We are the members of Eproject

Friday, June 20, 2008

Phishing



Phishing (from "fishing" for information) is a criminal activity that uses social-engineering techniques to trick people into handing over sensitive personal information, such as account usernames, passwords and credit card details, over the internet.

The user receives an e-mail, sent by the phisher, that pretends to come from a real company or bank (PayPal, eBay, HSBC and so on). The e-mail contains a link to a fake, spoofed website. The user believes they are logging in to the real company's or bank's site and unknowingly hands their personal information to the phisher.

Some signs that an e-mail is a phishing mail:

1. "Dear customer": a company or bank that really holds your account will normally address you by your full name.

2. Most companies will not ask you to supply or confirm personal information by e-mail or phone.

3. Most companies will not demand that you reply within a short period.

4. Type the company's address into the browser yourself; it is safer than clicking the link in the e-mail.

5. The e-mail may contain poor grammar or misspellings.
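The five signs above can be checked mechanically. The following Python script is an added example, not code from the original post: it scores a message against those indicators, and in addition checks whether a link's visible URL points to the same host as its real destination (the classic spoofed-link trick). The two e-mails are constructed samples written for this example; the indicator names and the threshold are arbitrary choices.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the indicators listed above: generic
# salutation, urgency, request for credentials, and a link whose visible
# text does not match its real destination. Not a real e-mail.
SAMPLE_PHISH = """From: "PayPaI Security" <security@paypal-verify.example>
Subject: Urgent: your account will be suspended

<p>Dear customer,</p>
<p>We detected unusual activity. Please confirm your password and credit card
within 24 hours or your account will be suspended.</p>
<p><a href="http://paypal.example.net/login">https://www.paypal.com/login</a></p>
"""

# Constructed sample of a legitimate-looking notification for comparison.
SAMPLE_LEGIT = """From: "Example Bank" <alerts@bank.example>
Subject: Your monthly statement is ready

<p>Dear Jane Smith,</p>
<p>Your statement is available. Log in by typing our address into your
browser as usual; we will never ask for your password by e-mail.</p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in the message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host part of a URL, or '' if it cannot be parsed."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def phishing_indicators(message):
    """Return the names of the indicators triggered by the message, in order."""
    hits = []
    lower = message.lower()
    if re.search(r"\bdear\s+(customer|user|member|client)\b", lower):
        hits.append("generic_salutation")          # sign 1
    if re.search(r"\b(urgent|immediately|within \d+ hours|suspend)", lower):
        hits.append("urgency")                     # sign 3
    if re.search(r"\b(password|credit card|pin|ssn)\b", lower) and re.search(
            r"\b(confirm|verify|update|enter)\b", lower):
        hits.append("credential_request")          # sign 2
    parser = LinkExtractor()
    parser.feed(message)
    for href, text in parser.links:
        # Visible text looks like a URL but the real target is another host.
        if "://" in text and host_of(text) != host_of(href):
            hits.append("link_mismatch")           # sign 4
            break
    return hits


def is_suspicious(message, threshold=2):
    """Flag a message when at least `threshold` indicators fire (arbitrary cut-off)."""
    return len(phishing_indicators(message)) >= threshold


if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(msg), is_suspicious(msg))
```

The link check is the most reliable of the five: wording heuristics produce false positives on genuine security notices, but a visible "https://www.paypal.com/..." that actually points at another host is almost never legitimate.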


Some recent examples:

Prevention methods:

1. Use a firewall, anti-virus and anti-spyware software to protect your computer. Some phishing e-mails carry viruses, trojans or other malware.
2. Make sure your browser, operating system and other applications have the latest security updates; this reduces the risk.
3. Check that the address of the page starts with "https://" rather than just "http://" and that the lock icon is shown in the browser. Note that "https" only means the connection is encrypted; a phishing site can also use it, so check that the domain shown in the address bar is really the company's.
4. Do not click a link in an e-mail to reach a bank's or company's website when you are about to log in with personal information such as a username and password.
5. Use anti-phishing software, which can disable all links in suspected phishing e-mails, or check with websites that help you determine whether a mail is a phishing mail.


Some reference websites:

http://anti-phishing.org/

http://www.millersmiles.co.uk/

How to safeguard our personal and financial data?

Internet security issues are constantly discussed as technology develops. Besides convenience, the internet has also become a channel for illegal activities such as unauthorised access to other people's information. The following are some suggestions for safeguarding our personal and financial data.

For individuals: keep your username and password private and enter them only on secure, reputable websites. Before giving out information or a password, read the website's privacy and security policies and look for the lock icon, especially on financial sites; prefer an "https" site to an "http" one and check that its certificate is valid. Besides that, software such as firewalls, anti-spyware and anti-virus programs raises the security level by filtering unauthorised websites. Finally, to avoid becoming a victim, do not open mystery attachments, as they may be a trap.

For organisations, it is essential to protect the confidentiality of customer, employee and company information. Ways to enhance security include setting up authorisation (for example passwords) so that only certain people can access certain databases, setting up authentication so that only authorised employees can maintain the database or server, and running up-to-date anti-spyware and anti-virus software. Furthermore, a business that accepts e-payments must encrypt payment transactions on its website so that they cannot be intercepted or tampered with.

The following links offer further guidance on protecting your information when using the internet; we hope they are useful to you:


The application of 3rd party certification programme in Malaysia

When conducting e-commerce transactions, do you have enough confidence in the security? Can you be sure that the web page is the official one? This is why there is a practice called a certification programme, carried out by a third party to verify and authenticate the website.

The "third parties" who issue digital certificates to verify and authenticate websites are called certificate authorities (CAs). A digital certificate can be thought of as an electronic "credit card" that establishes one's credentials when doing business or performing transactions on the Web; it normally contains the holder's name, a validity period, the holder's public key and a signed hash of the certificate data (the CA's signature). Well-known CAs include VeriSign and, in Malaysia, MSC Trustgate, which was established in 1999.
VeriSign - www.verisign.com

MSC Trustgate - www.msctrustgate.com

Normally, the certificate requestor's computer generates the public and private key pair. The company keeps its private key on its own system and sends only the public key (in a certificate signing request) to one of the CAs mentioned above. The CA then verifies the company's identity and makes sure the requested certificate is valid for that requestor. If approved, the CA signs the public key, binding it to the certificate. Finally, the CA issues and manages the certificate until it expires or is revoked.

Basically, the use of a third-party certification programme enhances the reliability of an e-commerce site and therefore improves customer trust.

Notes: In my opinion, we need to confirm that we are performing transactions on the "real" website when conducting e-commerce; one method is to check whether the website shows a certificate icon, or whether it has been verified by one of those CAs.
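The issuance process described above, together with the check suggested in the notes, as an added example that is not part of the original post and is not code from VeriSign or MSC Trustgate. It uses the third-party `cryptography` package (installed with `pip install cryptography`) to play all three roles: the requestor generates a key pair and a certificate signing request, the CA validates the request and signs, and a client verifies the resulting certificate against the CA's own certificate, its validity period and the hostname. The CA names and the hostname are made up for this example; real identity validation (proving control of the domain) happens out of band and is only assumed here.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtensionOID, NameOID


def make_key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca(name="Example CA"):
    """Self-signed CA certificate. The CA name is made up for this example."""
    key = make_key()
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_csr(hostname):
    """Requestor side: generate the key pair locally; only the CSR (public key
    plus claimed identity) leaves the machine, the private key never does."""
    key = make_key()
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(key, hashes.SHA256())
    )
    return key, csr


def ca_issue(ca_key, ca_cert, csr, days=365):
    """CA side: check the CSR's self-signature (proof the requestor holds the
    private key), then bind the public key to the identity by signing."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid")
    # Identity validation (e.g. proving control of the domain) is out of band
    # and assumed to have succeeded here.
    san = csr.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    now = datetime.now(timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(csr.subject)
        .issuer_name(ca_cert.subject)
        .public_key(csr.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(san, critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(ca_key, hashes.SHA256())
    )


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases
    # only have the naive-UTC ones.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=timezone.utc),
            cert.not_valid_after.replace(tzinfo=timezone.utc))


def verify_site_cert(cert, trusted_ca, hostname, now=None):
    """Client side, roughly what a browser does before showing the lock:
    signature from a trusted CA, inside the validity period, name matches."""
    now = now or datetime.now(timezone.utc)
    try:
        trusted_ca.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return False
    if cert.issuer != trusted_ca.subject:
        return False
    not_before, not_after = _validity(cert)
    if not (not_before <= now <= not_after):
        return False
    san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
    names = [n.lower() for n in san.get_values_for_type(x509.DNSName)]
    return hostname.lower() in names


if __name__ == "__main__":
    ca_key, ca_cert = make_ca()
    _site_key, csr = make_csr("www.bank.example")
    cert = ca_issue(ca_key, ca_cert, csr)
    print("genuine:", verify_site_cert(cert, ca_cert, "www.bank.example"))
    rogue_key, rogue_ca = make_ca("Rogue CA")
    print("rogue CA:", verify_site_cert(ca_issue(rogue_key, rogue_ca, csr), ca_cert, "www.bank.example"))
```

The two negative cases are the ones worth remembering: a certificate issued for the right name by a CA the client does not trust fails, and a valid certificate presented for a different hostname (the look-alike domain a phisher registers) also fails. A padlock alone proves neither; the browser's certificate details show the issuer and the names the certificate covers.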