Security Corner

January 29, 2015  2:19 AM

Ten steps to protect your finances online

Ken Harthun Ken Harthun Profile: Ken Harthun
Credit Card Fraud, Credit cards, Cybercrime, Ecommerce applications, Online banking, Security

piratescopeIt seems like every time you turn on the TV or radio these days, there’s news of another major security breach. Cyber-crime is rampant and the landscape doesn’t seem to be improving much, if at all, despite the good guys’ efforts. So what is one to do? You can avoid shopping online altogether (probably now nearly impossible for most of us), or you can take reasonable steps to be as safe as possible when transacting business over the internet. Here are ten steps you can and should put in place.

  1. Shop only on secure web sites. Before you enter any credit card information into a web site, make sure it is secure. Look for https:// in the address bar of your browser. If you don’t see it, shop elsewhere.
  2. Never transact business over public wi-fi. You have no way of knowing if the connection is secure. There may be others eavesdropping on the traffic, trying to steal your information.
  3. Never transact business on a public computer. Hotels, libraries and airport kiosks, to name a few, often provide free “business services” that include publicly accessible computers. These are safe only for looking up information on the web. Never use them to log into anything, including your email. You have no idea what is lurking there, nor do you know what security measure are — but probably aren’t — present.
  4. Secure your home network. At the very least, install a router between your cable modem and your computer and turn on any firewall capabilities it has. Use a software firewall and antivirus and antimalware software on your computer.
  5. Configure alerts for your bank and credit card accounts. Most, if not all banks and credit card companies have features that allow you to set up email or text alerts for certain transactions.
  6. Use credit cards instead of debit cards. Credit cards usually have fraud protection and will allow you to dispute any charges you feel are unauthorized. With a debit card, the money leaves your bank account immediately and may take months to recover.
  7. Use hard-to-guess, complex passwords. Use hard-to-guess, complex passwords. Use hard-to-guess, complex passwords. There are plenty of articles on this site that tell you how to create and use hard-to-guess, complex passwords.
  8. Never directly answer or respond to an email from your bank. If you need to contact them, use the phone. Criminals have become very good at making their fraudulent emails look legitimate. It goes without saying that you should never click on any links in any email.
  9. Update everything, always. Keep your computers, smart phone, tablets and any other internet-connected device up to date with the latest security patches. This is even more important for the applications you use on these devices to access your financial accounts online.
  10. Stay alert. There is nothing that works better than good old-fashioned vigilance. Review your balances and transactions regularly to make sure everything is in order. If it doesn’t seem right (like that $5.96 charge you don’t remember making), take steps to notify your financial institution immediately.

This may seem like a lot to think about, but it’s really just common sense and once you develop these safe habits, they will serve you without much effort on your part.

Be safe!

January 29, 2015  1:36 AM

EMV is coming to America

Ken Harthun Ken Harthun Profile: Ken Harthun
Authentication, Credit Card Fraud, Credit cards, EMV, Security, Smart Cards

emv_card_300wOn October 1, 2015, the liability for fraudulent, in-person payments will begin to shift to the merchant. If an EMV card is used in a transaction at a business that does not accept chip and pin payments the merchant can be liable for the transaction.

What is EMV, you ask?

Named for Europay, MasterCard,® and Visa,® EMV is a new US card payment technology with a chip designed to enhance security and decrease fraud. EMV chip cards contain embedded microprocessors that provide strong transaction security features and other application capabilities not possible with traditional magnetic stripe cards.

This is a big step toward making it nearly impossible for criminals to clone cards and will reduce the fraud from lost or stolen cards through the cardholder verification method (CVM). According to Wikipedia:

Cardholder verification is used to evaluate whether the person presenting the card is the legitimate cardholder. There are many cardholder verification methods (CVMs) supported in EMV. They are:

  • Signature
  • Offline plaintext PIN
  • Offline enciphered PIN
  • Offline plaintext PIN and signature
  • Offline enciphered PIN and signature
  • Online PIN
  • No CVM required
  • Fail CVM processing.

The terminal uses a CVM list read from the card to determine the type of verification to be performed. The CVM list establishes a priority of CVMs to be used relative to the capabilities of the terminal.

You’ve probably heard the term “chip and PIN” bandied about in conversations about this technology. These are cards that require the cardholder to enter a four- to six-digit Personal Identification Number when making a purchase at terminals that have such capability. The chips in these cards have PIN listed as a priority for CVM and usually also specify a fallback to signature if the terminal isn’t equipped for PIN use.

One of the interesting aspects of these “smart cards” is that the issuer can send commands to them. The commands can be used to update cards, change PINs, block cards, etc.

It’s a fascinating technology and we’ll be hearing more about it as it passes into general use. Probably the best source of information about the EMV standard and its implementation is the Smart Card Alliance site. You might want to check out their white paper, Technologies for Payment Fraud Prevention: EMV, Encryption and Tokenization.

January 23, 2015  9:04 PM

Microsoft sues bogus tech support companies

Ken Harthun Ken Harthun Profile: Ken Harthun
Cybercrime, cyberscams, Lawsuits, Microsoft, Security, Technical support

managing-passwords-2012_06Microsoft is suing Consumer Focus Services, a Los Angeles-based company. They are known to operate under various names including Omni Tech Support, FixNow Tech, and Techsupport Pro. You can read the (PDF) complaint if you have a taste for legalese. In the complaint, Microsoft alleges trademark infringement, unfair competition, false advertising, and cybersquatting among other things. They seek an injunction against the defendants and an unspecified amount of damages.

Courtney Gregoire, Senior Attorney for Microsoft’s Digital Crime Unit posted a video and blog about the action. In that post she says that the company “has received over 65,000 customer complaints” about tech support scams. In the video, Kirsten Kliphouse, Corporate V.P. Customer Service & Support, says that over 3 million customers [last] year alone have been impacted by fraudulent scams.

Ms. Gregoire passes along this advice for avoiding becoming a victim of a tech support scam:

If someone claiming to be from Microsoft tech support, or affiliated with Microsoft, calls you:

  • Do not purchase any software or services.
  • Ask if there is a fee or subscription associated with the “service.” If there is, hang up.
  • Never give control of your computer to a third party unless you can confirm that it is a legitimate representative of a computer support team with whom you are already a customer.
  • Take the caller’s information down and immediately report it to your local authorities.
  • Never provide your credit card or financial information to someone claiming to be from Microsoft tech support.

Also, like some well-known government agencies, Microsoft NEVER cold-calls its customers, especially about technical support.

January 22, 2015  1:48 AM

PayPal proactive security measures

Ken Harthun Ken Harthun Profile: Ken Harthun
Credit Card Fraud, Data security standards, Fraud prevention, Paypal, Security

Received an email from PayPal. Nothing unusual there, I get them all the time because I’m quite active on eBay both as a buyer and seller. The subject line read, “Your New PayPal Debit MasterCard® Is On The Way.” I was a bit puzzled by this since my card is good until 2016. I opened the message and was greeted with this:

We are sending you a new PayPal Debit MasterCard that will replace your card ending in XXXX. This is a precaution we are taking to help protect your funds in light of an account review that indicates you made a purchase at a retailer that has recently announced a data compromise.  Please note that we are not affiliated with this retailer and do not have specific evidence that your account has been compromised. This is an extra layer of security to help you avoid any potential risks.

. . .

Our experienced Fraud Detection team will continue to monitor your account to help identify any unusual activity. However, it is important that you monitor your account closely, and report any unauthorized transactions immediately.

Well, I don’t know who that retailer might have been, but it is good to see PayPal taking such proactive measures.

Do the other card companies take the same kind of care for their cardholders?

January 18, 2015  7:06 PM

No more advance notice on Patch Tuesday fixes from Microsoft

Ken Harthun Ken Harthun Profile: Ken Harthun
Microsoft, Microsoft Patch Tuesday, Security, Windows Patch Management
I'm fed up with Microsoft!

I’m fed up with Microsoft!

Yes, you read that right: Microsoft is canceling its Advance Notification Service (ANS) for regular customers (i.e., you and me). If you want you it, you’ll have to pay for it. The announcement was made in a blog post on January 8, 2015.

We are making changes to how we distribute ANS to customers. Moving forward, we will provide ANS information directly to Premier customers and current organizations involved in our security programs, and will no longer make this information broadly available through a blog post and web page.

So, those of us who rely on knowing what’s coming to plan our response to the frequent bugs that updates seem to cause, will now be forced into waiting.

ANS has always been optimized for large organizations. However, customer feedback indicates that many of our large customers no longer use ANS in the same way they did in the past due to optimized testing and deployment methodologies. While some customers still rely on ANS, the vast majority wait for Update Tuesday, or take no action, allowing updates to occur automatically.

I guess us small fry don’t matter (not that we ever really did).

January 12, 2015  6:00 PM

Getting Locked Out! How much security is too much?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Access, Business, Customers, home, ROI, Security

Sometime in October of 2014 I got locked out of my house. The back door has a lock in the handle and a deadbolt. For some reason my keys were inside on the counter as I went out on the deck and pulled the door shut behind me. I immediately realized two things.


1 – That my iPhone was still in my hand. Underscoring the results of studies that say more people are prone to leave wallets and bags in taxicabs than they are to relinquish their phones.

2 – That in my quest to make my home more secure, I had ensured that all previous ‘hide-a-keys’ and easy ways into the dwelling were eliminated. No more was there one window left unlocked. No more was there a key under the monument on top of the cat grave in the back yard.

I was locked out. Which then made me do two things. Call my wife and let her know that I was an idiot. Ponder how much security is necessary when everyone is gunning for you. Especially these days when hackers are all out to breach any system they can and thieves are more desperate than ever to steal anything of value.


From a business standpoint, is it wise to lock down your enterprise so well that there are no back-door entrances? Is it smart to streamline your security to the point that it’s like running a gauntlet if you need to access a file or a facility?

Perhaps that’s the future. Businesses that put all their info into an impenetrable vault. But the issue then is productivity/efficiency and access. No one system for locking your facility or data has borne out as the ideal. What works for you might not work for other industries or even your competitors.

The bottom line is to find the system or situation that allows you to function as well as you can while keeping your stuff (and your customers’ data) safe.

BTW, I got back into the house by a method I choose not to share here.

What are you doing to keep your data, your company and yourself safe? Share that here in the comments! Thanks!

January 1, 2015  8:29 AM

Paranoia and Personal Security – Redux

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Data, Mobile, Security, Technology

I got a lot of feedback for my last column of 2014 and not all of it was complimentary. You see, some of the theories I shared and opinions I voiced were based on a decade of being an early adopter of new technology. It placed me in a land where my perspective was polluted because I was too familiar with the apps, gadgets and tech used to track people. I call that being in the fishbowl.

Screen Shot 2014-12-31 at 1.25.29 PM

This placement (ironic) in the fishbowl is akin to navel gazing. A person talks about their experiences and outlook without considering their audience or the general population. In the column earlier this week – and let’s be clear, these are columns not articles – I spoke of how disenchanted I’d become with services like Foursquare. I also indicated that I modified my behavior to not allow location services to track me. Further, I told of how I was less inclined these days to share my location via Twitter or Facebook.

But I’m not normal and neither was my rant. For the most part, being tracked these days is unavoidable. Especially if you plan to lead any type of normal life. The phone you carry tracks your location these days (too bad that wasn’t the case for Adnan or Jay in Serial). Most mobile device apps ask for location to be turned on for them to operate correctly. Browsers ask you to sign in so they can work better. And lots of data gets shared with who knows whom anytime you use a network – wired or wireless – anywhere.

Screen Shot 2014-12-31 at 1.24.21 PM

Want to buy a coffee at Starbucks? Use their app and they immediate can suggest the closest store. Take a picture and post it to Instagram? The service can use metadata on the photo to place you somewhere. Even legacy technology like DSLRs now embed GPS coordinates into photos to presumably make it easier for you to sort, search and create robust photo libraries.

But are people really aware of the dangers of oversharing? The fishbowl crew is. Many friends I know stopped using ‘check-in’ apps like the aforementioned Foursquare and its successor Swarm because of the interface and the privacy concerns. These people – first- and early-adopters – also modified their behavior. For a couple years now, most people I know post their visits to places away from home on a delay.

It’s a bummer that this happens as it makes popping in on someone when they’re in your hometown or near your office almost impossible. But that’s the reality. I’m sharing less about where I’m going because I’d rather not have folks break into my house when I’m away.

I sometimes post my photos after-the-fact instead of during an event, which sometimes hinders the effectiveness of promotional activities. Who’s going to get excited about an event, conference, concert, game or beer tasting if you’re sharing the details and images about it after it’s over?

Screen Shot 2014-12-31 at 1.27.06 PM

And there’s so much more to this location tracking and personal security and technology that I could cover. There certainly are lots of benefits, but a bunch of ways it should scare you.

Suffice it to say that the questions I raised in the earlier piece were valid. You are sharing too much, in my opinion. You are not as safe as you once were. And while location-based apps are NOT the cause of it, they certainly created an awareness in me that led me to write that other column.

What’s the solution to remaining low-key while still connecting with your online networks? Common sense. Don’t share that you’re leaving the country for a month and that you’ve sent your cats away to cat camp because you didn’t feel like paying a cat sitter. Don’t shout out that you’re wandering around Las Vegas looking for something to do with the money you just won. And don’t post so much information about your regular routines that a cursory look could map out the times you’ll be at the office or at home or on the road.

You could also start to trim your networks so the folks who see your updates are actually known to you. Ultimately, the world of location-based services, tracking and connectivity is only going to get more useful AND intrusive. If you want the benefits that come with being connected, then learn how to use and share safely.

If you are leaning toward getting a tin-foil hat and hopping off the grid, good luck to you. The credit car you use to buy the foil, the car you drive to Target to buy the shovel to dig your bunker, and the images from the Google Streetview car that passes as you’re getting the surplus silo delivered are going to be online before you can say “wow the Sony Interview thing wasn’t the North Koreans after all.”

Nothing is as safe or secure as we’d like it to be. So accept that fact and move on…it’s likely someone somewhere will be tracking where you go.

December 31, 2014  5:30 PM

Happy New Year!

Ken Harthun Ken Harthun Profile: Ken Harthun

I wish all of my readers, colleagues and employees of the TechTarget companies a Happy, Safe & Prosperous New Year.


December 31, 2014  5:27 PM

There’s a new, free, CA in town

Ken Harthun Ken Harthun Profile: Ken Harthun
Certificate authorities, Encryption, Open source, Security

It’s called “Let’s Encrypt,” and it’s a joint project of EFF, Mozilla, Cisco, Akamai, and the University of Michigan.

Let’s Encrypt is a new free certificate authority, built on a foundation of cooperation and openness, that lets everyone be up and running with basic server certificates for their domains through a simple one-click process.

This is scheduled for delivery in Q2 2015. With such respected industry leaders working with Internet Security Research Group (“ISRG”), a California public benefit corporation, we can be confident that it will be an effective solution.

The key principles behind Let’s Encrypt are:

  • Free: Anyone who owns a domain can get a certificate validated for that domain at zero cost.
  • Automatic: The entire enrollment process for certificates occurs painlessly during the server’s native installation or configuration process, while renewal occurs automatically in the background.
  • Secure: Let’s Encrypt will serve as a platform for implementing modern security techniques and best practices.
  • Transparent: All records of certificate issuance and revocation will be available to anyone who wishes to inspect them.
  • Open: The automated issuance and renewal protocol will be an open standard and as much of the software as possible will be open source.
  • Cooperative: Much like the underlying Internet protocols themselves, Let’s Encrypt is a joint effort to benefit the entire community, beyond the control of any one organization.

That last item is the best part. We won’t have to rely on any one organization that may or may not have it’s own agenda.

December 30, 2014  6:20 PM

Where are you now? Are you Secure? What about your data?

Jeff Cutler Jeff Cutler Profile: Jeff Cutler
Applications, Data, location, Security, social media, Technology

As we close the year 2014, I was struck by a few thoughts – and I’ll likely post another blog entry tomorrow before we ring in the new year. But for now, I was wondering about location-based services and personal security.

It occurred to me as I spent a few days away from the house that I had actually been a lot better about broadcasting – or not broadcasting – my whereabouts lately. In the past, I was very open about what I was doing, what I was eating and where all this was going down.

In my opinion, now that Foursquare is dead, Swarm is useless and Path is more locked down in nature, folks are being more careful. And that’s a good thing, I think. While I am sharing less, I’m also feeling a little loss.

Screen Shot 2014-12-30 at 1.19.45 PM

I remember a time when I’d be able (and willing) to tweet out my location and my plan for an afternoon and folks would come meet me. It was a nice treat to have that utility and semblance of power. But it was also scary. If I was able to share my whereabouts and people come see me, what was happening to my home, my office, my loved ones, my stuff?

To be blunt, if I’m in one spot saying, “Hi, here I am!” then the bad guys are fully able to use that info to go where I’m not and break into my home and take my stuff. Or harm my family. Or kill my cat. Let’s not get crazy, but it could happen.

Is this a good thing or is it just something that’s happened? From where I sit, I think the shake-out of location-based services and oversharing via social media tools is good. We had some fun, but then serious stuff started to happen. Hackers took away our innocence and fear replaced fun.

Maybe I’m wandering a bit as I talk about how we’re no longer safe, our data is out there for everyone to see and the myth of security is just that – a myth.

The year is wrapping up. How are you wrapping up your persona and data so it’s not out there for anyone to see? Or do you even care? Is home security something of an afterthought to you? Do you figure if your data gets out then the credit card companies will pay off the indiscretions of the thieves? What’s your plan?

For me, it’s going to be less specific sharing and more wariness. But I’m still going to enjoy my travels and I’m not going to stay up at night worrying about data loss. It might be a rough world, but the convenience of technology outweighs (so far) the angst it brings.

Be safe and happy out there. Chat again tomorrow!

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: