1. Encrypt your personal files. If you choose to do just one of the two things on this list, choose this one.TrueCrypt is a good, non-scary encryption utility.
2. Install tracking software. LoJack and Prey were both mentioned in a recent Economist article, and they seem like reasonably good options.

The Economist article tells the story of a laptop getting stolen and then tracked down without police assistance:

Tales of stolen phones and laptops being successfully retrieved are the exception to the rule. One widely publicised case (perhaps because it was so rare) concerned a Canadian web consultant, who had a bag containing his laptop, mobile phone, health card and copies of his birth certificate lifted while on a business trip to New York. Fortunately, the owner had taken the precaution of installing an open-source tracking tool called Prey on his MacBook Pro beforehand.

Several days later, back in Ottawa, the owner got a message from his stolen laptop, saying it was being used in a restaurant in the Soho district of Manhattan. The tracking software not only sent the location details, but also transmitted screen-shots of what was running on the laptop at the time. It even turned on the user-facing camera and transmitted video of the user to the owner 500 miles away.

In this case, the owner was luckier than most. He had some 12,000 followers on Twitter to call upon for help. Meanwhile, the thief made the mistake of logging onto Skype with his real name. The laptop owner saw all this happening before his eyes and tweeted the details to his followers. He also called the New York police and asked, to no avail, for help. The missing laptop and other items were recovered only when a friend, aided by a Twitter follower in New York, rushed to the restaurant and confronted the staff with the evidence. The stolen laptop was handed over without a struggle.

Being able to track your laptop is a great idea in theory, but if the police aren’t willing to do the potentially dangerous work of confronting the criminal, I suspect the software will be useless to most people. That’s why encrypting your data is priority number one, and installing tracking software is nice to have but not something to rely on.

If you’ve seen one of those semi-transluscent, green card slots with an image of a padlock on it, you know that banks are aware of the problem and are doing something to prevent it. Still, it seems like banks and other ATM owners could be doing more to let their customers know, at each ATM machine, how to avoid getting suckered by a skimmer. A picture of an unsullied model on the side of every ATM would be a big help. That way, you could compare the real-life model you’re looking at with the image, and hopefully you would notice any material discrepancies. I suppose evil-doers could simply replace the image with their own, but at least their jobs would be made more difficult for having to take that step. And it would provide ATM users with one more chance to notice a sloppy installation of an add-on to the machine.

Another option is a bit more high-tech, and would involve the ATM flashing a number on the screen that should match a number being displayed on the lip of the ATM card slot. This could be hacked, of course, but it would require gaining access to the ATM’s guts. Anything that increases the cost to would-be thieves in time and technical know-how is a good thing.

Anyhow, in the event that banks and other ATM owners do not put in a lot more effort than they currently do to stop this problem, what should you, the average ATM user, do?

Tips for avoiding ATM skimmers

I wish I could give some really solid advice here, but there are no foolproof methods. Here are the things I do to avoid card skimmers:

1. Try to use ATMs inside banks, where it’s less likely that someone will install a skimming device.
2. Quickly look at the parts of the ATM. If you see cheap looking components that seem like they could come off with a slight tug, beware.
3. Cover the keypad with your non-typing hand as you punch in your PIN. Scammers need the information on the magnetic strip of your card and your password to gain access to your bank account. If you deprive them of your password, they’ve only got half of the information they need. Watch out for fake keypads placed over the real keypad, though, since this can allow scammers to get your password no matter how well you cover up when you key it in.

You are the victim of identity theft and the fraudster calls your bank to transfer money into their own account. But instead of asking them for your personal details, the bank assistant simply presses a button that causes the phone to produce a brief series of clicks in the fraudster’s ear. A message immediately alerts the bank that the person is not who they are claiming to be, and the call is ended.

But there are still a few hurdles before the technique can be used, including this one:

“It has to be able to reliably recognise people over long time periods,” he says. “For example, a fingerprint taken from a 20-year-old is still valid when they are 60.”

The Nigerian scam (also called “419″ or “advance fee fraud”) is, I was surprised to discover via Snopes, a very old one:

The Nigerian Scam has been emptying the pockets of victims for decades, first through letters, then with faxes, and now via e-mail. In its earliest incarnation, which dates to the 1920s, it was known as ‘The Spanish Prisoner’ con. In that long-ago version, businessmen were contacted by someone trying to smuggle the scion of a wealthy family out of a prison in Spain. But of course the wealthy family would shower with riches those who helped secure the release of the boy. Those who were suckered into this paid for one failed rescue attempt after another, with the fictitious prisoner continuing to languish in his non-existent dungeon, always just one more bribe, one more scheme, one more try, away from being released.

The typso are intentional

Who is falling for these scams? The website for London’s Metropolitan Police says it’s not who you might expect:

The letters are often littered with spelling mistakes and bad grammar. This is a deliberate ploy by the fraudsters to induce the potential victim to believe that he is dealing with uneducated people who would not have the ability to defraud him/her. Nothing could be further from the truth! The majority of victims prove to be professional business people, doctors and lawyers.

Low success, high yield

The 2006 Internet Crime Report, prepared by the National White Collar Crime Center and the FBI, shows that the Nigerian scam accounts for a small percentage – just 1.7% – of reported total dollar losses due to cybercrime, but that seems to be a function of a few people losing a lot of money. The median loss for someone tricked by a Nigerian scam is $5,100, seven times greater than the median dollar loss for other referred cases of fraud, including auction fraud, failure to deliver merchandise or payment, and check fraud.

Spin-offs

The Nigerian scam is so popular it has engendered a new cyber-sport called scambaiting. The goal is to “enter into a dialogue with scammers, simply to waste their time and resources”, as well as to entertain fellow scambaiters with the resulting correspondence, photos, and recorded phone conversations.

A Recent Parody

I AM MINISTRY OF THE TREASURY OF THE REPUBLIC OF AMERICA. MY COUNTRY HAS HAD CRISIS THAT HAS CAUSED THE NEED FOR LARGE TRANSFER OF FUNDS OF 800 BILLION DOLLARS US. IF YOU WOULD ASSIST ME IN THIS TRANSFER, IT WOULD BE MOST PROFITABLE TO YOU.

Read the rest of the spoof here.

The Economist, reporting research by Symantec, has an interesting chart of the most common goods and services offered by cybercriminals.

You can use the prices on the right of the chart as a sort of risk indicator: if a criminal steals your bank account details, you can expect to lose the amount another criminal is willing to pay (plus the value of the second criminal’s time) to get those details. Keep in mind that these values represent the average (mean) amounts victims will lose and criminals will gain – in reality, some victims will lose a lot more and some a lot less.

Most interesting feature of the chart: email passwords sell for more than full identities. If you think your email password isn’t very valuable, you should know that cybercriminals think otherwise!

A Chinese-language version of Skype scans users’ chat messages for keywords such as “democracy,” and sends a copy of the offending message to the company’s servers, according to a report released Thursday by a Canadian online human rights group.

That’s despite adamant claims by the Ebay-owned company that its software offers encrypted, safe communication.

Emails, too, often prove less than private. The hacking of Governor Sarah Palin’s Yahoo account is only the most recent example.

Bottom line

if you would be unable to bear the consequences of your communication getting intercepted, you probably shouldn’t send it by Skype, email, or any other electronic medium. Of course, even snail mail can be intercepted, face-to-face conversations recorded. No communication method is perfectly secure, and, as always, you must make make tradeoffs between security and convenience. Few of us would be satisfied to go the tin foil hat route.

There are bulletproof leather jackets and bulletproof polo shirts. Armored guayabera shirts hang next to protective windbreakers, parkas and even white ruffled tuxedo shirts. Every member of the sales staff has had to take a turn being shot while wearing one of the products, which range from a few hundred dollars to as much as $7,000, so they can attest to the efficacy of the secret fabric.

This is a nice touch: if you get shot and live while wearing one of the garments, you can join the company’s Survivor’s Club.

Part of the protective value of bulletproof clothing is its scarcity, which is why the company screens customers to keep criminals from buying. A world where innocents wear protective gear and bad guys don’t is the safest of all for the innocents, since criminals can stick to low-powered weaponry.

If, on the other hand, criminals start using the bullet-proof clothing, their foes will probably upgrade their shooters. That’s already happening to some extent. “In some parts of Mexico,” the New York Times points out, “drug assassins have used rocket launchers and grenades to wipe out rivals.” That could become more common if criminals stop dying from pistol shots.

Last month a US court ruled that border agents can search your laptop, or any other electronic device, when you’re entering the country. They can take your computer and download its entire contents, or keep it for several days.

[...]

Encrypting your entire hard drive, something you should certainly do for security in case your computer is lost or stolen, won’t work here. The border agent is likely to start this whole process with a “please type in your password”. Of course you can refuse, but the agent can search you further, detain you longer, refuse you entry into the country and otherwise ruin your day.

You’re going to have to hide your data. Set a portion of your hard drive to be encrypted with a different key – even if you also encrypt your entire hard drive – and keep your sensitive data there. Lots of programs allow you to do this. I use PGP Disk (from pgp.com). TrueCrypt (truecrypt.org) is also good, and free.

The article goes on to talk about the importance of using strong passwords, as well as the limits of depending on strong passwords to protect encrypted data.

Edited to add (19 May 2008): The quoted sections of the Guardian article have been trimmed due to a complaint from one of the editors.

Have you used a debit card in Vancouver, Canada recently? If so, check your next bank statement carefully and contact your bank immediately if there are any unauthorized transactions.

The Vancouver Sun says

Police fear that thousands of people may be caught in a sophisticated financial scam that used “parasite” handheld debit machines to skim PIN numbers and steal cash.

The suspects are alleged to have switched retail debit PIN pads — unbeknownst to cashiers and business owners — with tampered ones. Police suspect these machines were then collected and the information stolen in order to steal money.

If you want to be extra cautious, go to your bank and change your PIN on your ATM card. It’s a good idea to change your password every once in a while anyway.