Computer-savvy criminals are increasingly setting up fake web sites in order to capture usernames and passwords that can be used to steal funds from bank accounts, for other activities involving identity theft, or otherwise gain unauthorized access to online resources.
Internet users must be on guard against such activities and must exercise special care to protect their confidential passwords.
One of the most important "best practices" when visiting a website that requires authentication is to type in the URL or web address of the desired site rather than selecting it from a saved bookmark which can be altered by spyware.
In particular, one should never log into a site after having clicked on a URL link received by e-mail. It is a common practice (referred to as "phishing") for hackers, to send out legitimate looking email that contains a link to a fraudulent site they've created. Many financial institutions have sent advisories to their customers warning them to ignore such requests.
However, even if the URL is typed in directly, a computer infected by spyware may have been set up to redirect the user to a fraudulent site. One method of doing so is to insert an entry into a Window user's HOST file, telling the computer to send any requests destined for a particular financial institution to an alternative server.
Additional precautions are therefore necessary.
One fraud prevention technique used by many financial institutions is to store a cookie on their customer's computer after the first visit, and then use that cookie to partially identify the customer on subsequent visits and allow the site to display a user-defined message (to help the user confirm that he or she has accessed the legitimate site) or to skip the need to require the user to enter the account number when revisiting the site.
While the latter approach may appear to reduce the level of security, it does help the user confirm the authenticity of the site, and also by not requiring the user to re-enter the account number, it offers partial protection against a "key logger" program installed (by spyware or by an employer) after the user's first access of the site. As users aren't typing in their account number, such software will only be able to capture the password but will not be able to obtain the vital account number.
Prior to logging into a secure web site, it is also prudent to first confirm the authenticity of a site by checking its SSL certificate. SSL certificates are used by all "secure" web sites.
URLs for such sites begin with "https" instead of "http." Such certificates are issued by one of the public certification authorities (such as Verisign, RSA Data Security or Entrust) that vouch for the authenticity of the site.
For computers running Internet Explorer, the identity of the organization that has issued a particular digital certificate can be checked by clicking on (i) file, (ii) properties, (iii) certificates, (iv) details, (v) subject. The name of the organization should be listed on the line beginning with "O" (for Organization Name).
The public certification authority that issues the certificate will usually assume some level of liability if it had issued the certificate improperly. The level of liability can range from $1,000 (for Entrust, used by National Bank and Bank of Montreal) up to $100,000 depending on the "class" of the digital certificate (for Versign, used by Royal Bank and CIBC). Check the "Certification Practice State-ment" for limitations on warranties and the certificate authority's liability.
These techniques are only partially effective and continued vigilance in using up-to-date antivirus and anti-spyware software is still necessary.
Ideally, financial institutions and other sites offering access to sensitive information will eventually offer two-factor authentication mechanisms (such as RSA SecureID) of the type used by many lawyers at large firms in order to obtain remote access to their office systems.
Alan Gahtan is a Toronto-based technology lawyer. Check out his web site at www.gahtan.com/alan