Saturday, March 20, 2010

Tips for Debit Card Security

Debit cards look, act, feel and work like those other plastic payment cards called credit cards. But think twice before using them in some places, according to this little blurb from

Unlike credit cards, debit cards directly access your bank or checking account. That means, if maliciously used, they could be a siphon right into your bank account.

The top ten list of places where you should think twice before using a debit card is as follows:

1) Online
2) Big-ticket items
3) Deposit required
4) Restaurants
5) You're a new customer
6) Buy now, take delivery later
7) Recurring payments
8) Future travel
9) Gas stations and hotels
10) Checkouts or ATMs that look "off"

The last two are particularly interesting. Pumps at gas stations are a favorite target of skimming operations, and ATMs that don't look right can turn up unexpectedly in some very public locations.

Remember the bogus ATM planted last year at Defcon right as you went down the hall before the entrance?

Wednesday, March 17, 2010

Should Users Reject IT Security Advice?

Writing on TechRepublic's IT Security blog, Michael Kassner makes an interesting point. There seems to be an endless drumbeat of security advice dumped on users, ranging from more frequent password resets to watching for phishing e-mails and invalid certificates.

But does the information sink in? And if not, why not? It fails to catch not only because there are too many rules, too many of them impossible to follow to the letter, but because users don't see a cost benefit, or sometimes any tangible benefit at all.

Kassner was quoting a paper by Microsoft researcher Cormac Herley, "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users".

Here are some highlights of the recommendations from Herley's paper:

  • We need an estimate of the victimization rate for any exploit when designing appropriate security advice. Without this we end up doing worst-case risk analysis.
  • User education is a cost borne by the whole population, while offering benefit only to the fraction that fall victim. Thus the cost of any security advice should be in proportion to the victimization rate.
  • Retiring advice that is no longer compelling is necessary. Many of the instructions with which we burden users do little to address the current harms that they face.
  • We must prioritize advice. In trying to defend everything we end up defending nothing. When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves.
  • We must respect users’ time and effort. Viewing the user’s time as worth $2.6 billion an hour is a better starting point than valuing it at zero.

Identity Theft: Census Scams and Young People

Here's something to think about for those of you in the United States. As those Census forms start arriving in the mail, make sure they're legitimate and not phishing scams -- whether by e-mail or paper mail -- looking to steal personal information.

According to the Better Business Bureau, fraudsters are taking advantage of the Census to steal financial information, like bank and credit card account numbers. Legitimate Census forms have 10 questions about your household and its inhabitants, not about your financial information.

The fraudsters are mailing out fake forms, sending phishing e-mails, pretending over the phone to be Census takers and even visiting homes. The BBB recommends you compare any Census form you get in the mail to the official version online. As for phishing e-mails, phone calls and visits to your door, the same rule applies: the questions should match the official form and not ask anything about personal finances or accounts.

Along the same lines, The Washington Post reported today that 18- to 24-year-olds are the most at risk for identity theft. The Millennial Generation is simply too comfortable giving out personal information, whether online or in person, which makes them easier targets for identity theft than older, more discreet generations accustomed to a bit more privacy.

Seemingly anonymous information, such as movie preferences on Netflix, can be misused to identify people. And that's beside the information gathered from a photo of last night's party at a bar posted on a social networking site.

Wednesday, March 10, 2010

The Security Dangers of Social Networking

You can try to lock them down, but no matter how you look at it, social networking sites remain security risks. And it's not just about application security, meaning the sites themselves as vectors for malware, but about the information on them. That information can be used for reconnaissance and intelligence on people, setting them up for spear phishing attacks.

Bruce Schneier had some interesting commentary on the subject recently, referencing research about using group membership on sites such as Facebook and LinkedIn to "de-anonymize" users. Even after locking down every other piece of information on these sites, group memberships are often still visible.
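To make the de-anonymization idea concrete, here is an added example (not code from Schneier's post or from the research he cites): it models how an attacker who learns which groups a visitor belongs to can intersect those with publicly crawlable membership lists until only one candidate remains. The group names, user names and memberships are constructed for illustration.

```python
"""Toy model of group-membership de-anonymization (constructed example).

Public group memberships on a social network are crawlable. If a third
party can also learn which of those groups a visitor belongs to, each
group observed intersects the candidate set of identities, and a handful
of groups is often enough to single out one person.
"""
from typing import Dict, FrozenSet, List, Optional, Set

# Constructed membership lists, standing in for data an attacker crawled.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "alumni-state-u-2004": {"alice", "bob", "carol", "dave", "erin", "frank"},
    "vintage-bicycles": {"alice", "carol", "grace", "heidi"},
    "pgp-key-signing": {"alice", "bob", "ivan", "judy"},
    "seattle-hikers": {"carol", "dave", "erin", "mallory"},
    "python-users": {"alice", "bob", "carol", "dave", "erin", "frank",
                     "grace", "heidi", "ivan", "judy", "mallory"},
}


def all_users(members: Dict[str, Set[str]]) -> Set[str]:
    """Every user appearing in any crawled group."""
    return set().union(*members.values()) if members else set()


def candidates_for(groups_seen: List[str],
                   members: Dict[str, Set[str]]) -> Set[str]:
    """Intersect the membership of every group the visitor was seen in.

    With no observations the visitor could be anyone, so the whole user
    population is returned. Groups the attacker never crawled carry no
    information and are skipped rather than treated as empty.
    """
    result: Optional[Set[str]] = None
    for group in groups_seen:
        roster = members.get(group)
        if roster is None:
            continue  # unknown group: no data, no narrowing
        result = set(roster) if result is None else result & roster
    return all_users(members) if result is None else result


def anonymity_set_trace(groups_seen: List[str],
                        members: Dict[str, Set[str]]) -> List[int]:
    """Size of the candidate set after each successive group is learned."""
    return [len(candidates_for(groups_seen[:i], members))
            for i in range(1, len(groups_seen) + 1)]


def membership_vector(user: str,
                      members: Dict[str, Set[str]]) -> FrozenSet[str]:
    """The set of groups a user belongs to; the attacker's fingerprint."""
    return frozenset(g for g, roster in members.items() if user in roster)


def uniquely_identifiable(members: Dict[str, Set[str]]) -> Set[str]:
    """Users whose full membership vector is shared with nobody else.

    These are the people an attacker can pin down exactly from group
    membership alone; the rest hide in a (usually small) anonymity set.
    """
    by_vector: Dict[FrozenSet[str], Set[str]] = {}
    for user in all_users(members):
        by_vector.setdefault(membership_vector(user, members), set()).add(user)
    return {u for group in by_vector.values() if len(group) == 1 for u in group}


if __name__ == "__main__":
    seen = ["python-users", "alumni-state-u-2004",
            "vintage-bicycles", "pgp-key-signing"]
    print("candidate set sizes:", anonymity_set_trace(seen, GROUP_MEMBERS))
    print("remaining candidates:", candidates_for(seen, GROUP_MEMBERS))
    print("uniquely identifiable:", sorted(uniquely_identifiable(GROUP_MEMBERS)))
```

Running it shows the candidate set shrinking from the whole population to a single user after four groups, and that about half the constructed population is uniquely identifiable from group membership alone; the rest share their membership pattern with exactly one other person, which is still a very small place to hide. The original attack obtained the "groups seen" step from the browser rather than from the victim volunteering it, but the intersection logic is the same.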

As if that's not enough, after-hours posts by users that include information from their employers can leak inside information. The line between personal and professional lives, at least on social networking sites, is getting blurrier.