2007-11-30

(security) protecting yourself against phishing

[Feel free to pass this on to whomever you wish. This is written at a "user" level.]

Simple rules to avoid phishing and similar scams, as far as possible:

(1) Do not ever click on any links sent via email. Ever. No respectable bank or money-related site will do that anymore. If they do, stick to paper dealings with those banks -- don't do anything online with them!

(2) Typing in the URL yourself every time is good, but beware of "typo-squatters", who register domains with spellings similar to the legitimate site in the hope that someone will mis-type the URL and land there.
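As an added illustration of the typo-squatting problem in rule (2) (not part of the original post), the following script compares the host of a URL against a small bookmark list and flags near-misses: one or two character edits away after folding digits that imitate letters (examp1ebank.com), or a trusted name buried inside someone else's domain (examplebank.com.secure-login.net). The bank names and bookmark list are constructed for the example; a real list would be your own bookmarks.

```python
import re
from urllib.parse import urlsplit

# Constructed bookmark list of legitimate hosts (hypothetical names, not a real bank).
TRUSTED_HOSTS = {"www.examplebank.com", "online.examplebank.com"}

# Digits commonly swapped in for letters; folded before comparing names.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive owner domain: the last two labels (enough for .com-style names)."""
    return ".".join(host.split(".")[-2:])


def classify_url(url: str, trusted=frozenset(TRUSTED_HOSTS)) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the URL's host."""
    if "//" not in url:  # allow bare hostnames such as "examp1ebank.com"
        url = "//" + url
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = registrable_domain(host)
    trusted_domains = {registrable_domain(t) for t in trusted}
    if host in trusted or domain in trusted_domains:
        return "trusted"
    labels = set(re.split(r"[.-]", host))
    for td in trusted_domains:
        # Trusted name used as a label inside a different owner's domain
        # (examplebank.com.secure-login.net, examplebank-login.com).
        if td.split(".")[0] in labels:
            return "lookalike"
        # Within two edits of a trusted domain after folding 1->l, 0->o, etc.
        if levenshtein(domain.translate(CONFUSABLES), td) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ["https://www.examplebank.com/login", "https://examp1ebank.com",
              "http://examplebank.com.secure-login.net/", "https://www.wikipedia.org"]:
        print(f"{u:45} -> {classify_url(u)}")
```

The "unknown" result is not a clean bill of health; it only means the host is not close to anything in the bookmark list, which is exactly why rule (3) says to use the bookmark rather than typing.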

(3) The best method is to type in the full URL once and bookmark it. From then on, use the bookmark.

(4) Do not use IE. Even if you are forced to use Windows for whatever reason, at least install Firefox. Get the latest Firefox and keep it updated. Firefox does this automatically anyway.

(5) Do not browse to any unknown sites while logged in to the bank site. In fact, the best way to access your bank site is to do this:

- close all tabs
- click on "tools", then "clear private data" (or use the Ctrl-Shift-Del shortcut keys)
- in the prompt that comes up, select ALL the boxes except the first one ("Browsing History")
- open the bank site using your bookmark, complete your work, and log out of bank site when done
- (do not open other tabs with any other sites while logged into the bank site)
- once again "clear private data" as above
- surf other sites normally

This will protect you against any (unintentional) JavaScript vulnerability in the bank site and against malicious (intentional) JavaScript on other sites, since nothing else is open, and no cookies or session data survive, while you are logged in.

Caveats:

All this will still not protect you from any viruses, trojans or key loggers that may have been installed on your computer without your knowledge, if you're running Windows. A lot of programs that are supposedly "free" (but not open source) and "useful" are actually spyware, and in many cases the user has installed it without knowing it does something bad. Such software can track your keystrokes and mouse movements. Coupled with tracking your web accesses, this kind of software can get your password regardless of what precautions you take. Some examples of spyware are here.
