Most of the possibilities being considered for market are biometric hardware -- fingerprint and retinal scans, facial recognition, voice or typing recognition. And some are working on better encryption of PII, including passwords and "knowledge based authentication."
This is the first real practical application of facial recognition technology that I've heard of being deployed. I believe the technology probably is good enough to say "Is this you, the authorized user of this computer?" You'd need a high confidence of an exact match, but one that could still recognize you if you got a haircut, an injury, or new glasses.
That seems a lot easier than the Superhero Crime Fighter efforts that law enforcement has tried using facial recognition -- can we catch the bad guys who come to the SuperBowl? What about the runaways who go to Virginia Beach?
Ultimately, 19 people were flagged by the Tampa SuperBowl technology, some purely false positives, and a few petty criminals who were wanted for ticket scalping. No terrorists or violent criminals.
And in Virginia Beach, one of the touted benefits of the technology is that it could help identify runaways. But in testimony before the Virginia State Legislature's Joint Commission on Science and Technology, local officials indicated that no runaways had been identified using the technology, although it had been in place for several years.
Better to use facial recognition to prove that we are who we say we are, than to try to find the proverbial "needle in a haystack."
An article from C|Net reports “Internet-based scams are growing and now account for about 41 percent of fraud complaints the Federal Trade Commission receives from people over 50.”
This comes as no surprise after reading the report released by the Pew Internet & American Life Project. The report shows that 55% of Internet users don’t know what Phishing means. In addition, it shows 31% of those over the age of 65 don’t know what the term means. Then add on top of that a stat from an earlier study which “...showed that 35% of email users had received phishing-type solicitations.”
With statistics like that it's no wonder the FTC is seeing more complaints filed by users over age 50. My mother—who just turned “29,” at least that’s what she tells everyone—has no clue what the terms Phishing, RSS, or Podcasting mean.
Knowledge, awareness, and good Internet protection tools (e.g. Toolbar, Spy Audit and TotalAccess) will help keep you (and your parents) from becoming an Internet fraud statistic.
What you need to know about Internet Fraud and Phishers
The last few days we have received many e-mails with a variation of this statement somewhere in them: "Is this real or a scam?" So, it is clear we need to talk more about Phishers (scam e-mails).
I dug around in our Knowledge Base and found some good information:
EarthLink will NEVER request that you submit your credit card number, password, secret word, PIN, or last four digits of your Social Security number in an email. Most EarthLink requests will direct you to update your personal information on your "My Account" Web page: http://myaccount.earthlink.net
Recently, there has been an increase in fraudulent emails that appear to come from a familiar company or service provider, and ask you to provide sensitive personal information--such as your password, credit card number, or Social Security number--with the intent to steal that information from you.
Typically, these scams, or "Phisher" emails, ask you to click on a link which redirects you to a fake Web site. These sites are usually very good imitations of the real thing, and include logos and fonts of the company they are mimicking.
Fraudulent emails may also ask you to submit your personal information on a form in the actual email, by fax, or by replying to the email.
If you receive a fraudulent email, go to http://securitycenterkb.earthlink.net/fraudmi.asp?route=email to forward a copy to us.
For instructions on how to forward fraudulent email(s) with full header information and email source, click here.
Upon receipt of your email, our Fraud Department will research the issue and take steps to protect other EarthLink subscribers, such as blocking the email or shutting down any associated fraudulent Web site(s).
If you think you've submitted sensitive personal information in response to a fraudulent email, contact your bank or credit card provider immediately.
If you think you've submitted your EarthLink password in response to a scam, please contact EarthLink immediately to reset your password.
Well, you've got to hand it to diaries for one reason in particular—those old-fashioned private books lock! A personal blog on the other hand is available on the Web to anyone with an Internet connection. Total strangers can read your thoughts and comment on them.
World community, yes! And it's nice to share. But should you object when your teenager suddenly wants to work hard at writing, thinking, and self-expression—public self-expression—via their personal blog? Possibly.
A recent article in the Christian Science Monitor encourages parents to think hard about letting a teen blog, because simply describing his or her own life may reveal identifiable information that could allow a predator to locate them—without even realizing they're doing so. And the photos or videos a teen might choose to post—quite innocently—could act as the perfect, unfortunate predator-attention-getter.
Good point! In fact, it seems to me that we all ought to be more careful that we don't reveal full-names, geographic locations, or other personally identifiable details when we blog.
Three unnamed hackers currently under criminal investigation detailed the exploits of their cyberjoyride-gone-bad to Wired Magazine. All three began their careers hacking AOL Instant Messaging accounts (one of them called AOL hacking the “gateway drug” of hacking) and graduated to more complicated hacks such as the LexisNexis database, garnering social security numbers and other personal information of celebrities and other folks. One of the hackers is even under investigation in relation to the Paris Hilton T-Mobile hack.
Wired News has the full story.
In an unusual twist on Internet crime, hackers reportedly locked up a company's files and demanded $200 payment to release them. The computers may have been infected by visiting a vandalized Web site with a vulnerable browser.
Authorities believe this is an isolated incident, but the case raises fears about a potential new threat, already dubbed "ransom-ware".
First surf and now turf—a new era in online scams!
You may be familiar with Phisher emails already. Those emails—that look like legitimate messages from your bank, credit card company, eBay, or even EarthLink!—are sent by unscrupulous scam artists trying to trick you into visiting fake Web sites where you willingly hand over your personal and financial information.
Now, a new type of online scam is out to trick you again—and it's nicknamed "pharming".
"Pharming" plays nasty tricks with your browser, intercepting your legitimate effort to visit a new destination online, and takes you instead to a fake look-alike site. For instance, a recent "pharming" scam targeted people who mis-typed the address of Google—then flooded your I.E. browser with spyware and adware when you tried to search on a page that looked just like the famous Google Web site.
For more information about "phishing" and "pharming," take a look at "New twist on 'phishing' scam—'pharming'" by Gregory M. Lamb in the May 5, 2005 Christian Science Monitor.
Are you part of the 58% who have deleted a cookie? Wanna be?
A recent survey from JupiterResearch says:
"52% of online users indicate a strong interest in stories and articles about Internet security and privacy"
So go now and tell 52% of your friends and family about the EarthLink Protection Blog. What the heck, tell them all. We added an "Email This Post" button to make it easy for you. :-)
More from the Jupiter report... Their survey also says that 58% of us have deleted cookies. OK, time for the inevitable cookie joke; what's your favorite? I prefer chocolate chip, when I'm not dieting. For those of you who aren't familiar with cookies (the type that are in your browser) and how they can impose on your privacy, read on.
Cookies (from Netlingo) - A funny name for a noun that describes a small piece of information about you (about your computer, actually). It is a small file that a Web server automatically sends to your PC when you browse certain Web sites. Cookies are stored as text files on your hard drive so servers can access them when you return to Web sites you've visited before.
Adware cookies (as defined by anti-spyware apps) - can track your surfing habits and allow marketing firms to create a user profile based on your information and sell it to other firms. Adware cookies are installed and accessed without your knowledge or consent.
Want to be part of the 58% who have deleted a cookie? OK, if you use IE, see this article from Microsoft. Firefox users try this. Safari users look here. There are other software options available from 3rd parties that can make managing your cookies even easier. For example, EarthLink's TotalAccess software includes a feature called Privacy Tools; you can search Downloads.com for other 3rd party options too. Don't run off and delete all of your cookies; many of your cookies can be valuable. They can remember your login and preferences for a site. For example, when you log in to the EarthLink Personal Start Page, we use a cookie to remember who you are, and the next time you come back, you don't have to log in again.
EarthLink's CTO, Tripp Cox recently attended an anti-abuse conference and was interviewed by the San Diego Union-Tribune. Here are the 5 questions and Tripp's answers:
1. Who is winning the Internet abuse wars, the good guys or the bad guys?
The good guys are winning. We're starting to force more accountability on the spamming community. And as a result, we're getting more insight into how they operate. The Internet industry, including MAAWG, is developing a sender authentication protocol, which is a way to verify the sender of an e-mail. We're merging Microsoft's Sender-ID and SPF, Sender Policy Framework. We're already publishing sender records. (The published record must match the true Domain Name System record of the server that sends the e-mail, to prevent spammers from forging the "From" line in an e-mail.)
2. Do you know anyone who has responded to spam and bought something?
I don't personally know anyone who's bought anything from spam or admitted to it. My parents and family are pretty savvy, so they know better. I would hope that my friends are smart enough not to respond to spam. Unfortunately, the cost of sending spam is so low that even if they get a response of only 1 percent, it can still be profitable.
3. Has the federal CAN-SPAM Act made any difference?
EarthLink takes a three-pronged approach to spam. We push for technical solutions, legal solutions and legislative solutions. We need as many tools as we can get. From our perspective, CAN-SPAM has been a helpful tool. We've filed lawsuits using it.
4. Can technology stop so-called phishing scams (which attempt to trick people into revealing credit card numbers and other personal information)?
Yes. We provide ScamBlocker as part of the EarthLink tool bar. If a phisher tries to send you an e-mail, it gets blocked using the sender authentication I mentioned earlier. In addition, it evaluates the content of the e-mail and the content of the Web site that it links to and filters out suspicious e-mail.
5. What's the most dangerous type of messaging abuse?
There are a lot of different ways people attempt ID theft online. Phishing is just one. It's important for people to remember that there are criminals on the Internet who will try to take advantage of them. People can be a little too trusting of their computers.
Offline Identity Theft and your Friends - Take the Quiz!
A recent report released by the Better Business Bureau and Javelin Strategy emphasizes the importance of protecting your identity offline and from your friends and family. According to their survey of people who knew how their identity was stolen: 29% was from loss of tangible articles like wallets, checkbooks, and credit cards, 11% from friends and family, 11.6% from the online world. They also created a simple Quiz at http://www.idsafety.net/ where you can test how safe you keep your identity. I scored a 35 (0 is best, 100 is worst, 38 is typical). Oh yeah, what are some of the ways to protect your identity in the offline world? Use a paper shredder (preferably one that is cross cut), use a locking mailbox or check your mail within a few hours of delivery (not easy for me), don't share sensitive information with friends and family, and check your credit report regularly from an online service, or from the credit bureaus directly: Equifax, Experian, and TransUnion.
Since this is my first post to the blog, I will take this opportunity to introduce myself. I'm the director of product management for EarthLink's software team. I work alongside many of the other bloggers like Stephen, Scott and Tom. I have been working for EarthLink for over 10 years, originally for MindSpring (I'm a true Atlanta native). I've spent most of my tenure working in the software group, and focus much of my energy on protection related applications. I'm also an avid Mac fan. Many people have written asking that we address Mac related protection; I expect to do this in future posts.
Laura Tisdale from our Fraud Investigations department files this report about phisher threats to WiFi users...
Anyone familiar with soap operas knows all about "evil twins." An evil twin looks like the good twin, and often impersonates the good twin, usually to the good twin's demise. Well phishers have decided to take this old standard of afternoon drama into the world of WiFi.
Although this isn't a new issue, there has been recent buzz about the "evil twin" threat. An article on C|Net's News.com described how attackers could set up their own hotspots that work and act just like a legitimate wireless network. Basically, their base station may send out a stronger signal if they are near a wireless client and the end user may connect to the fake access point instead of the legitimate one.
One way these phisher attacks, also known as Access Point Phishing, come into play is when the fake access point presents a web page similar to a real page from a pay service hotspot provider. Just like in the traditional phisher email, the fake access point uses the phony web site to collect credit card and other personal info. They may also request the user name and password normally used to gain access to the legitimate access point service.
ISS published a paper called BaseStation Clone (Evil Twin) Intercept Traffic back in 2002. I think with the increase of wireless usage and phisher attacks evolving, Cranfield University researchers found the need to bring up this security threat again.
Something else that is a by-product of "evil twin" is that a user's traffic can be sniffed through the attacker's access point. But let's be clear here, this doesn't just apply to the attacker's network. This can apply to any legitimate WiFi hotspots that are regularly used. If a free public hotspot is available and the traffic is unencrypted, then the user's traffic is still available for anyone who wants to listen in on it. Secure Socket Layer (SSL) sessions work to keep info private, so definitely look for it in action as you browse or enter sensitive sites. You should see a (closed) lock somewhere on your browser when it is enabled.
There seem to be some mixed opinions on just what the chances are of actually falling victim to the "evil twin" threat. I don't think people should panic and not enjoy what wireless has to offer because of this, though. I know that I will certainly continue to browse my favorite sites while enjoying some coffee. Well, in warmer weather, anyway. But it should be a reminder to us that we need to make sure that we're protecting ourselves. The bad guys will always be out there, but we don't have to leave the doors wide open for them to come in.
Even Harry Potter can't avoid online scams. JK Rowling, the author of the Harry Potter series, is warning fans to watch out for fraudulent websites claiming to sell electronic copies of her next book, "Harry Potter and the Half Blood Prince." These sites are phisher sites trying to steal people's bank account and credit card numbers. If you're a Harry Potter fan, don't fall for these scams. Wait until July 16 when the real book is published.
On my way to work this morning, I grabbed a granola bar from my kitchen cabinet and my iPod from its docking station next to my computer. I take my iPod everywhere I go. It's like an extra limb for me.
I knew it would be critical today since I was planning to attend a technology conference where a group of stuffy, middle-aged men in blue suits would be talking about "multi-factored authentication" and "client-side enterprise security." Yawn. In case I needed to tune out for a few minutes, I could step into the hallway, slip on my headphones and listen to tracks from the latest Green Day album.
So when one of the suits on stage predicted that digital music players would become the target of computer viruses, I perked right up. My iPod may be at risk? Yikes! I've spent hundreds of dollars downloading songs from iTunes and entire weekends ripping tracks from my CD collection. If my iPod gets infected, I would be devastated. So I listened intently and took notes throughout the rest of the conference.
The theme of today's security summit was clear: The only way to address all the awful stuff we encounter online is through a coalition of government, business and educators. This is exactly how we've dealt with the spam problem. Congress passed laws to prosecute spammers, companies including EarthLink produced spam blocking tools, and marketers informed consumers about fraudulent emails like those Nigerian scams that promise to deposit money into your bank account. As a result, the amount of spam that reaches your inbox should have been dramatically reduced over the past few years.
The folks on the panel participate in this coalition, and it was neat to see them come together, as if the wheels of progress were turning right in front of me. One of the people responsible for building this coalition is FTC Commissioner Orson Swindle, who delivered today's keynote address. "Don't get frustrated," he said to concerned Internet users. "It's going to keep getting better."
As the conference continued, it occurred to me that there was no one on the panel from marketing. It was mostly CEOs and CTOs, so we heard a lot about multi-factored authentication. Whatever that is. With no one representing the consumer education component, I beamed with pride when EarthLink's CEO Garry Betty announced the new EarthLink Protection Blog. Educating consumers is its primary mission. Those of us blogging are now a part of this coalition, and we promise to do our bit. As this blog progresses, we'll tell you about the tools we're building here at EarthLink and we'll let you know how to handle any hazards you may encounter online.
And if a new virus emerges that threatens to destroy your digital music collection, I guarantee we'll be covering it. I owe it to my iPod.