
How safe is your money when online?

In the vein of current political upheavals regarding phone tapping and effective data theft amongst our allies, commercial entities are not excluded.

Mobile phone technology makes tracking of individuals dead simple. As we move, our phones select the nearest phone tower to maintain our service. So if one knows the location of each tower, each of which has its own unique ID, then one can play “join the dots” to track our movements and whereabouts. As the television meerkat ad says: “Simple!”

Internet security has become the largest threat potentially confronting not only large organisations but also you and me. This point was driven home as the Christmas period approached.

A string of rather spectacular and major security breaches was discovered in fairly quick succession. The first of these was Adobe. We all probably use their PDF reader, but others in the graphics business or code development stream use quite a number of what are deemed to be the top-of-the-range products for these applications.

In October 2013 the estimated number of customers affected was revised to 38 million from the earlier assumption of 2.3 million, a staggering number; and to make matters worse Adobe’s most current advice indicates that data stolen included customer passwords, ‘encrypted’ credit card numbers and the source code for some of its products. Source code theft leads to future problems as it allows malware to be written so that it readily interfaces with the official software thereby creating a further level of breach sophistication.

Nobody is ignored. Users of online dating website Cupid Media were advised that a breach of its customer data, from as far back as January 2013, had been discovered, involving as many as 42 million customer records. The records stolen include customer names, email addresses and unencrypted passwords. The stolen data was discovered in November 2013, in the same location where data dumps from other recent breaches were found, including the recent Adobe breach. Cupid Media has indicated it initially took action following the January breach to reset customer passwords and introduce password encryption but, following the current publicity, it has stated it is now “double checking that all affected accounts have had their passwords reset and have received an email notification”.

Cupid Media also indicated that the 42 million records likely included old and inactive user accounts. Users of Cupid Media were advised to change their password.

Users were sensibly advised that if they used similar logon information for other online services, they should also change these – ensuring they are unique.

The frightening fact, which was quickly revealed, showed that nearly 2 million accounts for Cupid Media used the weak and easily guessed password “123456”.

As with other large scale breaches such as the Adobe breach, the likelihood of people reusing their password on other services is also, unfortunately, high; and when combined with a name or email address, it is a simple matter for hackers to seek other online services where these credentials are enough to gain access.

And then there are botnets! Cyber criminals have used a botnet to steal logon information for approximately 2 million people, affecting a variety of sites including Facebook, LinkedIn, Twitter, Google and payroll service ADP. The stolen credentials are not believed to have been publicly posted; they were discovered by researchers from security firm Trustwave, who were able to access a command and control server used by the attackers to administer the botnet.

Botnets are networks of computers, called bots, that have been compromised by cyber criminals. The computers could belong to anyone connected to the Internet, from home users to businesses – including yours.

Unlike a more traditional breach where data is stolen from a company’s website by hacking the site, this botnet stole the logon information from each of the individual computers in the botnet and then sent that information back to the command and control server. In this case, malware known as Pony was used to compromise each of the computers to form the botnet. The malware captures information as the user enters it online.

It is for these kinds of reasons that I have long ceased the practice of scattering my financial information all over the web, as would happen particularly when shopping online. I use PayPal to pay for my purchases and also use it to invoice my clients. It really is all very simple for both ends of a transaction. Log on and have a look if you are not familiar with this service.

And this is where my story really starts.

The value of this service was demonstrated when clients attempted to pay my invoiced amounts. It did not take long before several complained that they were unable to pay me via PayPal. Ha! Was this another version of “the cheque is in the mail”? I know and trust my clients and therefore this couldn’t be avoidance or a coincidence. But what was going on particularly since two of them were veteran users of PayPal?

The story spun out with emails from PayPal quoting secret numbers to be used as email subject lines or, as in one case, a phone number that would only be answered once, after which time the line would shut down. Another episode required my client to prove his identity by presenting passport and social security information at the post office. All this for a few small-amount transactions?

This was becoming quite James Bondish and was very cloak and dagger stuff.

What started as frustration became an appreciated act when things were explained by PayPal. The transaction amounts turned out to be unusual for these users and were picked up by PayPal’s monitoring system. That in turn resulted in the debit side of the transaction being blocked. All to ensure that my clients’ financial records had not been compromised and were not now being used for nefarious purposes. My clients ended up being quite impressed despite their initial ire. Once satisfactory ‘proof of legitimacy’ was provided, things again flowed smoothly.

To me this hiatus gave considerable comfort in at least this web based system. I had assumed that larger amounts may have to be involved before such actions occurred; but no, amounts of less than a hundred dollars also rang bells. I hope that all financial dealers have their electronic inspectors on the ball just as PayPal demonstrated.

This pleased me immensely since quite a number of clients have had such payment setups included in their web sites. Now I can vouch for their effectiveness and value.

I would urge you all to be warned and reassured by this little real life tale whilst I wish you a very happy New Year!
