Weird and Wacky Engineering
Hack, ack!
Sylvie Barak
6/6/2012 6:47 PM EDT
Before we get any further, EE Times needs you to click here to confirm your identity.

Ok, I’m pretty sure most of you didn’t fall for that (though you were sorely tempted to click and see what happened, right? RIGHT? Go ahead, I still dare you….).
The point is, this morning’s LinkedIn hack and the subsequent slew of phishing emails attempting to get people to update their account information via dodgy embedded links distressed me somewhat.
It’s not about trust issues. It’s about our lack of trust issues.
It’s about the fact that most people use the same basic, easily hackable password for all their online accounts, and never change it.
It’s about the fact that people don’t see the big deal in having their password cracked. (Overheard today: “So, my Linkedin password got hacked, what’s the worst that can happen? They send my CV out?”)
It’s about the fact that even intelligent, savvy people click on things they shouldn’t and get infected with malware that then spreads through their networks, making them look like amateurs.
Gee, somebody is spreading rumors about me? I better click and find out what they’re saying. AMATEUR.
Someone I rarely talk to has a link to a funny photo of me they want me to click on? AMATEUR.
Wow, my boss lost 15 lbs on some kind of revolutionary diet that he’s sharing with me through a link on Twitter? Click. AMATEUR.
No, seriously, people, what is up with that? You may as well forward your bank account details to that African prince who keeps emailing you, because, you never know, it might be legit!
Of course, I’m just busting your chops here, and to be honest, I’m pretty sure most people reading this feel as much disdain for the amateur tactics described above as I do. Just in case, though, here are a few quick recommended steps to ensure you’re not being an online chump.
First, change your passwords. Now, please.
Use at least one capital letter and at least one symbol, but don’t make it so complicated you can’t remember it. See the brilliant comic from XKCD below:

Also, using the same password for all accounts is risky business – eggs, basket…. Don’t make me explain this, people! – mix it up, and if you need to, leave yourself clues or hints that can help jog your memory.
LastPass/1Password/KeePass – they’re all good universal password services, and I highly recommend using them. Especially if you’re not very good at remembering a lot of different passwords. They’re very secure and easy to use.
Lastly, use some common sense. If an email seems dodgy, check the email address. Or google it. If an email asks you to click a link to update information, be suspicious. Always go DIRECTLY to a site to update your personal details.
After all…
Rocket science is what you engineers do…. This? This is child’s play.

David Ashton
6/7/2012 8:07 AM EDT
Nice article Sylvie, and good points. However I'd point out that if you're trying to hack someone's (eg) bank or email account you can hardly get in 1000 guesses a second, it usually takes 2-3 seconds per try. But you're right, most of us are far too slack about passwords.
And I'd also point out something else useful - if you get a link in an email or a web page, hover your mouse cursor over it and you'll usually see the URL it points to at the bottom of your browser window. If it's not exactly the same as the one you usually use, don't go to it. In fact the advice at the end of your article is right - always work through the site directly.
SylvieBarak
6/7/2012 11:32 AM EDT
That is excellent advice, about the URL hovering! Thank you David!
Paul A. Clayton
6/16/2012 12:17 PM EDT
Unfortunately, a resourceful scammer could register a domain like mybank.cn or mybamk.com, which on casual inspection might be confused with mybank.com.
One of the problems with password complexity is that different sites have different restrictions on length, allowed characters, and required characters. One site that I use requires at least one number (among other restrictions), reducing the ease of using a pass phrase (making the xkcd comic very apropos).
Wnderer
6/7/2012 9:12 AM EDT
Report phishing attempts to the government.
http://www.us-cert.gov/nav/report_phishing.html
Duane Benson
6/7/2012 12:10 PM EDT
Another good practice is to just not click links in emails unless you are REALLY sure. Hover over the link as David suggests and look at the context surrounding the link for both risk and confidence of its origin.
For anything financial or that might end up requiring a login, rather than clicking the link, open a new browser and manually type in the URL of the place. Unfortunately, this may not help if they use a URL shortener like bitly.
I've recently gotten a couple of the "Someone is spreading bad rumors about you" direct messages on Twitter. They did use URL shorteners but it was still pretty clear to me that it was a hacked account. I looked up the person's email address from a different source and hand typed it into an email to verify any legitimacy to the tweet. Of course it was a hacked account scam.
Frank Eory
6/7/2012 8:51 PM EDT
Sylvie, what are you doing in Nigeria? Did you get that big check I sent you? LOL!
SylvieBarak
6/7/2012 9:33 PM EDT
Why, yes, thank you, Frank. I promise to transfer you the 1 billion dollars we discussed soon.... but first, and I know this is trivial, considering all the money I'll soon be sending you, but could you forward me another $2000 in stamp duty? Thanks mate! ;)
Lol.
I_B_GREEN
6/8/2012 12:39 PM EDT
Ok this crap cost our economy billions of dollars in lost productivity cleaning up the messes made.
Here is how to fix it...
A pop-up click blocker or embedded link blocker.
Even if it just adds one more "are you sure" box that you must click twice on, it will save the 90% that OCD'd clicked without thinking.
Better... The embedded link blocker reads the intended site name, verifies it or flags the hidden link as being different than the one shown on the screen. And if cross-site scripting is employed then it closes the link before loading.
Reports cross-site scripting phishing attempts to a central security conglomerator and reporting system.
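David's hover check, Paul's lookalike domains (mybamk.com, mybank.cn) and I_B_GREEN's proposed link checker, as an added example that is not part of the original thread: a small Python check of an anchor's displayed text against its real href. The trusted host list, the two-edit lookalike threshold and the crude "last two labels" domain split (no public suffix list, so co.uk-style names mis-split) are my own assumptions; shortened links like Duane's bitly case come out as UNKNOWN because the visible URL says nothing about the real destination.

```python
import re
from urllib.parse import urlparse

# Assumed list of sites the reader actually uses (constructed for the example).
TRUSTED_HOSTS = {"www.mybank.com", "mybank.com", "www.linkedin.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def host_of(url: str) -> str:
    """Lower-case hostname of a URL; a scheme is prepended so bare 'www.' hosts parse."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()

def registrable(host: str) -> str:
    """Crude registrable domain: last two labels (www.mybank.com -> mybank.com)."""
    return ".".join(host.split(".")[-2:])

def check_link(displayed: str, href: str) -> str:
    """Classify one anchor as OK, MISMATCH, LOOKALIKE or UNKNOWN."""
    target = host_of(href)
    # Only treat the visible text as a URL when it looks like one.
    shown = host_of(displayed) if re.match(r"(https?://|www\.)", displayed) else ""
    # The visible text is itself a URL but the href goes elsewhere: the hover check fails.
    if shown and registrable(shown) != registrable(target):
        return "MISMATCH"
    trusted_regs = {registrable(h) for h in TRUSTED_HOSTS}
    t_reg = registrable(target)
    if t_reg in trusted_regs:
        return "OK"
    t_name = t_reg.split(".")[0]
    for trusted in trusted_regs:
        name = trusted.split(".")[0]
        # Same name under another TLD (mybank.cn) or a near-miss spelling (mybamk.com).
        if name == t_name or edit_distance(name, t_name) <= 2:
            return "LOOKALIKE"
    return "UNKNOWN"  # a shortener or an unrelated site: nothing to compare against
```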
I_B_GREEN
6/8/2012 12:41 PM EDT
also needs to be integrated with email and browser system or the linking of...
AussieNeil
6/9/2012 12:52 AM EDT
Excellent article Sylvie, which has encouraged some great suggestions above. For those using the Firefox browser, I can highly recommend the free add-on Noscript (noscript.net), which blocks scripts from running without your permission as well as greatly improving browsing security by blocking cross-site scripting, etc.
For those that have Linkedin accounts (particularly if you have included a CV), if you haven't already changed your password, do so NOW and do it regularly until you hear from Linkedin that they have closed this vulnerability. The password hashes stolen from Linkedin did not use a salt in their generation, making them relatively easy to break.
Regarding keeping your (ever increasing list of) passwords secure, the universal password services are indeed excellent (well until the first service is cracked and those responsible have access to ALL your accounts). There is also nothing wrong with keeping your passwords written down provided they are kept in a secure location. (Remember, if they are stored on any network connected computer, attempts can be made to gain access to them from anywhere in the world.) Remember, Moore's law means passwords get easier to crack as CPUs and graphics cards get more powerful, so keep your passwords hard to guess and change at least the important ones regularly.
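AussieNeil's two points, that unsalted hashes are easy to break and that faster hardware keeps eroding password strength, as an added example that is not part of the original thread: the weak unsalted record beside a salted, slow-KDF record, with a count of how many digests a wordlist check costs against each kind. SHA-1 for the weak form, PBKDF2-SHA256 for the hardened form, the salt$rounds$digest record layout and the sample passwords are my choices for illustration; the page says only that the leaked hashes were unsalted.

```python
import hashlib
import hmac
import os
from typing import Optional

def store_unsalted(password: str) -> str:
    """Weak form: a bare digest, so equal passwords give equal records for every user."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted(password: str, salt: Optional[bytes] = None, rounds: int = 100_000) -> str:
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2) so that faster
    hardware buys an attacker less; salt and round count are kept in the record."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()
    return f"{salt.hex()}${rounds}${digest}"

def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    salt_hex, rounds, digest = record.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)).hex()
    return hmac.compare_digest(candidate, digest)

def duplicate_records(records) -> int:
    """Records whose digest equals another record's: in an unsalted dump this exposes
    which passwords are shared, and therefore popular, before any guessing starts."""
    digests = [r.split("$")[-1] for r in records]
    return sum(1 for d in digests if digests.count(d) > 1)

def wordlist_cost(records, wordlist) -> tuple:
    """(matches, digests computed) when a wordlist is checked against the records.
    Unsalted: one precomputed table of len(wordlist) digests answers for every record.
    Salted: each record has its own salt, so the table cannot be shared between users."""
    if not any("$" in r for r in records):
        table = {store_unsalted(w): w for w in wordlist}
        return sum(r in table for r in records), len(wordlist)
    matches = work = 0
    for r in records:
        for w in wordlist:
            work += 1
            if verify_salted(w, r):
                matches += 1
                break
    return matches, work

if __name__ == "__main__":
    constructed = ["password", "qwerty", "password"]  # constructed sample passwords
    print("unsalted duplicates:", duplicate_records([store_unsalted(p) for p in constructed]))
    print("salted duplicates:  ", duplicate_records([store_salted(p) for p in constructed]))
```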
prabhakar_deosthali
6/9/2012 2:50 AM EDT
Binding your secure operations to your computer (registering and validating the MAC address of your computer's network card) could be an added security for carrying out secure transactions.
My broadband service provider does not allow me to use its broadband service from any other PC or laptop. I can only use it from the computer whose MAC address has been registered with him.
This is sometimes inflexible but always secure.
Paul A. Clayton
6/16/2012 12:37 PM EDT
MAC addresses are usually mutable. While such provides an additional secret that need not be remembered, it has the significant disadvantage of traveling over the network unencrypted (so if one knows that such is being used as the secret, the secret can be more easily discovered).
Other system information is available for similar purposes and is not passed over the network unencrypted. Of course, if the device has persistent storage and the ability to run third-party software, then more complex mechanisms could be used.
Embd SW netwk
6/15/2012 3:37 PM EDT
I also worry about phone phishing. On occasion, my credit card has been compromised through no fault of my own. The first thing that happens is that my credit card company calls me to determine whether some charges are legitimate. The call comes from an 800 number not listed on my card, and if I don't answer, leave a message with that unknown 800 number. Then, they try to identify me by having me answer questions from my credit history, like "Did you ever live on Mickey Mouse Lane? What address?", as if I can remember the house number from 20 years ago.
I always call them back via the number printed on the card, and they never understand why I'm concerned about calling random 800 numbers and entering my card number into a machine.
DadOf3TeenieBoppers
6/18/2012 9:11 AM EDT
Good banks will shut down your accounts after a half dozen or so attempts to unsuccessfully log in. So it doesn't matter if the computer can guess your password in 3 days. It only has six attempts before it gets locked out.