Recently in Awareness Category
Apparently I'm several years behind on the Internet meme of Rick Rolling. It's recently invaded one of the forums I frequent. The regulars are split on whether it's as funny as "your shoelace is untied, ha ha, no it isn't I made you look" or if it is actually kind of funny.
For the uninitiated, a rick roll, according to Wikipedia, is "a classic bait and switch: a person provides a link they claim is relevant to the topic at hand, but the link actually takes the user to the music video for the 1987 Rick Astley song 'Never Gonna Give You Up'."
When people first heard the Rick Astley song they might think it sounds like a black guy is singing, then you see the music video and it's MC mighty white. It's not what you expect. So when someone says they have a link to XYZ and instead you don't get what you expect, you've been rickrolled.
The purpose of all of that backstory is simple. I've been wondering if the rickroll phenomenon will succeed in educating users to be careful about links in a way that security awareness training never could.
In February, Postmaster General John Potter sent a letter, presumably to all addresses, and enclosed an Identity Theft brochure from the Federal Trade Commission (FTC).
The Postmaster General's letter reported that according to an FTC survey only 2% of all identity theft victims believed the theft of their identity was related to mail. Even so, they sent this letter to educate consumers.
So many times when dealing with users the response is "I've got nothing to hide" or "I won't be a victim" or "I've got nothing worth protecting". The Postmaster General's letter points out that if someone steals your identity, it can affect your credit standing, your ability to buy a car or home, get a job or obtain medical care. Once victimized, it is not easy to clean up.
The FTC brochure has a link to the FTC's Identity Theft Site.
The brochure has three key sections.
Deter
- Shred financial documents and paperwork before you discard them
- Protect your social security number. Do not carry it in your wallet or write it on a check. Give it out only where necessary, or ask to use another identifier.
- Don't give out personal information on the phone, through the mail or over the Internet unless you know who you are dealing with.
- Never click on links in unsolicited emails. Instead type in a web address you know. Use firewalls, anti-spyware and anti-virus software to protect your home computer; keep them up to date. Visit onguardonline.gov for more information.
- Don't use an obvious password like your birth date, your mother's maiden name or the last four digits of your social security number
- Keep your personal information in a secure place at home, especially if you have roommates, employ outside help or are having work done in your home.
Detect
Be alert to signs that require immediate attention
- Bills that do not arrive as expected
- Unexpected credit cards or account statements
- Denials of credit for no apparent reason
- Calls or letters about purchases you did not make
Inspect your credit report (www.annualcreditreport.com) and your financial statements.
Defend
Defend against ID theft as soon as you suspect it.
- Place a "fraud alert" on your credit reports.
- Close any account that has been tampered with or established fraudulently.
- File a police report
- Report the theft to the FTC
Common Ways ID Theft Happens:
- Dumpster Diving.
- Skimming - skimmers are special devices that steal your credit/debit card numbers.
- Phishing
- Changing your address
- Theft of wallet/purse, mail, records
The CA Security Adviser Research blog has an interesting entry today following the trail of a suspicious credit card charge.
Do you review your monthly statement for suspicious charges? Do you look over every charge or just the bigger ones? A fraudster may fly under your radar with a $5 charge. That can accrue to quite a bit of money if they hit enough people.
Review your bills. Whether it's fraud or the phone company tacking on a monthly fee for long distance, you want to know about it as soon as possible.
The condo board asked all owners to update their contact information. This time I decided to give them my email address. As I gave it to them, I asked them to please use the BCC function to preserve our email address privacy. I don't need all my neighbors knowing my email address.
The property manager didn't know about BCC, but she certainly knew of the dangers when BCC isn't used. Previously they had difficulty with "reply all" storms.
Since she didn't have access to a listserv (and that would have been too complicated for her) I showed her how to use BCC in Outlook. Hopefully that will prevent future issues. I left feeling like I've done my security good deed for the day. Sometimes it's hard to put yourself in the user's shoes and realize they just need some gentle suggestions to do the right thing. (Of course my spidey sense is telling me that I'm going to be the new helpdesk/security guy for her whether I like it or not.)
Tonight, I saw a public service announcement educating viewers about online scams. The U.S. Postal Inspection Service has put up a site, fakechecks.org. They have fraud tests, videos and prevention advice.
I thought this was a really cool site. It's pretty easy to make fun of the rubes that are losing this money this way. Be a better person than that and educate them so they aren't taken advantage of by online con men.


