How to fight online security attacks
Source: Jennifer Waters
That’s the painful lesson from the string of high-profile security breaches at online shoe-and-apparel retailer Zappos and other big companies that hold onto pertinent ― and potentially vulnerable ― information about you.
“There is no such thing as Fort Knox in the Internet,” said John Ulzheimer, president of consumer education for SmartCredit.com.
Just ask the 24 million customers who Zappos has asked to change their passwords and be on the lookout for email phishing scams and other malevolent uses of personal information after an attack on its servers in Kentucky.
The incident may have left many customers open to unauthorized access to their account information that could include name, email address, billing and shipping addresses, phone, the last four digits of their credit card and/or their “cryptographically scrambled password,” the company said.
Zappos, which is owned by Amazon.com, said that the actual passwords were not discovered, but security experts have said that cryptographically scrambled passwords can be decoded with what is called a “brute force attack,” a meticulous key search that tries every possible combination until it recovers the password. The longer and more complex the password, the more time-consuming a brute force attack will be.
Zappos splattered emails to customers ― meaning some didn’t see one for three days after the announcement ― encouraging them to change their passwords immediately, including any passwords on other sites that might be identical or similar.
It also shut down its phone systems ― they would not have been able to handle calls from even 1% of those affected ― for nearly a week and launched an all-hands initiative for employees to handle customer emails. It also cut off contact with customers outside the U.S., and is only now starting to slowly restore service to certain parts of the world.
Zappos did not disclose when the attack actually occurred, saying only that it was cooperating with the FBI investigation. A Zappos spokeswoman was uncertain when the phone lines would be back or which countries would be reconnected when.
This Zappos incident is only the latest in a series of high-profile security breaches in the past year.
Sony Corp.’s PlayStation Network was breached last year. And so was email provider Epsilon, which sends out some 40 billion marketing messages for major companies such as J.P. Morgan, Citibank, Best Buy and Kraft. Another attack hit RSA, the cryptography firm that issues SecurID tokens to 40 million people for access to the computer networks of 25,000 corporations. Others included Lockheed Martin and NASA’s Goddard Space Flight Center.
“We should be on guard when we shop online,” said Philip Blank, managing director for security, risk and fraud at Javelin Strategy & Research, who encourages consumers to read the privacy and security statements that websites have.
Zappos.com’s, for example, notes that the Trustwave Trusted Commerce Seal “is present across Zappos.com as an assurance that we use industry standard measures to secure your personal information,” but Blank couldn’t find the seal anywhere other than the page that told him it was there.
“Unless you are 100% confident of your online retailer’s security procedures, do not store your credit card with them,” he said.
The bigger issue might be whether you should still be shopping online at all, considering that the bad guys are becoming more savvy, more organized and more targeted in their attacks. Ulzheimer, for one, expects cyber attacks to become as common as car accidents.
“It’s like driving in heavy traffic,” he said. “You have to be aware of the guy next to you, the guy behind you and the guy in front of you. Every time you put your information on the world wide web, no matter where you do it, there’s a possibility of someone finding it.
“But that doesn’t mean we’re going to stop doing it,” he added. “And we shouldn’t allow this to put us in a mode of online paralysis. We’re all essentially at risk and need to be more careful.”
Your biggest and most ongoing worry is so-called “spear phishing” attacks. They make the same kind of promises you see in emails from rich sultans pledging to wire you millions of dollars in return for a little help, but these phishing attacks are more targeted.
Rather than being addressed to “gentleman,” they appear to come from a trusted source, such as Zappos, Best Buy or Citibank. The messages are personally crafted in the hope that you’ll be duped into believing they are authentic and click on the link or give out more information.
Don’t do it. If your curiosity gets the best of you and you must find out what the trusted source wants, go to its website on your own, not through the link embedded in the email. And remember, too, that legitimate retailers will not ask you for sensitive personal information in an email.
This is an ongoing worry because it’s not likely that the perpetrators of this attack are going to surface anytime soon, considering 24 million consumers are on watch now. Ulzheimer thinks Zappos customers should keep a close eye out for the next two to three years.
Here are some quick fixes and long-term solutions you should be using, from Credit.com, the interactive financial education and comparison site:
Fortify passwords. Create strong passwords for online retailers and personal email accounts. The passwords should have numbers, upper- and lower-case letters, and symbols. For example, “7Catz$$?” is better than “7777.” Never use 123 or 12345.
Divide and conquer. Use different passwords for work and personal email accounts, bank accounts and online retailers. Keep a record in a separate place. If a hacker cracks one password, he or she won’t have access to the others.
Go old school. Use grade-school or memory tricks to remember complicated passwords. For example, if you’re a fan of Pat Benatar, you could turn “Hit Me with Your Best Shot” into the password “Hmwybs2!”, which includes a number and a symbol.
Don’t get personal. Avoid using personal information, such as a birthday, mother’s maiden name, a pet’s name or other trivia that can be gleaned from social networking sites.
Be aware of phishy emails. Zappos is communicating with customers by email. Sometimes emails that look official are from hackers trying to phish for your information. To be safe, go to the company’s website for the latest updates.
Check your credit reports. Check your credit reports as frequently as possible, at least twice a year. You’re entitled to one free report each year from each major agency. You might also want to consider a credit-check program, which could cost you as much as $15 a month.
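The two technical points in this article, that a “cryptographically scrambled” password can still be brute-forced and that longer, more varied passwords make that search far more expensive, can be seen concretely in the following added example (it is not code from the article, Zappos or Credit.com). It stores a password the way a site should, with a random per-user salt and a deliberately slow key-derivation function, and estimates the search space a brute-force attack faces for the sample passwords the article mentions; the iteration count, salt length and guess rate are assumed values chosen for illustration.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Assumed tuning values for this example; a real deployment picks them for its own hardware.
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Scramble a password with a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256).
    The salt means one guess cannot be checked against every stored hash at once, and the
    iteration count makes each guess cost ITERATIONS hash computations instead of one."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored)

def keyspace_bits(password: str) -> float:
    """Estimate how large a search a brute-force attack must cover, from the character
    classes the password uses (digits 10, lower 26, upper 26, printable symbols ~33)."""
    classes = [
        (any(c.isdigit() for c in password), 10),
        (any(c.islower() for c in password), 26),
        (any(c.isupper() for c in password), 26),
        (any(not c.isalnum() for c in password), 33),
    ]
    alphabet = sum(size for used, size in classes if used)
    return len(password) * math.log2(alphabet) if alphabet else 0.0

def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate; a slow KDF
    is what drives that rate down for the attacker."""
    return 2 ** keyspace_bits(password) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    salt, stored = hash_password("7Catz$$?")
    print(verify_password("7Catz$$?", salt, stored), verify_password("7777", salt, stored))
    for pw in ("7777", "12345", "7Catz$$?", "Hmwybs2!"):
        print(f"{pw:10s} {keyspace_bits(pw):5.1f} bits, "
              f"{years_to_exhaust(pw, 1e6):.1e} years at 1e6 guesses/s")
```

The estimate is an upper bound on attacker effort for random-looking passwords; guesses based on dictionary words or personal details, which the list above warns against, are tried first and need far fewer attempts.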