Financial Fraud and Internet Banking

McAfee recently released a comprehensive report on the array of threats facing banks and their customers.  It includes topics such as card skimming, money laundering, the Nigerian 419 fraud, auctions, and online banking.  The report also provides a good overview of current countermeasures.

Highly recommended reading!

The full report is available for download here.

Domain registration: Caveat Emptor

The Internet has been around so long that domain registrations have become a commodity.  The competition is fierce, and margins are small. Registrars compete for your business not only on price, but also on added features like bundled hosting and DNS service. And among the sales tactics is the offer of free domain registrations.

The reality, of course, is that there is no such thing as a free domain registration.  Somebody pays for it.  And while there is nothing wrong with giving a customer a “free” domain when they purchase other services, as one of my colleagues recently found out, ethics among hosting services vary greatly.

My colleague purchased a hosting plan for $5.95 per month with HostPapa.ca that included a free domain.  According to the terms of service posted on their web site, there shouldn’t have been a problem:

“You have all rights to transfer, sell, or modify your domain name to another person or individual. If you decide to sell or transfer your domain name and HostPapa is the domain name registrar, please request our “domain name transfer instructions” by sending an email to support@hostpapasupport.com. We will send you the specific details and information about transfer of ownership.”

But, when my colleague decided to transfer his domain to another registrar, he found out that it wasn’t that straightforward.  HostPapa had registered the domain in their own name.  In email, he was told,

“The $100.17 you paid upon sign up with HostPapa was for a hosting account. We included a FREE domain as a thank you for creating an account with us. This domain is only free as long as you are a HostPapa customer, hosting the domain on our servers.

If the domain was not free, you would have been charged $126.37 for hosting and a domain purchase. Now that you wish to cancel your services and take your domain away, the invoice I have created for your domain in the amount of $26.20 covers the cost of HostPapa registering this domain on your behalf when you signed up with us.

This is standard for anyone cancelling their account and wishing to retain their domain.”

During his email discussion with them, at one point a representative of HostPapa wrote chillingly, “Legally, the domain name is ours.”

We contacted HostPapa and inquired, and they explained,

“Yes, you can transfer your domain name to another host at a later date, however, there will be a fee of $24.95 + GST for Canadian clients to release the domain, since it’s only free as long as you are hosted by us.”

Your domain name is key to your Internet presence, and losing it can have a significant impact.  Assuming you maintain a backup of your web site, you can easily move to another hosting company if you control your domain.

So what can you do to protect yourself?

First, keep in mind that virtually anyone can become a ‘registrar’ through a simple reseller agreement. The fact that a company can register a domain for you doesn’t provide any indication of business ethics. Search the web, read their agreements carefully, and do your best to check out their reputation.  Be cautious if transferring your domain requires emailing or telephoning support, or if the description of the process is vague.

Second, check your domains to ensure that they are registered in your (or your company’s) name, not a provider’s.  If you don’t already have a favourite “whois” tool or web site, try allwhois.com. If the domain is not in your name, contact the registrar immediately and ask that it be corrected. If they refuse, indicate that you wish to transfer your domain to another registrar. But keep in mind that as far as the domain registration world is concerned, the owner is the entity listed in the whois database.

Third, consider using a separate registrar from your hosting provider.  If you’re more technically inclined and have a number of domains, you might consider opening your own reseller account with a large registrar like Tucows and becoming your own registrar.  It also might make sense for you to use a third-party DNS provider like dnsmadeeasy.com.  Ideally you want control of your domain information including the contact names, addresses, and DNS servers. Your registrar should allow you to update at least your DNS information through a web-based interface.
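The second and third points above can be turned into a routine check once you have a whois record in hand. The following is an added example (not from this post): it runs against a constructed whois record rather than a live lookup, and the field names, the expected owner, the contact domain and the 60-day expiry warning are all assumptions.

```python
import re
from datetime import date

# Constructed sample record (not a real lookup), in the "Key: value"
# layout most whois servers return; a key may repeat (Name Server).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-COOP.CA
Registrar: Some Hosting Reseller Inc.
Registrant Name: Some Hosting Reseller Inc.
Admin Email: support@example-hosting.invalid
Name Server: NS1.EXAMPLE-HOSTING.INVALID
Name Server: NS2.EXAMPLE-HOSTING.INVALID
Expiry Date: 2010-03-01
"""

def parse_whois(text):
    """Turn 'Key: value' lines into a dict of lists (keys lower-cased)."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z][A-Za-z ]*?):\s*(.+?)\s*$", line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record

def audit_domain(text, expected_owner, contact_domain, today, warn_days=60):
    """Return the findings a domain owner would want to act on.

    today is an ISO 8601 date string, e.g. "2010-01-15"."""
    rec = parse_whois(text)
    findings = []
    owner = " ".join(rec.get("registrant name", []))
    registrar = " ".join(rec.get("registrar", []))
    # 1. The registrant must be us (or our company), not a provider.
    if expected_owner.lower() not in owner.lower():
        findings.append(f"registrant is '{owner}', not '{expected_owner}'")
    # 2. A registrant that is also the registrar is the HostPapa pattern.
    if registrar and registrar.lower() == owner.lower():
        findings.append("registrant is the registrar/hosting provider itself")
    # 3. Contact addresses should be ours, so renewal notices reach us.
    for email in rec.get("admin email", []):
        if not email.lower().endswith("@" + contact_domain.lower()):
            findings.append(f"admin contact {email} is not under {contact_domain}")
    # 4. An expiry that is close is a second way to lose the name.
    for raw in rec.get("expiry date", []):
        days = (date.fromisoformat(raw) - date.fromisoformat(today)).days
        if days < warn_days:
            findings.append(f"registration expires in {days} days ({raw})")
    return findings

if __name__ == "__main__":
    for f in audit_domain(SAMPLE_WHOIS, "Example Co-op", "example-coop.ca", "2010-01-15"):
        print("WARNING:", f)
```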

Protecting Corporate Assets

Non-profits, co-ops, and other organizations that depend upon volunteers often have challenges when it comes to protecting corporate information assets against individuals who leave the organization. 

For example, I’ve recently been dealing with a situation involving the use of Yahoo Groups.  While it’s a great way to share information with a group of people, here’s what can happen:

  1. A volunteer sets up a group on behalf of the corporation, bearing the corporate name.
  2. The volunteer runs the group for a while but subsequently decides to leave the role.
  3. The volunteer refuses to turn over control of the group to a board member.
  4. When pressed on the issue, the volunteer claims that the group is inaccessible because it hasn’t been used for a while.
  5. When pressed further, the volunteer deletes the group including all content.

Unethical volunteers (and employees) can create disruptive scenarios. In this case, they have the potential to impact communication with group members, and information can be quickly lost. While criminal and civil proceedings can be initiated after the fact, the disruption has already occurred.

In an ideal world, there would be services available that take these issues into account. For example, one could have multiple administrators and require two of them to approve sensitive transactions.  But until services like that exist, your best defence is to recognize what can happen and ensure that someone other than the group administrator has a copy of all documents and maintains a list of participants’ email addresses so that they can be contacted if an issue arises.

Have another suggestion?  Please comment and let me know!

How about a date?

Sometimes in security, and life in general, it’s the seemingly small issues that cause problems.  As the saying goes, “The devil is in the details.”

Take dates for example.  If I were to suggest we meet for a 10:00 coffee on 07/10/09, when should you show up?  Most of you would assume that 09 is 2009.  Then you’d hope to infer from other information whether I meant July 10th or October 7th.  Those who know I’m a night owl might wonder if I mean 10 p.m., while my old army buddies would assume that if I meant 10 at night I’d write 22:00.

About ten years ago, software developers and IT managers were in a hectic race against the clock. In many cases they just didn’t know what would happen when computers using two-digit dates rolled from 99 to 00.  Or 100. And it appears that in the past 10 years we’ve learned very little about standardization.

Of course there are those who don’t bother with the year at all.  The yogurt in my fridge reads JL13.  At least I can figure out that they mean July 13, and I can hope that this container didn’t somehow get shoved to the bottom of the pile for a year.  Or even worse, the dreaded “Best before 08/01.” Is it good for another month and a half, or should I carefully double bag it and put it in the trash without disturbing whatever new life form might dwell beneath the lid? It just doesn’t make sense to force product manufacturers to put a date on something if we can’t be positive what it means.

Fortunately there is a simple solution:  Adopt the international standard, ISO 8601. Unlike many ISO standards, it isn’t all that complex.  June 22, 2009 is 2009-06-22 or 20090622.  10:00 a.m. is 10:00:00, and 10:00 p.m. is 22:00:00. Provisions exist for omitting seconds, etc., if they aren’t required.
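To make the ambiguity concrete, here is an added example (not from the original post) that enumerates every calendar date a slash-separated string like 07/10/09 can mean, shows how a library quietly picks a century for a two-digit year, and accepts only ISO 8601 input. It assumes a 2000 pivot for the enumeration and the three field orders in common use.

```python
from datetime import date, datetime

# Field orders in common use, as (year, month, day) positions within
# a slash-separated two-digit date such as "07/10/09" (assumed set).
ORDERINGS = {"mdy": (2, 0, 1), "dmy": (2, 1, 0), "ymd": (0, 1, 2)}

def interpretations(text, century=2000):
    """Map each ISO 8601 date the text could mean to the orderings giving it.

    The two-digit year is resolved against `century` (assumed pivot)."""
    parts = [int(p) for p in text.split("/")]
    if len(parts) != 3:
        raise ValueError("expected three slash-separated fields")
    found = {}
    for name, (yi, mi, di) in ORDERINGS.items():
        try:
            d = date(century + parts[yi], parts[mi], parts[di])
        except ValueError:
            continue  # e.g. a "month" of 31: that ordering is impossible
        found.setdefault(d.isoformat(), []).append(name)
    return found

def is_ambiguous(text):
    """True when more than one reading of the text is a valid date."""
    return len(interpretations(text)) > 1

def two_digit_year_pivot(text, fmt="%m/%d/%y"):
    """Year a library assigns on its own: Python's %y maps 69-99 to 19xx
    and 00-68 to 20xx, so "07/10/69" and "07/10/68" land a century apart."""
    return datetime.strptime(text, fmt).year

def strict_iso(text):
    """Accept only ISO 8601 'YYYY-MM-DD[THH:MM[:SS]]'; reject everything else."""
    try:
        return datetime.fromisoformat(text)
    except ValueError:
        raise ValueError(f"{text!r} is not an ISO 8601 date/time") from None

if __name__ == "__main__":
    for iso, orders in interpretations("07/10/09").items():
        print(iso, "if read as", ", ".join(orders))
    print(two_digit_year_pivot("07/10/69"), two_digit_year_pivot("07/10/68"))
    print(strict_iso("2009-06-22T22:00:00"))
```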

Isn’t today a good date to become part of the solution?

PCI Security Presentation

There’s a lot of information about the Payment Card Industry Data Security Standard (PCI DSS) on the Internet, but if you’re looking for a good overview, check out eNable’s Quick Guide to PCI Compliance video.  Their fifteen minute presentation is both technically correct and presented in language that anyone can understand – a refreshing change from many security presentations.

If you accept credit cards, you’re required to comply with PCI DSS. There are ways to simplify PCI compliance requirements, especially for small businesses, but it all starts with understanding what those requirements are.  If your business accepts credit cards, you owe it to yourself to watch this video.
