Tech 2013 Hits and Misses…So Far

2013 is turning out to be the “year of the wear”, and mobile payments are looking grrrreat too!

HIT: Glass: Wearable tech is all the rage with Google Glass leading the field. Google Glass is a wearable computer with an optical, head-mounted display that is being developed by Google with the mission to produce a mass-market, ubiquitous computer. Google Glass displays information in a smartphone-like, hands-free format that can interact with the Internet via natural language voice commands. Even though Glass hasn’t officially been available for sale on the mass market, the demand for it is incredible.

HIT: Fitness tech: CNET reports: “For example, Fitbit announced a new tracker, called the Fitbit Flex, which is squarely aimed at the Nike FuelBand and Jawbone Up. A wristband-style gadget, the Flex connects to iPhones and Android handsets to share stats such as the number of steps you take and the quality and duration of your sleep. In the same vein, startup company Basis Science finally disclosed plans to bring its Basis Band health tracker to market.”

HIT: Mobile payment: Phys.org reports: “There are players of all sizes in the burgeoning mobile payment systems industry, including big U.S. financial institutions such as Bank of America and small startups such as Square in San Francisco. It has become a crowded field, and some of the bigger players are expanding their products to set themselves apart.”

MISS: Tablets that aren’t running Apple’s iOS. Certainly, many people are using tablets and there are a few people not using the iPad. But, well, who’s not using an iPad? Where are they? Anyone I see pecking away is on an iPad. I keep reading articles such as “Death of the Windows Tablet”. I think it’s just a matter of time.

MISS: Symbian mobile operating system. Techweek reports: “Nokia has stopped shipping the devices with Symbian. The PureView 808 was the last handset to run the Symbian operating system. The OS loved by many Nokia enthusiasts is well and truly dead – though its death warrant was signed much earlier, in 2011, when Nokia pinned its hopes on Microsoft’s Windows Phone OS.”

Robert Siciliano is a personal security expert contributor to Just Ask Gemalto and author of 99 Things You Wish You Knew Before Your Mobile was Hacked! Disclosures

A Digital Life Through the Eyes of a Child

McAfee’s 2013 study, Digital Deception: Exploring the Online Disconnect between Parents and Kids, examines the online habits and interests of tweens, teens, and young adults. It found there is an alarming and significant disconnect between what they do online and what their parents believe they do.

The study shows that 80% of parents did not know how to find out what their kids were doing online, while 62% did not think that their kids could get into deep trouble online. As for the young people, the study found that 69% said that they knew how to hide what they did online from their parents, and (disturbingly) 44% cleared their browser history or used private browsing sessions to hide their activity from their parents.

While youths understand that the Internet is dangerous, they still engage in risky (and sometimes illegal) behavior. Not only are they hiding this activity from their parents in a variety of ways, but in the study almost half (46%) admitted that they would change their behavior if they knew their parents were paying attention.

86% of youths believed that social sites are safe. Although they were aware that sharing personal details online carries risks, kids admitted to posting personal information such as their email addresses (50%) and phone numbers (32%).

48% have viewed content they know their parents would disapprove of.

29% of teens and college-aged youths have accessed pirated music or movies online.

Adding to this problem is how clueless parents are regarding technology and their kids’ online lives: 54% of kids said their parents don’t have time to check up on their online behavior, while 42% said their parents don’t care what they do online. And even worse, only 17% of parents believed that the online world is as dangerous as the offline world, and almost 74% just admitted defeat and claimed that they do not have the time or energy to keep up with their kids; they simply hope for the best.

Parents must stay in the know

Kids have grown up in an online world. They may be more online savvy than you, but giving up isn’t an option. You must challenge yourself to become familiar with the complexities of the online universe and stay educated on the various devices your kids are using to go online.

Here are some things you can do as parents to get more tech savvy:

Get digitally savvy: Whether you’re using a laptop, desktop, Mac, tablet, mobile, wired Internet, wireless, or software, learn it. Get to know the technology as well as or better than your kids.

Get on social media: By using your devices to communicate with the people in your life, you inevitably learn the hardware and software. This is a good way to learn a key method that your kids use to communicate.

Manage online reputations: Google yourself and your kids to see what’s being said. Teaching your kids what is and what is not appropriate online is a must these days. And as a good rule of thumb, you should teach your kids that things posted online stay there forever.

Get secure: There are more ways to scam people online than ever before. Your security intelligence is constantly being challenged, and your hardware and software are constant targets. Update your devices’ security software and invest in programs to manage and filter your kids’ access.

Two great online resources are www.wiredsafety.org and www.staysafeonline.org.


Secure Your Identity When Traveling

As summer travel starts to pick up, consumers need to be aware of the identity risks that come with preparing for, or going on, summer vacations.

Stealing your mail. While you’re on vacation, your mailbox fills up with credit card offers and bank statements. The bad guy can steal this mail and use it to open new credit cards in your name, or to take over existing accounts. Get a mailbox that locks to prevent thieves from stealing your mail. Have a trusted friend retrieve your mail while you’re away. Opt out of prescreened credit card offers.

Credit card fraud. When you are out and about, anyone who handles your credit card can steal your digits and make unauthorized charges, as can anyone on the other end of an online purchase. Check your credit card statements as frequently as possible. Review them weekly, at a minimum. Federal law requires that credit card companies allow you to refute unauthorized charges for up to 60 days. Keep your receipts and scrutinize those statements.

Internet cafe spyware. Anytime you use any PC other than your own, your identity is at risk. Spyware is software installed on a computer that records every keystroke, username, password, and website visited. Autocomplete is a browser function that remembers your passwords. Autocomplete on a public computer means potential identity theft. If at all possible, avoid business center or Internet cafe PCs. Many mobile phones can function as a temporary replacement for a PC.

Online dating scams. Millions of people use online dating sites to broaden their networks and meet potential mates, but not every person on these sites is sincere—some are scammers hoping to lure you in with false affection, with the goal of gaining your trust and, eventually, your money. Only use reputable sites. The minute anyone asks you to forward them money via wire transfer, delete the message.

WiFi insecurity. Whether you travel for business, or simply need Internet access while out and about, your options are plentiful. You can sign on at airports, hotels, coffee shops, fast food restaurants, and now, airplanes. Wireless networks broadcast messages using radio, and are thus more susceptible to eavesdropping than wired networks. Use Hotspot Shield VPN to protect your data by sending it through an encrypted tunnel over the wireless network.

Overseas skimming. Card skimming is the act of copying credit card data off a magnetic stripe card, whether at an ATM or in person. US-based cards are more vulnerable because they are mostly magnetic stripe only. Overseas, particularly in Europe, EMV or “chip and PIN” cards are standard. Chip and PIN cards are much harder to hack. Many merchants will not, or cannot, accept US cards with magnetic stripes, which could put you in a difficult position when you need gas or have to buy a train ticket.

Check with your bank to see if it offers EMV. JPMorgan Chase began issuing cards with embedded microprocessor chips last year, and more major card issuers have followed suit by incorporating EMV technology. American Express has also announced plans to release chip-based cards in the United States.


You’re an Internet Celebrity: Deal with It

The quote “15 minutes of fame” is about the short-lived media publicity or the celebrity of an individual or phenomenon. The expression was coined by Andy Warhol, who said in 1968 that: “In the future, everyone will be world-famous for 15 minutes.” Unfortunately, that has evolved into daily fame for many people that, frankly, is bad for public consumption.

You can blame the Internet, or social media sites, or e-tailers who offer discounts for your public profile—or you can simply blame yourself. We should all take credit or blame for this. It wouldn’t happen if we didn’t, in some way, support it.

CNN reports: “At its most extreme level, our hunger for sociability can turn minor incidents into major media firestorms, thanks to the Web’s viral capabilities. One minute you’re leaving a crummy tip; the next your message is all over the Web. One minute you’re a bullied bus monitor; the next someone is raising hundreds of thousands of dollars on your behalf . . . But even small pebble drops into the vast pool of the Internet can leave big ripples.”

Managing a digital life means knowing what you are consuming versus what you are expelling, recognizing what you are sharing versus what you are protecting. Is privacy possible? To a degree, yes.

I’m a relatively public person because of the nature of my business, so I made a conscious decision years ago how I’d manage my online persona.

Here’s how to think about it:

#1 It’s unrealistic to have two profiles. Your “pseudo” personality will eventually be exposed. Just have the one and do it correctly.

#2 Look at your online presence as personal and/or professional. To me, it’s the same thing. I’m not posting anything personal that I wouldn’t want to be viewed in a professional manner.

#3 Family member names, relationship status, photos, and activities are all relatively private. If you choose to make them public then accept certain scrutiny and risks.

#4 The words you use, the statements you make—whether profane or not, slanderous or kind—make up who you are. Choose wisely.

#5 Understand that what you post is forever. It doesn’t go away. It will come back to you, whether good or bad.

#6 Know that your data is being mined by advertisers, marketers, complete strangers, predators, everyday people, and your government. Post wisely.


How NFC and Security Work Hand in Hand

NFC is an acronym for near field communication, a wireless technology that allows devices to talk to each other. In the case of a mobile wallet application, those devices would be a mobile phone and a point-of-sale device, such as a credit card reader at a checkout counter. NFC can be used in other ways beyond credit card transactions. It can integrate with hardware, such as your car, to lock or unlock a door.

Consumers perceive a lack of security with NFC, but in fact NFC is much more secure than having your data stored on a magnetically striped credit card, which can be more easily compromised. There are numerous layers of security in an NFC payment, including both hardware and software, and major payment networks such as MasterCard and Visa require certification before any payment application or hardware is let loose on the public.

Several key features reinforce mobile NFC security:

1) NFC SIM cards storing a consumer’s payment credentials and the payment applications are certified according to security standards. These standards are defined by financial services authorities and are comparable to chip and PIN security.

2) Consumers can choose to authenticate transactions by entering a PIN code on the payment application. Consumers can also request the PIN to be entered for all payments, even for small amounts—providing the end-user with complete control over protection features.

3) Secure over-the-air technology for remote management enables immediate remote blocking of the payment application. This works in a similar fashion to blocking a bank card.

Check out NFC, see if your device offers it, and definitely give it a try!


Choosing an Enterprise eBanking Security Solution

In Gemalto’s eBanking Security Guide, a question is asked: “Banking is changing, are you?”

Banking is a changing business. Since the early 1980s banking has been going digital and moving online. During the last 10 years, we’ve seen a major shift in the services offered and the behavior of customers.

Gemalto’s Senior Vice President of online banking, Hakan Nordfjell, says, “Secure and convenient eBanking is a key factor in the future of banking.”

The convenience of online banking is what makes it so vulnerable to security threats. And in order to prevent fraud, online banking security must be convenient.

Recent technological advances have been vast and rapid. But after 15 years, online banking remains relatively immature, and this immaturity is reflected in a sometimes-inadequate security posture. Your eBank is part of your business strategy, and eBanking has security issues, so security should be a part of your business strategy too.

The security solution you choose should not merely function: it should contribute to realizing that strategy. You might want to offer other online services that depend on customers being able to identify themselves remotely, such as address change notifications, contract signing and more.

Experience shows that a reliable security solution opens up new business opportunities.

Today we worry about malware, spyware, rootkits, phishing, social engineering, and a multitude of scams resulting in account takeover, new account fraud, and identity theft. It’s been less than a decade since the widespread use of broadband Internet took online commerce mainstream, and losses resulting from cyber fraud have already topped a trillion dollars.

Enterprises under siege by criminal hackers need qualified professionals to help plan and develop online banking solutions and to ensure that client information is secure.

These professionals know that most security problems are easily solved, but solutions often sacrifice a certain degree of user friendliness. Securing a system as thoroughly as possible would place unreasonable expectations on customers, demanding that they jump through too many hoops to make a purchase.

The ideal system design finds a happy medium, and incorporates functionality, appearance, and scalability.

When launching any security solution, explain to your customers why the change is necessary, and strive to make changes appealing for users. Be sure that your customer support is adequately prepared. Provide clear information and, if possible, allow customers to select which device to use.

When choosing a security solution for your business, consider a resource that offers more than standalone security technology. A real solution takes future needs and potential threats into account, and, crucially, offers a positive user experience.

Visit www.ebankingsecurity.net to learn how to enhance the security of your online banking system.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto. Disclosures


Log Out, Log Out, I repeat, LOG OUT

One of the most common yet underreported causes of data breaches is users’ failure to properly log out of public PCs.

Is your work computer accessible to others, perhaps after business hours? How about your home computer? Does its use extend beyond your immediate family, to your kids’ friends or babysitters, for example? Do you ever log in to a hotel’s business center PC, or take advantage of free Internet at a bank of sponsored PCs at a conference? Or pay per minute at an Internet café? Maybe you’re a college student; do you use the PCs in the computer lab, or friends’ PCs?

Any shared PC is at an increased risk for spyware, viruses, and other malicious activities of a criminal hacker, the PC’s administrator, or just the dude that happened to use the computer before you. But many people increase their vulnerability simply by failing to log out.

A few months ago, my sister-in-law used my family’s PC, logging in to her Facebook account. After she left, I checked Facebook myself, and quickly realized I was still logged in to her account. To teach her a lesson, I changed her profile picture to something she didn’t appreciate. (Being my sister-in-law, she forgave me.)

This past weekend at a conference, a colleague borrowed my laptop to check his email. Four days later, after having turned the laptop on and off a half dozen times, I attempted to check my own email and found myself still logged in to his Gmail account. In this instance, I quickly logged out, since Gmail notifies users when their accounts are open at multiple IP addresses, and I wasn’t about to hack a colleague.

Web-based email services, social networking sites, and other websites that require login credentials generally provide an option to “Remember me,” “Keep me logged in,” or “Save password,” and will do so indefinitely. This feature often works with cookies, small files the browser stores on the computer. Some operating systems and browsers also include an “auto-complete” feature, which remembers usernames and passwords.

I’m not entirely sure if my colleague left Gmail’s “Stay signed in” box checked, if Gmail left a cookie on my laptop, or if my operating system remembered him. Either way, he was hackable.

Protect yourself.

I may log in to a PC that is not mine once or twice a year. And when I do, I make sure I log out of any program I logged in to. On the rare occasion that I use someone else’s computer to log in to an account containing sensitive data, I make an effort to change the password. Generally, though, I lug around my own laptop wherever I go, and I use an iPhone.

Never check a “Remember me” box, and if it’s selected by default, remember to uncheck it.

If you get an auto-complete pop-up while logging in, read it carefully and be sure to click the “no” option.

Some PC administrators install password managers that prompt the user to save login credentials. If you are on someone else’s PC and get this kind of pop-up, read it carefully before just clicking buttons to dismiss the pop-up.

Most importantly, PLEASE, for heaven’s sake, LOG OUT. Do I need to repeat myself?

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. Disclosures

Criminal Web Mobs Responsible For Most Cyber Crime

New reports confirm what we’ve been seeing in the news: organized criminals have upped the ante. Global web mobs are tearing up corporations’ and financial institutions’ networks. According to a new Verizon report, a staggering 900 million records have been compromised in the past six years. Up to 85% of the breaches were blamed on organized criminals.

The hackers who infiltrate these networks include brilliant teens, 20-somethings, all the way up to clinical psychologists and organized, international cyber criminals. Many are from Russia and Eastern Europe.

Motivated by money and information, they either exploit flaws in applications to find their way inside networks, or they target their victims psychologically, tricking them into disclosing usernames and passwords, or clicking malicious links.

Flawed web applications often make these types of hacks possible. Criminals use “sniffers” to seek out flaws, and when they find them, the attack begins. Malware is generally used to extract usernames and passwords. Once the criminals have full access to a network, they use the breached system as their own, storing the stolen data and eventually turning it into cash.

To protect yourself, update your PC’s basic security, including Windows updates and critical security patches. Make sure your antivirus software is up to date and set to run automatically. Update your web browser to the latest version. An out-of-date web browser is often riddled with holes worms can crawl through. Run spyware removal software. And set up your wireless network with a “key” or passcode so it’s not open to the public.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses another data breach on Fox News. (Disclosures)

A Viable Solution to Wave of Skimming and Point of Sale Attacks

Officials are reporting a wave of credit and debit card attacks targeting point-of-sale terminal swapping, skimming of card data, and hacking into payment processors. Reports say the U.S. Secret Service, among others, is in the process of investigating a multistate crime spree.

The Oklahoma Bankers Association commented, “It is beyond apparent our bankers are taking great losses on these cards and we also need to explore creative ideas to mitigate these losses. It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment.”

Organized criminals have long been ramping up and coordinating multiple attacks. They continually find inventive ways to circumvent existing systems.

EFTPOS (electronic funds transfer at the point of sale) skimming occurs when the point-of-sale terminal is swapped out for a skimming device. People commonly swipe both credit and debit cards through the in-store machines to pay for goods and services at these outlets. In Australia, fast food chains, convenience stores, and specialty clothing stores are bearing the brunt of the crime. McDonald’s is among the outlets whose EFTPOS machines have been targeted.

Last year, legitimate EFTPOS devices at McDonald’s outlets across Perth, Australia were replaced with compromised card-skimming versions, cheating 3,500 customers out of $4.5 million. They actually replaced the entire device you see at the counter when you order your Big Mac!

Officials say the problem is so bad that they urged people to change their credit and debit card PINs weekly to avoid the possibility of having their account balances wiped out, as it was likely more cases would be identified.

Revisiting the Oklahoma Bankers Association’s statement, specifically, “It is in the best interest of retailers, bankers, processors and card providers to find ways to limit these losses so that debit and credit cards can remain a viable method of payment,” it sounds a little desperate to me. Credit and debit cards as we know them, with their magnetic stripes, are easily compromised and frequently targeted by criminals. Now that Mexico and Canada are going chip and PIN, getting “creative” to save the mag stripe is going to take a lot more than a class in creativity. Sounds like a serious upgrade is in order.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses credit and debit card fraud on CNBC. Disclosures

Seven Smartcard Keys To The Internet

There has been a bit of buzz lately regarding an Internet “kill switch” and a handful of trusted individuals given the responsibility of rebooting the Internet, should it go down from cyber attack or be shut down for whatever reason.

The operation is born of the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN was formed in 1998. It is a not-for-profit public benefit corporation with participants from all over the world dedicated to keeping the Internet secure, stable, and interoperable. It promotes competition and develops policy on the Internet’s unique identifiers.

ICANN doesn’t control content on the Internet. It cannot stop spam and it doesn’t deal with access to the Internet. But through its role coordinating the Internet’s naming system, it does have an important impact on the expansion and evolution of the Internet.

Popsci reports that “part of ICANN’s security scheme is the Domain Name System Security (DNSSEC), a security protocol that ensures Web sites are registered and “signed” (this is the security measure built into the Web that ensures when you go to a URL you arrive at a real site and not an identical pirate site). Most major servers are a part of DNSSEC, as it’s known, and during a major international attack, the system might sever connections between important servers to contain the damage.”

The lucky seven holders of the smartcard keys are from all over the world. Each key holds an encrypted number that is part of the DNSSEC root key; by themselves the keys are useless, but combined they have the ability to restart the Internet. The process of rebooting the web requires five of the seven key holders to be in the United States together with their keys. That’s a pretty lofty responsibility for anyone. You can learn more about the card process in this video.
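The “five of seven” rule described above is a threshold scheme: no single share is useful, but any quorum of shares recovers the whole. As an added illustration (not ICANN’s actual key ceremony, whose mechanics the post does not describe), this Python example uses Shamir’s secret sharing over a prime field to split a constructed secret into seven shares so that any five rebuild it and any four reveal nothing; the function names, the modulus and the sample secret are this example’s own assumptions.

```python
"""Toy 5-of-7 threshold split using Shamir's secret sharing.
Added example: a model of how a key-share quorum works, not ICANN's procedure."""
import secrets
from itertools import combinations

# Mersenne prime; all arithmetic is done in GF(PRIME). Secrets must be < PRIME.
# (Assumed field size for this example; any large prime works.)
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of sum(coeffs[i] * x**i) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold=5, holders=7):
    """Return (x, y) shares, one per holder; any `threshold` of them rebuild `secret`."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    if not 1 < threshold <= holders:
        raise ValueError("need 1 < threshold <= holders")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, holders + 1)]


def reconstruct(shares):
    """Lagrange interpolation at x=0 over the supplied (x, y) shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse via Fermat's little theorem, valid because PRIME is prime.
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def ceremony_demo(secret=0x5EED, threshold=5, holders=7):
    """Split a constructed secret and check every quorum and every sub-quorum.

    Returns (all_quorums_rebuild, any_subquorum_leaks): the first should be True,
    the second False, i.e. every 5 of 7 holders succeed and no 4 of 7 can.
    """
    shares = split_secret(secret, threshold, holders)
    all_quorums_rebuild = all(reconstruct(list(q)) == secret
                              for q in combinations(shares, threshold))
    any_subquorum_leaks = any(reconstruct(list(q)) == secret
                              for q in combinations(shares, threshold - 1))
    return all_quorums_rebuild, any_subquorum_leaks


if __name__ == "__main__":
    print("5-of-7 quorum rebuilds secret, 4-of-7 leaks it:", ceremony_demo())
```

A tampered or mismatched share makes the quorum reconstruct garbage rather than the secret, which is why real ceremonies also verify each share before use.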

Robert Siciliano, personal security expert contributor to Just Ask Gemalto, discusses the possibility of an Internet crash on Fox Boston. (Disclosures)