I was never too comfortable having my credit card information stored by small and medium businesses.
Here is why: I thought to myself, what kind of information security measures and procedures would a small flower shop take to protect my information? Where are they storing my credit card info? How long do they store it for? Yes, there is PIPEDA here in Ontario, but what if they are out of the country or in another province? How do I know they follow the guidelines? I don’t see anything on the website. These are questions I would probably never get the answers to, but I need to order flowers, right?
A flower shop’s specialty is flowers, not IT, right? The McAfee and GeoTrust badges they show on their website aren’t any comfort to me either, because they say nothing about the human side of information security. An employee can easily copy my number down over the phone, or an employee could unwittingly download a piece of malware and their computer could become a goldmine of credit card info for whoever controls that piece of malware.
Another situation I wasn’t too comfortable with was when I realized a popular bike rental service here in Toronto was storing my credit card info. I was allowed to log in to their website and edit my information. I couldn’t leave it blank, but luckily I could fill in random numbers.
In the case where you can’t fill in random numbers and are forced to enter a valid credit card, I recommend getting one of those pay-per-use (prepaid) credit cards and loading it with $5. This way, if the online retailer were to be compromised, your credit can’t be affected because the hackers would have the wrong info and a credit card that’s not really tied to your name.
Small and medium businesses are low-hanging fruit for anyone in a criminal enterprise. The majority of small and medium businesses don’t have to worry about state-sponsored attacks because there is nothing to gain from them, unless it’s a small boutique shop offering designs for nuclear reactors. Small and medium businesses would, however, have access to credit card and bank account information, which is what attracts many criminal enterprises.
A securityphile reader recently submitted a question regarding LinkedIn and I thought I would share it with the rest of the readers:
“I’d created a Linkedin profile a year ago, but now I feel that the information on that site is just *too* much. Do you agree? I’m in the process of deleting every detail that I wrote about myself on that site… and just wanted to know your thoughts on the uses/potential for misuses of that site.”
Our anonymous reader agreed to let me post the question and response so that other readers can benefit from what she learned.
My recommendation is to limit the amount of information you place on LinkedIn. By default, LinkedIn makes your profile available to search engines like Google, Bing and Yahoo. You can turn this feature off.
I would enter only the name of your employer and your position into LinkedIn, nothing more. No details about accomplishments, projects, etc. (you could be breaking confidentiality clauses you might not be aware of, for which either you or your employer are liable).
The more information you provide, the easier it is for someone to build a profile of you. Since it’s the Internet, you have no control over who can view your information. It’s easy to create a fake profile on any social networking site, and people can use that fake profile to monitor you.
If someone is legitimately interested in contacting you regarding your experience, they can contact you for further details (make that known on LinkedIn).
Potential misuses could lead to identity theft, fraud or plain theft.
Depending on your employer and your position, you could be targeted by hackers (who may be employed by hostile governments, etc.) who try to make you install software on your computer at work. If someone can see who you used to work with in the past, they could potentially pose as that person, thereby gaining your trust.
It’s all about risk and the likelihood that such a situation happens. If you are an administrative assistant to a high-level executive in the auto industry or the Canadian government, you could be a target. Those industries contain secrets and intellectual property that other countries may find very valuable. If you were the financial controller of a small business, you might be targeted because you have online access to your business’s bank accounts. If you are a receptionist at a high school, it’s unlikely a hostile government would try to hack you, but maybe one of the students might target you.
Threats to personal safety
If you have run away from an abusive husband and he has hired a private investigator to find you, one of the places he might look is LinkedIn. LinkedIn gives away your location and the name of your employer. Your information may be unnecessarily exposed.
If someone was trying to steal your identity, they could call up one of your previous employers and pretend to be a new employer doing a background reference check. Depending on the person who is asked, they may unknowingly give up personal information about you. While you might not share such information, you can’t vouch for what another person would do in that situation.
My guest post about “Sharing Too Much Online” is up on With Love… I was honoured that Marta asked me to write this piece for her readers. I thought it was a great opportunity to cross over into the world of fashion blogs and hopefully share my knowledge about online safety with the fashion community. I was glad to see from the comments, quite a few people enjoyed the article and found the information valuable.
If you are interested in having me write a guest post for your blog, please don’t hesitate to let me know.
I recently saw a post on Twitter where someone extolled their love for the password manager software they use. They also mentioned the information that was stored in it, the type of information that is the secret sauce to a person’s identity: user names, passwords and banking information.
While I think the use of password management software isn’t entirely a bad idea (as long as you have other defenses in place), I do believe it’s a bad idea announcing WHAT YOU USE to store the recipe for your secret sauce, particularly when it’s on a social networking website, for everyone to see. That’s akin to announcing to the whole world the name and model number of the safe I use at home, what’s stored inside and where it is. But I’m still using a safe, so I’m secure right? No!
Posting critical information like that to a social networking website will make you a likelier target for hackers. It is easy for them to build a profile of people based on their blog, Twitter and Facebook accounts, then plan a social engineering attack. The attack may come in the form of gaining your trust, then sending you a malicious file for you to execute. A general search for 1Password or KeePass on Twitter will show you lots of users who are using the software.
While the secret sauce may be encrypted, if a computer is infected with a trojan horse that has key-logging features, the encryption no longer protects you and it becomes a moot point. If you don’t keep your operating system up to date, or don’t use anti-virus and a firewall, that just makes you even more susceptible to your secret sauce being revealed.
The other question to ask yourself is, where do you store this information? Is that encrypted file on a laptop or desktop? What if the laptop is lost or stolen? Hopefully there is a backup. And a backup of that backup.
Rule of thumb: The more information you reveal about your computer’s defenses, the more vulnerable you become.
What concerns me is how easily this lack of knowledge is spread via Twitter, and how it gives people who aren’t as technically savvy the wrong idea. I can guarantee a lot of people will try out the password manager but forget to do everything else, like updating their browser, anti-virus and operating system and installing a firewall. If that’s the case, they will have all their eggs in one basket, and be ripe for the picking.
Has Your ATM Card Been Skimmed Before? This Is How It’s Done!
Information security is important even when you aren’t in front of your own computer or using your smart phone.
Remember, ATMs are computers as well, except you have no control over them.
In the video you’ll see a before and after picture of the ATM. Notice any differences?
When you are out and about, always try to use an ATM that is owned by an established bank and not the random machines you see in convenience stores etc. Try to be familiar with the location of the ATM as well.
You should really use your own bank’s ATMs, so you avoid the unnecessary charges.
The video comes from the US version of the show ‘The Real Hustle’, which originally started out in the UK, much like many other TV shows.
Keep in mind, it’s not just ATMs that are compromised. PIN pads are also targeted by thieves, who attach a device to the pad that reads all of the pertinent information as you enter it.
The article goes on to discuss the results of a survey conducted by the Pew Internet & American Life Project regarding reputation management and social media. One conclusion that was drawn was that 18- to 29-year-olds were the least likely group to trust social networking sites.
On one hand, I understand the need to manage one’s own reputation online. People must protect themselves from people that feel the need to discriminate or gossip, have loose lips or become judgemental about things that don’t concern them.
On the other hand, I find it disappointing that people have to resort to censoring themselves and monitoring everything they do, just to ‘fit in’, wherever that might be. It sounds a lot like high school, but I think it’s actually the other way around: high school is a lot like life.
At the end of the day, I do believe that if pictures, blogs or personal information are freely accessible on the Internet, they are fair game for anyone to view.
That is why people must protect themselves.
This is what I suggest:
- Google yourself to see what content “your name” is associated with.
- Continually monitor your name by creating ‘Google Alerts’ that are sent via email or RSS.
- Create an extra account on Facebook for professional (work) use only, separating it from your personal life.
- Get your name as a domain name. If you have a common name, you may be mixed up with someone else. Get it before someone else does.
- Check your friends’ social networking photo albums to see if they have any photos of you that could be considered ‘inappropriate’ (your friends may not have strict privacy settings).
- Review your privacy settings on all social networking sites and lock them down if necessary. Remember to test them out to see what your profile looks like to others.
- Think about what you want to say before posting it as a comment on social networking sites, discussion forums or news articles. Could your comments be used against you in the future?
I enjoyed this quote from the article…
Stefanie Juell, a 28-year-old in Westchester County, N.Y., has become increasingly aware of this. So she recently opened an extra Facebook account after her supervisor and people she’d met through work started to friend her on her personal account.
“You don’t exactly want to reject your supervisor,” she says. “Nor do you want him or her to see everything that your friends write on your wall or the pictures that people tag of you.”
As a side note, Googling yourself used to be referred to as ‘ego surfing’. CNN also reported on the same Pew Internet report, but it wasn’t as extensive as the Toronto Star article that I posted.