12 November 2007
Consumer Reports published its 2007 State of the Net assessment last month in September, and one of the experts they interviewed made an astonishing claim: for organized crime groups, phishing (see Wikipedia definition of phishing) is more profitable than drugs:
The Anti-Phishing Working Group says that the number of phishing sites stood at 37,000 in May. Roughly 23,000 attacks occurred in that month.
Scammers’ phishing techniques are improving. “A year ago, phishing consisted of random spam,” says Art Manion, a top vulnerability analyst for CERT, an Internet emergency-response group based at Carnegie Mellon University. “Today, the e-mail looks like it’s from my bank or my company, with better grammar, more believable stories, and better URLs.”
Popular social-engineering techniques that entrap consumers include associating the mail with a holiday or event, such as the World Cup; spear-phishing, where the sender appears to be someone inside the company you work for; or telling you that your bank account has been compromised, and then urging you to enter personal information into a fake site that looks like the bank’s.
The profile of phishers is changing. “In 2002-2003, organized crime groups figured out this is a better way to make money than selling drugs,” says Alan Paller, director of research at the SANS Institute, which trains security professionals. He adds that some terrorists are “exhorting young jihadists to use computers to bring the U.S. to its knees.”
14 May 2007
Every so often, it helps to remind ourselves why security and privacy are important. In late 2006, Consumer Reports published its third annual State of the Net, which I think is an excellent summary and forceful reminder of why, exactly, security and privacy should be high priorities for everyone.
8 August 2006
Phishing, according to the Wikipedia entry on the topic, is a term that combines the words “password” and “harvesting”. Typically, phishing takes the form of a phone call or email where the perpetrator poses as a trustworthy source (your bank, for example) and uses this trust to request private and profitable information.
This post will provide advice on how to avoid getting phished over the telephone, but first I’m going to describe how it almost happened to me. If you get a call like the one I got, I hope it sets alarm bells ringing before any damage is done.
I almost got phished
In February 2006 I got a phone call from someone named “Mark,” who ostensibly works for Rogers Wireless, my cell phone provider. The conversation went something like this:
Him: “Hello, sir, this is a courtesy call from the accounts receivable department to confirm your personal information in our files. The credit card we have for you is no longer active.”
The first thing I think is: “that makes sense, because I lost my credit card about two weeks ago and cancelled the account. I just got a new credit card.”
Him: “I’d just like to confirm your name and address as well as some other information. Can you confirm your current address?”
Me: “Sure, it’s 5959 Glen Stree… Wait! Why are you asking for this information over the telephone? No reputable company would do that. I’m going to call Rogers with a phone number I trust to make sure that I’m not getting scammed.”