the email. If in doubt, call your bank on the number printed on your card and ask.

3. Delete emails containing credit card statements. Card companies have gone paperless to save money, but from a security standpoint an inbox full of statements is a gift to anyone who breaks into your email account. Print the statement if you need a copy, then delete the email immediately.

4. Ask your credit card company about online fraud protection options and policies. If it lacks them, take your business elsewhere.

5. Change your credit card number every year. This cumbersome method may be the most effective fraud protection technique for frequent online shoppers. I destroy my card every year, and ask for a new one. New cards have different numbers. So even if old transactions are stolen later, the chances of the card being valid are minimized.

6. Ask for notifications for large transactions. Many banks and card companies provide email and SMS notifications if transactions exceed a certain amount. However, when a tank of petrol costs Rs. 2000, I wonder what amount limit to set without being SMSed every time I swipe my card!
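The problem with an amount-only alert is exactly the one the last tip describes: set the limit low and every petrol fill triggers it, set it high and the USD 1200 "Japan" purchase may slip under it. The script below is an added illustration, not the column's or any bank's actual logic, of how a few cheap rules layered together do better than a single threshold: amount, card used outside the home country, card-not-present purchases above a lower limit, and a burst of transactions in a short window. The home country, the thresholds and the transaction feed are all assumed or constructed for the example.

```python
"""Transaction alert rules that look at more than the amount.

Added example, not the column's or any bank's logic. Thresholds, the home
country and the transaction feed are all constructed/assumed for illustration.
Transactions are expected in time order.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_COUNTRY = "IN"                   # assumed: cardholder lives in India
LARGE_AMOUNT = 5000                   # assumed: per-transaction limit in rupees
CNP_AMOUNT = 1000                     # assumed: lower limit for card-not-present
BURST_WINDOW = timedelta(minutes=10)  # assumed: burst detection window
BURST_COUNT = 3                       # assumed: this many swipes in the window

# Constructed feed: (timestamp, card, amount in rupees, country, channel).
# Two ordinary petrol fills at the pump, then a burst of foreign
# card-not-present charges like the "Japan" phone purchase described above.
TRANSACTIONS = [
    ("2008-08-20 09:05", "card-1", 2000, "IN", "pos"),
    ("2008-08-21 19:40", "card-1", 1800, "IN", "pos"),
    ("2008-08-23 03:12", "card-1", 48000, "JP", "cnp"),
    ("2008-08-23 03:14", "card-1", 950, "JP", "cnp"),
    ("2008-08-23 03:15", "card-1", 600, "JP", "cnp"),
]


def evaluate(transactions):
    """Return {index: [reasons]} for every transaction that should alert."""
    alerts = {}
    recent = defaultdict(list)  # card -> timestamps still inside the burst window
    for i, (ts, card, amount, country, channel) in enumerate(transactions):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        reasons = []
        if amount >= LARGE_AMOUNT:
            reasons.append(f"amount {amount} >= {LARGE_AMOUNT}")
        if country != HOME_COUNTRY:
            reasons.append(f"card used in {country}, home country is {HOME_COUNTRY}")
        if channel == "cnp" and amount >= CNP_AMOUNT:
            reasons.append(f"card-not-present amount {amount} >= {CNP_AMOUNT}")
        # keep only timestamps within the window, then count this one too
        recent[card] = [x for x in recent[card] if t - x <= BURST_WINDOW] + [t]
        if len(recent[card]) >= BURST_COUNT:
            reasons.append(f"{len(recent[card])} transactions within {BURST_WINDOW}")
        if reasons:
            alerts[i] = reasons
    return alerts


if __name__ == "__main__":
    for i, reasons in evaluate(TRANSACTIONS).items():
        print(TRANSACTIONS[i], "->", "; ".join(reasons))
```

With these settings the two petrol fills stay quiet, the Rs. 48000 foreign purchase fires on three rules at once, and even the small follow-up charges are caught by the country rule and, by the third one, the burst rule. The point is that the country and velocity rules cost nothing in false alarms for a cardholder who rarely travels, so the amount limit can be set comfortably above a tank of petrol.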

Lastly, nothing works better than common sense. If you are shopping at a new website, try paying over the phone. Read reviews posted by other users. Verify the transactions on your statement meticulously. And when surfing idly on the Internet, look up the Web Hacking Incidents Database (WHID) at http://www.webappsec.org/projects/whid/. WHID tracks web application security incidents reported in the media.

Do you have any tips or experience to share regarding combating credit card fraud? Write me at cyberwatch at net-square dot com

Published: Times of India, Ahmedabad, 26-Jun-08