Online Banking Security (White Paper)

advertisement
PSA WHITE PAPER
JACK R AMSEY
M ARCH 18, 2013
D R . L EHRFELD – C OMPUTER F ORENSICS & I NVESTIGATIONS
E AST T ENNESSEE S TATE U NIVERSITY
CSCI 5797
Computer Forensics
PSA White Paper
Jack Ramsey
March 18, 2013
INTRODUCTION
As the functionality of the Internet continues to expand to include users who are not necessarily
technology-savvy, the opportunities for criminal exploitation of these more vulnerable people abound. In
order to counter these criminal efforts, it is the responsibility and moral obligation of computer science
professionals to help educate our peers with regard to the dangers inherent in the use of the Internet and
best practices for countering them. The target audience will consist of people with varying degrees of
technological understanding. Public service announcements (PSAs) will provide one avenue for the
dissemination of knowledge and advice to members of the community. Each PSA should focus on a
single topic, should outline the dangers associated with that topic, should provide suggestions to the
listener for countering those dangers, and should include a link to a resource (web, telephone, or both)
that the listener can utilize to further elaborate on the topic. This white paper will focus on the creation of
a PSA whose topic is online banking and the creation of a PSA that will help educate the public with
regard to the dangers associated with online banking and how to counter them.
BACKGROUND
There are ways cyber-criminals can attack. The main method used to be the “man in the middle”
attack, where an attacker would intercept communications between you and the bank to steal your
sensitive information for later use. Banks and financial institutions have started using a secure form of
communications that has done a lot to protect us from “man in the middle attacks.” To ensure that your
connection with your bank is secure, look for the letters “https://” in the address bar (not “http://”)
S HOWS
A SECURE CONNECTION
WITH THE BANK
Web browsers also display a “lock” symbol to show you when your connection is secure. The location of
the symbol differs from one web browser to another, but if it is closed, you are secure.
1
CSCI 5797
Computer Forensics
PSA White Paper
L OCK SYMBOL IN F IREFOX ( NOTICE THE
“ HTTPS ://” IN THE ADDRESS ALSO
Jack Ramsey
March 18, 2013
L OCK
SYMBOL IN I NTERNET
E XPLORER
Even with a secure connection to your bank, you are still at risk if you are on a public network. You
should never do online banking from a public place, on a public computer, or with a mobile device, such
as a smartphone because hackers can still use tools to “sniff” out and steal your information.
D ON ' T
USE YOUR PHONE FOR ONLINE BANKING
Cell phones are particularly sensitive to hackers for a variety of reasons. This is changing slowly, but it is
best not to risk your money on them.
These days, the most common form of attack is installation of virus software on your computer.
One of the most common ways hackers can install viruses on your computer is by using fake email to
trick you into doing it yourself! Computer specialists call this “phishing.” Phishing attacks can be very
convincing, but generally include instructions that should serve as red flags, like a demand to verify
2
CSCI 5797
Computer Forensics
PSA White Paper
Jack Ramsey
March 18, 2013
account information by providing your account identification or number and password, or a “click here”
link in an email. Once the virus is installed, the hackers can use your computer in a variety of ways,
especially to steal your log in information to your bank.
E XAMPLE
OF A
"P HISHING "
EMAIL MESSAGE
You should never click on a link in an email. If you receive an email message that appears to be
from your bank or credit card company that demands some action or tells you to click on a link, call that
company and explain. Ninety-nine percent of the time, they will tell you that the email is a fraud.
3
CSCI 5797
Computer Forensics
PSA White Paper
Jack Ramsey
March 18, 2013
Finally, you should always keep a close eye on your account. Use the convenience of Internet
banking to your advantage. Check your transactions at least once a month. If there are transactions that
you don’t remember or that look suspicious, call your bank immediately and ask about them!
HERE ARE THE THINGS YOU CAN DO TO PROTECT YOURSELF:





Keep your software up to date – out of date software is a hacker’s best friend!
Use strong passwords (including symbols (!, #, %, etc.; upper- and lower-case letters, and
numbers); change passwords frequently
Don’t use public networks or computers for banking
Don’t use mobile devices for banking
Check your transactions online frequently
PUBLIC SERVICE ANNOUNCEMENT
Online bank robbers are after YOUR money! Online banking is a convenient way to manage
your money. These days, you can do just about anything on your computer that you once had to
travel to the bank to do. Pay your bills, balance your check book, or transfer funds between
accounts, online banking can help you do it all!
But there is danger in cyber space. Crooks are able to use the Internet, too. Many of them are
skillful at what they do. But you can protect yourself from their hacks, attacks, and plain trickery
by taking a few simple precautions. To protect yourself from cyber-crooks, you should:
 Make sure your connection with the bank is secure (in the video, show graphics of
“https://” and the closed lock icon to demonstrate how to ensure the link is secure)
 Keep your software up to date – out of date software is a cyber-thief’s best friend!
Update your Windows software and anti-virus software regularly. Both can be set to
automatically update, which is a good idea. Go to our website or contact your computer
company for instructions on how to set your computer to automatically update its
software.
 Be wary of all email. Never click on a link in an email – email links often lead to
malicious software. Remember, just because it looks official, it very well may not be.
 Use strong passwords to protect your accounts (including symbols (!, #, %, etc.; upperand lower-case letters; and numbers); change your passwords regularly.
 Don’t use public networks or computers for banking – they may store your information
for the bad guys to steal later.
 Don’t use mobile devices – thieves can intercept your information
 Check your transactions online frequently – notify your bank of suspicious transactions
immediately
Remember, they are after YOUR hard-earned money. DON’T let them take it! These simple
steps can help keep you safe. For more information, contact _________________.
CONCLUSION
Public service announcements have been aired by broadcast media for decades. Broadcast media
-- radio and television -- are required by the Federal Communications Commission (FCC) to serve "in the
public interest." Most stations use PSAs as one of the ways they meet this requirement. While their
4
CSCI 5797
Computer Forensics
PSA White Paper
Jack Ramsey
March 18, 2013
presence is ubiquitous in the public’s consciousness, skillful crafting of PSAs still leads the listening
public to greater knowledge about their respective topics. Specifically, the world of computing is at the
same time confusing to many users and evolving so rapidly that many users fail to grasp potential dangers
– or the dangers have evolved before information filters out to users. PSAs offer critical information in
small “bite-sized” chunks that are easily digestible for users, yet meaningful enough for them to make
good use of the information. Oftentimes, as in the case of online security, there are several “themes”
(such as email safety or strong passwords) that permeate the entire spectrum of the topic. Thus, repetition
of similar best practices better ensures that listeners will get the message.
It should be noted that PSAs should be accompanied by an outlet for interested listeners to use to
expand on the message and learn more about the topic. This additional resource hub could be a set of
well-researched external links to appropriate web sites or a web site maintained by the PSA’s producers,
which could in turn provide additional information and links to additional sites. Lack of this additional
resource would serve to limit the effectiveness of public service announcements.
There were 314,246 complaints of Internet crimes reported to the Internet Crime Complaint
Center (IC3) in 2011, which resulted in a reported monetary loss of $485.3 million. These figures likely
fail to capture the true number of complaints or financial impact as the dark figure – the number of
unreported crimes – is indeterminate. However, the known numbers highlight the need for public
education to help address the situation. As computer science and information technology professionals,
we must recognize the moral imperative to help the public protect itself from predators. PSAs are a time
proven and effective means to that end.
5
Download