Preventing identity theft online
6th October 2005 (Computimes)

A spelling error occurs in an e-mail from your bank asking you for personal banking information. Noticing that simple mistake may just be enough to arouse suspicion that the e-mail from the bank asking for your account number, login and password may not come from your bank but from a hacker.

"Companies usually don't ask for important information through the Internet. They would ask you to go to their office," says Rozana Rusli, head of Strategic Planning Department, Cyber Security Research at Mimos Berhad.

And the grammar may not be right, as the hacker may not come from an English-speaking country, she adds.

This scam is called phishing, where a hacker tries to trick you into giving your personal identity or financial records.

The e-mail may also provide a Web link to a site where you are asked to key in your private information, but you are redirected to a hacker's Web site instead of the bank's official site - another scam called pharming.

These messages usually arrive as spam e-mail. However, you may also be giving up your personal user names and passwords if malicious codes are installed to track your keystrokes or to see which Web sites you visit.

Phishing, spam and malicious codes are increasing and at the same time, identity theft is also increasing. A home user has a one-in-three chance of getting hit by a virus, worm or intrusion software, says Rozana.

"These attacks are easy and impersonal. Hackers just send e-mail; there's no need to hack into a company's server to have access to your information," she explains.

More importantly, not clicking on a link in a message from the bank or replying to the e-mail is one of the seven ways to protect your identification that Rozana suggested at the e-Secure Malaysia 2005 conference held recently.

Users should also use e-mail wisely and not e-mail sensitive information. "E-mail isn't secure and jumps from one server to another. In between, it can be intercepted," she explains.

Users should also practice safe browsing. "You must know features in a browser and make use of it to make sure of the site you visit," adds Rozana.

For example, use the mouse to scroll down and look at information on the Web site. While a genuine bank's site will have other information, a false Web site will only contain a form that asks for information.

Look at the address bar. "By right, sovereign banks will not use an IP address," she says. "If you see numbers, be wary."

Also, make sure the address of the bank's Web site has HTTPS at the beginning and make sure there is a picture of a padlock at the bottom of the window.

"The HTTPS protocol is more secure than HTTP and most browsers denote this security with a padlock," she explains.

Users can also check the Web site properties for more information about the site, such as the source. And if the browser only has the name of the bank, and no logo or branding, then another red flag should be raised.

Another prevention method is to check your credit card statements and bank accounts regularly. Hackers may not take a big amount from your account, but small amounts from many accounts can add up.

Do not forget that technology is available to help prevent spam and phishing techniques, such as anti-virus software and anti-spamming software that you can install on your computer.

You can also see what information about yourself is floating on the Web by keying in your name in a search engine and taking a look at the results.

And lastly, if you are affected, report any suspicious activities to the authorities. Niser (National ICT Security and Emergency Response Centre) has an online report (www.niser.org.my/reports.html) that you can file if you are a victim.