In the endless debates about Mac security (is the Mac platform inherently safer than Windows? What security measures should Mac users take?), one point is often overlooked: the biggest chink in computer security isn’t necessarily in the computer itself. Rather, the weak spot is often the computer operator; in other words, you.
Gullibility, greed, momentary lapses in attention, and other human frailties can all be easier to exploit than any vulnerability in computer code. That means that, while your Mac and iPhone can indeed be vulnerable, there are things you can do to keep them safe.
In the days that follow, I’ll explain the 13 security threats that I think owners of Macs and iPhones really do need to worry about. For each of them, I’ve got advice on how to avoid being victimized. First up: scams, fraud, and financial threats.
The Threat Mail-based cons have existed since the dawn of the postal service. E-mail has simply provided a fruitful new format. Attackers can send out millions of e-mails at practically no cost; if only one person in a million falls for the scam, the scammer still turns a profit. Because of identity-hiding technology, lax law enforcement, and the Internet’s global reach, attackers can operate with near impunity.
Phishing–when a scammer sends e-mail messages designed to trick recipients into visiting a deceptive Website or divulging personal information–is probably the most common e-mail scam. Some phishing attacks rely on nothing more than creative wordsmithing, but many more exploit holes in e-mail and Web technologies.
A phisher can fiddle with header fields, for example by setting a Reply-To address that differs from the address shown in the From line, so replies don’t go where you think they’re going. If you’ve ever received an e-mail asking you to provide your username, password, or other sensitive details by reply e-mail, that’s probably what was going on.
Or the phisher could embed a URL in the e-mail message that looks like it’s going to a trusted Website, but isn’t: by slightly misspelling the site’s address (www.macwarld.com), say, or by adding confusing text after the address (www.macworld.com.ad#$Fadfg%$.iamevilandwillstealyourstuff.com). A browser takes the real destination from the right-hand end of the host name, so a trusted name at the left end of the address means nothing. Such links often lead to sites crafted to look exactly like the legitimate site, but that aren’t.
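Both tricks above (a Reply-To header that diverts replies, and a link whose host name merely starts with a trusted name) can be checked mechanically before anyone clicks. The following Python is an added example written for this edit, not code from the article; it runs over a constructed sample message, assumes a small TRUSTED set of domains the recipient actually uses, and its registered-domain helper is a deliberate simplification (a production check needs the Public Suffix List). It also handles a third trick the article does not mention, a trusted name placed before @ in the userinfo part of the URL, which browsers ignore when choosing the host.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the recipient actually does business with (an assumption for this example).
TRUSTED = {"macworld.com", "paypal.com"}

# Constructed phishing-style message, not a real capture. The From header
# names a trusted domain, but Reply-To and three of the four links do not.
SAMPLE = """\
From: Macworld Support <support@macworld.com>
Reply-To: support@macworld-helpdesk.example
Subject: Verify your account
Content-Type: text/plain

Please confirm at http://www.macwarld.com/login
or at http://www.macworld.com.iamevilandwillstealyourstuff.com/verify
or at http://www.macworld.com@evil.example/
Real link: https://www.macworld.com/article
"""

URL_RE = re.compile(r"https?://\S+")


def registered_domain(host):
    """Rightmost two labels of a host name. Simplification: a production
    check must use the Public Suffix List so that e.g. example.co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a, b):
    """Levenshtein distance; macwarld.com sits one edit from macworld.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url):
    """Return (registered domain the browser will really contact, verdict)."""
    parsed = urlparse(url)
    host = parsed.hostname or ""      # hostname strips user@ and :port
    domain = registered_domain(host)
    if parsed.username:               # http://trusted.name@evil.example/
        return domain, f"userinfo trick: real host is {host}"
    if domain in TRUSTED:
        return domain, "trusted"
    for good in sorted(TRUSTED):
        if edit_distance(domain, good) <= 2:
            return domain, f"lookalike of {good}"
        if good in host:              # trusted name used as a subdomain label
            return domain, f"{good} embedded in {domain}"
    return domain, "unknown"


def reply_to_mismatch(msg):
    """True when replies would go to a different domain than the visible sender."""
    _, sender = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if not reply:
        return False
    return registered_domain(sender.rpartition("@")[2]) != registered_domain(reply.rpartition("@")[2])


def audit(raw):
    """Parse one RFC 5322 message and report header and link findings."""
    msg = message_from_string(raw)
    links = {url: classify_url(url) for url in URL_RE.findall(msg.get_payload())}
    return {"reply_to_mismatch": reply_to_mismatch(msg), "links": links}


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("Reply-To differs from From:", report["reply_to_mismatch"])
    for url, (domain, verdict) in report["links"].items():
        print(f"{verdict:45} {domain:35} {url}")
```

The point of the check is that the visible text of an address is irrelevant; only what `urlparse` reports as the host, reduced to its registered domain, says where a click will land.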
What You Can Do Your first line of defense against e-mail scams is a good spam filter; these days, most spam is some kind of scam. Virtually all major e-mail services do some basic filtering before messages hit your Inbox. Many e-mail clients, including Apple’s Mail, also include filtering tools. If those aren’t good enough, you can buy add-on spam tools, such as the excellent SpamSieve. I use three separate filters: a special service through which we route our corporate e-mail; a filtering appliance in front of our mail server; and SpamSieve. Despite those layers, I still see one to three spam messages a day.
Your next best defense is wariness. Don’t click on a link in an e-mail message unless you were expecting it. That’s especially true for e-mails that seem to be from your bank, an online retailer, or PayPal. If you get a message like that, navigate to the site directly in your browser by typing the address yourself. If the message is legitimate, you should see a version of it when you log in to the site. And never send sensitive information (especially account numbers, credit card numbers, and usernames or passwords) in e-mail replies. No legitimate site will ever ask you to do so.
Banking fraud, identity theft
The Threat Most cybercriminals are in it for the money. Banking fraud and identity theft are two of the ways they make it.
Credit card fraud is common. While it’s possible a criminal could break into your system to steal your credit-card number, it’s more likely that he collected it by breaking into an online vendor where you used the card.
Bank account fraud can be worse. If an attacker breaks into your online banking account, there’s little to stop him from transferring funds out of it, and those funds usually aren’t as well protected as credit card accounts are. The bad guys get at accounts any number of ways. They can take advantage of security flaws in the bank’s Website. Or they can use the Automated Clearing House (ACH) system: if they know your account and routing numbers, and have a business banking account of their own (or one they’ve hacked), they can pull funds from your account into theirs without your permission.
Finally, there’s identity theft, when criminals pretend to be you and open new accounts in your name, for anything from cell phones and utilities to home mortgages. New account fraud is the most common, and most damaging, kind of identity theft. You can be held responsible for any unpaid charges on those fake accounts, which can seriously damage your credit rating. Identity theft is particularly bad in the U.S., because we so commonly tie accounts to Social Security numbers; if a bad guy gets hold of your SSN, many of your accounts, and your identity, are his to exploit.
What You Can Do To ward off credit card fraud, be careful who you do business with; before you give your credit card to a new online vendor, do a little research first to make sure it’s on the up-and-up. Check your credit-card statement every month and immediately dispute fraudulent charges, even if they are small. Attackers sometimes charge small amounts to see if a card is active before going for a bigger score. Credit card companies offer excellent fraud protection, and will clear charges and issue new cards at the slightest sign of a compromise.
For bank account fraud, your best defense is also to keep an eye on your statements. Some banks offer fraud controls for bank accounts, such as alerts on transfers; if yours does, use them.
To guard against identity theft, request a free credit report from each of the major agencies (Equifax, Experian, and TransUnion) once a year. Or you can subscribe to a service like Debix or IdentityGuard that monitors your accounts and sends you alerts when it detects changes.
Retail and auction fraud
The Threat Earlier this year my wife decided to use an Amazon gift card she’d received to buy a new Coach purse. She found a bag for slightly less than retail through an Amazon reseller; she ordered it, and it soon arrived as expected, sort of. It was the first Coach purse she’d ever seen with fake leather, bad stitching, and painted plastic rings instead of brass ones. We immediately reported it to Amazon and received a refund. But by then the store had closed up shop.
Craigslist, eBay, and any other site that allows people to auction or sell goods directly struggle constantly with fraud. Buyers will make payments but then claim the item never arrived and initiate a chargeback (a refund) through their credit card company or PayPal. Sellers will cut and run without delivering items, or request payment using some form of “cash” card or online currency that isn’t protected the way credit cards or PayPal are. Criminal buyers on Craigslist will even present fake cashier’s checks for big-ticket items, then disappear.
What You Can Do Common sense is your best defense. When buying online, check the seller’s history and reputation score. Look at the number of ratings, not just the average rating, since it’s easy to fake a good average with only a few votes. Pay with a credit card, because it lets you dispute charges, and always request a tracking number for the shipment. When selling, always ship with verified tracking and a signature requirement so you can produce a record if the buyer disputes the charge. Finally (repeat after me): if an offer looks too good to be true, it probably is.
Rich Mogull has worked in the security world for 17 years. He writes for TidBits and works as a security analyst through Securosis.com.