Positive Research Center


Protecting Money On The Internet. Five Tips To Secure Your Online Transactions

15 April 2019 - 18:53
Image credit: Unsplash

According to Positive Technologies research data, the security of financial applications keeps improving. Banks make serious investments in securing their products. As a result, attackers find it easier not to attack the banks themselves, but to go after bank clients and people shopping online.

Here are some useful tips from Positive Technologies experts to help you protect your money online.

Make transactions only using secure sites
A basic rule of online payment security is never to enter your card details on an untrusted site. If you have used a service for a long time and are confident it is safe, you can make a transaction, but stay cautious. For instance, check that the connection is encrypted: data must be transmitted over HTTPS, not plain HTTP. Keep in mind that HTTPS only guarantees that traffic is encrypted to whatever site you are connected to; a phishing site can use HTTPS too, so the padlock is necessary but not sufficient.

Attackers often create copies of trusted sites, and such copies sometimes rank higher in search results than the originals. That is why it is important to remember the exact URL of the resource you need and type it into your browser's address bar rather than reach it through a search engine. The best option is to bookmark your bank's site or the site where you make payments. Before any transaction, double-check the URL: it must not contain extra or substituted characters (a digit 1 in place of a lowercase l or capital I, for instance), and the domain must be the one you expect, not a longer domain that merely contains it.

Get a separate card for online shopping
Using your primary card for online shopping is a bad idea: if that card is compromised, attackers can steal a lot. It is better to use a separate card that holds only a small amount, ideally topped up right before the transaction. Another option is to set a daily spending limit for the card in your online banking settings; then, even if an attack succeeds, the attackers cannot take all your money at once.

Some banks let you create virtual cards for online shopping. If available, that is a good feature to use.

Beware of phishing
Financial institutions nowadays make serious investments in security: they run audits and deploy new software and hardware to detect attacks. As a result, attackers often find it easier to target bank clients than the bank itself.

One of the most effective forms of such attacks is phishing. Attackers send emails or messages to bank clients, allegedly from bank staff, and it is not always easy to tell at a glance that they are fake. Remember the key rule: if a message claims to come from your bank and asks you to do something, do not use the contact details in the message; call the number printed on the back of your card and ask the bank's staff to confirm the request.

Control security of your devices
In addition to phishing, attackers target bank clients' devices. To keep your computer and mobile devices secure, make a habit of never downloading files from untrusted sites, never following suspicious links, and never opening attachments from unknown senders.

When you install a new app, check the permissions it requests. If an ordinary game wants access to your contacts or to your SMS messages (where one-time banking codes arrive), ask yourself why its developers would need that.

Use antivirus on every computer and mobile device you use for online banking and shopping, and keep the operating system and applications on those devices updated. Attackers often get into a computer through vulnerabilities in outdated software; regular updates reduce the probability of such attacks.

Do not make online purchases from someone else's devices or over public Wi-Fi
Using someone else's computer for online payments is risky: there is no way to know what malware is present on a computer in a cybercafe, for instance. Do not log in to your online bank over public Wi-Fi either: an attacker on the same network, or running a rogue access point with a familiar name, can intercept or redirect your traffic.

How Not To Help Hackers: 4 Common Security Mistakes Of Office Workers

24 March 2019 - 20:28
Image credit: Unsplash
Cybercriminals increasingly target office staff, knowing full well that people are the weakest link in corporate defenses. Today we discuss the information security mistakes office workers make, and how to avoid becoming an unwitting accomplice to attackers compromising company infrastructure.

Carelessness when following a link
According to Positive Technologies research, the most effective social engineering technique in attacks on company staff is an email with a phishing link: in the study, 27 percent of users followed such links.

Employees are often careless when reading the URL of a link in a message. Attackers register domain names similar to those of well-known organizations or of a company's partners, often differing by only one or two characters, and host a fake site there that looks like the legitimate page. A careless user who lands on that site may hand over data that enables a successful attack on the user's company, such as the login and password for a corporate IT system. Antivirus software can block malicious attachments, but it offers no protection against a user who willingly discloses his or her password; multi-factor authentication at least limits what a stolen password alone is worth.

Solution: be vigilant and think before following links received by email. Check the sender's address, consider whether you are really the intended recipient, and verify that the URL in the message matches the domain of the company that actually owns the site (hover over the link to see where it really leads, since the link text can say anything). If in doubt, don't follow the link.
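The URL checks described here, and the same advice in the online-payments post above (type or bookmark the exact address, insist on HTTPS, watch for substituted characters), can be automated on the client. The following is an added example written for this page, not code from Positive Technologies; the bookmarked hosts, the confusable-character table, the sample links and the edit-distance threshold of 2 are all constructed assumptions.

```python
"""Classify a URL against a short list of bookmarked (trusted) hosts.

Added example for this page, not Positive Technologies code. TRUSTED_HOSTS,
CONFUSABLES and MAX_EDITS are illustrative assumptions.
"""
import unicodedata
from urllib.parse import urlsplit

# Stand-in for the user's bookmarks (constructed).
TRUSTED_HOSTS = {"bank.example", "shop.example"}

# Digits and symbols that attackers swap for visually similar letters.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})

# One or two edits covers most typosquats (assumption; tune for your own list).
MAX_EDITS = 2


def host_of(url: str) -> str:
    """Lowercase host of a URL with user:pass@, :port and a leading www. removed."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower()          # hostname drops credentials and port
    try:
        host = host.encode("idna").decode("idna")  # show punycode (xn--) labels as Unicode
    except UnicodeError:
        pass
    return host[4:] if host.startswith("www.") else host


def skeleton(host: str) -> str:
    """Collapse visually similar spellings: accents stripped, 1->l, 0->o, rn->m, vv->w."""
    ascii_form = unicodedata.normalize("NFKD", host).encode("ascii", "ignore").decode()
    return ascii_form.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> str:
    """Return 'trusted', 'plain-http', 'lookalike' or 'unknown' for the URL's host."""
    scheme = urlsplit(url if "://" in url else "https://" + url).scheme.lower()
    host = host_of(url)
    for trusted in TRUSTED_HOSTS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted" if scheme == "https" else "plain-http"
    for trusted in TRUSTED_HOSTS:
        if trusted in host:                            # brand embedded in a foreign domain
            return "lookalike"
        if skeleton(host) == skeleton(trusted):        # homoglyph or digit substitution
            return "lookalike"
        if edit_distance(host, trusted) <= MAX_EDITS:  # typosquat
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing message.
    for link in ["https://bank.example/login", "http://bank.example/login",
                 "https://bank.examp1e/login", "https://bank.example.login-secure.tld/",
                 "https://bank.example@evil.tld/", "https://b\u0430nk.example/"]:
        print(f"{classify(link):11} {link}")
```

Note the two cases that a quick glance misses: `bank.example@evil.tld` actually goes to `evil.tld` (everything before `@` is a username), and the Cyrillic `а` in `bаnk.example` is a different domain that renders identically in most fonts; both are caught because the check works on the parsed host, not on the text of the link.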

Downloading suspicious files
Another common method of penetrating corporate infrastructure is sending messages with malicious attachments. When someone downloads and opens such a file, it installs malware or a backdoor on the victim's computer, giving the attacker full control of that machine and a foothold from which to spread through the infrastructure.

Attackers play on fear, greed, hope and other emotions to make their attacks more effective, using subject lines like "list of staff to be discharged" or "annual bonus payment". Curiosity about how much a colleague earns, or fear of being fired, can be powerful enough to make someone forget basic security rules. In an experiment conducted by Positive Technologies, almost 40 percent of mock phishing emails with "layoffs" in the subject line prompted users to take a potentially dangerous action.

Users who receive a suspicious file not only open it but often forward the message to colleagues, for instance to the IT department to ask whether it is safe. Because the colleagues know the sender, they open the file too, and the malware quickly spreads through the company's infrastructure.

Solution: as with phishing links, counter emails with malicious attachments by staying vigilant. Never download and run files from unknown senders, no matter how intriguing the file name sounds, and do not ignore antivirus warnings. If a file seems to come from a known sender but was not expected, confirm with that person through another channel before opening it.
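The attachment tricks this section warns about (double extensions such as .pdf.exe, macro-enabled Office files, a file whose name says one thing and whose bytes say another) are mechanical enough to triage before a user decides. The following is an added example written for this page, not Positive Technologies code: the e-mail is constructed with the Python standard library, and the extension lists and rules are a common baseline, not a vendor policy.

```python
"""Triage attachments in a message before anyone opens them.

Added example for this page, not Positive Technologies code. The message is
constructed and the risk rules are a baseline (assumptions), not a vendor policy.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions that run code or macros when opened (assumption: tune per environment).
EXEC_EXT = {"exe", "scr", "com", "js", "jse", "vbs", "hta", "bat", "cmd", "ps1", "lnk", "iso"}
MACRO_EXT = {"docm", "xlsm", "pptm", "dotm", "xltm"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RTLO = "\u202e"   # right-to-left override: makes 'annex\u202efdp.scr' display as 'annexrcs.pdf'


def risk_of(filename: str, payload: bytes) -> list[str]:
    """Reasons an attachment looks dangerous; an empty list means no rule fired."""
    reasons = []
    name = filename.lower()
    exts = name.split(".")[1:]               # 'layoffs.pdf.exe' -> ['pdf', 'exe']
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        reasons.append(f"executable extension .{last}")
    if last in MACRO_EXT:
        reasons.append(f"macro-enabled Office document .{last}")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT | MACRO_EXT:
        reasons.append("double extension ." + ".".join(exts[-2:]))
    if RTLO in filename:
        reasons.append("right-to-left override hides the real extension")
    # Look past the name at the bytes: a PE binary starts with 'MZ', a PDF with '%PDF'.
    if payload.startswith(b"MZ") and last not in EXEC_EXT:
        reasons.append("Windows executable (MZ header) under a non-executable name")
    if last == "pdf" and not payload.startswith(b"%PDF"):
        reasons.append("named .pdf but content is not a PDF")
    return reasons


def triage(raw: bytes) -> dict[str, list[str]]:
    """Parse a raw RFC 5322 message and map each attachment name to its risk reasons."""
    msg = message_from_bytes(raw, policy=policy.default)
    report = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_content()
        if isinstance(payload, str):         # text/* parts come back decoded to str
            payload = payload.encode()
        report[name] = risk_of(name, payload)
    return report


def build_sample_message() -> bytes:
    """Constructed phishing-style e-mail with three attachments (sample data only)."""
    msg = EmailMessage()
    msg["From"] = "hr@corp.example"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "List of staff to be discharged"
    msg.set_content("Please review the attached list before Monday.")
    # A Windows executable wearing a .pdf.exe double extension.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="octet-stream", filename="layoffs.pdf.exe")
    # A macro-enabled workbook; real .xlsm files are ZIP containers ('PK').
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 60, maintype="application",
                       subtype="vnd.ms-excel.sheet.macroenabled.12", filename="bonus.xlsm")
    # A genuine (minimal) PDF that no rule should flag.
    msg.add_attachment(b"%PDF-1.7\n%%EOF\n", maintype="application",
                       subtype="pdf", filename="policy.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in triage(build_sample_message()).items():
        print(name, "->", reasons or "no rule fired")
```

The rules deliberately look at both the name and the first bytes: a file called report.pdf that starts with MZ is a Windows executable whatever the icon shows, which is the kind of mismatch an antivirus signature may miss but a user should never have to judge.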

Carelessness when speaking on the phone
Internet-based attacks are not the only way to fool gullible office staff: intruders often use a phone call as a means of social engineering. Attackers call company employees posing, for instance, as colleagues from IT support, and elicit sensitive information or pressure the person into an action the attacker needs to launch an attack.

A classic example is a call early on Sunday morning demanding that someone come to the office immediately. Few people are happy to go, and some cannot, so the caller suggests they simply hand over their password so that an "expert" can take care of everything. Many people are happy to oblige.

Solution: under no circumstances provide confidential data over the phone. If "someone from the IT department" calls and asks for your password, that alone should raise suspicion: real IT staff never need a user's password to do their job, because they can reset it or act with their own administrative rights.

Use of public Wi-Fi networks for work
Another popular way of stealing confidential data is through public Wi-Fi networks. Attackers can set up a lookalike of a popular public network operating near the company's office.

The names (SSIDs) of such fake access points are chosen to look like legitimate ones. If a user's device is set to connect automatically, it is very likely to join the fake access point, and if the employee uses his or her phone for work or sends important data from it, the attackers can capture that data.

Solution: avoid using public Wi-Fi to reach corporate resources without a VPN. If for some reason you cannot use a VPN but really must log on right now, at least make sure the access point uses WPA2 (or WPA3) encryption: your device shows such networks with a lock icon and asks for a password, whereas an open network accepts any client. Bear in mind that this encryption only protects the air link; it does not protect you from whoever operates the access point, which is exactly what the VPN is for. It is also wise to turn off automatic connection to public networks.
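The auto-connect failure mode described above can be checked on the client side: a device should only rejoin a saved network when the radio (BSSID) and the security type match what it saw when the profile was saved, and it should treat a near-miss name as a warning. The following is an added example written for this page, not Positive Technologies code; the saved profiles and the scan results are constructed, and the auto-join rule is a suggested policy, not something the post prescribes.

```python
"""Audit a Wi-Fi scan for access points that imitate networks a device would auto-join.

Added example for this page, not Positive Technologies code. SAVED and SCAN are
constructed; on a real machine they would come from the OS (for example the
output of `nmcli dev wifi list` on Linux).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    ssid: str       # the advertised network name, which anyone can copy
    bssid: str      # the radio's MAC address, what the client actually associates with
    security: str   # 'open', 'WPA2' or 'WPA3'


# Constructed: networks this laptop has saved and would join automatically.
SAVED = {
    "CafeCorner":   {"bssids": {"a4:11:22:33:44:01"}, "security": "WPA2"},
    "Office-Guest": {"bssids": {"a4:11:22:33:44:10", "a4:11:22:33:44:11"}, "security": "WPA2"},
}

# Constructed scan near the office; two of the five entries are rogue.
SCAN = [
    AccessPoint("CafeCorner",   "a4:11:22:33:44:01", "WPA2"),
    AccessPoint("Office-Guest", "a4:11:22:33:44:10", "WPA2"),
    AccessPoint("Office-Guest", "de:ad:be:ef:00:01", "open"),   # evil twin: same name, no encryption
    AccessPoint("Office Guest", "de:ad:be:ef:00:02", "WPA2"),   # near-miss spelling of a saved name
    AccessPoint("Neighbour",    "c0:ff:ee:00:00:01", "WPA3"),
]


def normalise(ssid: str) -> str:
    """Fold case and drop separators so 'Office Guest' and 'Office-Guest' compare equal."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def should_autojoin(ap: AccessPoint, saved: dict) -> bool:
    """Join only a saved name from a known radio with the expected security (BSSID pinning)."""
    profile = saved.get(ap.ssid)
    return (profile is not None
            and ap.bssid in profile["bssids"]
            and ap.security == profile["security"])


def audit(scan: list, saved: dict) -> list:
    """Return (bssid, reason) pairs for access points a device must not join automatically."""
    findings = []
    for ap in scan:
        profile = saved.get(ap.ssid)
        if profile is not None:
            if ap.bssid not in profile["bssids"]:
                findings.append((ap.bssid, f"'{ap.ssid}' advertised by an unknown radio"))
            if ap.security != profile["security"]:
                findings.append((ap.bssid, f"'{ap.ssid}' offers {ap.security}, "
                                           f"saved profile expects {profile['security']}"))
            continue
        for name in saved:
            if normalise(name) == normalise(ap.ssid):
                findings.append((ap.bssid, f"'{ap.ssid}' imitates saved network '{name}'"))
    return findings


if __name__ == "__main__":
    for bssid, reason in audit(SCAN, SAVED):
        print(bssid, reason)
    for ap in SCAN:
        print(ap.ssid, ap.bssid, "auto-join" if should_autojoin(ap, SAVED) else "do not auto-join")
```

Pinning the BSSID raises the bar but is not a complete defence: a BSSID is just a broadcast MAC address and a determined attacker can clone it too, and a rogue access point can offer WPA2 with the same widely shared guest password. That is why the VPN, which protects the traffic regardless of which access point carries it, remains the primary control.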

Insecure password storage
An attack is not always launched from outside. In many cases confidential data is stolen by an internal attacker, and according to a study by Positive Technologies, 100 percent of such attacks result in full control over the network. Employees contribute to this through poor password handling. Many companies have recently introduced password policies that require users to change their passwords regularly and make them sufficiently complex, but many people do not want to memorize a complex password and instead write it on a piece of paper kept next to their computer. An attacker who reaches that desk then has easy access to the employee's account.

Solution: never keep passwords in cleartext. A password manager is the practical answer: you memorize one strong master password and it stores the rest encrypted. If you still want to write something down, use the method suggested by Bruce Schneier and write clues that help you recall the password rather than the password itself.

The human factor is one of the main issues in securing corporate systems. Attackers increasingly choose to slip into the corporate network by attacking employees rather than breaking into the infrastructure directly from outside the perimeter.

To keep attackers out of your company's infrastructure, follow the basic information security rules: do not follow suspicious links, be careful with email attachments, do not give out important information over the phone, and do not store passwords in cleartext.