Phishing scams, in which hackers ask for personal information such as passwords, birthdates, and social security numbers, have a better success rate than one might think.
About 10 to 15 percent of people still respond to these scams, said Randy Marchany, information security officer in Virginia Tech's Information Technology (IT) Security Office and a nationally recognized computer-security expert.
Many users like to think that they're safe, surfing the Web while shielded by anti-virus software. Most of us think we know the basics to protect ourselves from identity theft. We safeguard our ATM PINs and don't download random files from strangers. But how safe are we, really?
Campus experts shed light on what's lurking in the dark recesses of the World Wide Web.
"Your password is your first line of defense," said Marchany. Once a hacker gains access to your password, he or she is the new you online. If a user has one password for multiple accounts, a great deal of data is at stake.
Marchany stresses a few basic concepts. One: Email providers will never (repeat, never) ask users for their passwords via email. Those emails that ask you to confirm your password or change it? Not legit.
France Belanger, a professor in the Pamplin College of Business specializing in IT security, said that one of the biggest mistakes people make is a low-tech one: writing their passwords on sticky notes.
Marchany recommends that users change their passwords regularly, at least once a year. At Virginia Tech, password changes have become mandatory. All Tech-account users were required to change their passwords by July 1 and must continue to change them at least annually.
"You'll never make [the password] so that it's uncrackable, but most programs are looking for the easiest ones they can get." Marchany noted that a strong password will contain letters, numbers, and symbols. He encourages users to choose a phrase, composition title, or a line from a poem or to randomly string family and friends' names together. Then, choose a syllable from each word in the phrase, and change a letter to a symbol or number: "Jumpin' Jack Flash" might become jump!nj@ckf1@sh.
Many people now make so much information about themselves public and accessible via social-networking sites that common and simple passwords, as well as secret questions (often used to confirm user identities should a user forget his or her password), are thin barriers between an account and hackers.
Consider many of these common answers to "secret" questions: mother's maiden name, the name of your elementary school, your hometown, or your anniversary. Much of this information is now available on Facebook, posted by you, a family member, or a friend. "If you post it on Facebook, don't make it your secret question," Marchany said.
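As an added illustration (not code from the article or from Virginia Tech's IT Security Office), the following Python reproduces the phrase-to-password recipe described above and then checks the result against the criteria the article states: letters, digits and symbols present, not a common password even once the character swaps are undone, and free of personal facts of the kind a hacker can read off a social-networking profile. The substitution map, the common-password list and the 12-character minimum are assumptions, not something the article specifies.

```python
import re
import string

# Assumed substitution map: the article's example swaps i->!, a->@ and l->1;
# o->0 is added here as an assumption so the reverse check can catch "p@ssw0rd".
SUBSTITUTIONS = {"i": "!", "a": "@", "l": "1", "o": "0"}
REVERSE_SUBSTITUTIONS = {v: k for k, v in SUBSTITUTIONS.items()}

# Constructed sample of common passwords; a real check would use a much larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value; the article gives no minimum length


def phrase_to_password(phrase: str) -> str:
    """Keep only the letters of the phrase, lowercase them, then apply the substitutions."""
    letters = re.sub(r"[^a-z]", "", phrase.lower())
    return "".join(SUBSTITUTIONS.get(ch, ch) for ch in letters)


def undo_substitutions(candidate: str) -> str:
    """Map symbols and digits back to letters, as password-cracking rule sets routinely do."""
    return "".join(REVERSE_SUBSTITUTIONS.get(ch, ch) for ch in candidate.lower())


def check_password(candidate: str, personal_facts=()) -> dict:
    """Report problems with a candidate password; an empty problem list means it passes."""
    problems = []
    if not any(c.isalpha() for c in candidate):
        problems.append("no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digits")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbols")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    plain = undo_substitutions(candidate)
    if plain in COMMON_PASSWORDS:
        problems.append("a common password once the substitutions are undone")
    for fact in personal_facts:  # e.g. hometown, school, names posted publicly
        fact_letters = re.sub(r"[^a-z]", "", fact.lower())
        if fact_letters and fact_letters in plain:
            problems.append(f"contains the personal fact {fact!r}")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    pw = phrase_to_password("Jumpin' Jack Flash")  # the article's own example phrase
    print(pw, check_password(pw))
    print(check_password(pw, personal_facts=["Jack"]))  # the name survives the swaps
```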
Janine Hiller, a Pamplin professor specializing in Internet law, noted that, in an increasingly connected society, people are far more willing to give away information about themselves.
"The one danger that we just don't recognize is that we're being numbed to giving away our information," added Belanger, the IT security expert. "We're asked to compromise between security/privacy and convenience/advantage." For example, users can save credit card information and addresses on retail websites, adding ease of use for future purchases and opportunities for discounts and special deals. Belanger advises consumers to remember that, in some situations, they can choose security over convenience.
Both Belanger and Marchany agree that updating software on a regular basis is one of the best forms of prevention. Indeed, you don't even have to click on a link or download a file to have your machine infected with viruses or malware.
"A more popular method of infecting machines these days is for hackers to attack the web code for advertisements on legitimate sites," said Marchany. A user visits a trusted website, such as The New York Times, but some of the information on that site is actually advertisements being pulled from advertiser code. Hackers replace legitimate ads with their own code, and the user's machine is infected simply by viewing the page.
Once on the machine, the virus or malware takes effect, recording keystrokes to capture usernames and passwords or searching for credit card or social security numbers.
The best prevention for these attacks, said Marchany, is to keep all software up to date and download all patches, which will ensure that any known vulnerability in a computer's operating system or software is dealt with.
What happens if your data is compromised? Unfortunately, "there's no magic legal button you can press," Hiller said. The Federal Bureau of Investigation, the National Security Agency, and the Federal Trade Commission websites offer information for victims of identity theft. The three major credit-reporting agencies are also required to investigate any complaints by consumers of errors on their credit reports, she noted.
Ultimately, the largest share of responsibility falls to the user to exercise caution on the Web, create passwords with care, judiciously share information, and be aware of the rapidly changing threats.