Keeping your personal information personal

rog_london

Esteemed Pedelecer
Jan 3, 2009
764
2
Harrow, Middlesex
Fordulike mentioned that it would be wise to keep personal information away from the eyes of the world at large when on-line - and I've seen what can happen when people get careless:

Computers are a significant part of how I earn my living - and I'm well aware of just how easy it is to come a cropper through even mild carelessness. I've extricated friends from some truly nightmarish situations they've got themselves into, usually by just a careless mouse click while the brain was in neutral.

I shudder to think how many computers end up in the cupboard under the stairs because they've got infected and the owners don't know how to deal with the situation, don't fancy trusting to the tender mercies of PC World, and either give up altogether or end up buying new when they should never have been in that situation.

Anyone wishing to defraud on a grand scale can do it on-line far more effectively, and with much less effort, than in almost any other area. Harvesting personal information can be done automatically and anonymously from wherever it might be found. Correlating that information from different sources is also easily done and with little knowledge of the techniques required - there are 'suppliers' of all the software a crook might need for a fraction of the revenue which might subsequently be made.

The less of your personal information you release on-line the better. Don't reveal any part of your address, family or friends' names, phone numbers, birth dates, or any other connections however tenuous. Social networking sites in particular are dangerous places because just chatting to people creates a trail of your footprints which can be followed.

A reputable website will not attempt to make you reveal any crucial information when you register, although there is usually somewhere where you can tell other members about yourself. Resist the urge to fill in such a profile, as it's most likely the other members won't be interested, but people who have designs on your identity probably will.

Rog.
 

flecc

Member
Oct 25, 2006
52,763
30,349
Naturally the most important aspect is protecting your money held in banks etc. If you use the right software and banking institution, theft becomes impossible unless you release all your banking log-on information and password.

If you don't already have the extra protection, in addition to the usual up-to-date anti-virus, spyware and firewall software, you need to make it impossible for any other internet access to connect into what you are doing with your banking.

To do that, check that your bank or other financial institution supports the Trusteer Rapport software, most good organisations do, then download it from the link below and install it.

What it does when you connect to your bank etc is lock down your communication in a "tunnel" which can't allow anyone else in, so everything you do when logging in and transacting is "blind" to the rest of the internet. This function is automatic the moment you connect to the bank online, no additional separate log-in is necessary. This prevents any phishing such as password reading.

I've been using it for a long time now and have suffered no bugs or blocks, but if it's found to block access to any particular site, it can be switched off and will restart either manually or the next time the computer boots. Read about it here:

Trusteer Rapport protection
 

allen-uk

Esteemed Pedelecer
May 1, 2010
909
25
Slightly off the subject: Passwords.

It is rumoured that there are computer programs that can easily crack alpha-numeric passwords of up to 16 characters. Is this true, and if so is it just a question of using an 18-20 length one to confound the code-breakers?

The other thing is this: in 'phrase' passwords, such as the initial letter of well-known phrases, I have used figure 1 for letter I, in an attempt to fog them. Is this worth doing, or just a waste of time? (For instance, Have I Got News For You = h1gnfy).

Allen
 

flecc

Member
Oct 25, 2006
52,763
30,349
Programs can crack much longer alpha-numeric passwords, but it's a question of time: the longer the mix, the longer it takes.

Number substitution is definitely worth it, and even better is symbol substitution like " $ % ^ & * ( @ : /.

Another dodge I use is to mix languages and alphabets with symbols and numbers, for example you could use an Italian/German combination word partly spelled with Cyrillic alphabet characters, H instead of N and C instead of S for example. Moscow in Russian is MOCKBa for example.

What all these do is make life difficult for those programs that work on likely combinations.
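The exchange above turns on two different ways a guessing program can work, and it helps to put numbers on both. This is an added illustration, not code from the thread: it estimates the worst-case cost of an exhaustive search over a password's character set and length (flecc's "longer mix takes longer"), and separately the cost of a dictionary-plus-rules guesser that undoes digit and symbol substitutions before comparing, which is what decides whether a trick like "h1gnfy" adds anything. The guess rate, the substitution table, the word list and the rules-per-word figure are all constructed for the example; real figures depend on what is being attacked.

```python
import math
import string

# Constructed guess rate for illustration only (guesses per second); real rates depend on
# the hash being attacked and the hardware, and an online login form allows far fewer.
GUESS_RATE = 1e9

# Constructed subset of the substitutions a dictionary-plus-rules guesser undoes automatically.
LEET = str.maketrans({"1": "i", "3": "e", "4": "a", "0": "o", "5": "s", "7": "t", "@": "a", "$": "s"})


def charset_size(password: str) -> int:
    """Size of the smallest standard character-class mix that covers the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def brute_force_guesses(password: str) -> int:
    """Candidates an exhaustive search must cover for this charset and length (worst case)."""
    return charset_size(password) ** len(password)


def entropy_bits(num_guesses: int) -> float:
    """Worst-case search space expressed in bits."""
    return math.log2(num_guesses)


def seconds_to_exhaust(num_guesses: int, rate: float = GUESS_RATE) -> float:
    """Time to try every candidate at the given guess rate."""
    return num_guesses / rate


def normalise(password: str) -> str:
    """Undo the mangling a rule-based guesser applies: drop trailing digits/symbols,
    map common substitutions back to letters, and ignore case."""
    base = password.rstrip(string.digits + string.punctuation)
    return base.translate(LEET).lower()


def dictionary_guesses(password: str, wordlist: set, rules_per_word: int = 1000):
    """Upper bound on guesses a dictionary-plus-rules attack needs when the password is a
    listed base word under one of rules_per_word mangling rules; None if the base word
    is not in the list, so that attack never reaches it."""
    if normalise(password) in wordlist:
        return len(wordlist) * rules_per_word
    return None


def assess(password: str, wordlist: set) -> dict:
    """Both cost models side by side for one password."""
    brute = brute_force_guesses(password)
    return {
        "charset": charset_size(password),
        "length": len(password),
        "brute_force_bits": round(entropy_bits(brute), 1),
        "brute_force_seconds": seconds_to_exhaust(brute),
        "dictionary_guesses": dictionary_guesses(password, wordlist),
    }


if __name__ == "__main__":
    # Constructed word list: two ordinary words plus one initialism of a well-known phrase.
    WORDS = {"lisa", "password", "hignfy"}
    # The last entry is a constructed 20-letter initialism, the kind of passphrase discussed later.
    for pw in ["lisa40", "h1gnfy", "H1gnfy!", "tfsosslhtlrsrtcwthab"]:
        print(pw, assess(pw, WORDS))
```

The two models give opposite verdicts on "h1gnfy": exhaustive search over 36 characters to length 6 is about 31 bits, but the normaliser maps it straight back to the listed initialism, so a rules-based guesser reaches it after a few thousand tries. Length is what moves the exhaustive-search figure; a 20-letter lowercase initialism is around 94 bits even before any substitutions, and it is not reachable through the word list at all.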
 

rog_london

Esteemed Pedelecer
Jan 3, 2009
764
2
Harrow, Middlesex
If you'd like some idea of what is easily possible, google 'ophcrack'. It's a (mostly) free Windows password cracker. Take particular note of the demo offer. It can crack an XP password up to 14 characters long containing mixed-case alphabetic, numeric, and special punctuation characters. I've used it on simpler passwords (legitimately) and I can vouch for the fact that it usually works in next to no time on a typical moderately specified PC. The password 'lisa40' (without the quotes) took about 20 seconds once the free table had loaded, and I used a Linux bootable CD with the application and tables on it. XP itself was never booted in order to extract the password.

For your information, Windows passwords are not stored (not since W95 anyway) and when you specify a Windows password a non-secret one-way algorithm is used to create a hash function, which IS stored. To gain access after that, you need to recreate that hash function - and you can't get back from it to the password which created it. It sounds secure until you see what Ophcrack can do.

Ophcrack isn't the only cracker out there either.

Just to make you feel a little better, a website is rather more secure than you might think as long as you use a 'good' password. That's because a cracker doesn't have access to the hash function or any other information, and there's usually a limit to the number of 'guesses' allowed, apart from the fact that executing each guess can take at least a few seconds.

Rog.
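Rog's two points, that a stored hash can be attacked offline with precomputed tables but that a website limiting its guesses is much safer, come down to how the hash is stored and how login attempts are policed. The block below is an added example, not code from the thread or from any product it mentions: it contrasts an unsalted fast hash (identical for every user who picks the same password, so one precomputed table serves every account) with a per-user random salt and a deliberately slow key derivation, and adds a small online guess limiter of the kind a site uses. The iteration count, lockout values and sample passwords are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ITERATIONS = 600_000  # PBKDF2 work factor: every guess, legitimate or not, costs this many SHA-256 rounds


def unsalted_hash(password: str) -> str:
    """Plain one-way hash with no salt. Same password, same hash, for every user on every
    machine, which is exactly what lets a precomputed table answer the lookup in seconds."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store a random per-user salt plus a slow salted hash; the password itself is never kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify(password: str, record: dict) -> bool:
    """Recompute the salted hash for the offered password and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["digest"])


class LoginGuard:
    """Online guess limiter: after max_attempts consecutive failures an account is locked
    for lockout_seconds, so the 'few seconds per guess' Rog mentions becomes a hard ceiling."""

    def __init__(self, max_attempts: int = 5, lockout_seconds: int = 300):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> unix time at which the lock expires

    def attempt(self, username: str, password: str, records: dict, now: Optional[float] = None) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injectable so behaviour is testable."""
        now = time.time() if now is None else now
        if self.locked_until.get(username, 0) > now:
            return "locked"
        record = records.get(username)
        if record is not None and verify(password, record):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
        return "denied"


if __name__ == "__main__":
    # Constructed sample: the same weak password chosen by two different users.
    print("unsalted hashes identical:", unsalted_hash("lisa40") == unsalted_hash("lisa40"))
    first, second = make_record("lisa40"), make_record("lisa40")
    print("salted digests identical:", first["digest"] == second["digest"])
    guard = LoginGuard(max_attempts=3)
    users = {"alice": first}
    for pw in ("lisa41", "lisa42", "lisa43", "lisa40"):
        print(pw, guard.attempt("alice", pw, users))
```

Salting does not make any single guess harder; it removes the shortcut of computing the table once and reusing it, so every account has to be attacked from scratch. The slow derivation then makes each of those guesses expensive, and the limiter caps how many an outsider can make through the login form at all.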
 

allen-uk

Esteemed Pedelecer
May 1, 2010
909
25
Thanks Rog, interesting.

Is there a similar program out there for Apple Mac users? (i.e. which cracks or attempts to crack Mac OS passwords - not that I have any I need to crack, but it'd be interesting to see how secure some of my long ones are. I tend to use the first 20 or so words of a song, or rather just the initials of the words, so there's no real way of a machine 'guessing' the bizarre sequences).

Come to think of it, I know the first paragraphs of some classic novels, too (off by heart), so as long as you really DO have a good memory, it seems a useful method.

Allen
 

rog_london

Esteemed Pedelecer
Jan 3, 2009
764
2
Harrow, Middlesex
> Thanks Rog, interesting.
>
> Is there a similar program out there for Apple Mac users? (i.e. which cracks or attempts to crack Mac OS passwords - not that I have any I need to crack, but it'd be interesting to see how secure some of my long ones are. I tend to use the first 20 or so words of a song, or rather just the initials of the words, so there's no real way of a machine 'guessing' the bizarre sequences).
>
> Come to think of it, I know the first paragraphs of some classic novels, too (off by heart), so as long as you really DO have a good memory, it seems a useful method.
>
> Allen
I don't know about the Apple operating system. It depends on whether there's much demand. If you were going to write a password cracker app you'd probably be thinking of maximum coverage, so as usual, Windows is best served.

You might well use a long phrase and that's probably the best safeguard, but for everyone who does that there will be many, many more who use short passwords because they think 'it' will never happen to them.

In my experience the ones who manage to forget or otherwise lose a password are usually using something with no more than eight characters, and mostly it's just a word which might be readily found in an English dictionary.

It's also as well to be aware that passwords can be 'acquired' as they're being typed - the password is not encrypted at the point where it's being typed in to gain access. That's why even a long phrase might not give you total security if you are otherwise careless. The sort of situation I'm thinking of is Internet cafes, public WiFi, and hotel connections.

Rog.
 

allen-uk

Esteemed Pedelecer
May 1, 2010
909
25
Good advice, Rog, thanks. Another good reason for avoiding internet cafes, public wifi, and hotel connections!

Allen.
 

flecc

Member
Oct 25, 2006
52,763
30,349
But as I pointed out above, no acquiring is possible using the Trusteer Rapport program for financial transactions, since the password entry follows the bank site first access and is within lockdown.

In all other situations, using symbols and the like is well worthwhile since it delays the password cracking function. As Rog says, only limited time is available for cracking so any delay you provide is worthwhile.
 

allen-uk

Esteemed Pedelecer
May 1, 2010
909
25
I did glance at the Rapport site, but couldn't find my own bank there (Smile - the Co-operative Bank).

A
 

flecc

Member
Oct 25, 2006
52,763
30,349
> I did glance at the Rapport site, but couldn't find my own bank there (Smile - the Co-operative Bank).
>
> A
That's a pity, it seems to be the only leading UK bank not to use Rapport.

Ironically Rapport protects it though, since when I tried to visit your bank log-in page, Rapport wouldn't even let me see it! :rolleyes:
 

flecc

Member
Oct 25, 2006
52,763
30,349
True Rog, though not in my sight for many years for a couple of good reasons, probably why the blind spot. :)

Still think the Rapport software or similar is the answer to bank security though.
 

rog_london

Esteemed Pedelecer
Jan 3, 2009
764
2
Harrow, Middlesex
I'm always a bit wary of single-company proprietary security systems - the word 'complacency' springs to mind. Naturally they think their system is the finest in the world.

Barclays have a few tricks of their own, which may be of interest:

If you wish to avail yourself of online banking, in order to make transactions they issue you with a free 'pinsentry' device. You put your debit card into it, and enter your PIN. Assuming your PIN has been correctly entered, the device then uses your PIN, along with (I assume) the time and date and a one-way algorithm to generate an eight-digit code which you enter into the web page.

The code is different every time, and can only be used once and immediately. Even if you're using an insecure connection and you are being watched it won't do the watcher any good.

A similar system is used in the branch if you want to carry out a transaction - the teller enters his/her unique code into a pinsentry device, and then inserts your debit card. These are passed to you so you can enter your PIN. When PIN CORRECT has been displayed, you pass them back, and the teller uses the unique eight-digit code to authorize the transaction. Once again, very secure.

All pinsentry devices are identical. You can use any one available to generate your code.

Barclays are listed by 'Which?' as being the most secure on-line banking service. I won't comment on other aspects of their service as they have historically been somewhat difficult when it comes to customer relations, but you can't fault their on-line security.

Oh, one other thing - they give you free Kaspersky security suite for up to three computers if you feel you need it....

Rog.
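The property Rog describes for the PinSentry device, a code that changes every time and is accepted once, so that a watcher on an insecure connection gains nothing, is the defining property of a one-time code. The block below is an added model of that behaviour, not Barclays' code and not a description of PinSentry's real algorithm (which the post itself only guesses at): it assumes an HMAC over the current time window with a per-card secret, a PIN check on the reader that never sends the PIN anywhere, and a bank-side verifier that remembers which windows an account has already used so a replayed code is rejected. The secret, PIN, window width and account name are constructed for the example.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # assumed width of the time window a code stays valid for
DIGITS = 8          # matches the eight-digit code described in the post


def one_time_code(secret: bytes, window: int) -> str:
    """Truncate an HMAC of the window counter to DIGITS decimal digits (HOTP-style dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** DIGITS:0{DIGITS}d}"


class Reader:
    """Stand-in for the customer-side device: unlocks with the PIN, then derives a code from
    the card secret and the current time window. The PIN and the secret never leave the device."""

    def __init__(self, card_secret: bytes, pin: str):
        self._secret = card_secret
        self._pin_hash = hashlib.sha256(pin.encode()).digest()

    def generate(self, pin: str, now: Optional[float] = None) -> Optional[str]:
        offered = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(offered, self._pin_hash):
            return None  # wrong PIN: no code is produced, nothing to type into the web page
        now = time.time() if now is None else now
        return one_time_code(self._secret, int(now // STEP_SECONDS))


class Verifier:
    """Bank side: holds each account's card secret, accepts a code for the current window
    (plus one either side for clock drift) and records used windows so a replay fails."""

    def __init__(self):
        self._secrets = {}
        self._used = set()  # (account, window) pairs already consumed

    def enrol(self, account: str, card_secret: bytes) -> None:
        self._secrets[account] = card_secret

    def accept(self, account: str, code: str, now: Optional[float] = None) -> bool:
        secret = self._secrets.get(account)
        if secret is None:
            return False
        now = time.time() if now is None else now
        current = int(now // STEP_SECONDS)
        for window in (current - 1, current, current + 1):
            if (account, window) in self._used:
                continue  # already spent: a captured code is worthless even inside its window
            if hmac.compare_digest(code, one_time_code(secret, window)):
                self._used.add((account, window))
                return True
        return False


if __name__ == "__main__":
    SECRET = b"constructed-card-secret-not-real"  # constructed sample key
    reader = Reader(SECRET, "1234")
    bank = Verifier()
    bank.enrol("alice", SECRET)
    t = 1_700_000_000.0
    code = reader.generate("1234", t)
    print("code:", code)
    print("first use accepted:", bank.accept("alice", code, t))
    print("replay accepted:", bank.accept("alice", code, t + 5))
```

Two details carry the security claim. The code depends on a secret the watcher never sees, so observing codes does not let them produce the next one; and the verifier marks a window as spent on first acceptance, so the code the watcher did see cannot be submitted a second time.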
 

Sevenhills

Pedelecer
Feb 5, 2010
35
0
Hi

I had over £1,000 debited from my Nationwide account, fully refunded by Nationwide.
Can you imagine how many people would close their online account if they were not safe? My number was gained as a result of payment for fuel; using ceiling video cameras. It was in the local papers.
 

Scimitar

Esteemed Pedelecer
Jul 31, 2010
1,772
40
Ireland
> I've been using it for a long time now and have suffered no bugs or blocks, but if it's found to block access to any particular site, it can be switched off and will restart either manually or the next time the computer boots. Read about it here:
>
> Trusteer Rapport protection

That looks very useful. I've downloaded it and find it offers protection for bank sites not on its list, as a general armour plate. Cheers.
 
