Casting a prying line

The internet allows fraudsters to target tens of thousands of people with a single click of a mouse.


I admit that until recently I was quite lax about protecting my accounts against online predators. Like many, I believed numbers protected. My thinking went something like this: out of billions of people out there, what are the chances that I will become a target? I'll take the risks and not get all worked up and concerned. I was wrong.

Unfortunately, the odds are not on our side. The internet allows fraudsters to target tens of thousands of people with a single click, and the bad guys rely on only a handful of successful hits to make it worth their efforts. Basically, you are getting attacked weekly, if not daily, and you never know when one of the intrusions will harm you.

I learned the hard way that you cannot take anything for granted. A few months ago I found that a bank account with which I had no association had been linked to my retirement investment account. What made it worse was that I did not learn about the incident until a month after it had happened. I felt that someone had broken into my private life, and it was very unsettling.

Many people and institutions do not become serious about security until they fall victim to an unauthorised attack. The breach of ATM accounts across the country earlier this year demonstrated that the UAE has found a place on the radar screens of criminals, and as a result banks learnt that they needed to increase their security measures. "The ATM issue was definitely a wake-up call for banks here," said Jaweed A Gaya, the head of operational risk management at Commercial Bank of Dubai. The breach led to consumer panic and inconvenience as banks asked customers to change their PINs (personal identification numbers) and denied thousands of ATM transactions.

Consumers, not institutions, are the usual targets of cyber crimes, and no matter how many precautions financial services companies implement or the guarantees they offer - most banks reimburse their customers for any money withdrawn from their accounts if informed about the breach in a timely fashion - you, the consumer, must take the driver's seat when it comes to your own security. "It ultimately comes [down] to consumers doing their due diligence," said Ahmed Mohammed al Naqbi, the head of electronic banking at National Bank of Abu Dhabi (NBAD).

However, you can take some simple steps to protect yourself against intrusion, or to detect a fraudulent action early. Securing your computer and closely monitoring your accounts is a good way to start improving your chances of keeping prying eyes out of your personal information. Most experts will tell you never to share your personal information - with anyone. Most importantly, do not disclose your account information over an e-mail or text message to someone who claims to be from your financial institution. "No bank would ever ask for personal information over an e-mail or text message," Mr al Naqbi said.

Before making payments for any online shopping, make sure that the internet address is "s-http" or "https", which indicates that the transaction will be encrypted to ensure safety. Basically, look for the magical "s" in the internet address protocol.

The most common way that fraudsters steal personal financial information is through a technique known as phishing, where tricksters direct consumers by e-mail or instant messaging to a website that looks trustworthy and prompts them to enter their username, password and other personal information, usually by telling consumers of great deals. Often the e-mails purport to be from popular sites such as YouTube or Facebook, auction sites such as eBay, financial institutions such as PayPal, or even from your bank or a government entity.

Phishing has become increasingly rampant. According to the Anti-Phishing Working Group, a global pan-industrial association dedicated to eliminating internet fraud, in the first half of this year phishers' spam e-mails purported to be from more than 47,000 companies and brands. "It's become a mature business. It's very cheap to buy phishing kits, just a couple of hundred dollars," said Nick Holland, a senior analyst at Aite Group, a Boston-based independent consultancy on business, technology and regulatory issues. "It's a numbers game. You go hit as many people as you can and a very small percentage of people will give you their card number and personal information, but if it wasn't successful they wouldn't do it."

You should not open links from e-mails or instant messages. When you get an e-mail message from your financial institution, make sure it is genuinely from your bank and that it is directing you to a genuine website by looking at the sender's address and what site opens in the browser. Alternatively, to be more secure, just type in the URL of your institution yourself instead of clicking on the link in the e-mail.

However, you could still be under attack by a technique known as pharming, which is when you are redirected from a legitimate site to a bogus site that looks official but is in fact a predatory site that, once opened, installs a spying virus onto your computer to scan for vital data, including passwords.

By far the best way - in fact the only way - to protect yourself against phishing and pharming is by installing and regularly updating anti-virus software such as the popular applications from McAfee and Norton. "Most consumers don't pay for PC security. They use what they get for free, but they really need to keep their PCs secure," said Avivah Litan, a security analyst at Gartner, a US-based technology research firm. You should also equip your computer with anti-spyware programs.

Spyware gets into your computer with the sole purpose of collecting data from it. One recommended program to deal with this issue is Ad-Aware. If you do not have these programs - especially anti-virus protection - on your computer, you should think seriously about getting them, and here is a suggestion: don't waste time, get them now before your computer is infected. Hackers are always an e-mail away. If your computer is not equipped with anti-virus software, or is using security software that is not updated, the damage inflicted may not be reparable, because some malicious programs can disable or subvert an outdated anti-virus program or a subsequent installation of one.

Remember, despite the conveniences that computers afford us, they also offer a tool to criminals. Securing your PC is an absolutely integral part of protecting yourself against online attacks. Fraudsters use several methods to exploit unsecured PCs. Beware of files you receive - some of them may be infected with programs called Trojan horses, which can capture your login identity and password. Ms Litan explained that fraudsters can then use that information to log into your account, change your e-mail address and telephone number and even contact your financial institution to reset your secret question and answer that serves as the security patch when you need to reset your password. Having gained almost complete control over your personal information, fraudsters then transfer money from your account.

A simple example of a Trojan horse would be when you receive an executable file such as a screen saver. When you run it and your computer is not adequately secured with anti-virus software, it unloads hidden programs, scripts or other commands without your knowledge or consent.

Some banks offer an extra layer of protection that almost completely keeps the hackers out, although it is sometimes at the expense of your convenience to easily access your account.

National Bank of Abu Dhabi account holders, for instance, have to enter an extra PIN from an RSA device, which generates a new code every couple of seconds. Other banks such as HSBC use several different personal questions as passwords, such as your birth city or favourite book, and the question changes each time you try to log in. Mr al Naqbi advises consumers to use banks that require another factor other than ID and password to access accounts. Most institutions, such as my retirement investment institution, only require an ID and password to log in.

If your computer is penetrated and fraudsters successfully get the personal information that you use to access your account, the next line of defence is your financial institution. The security policies of your bank are what stands between criminals and your assets. Would your financial institution reset that information easily? In my case, fraudsters successfully linked a bank account to my retirement plan. When my institution could not reach me - because I had not updated my contact information, a mistake - it blocked all access to my account, thus stopping criminals in their tracks.

Another factor that appears trivial, but is quite serious, is choosing a secure password and guarding it. Experts recommend against using your birthday or the names of your loved ones and pets, because fraudsters may have used social networks such as Facebook to learn them. It is also important that you do not use the same password for multiple accounts, because if one of them is compromised hackers have essentially gained access to all your accounts. MasterCard recommends setting passwords that are eight characters long and a combination of letters and numbers, and changing them regularly.

Everything you have read so far should drive home the point that you must also regularly monitor your accounts, and know your financial company's policies and security practices. "[Consumers] need to check their bank account at least once a week so they can report the crime right away and stop it before too much damage happens. You should not wait for the monthly statements in the mail," Ms Litan said. In fact, many consumers wait until the statement arrives, and a significant number do not open theirs right away.

Keeping a close eye on your accounts, by reviewing your statements and checking accounts online weekly, is important, because many, if not most, institutions have a statute of limitations on reporting fraudulent activities. "People who are lax about checking their accounts don't always get their money back," Ms Litan said. In the case of a fraudulent transaction that your bank has agreed to remedy, MasterCard recommends that you check your statements diligently in the following months to make sure it has been resolved properly and completely.

While you were reading this article, you most likely received at least one spam e-mail, if not a dozen, and chances are that one of them was a predatory e-mail. While the age of information has provided us with immense convenience, it has also made us vulnerable to an extent unimaginable a decade or so ago. Criminals may not pick your pocket for quick cash, but they can tap into your bank account from thousands of kilometres away.

You must protect yourself by knowing your institution's standards, keeping your personal information private and building a gate around your computer. Never trust anything that sounds too good. The problem is that online fraud is almost a game, where the financial institutions and technology on one side and criminals on the other are always trying to be one step ahead of each other.

mjalili@thenational.ae