Archive for the ‘Authentication’ Category

Important security settings on Facebook

October 29, 2013

Information security is important. Remember: without security there is no privacy! Today, E-Crime Expert presents several security measures Facebook has in place for securing your private data and account.

1. Change your password (Frequently)

i. Log on to your Facebook account, click “Settings” (1) and then click “Account settings” (2) in the drop-down menu (Fig. 1).

Fig. 1

ii. Select the “General Settings” menu on the left and then click the “Edit” tab in the Password field (on the right side of the page). See Fig. 2.

Fig. 2

iii. Now follow the three steps below:
- type your current password (for security reasons);
- type your new password (check this blog post here on how to create a strong password);
- type your new password again.
Click “Change password” and your password will be changed (Fig. 3).

Fig. 3

iv. To make sure your password change takes effect on all your devices, select the “Log me out of other devices” box and click “Submit” in the message displayed after you changed your password. This signs you out of every device on which you are automatically logged on, so the next time you use one of them you will be prompted for the new password. This is an extra security measure that protects your information if one of your devices is lost or stolen, or when it is shared with other people (Fig. 4).

Fig. 4

2. Check your active sessions

i. You can also check where your account has recently been logged on from.
Click the “Security settings” tab on the left (see the pictures above for how to get there), then go to the bottom right of the page and select “Edit” in the “Active sessions” menu (Fig. 5).

Fig. 5

ii. Now you can check where your current session is logged on from (top of the page) and, below that, where your previous sessions were logged on from.
*Note: if you appear to be logged on from countries you have never been to (or have not been to recently), or from devices you do not use, someone else has logged on to your account without authorization (Fig. 6).
**If you notice any unfamiliar devices or locations, click “End Activity” to end the session and automatically log out someone who is using your account fraudulently.
Then change your password immediately, as explained under section 1 of this blog post!

Fig. 6

3. Secure browsing.

i. Go to “Security settings”, as explained above, find the “Login Notifications” menu and click “Edit” (Fig. 7).

Fig. 7

ii. Then select either “Email” or “Text message”, or select both! Click “Save changes”.
You will now be notified by email or text message whenever your Facebook account is accessed from a device you do not recognize (Fig. 8).

Fig. 8

iii. Furthermore, you can set up Login Approvals, which are used when logging into your account from unknown devices.
Go to “Security settings” (see above) and then to “Login approvals” (below “Login Notifications”). Click “Edit” and select the box that reads “Require a security code to access my account from unknown browsers”. Don’t forget to click “Save changes”. You are now set to receive a notification, or be prompted for a code (delivered by email or text message as a one-time token), before logging into your Facebook account from an unknown device (Fig. 9).
To learn what an unknown or unrecognized device means, keep reading this post below.

Fig. 9

4. Recognized devices.

You can always choose which devices you use with Facebook.
Go to “Security Settings” (as explained above), click “Edit” in the “Recognized Devices” menu and see which devices are recognized. A device is added to your account as recognized the first time you log on to your Facebook account from it (using a new password); you will be prompted with a message asking whether you want to save that device as a recognized device or not. Be careful: do not mark a computer from school, work, a public library or a hotel as a “Recognized Device”. For this reason, check that menu and make sure the devices listed are ones you trust. If not, simply click “Remove” to the right of the device in question (for example, a device you used once in a library).
Don’t forget to click “Save changes”, as usual (Fig. 10).

Fig. 10

5. Trusted friends

i. To get set up, visit your “Security Settings” (as explained above), where you can select three to five friends to be your trusted contacts.
Find “Trusted contacts”, click “Edit” and then “Choose trusted contacts” (Fig. 11).

Fig. 11

ii. Type the names of 3-5 of your trusted friends. You can select them one by one.
Don’t forget to click “Confirm” (Fig.12).

To select good trusted contacts:

– Choose people you trust, like friends you’d give a spare key to your house.
– Choose people you can reach without using Facebook, ideally over the phone or in person, since you’ll need to contact them when you can’t log in.
– Choose more people to help you. The more friends you choose, the more people who can help you when you need it.

Fig. 12

iii. As a security measure, you will be prompted to enter your account password (even if you are already logged on). Click “Submit” when you are done (Fig. 13).

Fig. 13

iv. Immediately afterwards, your trusted friends will appear under “Trusted Contacts”. You can keep them all, or remove one or all of them if you are not happy with your choice (Fig. 14).

Fig. 14

v. To make sure you are the one who selected your trusted friends, Facebook sends you a message (check the mailbox linked to your Facebook account) confirming that you added trusted friends (Fig. 15).

If you did not do it, then someone most likely hacked into your account. Change your password immediately!

Fig. 15

vi. Using Trusted Contacts

Once you’ve set up your trusted contacts, if you ever have trouble logging in, you’ll have your trusted contacts as an option to help. You just need to call your trusted contacts and let them know you need their help to regain access to your account. Each of them can get a security code for you with instructions on how to help you. Once you get three security codes from your trusted contacts, you can enter them into Facebook to recover your account.

With trusted contacts, there’s no need to worry about remembering the answer to your security question or filling out long web forms to prove who you are. You can recover your account with help from your friends.

***Note: If you have set up secure browsing and login notifications and chosen your recognized devices, and you receive an email from Facebook notifying you that someone tried to log on to your account on day X from location Y using device Z (and none of those relate to you), change your password immediately (as explained under section 1 of this blog post), because someone has definitely tried, or succeeded, to log into your account fraudulently! (See the example in Fig. 16.)

Fig. 16

Any questions can be submitted to: dan@e-crimeexpert.com
Additional information can be found at: http://www.e-crimeexppert.com
To find out more about Dan Manolescu, visit his LinkedIn page here.
Hit the “subscribe” button in order to be notified when new videos and Articles are posted on this blog

iOS7 Security issues give access to your photos and more

October 3, 2013

E-Crime Expert once again brings a security issue to your attention, thanks to Jose Rodriguez from the Canary Islands, who found this iOS7 security glitch that gives access to your photos and enables sharing them via Twitter, Mail, Flickr and Message.

The following demo, pictures and testing were done entirely by E-Crime Expert (Dan Manolescu) on one of our devices. This security issue applies to any Apple device (iPhone, iPad) running iOS7.

How it works:

From the locked screen (Fig. 1), pull the “Control center” tab up (Fig. 2) and click the “Clock” pictogram (Fig. 3).

Fig. 1

Fig. 2

Fig. 3

Then press the “sleep button” until the “turn off your device” message appears (Fig. 4). Instead of turning the device off, press “cancel” and immediately double-click the Home button (Fig. 5).

Fig. 4

Fig. 5

The “Multitasking” screen will appear (Fig. 6). You can now choose the “Camera” app from there, click the “Camera roll” (Fig. 7) and you will instantly have access to your photos (Fig. 8).

Fig. 6

Fig. 7

Fig. 8

From here, you can share them via Twitter, Facebook, Mail or Flickr (Fig. 9).

Fig. 9

In order to avoid this security glitch, update your iOS:

Go to “Settings” (Fig. 10), then “General” (Fig. 11) and then “Software update” (Fig. 12).

Fig. 10

Fig. 11

Fig. 12

Done Deal!

Again, credit goes to: Jose Rodriguez, from Canary Islands (Spain).


What to do in case of credit/payment card fraud: real life example!

This weekend E-Crime Expert encountered a financial fraud that happened to us in real life: money was fraudulently withdrawn from our (Dan’s) account. Luckily, we identified the fraud immediately, which enabled us to cancel the card and report the fraud in order to be reimbursed.

1. How it could be detected:

i. Log into your online banking account (Fig. 1)

(I am using a mobile platform for my online banking)

Fig. 1

ii. Type your user name or card number and password (Fig. 2)

Fig. 2

iii. Select one of your accounts, then go through your transaction records carefully and see if there is any transaction you do not recognize (this is how I identified the fraud in my VISA account) (Fig. 3).

Fig. 3

iv. Most likely the fraudulent transaction will be from a service provider or vendor you have had nothing to do with (as happened in my case) (Fig. 4).

Fig. 4

2. What to do if you suspect fraudulent activity:

Despite your best efforts, there is still a chance that you will become a victim of payment card fraud. You will save yourself time and worry by following the steps below:

  • Call your financial institution immediately. You can find the phone number easily on the back of your card (Fig. 5).

Fig. 5

  It may want to cancel your current card and mail you a new one. Check to verify that your mailing address has not been changed.

  • If you still have your card, but fraudulent purchases have been made on the account, call your financial institution and ask them to issue you a new one.
  • Contact the national credit bureaus to let them know you are a victim of fraud. They will place a “Fraud Alert” on your file. You can also request copies of your credit report, which you should review carefully. For North America: Equifax: 1-800-465-7166 or www.equifax.ca; TransUnion: 1-866-525-0262 or www.tuc.ca
  • Diligently check your statements in the following months to make sure the problem has been completely resolved.
  • Report the fraudulent activity to the proper authorities, including the police or the Internet Crime Complaint Center:

i. Mastercard:

To contact MasterCard’s fraud department:

  • you can call 800-627-8372.
  • If you are not in the United States, contact MasterCard fraud by calling 636-722-7111.
  • If it is an emergency related to possible fraud, MasterCard will accept international collect calls.

ii. Visa:

  • Call the bank or other organisation that issued your card, if you know the telephone number. They will immediately block your card and organise a replacement.
  • If you do not have your card issuer’s telephone number, use the menu on the Global Card Assistance Directory page for help.

To use the Global Card Assistance Service Directory, click here.

From the pull-down menu, choose the country you are in now. Call the telephone number that appears in the right-hand box. Calls might be free, but may carry local telecom fees if you dial from a mobile phone or from within a hotel.

If outside the US, please make a reverse-charge call to +1 303 967 1096; if within the US, simply dial +1 800 847 2911.

3. What you need to be prepared to provide when calling:

  • The name of your card issuer
  • The type of card — for example, Visa Electron, Visa Classic, Visa Gold
  • The country where the card was issued

It will help if you can also tell them:

  • Your 16-digit Visa/MasterCard account number
  • If you have your own card account or a partner card
  • Your name as it is printed on the card
  • The address where your statement is sent
  • Your home telephone number
  • How the card went missing or what transaction you find illegitimate
  • Other personal details that will be used as a security check to confirm your identity
  • The identity of the primary cardholder, if you are the secondary cardholder.

4. Tips to stay safe:

i. How to prevent identity theft

Identity theft involves acquiring another person’s identification information (such as a social insurance number or any unique identifier) without a person’s knowledge for the purpose of impersonating him or her to commit fraud. The best defense against identity theft is to prevent thieves from getting the information in the first place.

Here are guidelines to follow:

  • Never leave your purse or wallet unattended – keep your personal data and information guarded at all times.   
  • Sign your credit and debit cards in permanent ink as soon as you receive them.   
  • Call your card issuer if a new or reissued card does not arrive when expected.   
  • Don’t carry your social insurance card, birth certificate, or passport in your wallet or purse unless it’s absolutely necessary. Cancel any inactive payment card accounts.   
  • Never throw away receipts in a public trash container. When disposing of receipts or old statements, be sure to destroy the areas where the account number is visible. In general, you should keep all your receipts in a safe place to refer to if you suspect suspicious activity.
  • Check your statements frequently and carefully. Be sure you are familiar with all account activity on the statement. If you find an unauthorized or questionable transaction, call the appropriate organizations immediately.
  • Do not write your credit or debit card account number on a cheque, or use it for identification when paying by other means.
  • If your social insurance card or driver’s license is missing, contact the appropriate agency immediately.
  • Never give any payment card, bank, or social insurance information to anyone by telephone, even if you made the call, unless you can positively verify that the call is legitimate and there is a true need for the information.
  • Keep a list of all your credit accounts and bank accounts in a secure place so you can quickly call the issuers to inform them about missing or stolen cards. Include account numbers, expiration dates, and telephone numbers of customer service and fraud departments.
  • Make a note of when your financial statements arrive each month. If your statements stop arriving, contact your bank immediately.
  • Obtain a copy of your credit report once a year from one of the national credit bureaus. You are entitled to a free copy of your report if you are denied credit. Otherwise, most credit bureaus will charge a small fee. If the report data is incorrect, write the credit bureau immediately and keep a copy of your letter.

ii. How to prevent fraud while using your payment card

Payment cards are used every day by billions of people throughout the world. By following the steps below, you will significantly reduce the chances of fraudulent activity occurring on your account:

  • When making a purchase, keep your card in view at all times. Retrieve the card as soon as the transaction is complete and make sure it is yours.
  • Memorize your passwords and personal identification numbers (PINs) so you do not have to write them down. Be aware of your surroundings; make sure no one is watching you input your PIN.
  • Never sign a blank receipt slip. Draw a line through any blank amount lines that appear above the total amount line.
  • Save all of your receipts so you can refer to them at a later time. Never discard your receipt in a public trash container.
  • Do not provide your account number over the phone unless you are positive the call is legitimate and there is a legitimate purpose to disclose your account number. Never provide your number over the phone if you didn’t initiate the call.
  • Avoid saying your account number aloud at a merchant location or over the phone if others can hear.

iii. How to prevent fraud while shopping online

Shopping online opens up a world of choices and convenience – as well as some risks that require extra vigilance. Here are some tips to ensure that your online shopping experience remains safe and enjoyable:

  • Make sure you are doing business with a reputable Internet merchant. Check with the Better Business Bureau or provincial and local consumer agencies to find out about past complaints or experiences from other customers. You can also look for the following information on the website to check if a merchant is reputable:
    • Privacy policy – A reputable website often has a clearly stated privacy policy in an accessible place. Read the privacy policy so you know exactly how the merchant intends to use your information.
    • Information about the offer – make sure you learn all you can about the offer, including the delivery date, terms of warranty, cancellation policies, how to contact the company if you have questions, etc.
    • Information about the merchant – make sure to find the company’s physical address and telephone number.
    • Security – Reputable websites often provide information about how they protect your financial information when it is transmitted and stored.
  • Guard your personal information. Don’t provide information that you are uncomfortable giving. Never give anyone the password that you use to log on to your Internet Service Provider or online bank account.   
  • Keep records. Print out all information about your online transaction and keep it in a safe place to refer to at a later time.   
  • Pay with a payment card – as this is often the safest way to pay online. In North America, the cardholder has the right to dispute charges if the goods or services were misrepresented or never delivered. Also, you are not responsible for fraudulent purchases made on your account.   
  • Make sure the merchant that you are dealing with has proper security measures in place. Your computer browser can tell you if the place where you are about to send the information is secure. Look for an unbroken key or closed lock at the bottom of the browser window. If you cannot determine this, do not put your credit or debit card information over the Internet.
  • Hover over a link in your browser to check that it does not point to a hidden link on a fake or illegitimate cloned website.

iv. Setting up your best security for your Visa Card:

Visa has developed several layers of fraud prevention and detection systems and programs, giving you multiple checkpoints for security to protect your business and make transactions more secure. Visa’s Layers of Security complement each other and work together, so by implementing multiple services you can help reduce your risk of fraud.

The Layers of Security:

Layer # 1 – Chip & PIN

Many Visa cards now contain a micro-computer chip that securely stores encrypted information to complete transactions. As well, Personal Identification Numbers (PINs) are used for cardholder authentication when chip cards are used in Canada. This helps make counterfeiting virtually impossible.

Layer # 2 – Verified by Visa

The Verified by Visa (VbV) program is a worldwide service that confirms a cardholder’s authenticity in real time. This helps protect merchants from fraudulent transactions and chargebacks, while protecting cardholders from unauthorized use of their Visa cards.

Layer # 3 – Three-digit Code (CVV2)

The CVV2 is a three-digit security code on all Visa cards that helps ensure a customer making an online or phone purchase has a genuine Visa card in hand.

Layer # 4 – Address Verification Service (AVS)

When fraudsters try to order online, by mail or by phone, AVS can help stop them in their tracks. Account number information obtained from a receipt or a stolen card does not include an address or postal code. AVS checks a cardholder’s address and/or postal code against the card issuer’s records in real time, giving you the opportunity to stop a transaction if desired.

Layer # 5 – Visa Advanced Authorization (VAA)

Available through most card issuers, VAA lets you immediately identify and respond to emerging fraud patterns and trends. As transactions are processed through VisaNet® Advanced Authorization, VAA evaluates authorization request data in real time and assigns a risk rating, helping you better identify potential fraud.

5. Additional contact numbers for Canada only:

MasterCard Issuer Security Phone Numbers in Canada:

ATB Financial: 1-800-661-2266
BMO Bank of Montreal: 1-800-361-3361
Bridgewater Bank: 1-866-398-4404
Canadian Tire Bank: 1-800-459-6415
Capital One Canada: 1-800-481-3239
CIBC:   1-800-663-4575
Citibank Canada: 1-800-305-7259
Credit Union Electronic Transaction Services: 1-800-567-8111
Direct Cash Bank: 1-888-466-4043
GE Money Canada: 1-800-243-2222
HSBC Bank Canada: 1-866-406-4722
MBNA Canada: 1-800-379-2744
National Bank of Canada: 1-888-622-2783
Peoples Trust: 1-866-452-1138
President’s Choice Bank: 1-866-246-7262
RBC Royal Bank: 1-800-361-0152
Sears Canada: 1-800-288-9965
Walmart Financial Services Canada: 1-888-925-6218
Wells Fargo Financial: 1-888-295-0050


SHODAN, the search engine: is it “scarry” or not?

April 12, 2013

E-Crime Expert presents to you today a search engine which is totally different (in functionality and scope) from the ones we are used to (e.g. Google, Bing).

For us (E-Crime Expert), Shodan has a positive value as it uncovers security vulnerabilities. Used by others (e.g. cybercriminals), Shodan could have a negative side, as it enables access to different systems (routers, webcams, etc.) which have little or no security protection.

According to the description available on their main page here, “SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners”.

Web search engines, such as Google and Bing, are great for finding websites. Rather than locating content for a particular search term, SHODAN is designed to help the user find specific nodes (desktops, servers, routers, switches, etc.) with specific content.

How to use it:

Create a SHODAN account and log in, or log in using one of several other options (Google, Twitter, Yahoo, AOL, Facebook, OpenID).

Login is not required, but the country and net filters are not available unless you log in.

Basic Operations:

Filters
- country: filters results by two-letter country code;
  - filtering by country can also be accomplished by clicking on the country map (available from the drop-down menu);
  - mouse over a country for the number of scanned hosts for that country.
- hostname: filters results by specified text in the hostname or domain;
- net: filters results by a specific IP range or subnet;
- operating system: searches for specific operating systems;
- port: narrows the search to specific services.

After the search returns some entries (e.g. webcams located in a certain area), just click on one of those entries and you will have instant access to what that webcam records live (Fig. 1).

Figure 1.

Examples:

Note:
E-Crime Expert will try to contact all the owners of these vulnerable systems in order to report their security issues and advise them on how to protect their devices with appropriate passwords and security measures.

Please watch the video or read our material on how to create a stronger password.

1. Run a search for all existing default passwords, as shown in Figure 2.
Having access to the password, one could enter the router’s settings and change them or, even worse, use the router as a back door to access any device connected to it, such as a computer, printer, etc.

Figure 2.

2. Once we have selected a webcam, click on it and wait for the live footage to play.
What we see is an intersection, which could be considered a public space. The live feed records everything in real time (Fig. 3).

Figure 3.

3. Access is granted regardless of geographical location: E-Crime Expert had access to a webcam located in Russia from a computer located in North America (Figure 4).

Figure 4.

4. We next tested a webcam which was recording someone’s home front steps, perhaps for security reasons. The issue here is the camera’s angle: you can also see the neighbour’s front alley, car and probably anyone entering their house (Fig. 5).

Figure 5.

5. The next example is more intrusive, as it transmits live feeds from a restaurant where clients could be identified along with the staff members. The purpose of this camera is theft protection, but due to its non-existent security measures, anyone on the Internet could now check who came to that restaurant and at what time, transforming the purpose of that camera into a monitoring one (Fig. 6).

Figure 6.

6. Not surprisingly, the next webcam is even more intrusive, showing live a staff member working in a convenience store from a “behind the counter” view. Any time the staff opens the money drawer, everyone with access to this webcam (available worldwide, as shown in this blog post) could estimate how much money is in it. Besides the privacy-invasive aspect for the clients and the staff member, this could potentially also lead to robberies or similar attacks (Fig. 7).

Figure 7.

7. The last example is the most intrusive and concerning one, as it transmits live video streaming from someone’s home. It is intrusive because the guests visiting this person are most probably not aware of the webcam, and also because the footage is now available not just to the security company in charge of protecting this home, but to virtually anyone on the Internet. The second concerning aspect is that anyone could see what is on the kitchen counter, whether a large amount of cash, cheques or other valuable goods. This again could lead to robberies or other violent crimes (Fig. 8).

Figure 8.

Conclusions:

SHODAN aggregates a significant amount of information that is not already widely available in an easy to understand format.

SHODAN collects basic information about websites, the information “from the inside”, data covering the so-called back-end (simplified information about the type of server, software versions, and so on). On the one hand, it is therefore an excellent database for those involved in security; on the other, it is also a source of information for cybercriminals.

The Shodan software runs 24 hours a day. It automatically reaches out across the World Wide Web and identifies digital locators, known as Internet Protocol addresses, for computers and other devices. For security monitoring teams, Shodan may present some serious challenges: it is highly unlikely that security monitoring teams will ever be alerted to an attack that is using Shodan.

From a privacy perspective, some information that ordinary people can reach on the World Wide Web by simply running a search is not necessarily to be regarded as publicly available information, such as the webcam in someone’s home, in a store, gas station, etc. This is not publicly available information from a legal perspective, but it actually becomes available to anyone because some monitoring systems have little or no security measures. According to most international privacy legislation, a surveillance camera should be installed and used only on a legal basis and after a privacy impact assessment has been done (as a best practice). That legal basis strictly refers to the purpose for which the camera is used, which definitely does not grant worldwide access to the footage, except where a public space is in question (e.g. park, street, etc.).

Even when the area under surveillance is a public space, there are cases when footage or pictures of those public spaces record more than the public space itself (e.g. the Google Maps litigation over capturing more than the streets, etc.).

The Privacy Impact Assessment is specifically done (among other things) to make sure that no unauthorized person has access to the footage recorded by a surveillance camera. Being able to publicly find this footage on the Internet is outside the privacy and security requirements and measures in place for a surveillance camera located either within a public space (with the potential of recording private areas as well) or in a household, which is by definition a private space. Probably some of these surveillance cameras are installed by the household owners, aiming to act as theft protection, and are consequently meant to be accessible only to the police or other law enforcement entities.

Conversely, having global access to this kind of footage does not align with most of the existing international privacy legislation.

Once again, E-Crime Expert has taken this opportunity (SHODAN, search as a positive tool) to assess current privacy and security issues.
