Archive for the 'security' Category

So long, and thanks for all the phish

My bank sent me an email recently warning of an increase in phishing attacks. Today I heard a director of the bank talk about the attacks on the radio, stating that the fake website targeting their users not only asks for account number, PIN, password etc., but also for the user’s email credentials – and reportedly, users are falling for this!

These credentials are requested because the internet banking system sends out a one-time password (OTP) via SMS or email when certain transactions are conducted – so if the attacker owns your inbox as well as your login, they can transfer all your money to an account of their choosing.

However, I disagree with the bank’s advice. The email stated:

Remember, it is safer to type Standard Bank’s web address (www.standardbank.co.za) into your browser instead of clicking on a link in an email.

For sure, don’t click on a link in an email to get to your internet banking – but typo-squatters are just waiting for you to mis-type such an important URL, and if you got it wrong, would you notice, given that the site looks just the way you expected it to?

My advice, for all important websites: the first time you go there, type the address – and make very sure you are on the right site. Then bookmark it, and only use the bookmark to get there. This avoids the risk of misspelling it when you are a bit more relaxed and ending up at a fraudulent site.

Even better: Use the petname plugin for Firefox. This will clearly show you if you are visiting the same site (with the same SSL certificate) as you visited before.
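The trust-on-first-use check that the bookmark-and-petname advice relies on, as an added illustration in Python (not the Petname plugin’s own code): the first, carefully verified visit records a petname and the site’s certificate fingerprint; later visits either show the petname, warn that the certificate changed, or show nothing at all for a host that was never verified, which is exactly what a typo-squatted look-alike would produce. The hostnames and certificate bytes below are constructed sample data.

```python
import hashlib
from typing import Dict, Optional, Tuple


class PetnameStore:
    """Trust-on-first-use store: hostname -> (petname, SHA-256 of the DER certificate)."""

    def __init__(self) -> None:
        self._entries: Dict[str, Tuple[str, str]] = {}

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # Fingerprint the certificate bytes rather than comparing the CA-signed chain;
        # this is what lets a user recognise "the same site as last time".
        return hashlib.sha256(cert_der).hexdigest()

    def remember(self, host: str, petname: str, cert_der: bytes) -> None:
        """Record a site on the first, manually verified visit."""
        self._entries[host] = (petname, self.fingerprint(cert_der))

    def check(self, host: str, cert_der: bytes) -> Tuple[str, Optional[str]]:
        """Return (verdict, petname): 'match', 'mismatch' (cert changed) or 'unknown'."""
        entry = self._entries.get(host)
        if entry is None:
            # Never verified: a first visit, or a look-alike domain the user mistyped.
            return ("unknown", None)
        petname, known_fp = entry
        if known_fp == self.fingerprint(cert_der):
            return ("match", petname)
        # Same hostname but a different certificate: rotation or interception; warn.
        return ("mismatch", petname)


# Constructed sample data (not real certificates or fingerprints).
BANK_HOST = "www.example-bank.test"
TYPO_HOST = "www.exmaple-bank.test"
BANK_CERT = b"constructed DER bytes for the genuine bank certificate"
OTHER_CERT = b"constructed DER bytes for some other certificate"


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Walk through the three outcomes a user of such a plugin would see."""
    store = PetnameStore()
    store.remember(BANK_HOST, "My bank", BANK_CERT)  # first visit, address checked by hand
    return {
        "bookmark": store.check(BANK_HOST, BANK_CERT),
        "cert_changed": store.check(BANK_HOST, OTHER_CERT),
        "typo": store.check(TYPO_HOST, BANK_CERT),
    }


if __name__ == "__main__":
    for scenario, (verdict, petname) in demo().items():
        print(f"{scenario:13s} -> {verdict:9s} petname={petname!r}")
```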

Insecure kiosks at security conference

The kiosk PCs at the RSA conference are running Windows XP, logged in as Administrator. (Updated: Wired has pictures) Any user could install spyware to intercept the next users’ passwords and data. You’d think a security conference would have… secure infrastructure?

In related news, Microsoft says Vista is the most secure version of Windows so far – yet not perfect – but blames the users for security issues. Craig Mundie, now responsible for security at Microsoft, said at RSA:

“The challenges we face in building our products, and the challenges everybody faces in administering and using them, is that humans are humans and they make mistakes.”

What we need then is software for human beings.