Posts

6 Ways to halt Online Tracking

“On the Internet, you can be ANYBODY!”

Not quite. Remaining anonymous in cyberspace isn’t as easy as it used to be. Your browsing habits can be tracked and linked back to your true identity. But there are things you can do to remain as anonymous as possible.

  • Don’t feel you must use your full, real name when filling out forms just because it’s asked for, or even marked a “required field.” Of course, you’ll want to use your real name when registering online with a bank, for instance, or making a purchase. But often the real name just isn’t necessary, such as when registering with a site so that you can post comments on its news articles, or joining an online community so that you can participate in forums.
  • Stop “liking” things. Does your vote really matter in a sea of thousands anyway? But you can still be tracked even if you don’t hit “like” buttons: an embedded button is loaded from the social network’s own servers, and that request carries your session cookie, so the network learns which pages you visit while you are logged in. So always log out of social media sites when you’re done. This means clicking the “log out” button, not just closing the tab.
  • Twitter has options to control how much it tracks you, so check those out.
  • Set your browser to clear its cookies automatically, every day or every time you close it.
  • Use a disposable e-mail address for registrations; these expire after a set time.
  • Firefox users can install the NoScript add-on to block JavaScript. Scripts on a page can collect information about you, especially while you fill out a form. JavaScript also drives much of what makes sites work, though, so blocking it can impair the sites you like to use; NoScript lets you allow scripts only on sites you trust.

Virtual Private Network

You may not think it’s a big deal that your browsing habits get tracked, but this can be used against you in a way that you cannot possibly imagine.

For example, you suffer a whiplash injury in a car accident and want to sue the driver who caused it. Meanwhile, your nephew asks your advice on weight lifting equipment, so you visit some websites about weight lifting equipment, since you know a lot about this.

The defendant’s attorney gets wind of this online search and can use it against you, claiming you don’t really have any whiplash injuries. How can you prove you were searching this information for your nephew?

A VPN encrypts the traffic between your device and the VPN provider’s server, so the websites you visit, and anyone watching the local network, see the VPN server’s IP address rather than yours. It does not by itself remove cookies or browser fingerprints, so use it together with the steps above. One such VPN service is Hotspot Shield, which runs on iOS, Android, Mac and PC.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

Can Hackers Use FraudFox VM to Defeat Your Fraud Prevention?

In the last few days, a number of tech magazines like Computerworld and PC Advisor have reported that FraudFox VM poses a threat to the security of online businesses—especially banks and payment services.

FraudFox VM is a special version of Windows with a heavily modified version of the Firefox browser that runs on VMware Workstation for Windows or VMware Fusion on OS X. It’s for sale on Evolution, the apparent successor to the Silk Road online contraband market, for 1.8 bitcoins, or about $390.

FraudFox VM was created to defeat device recognition, or fingerprinting, which is used in fraud prevention to assess the risk of a device connecting to a business. The web browser is the vehicle for collecting data such as operating system version, time zone and IP address. Each of these characteristics can be used to assess risk and uncover possible fraud.

So how worried should your business—and customers—be about this new software? I sat down with Scott Waddell, the Chief Technology Officer of iovation, the fraud prevention experts, to find out what the reality is behind the media headlines.

  1. How reliant are banks and financial institutions on this kind of technology to stop fraudulent transactions these days? Is fingerprinting used more for mobile than on desktop?
    Banks leverage device reputation solutions with great success in both fraud mitigation and risk-based authentication strategies. Of course, good security is all about layered defenses, so smart banks use these tools as part of a defense-in-depth strategy to avoid over-reliance on any one security technology. Device recognition is used on all Internet connected devices these days, mobile and desktop alike. Mobile transactions are the fastest growing segment being protected with these tools, but the majority still originate from desktop operating systems.
  2. Do you think this would be an effective method for cybercriminals to get around those defenses?
    FraudFox VM may be interesting for its purpose-built virtual machine packaging, but there’s really nothing new in the approach. Tools have been available to fraudsters for years to facilitate changing device parameters, manipulating JavaScript, blocking data collection, obscuring IP address and location, and so on. Many of these capabilities have even migrated into easy-to-use settings in the major web browsers to make testing easier for web developers. Device reputation solutions have evolved along with such tools and continue to provide great uplift in fraud catch in spite of them.

    From the reported attributes that FraudFox can change, it would be unable to evade native recognition tools (those embedded in native desktop apps) and it would stumble over transactional similarity scoring on the web that considers more device attributes along with tagged recognition. So the tendency at financial institutions would be to trigger step-up authentication to one-time passwords through out-of-band channels (SMS, mobile app, voice) that FraudFox could not intercept.

  3. Is it possible to fake browser fingerprints manually or using other tools? Does this thing look like a good consolidation of other tools that people might use to defeat fingerprinting?
    As previously mentioned, there are other tools and techniques fraudsters use to evade recognition or to try to mimic the devices of their victims. These often stand out from actual browsers in ways that defeat their intended purpose. A couple of years ago, the Gozi Prinimalka trojan attempted to duplicate device attributes of compromised systems much as FraudFox VM aims to do. However, its limitations made it ineffective against modern device reputation offerings that evaluate risk and reputation through multiple strategies including link analysis, profiling techniques, velocity rules, proxy and Tor unmasking, device attribute anomalies, and more. FraudFox VM seems to be relatively limited in its capabilities considering the variety of techniques sophisticated fraud mitigation tools bring to bear.
  4. Any other thoughts?
    It’s certainly interesting to see tools like this for sale on Evolution, which appears to be catering to fraudsters and identity thieves. All the more reason for online businesses to take advantage of collaborative technologies that bring the power of community to the fight against the increasingly organized economy of cybercrime.

Fraudsters will always look for new ways to commit cybercrimes. However, a strategic, multi-layered approach to fraud prevention is the best defense.

6 Tools to protect your Privacy Online

The more advanced communications become, the more likely it is that your personal information leaks out—every time you search the Web, send texts or e-mails, and so on. Your private data is literally “out there.” However, there are six software programs that help protect your privacy online.

Expiration date tag. Files, photos and messages are tagged with an expiration date, then erased from your smartphone. The iOS and Android application for this is Wickr, and it’s free. Only encrypted content crosses the wire; the user’s device does the encrypting and decrypting.

Block the intrusion. Where you go on the Web is tracked so that advertisers know what to market to you, but this technology is intrusive. How would you like to return the favor? You can with the free Ghostery extension for the major Web browsers. It records who’s tracking your online activity and gives you information on those entities, and you can instruct it to block them.

Multi-prong privacy features. MaskMe, a free extension for Firefox and Chrome, generates disposable e-mail addresses that forward to your real address; if one of them starts receiving spam, you can shut it off. Its login and password manager keeps track of multiple passwords and helps generate strong new ones. Additional masking features, such as a one-time credit card number, cost $5/month.

Easy encryption setup. If that can ever be easy, GPG Suite has made it so. With this Mac-only software you can generate your public and private encryption keys. Messages are encrypted from within Apple’s Mail by clicking a lock icon. The GPG Keychain Access component searches for and stores other users’ public keys, and imports and exports keys. The suite is supported by donations.

Stay anonymous. Today’s technology can identify you simply based on your online search history. Your search terms are retained by search engines, but if this data gets in the wrong hands, it could spell big trouble, or more likely, just be plain embarrassing.

DuckDuckGo is the alternative: it does not record your search terms, and it does not pass them along to the sites you click through to. It also doesn’t record your computer’s IP address or the browser’s user agent string.

Use a VPN. A VPN keeps your real IP address out of the tracking picture. Knowledge of where you’ve visited can be used against you by insurance companies and lawyers, to say the least; you just never know what can happen when something out there knows your every online move.

A VPN encrypts the traffic between your device and the VPN provider’s server, which protects you on untrusted Wi-Fi such as at airports and hotels even when a site isn’t using HTTPS, and the sites you visit see the VPN server’s IP address instead of yours. It does not remove tracking cookies, so pair it with Ghostery or regular cookie clearing. Hotspot Shield is a VPN provider that’s compatible with Android, iOS, Mac and PC, running in the background once installed.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.

23% of Online Fraud is “Friendly”

Friendly fraud occurs when a customer makes an online purchase with a credit card and then, once the merchandise has arrived, calls the credit card company, claims never to have received the item, and requests a chargeback. The merchant usually has no way of proving the legitimacy of this card-not-present transaction and is forced to refund the customer’s money.

According to a new study released by LexisNexis Risk Solutions, retailers lost more than $139 billion to fraud last year, with friendly fraud accounting for one fifth of those losses.

The problem for you, the consumer, is that banks and merchants tend not to believe identity theft victims, because friendly fraud complicates the reimbursement process. It’s not uncommon for victims to be required to sign affidavits and have them notarized.

Online merchants need a better system. Device reputation, offered by anti-fraud experts iovation, would be one step in the right direction. While a customer is placing an order, device identification technology recognizes and re-recognizes the PCs, smartphones, or tablets used to access online businesses across the Internet. Then, device reputation technology determines whether or not the device being used has a history of fraud (including a history of friendly fraud) or whether high risk is assessed at transaction time. When a particular transaction is reported as fraudulent, that information goes into a globally shared knowledge base and the fraudster’s device and its related accounts are flagged in order to prevent repeated attempts under new identities. This protects merchants and honest consumers from billions of dollars in losses to fraud.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses identity theft in front of the National Speakers Association. (Disclosures)

Scammer Guilty of $2.7 Million Online Auction Fraud

Auction scams are messy. Consumers who are new to the world of online auctions are more likely to fall victim to deals that are too good to be true. Victims either get stuck with inferior or counterfeit goods, or they are charged and never receive the purchased item at all.

My spouse used eBay to search for skin care products, and was pleasantly surprised by the low prices she found for the products she wanted. Since she doesn’t have much experience with eBay, she called me over to help her complete the transaction. I saw that the seller had no feedback from previous buyers, and suggested that my wife hold off on the purchase. She begrudgingly agreed with me, and the next day when she logged in, the seller had been suspended from eBay. (I told her I’m wicked smart!)

If it looks like it might be fraud, it probably is.

A Romanian man recently pled guilty to charges of wire fraud and conspiracy before a Chicago judge, after having acted as a money mule in a scheme that scammed eBay, Craigslist, and AutoTrader users out of $2.7 million. The man’s associates in Romania used auction websites to sell nonexistent cars, motorcycles, and RVs. Buyers paid by wiring money to the scammers’ accounts, but never received the expensive items they had supposedly purchased.

Online classified and auction websites could prevent fraud and protect their users by incorporating device reputation management. One anti-fraud service getting lots of attention for delivering fast and effective results is ReputationManager 360 by iovation Inc. This software-as-a-service incorporates device identification, device reputation and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse in real time by analyzing the computer, smartphone, or tablet connecting to their online properties.

While iovation does not collect any personally identifiable information (PII) from their business clients, they have a unique view into the connections between computers and the accounts they access. For example, what might typically look like one transaction to a single auction site is often a coordinated attack across multiple sites. When a group of devices hits multiple sites, across various industries, iovation can detect the attacks through velocity triggers and shared experiences across their customer base to alert the affected business and thwart the attacks.

A device reputation check run when a scammer sets up a new account on an online auction site would stop him at the front door, leaving no chance to post fake items for sale that would soon cause damage to the business and its customers.

eBay makes safety recommendations for users, and the first rule is to use eBay’s built in payment system, and not to use alternate payment methods, like wiring money.

Never provide sensitive personal information like your account password, a credit card or bank account number, or your Social Security number in an email.

Before you bid or buy on eBay, know your seller. Look at your seller’s feedback ratings, score, and comments to get an idea of their reputation within the eBay marketplace.

I generally recommend using PayPal to help prevent online identity theft. If you use your credit card, check your statements frequently and dispute any unauthorized charges immediately.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donnie Deutsch. Disclosures.