By MH Staff - Posted on 15th May 2014
Use these basic tactics to ensure that you don’t fall victim to a viral attack.
“Being up-to-date eliminates 80% of the problem,” says Robert Gabriel, a local hacker, explaining that (standard, downloadable) software updates include patches or fixes for known vulnerabilities. Many hackers simply rely on our laziness – and exploit easy gaps in older versions of standard office programmes and Internet browsers.
Gabriel and Basie von Solms, director of the University of Johannesburg’s Centre for Cyber Security, agree the best defence is “end-user training” – teaching people not to click on suspicious links, or download software or apps from an unknown source (this caution should apply to “known” sources too, like your Facebook or Twitter buddy sending you a link that promises to be an embarrassing photograph). Basic phishing scams are easy enough to pick up simply by hovering your cursor over the supplied “link”: the real destination shows up as something completely different from http://mybanksecuresite and may look more like http://rubbishlink.com.br/clip/copyofyourbank. Although this, too, is becoming more complicated: syndicates are starting to use a “Man in the Browser” attack, which infects your web browser and is able to modify web pages so that the URL looks like the real thing. The solution is to never access any secure accounts (online banking, e-filing, even your social media profiles) through a link. Rather, type the address directly into your browser.
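The hover check described above can be automated: compare the host named in a link’s visible text with the host its href actually points to. This is an added example, not code from the article or its sources; the HTML it scans is a constructed sample using the article’s own illustrative URLs, and the function names are the example’s own.

```javascript
// Added example (not from the article): flag links whose visible text
// names one host while the real href goes to a different one. This is
// the same mismatch the article says you can spot by hovering.

// Constructed sample HTML, mimicking a phishing e-mail body.
const SAMPLE_HTML = `
<p>Please verify your account at
<a href="http://rubbishlink.com.br/clip/copyofyourbank">http://mybanksecuresite</a>
or read our <a href="https://mybanksecuresite/help">help page</a>.</p>
`;

// Extract (href, visible text) pairs from simple HTML. A regex is enough
// for this constructed input; a real tool would walk the DOM instead.
function extractLinks(html) {
  const links = [];
  const re = /<a\s+[^>]*href=["']([^"']+)["'][^>]*>(.*?)<\/a>/gis;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Hostname of a string if it parses as a URL (scheme optional), else null.
// "help page" contains a space, which is not a valid host, so it yields null.
function hostOf(s) {
  try {
    const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(s) ? s : 'http://' + s;
    return new URL(withScheme).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// A link is suspicious when its visible text names a host that differs
// from the host the href actually resolves to. Links whose text is not
// a URL at all ("help page") are not judged by this rule.
function findMismatchedLinks(html) {
  return extractLinks(html).filter(({ href, text }) => {
    const shown = hostOf(text);
    const real = hostOf(href);
    return shown !== null && real !== null && shown !== real;
  });
}

for (const l of findMismatchedLinks(SAMPLE_HTML)) {
  console.log(`displayed ${l.text} but goes to ${l.href}`);
}
```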
Von Solms says the “best money a company can spend on security is making staff members more security aware. You can have the best firewall and antivirus [software] in the world, but if your workers don’t understand the importance of not reacting to a suspicious email or attachment, all of those will fail. Even if you only employ five people, you should get an expert in to give a proper course on Internet awareness.”
Even if (you think) you’re too smart to share your banking PIN, many of us still have an overly casual approach to sharing another critical identity signifier: our login details. What might be intended as a good-buddy gesture – forgot your password? No worries, use mine – could be a dismissible offence. This could involve straightforward abuse of privileges (downloading the entire last season of Game of Thrones on your company’s bandwidth) or a violation of office policy (distributing a naked photo of the Khaleesi) under your user name, or unwittingly providing a backdoor entrance to your company’s network.
“There’s no use just having a little screen that appears after you log in saying ‘you shouldn’t do this’,” says Von Solms, who adds he is “not well-liked by some banks, because I’m saying they are hanging their customers out to dry.” As a pre-emptive measure – and in response to the increase in phishing/sim swop scams (where a sim swop is used to give the phisher access to the OTP [One Time Pin] you receive on your cellphone) – Von Solms has made changes to his accounts, basic steps which would, “bring down cybercrime in banking immensely”, if more people did it. And if more banks encouraged it. “I forced my bank to cancel the facility on my Internet banking profile that creates new beneficiaries and does OTPs,” he says. “The only thing I can do on my profile is pay existing beneficiaries. Even if someone cracks my profile, they can’t get the money out.” Initially, his bank told him such a thing “could not be done. I had to force them.” This does mean each time Von Solms needs to make a payment to anyone not on his list, he has to physically go into a branch. For people who need to make more frequent once-off payments, Von Solms agrees a separate bank account – with no credit or overdraft facilities, and not linked to any other account – could be created for payments only, and that you could pay money into this account (which would be listed as a beneficiary on your primary account) when you needed to make outward payments. It’s a bit more labour intensive, but safer. If your primary account is hacked, no new beneficiaries can be added; if your “payment” account is hacked, there’s nothing to take… “Banks need to come up with more ideas like this to help their customers,” Von Solms says, “but they don’t. It’s like talking to a blank wall.”
Von Solms says we need to develop new approaches to being cybersafe – by creating separate systems or networks for customer or sensitive information, networks which allow data in but not out. He also advises making “sure the computer you use for sensitive transactions is for that purpose only – don’t let it get infected by malware. If you use the same computer to play games, surf the Internet… you will get infected.”
Matt, a system engineer, advises simply: “Instead of worrying too much about the big picture, start with things that you can accomplish. Protect what’s important to you. Make sure you have everything backed up properly and that you communicate and store data in the safest way possible.” And if all else fails, buy the nice hacker guys a coffee.