<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Get Safe Online (The Blog) &#187; Guest bloggers</title>
	<atom:link href="http://www.getsafeonlineblog.org/category/guest-bloggers/feed" rel="self" type="application/rss+xml" />
	<link>http://www.getsafeonlineblog.org</link>
	<description>News, tips and updates from the GetSafeOnline.org team</description>
	<lastBuildDate>Wed, 01 Feb 2012 10:33:24 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>OpenID and you</title>
		<link>http://www.getsafeonlineblog.org/openid-and-you</link>
		<comments>http://www.getsafeonlineblog.org/openid-and-you#comments</comments>
		<pubDate>Mon, 16 Aug 2010 13:58:00 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Access Control]]></category>
		<category><![CDATA[Authentication]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/openid-and-you</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. Passwords are not perfect when it comes to keeping your identity safe online. Too many people use the same password for different websites or choose weak passwords that hackers and their software can easily guess. Choosing strong passwords is always a [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p>Passwords are not perfect when it comes to keeping your identity safe online. Too many people use the same password for different websites or choose weak passwords that hackers and their software can easily guess.</p>
<p>Choosing <a href="http://www.getsafeonline.org/nqcontent.cfm?a_id=1127">strong passwords</a> is always a good idea but perhaps there is a better alternative. <a href="http://openid.net/">OpenID</a> is, as the name suggests, an open standard for authentication. It replaces the traditional user name and password with a digital identity backed up by a choice of systems to prove that you are who you say you are.</p>
<p>It has several benefits. It’s easier to use. You don’t have to share your password with every Tom, Dick and Harry on the internet. And it’s easier than keeping track of dozens of different passwords for different sites.</p>
<p>Millions of sites allow you to login using OpenID, including PayPal, eBay, Yahoo!, Google, Facebook, AOL and others.</p>
<p>Many companies provide OpenID credentials. One option is <a href="https://idprotect.verisign.com/mainmenu.v">VeriSign Identity Protection</a> (VIP). VeriSign lets you create your own OpenID digital identity and offers a range of different ways to identify yourself. These include a VIP Access Toolbar for your browser, free software for your smartphone that generates one-time passwords as well as advanced cryptographic tokens.</p>
<p><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image001.gif"><img style="border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px" border="0" alt="clip_image001" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image001_thumb.gif" width="123" height="78" /></a> <a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image002.gif"><img style="border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px" border="0" alt="clip_image002" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image002_thumb.gif" width="123" height="62" /></a> <a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image003.gif"><img style="border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px" border="0" alt="" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image003_thumb.gif" width="185" height="146" /></a></p>
<p>So, next time you struggle to remember a password, get frustrated at filling in another registration form or (if you are unlucky) fall victim to identity theft, why not try out OpenID instead?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/openid-and-you/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Things we check (Video)</title>
		<link>http://www.getsafeonlineblog.org/things-we-check-video</link>
		<comments>http://www.getsafeonlineblog.org/things-we-check-video#comments</comments>
		<pubDate>Mon, 02 Aug 2010 13:56:00 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Videos]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/things-we-check-video</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. VeriSign’s new advert is a good reminder that we need to check things before we trust them. VeriSign’s new Trust™ Seal lets website owners confirm their identity and prove that their site is virus-free. When you see it, you know you [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p>VeriSign’s new advert is a good reminder that we need to check things before we trust them. VeriSign’s new <a href="http://www.verisign.com/trust-seal/index.html">Trust™ Seal</a> lets website owners confirm their identity and prove that their site is virus-free. When you see it, you know you can buy, browse and share with confidence. For more information see: <a href="http://trustthecheck.com/">Trust the Check</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/things-we-check-video/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meet the rightperson, not a conperson.</title>
		<link>http://www.getsafeonlineblog.org/meet-the-rightman-not-a-conman</link>
		<comments>http://www.getsafeonlineblog.org/meet-the-rightman-not-a-conman#comments</comments>
		<pubDate>Fri, 23 Jul 2010 22:17:52 +0000</pubDate>
		<dc:creator>Tony Neate</dc:creator>
				<category><![CDATA[Comment]]></category>
		<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=610</guid>
		<description><![CDATA[Guest blogger: Sharon Lemon OBE. Deputy Director e-Crime, Serious Organised Crime Agency (SOCA) Years ago, when Internet dating started, it did have a reputation as being a bit seedy, but things have moved on and now there are a  number of reputable dating sites which advertise their success in putting couples together, many of whom get married. Needless to say [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Guest blogger: Sharon Lemon OBE. Deputy Director e-Crime, Serious Organised Crime Agency (SOCA)</p>
<p><img src="http://www.getsafeonlineblog.org/wp-content/uploads/2007/06/sharon-lemon.jpg" border="0" alt="Sharon Lemon" width="232" height="240" align="right" />Years ago, when Internet dating started, it did have a reputation as being a bit seedy, but things have moved on and now there are a number of reputable dating sites which advertise their success in putting couples together, many of whom get married. Needless to say, though, there are some people who want to exploit this new form of relationship. Romance fraud is a growing problem and can leave its victims financially and emotionally devastated. Make sure you’re aware of the signs so that you don’t fall for Mr or Mrs Wrong instead of Mr or Mrs Right – do not become a victim.</p>
<p>For example, when you sign up to a dating website be careful about giving out your private information, especially to people from a foreign country who contact you out of the blue and claim to care deeply for you after only one or two emails or conversations. Always stay on the website, and don’t take your conversations onto instant messaging or private email. Don’t trust anybody who won’t answer basic questions about where they are and what they do.</p>
<p>So far we have only seen this offence being committed against women. A common tactic is for a fraudster to claim that they are a soldier, maybe American, who is based in Iraq and wants to retire with their children to live with you. Once the relationship is established, you will be asked to speak to their friends in a completely different country, which is when you will be asked for money.</p>
<p>When a romance fraudster (actually probably a group of criminals posing as one person) manages to seduce somebody into an online relationship, often over weeks and months, eventually there will be a problem that only you can help with. Maybe they want to travel to see you, and want you to pay money towards a visa or airline tickets. Or maybe they or a family member falls ill, or even dies, and they need money for medical or funeral bills. There may be many different reasons, but with just one purpose – to get your money.</p>
<p>If you do pay, the fraudster will then give more reasons for you to send money, and you will never see any of the things they promise. If they say they are flying to see you, they won’t turn up but will have a problem at the airport requiring your money to sort out. If they say they have large amounts of cash or gold that only requires some customs charge or other fees before you can get a share, this is just another type of fraud designed to rip you off. You may even be asked to fly abroad, so that you can be exposed to these different types of fraud in person. If you do so there is a real risk of kidnap and extortion, meaning your life could be in danger.</p>
<p>To protect yourself, be wary of contact from these romance fraudsters. Never send money to anybody you don’t know or trust, particularly by a money transfer service instead of to a bank account. If something sounds too good to be true, it probably is. If you become a victim, you could end up losing a lot of money as a result – or worse.</p>
<p>If you think you’ve been a victim of romance fraud, or any other type of fraud, cease all contact straight away, don’t send any more money and get in touch with Action Fraud via their website, <a href="http://www.actionfraud.org.uk/">http://www.actionfraud.org.uk/</a>  or call them on 0300 123 2040.</p>
<p>That’s all pretty serious, but remember – as in real life, most people in the virtual world are good, so enjoy your time in it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/meet-the-rightman-not-a-conman/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Ten signs of trust</title>
		<link>http://www.getsafeonlineblog.org/10-signs-of-trust</link>
		<comments>http://www.getsafeonlineblog.org/10-signs-of-trust#comments</comments>
		<pubDate>Mon, 19 Jul 2010 13:48:00 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[SSL]]></category>
		<category><![CDATA[Trust]]></category>
		<category><![CDATA[VeriSign]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/10-signs-of-trust</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. When you are looking at a website, here are ten signs that can help you decide whether a company is worth doing business with, or not. A well-designed site. If companies don’t take the time to design a website that is [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/iStock_000009164514Small.jpg"><img style="border-bottom: 0px;border-left: 0px;margin-left: 0px;border-top: 0px;margin-right: 0px;border-right: 0px" border="0" alt="iStock_000009164514Small" align="right" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/iStock_000009164514Small_thumb.jpg" width="240" height="150" /></a> When you are looking at a website, here are ten signs that can help you decide whether a company is worth doing business with, or not.</p>
<ol>
<li><b>A well-designed site</b>. If companies don’t take the time to design a website that is easy to use, accessible for people with disabilities, simple to navigate and quick to load, then the chances are they won’t take the time to provide good services or proper privacy.</li>
<li><b>Useful information</b>. Look for a company that provides advice, recommendations and help. In particular, look for information about security – it shows they’re thinking about it.</li>
<li><b>A good reputation</b>. A well-known brand can be a reassurance but a small firm with a good reputation can also be trustworthy. Look for customer endorsements and third party reviews online.</li>
<li><b>Real-world contact details</b>. Look for a phone number, email contact and real-world address. If you feel nervous, call them up and see who answers and how helpful they are.</li>
<li><b>SSL Encryption</b>. Every site should use SSL encryption to protect your confidential information when you enter it or when you checkout during a purchase.</li>
<li><b>Extended Validation SSL certificates</b>. This gives you extra reassurance that the site is genuine and that the company behind it really exists.</li>
<li><b>SSL Certificate matches company details</b>. Click on the golden padlock and crosscheck the company details there with the details on the site. Sometimes, you have to look in the site’s terms and conditions to find the company’s trading name and registered address. </li>
<li><b>Trust marks</b>. Trusted third party signs, such as the VeriSign Secured Seal, let you check that a site is safe. Click on the symbol to confirm the ownership of the site. <br /><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image001.png"><img style="border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px" border="0" alt="clip_image001" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image001_thumb.png" width="131" height="95" /></a></li>
<li><b>Clear policies</b>. Ecommerce sites should offer clear, no-nonsense returns and postage policies. If you don’t understand the deal you’re getting, don’t do it.</li>
<li><b>Support for Get Safe Online</b>. Well, not everybody supports Get Safe Online, but it’s a good sign if they do!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/10-signs-of-trust/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>VeriSign bloggers: inside ecommerce and identity</title>
		<link>http://www.getsafeonlineblog.org/verisign-bloggers</link>
		<comments>http://www.getsafeonlineblog.org/verisign-bloggers#comments</comments>
		<pubDate>Mon, 05 Jul 2010 13:47:00 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Blogs]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/verisign-bloggers</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. VeriSign is delighted to sponsor Get Safe Online and to contribute a few guest posts to the blog here. We have a number of bloggers ourselves. Check them out: Notes from the Cyber Trenches. Rick Howard runs our iDefence Operations centre. His [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p>VeriSign is delighted to sponsor Get Safe Online and to contribute a few guest posts to the blog here. We have a number of bloggers ourselves. Check them out:</p>
<ul>
<li><a href="http://blogs.verisign.com/idefense/">Notes from the Cyber Trenches</a>. Rick Howard runs our iDefence Operations centre. His blog is an interesting insight into the biggest threats and most serious internet security issues such as a recent post about <a href="http://blogs.verisign.com/idefense/2010/05/shadow-network.html">cyber espionage</a>.</li>
<li><a href="https://blogs.verisign.com/ssl-blog/">Tim Callan’s SSL Blog</a>. Keep up with the latest developments in the world of SSL and ecommerce encryption.</li>
<li><a href="http://blogs.verisign.com/innovation/">Blue Ocean: Innovation at VeriSign</a>. Nico Popp’s blog shows where online verification and encryption is heading, for example, his recent post about ‘cloud identity’.</li>
<li><a href="http://blogs.verisign.com/infrablog/">The VeriSign Infrablog</a>. For IT professionals, this blog is a commentary on infrastructure. </li>
<li><a href="http://blogs.verisign.com/identity/">Online Identity and Trust</a>. This blog deals with consumer identity protection. Written by four people from the VeriSign Identity Protection team, it covers topics such as fraudulent cashpoint access and the security risks of smart meters.</li>
<li><a href="http://blogs.verisign.com/web-user-experience/">Web User Experience Blog</a>. Reshma Kumar is the User Experience Design Manager for VeriSign’s websites. Her April 14<sup>th</sup> post shows how far website design has come since 1997, when VeriSign launched its first site.</li>
<li><a href="http://blogs.verisign.com/ecommerce/">Bob Angus: The Ecommerce Evangelist</a>. Bob’s blog is a great resource for anyone involved in ecommerce.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/verisign-bloggers/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Behind the seal</title>
		<link>http://www.getsafeonlineblog.org/behind-the-seal</link>
		<comments>http://www.getsafeonlineblog.org/behind-the-seal#comments</comments>
		<pubDate>Mon, 28 Jun 2010 13:59:00 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/behind-the-seal</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. One of the biggest problems people have is spotting the difference between legitimate websites and fake sites that look real but which are fronts for online criminals. SSL Certificates – the technology that protects your private data when you buy online [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p>One of the biggest problems people have is spotting the difference between legitimate websites and fake sites that look real but which are fronts for online criminals. </p>
<p>SSL Certificates – the technology that protects your private data when you buy online – are helpful and the latest Extended Validation SSL Certificates also provide reassurance about the owners of the site as well as the strength of their encryption.</p>
<p>However, most web pages are not protected by SSL; only the checkout or registration pages where you enter personal information. So we have developed the <a href="http://www.verisign.com/trust-seal/features-benefits/index.html?sl=title">VeriSign Trust™ Seal</a>, which website owners can display on any web page to prove that their site is legitimate.</p>
<p><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image0011.gif"><img style="border-bottom: 0px;border-left: 0px;border-top: 0px;border-right: 0px" border="0" alt="clip_image001" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/clip_image001_thumb1.gif" width="135" height="68" /></a></p>
<p>When you see this sign, you know that VeriSign has verified the ownership of the site and checked that the site is free of malware. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/behind-the-seal/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fake or not? What does safe look like online?</title>
		<link>http://www.getsafeonlineblog.org/fake-or-not-what-does-safe-look-like-online</link>
		<comments>http://www.getsafeonlineblog.org/fake-or-not-what-does-safe-look-like-online#comments</comments>
		<pubDate>Mon, 21 Jun 2010 13:45:51 +0000</pubDate>
		<dc:creator>VeriSign</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>
		<category><![CDATA[Fraud]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=562</guid>
		<description><![CDATA[This is a guest blog post from VeriSign UK, a Get Safe Online sponsor. In the last three months of 2009, criminals hijacked 356 well-known brands to create phishing sites, according to APWG. These sites are designed to trick people into giving away their personal information, such as credit card numbers. It’s identity fraud on [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><strong>This is a guest blog post from </strong><a href="http://www.verisign.co.uk"><strong>VeriSign UK</strong></a><strong>, a Get Safe Online sponsor.</strong></p>
<p><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/moneybaitsmall.jpg"><img style="margin: 0px; border: 0px;" src="http://www.getsafeonlineblog.org/wp-content/uploads/2010/06/moneybaitsmall_thumb.jpg" border="0" alt="money bait (small)" width="116" height="175" align="right" /></a> In the last three months of 2009, criminals hijacked 356 well-known brands to create phishing sites, according to <a href="http://www.apwg.com/reports/apwg_report_Q4_2009.pdf">APWG</a>. These sites are designed to trick people into giving away their personal information, such as credit card numbers. It’s identity fraud on a massive scale.</p>
<p>Sometimes, these fake sites are very difficult to detect, even for an expert. But here are a few things to watch out for:</p>
<ul>
<li><strong>Pressure</strong>. Sites and emails that create a false sense of urgency (‘your account has been suspended’, for example) are a common tactic.</li>
<li><strong>Promises</strong>. Alternatively, you get an offer that sounds too good to be true (such as ‘sign up now and get a free MP3 player’).</li>
<li><strong>Pretending</strong>. Check the website address in the browser bar. If it doesn’t look right, be on your guard. For example, watch for weird variations or misspellings of the company name.</li>
<li><strong>Poor spelling</strong>. Criminals who don’t speak English as their first language are prone to make tell-tale spelling errors.</li>
<li><strong>Padlock</strong>. When you are entering personal information, you should check for the golden padlock in the browser address bar. If it’s not there, beware.</li>
</ul>
<p>However, sometimes, criminals can create a perfect copy of a real website and so you need some extra help to detect the fakes. This is where Extended Validation SSL certificates come in.</p>
<p>The SSL bit produces the golden padlock and it means that your data is encrypted before it is sent to the website owner. The Extended Validation bit is new and it shows that the identity of the website owner has been checked and that this is really their site and not a fake. It displays a green background and the name of the site owner in the address bar – this is your sign that you’re safe.</p>
<p>Test your skills in spotting fake sites with VeriSign’s <a href="https://www.phish-no-phish.com/">Phish or No Phish</a> online quiz. Check out Get Safe Online’s tips on <a href="http://www.getsafeonline.org/nqcontent.cfm?a_id=1125">avoiding criminal websites</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/fake-or-not-what-does-safe-look-like-online/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Have you been Rocked.</title>
		<link>http://www.getsafeonlineblog.org/have-you-been-rocked</link>
		<comments>http://www.getsafeonlineblog.org/have-you-been-rocked#comments</comments>
		<pubDate>Fri, 18 Dec 2009 00:23:32 +0000</pubDate>
		<dc:creator>Tony Neate</dc:creator>
				<category><![CDATA[Comment]]></category>
		<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=463</guid>
		<description><![CDATA[Another guest blog from  Richard Hollis Did you see the news recently that social networking site RockYou suffered a data breach exposing over 32 million user accounts?   If that wasn’t bad enough, it was also revealed that they were apparently storing all that data (user account information) in plain text in their database. This fact came [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Another guest blog from  Richard Hollis</p>
<p>Did you see the news recently that social networking site RockYou suffered a data breach exposing over 32 million user accounts?   If that wasn’t bad enough, it was also revealed that they were apparently storing all that data (user account information) in plain text in their database. This fact came to light only because when RockYou attempted to downplay and dismiss the severity of the incident, the hacker responsible published a sample of the data to prove it and demonstrate that all the user passwords accessible were stored unencrypted.<br />
 <br />
<img class="alignleft size-full wp-image-466" title="Rockyou" src="http://www.getsafeonlineblog.org/wp-content/uploads/2009/12/Rockyou2.jpg" alt="Rockyou" width="129" height="64" />To make matters worse, the published dataset also contained user password and logon credentials for other social networking sites. </p>
<p> So however you do the maths, there is a possibility that this hack directly affected you if you use a social networking site. The hacker was able to access this information through a SQL injection vulnerability on the RockYou site.  This hacking technique is old, widely known and does not require a great deal of expertise to execute.  The point being that any online business even marginally concerned with security would have closed off this easily exploited security hole before even thinking of launching their site &#8211; but apparently not RockYou.<br />
 <br />
Their attitude towards security is further demonstrated in their published password policies as they only mandate a minimal length of 5 characters for their account passwords.  They have no requirement for mixed case, alpha-numeric characters and in fact enforce password simplicity by not allowing any punctuation at all.  This is where RockYou gets it wrong.  Passwords are the very foundation of online security.  At this time of year we should think of them like underwear &#8211; the longer the better.<br />
    <br />
Learn a lesson from this incident &#8211; buyer beware! Next time you sign up to a social networking site or any web service for that matter, read the fine print. What is their security policy?  Do they have one?  If they don’t publish it on the site &#8211; chances are they don’t. Sending you open text passwords in emails is another indication that their approach to security may be short of your expectations.  Read the privacy statement. Do they inform their customers about losses or breaches?  Do you want to use them if they don’t?  The choice is yours.</p>
<p>Richard Hollis – Orthus Ltd</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/have-you-been-rocked/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Coming to a Theatre near you</title>
		<link>http://www.getsafeonlineblog.org/coming-to-a-theatre-near-you</link>
		<comments>http://www.getsafeonlineblog.org/coming-to-a-theatre-near-you#comments</comments>
		<pubDate>Thu, 17 Dec 2009 08:52:57 +0000</pubDate>
		<dc:creator>Tony Neate</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=453</guid>
		<description><![CDATA[Guest blogger Richard Hollis Last week, the United States Congress, House of Representatives, passed the Data Accountability and Trust Act &#8211; H.R. 2221.  The bill is now on its way to becoming Federal law.  This is long awaited and very good news for consumers.  It’s similar to the breach notification laws enacted by over 30 [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Guest blogger Richard Hollis</p>
<p>Last week, the United States Congress, House of <img class="alignright size-thumbnail wp-image-459" title="CapitolBldg" src="http://www.getsafeonlineblog.org/wp-content/uploads/2009/12/CapitolBldg4-150x150.jpg" alt="CapitolBldg" width="150" height="150" />Representatives, passed the Data Accountability and Trust Act &#8211; H.R. 2221.  The bill is now on its way to becoming Federal law.  This is long awaited and very good news for consumers.  It’s similar to the breach notification laws enacted by over 30 of the 50 states, sparked by California mandating public disclosure of breaches back in 2003.  Federal public disclosure laws were previously blocked under the Bush Administration.   In essence it mandates that businesses publicly disclose breaches of personal information in their possession.  <br />
     <br />
The new law will formally define personal information as, &#8220;an individual&#8217;s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual:</p>
<p>• Social Security number, driver&#8217;s license number or other identification number<br />
• Financial account number, or credit or debit card number and any required security code, access code, or password necessary to permit access to an individual&#8217;s financial account.</p>
<p>It formally establishes the Federal Trade Commission (FTC) as the oversight body and requires organisations holding data to implement a data protection policy and identify an information security officer.   More importantly, the new law will direct that businesses in possession of personal data establish procedures for identifying security vulnerabilities in the networks that process this data and monitor for breaches.  The FTC would also be tasked with posting breaches on their website.</p>
<p>The bill has some more stringent requirements for &#8220;data brokers&#8221;, including audits in the event of a breach.  It also requires two years of quarterly credit reports provided to victims at no charge. Third parties are also required to notify customers in the event of a breach, and the actual owner of the data is then required to notify consumers.  It doesn’t get any better than that.</p>
<p>The law will naturally result in a higher level of protection for personal data held by both public and private sector entities and establish the legal framework for consumer legal actions resulting from breaches.  It will also add some degree of consistency for organizations establishing programs to protect personal data and simplify compliance.<br />
 <br />
Good news for consumers everywhere as US law has a way of affecting legislation worldwide.</p>
<p>by Richard Hollis December 16, 2009 &#8211; Orthus Ltd</p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/coming-to-a-theatre-near-you/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How much is your data worth?</title>
		<link>http://www.getsafeonlineblog.org/how-much-is-your-data-worth</link>
		<comments>http://www.getsafeonlineblog.org/how-much-is-your-data-worth#comments</comments>
		<pubDate>Fri, 11 Jul 2008 07:23:48 +0000</pubDate>
		<dc:creator>John Evelyn</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=231</guid>
		<description><![CDATA[Guest post by Dr. Guy Bunker, Chief Scientist &#38; Distinguished Engineer, Symantec Corporation I don’t mean how much are you worth, it’s more about your information, your ‘data’. Times have changed and while the average cyber-criminal is still after bank account details and credit card numbers, they are also targeting other information as well. In [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Guest post by <a href="http://www.viewfromthebunker.com">Dr. Guy Bunker</a>, Chief Scientist &amp; Distinguished Engineer, Symantec Corporation
<p>I don’t mean how much are you worth, it’s more about your information, your ‘data’. Times have changed and while the average cyber-criminal is still after bank account details and credit card numbers, they are also targeting other information. In fact, anything that you protect with a username and password is of interest to them. Why? The answer is simple: it’s all about money – to them. At Symantec we have a Global Intelligence Network which monitors the internet for spam, viruses and other malware; however, it also monitors some of the underground economy / black market traffic in data – your data. This information is published regularly in our Internet Security Threat Report, available from <a href="http://www.symantec.com">www.symantec.com</a>. Here are some of the findings on just how much your data is worth to someone else:
<p><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2008/07/image.png"><img style="0px" height="156" alt="image" src="http://www.getsafeonlineblog.org/wp-content/uploads/2008/07/image-thumb.png" width="392" border="0"></a>
<p>Of course, just like any other ‘business’, you can get volume discounts, so you can get 50 credit card numbers for $40 ($0.80 each) or 500 numbers for $200 ($0.40 each)!
<p>The latest ‘attacks’ are not just through email, but through web browsers and plug-ins and increasingly through social networking sites, so the next time you visit a site and it asks to install a plug-in, just do a quick check to see if the plug-in is legitimate – and that you really want it – there is more at risk than you might have imagined.</p>
<hr />
<p>Dr. Guy Bunker is a Distinguished Engineer at Symantec Corporation. He is responsible for technical strategy for the security and data management group and runs a number of research projects around data loss prevention and intelligent archiving. Guy has worked for Symantec (formerly VERITAS) for more than a decade in a number of different product divisions and roles. </p>
<p>He has been a member of a number of industry bodies driving standards in computer storage and management and is currently an active member of the Enterprise Privacy Group. Guy is a regular presenter at many conferences, including InfoSec, StorageExpo, Transformational Government, Internet Security Forum, RUSI’s Protecting The Critical National Infrastructure, IAAC, Enterprise Architecture and the Symantec user conference, Vision. </p>
<p>Guy has authored a number of books and is currently working on his latest “Data Leaks For Dummies” which is due to be published in early 2009.<br />Guy holds a PhD in Artificial Neural Networks from King’s College London, several patents and is a Chartered Engineer with the IEE.
<p>Guy’s blog on information security and availability can be found at: <a href="http://www.viewfromthebunker.com">www.viewfromthebunker.com</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/how-much-is-your-data-worth/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>eBay guest blogger</title>
		<link>http://www.getsafeonlineblog.org/ebay-guest-blogger</link>
		<comments>http://www.getsafeonlineblog.org/ebay-guest-blogger#comments</comments>
		<pubDate>Wed, 14 Nov 2007 16:18:08 +0000</pubDate>
		<dc:creator>John Evelyn</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=179</guid>
		<description><![CDATA[Meet the Team: Richard Ambrose Richard Ambrose took over from Garreth Griffith as Head of Trust and Safety (T&#38;S) at eBay UK on October 1st. What brought you to Trust and Safety? I’ve been at eBay for four years – I initially joined to manage the Collectibles category and I’ve been in ‘Finding’ for the [...]]]></description>
			<content:encoded><![CDATA[<p></p><p><b><a href="http://www.getsafeonlineblog.org/wp-content/uploads/2007/11/richard-ambrose.jpg"><img height="158" alt="Richard Ambrose" src="http://www.getsafeonlineblog.org/wp-content/uploads/2007/11/richard-ambrose-thumb.jpg" width="240" align="right" border="0"></a> Meet the Team: Richard Ambrose</b>
<p>Richard Ambrose took over from Garreth Griffith as Head of Trust and Safety (T&amp;S) at eBay UK on October 1<sup>st</sup>.
<p><b>What brought you to Trust and Safety?</b>
<p>I’ve been at eBay for four years – I initially joined to manage the Collectibles category and I’ve been in ‘Finding’ for the last couple of years. (Finding refers to the way people find items to buy on eBay and it has its own team inside the company.) I’ve always been very passionate about trust and safety and so I was delighted to get the chance to work with the team.
<p><b>Since you took over, what has been the biggest surprise about T&amp;S?</b>
<p>The global nature of all our challenges was the biggest surprise. Internet crime is a global issue and, unfortunately, there is a small body of professional criminals who attack eBay members in multiple countries. They always try to find the weakest link in our defences so it’s really important that we are consistent wherever we operate. The good news is that if one part of eBay comes up with a brilliant advance to protect members, we can roll it out globally very quickly.
<p><b>How does eBay work with the police?</b>
<p>We have a close relationship with law enforcement. We have an ongoing training course for police on how to investigate eBay reports and how to prosecute illegal activity on eBay. We have trained thousands of police officers to date. We make ourselves available to appear in court and provide witness statements for prosecutions, but we rely on customers to report crimes in the first place. We’ve seen a steady stream of prosecutions. So far this year, in the UK, we have helped secure 210 arrests and guilty verdicts in 69 different court cases. &nbsp;
<p><b>What are your priorities for the next year?</b>
<p>The bedrock is combating professional fraud. We want to make it difficult, risky, time-consuming and expensive for the tiny hardcore of professional criminals to operate on eBay. For example, we can try to stop them getting accounts on eBay in the first place and we can be quicker at identifying fraudulent listings.
<p>We often find that a majority of professional fraud exploits the misuse of unguaranteed payment mechanisms like Western Union or personal cheques. This is precisely why we have banned these payment types from eBay. Secure digital mechanisms like PayPal have much less risk.
<p>We’re experimenting with mandating the use of PayPal in certain areas where we think it will have a dramatic effect. For example, we required it to be offered as a payment option by anyone who wanted to list an Apple iPhone.
<p>We’ve also launched a telephone support line for our most frequent buyers and sellers. We expect to roll this service out to more people during 2008.
<p><b>How widespread is online fraud?</b>
<p>Luckily, the vast majority of eBay users don’t encounter it and have a very positive experience with us. 4m people in the UK visit eBay every day and the vast, VAST majority of their transactions are fun, good value and problem-free.
<p><b>What advice would you give customers?</b>
<p>My number one tip would be to drop the seller a note via the eBay site and ask them a question about the item. It’s pretty much the best way of establishing their bona fides. You can learn a lot from the tone, attitude, the speed and content of a seller’s reply to a question.
<p><b>What do you buy and sell on eBay?</b>
<p>I collect medieval coins. Last month I bought a very rare 11<sup>th</sup> century penny on the site. I was delighted with it. These things are very hard to find and eBay is where I get most of my collection.
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/ebay-guest-blogger/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Where to get help on eBay</title>
		<link>http://www.getsafeonlineblog.org/where-to-get-help-on-ebay</link>
		<comments>http://www.getsafeonlineblog.org/where-to-get-help-on-ebay#comments</comments>
		<pubDate>Wed, 14 Nov 2007 16:16:08 +0000</pubDate>
		<dc:creator>John Evelyn</dc:creator>
				<category><![CDATA[Guest bloggers]]></category>

		<guid isPermaLink="false">http://www.getsafeonlineblog.org/?p=176</guid>
		<description><![CDATA[Here at Get Safe Online, we sometimes get email from people who have had problems buying and selling on eBay. They sponsor Get Safe Online but we are separate organisations. Our resources are limited and we can&#8217;t offer individual advice or help. So we asked eBay for some tips about where to get help on [...]]]></description>
			<content:encoded><![CDATA[<p></p><p>Here at Get Safe Online, we sometimes get email from people who have had problems buying and selling on eBay. They sponsor Get Safe Online but we are separate organisations. Our resources are limited and we can&#8217;t offer individual advice or help. So we asked eBay for some tips about where to get help on their site. </p>
<blockquote><p>We’re conscious that there’s more we can do to make it easier for our members to get in contact with us and so we are currently in the process of trialling a phone support facility for some of our more frequent buyers and sellers. If successful, we will roll it out to more customers in future.
<p>However, there are still lots of ways to get in touch with eBay and get help if you have a problem:
<ul>
<li><b>Online help</b>. We have an extensive <a href="http://pages.ebay.co.uk/help/index.html">help library</a>. You’ll find solutions to many common problems
<li><b>Get in touch. </b>You can use our online contact system to <a href="http://pages.ebay.co.uk/safetycentre/contact.html?">report a problem</a>. Here, you can report a seller if your item was not received or not as described, submit an unpaid item dispute, and report any other problems you may have regarding your account
<li><b>Report suspicious emails.</b> If you get any suspicious emails purporting to be from eBay or PayPal you can immediately report them to <a href="mailto:spoof@ebay.co.uk">spoof@ebay.co.uk</a> or <a href="mailto:spoof@paypal.co.uk">spoof@paypal.co.uk</a>. Forward the entire email to us. We will reply promptly letting you know whether or not the email or website is fake or genuine<br />(eBay takes immediate action against spoof or phishing websites – through links with the companies that host them, 80% of fake sites that are reported to us are brought down within 24 hours and 90% are brought down within 48 hours)
<li><b>Report breaches of eBay’s listing policies. </b>At the bottom of every listing, there is a link where you can ‘report this item’ if you believe it may contravene our listing policies. Every single report made in this way is reviewed by our team in Dublin
<li><b>Community boards.</b> The <a href="http://pages.ebay.co.uk/community">Community Boards</a> on eBay are a useful way for members to share information and get advice from other members on a range of topics. Whether you’re looking for real beginner stuff such as how to list an item for sale or something more complex to do with running a business, you can get the answers from other community members on the boards. For those who are new to eBay we’d recommend you visit the ‘new to eBay’ discussion board </li>
</ul>
</blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.getsafeonlineblog.org/where-to-get-help-on-ebay/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

