Phishing and Pharming: A guide to avoid getting scammed online

Kathy | April 1, 2005

You just got an urgent e-mail from your credit card company or your bank requesting that you verify your login, or your user name and password. The e-mail says it is from accounts@citibank.com or auction@ebay.com or payments@paypal.com.

Hopefully by now you know that no trusted financial institution will ever e-mail you to request your user name and password or your mother’s maiden name. The best thing you can do is simply delete these phony messages. This technique of scamming people with fake e-mail is known as phishing. The name comes from using the e-mail as bait: if you (the phish) bite, you are reeled in and lured into providing personal details that can leave your finances vulnerable.

If phishing were not bad enough, a newer scam called pharming is so sneaky and potentially damaging that you must educate yourself before you enter any financial data online ever again.

Pharmers hijack domain name servers (DNS) and route you to a fake look-alike site that requests your login and password. For example, you type www.paypal.com into your Internet browser. The browser address bar shows www.paypal.com, but what you do not know is that some clever hacker has hijacked the domain name lookup for PayPal, so your browser is connecting to the impostor’s machine. Simply watching the address bar will not tell you that the site has been hijacked: the URL displayed and the look-alike financial site will both appear normal.

What should you do?
Besides running an up-to-date antivirus program and strong firewall, a little knowledge can go a long way.

Most financial sites run on secure servers (look for the closed lock icon at the bottom of your Internet browser), so if you want to visit www.paypal.com, type https://www.paypal.com instead. The https indicates a secure server, and by typing it you force the browser to go only to an SSL-enabled version of the Web site. If the PayPal site has been hijacked, your browser should issue a pop-up box alerting you that the site’s SSL certificate does not match the URL you typed, because the impostor’s server cannot present a trusted certificate for PayPal’s name. You, being very observant (and hopefully slightly paranoid), do not accept the certificate and abandon your attempt to visit the hijacked site. Use the telephone to call and alert the financial company.

Secure sites must have a digital certificate issued by a trusted third-party source such as Verisign or Thawte, and, to date, no widespread security problems have come from this side of Web security.

I found advice on CNET.com to make sure that your Web browser properly validates SSL certificates. Set the following options in Internet Explorer 6 (users of other browsers will find comparable settings somewhere in their browser configurations):

Tools > Internet Options
Advanced tab
Under the Security section, make sure these options are checked:
• Check for publisher’s certificate revocation
• Check for server certificate revocation
• Use SSL 3.0
• Warn about invalid site certificates

Make sure that the option “Use SSL 2.0” is not checked, because known weaknesses in the SSL 2.0 protocol can make it possible for a pharmer to defeat SSL certificate verification.
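The checks the column has walked through (the name in the certificate must match the URL you typed, the issuer must be a trusted authority, and the certificate must not be revoked) as an added example in Python, not code from the original column: a small model of a browser’s certificate validation run against constructed certificates for a genuine server and for an impostor reached through a pharmed DNS answer. The `Certificate` class, the authority name and the `.test` hostname are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-in for the parts of a server certificate a browser checks.
@dataclass
class Certificate:
    subject_cn: str                 # Subject Common Name
    san_dns: tuple = ()             # subjectAltName dNSName entries, if any
    issuer: str = ""                # issuing authority's name
    revoked: bool = False           # result of the revocation check (CRL/OCSP)

# Constructed list of authorities this "browser" trusts (placeholder name).
TRUSTED_ISSUERS = {"Example Trusted CA"}

def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive; a leading '*.' covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = hostname.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == hostname

def certificate_problems(cert: Certificate, typed_hostname: str) -> list:
    """Return the warnings a browser should raise for this certificate on this URL."""
    problems = []
    names = cert.san_dns or (cert.subject_cn,)   # SAN entries take precedence over CN
    if not any(dns_name_matches(n, typed_hostname) for n in names):
        problems.append("name mismatch")
    if cert.issuer not in TRUSTED_ISSUERS:
        problems.append("untrusted issuer")
    if cert.revoked:
        problems.append("certificate revoked")
    return problems

# Constructed certificates for the two servers the browser might reach.
GENUINE_CERT = Certificate("www.paypal.com", ("www.paypal.com", "paypal.com"),
                           issuer="Example Trusted CA")
# A pharmed DNS answer sends the browser to an impostor; it can only hold a
# certificate for a name it controls (constructed placeholder), not for www.paypal.com.
IMPOSTOR_CERT = Certificate("login.impostor.test", ("login.impostor.test",),
                            issuer="Example Trusted CA")

def visit(typed_hostname: str, dns_answer_cert: Certificate) -> str:
    """Model one https:// visit: OK only if every check passes."""
    problems = certificate_problems(dns_answer_cert, typed_hostname)
    return "OK" if not problems else "WARN: " + ", ".join(problems)

if __name__ == "__main__":
    print(visit("www.paypal.com", GENUINE_CERT))     # OK
    print(visit("www.paypal.com", IMPOSTOR_CERT))    # WARN: name mismatch
```

Python’s own `ssl` module performs the same hostname comparison automatically when a context created with `ssl.create_default_context()` is used, since it enables `check_hostname` by default.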

Please be safe out there in cyberspace.

Terrence O’Hanlon, CMRP, is the publisher of Reliabilityweb.com. He is the director of strategic alliances for the Society for Maintenance & Reliability Professionals (SMRP). He is also the event manager for CMMS-2005, The Computerized Maintenance Management Summit, on July 26-29, 2005 in Indianapolis, IN.

Internet Tip: Call me

If you get enough of your friends and family to download Skype (from Skype.com), a free Internet-based telephone-like service, you may never have to pay for telephone services again.

Mark Hill of Companion Products sent me the Skype.com link and I have been slashing my phone bill ever since. You can even make calls to people who are not in the Skype.com network for super low rates.

You do need a computer with a microphone and headset or a USB phone to make this service work. It works on Windows, Linux, Apple OS, and Pocket PC devices.

Please visit www.skype.com to download a copy and give me a call.

New Job Site

ReliabilityResumes.com offers free job postings for positions that seek maintenance and reliability professionals. The site offers a job description summary, requires that the detailed job description be posted at the employer’s Web site, and provides a link for job seekers to learn more.

Additional links are provided to larger job posting sites such as Monster.com (of Super Bowl fame) and Yahoo! Hotjobs.com. The site even offers resources for making sure that job seekers’ resumes represent them in the most professional light.

You can impress your boss or enhance your job search by sitting for the Certified Maintenance & Reliability Professional (CMRP) exam offered by SMRP. Earning CMRP certification demonstrates that you have the knowledge and more importantly the experience to be a reliability leader.
