How to secure your digital transactions

How to secure your digital transactions by Abhijit Ahaskar.  Available from <http://www.livemint.com/Leisure/eAqnDAFMqB4Vfxe7yyOfgO/How-to-secure-your-digital-transactions.html> [Last Modified: Mon, Dec 19 2016. 06 16 PM IST]

Demonetisation and the subsequent cash crunch have compelled people to use their debit or credit cards. Many are using payment wallets such as FreeCharge and Paytm to avoid using their cards all the time. Many of these first-time users are not fully aware of what is secure and what is not. This makes them easy prey for hackers and people with malicious intent. According to Norton’s Cyber Security Insights Report (published in November 2016), 55% of users born between 1980 and 2000 have been victims of cyber crime.

Here are some tips that you can keep in mind if you are using one of the digital platforms for making your next cash transaction.

Be more cautious with public WiFi networks

Easy and fast access to the internet through public WiFi networks, such as those at railway stations, airports and coffee shops, attracts many users. Users need to keep a few things in mind before connecting to any public WiFi network. One of them is to make sure you know the right SSID (service set identifier) name of the WiFi network you are connecting to. Hackers often set up WiFi networks with nearly identical SSID names, making users believe that there are two such networks and that they can connect to either of them. Any communication made using such dubious networks will be at risk of malicious activity. It is safer to avoid WiFi networks that are not protected by a password.

Use VPN

Using a Virtual Private Network (VPN) not only sidesteps geographical restrictions on online content but can also add a layer of security to your online communications. It is widely used as a tool to secure web browsing sessions by enterprise as well as individual users. You can add a VPN on your smartphone or your WiFi network at home. For a smartphone, you will have to download and install a VPN app. Most VPN apps charge a monthly subscription, while some like Opera VPN are completely free to use. Deploying a VPN on a wireless router will transmit all online communication through an encrypted tunnel created by the VPN.

Use OTP during transactions

During online transactions made using a credit or debit card, banks ask users to enter their 3D secure PIN (personal identification number) or request an OTP (one-time password). Using the latter will prompt the bank to send a six-digit number through a text message to the user’s registered mobile number. This is a unique number and is generated only for one transaction. Using a 3D secure PIN on a public WiFi can be risky. Paying through an OTP is still a safer option.

Identify secure webpages

Most websites rely on certain security protocols such as HTTPS (Hyper Text Transfer Protocol Secure) to protect users and keep their transactions secure. These websites can be identified with a green sticker and through the browser URL, where the link address will start with https instead of http or www.

Alternative to online transactions—Use NUPP for transaction

Another way of bypassing the risk of online fraud during transactions is using the National Unified USSD Platform (NUPP) for sending money directly to the other person’s bank account. NUPP is based on USSD (Unstructured Supplementary Service Data) technology, which uses GSM networks for communication between the user and the bank, and this makes it free from the risk of online hacking. To use it, dial *99# on your phone and enter the three letters used to identify your bank or the IFSC (Indian Financial System Code) of your bank in the next pop-up page. This will open another page with options to pay using MMID (Mobile Money Identification Number) or IFSC.

If you are paying through MMID, enter the seven-digit MMID code and the beneficiary’s mobile number. In case you are using the IFSC, enter the IFSC code and the bank account number of the beneficiary and the amount that you are paying. To complete the transaction, you will be asked to enter your four-digit mobile banking PIN number issued by your bank. For every transaction, users will be charged a nominal fee of 50 paise.

Top 12 Tips for staying safe online

Top 12 Tips for staying safe online by Kuwait Times.  Available from <https://www.zawya.com/mena/en/story/Top_twelve_tips_for_staying_safe_online-ZAWYA20161215052009/> [14 December 2016]

As the popularity of online shopping increases in Kuwait, so does the likelihood of falling foul of cyber crooks, not necessarily because they are putting in extra effort during the festive season, but simply because more of us are doing more online shopping at this time of the year, and we’re on the lookout for the hottest deals.

Sophos has put together the following cyber security tips to help you focus on family, food and fun during this season, rather than dealing with the headache of stolen credit card details or important documents lost to ransomware.

1) Clean up your passwords before you start shopping
Don’t use the same password on more than one website. If the crooks get one password, they’ll immediately try it on all your other accounts. Make your passwords as long and complex as you can; in fact, consider using a password manager, which will come up with a unique password for each website automatically.

2) Update your devices
When patches come out, most of them fix security holes that the crooks either already know about or will find out about soon. Don’t put off security updates because “later will be fine”. Follow our advice: patch early, patch often.

3) Back up your files
Whether you’re taking your laptop on holiday, or staying at home with your faithful desktop this festive season, don’t forget to back up your precious documents on all of your devices. That way if your files are lost, stolen, “reconfigured” by a teenaged “expert”, or, worst of all, held for extortion by ransomware, you can still get your data back.

4) Watch out for booby-trapped ATMs when shopping on the High Street
Watch out for modified ATMs when you withdraw money. Crooks often glue fake parts onto or around ATMs in the hope of covertly reading both your card data and your PIN. If you see an ATM with any components that look as though they don’t belong, report it to the bank and the police. That way you protect yourself and everyone else too.

5) Beware of login links in emails
With so many emails flying around over the festive shopping period, it’s a popular time for cyber crooks to use fake ‘phishing’ emails to trick you into handing over personal data. When an email urges you to click on a link to login to your account and change your password, or some similar sort of subterfuge, it’s probably crooks trying to trick you onto a fake site that will look exactly like the real thing, except that the crooks get your password, not the real website. If you want to check a transaction on one of your accounts, open your browser and browse to the website yourself.

6) Look for the padlock in the URL bar when shopping online
A padlock in the address bar and a URL that starts with “HTTPS” means the website uses an encrypted or secure connection. All major websites, not just financial institutions, use HTTPS these days, so if you see a site that’s asking for personal information but doesn’t have the padlock, you can be sure it’s a fake.

7) Watch out for bogus courier emails
During this time, you may very well get products delivered to your home, so you’ll be expecting a visit from a courier company. Crooks know this and send fake emails about bogus delivery problems, hoping to draw you into their web. If you want to contact a courier company to check on a delivery, look up their phone number or email address yourself – don’t use any links or information from an email.

8) Don’t email your credit card details
Sometimes you’ll try to buy that special gift, but your credit card won’t go through. In perfectly good faith, the seller may ask you to email through your card details to try again later. But that email could end up in the hands of cyber crooks, even if the seller handles it with care once they’ve received it. Remember: if in doubt, don’t give it out!

9) Turn off Flash on your devices
Want to do one single, simple thing to improve your security, now and forever? Turn off Flash, or uninstall it altogether if you can. Booby-trapped Flash files are still a popular way of spreading malware, and with fewer and fewer sites actually requiring Flash, it’s safer to do without it altogether.

10) Change default passwords before using any new home video devices
Whether it’s a new baby monitor, home surveillance system, or any other internet-enabled camera, it probably has a default password. If you don’t change the password then you are making it easy for a cybercriminal to hack in and watch whatever you’re filming. That could be you, your house, your baby, or something else that you’d prefer to keep away from prying eyes.

11) Think before you share on social media
Maybe it sounds obvious, but oversharing on social media is a bad idea, and there is no better time to remind you of this than the party season. Whether it’s photos of other people, your credit card details, the fact that you’re holding a really amazing party on Friday night or anything else, stop and think before you share. Once you post it, you’ll never be able to take it back.

12) Upgrade the software on any new devices before using them
Even “new” computers and hardware devices usually need updates right away. After all, between when they were made and when you first use them, the crooks have had time to find new security holes to attack. If you want to protect your new devices, always patch before using them, even if it’s Christmas Day and you’re dying to try out your brand new present.

Finally, make sure your computers at home are secure. Sophos Home is free and allows you to protect up to 10 Windows and Mac computers from malware, ransomware, phishing and more. You can have different settings for adults and kids, and the web filter lets you block ads. It’s an easy-to-use solution that takes minutes to download and get started. And remember, when 2017 comes around, all of these tips will still be valid. In other words, as much as we’re urging you not to let your computer security guard down over the festive season, we’re also encouraging you to keep your security guard up every day. Cyber security is for life, not just for this season.

How To Get Powerful Website Protection – SSL Certificate

How To Get Powerful Website Protection – SSL Certificate by Natasha Miranda.  Available from <http://www.valuewalk.com/2016/12/ssl-certificate-tips/> []

As a website owner or manager, knowing the advantages of using an SSL/TLS certificate will be essential. It will also be important to understand that this is just one part of a full range of cyber security technology options that will keep your website safe from hackers and from a breach of data security to your system.

Before going any further, it will be important to address a simple factor that is often overlooked. The purpose of an SSL certificate is to have an approved third party, a recognized Certificate Authority (CA), verify that the website is authentic and trustworthy. This means choosing a recognized and trusted Certificate Authority. A good example of this is the Comodo SSL products that are recognized worldwide and can be found on websites of large multinational and global companies as well as smaller local ecommerce businesses.

There are two other options in SSL certificates that can be found on the market through any quick online search. While these will both be available at no-cost, there are risks associated with these certificates that should be carefully considered if website protection and protection of transmitted data is ultimately your major consideration and concern.

Free Certificates

You may have heard the term “you get what you pay for” and this is certainly the case with many of the free SSL certificates out there. The recognized CAs offer very cheap SSL certificates at the domain and organization validation levels that are far superior in customer service, support and security.

Remember, a certificate, as with any information technology security tool, needs to be recognized by the different systems it interacts with. The recognized CAs have their root certificates embedded with all major browsers and devices, ensuring that the certificates they issue will be accepted as trusted sources.

Unfortunately, the free SSL certificates are often not recognized by the different browsers and devices. From a 99.9% recognition rate with an SSL/TLS certificate from a trusted Certificate Authority, you may find that the majority of your customers either have to manually add your certificate to the device or browser trusted list or they will see the security warning displayed every time they try to access the site using a free SSL product. This is because there is no root certificate embedded in the device or browser, meaning the certificates they issue are also not trusted.

Self-Signed Certificates

These types of SSL products are even more problematic and less trusted by browsers and devices. As suggested by the name, the self-signed certificate is created by the website owner and is basically a case of vouching for yourself.

This creates trust issues for browsers and devices as there is simply no root certificate and no recognized Certificate Authority that is verifying the information. It would be possible for anyone to set up a website and create a self-signed certificate, even if the information on the certificate was invalid and the website was a spoof site.

The good news for legitimate website owners is that if you have an SSL certificate from a recognized Certificate Authority, there is no way that this type of situation can occur. The hacker cannot access the private key to your site or your certificate, which means your website is the only entity that the key and the certificate will work with. The private key is always kept secured on your server. Only through authenticating the certificate and the public key with the private key can data be decrypted for use.

No Eavesdropping or Hacking Risks

If your website uses a login and password combination, which is true for social media sites and many types of paid subscriptions or memberships to blogs or forums, using an SSL certificate protects your site from hacking through eavesdropping.

Without the customer, client or user’s login and password data being encrypted, it could be easily intercepted and read. This could include if an employee or customer used a public Wi-Fi hotspot or even used a connection at home that lacked basic wireless network security features.

Once the hacker had that information, he or she could then go into your data through a legitimate login using that stolen information. It would be virtually impossible for you to detect the data breach as it would appear to come from an actual, valid customer.

Through the use of encryption to send the data, all the hacker will see is a random string of code that is illegible and unreadable. With full 256-bit encryption, which is considered the internet cyber security standard, it is virtually impossible for the hacker ever to be able to break the encryption.

It is important to carefully consider how much of your website needs to be secured through the use of SSL technology. Any web page collecting information or transmitting what is considered sensitive information needs to have this level of protection.

Logins, passwords and even email may also need to be protected depending on the type of use, the data transmitted and if the information is considered sensitive. Determining which level of SSL technology is required and which pages should be secured starts with assessing your cyber security risks and then providing the right types of protection.

How to Protect Yourself from Cyber Attacks

How to Protect Yourself from Cyber Attacks by Kevin Graham.  Available from <https://www.quickenloans.com/blog/protect-cyber-attacks> [December 7, 2016]

Remember last month when hackers were briefly able to disrupt service to popular websites such as Netflix, Twitter, Spotify and Etsy for several hours? Whatever their motivations, there’s no doubt the hackers had a plan and were skilled. Still, even when something happens that affects large portions of the internet, there are things we can learn to help protect ourselves as individuals now and in the future.

As we enter a time of year when everyone’s going to be doing a lot of online shopping, we thought we would give you some tips to help you keep your information secure. Let’s start by going over exactly what happened last month and what we can learn from it.

Anatomy of an Internet Takedown

So what exactly took down so many websites last month? It was something called a distributed denial of service (DDoS) attack. The attackers picked a major internet hosting service on the East Coast and sent a bunch of traffic to the sites it hosted – so much that it overloaded the servers.

The first job of any internet server is to take your request (to go to, say, QuickenLoans.com) and translate that into a request the computer can understand. You type in your web address, and the computer turns what you typed into a series of numbers called an internet protocol (IP) address. In your web browser, when you enter QuickenLoans.com, the server goes and looks up the IP address associated with that domain, maybe 10.168.64.9, and gets you to the right place. It’s like a giant phonebook, except we don’t throw it out as soon as it arrives.

Normally, all this traffic gets routed, and everything goes smoothly. When a server gets thousands of requests to go to a particular website, though, it creates a traffic jam. The server is overloaded, and the site is unreachable until the host is able to identify the attack and take mitigating measures. But what measures did they take?

We have a thousand devices connected to the internet these days. It’s not just computers, but also DVRs, webcams and even our thermostats. The attackers were able to get into these newly internet-enabled devices and use them to send a bunch of traffic to sites and overload the servers. I don’t mean to say that the webcam in the nursery was sending a request to Netflix to watch “Zootopia.” This was unsophisticated nonsense traffic – uploads and downloads meant purely to flood the servers. There have been lots of really good, detailed analyses of what happened in the attack, but what’s more helpful for those of us trying to protect ourselves is knowing exactly how they did it.

Tyranny of the Default

So what was the weak point in all of these devices that allowed them to be so easily taken over? No one ever changed the password.

Most of these internet-connected appliances have a default password listed in the manual so you can easily get them set up. Unfortunately, many people never think to change the password. If you find yourself in this situation, follow your device’s instructions to get back into the settings and change the password if possible.

In some instances, depending on the sophistication (or lack thereof) of a particular device, there may not be a way to change the default. In these instances, manufacturers will sometimes send updates that patch the software and help to secure the device. Always run these updates, particularly if they mention anything about fixing bugs or improving security.

As we enter the holiday season and you’re looking at getting that new flat-screen TV on Cyber Monday, make sure you’re using strong passwords. You can even get online password generators like LastPass or 1Password that will enable you to have one password that unlocks all your accounts but still maintains the security of having many different passwords.

Secure Your Wi-Fi

Securing your internet connection is key if you want to keep your internet browsing to yourself. Without a secured connection, hackers have the opportunity to get on the network and put themselves between you and your hotspot or router. Instead of going directly to your connection point, your data goes through the hacker first, and they get a peek at what you’re doing before your data goes on to its ultimate destination. Depending on how your sharing settings are configured, a nefarious actor may also be able to get malware onto your computer.

The level of encryption used can be changed, and it’s up to you. At the very least, your router should be password-protected.

Security in Public

The other thing you should know is how to take steps to secure yourself in public. When you need to check your bank account, sometimes the only available connection is the coffee shop.

When you find yourself in these situations, the most important thing to remember is that websites asking for sensitive information should be secured and encrypting your data as it’s passed through. While someone with malicious intent might still be able to see your activity, usernames, passwords and credit card numbers, it usually ends up looking like unintelligible gobbledygook unless it can be decrypted. Most hackers don’t want to take the time and effort to do this.

How do you know if you’re on a secure site? In the address bar, you should see a green HTTPS mark at the beginning of the web address. If you choose, you can also click on this mark to see who owns the security certificate and make sure you’re giving your information to the right people.

It’s always a good idea to check for the secured symbol whenever you’re putting in sensitive information like credit card numbers.

You should also make sure that any time you log into a public connection, you select the public option when you connect. Your operating system will put certain security protocols in place that you might not need for a home network – just to give you a little more protection. A lot of the settings have to do with your ability to share files on the network.

Device and App Permissions

While we’re on security, it’s a good time to talk about the smartphones that now hold the keys to so much of our lives. Your phone is equal parts Rolodex, wallet, health information repository and camera. If the wrong person were to get ahold of all that, it could cause you a serious headache.

With that in mind, you should take some reasonable precautions to protect your phone from prying eyes.

First, make sure you set a passcode on your phone. Not only will this prevent your little sister from getting into your phone, but on newer iPhones, setting a passcode automatically encrypts the data against anyone who doesn’t have your code or fingerprint. By default, this is a four-digit numerical password, but you have the option to switch to a longer alphanumeric key.

Since device manufacturers have much more control over the look of the Android interface, the name of your encryption setting may vary. That said, it should be with your security settings. If encryption isn’t enabled by default on your device, there are some things you should be aware of before going through with the process.

Be sure you know the permission you’re giving apps when you use them. If you’re on iOS or newer versions of Android, your phone will ask you permission before accessing something like your photos, camera or contacts. It can be tempting to answer yes to everything so the app stops bugging you. I’ve been guilty of this, too. If you’ve ever given an app access to something and later regretted it, there are ways to reverse it.

If you go into your iPhone’s privacy settings, you can control which apps have access to your location, your media library, and your health and fitness data, among other items. Android versions Marshmallow and up include the option to control the permissions under the apps tab of your settings.

In older versions of Android, the permissions were listed when you went to install the app. Unfortunately, you don’t have control over individual permissions by default.

Finally, one special note regarding Android: In addition to installing apps from the Google Play Store, you have the option of installing apps from third parties. This is OK if you know what you’re doing, but if you’re not careful, it opens your phone up to malware. You can disable this option in your security settings.

Depending on the types of things you do on your phone, you might want to limit what gets backed up to the internet and keep local control on your phone. There’s always a bit of a push-pull relationship between security and convenience. You have to decide what works for you.

These basic security measures are important because they can help you avoid the hassle and inconvenience associated with identity theft.

FBI Tells Users to Change Passwords Frequently, Experts Say This Is Bad Advice

FBI Tells Users to Change Passwords Frequently, Experts Say This Is Bad Advice by Bogdan Popa.  Available from <http://news.softpedia.com/news/fbi-tell-users-to-change-passwords-frequently-experts-say-this-is-bad-advice-510528.shtml> [Nov 27, 2016 07:16 GMT]

You’d normally expect the FBI to provide us with the most efficient security tips, but a tweet published recently by the Bureau made many security experts raise their eyebrows and wonder who is actually behind these posts.

Specifically, the FBI tweeted on November 25 a piece of advice that’s supposed to help people stay secure during the holiday shopping season when cybercriminals are also very busy trying to steal our information.

“Shopping online this holiday season? Keep your accounts secure, use strong passwords & change them frequently,” the FBI posted.

And while keeping accounts secure and using strong passwords are indeed good recommendations, it’s the last part that caused controversy. Changing passwords frequently has often been described as bad practice, especially because doing this repeatedly can eventually lead to users turning to easy-to-remember passwords that can be quickly compromised by hackers.

Furthermore, it’s been proved that corporations forcing their employees to change their passwords on a frequent basis are actually more exposed because of the same reasons: workers end up using simpler passwords that are easier to remember, and this can’t lead to anything good.

Security experts: Nope

Security experts have questioned the FBI’s tweets, and one of those who recommended exactly the opposite is Per Thorsheim, who founded his own password conference to discuss the importance of passwords.

In a statement for Motherboard, Thorsheim explained that changing passwords frequently is a thing that you shouldn’t do and there are other ways to remain secure online.

“I am surprised and sad to see that the FBI continues to give out bad advice when solid academic research, numerous organisations, corporations and the US government themselves have said for at least half a year now that frequently changing your passwords is a bad idea,” he said.

“While I don’t know who at the FBI is in control of their Twitter account, the people behind it do not seem to be in control of current best practices. I do expect better than that from the FBI.”

So how exactly can you protect yourself online without actually changing passwords frequently? The easiest way to do this is to use a password manager that can help generate complex passwords that are difficult to compromise. Furthermore, make sure you enable two-factor authentication whenever it’s possible, and avoid using the same password for more than one service.
