Protect Your Identity Online!

In the not too distant past, we spoke of security mainly in terms of our person and property. But with the onset of the internet came the need for another kind of security—web security.

The internet is an extremely useful tool.  Since its commercialization in 1995, it has revolutionized in previously unimaginable ways the way we communicate and share/receive information. The internet has also changed the way we acquire goods and services and do business; and all this at relatively affordable costs.

However, the Internet can also be a very dangerous place. There are many criminals out there, just as there are in real life, that seek to exploit the internet to their own selfish advantage. And usually, these criminals do well in hiding their identity to avoid detection.

In recent times, many of these criminals have been secretly installing malware such as spyware on unsuspecting users’ computers in order to steal personal information. They also employ spoofing and phishing in order to steal identity largely for financial reasons.

Some of my clients have suffered from this phenomenon. And I know many others have. In fact, I didn’t intend to write this article at this time but had to because just last week, I received an email that, but for my awareness of this dastardly act, would have tricked me. So I thought to share this piece of information with readers who may not know how to protect themselves from these predators. I would try to, as much as possible, summarize and break things down to the understanding of the less tech-savvy. Thus before I proceed, let’s understand a few terms that will be recurring in the article.

Terminology

 Spoofing Attack: “In the context of network security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage.”—Wikipedia

Phishing: “Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public.

“Phishing is typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Phishing is an example of social engineering techniques used to deceive users, and exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures.”—Wikipedia

SSL: “Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet. TLS and SSL encrypt the segments of network connections above the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for privacy, and message authentication codes for message integrity.” – Wikipedia

“Malware, short for malicious software, consists of programming (code, scripts, active content, and other software) designed to disrupt or deny operation, gather information that leads to loss of privacy or exploitation, gain unauthorized access to system resources, and other abusive behavior. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

Software is considered to be malware based on the perceived intent of the creator rather than any particular features. Malware includes computer viruses, worms, trojan horses, spyware, dishonest adware, scareware, crimeware, most rootkits, and other malicious and unwanted software or program.”—Wikipedia

“Spyware is a type of malware that can be installed on computers, and which collects small pieces of information about users without their knowledge. The presence of spyware is typically hidden from the user, and can be difficult to detect. Typically, spyware is secretly installed on the user’s personal computer. Sometimes, however, spywares such as keyloggers are installed by the owner of a shared, corporate, or public computer on purpose in order to secretly monitor other users.” —Wikipedia

Subject: Warning!!!

TO: More recipients

CC: recipientsYou More

BCC: recipientsYou

FROM: yahoo–account–services–ca@cc.yahoo-inc.com  

Message flagged

Thursday, November 23, 2023 9:18 AM

Message body

Your two incoming mails were placed on pending status due to the recent upgrade to our database,
In order to recieve the messages Click here to login and wait for responds from Yahoo.
We apologise for any inconvenience and appreciate your understanding.

Regards,Yahoo Group.

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material.
Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited.
If you received this in Spam, please kindly move it to inbox.

Please note the following about the email: check out the spelling of receive (recieve) and response (responds) and the statement “If you received this in Spam, please kindly move it to inbox.” It can never happen that Yahoo would send a service email that would be filtered by Yahoo’s own spam filter and sort it as spam.

Some Security Precautions

In order to protect users of the Web from malware attack, spoofing and phishing, authentic web browser such as Google’s Chrome, Microsoft’s Edge browser, Mozilla Firefox, Safari and Opera have built-in phishing and malware protection. That feature warns you about web sites that are illegitimate. All the same, here are some basic stuff to keep in mind:

Whenever you access a web site that requires of you to provide information such as username and password, check in the address bar. The http:// should automatically change to https:// Please note the‘s’ which represents ‘security’. That assures you that the information that you are about to communicate to the server would be transmitted over a secure platform that encrypts that information as it is being sent. That way, phishers are unable to eavesdrop on the communication in order to steal your identity.

Also, depending on the kind of browser you are using and the configuration of its settings, whenever you access a web page that requires personal information, there is a padlock that displays in the status bar. A closed padlock assures you that the information you provide would be secure; whereas an open padlock means otherwise. When you click the padlock, it will give you such information as the authority that issued the SSL certificate, name of the organization it has been issued to (make sure the name the URL is  the same as the one on the certificate), the validity period (usually 1 year. Be suspicious of certificates that have 3 or more years of expiry date. Though usually, an issuing authority’s web site may have up to 10 years.)

However, some attackers fake the certificate and padlock, says the National Cyber Alert System (US).Thus “A more secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information.”— National Cyber Alert System (US)

Whenever you access a web site that requires of you to provide information such as username and password, check in the address bar. The http:// should automatically change to https:// Please note the ‘s’ which represents ‘security’.

In my case, below is the URL the phisher sent me to click and verify my login details: http://www.biharonnet.com/biggboss/ReUpdate/login_verify2.htm. As you can see, the ‘click here’ hyperlink directs to a URL that does not belong to Yahoo. Also, there is no ‘s’ after the http. And even though the page I visited looks exactly like the login area of Yahoo mail, there is no SSL certificate installed, the padlock is thus open.

Implications

What would have happened is that when I enter my username and password, the phisher would collect them on his Web site unencrypted, use them to log into my Yahoo Mail account, and change my password. Then with this accomplished, he would use my account to his advantage such as to send spam to my contacts and others or concoct some story on my behalf that I had travelled abroad and had lost my money and would send that to all on my contact list to send me money to a specific address. Any who is spoofed by that would send the money!

How to Protect Yourself

Apart from following the checks I mentioned earlier on the browser, make your password more complex by using both lower and upper cases, symbols and numbers. Never use words that can easily be guessed such as your spouse’s name or your first child’s name. Also, whenever you suspect that you might have compromised your security, change your password immediately.

Further, never use the same password for all the sites you use.  The spoofer can guess that you are on such popular sites like facebook, twitter and the like and use your identity he stole to gain access and control over the other accounts as well.

As much as possible, avoid using public computers like those at internet cafes. But if you must use them, be sure to log-out or sign-out when done. It is not enough to just close the browser. Otherwise, anyone who accesses that site with the browser you shut down would see you already signed in and can steal your identity.

Similarly, do not share any sensitive information over a free public Wi-Fi. These are usually unsecure and can easily be exploited by phishers to collect your information.

Next, curiosity can kill you. So avoid opening spam e-mails to click on links in the mail. That could easily lead to having spyware installed on your machine secretly.

The author Jules Nartey-Tokoli is Founder and Group CEO at Groupe Soleil Vision, comprising Soleil Consults, LLC, NubianBiz dot Com, ShopNubian dot Com and Soleil Publications. He has lived and worked in both Ghana and the United States, having extensive experience in Strategy, Management, Entrepreneurship, Premium Audit Advisory and Web consulting. He has also published several articles on Strategy, Management, Corporate Governance, Leadership, Entrepreneurship, Economics, e-Commerce, Information Technology, Customer Service and Care, Sales, Marketing, Communication, Branding, Education, among others.