Hotmail hacking, Part 2

Last year, I was annoyed (and, admittedly, impressed) that someone hacked into my Hotmail account. There were only two ways someone could have got in: they read my mind or they set a machine to guessing for a very long time and the machine eventually guessed right.

At the time, I implored Hotmail to change their security system so that guessers would have to enter a CAPTCHA with every few wrong guesses. That would slow them down enough to make it nearly impossible to brute force their way into any account with a reasonably strong password.

I doubt the Hotmail folks read this blog and decided to pull up their socks as a result, but I was delighted to see, upon my most recent Hotmail login attempt, a similar change to the one I recommended (see picture below). My account is obviously still under siege, and Hotmail is preventing too many password guesses. The only downside is that they won’t let me into my account, either.


So I feel satisfied that Hotmail now has security features that will keep my account safe, even without the strongest possible password. Just in case, though, I’ve updated my password to be ultra-strong. It’s more than 16 characters long (I don’t want to say exactly how long, because that would make it easier for a hacker to guess), contains numbers, letters, and freaky characters. It looks something like this: gA4wL[l0iX+yJ$j1. Hackers, I wish you good luck :) .
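To make the recommendation concrete, here is an added illustration (not Hotmail's code) of a per-account login throttle that demands a CAPTCHA after every few wrong guesses instead of locking the account, so a guessing machine is slowed down while the real owner can still get in. The account store, the salt, the threshold and the CAPTCHA check are all assumptions made up for the example.

```python
"""Login throttle of the kind the post asks for: after every few wrong
guesses the caller must pass a CAPTCHA before another password attempt is
even checked. Added example; the account store, salt and threshold are
constructed for illustration."""
import hashlib
import hmac

CAPTCHA_EVERY = 3   # assumed threshold: demand a CAPTCHA after this many failures
_SALT = b"constructed-salt"


def _hash(password: str) -> bytes:
    # PBKDF2 is done for every attempt, whether or not the user exists, so
    # response time does not reveal which usernames are real.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


# Constructed sample store: username -> salted password hash.
ACCOUNTS = {"alice": _hash("gA4wL[l0iX+yJ$j1")}


class LoginThrottle:
    def __init__(self, captcha_every: int = CAPTCHA_EVERY):
        self.captcha_every = captcha_every
        self.failures = {}  # consecutive failed guesses per account

    def captcha_required(self, user: str) -> bool:
        n = self.failures.get(user, 0)
        return n > 0 and n % self.captcha_every == 0

    def attempt(self, user: str, password: str, captcha_ok: bool = False) -> str:
        """Return 'ok', 'bad_password' or 'captcha_required'.

        The CAPTCHA gate is applied before the password is compared, so a
        gated attempt tells the guesser nothing about the password."""
        if self.captcha_required(user) and not captcha_ok:
            return "captcha_required"
        supplied = _hash(password)
        stored = ACCOUNTS.get(user)
        if stored is not None and hmac.compare_digest(stored, supplied):
            self.failures[user] = 0          # success clears the counter
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "bad_password"
```

A hard lockout after N failures would stop the guesser too, but it also hands an attacker a way to lock the owner out, which is the downside the post ran into.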


After spam

If spam emails didn’t sometimes encourage people to click through and make a purchase, it wouldn’t exist as a business. The fact that we all get spam means that, despite the costs of doing so, somebody still finds it profitable to send out all of those emails. The truly amazing thing, though, is the number of emails spammers have to send in order to capture a single customer. The Economist had an article a few weeks ago that provided some data:

In 2008 researchers from the University of California at Berkeley and San Diego posed as spammers, infiltrated a botnet and measured its success rate. The investigation confirmed only 28 “sales” on 350m e-mail messages sent, a conversion rate under .00001%. Since then, says Mr Peterson, the numbers have got worse.

Given how good my Gmail account is at filtering out spam and assuming that other email software is rising to that standard, I’m not surprised that the conversion rate is so low. So what are spammers doing now?

Well, Twitter seems to be a breeding ground in rude health:

…researchers from the University of California at Berkeley and the University of Illinois at Champaign-Urbana show that 8% of links published [on Twitter] were shady, with most of them leading to scams and the rest to Trojans.

And I suspect we’ll see Facebook become an increasingly important launching pad for similar threats. The security arms race continues.

Happy holidays, dear readers!

Shop online safely

I’ve heard of and personally encountered a number of e-commerce websites like the one described in this NYTimes article. The proprietor of DecorMyEyes.com promises the cheapest designer eyewear on the net, intentionally delivers something other than what customers order (a cheaper or counterfeit model, for example), and then stalls, threatens, cajoles, and harasses people who try to get their money back. He makes money when customers give up trying to get a refund, allowing him to pocket the difference between the amount he charged their credit cards and the value of the goods he shipped.

I believe that the majority of e-commerce websites deliver what they say they will, but you need to know how to avoid the few that won’t. Interestingly, the huckster who runs the site described in the NYTimes article provides the answer:

Selling on the Internet, Mr. Borker says, attracts a new horde of potential customers every day. For the most part, they don’t know anything about DecorMyEyes, and the ones who bother to research the company — well, he doesn’t want their money. If you’re the type of person who reads consumer reviews, Mr. Borker would rather you shop elsewhere.

Mr. Borker doesn’t want cautious, conscientious customers because those customers reduce his hourly wage. Why bother selling to these people when there are plenty of shoppers who will give up trying to get their money back without much fuss? That is why, amazingly, the owner of this scam website isn’t troubled by the bad publicity that makes it easy to protect yourself.

Before clicking “Buy”

Just as changing your password to something marginally more complex than the typical internet user’s password makes you an undesirable target, doing a bit of research on the net makes you vastly less likely to fall victim to an e-commerce scam.

When I say “a bit”, I really mean it. It takes two seconds to type “decormyeyes fraud” into Google’s search engine. Every search result I got when I did that clued me in to the fact that this website is bad news:

Google search for term: decormyeyes fraud

A Better Business Bureau search piles on the evidence:

Better Business Bureau page for decormyeyes

So that’s it. The next time you are thinking of buying from an online retailer, just do a quick Google search like “companyname fraud” or “companyname scam” and then check out the Better Business Bureau rating. Most people spend a good amount of time researching their internet purchases — allocating just a couple of seconds to protecting yourself from fraud should not be too much of a burden.

Can you spot a card skimmer?

I can’t. Not always, anyway. Take a look at all the clever ways scammers skim ATM cards and PINs.

If you’ve seen one of those semi-translucent, green card slots with an image of a padlock on it, you know that banks are aware of the problem and are doing something to prevent it. Still, it seems like banks and other ATM owners could be doing more to let their customers know, at each ATM, how to avoid getting suckered by a skimmer. A picture of an unsullied model on the side of every ATM would be a big help. That way, you could compare the real-life model you’re looking at with the image, and hopefully you would notice any material discrepancies. I suppose evil-doers could simply replace the image with their own, but at least their jobs would be made more difficult for having to take that step. And it would provide ATM users with one more chance to notice a sloppy installation of an add-on to the machine.

Another option is a bit more high-tech, and would involve the ATM flashing a number on the screen that should match a number being displayed on the lip of the ATM card slot. This could be hacked, of course, but it would require gaining access to the ATM’s guts. Anything that increases the cost to would-be thieves in time and technical know-how is a good thing.

Anyhow, in the event that banks and other ATM owners do not put in a lot more effort than they currently do to stop this problem, what should you, the average ATM user, do?

Tips for avoiding ATM skimmers

I wish I could give some really solid advice here, but there are no foolproof methods. Here are the things I do to avoid card skimmers:

  1. Try to use ATMs inside banks, where it’s less likely that someone will install a skimming device.
  2. Quickly look at the parts of the ATM. If you see cheap looking components that seem like they could come off with a slight tug, beware.
  3. Cover the keypad with your non-typing hand as you punch in your PIN. Scammers need the information on the magnetic strip of your card and your password to gain access to your bank account. If you deprive them of your password, they’ve only got half of the information they need. Watch out for fake keypads placed over the real keypad, though, since this can allow scammers to get your password no matter how well you cover up when you key it in.


How good is free anti-virus?

Have you ever heard that free anti-virus programs skimp on their virus definitions so you aren’t as protected as you would be if you were using the paid version? It seems somewhat plausible as an incentive to get the free users to become paid users, right?

I’ve heard that claim from friends, but I’ve always been a bit skeptical. I haven’t seen any published reviews of free anti-virus programs that mention this sort of issue, nor have I seen any anti-virus company highlight advanced threat detection rates as a feature of their paid products that isn’t available in their free products. And if they want people to pay to upgrade to more advanced detection, they would have to actually tell their customers that there is a difference in that realm, wouldn’t they?

Anyway, I thought of that claim when I read this portion of an interview with AVG’s CEO:

The basic detection rates in our free product and our paid product are exactly the same. We’re not giving you less protection. We’re just giving you less functionality. The paid products have antispam and firewall and a few other bits. But the core features–the Web protection, the cloud protection, the virus protection–is all the same between free and paid.

I have no way of knowing for sure if that’s true for all free anti-virus providers, but I’ve used and been very happy with a number of free anti-virus programs including AVG, Avast, and, recently, Malwarebytes. Each of these, incidentally, is currently in the top five of CNET’s most popular downloads list, which is an excellent source of suggestions for high quality software.

