Don’t worry, it’s as secure as Chip and PIN!

MBNA (Bank of America) customers getting new credit cards might notice a new feature thrown in for free: A card that does not require the owner to insert the card anywhere, but instead communicates with the payment terminal wirelessly.

The cards come with an A5 sheet of paper explaining the new features:

You may be thinking – what about security?

The asterisk points to the following footnote:

Let us go through some of these statements:

“Even though you aren’t entering a PIN, your transaction is still completely secure as your card has the latest chip in it…”

This, on its own, is hogwash.

“…and uses the same payment technology as a Chip & PIN transaction.”

Here the bank is saying that *not* using your PIN is secure because you’re using the (presumably infallible) Chip & PIN technology. It’s like saying it’s okay not to use your seatbelt, because your car has got power brakes & seatbelts. Only with Chip&PIN it’s worse, since the security of the whole system falls apart without the PIN.

Further down we read:

“To speed up the transaction you generally won’t be given a receipt…”

Great. There are very good reasons receipts are mandatory for any kind of transaction, whether it’s buying a toothbrush or electing the next president of a nation. Let’s teach the next generation that receipts are pesky pieces of paper that slow us down.

“You will also still be covered for any fraudulent activity on your card just the same as chip & PIN transactions”

Fabulous. All these “completely secure” systems and they’re slapping this warranty on top! It’s just too good to be true.

“…providing you let us know as soon as you notice any unrecognised transactions on your statement or notice your card is missing.”

Ahh, here’s the catch. You need to check your statement every month, putting the onus on you to find the fraudulent transactions. If you don’t, it’s your fault and the bank will not refund the money stolen from your account.

Doesn’t look like such a hot deal after all.

The banks are using the term “Chip & PIN” as a magic wand – hoping that some of its “complete” security will spill over to the new contactless, PIN-less world. They are using something that is already broken to argue that a not-obviously-related product is also secure. If this is really the foundation these systems are built on, it’s not sound.

How is that not a harbinger of trouble for consumers?

Tracking good samaritans

I got the following email from hotels.com the other day, asking me to provide feedback on their service and the last hotels I stayed at.

Nothing wrong with that – I have no direct benefit from this but believe in the power of community feedback etc. So I thought what the heck, let’s take the time to complete a quick survey.

So I clicked on the “write a review” link in the email, which directed me to this URL:

http://click.mail.hotels.com/?qs=d022f9b41a16aff5d6ebfc436e6bb406416e73ed4926ea9826856a4c9a1a5fe9571b8d186c7913567898645f30c4bdb9

…which redirected me to:

http://ad.doubleclick.net/clk;229503547;53487117;m?http://www.hotels.com/submitreview.html?lastName=mylastname&itineraryId=53807570&intlid=review&rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887636&et_mid=198875&_dc_ck=try

…which finally takes me to a webpage that demands I download and execute Javascript code in my browser before displaying anything:

http://reviews.hotels.com/7014h-en_gb/7310/writereview.htm?format=embedded&user=6bf4d77c00a3e7254a885e86b510cf53646174653d3230313130313138267573657269643d35333830373539305f2d3130342650726f6475637449443d37333130264850726f706572747949443d32373431363226545049443d2d31303426545549443d3533383037353930264c6f6249443d33264974696e49443d3533383037353930264c69643d32303537264272616e6449443d39264f726967696e3d73697465&submissionurl=http%3A%2F%2Fwww.hotels.com%2Fsubmitreview.html

Asking for the “Privacy Policy”, takes me here:

http://ad.doubleclick.net/clk;229503547;53487117;m%3Fhttp://www.hotels.com/customer_care/privacy.html?rffrid=eml.hcom.UK.400.00.2011.01.18.src00.00.00.0000.0000.00.0000&pos=HCOM_UK&locale=en_GB&intlid=FTR.TR.SUR.eml.privacy&et_jb=2&et_j=17173477&et_e=my_email_address&et_l=1935712_HTML&et_u=196887677&et_mid=198875

(I substituted my real information for the red text in the above URLs)

It’s an Orwellian world when requesting a privacy policy sends one’s personal information to a DoubleClick tracking page…

PS: If you want to know & control which websites your browser connects to, use Firefox with the RequestPolicy addon.

How do I clean up my computer after a virus infection?

Good question.

There is ample information on the Web chastising people for doing this and that wrong, for clicking on things, for being tricked into agreeing to install a “plugin update”… reams of articles saying “DON’T DO IT – whatever it is, JUST DON’T!”

But realistically, with drive-by malware attacks picking up and malware being created to specifically evade traditional antivirus programs, people don’t have much chance… it’s just too easy to get infected with malware.

What nobody out there seems to have an answer to, is the simple question: What do you do on the day after?

I am also unaware of a simple answer.

Microsoft publishes a Malicious Software Removal Tool every month. Commendable effort, but it doesn’t stand a chance against resident malware.

Online articles that advise you to “scan your computer with the latest antivirus software” are dangerous because they lead to a misinformed public. The truth is that there are simply too many ways to avoid detection and too much money to be made in the online crime industry. This means that highly skilled, organised and motivated people are writing malware to avoid all known safety nets. Malware has it much easier than all the defenders in the world – the attackers need only one way in, and they have control of your computer for good. And running all the antivirus scan in the world won’t change that.

The only thing you can do, is backup your important data (you do have backups, don’t you?), find your Operating System installation discs, erase your entire hard drive and then re-install everything from clean, trusted media, being extremely careful not to be re-infected by your old files or devices. E.g. infected USB sticks can re-infect the new installation.

To (hopefully) avoid this, follow these rules:

  1. First thing you do after reinstalling the Operating System: Connect the system to the Internet and immediately download and apply all critical updates. Don’t even check your emails.  Update, update and then update some more until everything is at the very latest version.
  2. Users of Windows, disable the automatic execution of stuff on USB sticks and disks. (KB967715 for details)
  3. Install *working* antivirus software. Not the cracked version of Kaspersky your cousin gave you on a CD and said “it’s okay, you don’t need to pay for it”. Not the nod32.exe you downloaded off some “free downloads” site. You may think such pieces of software protect you, but they don’t. They just lie to the users about operating properly and install malware behind your back. They are the enemy.No, you need to get a *legitimate* antivirus solution. See this blog post for free antivirus software that actually detects malware (or at least tries to).
  4. Only after you’ve successfully completed these first 3 steps, may you reconnect your old media (like USB sticks or disks) to restore your files. Before you touch any of those files, you will run an exhaustive scan (that will take hours) on the removable media you used. This will increase your chances of not getting re-infected straight away. After the scan, you may start restoring your files, reinstalling programs etc.
  5. At this point, you have a clean slate and your files back. You should proceed to follow safe computing practices, especially when you’re on the Internet, and hope that someone, some day, will actually improve this sad state of affairs of being unable to trust your own computer and having to be vigilant all the time to not be infected soon again.

Free antivirus software for Windows

As of January February July 2011, there are at least three four perfectly legitimate free antivirus products for Windows. In my order of preference they are:

  1. Microsoft Security Essentials
  2. Avast Free Antivirus
  3. AVG Free
  4. Avira Free (why?) (fallen from grace due to user pestering)

These are the ones I have used. There are at least 6 more to choose from.

Please note that the following products are NOT free to use:

  • Norton
  • Symantec
  • McAfee
  • NOD32
  • Sophos
  • Kaspersky
  • etc…

If you’re using one of them and not paying for it (unless of course your organisation has paid for it), you are at risk, as malware authors use warez and similar types of “freebies” and “cracked versions” and “key generators” to infect your computer with the very software you’re trying to defend against.

The only (temporary) exception to this is time-limited versions of antivirus software you usually get with brand new computers, but you must do something about those as soon as the gratis period expires: either buy the product or uninstall it and install one of the free ones.

Remember, an expired antivirus that is not updating its definitions is almost useless.

Spam email statistics

Symantec’s State of Spam report makes fascinating reading.

Did you realise that during a typical day in August 2010, around 200 billion spam emails were sent? In a single day!

I didn’t.

Apparently there is now reason to be optimistic, as the volume of spam over the past month (December 2010) has been hovering around 70 billion spam emails per day.

More about it on Symantec’s blog.