Would you give your house keys to a total stranger? How about your car keys? Of course not. Yet I've seen several studies done in different countries over the last few years where individuals have been asked to provide their username and password in exchange for some trivial reward. A majority of those sampled do provide their passwords--an amazing statistic. So when I see the numbers of victims of online phishing, pharming, and 419 scams, I'm not surprised. Rather than write another column railing against the fraudsters who trick us, I think it's time to examine how seriously we each take online security and how freely we volunteer personal information into the ether without questioning the request. We need to consider that our online behavior itself might be contributing to the rise in online fraud.
An analogy
Hopefully, we're all well versed in real-world, physical security. The concept of a locked house or a locked car is familiar (or it should be). Yet the idea of giving access to your computer data or--worse--your personal data, such as your social security number or your birth date, is still abstract to many. No matter how many headlines scream about the latest reported online scam racing across the Internet, there will always be someone willing to click the bait. Really, there will be.
Don't believe me? One year ago, the BBC reported on a survey for the Infosecurity Europe trade show. In that survey, 70 percent of the commuters passing through the Liverpool Street Station in London shared their computer login and password information in exchange for a bar of chocolate. Is your password worth only a meager sugary reward? Is your identity no more valuable? As long as we continue to treat our physical possessions differently than our personal data, there will always be fresh victims of online scams and computer crimes. Online security is only as strong as its weakest link: humans.
A modest proposal
Say I were to call you--or e-mail you--out of the blue, identify myself as representing a major credit card company, and mention that I see a large credit card balance in your name on another card. I might offer you a lower rate if you transferred the balance to my major credit card. Would you accept my offer?
I would hope you would not accept my offer. Intrigued, you should ask to call me back (to confirm that I really am associated with the major credit card company) or you could have the offer mailed to you--but don't give out your address; if I can see your current outstanding credit balance, I should also have your current address, right? If the caller lacks this info, I would most likely hang up. Meanwhile, the caller merely moves down the list to the next phone number.
Trust = Trust
Online authentication only works as long as we each take it seriously. The scam I outlined above has been documented in various other forms by celebrity hacker Kevin Mitnick in The Art of Deception and most recently by security consultant Ira Winkler in Spies Among Us. Winkler has performed penetration tests on a number of corporate and government networks over the years and usually begins his surveillance of a system by finding a patsy inside the organization who's eager to help. Mitnick carried out many of his shenanigans without even using a computer, often doing so with just a cell phone and a group of eager-to-please victims on the other end of the call.
When people offer you something that sounds too good to be true in person, you might read their body language, in addition to carefully listening to the tone of their voice; one or the other should tell you whether or not to trust them. But over the phone and over the Internet, the person making the pitch could be anyone anywhere. I think, on the one hand, we all know that. But there's still a part of everyone that wants to believe the best in everyone--even strangers we meet on the Internet.
What to do?
E-mail from a bank or an organization or an ISP informing you that your service is about to be terminated unless you provide additional personal information is almost always a scam. E-mail addresses can be forged, and the links in the body of the text can appear to be legit but in reality can lead you into a trap. If you feel, however, that the e-mail might be legit, log in to your account using the company's Web site and drill down to the personal account information page yourself. Don't just click the link in the e-mail. Another suggestion: call the company's toll-free support number. Don't believe everything you read in your e-mail.
Which brings me back to passwords: Take them seriously. You might not give a second thought to sharing your user ID and password with someone else, but if that someone else uses the computer to commit a crime, say, steals documents or spreads a new computer virus, you could be held responsible. An extreme example, perhaps, but the fact remains that passwords exist to protect you and the data you access. One value of password studies such as the Liverpool Street study is that they give us insight into the large number of potential victims there are for online crooks.
Act responsibly online. Get defensive. Ask questions. Fight back against online fraud. Would you simply hand over your wallet to a complete stranger? I didn't think so.
How many chocolate bars would it take for you to hand over your user ID and password? Talk back to me.