Personal security!

Protect yourself!



HMRC data loss scandal

These security pages are not provided by Cheshire Constabulary - see footnote.

This document refers to PCs running Microsoft XP. While many of the problems are common across other operating systems the solutions may be different for those systems. The application of common sense is valid across all systems! There is also information on separate pages regarding identity theft and telephone security.


The problem with online abuse is that the crooks are playing on the PC user's gullibility, lack of knowledge about the systems – his PC, the internet and the banking systems – and plain old psychology. Let me offer some guidance that should keep most people out of trouble:

Financial transactions

1.         You will get many messages that claim to be from your bank, and from many other banks, and very plausible they are too, asking you to reply with account and password information or to click on a web link for a security check or confirmation.

NO BANK will ever ask you to do this because it would be totally insecure.

DELETE the message; DO NOT reply and don’t bother to forward it to your bank – they have seen millions of them already.

2.         All online financial transactions are carried out through web pages - NEVER through emails. The trader or bank may send you a confirmation email after a transaction but that should not require any reply from you.

NEVER approach financial transactions from an email.

ALWAYS use the web link provided when you signed up for the service, NEVER one provided in an email.

Use a Verified credit card for online transactions.

The latest scam! Don't fall for this one!

3.         Before you logon to any financial service check that the LOCKED PADLOCK or UNBROKEN KEY is displayed at the bottom right of your browser window. These should remain there throughout the session.

4.         Always LOGOUT from financial sites using the appropriate button or menu link. This is especially important on a shared computer. In fact, avoid using a shared computer for financial transactions.

5.         NEVER give your name, account number, password or PIN number in response to any email. Emails are never secure (unless you have set up an encrypted conversation - I have never been offered the opportunity on a domestic transaction).

6.         These rules are valid for all online transactions whether they be banks, share trading, online shopping, eBay, Amazon or similar trading sites.

7.         There are still many minor online shopping sites that do not display the lock or key at the bottom right. They may be completely insecure or secure with a small set up error; only an expert can tell the difference. Best advice is DO NOT use them.

Emails

8.         NEVER respond to emails offering you the chance to make easy money! If you do respond, even to tell them to go away, you just confirm that you exist and the crooks will then target you with ever more convincing messages. These messages are designed to steal your money. NEVER, NEVER reply to them.

9.         IF YOU SHARE your computer with anyone else, or you use a computer at an Internet Café, in the Library, Bridgend Centre or similar public place, remember that almost everything you do, including your passwords, may be LOGGED. It is fair to say that many perfectly responsible establishments won't even realise that their systems are logging user information and your information will not be at risk unless or until the PC goes for repair or second hand sale and is looked at by someone who knows what he is looking for.

DON'T allow the system to 'REMEMBER' your access IDs and passwords, even if it may be convenient; learn how to erase your browsing history (but this won't get rid of all logging information). Best advice is not to use a shared computer for financial activity – it is simply not worth the risk. See Methods: Clear your browser history.

10.     You've won the Lottery! The scammers write and tell you that you have won a huge amount of money on a lottery somewhere - even though you never bought a ticket. They offer to recover your winnings for a fee. You have to provide the fee up front. DON'T. This is another version of the transfer funds scam that has been used by the Nigerians for many years. If you get one JUST BIN IT.

Have a look at Crimes of Persuasion for more information on all kinds of computer based fraud. Scotland Yard's SCD6 Economic and Specialist Crime unit also have plenty of advice.

Dialup frauds

11.     If you use dialup (not broadband) check the number being used by the dialup routine to see that it is the number provided by your service provider. Some malicious emails and web pop-ups contain programs to change these numbers so that you unwittingly dial a premium line number before being routed to your provider. This technique also allows the crooks to monitor your activity and record userids and passwords. This can seriously damage your wealth both in any bank account you access online and when your next phone bill arrives. See Methods: Check the dialup number.

Virus checkers and firewalls

12.     Many problems can be avoided by using a virus checker and a Firewall. VIRUS CHECKERS are only any good if their signature data is updated at least once per month, sometimes more often; some, like McAfee, offer you an update every day. They must be running whenever you are connected to a network – the internet or a local network. See Methods: Virus checkers.

13.     Some Internet Service Providers (ISP) virus check all your email before they pass it down the line to you. In theory this means that you do not need your own virus checker, but remember they are only checking your email – if you import files through any other means, such as a data stick, then it won’t be checked. If your ISP claims to virus check for you make sure they check email attachments, zipped files (if you use them), and so on.

14.     A FIREWALL is designed to prevent trouble makers from getting into your computer without an invitation. This is especially important if you are on broadband - your computer is by default open to the world 24 hours a day. Get a firewall to make it invisible to the outside world. See Methods: Firewalls.

15.     Windows XP comes with a built in firewall which is now considered to be adequate provided you have SP2 installed (see 20 below) and keep your system up to date with Microsoft's security updates. However, in older systems (pre-SP2) it is installed to be switched off by default – you need to take action to switch it on. See Methods: Windows XP firewall.

16.     Microsoft released a major update for Windows XP, known as SP2, and you are advised to consider applying this to your system. It includes all security updates then made to XP plus a major improvement to the firewall. The firewall is switched on by default in SP2. This firewall operates in both XP Home and XP Professional versions of Windows XP.

Once you have installed XP-SP2 and you have broadband, it is recommended that you enable automatic Windows updates. Microsoft will then advise you when system updates, especially security updates, are available for download and installation. See Methods: Automatic Windows updates.

17.     If you are buying networking equipment it is a good idea to get a network box that also provides the ADSL interface to your broadband AND has a built-in firewall. Ensure that you configure the encryption feature otherwise anyone around the outside of your house may be able to get onto the internet via your line. They may also be able to access the data on your PC!

18.     There are web sites that will test your vulnerability through the network. See security tests.

New threats

19.     Looking at videos has become very popular. The malicious crew have wasted no time in using this popularity as a means to getting inside your PC. Read this item on BBC News. The short advice is be cautious in your use of YouTube or any other populist video sharing service – they are risky. Perhaps the virus defence industry will come up with a method of controlling them.

20.         A popular scam! Emails are being sent out purporting to be from a bank or building society and inviting you to open a new account - the deal is you deposit £500 and they will add £200 to your new account! Don't believe a word of it! They are really after your existing bank details and your cash. You send them £500 and that will be the last you see of it. And they will probably empty your existing account as well. JUST DELETE ALL MESSAGES OF THIS KIND. Do not reply to these messages.

21.         Broadband Routers and wireless network boxes. These devices are permanently connected to the internet. They can be approached from both sides - you, the user, can access out to read web pages, for instance, off the internet. Others, unknown, can try to get into your PC by addressing your broadband line which has a unique address. One of the purposes of the router (and wireless network boxes) is to provide a firewall between the internet and your PC.

However, it is possible to access the program within the router from either side provided that you know the password. Every router comes with a factory set default password. That password, though possibly different on every make of box, is common knowledge for those who want to know it. Therefore it is essential that this is changed to something known only to the user at installation time.

My first box came without a password set but did have installation instructions that emphasised the importance of setting the password and gave clear instructions on how to do this during the installation. Unfortunately it also provided the option to leave the password blank.

If you have the BT Broadband box the setup forces you to set up encryption, and some other makes now do this as well.

If you can't remember whether you set your password then you should check it. You will have been given a web address to put into your browser in order to maintain the settings in your router. Enter this now and when the maintenance home page comes on the screen look for Security or Password and click on that. On the password screen it will provide the opportunity to type in your password. To find out whether you set one, leave it blank and press enter. If you get to the next screen without complaint of a bad password you will know that you are not protected. Look for the Password setting option. Make sure you use a high quality password at least 10 characters in length and containing a mixture of letters and numbers. Remember that the hackers have all the time in the world to test your system with every common password, in fact the entire dictionary, until they find a match with your password. The more complex you make it the more likely they will be frustrated.

What can they do with your router? Once the hackers can access your router they can install their own software into its memory. This will be designed so that you don't notice any difference in its performance. However, they may have changed it so that every internet access you initiate is first sent instead to the hacker's own system where they will extract any useful information such as bank details and passwords, credit card numbers, your name and address, and so on, before re-routing your information to the web site that you intended it to go to. This will respond to the hacker's site which will repeat the operation of data extraction and forward the page on to you. This all happens so fast that you will never notice what has happened.

22.         Misuse of popular sites such as Amazon and eBay. The hackers are now misusing these well known and popular names for phishing activities. They send you an email that looks exactly like one from Amazon or eBay with questions or statements regarding your account. They provide a link for you to pursue the matter online. This link, of course, is fraudulent and takes you to the scammer's own web site where they extract information from you such as account name and password.

If you get such a message always approach your account via the web address originally provided by Amazon or eBay, NEVER use the link in the email message.


Wi-Fi

New technology, new security problems. The wi-fi boxes themselves appear to be generally well designed from the security point of view. Every wi-fi box description that I have read shows that there are two important security features available - a firewall and encryption over the airwaves. Provided that these are configured correctly and maintained in use (switched on) then they should provide the essential protection that the domestic user needs.

The weaknesses with wi-fi are brought about by its very purpose - to make the internet accessible from a PC or laptop without the use of wires. This is achieved by low power radio waves. The range is supposed to be limited to around 10m. Depending on the location of the box and the structure of the house this range can be more or less. What is certain is that access can be obtained from outside the house as well as inside. While resolving problems in a friend's house I found that I could pick up a signal from my own wi-fi. Our houses are in line of sight but well over 200m apart!

Problems. If you leave the access password as the manufacturer's default then anyone can get in and re-configure your box and help themselves to information from your machine. It is possible to install a logger in the box that will provide the attacker with everything you transmit in or out of your PC including all userids, passwords and account information from bank or other financial bodies you happen to access.

ALWAYS change the default password to something of your own. Make it a strong high quality password. You don't have to remember it because you will very rarely need it but do record it off the PC, somewhere where you will look for it when you do need it.

A second problem will only concern you if you are working with highly sensitive information which should be more strongly protected than the average domestic data. The encryption used by wi-fi boxes is rather limited in its protection capability. You will be given the opportunity to create a personal key when you set up the box. Two methods are used. The easiest is the encryption phrase. You are asked to type in a phrase of your choice and this will be used by the software to generate a 128 bit encryption key. The second method is to type in a key of your choice. This latter method is prone to typing errors because it is hard to see whether you have typed it in accurately. The key will be displayed in hexadecimal - it will be composed of the digits 0-9 and letters A-F. 128 bit encryption is OK for basic use but can be broken by brute force on a modern high powered PC in about 10 minutes. The seriousness of this is that unless you change it this key remains in use continuously.

More advanced encryption systems use longer keys and constantly change them so that brute force takes much longer and then only discloses one packet of data. This strength of security has not yet reached wi-fi. The mobile phone networks use security similar to this.

Another potential problem with wi-fi is that a passing PC (and its user) can detect your network and attempt to connect to the internet through your broadband link. They can only do this if your wi-fi is not password protected or they know the password. They will also need to know the encryption key. It is a criminal offence under the Computer Misuse Act to obtain access to the internet via someone else's connection without their authority to do so. There has already been a successful prosecution for doing this. Why would anyone want to do this? Well it is usually those who choose not to afford to pay for their own broadband service. Nowadays you can look for networks in any built up area and find several, if not many, networks, and there is often one or more that are not protected. Access to the wi-fi box also provides access to the attached PC.

This widespread wi-fi availability has resulted in an obvious service to those who spend their lives out and about with their wi-fi enabled devices; not just laptop PCs but also hand-held PCs, mobile phones, navigators and no doubt countless portable electronic gizmos yet to be invented. The proposal (10/2007) is to invite domestic broadband users to authorise the use of a part of their broadband capacity by passing subscribers to an open wi-fi service. Present advice is that the security of such a system should be considered suspect until such time as the experts have thoroughly tested it. This advice goes for both domestic broadband capacity providers and to those who would use the service. In fairness, the company proposing the service say that the public users will be kept entirely separated from the domestic user and that there will be no crossover access.

Note that even though your broadband box has a wi-fi facility, your main (desktop) PC should be connected to it by a cable. This not only improves performance - no encryption required - but also improves security by avoiding transmitting data from your main PC to the ether.


Security - absolutely essential with broadband

Broadband is an open network service. Its users are permanently connected and open to the internet. Each user has a fixed address in the form nnn.nnn.nnn.nnn . Your address is unique in the world. Anyone on the planet who has internet access, including all of the world's hackers, can access that address - your PC! If you don't have adequate security they can, entirely without your knowledge, read from your PC and write to it - they can copy all of your programs and data, they can delete your files and overwrite your hard disk with rubbish or worse - such as running their programs designed to use your computer to do their hacking for them.

Hackers run automatic programs designed to test every possible internet address to see if they can access the computer attached to it. There are so many of these programs running that it is said that every address is likely to be tested every ten minutes on average! Once they find a suitable machine they can turn it to their own use. They are also doing the same attacks on internet routers with even worse results possible - see 21 above.

Viruses and worms. The hackers continuously identify weaknesses in Windows security and attack through these. Viruses come in with the email. They usually hide in attachments - you open the email and click on the attachment and instantly the virus is executing in your system. Worms are more insidious because they attack without you calling in any email. They can access your system as soon as you connect to your internet service. Viruses can be killed by using a virus checker which must be up to date. Worms can be deflected by using a firewall and some can be killed with a virus checker.

Hacking is a criminal offence in the UK under the Computer Misuse Act. But you could inadvertently become involved in criminal activity. Only an expert could prove that it wasn't you who had set in motion activity seeming to have originated from your computer. Do you know what your computer does while you are asleep at night? Would you recognise in the morning that it had been hard at work throughout the night - for a well known terrorist group, for instance? You would not. Perhaps you should switch it off at night, and save some electricity as well.


Methods

Clear your browser history

In Microsoft Internet Explorer – click on the Tools command at the top of the screen, then Internet Options, the General tab. Look for the section in the middle titled Temporary Internet Files. Click on the Delete Cookies … button and OK out of the window. In the same section click on the Delete Files … button, set the Delete all off-line content check box and OK out of the window. Look for the History section and click on the Clear History button. OK out of the window.

Check the dialup number

On Microsoft Windows – click the Start button, Control Panel, Network Connections, then right click on the file which is your normal dial up connection and click on Properties. Find the Phone number section in the middle of the window displaying the Phone number. This should be the number given to you by your Internet Service Provider (ISP). If not, then type in the number you were given and click OK. If it was correct Cancel or press the Esc key.

Be especially suspicious if the number begins 09... (premium rate number) or 00... (International number). You can have both these types of calls barred from your phone if you wish - call your telephone service provider for details. There may be a fee for this service.

If you are not sure which file you should be looking at look for a name that relates to the service you use; for instance, if your ISP is BT Openworld then look for those names in a file name.

If you have been defrauded by this scam you may be able to claim some recompense. In October 2004 ICSTIS, the Independent Committee for the Supervision of Standards of Telephone Information Services, ordered the phone service companies, such as BT, to disconnect a list of lines that were being used for this fraud. Customers who have been subjected to fraudulent charges should get in touch with one or both telecoms complaints services which are OTELO, the Office of the Telecommunications Ombudsman, and CISAS, the Communications and Internet Services Adjudication Scheme.

If you are a broadband user then this fraud won't trouble you. BUT be sure that when you have converted over to broadband you have disconnected your old modem. If it was an external device then remove it completely from your system - keep it away from your machine for use as a backup should broadband fail. If the modem is built into your processor, disconnect the telephone line from the back of your system.
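The check described in this section, automated as an added example (not part of the original page): this Python sketch reads a dial-up phonebook and flags any number that begins 09 or 00, or that is not the number given by the ISP. It assumes the phonebook is an INI-style text file with one [entry name] section per connection and PhoneNumber= lines, as in the rasphone.pbk file Windows XP keeps for dial-up connections; the sample file, the function names and every phone number are constructed.

```python
# Prefixes the page says to be especially suspicious of.
SUSPECT_PREFIXES = (
    ("09", "premium rate prefix 09"),
    ("00", "international prefix 00"),
)


def digits(number):
    """Reduce a dial string to its digits; a leading '+' means the same as 00."""
    number = number.strip()
    if number.startswith("+"):
        number = "00" + number[1:]
    return "".join(ch for ch in number if ch.isdigit())


def parse_phonebook(text):
    """Return {entry name: [phone numbers]} from INI-style phonebook text.

    Parsed by hand rather than with configparser because one entry may
    carry several PhoneNumber= lines (alternate numbers), and all of them
    can be dialled, so all of them must be checked.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = []
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "phonenumber" and value.strip():
                entries[current].append(value.strip())
    return entries


def audit_phonebook(text, isp_number):
    """Return [(entry, number, [reasons])] for every number that needs a look."""
    expected = digits(isp_number)
    findings = []
    for entry, numbers in parse_phonebook(text).items():
        for number in numbers:
            dialled = digits(number)
            reasons = [label for prefix, label in SUSPECT_PREFIXES
                       if dialled.startswith(prefix)]
            if dialled != expected:
                reasons.append("not the ISP number")
            if reasons:
                findings.append((entry, number, reasons))
    return findings


# Constructed phonebook; entry names and numbers are made up for the example.
SAMPLE_PBK = """\
[My ISP]
Type=1
PhoneNumber=01632 960123

[Fast Connect]
Type=1
PhoneNumber=0909 879 0123

[My ISP backup]
Type=1
PhoneNumber=01632 960123
PhoneNumber=00 1 202 555 0100
"""

if __name__ == "__main__":
    for entry, number, reasons in audit_phonebook(SAMPLE_PBK, "01632 960123"):
        print(f"{entry}: {number} -> {', '.join(reasons)}")
```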

Virus checkers

It is essential to use a good quality virus checker, either on your machine or one provided as a service by your ISP (see 17 above). A large proportion of emails are infected with viruses and worms and if these get into your system some of them can be very destructive. A maintenance agreement is also essential so that you get virus pattern updates at least once a month, preferably more frequently. Two well known and respected virus checkers come from Symantec AntiVirus and McAfee VirusScan. The free (for personal use) AVG virus scanner is also very well regarded.

It may also be worth considering a service provider that filters spam and viruses out of the mail before you get it. I use such a service (BTYahoo) and the incidence of both spam and viruses has fallen dramatically since they provided this service, which is free. You do need to check the emails that they pull out as spam because they sometimes remove messages that you would wish to receive. This review is easily done via a web page without downloading the messages.

Firewalls

A security firewall is absolutely essential for your protection when connected to broadband! Windows XP SP2 contains a good and reliable firewall and it is switched on by default. However, you might consider a proprietary firewall which has more management capability. A good place to start is at Zone Labs Inc. who, for instance, supply three different versions of their security firewall. The most basic version, ZoneAlarm, is free and highly rated by technical reviewers for its fundamental ability - keeping the hackers out.

Many anti-virus product providers also supply a firewall option.

 
If you use Windows XP Professional or have SP2 installed on either XP Professional or XP Home there are some built-in firewall capabilities. These should be configured whether or not you use broadband because they can provide protection at any time that you are connected to the internet regardless of the technology employed.

Windows XP with SP2 applied (available September 2004) provides a much better level of firewall security and it is recommended but see the notes under item 20 above.

Because of the prevalence of hacking it is now recommended that PCs have a firewall even if they use only dial-up connection to the internet. Hackers can abuse systems by making use of the short logged on period that you use to get email and set their programs to work waiting for your next online session before they spit out the results - such as virus laden emails to every email address in your system for instance.

All other versions of Windows have no built in firewall and some protection should be employed regardless of the means of connection to the internet. In short, every internet connected PC should have a firewall.

It is not recommended to have more than one firewall operating in your system at any one time. Some firewalls don't interact very well and can interfere with each other's action to the detriment of your security.

Broadband routers and wireless network boxes normally contain firewalls which should be configured tightly - see 21 above. Note that it is still worth configuring the PC's firewall even when you have a router/wireless network firewall in operation. This will help to protect you from other PCs on your wireless network.

Windows XP firewall

If you don't have SP2 installed (and you should have) then to activate the firewall, click the Start button, Control Panel, Network Connections, then select (hold the mouse pointer over) the connection file you wish to protect. Look at Network Tasks in the left hand column and click on Change settings of this connection. Click the Advanced tab and look for the Internet Connection Firewall section then select the Protect my computer and network by limiting or preventing access to this computer from the Internet check box. OK back to the Network Connections window.

This procedure may differ where Windows XP update SP2 has been installed but the firewall is on by default so you shouldn't need to do anything more.

Spyware, usage trackers, keyloggers

These are all undesirable routines that create insecurity in various ways. Spyware are small programs that search your system for information that others consider to be useful. But if this information includes account numbers, passwords and other personal information it can really only be of use to those who would steal your identity and attempt to defraud you. Usage trackers are designed to log the web sites you visit so that advertisements, particularly popup ads, can be targeted at you. Keyloggers are perhaps the most dangerous because they are designed to record you typing your userid, account numbers and passwords and then transmit them to another place from which they can be misused.

These are not viruses. Some of these routines get into your system as a result of you clicking on links in popup adverts. For instance, an ad may come up and demand that you click on the yes button to get rid of it. Unfortunately that click sets a small program in motion that downloads and installs the malicious program in the background. Many of the problem routines save the information they want in cookies and this is extracted by rogue code in web pages. It should be said that cookies are an important and useful tool to you. Many web sites simply won't work if you switch them off - and I don't recommend that you do. It is much better to bring the misuse under control.

And all of these miscreants can be brought under control. Have a look at Spybot Search & Destroy. This shareware program will identify these types of malware in your machine and give you the option of getting rid of it, and protect you from catching it again.

Alternative web browser

Because the Microsoft Internet Explorer 6 is so popular - 90%+ users employ it - it stands out as a target for abusers. They seek out its weaknesses for exploitation. This suggests that users could avoid the problems by using another browser. You could have a look at Mozilla Firefox, a free browser very highly rated by aficionados but not liked by me. It is faster than MS IE6 and is said to be immune to the kinds of attacks aimed at IE.

However, the easiest thing to do is to upgrade to MS IE7. Released in October 2006, this is by far the best browser yet published. I now use nothing else. It has some really excellent new features that are better implemented than on Firefox, but above all – the security is said to have been very much improved. How long this will remain so only time will tell. But for now it is the best (writing on 31 Oct 2006). If you have Microsoft updates switched on in your PC you will be automatically invited to update to IE7. Take the opportunity but make sure there is nothing else running in your machine before you start and allow up to 20 minutes and two reboots for the installation!

Security tests

Try looking at GRC. There is no need to read and understand all the technical stuff - just click the test buttons. The responses are pretty clear. If your system is not invisible then you are at risk. These tests are checking just your firewall.

Verified credit card transactions

Most internet card frauds occur when cards or card details are stolen in the real world and are then used by criminals to buy valuable items online.

By signing up to Verified by Visa or MasterCard SecureCode you can protect your card details from online misuse by fraudsters. You can arrange with your card issuer passwords for use when shopping on the internet. These provide two way control as an additional level of security and make it much more difficult for a fraudster to buy online using your card details.

With Verified by Visa and MasterCard SecureCode cardholders register their personal details together with a Personal Assurance Message and a personal password with their card issuer.

The Personal Assurance Message will be displayed every time your password is requested during an internet transaction to prove that the password request has come from your card issuer. Having checked your Personal Assurance Message, you are required to enter your password to authorise the transaction. This security technique ensures that you know beyond doubt that the transaction is being carried out by your card issuing company and is not being faked by a fraudster in order to obtain your card details.

Many of the UK's biggest online businesses have now joined these security schemes. Visit Verified by Visa or MasterCard SecureCode and you can view demos of the systems and lists of participating online shops.

When shopping online look for the relevant Verified by Visa or MasterCard SecureCode logos. Keep records of all transactions. Print out orders and keep copies of the retailer's terms and conditions for delivery and returns. When buying from other countries remember that it may be more difficult to recover your money if problems arise.

You can also visit the following web sites for more details about fraud prevention: Get Safe Online; CardWatch; Identity Theft; Bank Safe Online; Cifas.

Automatic Windows updates

To check and, if necessary, set automatic Windows updates first click the Start button and then Control Panel. In the left hand panel it should say See Also, Windows Update. Click on Windows Update and you will see the Windows Update home page loaded into your browser. Look at the top box on the right side. It will tell you how Automatic Updates is set on your PC. If it is set off there will be a link to enable you to turn it on (recommended). If it is already on it will say so. Other information on the page will also vary depending on the status of your PC. If you have not updated the system for a while I suggest you click the Express button and Microsoft will list all the updates that are relevant to your system. After downloading and installation it will most probably be necessary to re-boot the system.

Further advice

More information on scams can be obtained from a web site provided by the Office of Fair Trading (OFT) and called Consumer Direct.


The author ...

... is a retired Information Security Manager. I give no warranty that the advice given will prevent your system from suffering from viruses, worms, spam, spyware, usage trackers, keyloggers, abuse or any unauthorised programs or macros of any kind introduced by any means. It must be accepted that the subject is not fully explored in this document and descriptions of problems and solutions are necessarily brief and incomplete. New security problems are regularly being discovered in PC operating systems and other software and users need to be constantly alert to the latest threats. Nor do I give any warranty regarding personal identification protection, use of social networking web sites, or calls to or from banks and finance houses. Neither do I take any responsibility for any third party web site nor for any products offered or supplied by those sites or any retail outlet or the companies promoting them. If in doubt ask for advice for your specific system or problem from a company offering such advice or service. Always follow the specific advice of hardware and software suppliers, banks and finance houses as appropriate.

© Copyright 2007 Tim Boddington