Monday, March 21, 2011

On-line security (updated)

Recently, several of my Facebook friends found their Facebook accounts hijacked and advertising posted under their names. It's a useful reminder that for all the benefits of on-line life, it's still a bit of a free-for-all, and there are nefarious characters trying to con you! These risks can be managed with a little bit of knowledge and awareness, which I'll tell you about here. Please be sure to share this post with your friends, especially those newer to the internet, who are often particular targets of the bad guys.

Here are some things to be aware of.

1) Your password. Do you ever find it hard to manage your passwords? Most of us do! It's important to have a robust password that is hard to guess, so it shouldn't be your name, your birthday, or anything obvious. The best passwords have a mixture of words and letters, and are at least 8 characters long. To make it unbreakable, consider using simple substitutions: 1 for I, 3 for E, 5 for S, 0 for O, @ for a. Thus, for example, the word "Christian" could be written "Chr15t1@n". (That's still a pretty obvious word, so I'd try something more obscure, like the name of your first grade teacher.)

Don't use the same password for "mission critical" online experiences (e.g., online banking, anything linked to your credit card) and more lightweight applications (Facebook). You might also consider setting up a second email address, using one of the free providers (Gmail, Yahoo, Hotmail) to use when you sign up for something, to keep your real address more secure and spam free.

Experts say that if you have a robust password, and you guard it carefully, you don't need to change it very frequently. But that assumes that you are careful where you use it. So beware of

2) Phishing. This is the name given to a wide variety of cons that try to get you to enter your username and password on a fake site, so that they can get access to your email, your bank, or your Facebook. Generally, this is done by sending you a message, like an email, that has a link in it. The source appears trustworthy (your bank, a good friend) but is almost always "spoofed", or pretending to be from someone it's not. They may try to panic you (your account is being closed down!) or offer you a great deal (free supercomputer giveaway!) but don't fall for it. The link they want you to click may LOOK realistic but is usually coded "under the hood" to take you to a fake site. You may not even notice, when you click on it, that the address in the browser's address bar isn't the same as your bank's.

The solution? Always assume links in an email or a Facebook message are tricks, and never, ever enter user information or password on a site you have reached by clicking on an email. Better yet, don't click on links in an email.

If you want to reach your bank, never "click through" from the email, but type in the correct address. It's less convenient, but reliable. Be suspicious: your bank or your internet provider will never send you an email asking you for your password, so if you get such an email, it's always fake. And if you click a link to a site that should be secure, look for the "https" in front of the address in your browser's address bar, indicating a secure connection. (And make sure the address is correct: website.com is NOT the same as website.biz, and mybank.com.ru is not mybank.com!!)
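For readers who like to see it spelled out, here are the checks from this section (where a link really goes versus what it shows, the exact domain, and https) as a short Python script. This is an added example, not part of the original post; the sample message, the function names and mybank.com as the trusted domain are made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body (not a real email).
SAMPLE_EMAIL = (
    '<p>Confirm at <a href="http://mybank.com.ru/login">https://www.mybank.com/login</a></p>'
    '<p>Or visit <a href="https://www.mybank.com/help">our help page</a>.</p>'
)

class LinkCollector(HTMLParser):
    """Collect (real destination, visible text) for every link in an HTML message."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lower-cased host name of a URL; also accepts bare text such as 'mybank.com/login'."""
    return (urlsplit(url if "//" in url else "//" + url).hostname or "").lower()

def check_link(href, text, trusted):
    """Return warnings for one link; trusted is the domain you expect, e.g. 'mybank.com'."""
    warnings, target = [], host_of(href)
    # Only the exact domain or a subdomain of it counts: mybank.com.ru does not.
    if not (target == trusted or target.endswith("." + trusted)):
        warnings.append(f"goes to {target}, not {trusted}")
    # If the visible text itself looks like an address, it must match the destination.
    shown = host_of(text) if "." in text and " " not in text else ""
    if shown and shown != target:
        warnings.append(f"text shows {shown} but link goes to {target}")
    if urlsplit(href).scheme != "https":
        warnings.append("not an https link")
    return warnings

def audit(html, trusted):
    parser = LinkCollector()
    parser.feed(html)
    return {href: check_link(href, text, trusted) for href, text in parser.links}

if __name__ == "__main__":
    for href, problems in audit(SAMPLE_EMAIL, "mybank.com").items():
        print(href, "->", problems or "ok")
```

A link that passes all three checks can still be unwanted, so typing the address yourself remains the reliable route.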

3) Facebook scams. When you choose to go on Facebook, you are putting a lot of information out there, some of which is a gold mine for those more ethically challenged. Facebook defaults to expose most of your information to the public at large. Use the Accounts>privacy menu in your profile to restrict who can see what. For example, do friends of your friends need to know your birthdate, particularly the year? Does the world need that info? Err on the side of security and hide it. Remember, phishing can occur here too: messages aren't always from whom they claim to be. (And just because Facebook ASKS you for your hometown, doesn't mean you have to tell them.)

A major problem with Facebook is the Facebook apps: you know, the quizzes, games, and other links that pop up now and again. You may not even notice when you do a Facebook quiz or click an online offer that you are also clicking something that says, "allow Quizmondo to access your user settings", which could give them access to your wall and your friends' walls. Moreover, if you allow your friends full access to your info, the apps that THEY choose may see more than you like on YOUR wall. If you have 300+ friends, do you really trust all of them to make wise decisions with your info? Consider how much of it they need to know.

If you aren't desperate to play Farmville or other games, you can shut off all apps from accessing your wall. Go to Account>Privacy>Apps, and "turn off platform apps". Be careful if you use your Facebook ID to log into another site, because the platform apps will be turned on again, so it's useful to check back regularly. (And resist the temptation to use Facebook as a general login.) Given how frequently Facebook changes its privacy policy, it's as well to check back regularly and review all your privacy options, to be sure they haven't switched things around.

By the way, there's an odd tendency to think that the only people who see what you post on Facebook are your actual friends. Remember that if you post something on a friend's wall, all THEIR friends see it too. Facebook allows you to message someone privately; consider doing that, if you want to give them your unlisted phone number or tell them how many weeks you'll be out of the country, rather than post it on their wall.

Finally, you can ask Facebook to use a higher level of security (https). It will also monitor what computer you use to log in, and tell you if a login occurs from a different computer. Go to account>account settings>account security to set this up.

4) Gmail. It turns out that Gmail is also susceptible to scams where unscrupulous vendors can gain access to your account and send emails in your name, which then attack the recipients. I think to most of us, it's a surprise that Gmail allows anyone to gain access the way Facebook does! The most notorious recently is something called "ShoppyBag", in which an email from a friend promised you a photograph. Again, the usual rule holds true: don't open it if you don't know what it is, regardless of who sent it. You can always contact your friend and ask what it is! And as with Facebook, check your Gmail settings regularly to make sure your account isn't compromised.
  1. Sign in on the Google Accounts homepage.
  2. Click the 'My Account' link displayed at the top right of the page.
  3. Click 'Authorizing Applications & Sites'. This page will list all third-party sites you've granted access to.
  4. Click the 'Revoke Access' link to disable access for a site.

Conclusion: You can have a pretty safe on-line life if you maintain a healthy skepticism. Most free offers are probably too good to be true. Guard your passwords, and when in doubt, err on the side of caution. It can be a mean online world out there, but with a little care you can keep on the light side.

Susan Forsburg is the Cathedral blogmaster and an internet geek. She still writes HTML by hand.
