These days, people do their shopping, banking, investing, and retirement planning from the comfort of their home using their computer. A large percentage of those folks use wireless access points at home to get their internet connectivity. I know our neighbors certainly use wireless. When I connect to our home wireless access point I get a list of somewhere between 7 and 10 other wireless networks, depending on the time of day, in addition to seeing our own network.
I can imagine that at least some, if not all, of our neighbors use their internet connection for something financially related. By doing a few simple things, you can keep casual observers and attackers from getting easy access to your bank account information. And in any case, who wants to have your next door neighbor’s son using your open wireless connection to search the Internet for who knows what online?
Being the good neighbor, I informed my neighbors that they might have insecure wireless networks because I had seen several networks without encryption. Having some experience in this area, I offered up some advice on how to secure their networks.
Here are 6 steps to secure wireless connections:
- Make sure that your wireless access point has a good administrative password. Don’t just use the default, or a password that comes from the dictionary. If you have trouble remembering passwords, check out Password Corral.
- Use Wireless Protected Access (WPA). WPA is the recommended method for encrypting traffic on your network. WPA Pre-Shared Key is what you should select for most home networks. This allows you to set a pre-shared key, or passphrase, that is required for a user to be able to log in to your network, or to see any of your traffic. If your wireless access point only supports Wired Equivalent Privacy (WEP) for protection, you should buy a new access point or upgrade the firmware. WEP is worse than not using any encryption (at least when you don’t have encryption, you know where you stand). WEP can trivially be hacked and is no longer recommended for protecting your wireless network.
- Use a strong passphrase to protect your network. Your passphrase is different from the administrative password we set in step 1. The passphrase is the key you will use when connecting to your network. Most wireless clients, like the default one in Windows, will cache your passphrase so you only have to enter it the first time you connect. I highly recommend you choose a passphrase that is intentionally long, contains numbers, letters, and special characters so as to make it incredibly difficult for someone to guess. Maybe something like Man12This!!is@an&incredibly()long-passphrase. Your access point may or may not allow all of those characters, so get creative with the characters you can use.
- Use MAC address filtering. Your Media Access Control (MAC) address is the hardware ID of your wireless network adapter. You can limit what computers can visit your network by their hardware identification. A savvy attacker can find ways to bypass this, but it does put a stumbling block in place for the casual observer of the network who wants to try and easily get access to your network.
- Change your wireless network’s ID. Your network ID, or network name, is also known as a Service Set Identifier (SSID). By default, it might be set to something like “linksys” if you use a Linksys access point. Using the default name might indicate to hackers that you haven’t secured your network. Don’t choose something that identifies who you are (your name, address, or phone number for instance), or contains anything from the password (or passphrase) you set for the system.
- Use SSID cloaking. When you cloak your SSID, you keep certain default wireless messages from broadcasting the ID to anyone and everyone. This doesn’t keep someone from getting your SSID, but it can stop the casual observer from seeing your network easily. If someone is watching while you actively use your network, they will likely see your real SSID. This isn’t a problem, but if someone is just driving by and gathering wireless network information (a process known as War Driving), there is a chance they will pass right by your network.
The list isn’t comprehensive, but if you follow the recommendations, you’ll be better off than many of the networks I’ve seen. The last two are of debatable importance, but they are something I do as a best practice. You only gain a little more anonymity rather than security, but I prefer not showing off my network by broadcasting anything about it.
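The passphrase and SSID steps above can be checked in a few lines. This is an added example, not part of the original article: it tests a candidate against the WPA pre-shared passphrase limits (8 to 63 printable ASCII characters) and the article's advice, then derives the 256-bit key the way WPA-PSK does, with the SSID as the salt, so the same passphrase gives a different key on a renamed network. The function names and the 20-character "long" threshold are assumptions made for the example.

```python
import hashlib

RECOMMENDED_MIN = 20  # assumption for this example; the article only says "long"

def passphrase_problems(passphrase):
    """Return reasons a passphrase is unusable or weaker than the advice above."""
    problems = []
    # WPA pre-shared passphrases are limited to 8-63 printable ASCII characters.
    if not 8 <= len(passphrase) <= 63:
        problems.append("must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("contains characters outside printable ASCII")
    if len(passphrase) < RECOMMENDED_MIN:
        problems.append("shorter than recommended")
    if not any(c.isalpha() for c in passphrase):
        problems.append("no letters")
    if not any(c.isdigit() for c in passphrase):
        problems.append("no numbers")
    if all(c.isalnum() or c == " " for c in passphrase):
        problems.append("no special characters")
    return problems

def derive_psk(passphrase, ssid):
    """Derive the WPA pre-shared key (hex): PBKDF2-HMAC-SHA1, SSID as salt."""
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return key.hex()

if __name__ == "__main__":
    sample = "Man12This!!is@an&incredibly()long-passphrase"  # from the article
    print(passphrase_problems(sample) or "passphrase ok")
    # Same passphrase, default SSID versus a renamed one (constructed names).
    print(derive_psk(sample, "linksys"))
    print(derive_psk(sample, "blue-heron-42"))
```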
For the truly concerned, many wireless access points will have some way for you to get logs of attempted connections. Check the manual for your access point if you want to use this feature.
Even if you don’t do any of your banking or financially related activities over wireless, following these steps to protect your wireless network will still provide some security and peace of mind.
Let’s face it, some of the best deals you’ll find on the stuff you need (or want) can be found online. You could find yourself shopping all over the Internet at online stores you’ve never even heard of before finding fantastic bargains. But then you have to wonder if the sites are legitimate. Do they have good security? Will my credit card information be safe?
There are things we can do in the virtual world to protect ourselves from credit card fraud. You’ve probably read a story or two about credit card information being stolen from an online store. In some of these cases, hackers were able to break into the store’s databases by exploiting various insecurities in the shop’s website or network setup. In other cases it could have been an employee stealing this information. Either way you could be at risk. If you shop online and you use a credit card for purchasing there are ways to minimize the impact. One of those ways is to use virtual credit cards.
Virtual credit card numbers, also called one-time use, single-use, controlled payment number, or disposable credit card numbers, are an easy and effective way to help avoid the hassle of dealing with fraudulent charges. A virtual credit card number is basically an alias for your real account number, keeping your real account number private. If that store happens to get compromised, they won’t even know what your real account number is. Your virtual credit card number can be customized to restrict the credit limit or expiration date.
Depending on your bank, you may or may not even have the option to use a virtual credit card. If you shop online, I recommend you look for this feature when you are evaluating credit cards. My credit card is with Citibank and they support the use of virtual credit card numbers. Other banks, such as Discover and Bank of America, also have these capabilities with their cards. With Citibank, you can use their software applet in Windows to create a new card, or their online web interface if you need to generate a card number with a Mac or Linux box.
Generating a virtual credit card number is simple. Here is a short example of using a virtual credit card generator, specifically Citibank’s version.
Using a Virtual Credit Card Generator
After you log in, you will get a screen which shows you all the options available, including viewing past cards and generating a new card. We start by clicking on “Generate Virtual Account Number”.
If you click “OK” on the next page, Citibank will generate a virtual credit card number with no spending limit which expires the following month. I rarely use this option. Instead, at this menu I select “Advanced Options” at the bottom.
With the “Advanced Options” menu, you have two options. You can create a card with a spending limit (which I always set) or you can create a card that has a spending as well as a time limit (which I select for cards I am using for recurring expenses such as Vonage).
Once you generate a card, you get the 16 digit card number, a CVC (3 digit card verification code), and the expiration date. If you are using Windows and the Citibank applet, you can have the applet automatically enter the payment information into the shopping checkout form you have up in your browser.
Although the example uses Citibank, Discover seems to use the same software (according to Wikipedia, they both use Orbiscom).
You may be thinking, “but why would I do this when I’m not liable for fraud on my card anyway?” For me, this feature adds peace of mind. If a virtual credit card number is stolen, I can look back at the logs and see exactly which merchant I used that card to purchase from. On top of that, they are restricted in how much they can charge due to the limits I set on the card. I don’t have to worry about someone maxing out the card and screwing up any automatic charges I have set up on it.
Using a Debit Card Online
If you normally use a debit card, I highly recommend you don’t use it online. Not only is this tied to your banking account with your real money, these cards don’t always offer the same protections as credit cards. If someone gets a hold of your debit card information and manages to spend all the cash from your bank account, you may be unable to access it until the bank finishes their investigation into the matter. It’s your money on the line, not necessarily the bank’s.
If you aren’t using virtual credit card numbers for your own online shopping, I highly recommend you give them some serious consideration. Now I feel I can be even more frugal by selecting the best deals I find online without having to worry as much about my credit card number being stolen. If you don’t have a card with one of these banks, or can’t use virtual credit card numbers for some reason, my recommendation would be to avoid using your credit card online except for at established online stores. In the end, you should only be liable for a small amount, but dealing with the hassle just doesn’t seem worth it to me. You can make your own decision as to how much risk you are willing to take with your credit card. We’ve got a friend who’s had her credit card number stolen 3 times from online stores. 3 times. Now, she only uses virtual credit card numbers online. For me, it’s a feature that is indispensable and I wouldn’t shop online without one.
Virtual credit cards – don’t shop online without one.
Pay attention! There will be a quiz at the bottom of this article.
Phishing, as defined by Wikipedia:
In computing, phishing is a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. eBay and PayPal are two of the most targeted companies, and online banks are also common targets. Phishing is typically carried out by email or instant messaging, and often directs users to give details at a website, although phone contact has been used as well. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, and technical measures.
Typically, phishers try to get sensitive information like account numbers and passwords by sending emails that appear to be from a trusted source like Bank of America. Sometimes the emails have subtle (or even obvious) mistakes that can give you a clue that the email isn’t really from the trusted source, and other times they look convincingly real.
These emails will usually encourage you to visit the website to update some information. For instance, they might say that your account has been compromised and you need to click a link to contact them. That link will take you to a page that the criminals own and prompt you to give up account details or personal information they can use to steal your account or identity. After going through all the work to save your money, invest wisely, and plan for the future, you definitely don’t want to lose it to a phishing attack.
A few things to look for to determine if the email is a phishing email:
- Does the URL point to the website you would expect (e.g. if it’s from Chase, does it point to chase.com, or something else?)
- If you look at the contents of the URL, does the start of the URL appear odd? (Are there characters like :, % or @ near the beginning? Learn how to recognize URL obfuscation.)
- Does the email contain misspellings or grammatical errors?
- Are you sure you even have an account with the bank or institution that sent the email? (I get these for places like SunTrust bank where I’ve never had an account)
Most folks are savvy enough to understand that when an email comes to your inbox from Paypal, or maybe eBay, and it’s filled with misspellings and strangely worded sentences, that it’s probably not legitimate. I just read a story at the Frugal Law Student where a phisher attempted to trick him into entering his Paypal information so that they could steal his account information. It was easy to spot in his case, but the criminals are getting better with their emails, and some of them look downright legit. It takes more than a keen eye to spot some of the more advanced phishing that has been going on. Note: I wouldn’t recommend clicking on any links you get that look like they are from phishers as many times these sites also attempt to install malware or spyware.
According to the stats at Phishtank, there are over 10,000 verified phishing sites on the net right now.
Protecting Yourself Through Email
Email readers like Microsoft Outlook and Mozilla Thunderbird have phishing protection services that can sometimes identify phishing emails. These services usually look for a few key things:
- Is the link sent in the email from the same source as the sender of the email (e.g. www.paypal.com is the website, and the sender is firstname.lastname@example.org)
- Do the email headers show what appears to be a legitimate route for the email to follow (e.g. it’s from www.paypal.com and used Paypal’s email servers)
- Do the links in the email look suspicious? There are many things that phishers do to make their links look legitimate that can be spotted by knowing what to look for
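The URL checks in the two lists above (expected domain, odd characters such as :, % or @ near the start, link versus sender) can be written as a small link checker. This is an added example, not code from the original article or from any mail client; the function names, warning labels and the sample message are constructed for illustration, and the sender's domain is assumed to be the site the links should point to.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def link_warnings(href, expected_domain, text=""):
    """Return warning labels for one link; expected_domain is e.g. 'chase.com'."""
    flags = []
    netloc = urlsplit(href).netloc.lower()
    _, at, hostport = netloc.rpartition("@")
    if at:  # everything left of '@' is a login name, not the site visited
        flags.append("userinfo-before-host")
    if "%" in netloc:
        flags.append("percent-encoding-in-host")
    host, colon, _ = hostport.partition(":")
    if colon:
        flags.append("explicit-port")
    expected = expected_domain.lower()
    if host != expected and not host.endswith("." + expected):
        flags.append("host-is-not-expected-domain")
    # Visible text that is itself a host name should match the real target.
    shown = text.lower().split("//")[-1].split("/")[0]
    if "." in shown and " " not in shown and shown != host:
        flags.append("text-differs-from-target")
    return flags

def scan_email(html_body, sender):
    """Check every link in html_body against the sender's domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    domain = sender.rpartition("@")[2]
    return [(href, link_warnings(href, domain, text))
            for href, text in collector.links]

# Constructed sample message (documentation IP range), not a real phishing email.
SAMPLE = """<p>Your account has been compromised.
<a href="http://www.chase.com@203.0.113.7/update">www.chase.com</a> or
<a href="https://www.chase.com/contact">contact us</a></p>"""

if __name__ == "__main__":
    for href, flags in scan_email(SAMPLE, "alerts@chase.com"):
        print(href, flags or "no warnings")
```

A clean result only means none of these specific patterns matched; it does not show that a link is safe.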
The best advice I can give, and the advice I give my family and friends, is to avoid clicking on links in your email at all. Don’t click even if they look legitimate, unless you absolutely know the source to be legitimate, and even then I still wouldn’t recommend clicking on the link directly from your email.
If your bank sends you an email and says that you need to update your profile or update information on your account, don’t click on the link they provide. Go directly to your bank via the URL for your bank (usually pretty easy to find in Google if you don’t know it for sure). If your bank truly needs that information to be updated, they should indicate it somehow when you log in by going to the site directly.
I would also recommend that you avoid calling the numbers that might be included in some phishing emails. The ease with which a phisher can set up a fake phone front-end that appears to be your bank when you dial in is reason enough to avoid calling. Go find your last statement, or look at your credit card, call information, or Google for the phone number yourself. This new form of phishing is relatively uncommon (at least for now), but it’s definitely something to watch out for. It’s getting easier and easier for criminals to set up.
Protecting Yourself Through Your Browser
If you do happen to click on a link (didn’t you hear what I just said?!?!), your browser can help you determine if you’ve hit a phishing site. Internet Explorer 7 has some built-in phishing features, and Mozilla Firefox provides built-in protection as well as a myriad of extensions to help protect you from phishing. To test your Firefox built-in protection, you can visit this site at Mozilla.com (WARNING: this site will tell you that it is a phishing site – it’s not, it is for testing, and you will see that behind the warning. However, it might surprise you if you aren’t expecting it).
I personally recommend Mozilla Firefox. It’s what I use every day. You can get it here:
You can also download a toolbar from Netcraft that will help identify when you might be on a phishing site.
These tools can tell if you are on a phishing site by comparing the URL you are currently viewing with known potential phishing sites (they have marked this particular site as a phishing site or possible phishing site), or in some cases from the unusual parameters that might be in the URL itself.
There are several great quizzes put together to test your ability to spot when you are being phished. I highly recommend visiting these links and testing yourself. You may be surprised how hard it can be to spot a possible phishing attempt.
http://www.onguardonline.gov/quiz/phishing_quiz.html WARNING – this one has sound.
What could be more frugal than protecting your hard-earned money?
A wise man once asked (OK, it was Tony Robbins, but he has some really good advice sometimes!), would you work harder to save $1000, or to keep someone from stealing $1000?
His point was that most of us would do more to protect our money than we would work to save it up. I feel like I’m in that category myself. I love saving money, but protecting money I’ve already earned is very important to me.
Over the next few days we’ll cover things you can do to protect yourself online from some of the scammers and criminals out to get your money. Cybercrime is growing by leaps and bounds and there are ways to protect yourself online. Doing things just a little differently, and thinking more about what you are doing online, can help save you from being taken advantage of.
I’m a big believer in defense in depth (a layered approach to security). Applying as many of these concepts as possible in your daily life will provide you greater security than adopting just one.
I hope to see you back tomorrow when we’ll begin our series on Securing Your Money Online!