Primer on Internet Security

As you're all now aware, your ICL Board has embraced the overwhelming advantages and efficiencies of publishing via the Internet rather than in print, and requires all new ICL members to have Internet access. This decision carries with it a need, one could argue even an obligation, to help members become educated in matters of Internet security. From time to time we read about individuals and even whole groups of people who have experienced "identity theft" when their personal information has been stolen. It is a common misconception that identity theft is a phenomenon exclusively, or mainly, confined to the Internet. There are just as many ways to have your identity stolen if you don't use a computer. In fact, with the safeguards now available, and the application of a little common sense, it is arguably less likely that your identity would be stolen online than in a non-electronic transaction. It is therefore appropriate for all current and future ICL members to devote some effort to improving their security awareness in both electronic and non-electronic transactions, and for those current ICL members without Internet access to acknowledge that avoiding the Internet does not guarantee protection from identity theft or other scams.

Avoiding Identity Theft

In order to steal your identity, thieves need your personal information (name, age, address, birthdate, Social Security number, passwords, bank account information, credit card numbers, and so on). One way they can do this is to break into the databases of third parties, such as your bank, credit card company, employer, or a vendor with whom you have entered into a transaction. There is not much you can do to prevent this other than withdraw completely from society, but these entities use extensive security measures to avoid compromise of their databases, so security breaches of commercial databases are relatively uncommon. (An article in the Statesman Journal on June 15, 2009 suggested that these security measures have been inadequate, but the fact remains that relatively few of the nation's 50 billion annual credit card transactions have been compromised. In my own experience, security at my credit card company has been excellent.)


I cannot overemphasize that you don't have to be using the Internet for your personal information to be stolen. Mail theft, loss or theft of a wallet or purse or credit card or checkbook, skimming of credit card information by a dishonest vendor employee to whom you give your credit card in the course of making a purchase, or giving personal information over the phone, can all allow your personal information to fall into the wrong hands. So, use a secure mailbox, shred unwanted documents that contain any personal or financial information, keep your personal effects secure, and check your credit card and bank statements carefully every month (the Internet allows you to check these statements as frequently as daily if you are paranoid). Use a credit card with your picture on the front (the Bank of America provides this service), and instead of signing the back of the card print "ASK FOR ID" on the signature line. Never give personal information over the phone unless you initiate the call. Avoid giving personal information using a cell phone or cordless phone, which are susceptible to eavesdropping. Check your credit report at the credit rating agencies (TransUnion, Experian, Equifax) every four months. You are allowed 3 free credit reports a year, so you can request a free report from one of the three rating agencies every four months. None of these measures can be called rocket science.

What specifically can you do to safeguard your personal information when you use the Internet?

  1. Do not reply directly to e-mails requesting ANY personal information.
    No legitimate organization should make requests for personal information by e-mail. If you receive an e-mail asking you to reply with personal information, even a threatening one that appears to be from the IRS or a collection agency, you should assume it is a scam (this type of scam is known as "phishing"). Phishing can be done in subtle ways, such as asking you to click on a link in the e-mail that takes you to a legitimate-looking web site where you enter the information. Never give out personal information by replying to e-mails or clicking on links in e-mails. Always exit from the e-mail, open your browser (Firefox, Safari, Chrome, Netscape, Internet Explorer, etc.), enter a known genuine URL (web site address) of the organization into the address line near the top of your browser window (if you don't know the URL, use Google to find it), and go to their web site independently. This is a little less convenient than using the link in the e-mail, but a lot safer. AND, whenever you enter personal information on a web site, be sure to check that the URL starts with https:// rather than http://, and that the image of a closed lock appears in the panel at the bottom of your browser window.

  2. Know whom you're dealing with.
    Be particularly cautious with e-mails from sources you don't personally know. Not all such e-mails are scams, but by using techniques such as those in the above paragraph, you can reduce your chances of opening a dialog with a scam artist.
  3. Be careful on social networking sites
    (Facebook, MySpace, Friendster, Classmates.com, hi5, LinkedIn, Plaxo, Twitter, etc., etc., ad nauseam). Limit the amount of personal information you post on such sites, and allow access only by people you know.
  4. Use available security measures.
    Implement the regular security updates provided by Apple, Microsoft, Mozilla, and other software companies for their operating systems, browsers and other software. Gmail even offers the option of automatically encrypting all your e-mail (you'll see https:// at the beginning of the Gmail URL if you make use of this free option). Some credit card companies allow you to generate a new, temporary credit card number for an individual purchase on the Internet, a number that can be used only for that specific purchase.
  5. Read about computer security.
    I have not read it myself, but "Computer Security for Dummies" is available from Amazon.com (and most likely from your local bookseller) for a modest investment (Amazon sells used copies for two bucks plus change). There are many other books, and articles in computer and financial magazines, as well as on the Internet, dealing with this topic.

  6. To learn more...
    about identity theft and what to do if you think your personal information has been stolen, go to: http://www.ftc.gov/bcp/edu/microsites/idtheft/ (the government's web site on this topic).
  7. Identity theft insurance
    is available for those who do not feel up to the challenge of protecting themselves from this hazard.

Avoiding "Malware" (Computer Viruses, Trojan Horses, etc.)

Safeguards against computer "malware" and online scams include items 1 through 4 in the list above, but here are some additional steps to consider:

  1. Choice of computer.
    Although there has been considerable debate about the reasons, Macintosh computers have far fewer problems with viruses and other malware than do Windows computers. One security expert has commented that a Windows computer is compromised within 20 minutes of being connected to the Internet. In 27 years of using Macintosh computers, I have never had my Mac's anti-virus software detect a virus on my Mac. The Internet is full of posts from Windows users such as "I need help my computer is infected." I've never seen such a post by a Mac user. The Macintosh operating system is based on Unix, a very mature, very secure operating system. In addition, there are fewer Macs than Windows computers. Hence Macs are less attractive targets for hackers.
  2. Buy and use anti-virus software
    for your computer, even if you use a Macintosh, and keep it current with the vendor's updates. (Macintosh users need anti-virus software to avoid passing viruses on to Windows computers.) Gmail automatically scans all e-mails and attachments for viruses. I use it most of the time. 

  3. Use the "firewall" included as part of Apple's and Microsoft's operating systems
    to reduce the chance of unauthorized access to your computer when you are online.
  4. Use strong passwords
    and keep them secure. Use a combination of letters and numbers and avoid words in the dictionary. The strongest passwords have a combination of upper and lower case letters and numbers. Never share your passwords with anyone.
  5. Avoid high risk sites.
    "Adult" sites, sites offering free screensavers, sites offering free software (though versiontracker.com is safe), are notorious for being sources of malware. Certain file sharing sites (which allow you to download music or movies for free) are also high risk. I have not had a problem with sites such as americangreetings.com and bluemountain.com, which offer free electronic greeting cards.

Avoiding Other Assorted Scams

  1. Use anti-spam filters.
    Many e-mail programs include spam filters which filter out the unsolicited "spam" (commercial offers) infesting the Internet. You can usually set your own filter level (none, weak, medium or strong) and even establish your own specific filters (such as accepting mail only from certain sources). Gmail used to be near perfect in filtering out spam. It became less effective during 2009, as spammers kept changing their messages to avoid filters, but since January 2010 it is once again highly effective. Spam is a much easier problem than viruses and Trojan horses, however, as spam is very easy to recognize and easy to dispatch into the trash.
  2. Before making any purchase on the Internet,
    do some research on the vendor. You can always find online customer reviews of reputable vendors. Never send cash, checks, or money orders to pay for an Internet purchase. Use only a credit card, or if possible, pay through PayPal (eBay's payment transaction subsidiary, which can also be used to pay for many non-eBay purchases). Using PayPal prevents the vendor from getting access to your bank or credit card information. Know the vendor's return policies before making a purchase (just as you should when buying in a store).
  3. Be careful on eBay.
    I have made many successful high-discount purchases on eBay, and have never been cheated, though I had a narrow escape once. The web sites of eBay and PayPal have much educational material about making your eBay transactions secure. If you buy only from sellers with high feedback scores (by itself not a perfect safeguard) plus follow the other recommendations on the eBay and PayPal web sites, you should be pretty safe. If a transaction goes bad, eBay and PayPal will often recover your funds or reimburse you, within certain limits which are described on their web sites.
  4. If it sounds too good to be true...
    it almost certainly is. Scam artists take advantage of the greed of many Internet users by offering prizes, sweepstakes winnings, a share in a decedent's estate, merchandise at ridiculously low cost and other "money for nothing" deals. Such e-mailed offers are virtually ALL scams. The classic example of this genre is the Nigerian scam, which has induced many Americans to give up huge sums in misguided and fruitless attempts to help a "distressed" Nigerian get money out of Nigeria in return for a share of the loot.

Summary

Now that ICL is making increasing, and in some instances exclusive, use of the Internet, and is requiring all new ICL members to have Internet access, it is important for members to become educated in matters of Internet security. This article provides basic steps we all can and should take to protect ourselves from the unscrupulous individuals who use the Internet to prey on the unwary and uninformed. While I am not a security expert, I am always available to help ICL members improve their Internet security awareness. With the relatively straightforward measures detailed above, and a certain amount of reading and self-education on the subject (isn't self-education what ICL is about?), one can look forward to a safe and productive Internet experience.

Peter Ronai
Director of Information Services