AllThingsD » phishing

Email Giants Move to Slash "Phishing"

Ben Worthen — Mon, 30 Jan 2012 12:30:30 +0000

Email-service providers Google Inc., Yahoo Inc., Microsoft Corp. and AOL Inc. are backing a new effort intended to dramatically reduce “phishing” emails — which attempt to trick recipients into thinking they come from a legitimate source.

The companies — along with others such as financial-service companies Bank of America Corp., FMR LLC’s Fidelity Investments and eBay Inc.’s PayPal — are hoping to create an environment that allows the recipient of an email from, say, a bank, to feel secure that it isn’t a trick.

Read the rest of this post on the original site »

Lookout Inks Deal With Sprint, Launches Safe Browsing Service

Ina Fried — Wed, 15 Jun 2011 13:00:50 +0000

While consumers are trained to look for tell-tale signs of a phishing attack on the desktop, spotting a scam from a mobile e-mail program or browser can be a lot more difficult. It’s often hard to tell where a link will take you before clicking and there is no “green bar” to tell you that a site is indeed who it purports to be.

Lookout Mobile Security, a software company that specializes on smartphone security, is announcing on Wednesday its effort to make browsing on mobile devices a little safer.

The new “safe browsing” feature works by checking all links against its cloud-based database, including those within text messages, Facebook and e-mail messages and offering a warning when users click on a link suspected of being a scam. The company began developing the feature as a proof of concept back in February and on Wednesday it is being added as part of Lookout’s premium paid service.

“You can browse the web with confidence and we are here to cover your back,” CTO Kevin Mahaffey said in an interview. The company provides basic antivirus and antimalware software for free, with other features such as locating a lost device available as part of the paid service.

Lookout points to a recent study that shows that mobile users are three times more likely to submit their login information on a mobile device as they are from the desktop, where they are better trained and have better tools to determine which links are safe. Many desktop browsers have their own safe-browsing tools with features similar to those Lookout is bringing to Android.

Separately, Lookout is also announcing a deal with Sprint in which its app will be featured from within the Sprint tab of the Android Market as well as within the Sprint Zone app.

Google Discloses China-Based "Hijacking" of Gmail Accounts

Amir Efrati — Wed, 01 Jun 2011 20:42:39 +0000

Google Inc. said hundreds of users of its email service were tricked into sharing their passwords with “bad actors” based in China, potentially further complicating relations between the Internet giant and the country with the highest number of Internet users.

Google, which has blamed China for a previous attack on the company’s computer networks, said its security and abuse detection systems recently discovered that users of its popular Gmail service had fallen for what are called “phishing scams.” Such exploits trick users into sharing their passwords, and that the campaign “appears to originate from Jinan, China” and targeted specific individuals.

Read the rest of this post on the original site »

Worries About Phishing Attacks Rise as Epsilon Data Breach Mess Goes On

Arik Hesseldahl — Wed, 06 Apr 2011 23:01:16 +0000

The collateral damage from the data breach of the email marketing firm Epsilon continues to spread.

I’ve just heard from someone who says they’ve received an email from Crucial.com, the Web retailer of computer memory owned by the chipmaker Micron, that data on its users was compromised. I’ve also heard form customers of Fred Meyer, Fry’s, Brookstone, 1-800-Flowers and the recruiting firm Robert Half International saying they’ve received similar emails.

However, now we’re getting into phase two of this mess. Whoever the original attackers are, they may be starting to carry out phishing attacks against the people whose information was taken from Epsilon. There’s been at least one report out of North Carolina of emails going to customers of a Chase Bank that aren’t really from that bank. Given that phishing attacks are a daily occurrence, however, it’s hard to specifically pin down this one as being related to the Epsilon breach. But the fact that it’s being mentioned at all indicates how much anxiety about phishing attacks has escalated in the days since the breach was disclosed.

It being the height of tax season, Intuit, maker of Turbotax, the most popular tax preparation software on the market, published a security alert to its customers today. Though it’s not an Epsilon customer, it said that–given that so many banks are among those affected–it thought it should offer some tips on how to detect a phishing attack and what to do and not do. Its advice bears repeating: When in doubt, don’t click on links in an email sent by a bank, retailer or other institution.

Meanwhile, shares in Epsilon’s parent company, Allied Data Systems, don’t seem to be feeling any further ill effects from all the negative attention. Its shares finished the day up 38 cents to close at $84.12, and the stock is up about 16 percent since the start of the year. The company was in damage control mode today, saying that it was working with federal authorities and outside computer forensics experts to investigate how the breach happened and who did it and to ensure that additional security measures are put in place to make sure it doesn’t happen again.

And even though Epsilon represented about 22 percent of Allied Data’s revenues last year, the company said that it expects the incident to have “minimal if any impact” on its overall financial performance for the foreseeable future, and that the breach affects only about two percent of Epsilon’s total client base. That may not sound like a large number, but when you consider that Epsilon has about 2,500 clients, and that two percent of that is 50 companies, most of them large, household name companies, it’s hard to minimize the number of people potentially affected. Allied Data’s biggest concern now, it says, is to regain the trust of its clients–that is, the companies on whose behalf it sends marketing email messages.

RSA Explains How It Was Hacked

Arik Hesseldahl — Mon, 04 Apr 2011 14:00:07 +0000

In the end, even computer security companies suffer from the kind of human failings that make securing computers such a challenge. That’s at least one lesson to draw from the explanation from RSA, the company which makes the widely used security tokens like the ones in the picture. It disclosed last month that it had come under an “extremely sophisticated attack,” and that some information concerning the tokens has been taken by unknown attackers.

Initially, it released no details about how the attack was carried out. Now, RSA–which is a unit of storage giant EMC–has gone into some detail concerning how its systems were breached, in a blog post by Uri Rivner, whose title is Head of New Technologies, Identity Protection and Verification. It all started with phishing emails. Over the course of two days, two groups of emails were sent to a small group of employees, none of them high profile, nor apparently especially senior. Though RSA doesn’t spell out who received them, the emails may well have gone to the human resources department or some other quiet corner of the company. The emails contained an Excel spreadsheet attachment entitled “2011 Recruitment Plans.” Naturally it was created to look just believable enough that one of the employees who received it fished it out of the spam folder to which it was initially directed and opened it. You can probably fill in most of the blanks from here.

The spreadsheet contained a Zero-day exploit that took advantage of a weakness in Adobe Flash, which has since been patched. Through that hole, attackers were able to install anything they wanted on the target machine. They chose a version of a program called Poison Ivy RAT, and in this case RAT stands for “remote administration tool,” a program that is used to control one computer from another in a different location.

Armed with remote access to the target machine, the attackers then set about gaining deeper access to RSA’s corporate network. Like a person masquerading as a real employee searching a company’s building for a set of master keys, these attackers carried out a series of attacks designed to escalate the level of access they had to the system. They gathered login credentials from the relatively low-level accounts they compromised at first, including usernames, passwords, and domain information, then went after higher-value accounts with more access.

Once that was done, they started working on the real job: Finding the data they wanted to steal, and then extracting it from RSA’s systems. They gathered what they wanted, collected it in a “staging area,” compressed it, and then downloaded via FTP.

Still unexplained at this point: What information was taken, and does it in any way affect the integrity of its own security products? When the attack was first disclosed, the company said that some information about its SecureID products was taken by the attackers. This has led to a lot of questions and speculation by security pros who naturally have to think about the worst-case scenario, and frankly, there are many for which the adjective “worst” would apply.

The big looming question is whether or not the attacker gained access to the seeds–the random keys embedded in each token–that are used to generate the constantly changing numeric codes that appear on the device’s display. For instance, in one scenario described by David Scheutz of the Intrepidus Group, the attackers might have found a list of seeds and token serial numbers. Once you have the serial number of an individual token, you can then create your own token that would allow you to impersonate that user on whatever systems they use.

That scenario, which is only one of four on Scheutz’s list, is potentially pretty scary. As of 2009, some 40 million RSA tokens were in use securing networks at companies large and small and at numerous government agencies. And aside from the hardware tokens, software that mimics them runs on some 250 million smart phones.

When it first revealed the attack, RSA said it was “confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers,” though it did say it thought the information taken would make attack easier. Hopefully RSA has more to say about all this in the coming days.

Separately, EMC said today it has acquired privately held NetWitness, which specializes in network security analysis. NetWitness provides “precise and pervasive network visibility” which gives companies the ability to detect and cope with “advanced threats” while automating the investigation process. NetWitness will operate within RSA. Financial terms have not been disclosed, but judging by the description of this attack, it seems like a timely acquisition.

Google Apps Adds an Anti-Spam Weapon to Its Arsenal

Arik Hesseldahl — Thu, 06 Jan 2011 17:05:04 +0000

One of the most frustrating aspects of the battle against spam over the last several years has concerned overly aggressive filters. You can be a perfectly innocent person sending a perfectly routine email, yet the spam filter on the other end of the line treats your message as if it came from a dodgy pharmaceutical company in Kazakhstan, and diverts it to the spam folder. There are lots of reasons this can happen, but one of the most common is when those who are actually sending spam falsely place your email address in their “reply” field.

The way to solve that problem, and this is especially true of companies, governments and nonprofits whose domains are often used for the purposes of spamming, is to vouch for the messages you do send, making it easier for spam filters to correctly catch the ones that really are spam.

One widely used method of doing this is by using DomainKeys Identified Mail. DKIM is an industry consortium that over the years has absorbed similar email security work done by Yahoo and Cisco Systems. One key problem is that it’s tricky to put DKIM in place.

Google announced today that its Google Apps customers will get a new feature that easily enables DKIM-certified mail. Google has long supported the DKIM standard, and in 2008 worked with eBay and PayPal to authenticate inbound messages from those domains. Now Google Apps customers can get the same certification. DKIM-signing for outbound messages will be enabled for Google Apps customers who turn on the feature in the “Advanced Tools” tab of their dashboard. Take that, spammers.

Millions of Honda Owners Victims of Yet Another Data Breach

Arik Hesseldahl — Wed, 29 Dec 2010 18:25:38 +0000

Carmaker Honda is warning more than two million of its customers in the U.S. that an email database containing some of their personal information has been stolen.

It’s not yet 100 percent clear if this breach is connected to the recent breach of the email marketing firm Silverpop Systems, but it sure looks that way. Honda was an enthusiastic Silverpop customer as recently as 2009, according to this press release. It’s the same company whose data was breached in thefts of customer data from McDonald’s and deviantArt. A similar incident was reported concerning the drugstore chain Walgreen’s, but it hasn’t been tied specifically to Silverpop.

The list contained the names, login names, email addresses and–get this–vehicle identification numbers of more than two million Honda owners. Another list, this one containing only the email addresses of nearly three million Acura owners, was also taken.

Honda has contacted all the customers via email. The worry is that affected owners, especially those on the list with the VINs, may be targeted for some kind of phishing attack. Imagine getting an email from someone pretending to be your local Honda dealer who correctly identifies the car you just bought and asks you to give up more personal information so that you can get “special offers.”

The Real iTunes Fraud Vulnerability: Gullible Users

John Paczkowski — Mon, 23 Aug 2010 20:55:56 +0000

So these reports of a major security hole in iTunes, one through which people have had their PayPal accounts drained?

Not much to them, I’m told. Or, rather, not much to their assertion that Apple (AAPL) is at fault here. There’s no security hole in iTunes, and if you’ve been unfortunate enough to have hundreds of dollars in unauthorized purchases charged to your iTunes account, it’s likely because you’ve fallen victim to a bot attack or phishing scam–a variation on the one that’s been around for years now. Sources close to Apple tell me iTunes has not been compromised and the company isn’t aware of any sudden increase in fraudulent transactions.

As for an official comment, Apple offers this bit of common sense advice:

“ITunes is always working to prevent fraud and enhance password security for all of our users. But if your credit card or iTunes password is stolen and used on iTunes we recommend that you contact your financial institution and inquire about canceling the card and/or issuing a chargeback for any unauthorized transactions. We also recommend that you change your iTunes account password immediately.”

PayPal declined comment on the issue, but told me that any unauthorized charges sent through its service will be reimbursed.

[Image credit: Ars Technica]

EBay CEO John Donahoe at D8: More Mobile Shopping and Payment Options

John Paczkowski — Wed, 02 Jun 2010 18:25:09 +0000

A few years back, John Donahoe’s position was an unenviable one. As incoming CEO of eBay, he was taking the reins of a company that, while the clear leader in the online auction space, had seen growth stall amid increased competition from formidable rivals like Amazon.com, as well as from upstart auction sites like Etsy. And his first efforts to reinvigorate the company’s business by tweaking its marketplace and auction listings to be more like Amazon’s met with some vociferous blowback from eBay’s core sellers.

But much as they irritated, those changes seem to have had a positive effect on eBay’s business. In its most recent quarter, eBay (EBAY) showed modest growth, narrowly beating analysts’ estimates thanks to some impressive growth in its PayPal online payment business. Add to this Donahoe’s unloading of most of Internet calling service Skype, a much criticized acquisition engineered by his predecessor, Meg Whitman, and his revamp of the company seems to be gaining momentum. But is it enough to reinvigorate eBay’s business and fend off Amazon (AMZN)?

Liveblog

11:31 am: A first question from Walt. You’re viewed by people as a sort of Web 1.0 company, and you’re all about auctions. Today you seem to be morphing into more of a no-haggle auction store, a buy-it-now venture.

Donahoe: We’ll never be a retailer. Initially, eBay started selling long-tail inventory and they sold it in an auction format and that made sense at the time. Today, eBay is 30-35 percent auctions. A lot of the inventory on eBay today is brand new. Now they’re not necessarily the same items you’d get in a retail store….But what you have on eBay that you don’t have anywhere else are items that have been returned or refurbished, items that are cheaper. EBay gives you a choice of inventory.

11:36 am: Walt–Do consumers get that? Do they understand that you’re only 30 percent auctions now?

Donahoe says they do. “I think perception does lag reality; I think there’s more inventory than people are aware of, but we’re correcting that….What eBay is very good for is if you have bulk inventory, we’re a good way to get rid of it.”

11:37 am: Walt asks about eBay’s other businesses: PayPal and Skype. Skype seems to be bigger than ever these days. Why couldn’t you make that work?

Donahoe says Skype is a fantastic business. But the challenge was one of focus. “In the Internet today, you can’t be all things to all people….And we didn’t have synergies with Skype…so we sold a portion of it.”

Walt–Well if there wasn’t synergy, why did you buy it?

Donahoe says that at the time eBay made the purchase there appeared to be synergies and the company hoped to make good use of its technology, but that didn’t quite pan out. “I’m not sorry we made the acquisition,” he said. “And I’m not sorry we divested it either.”

11:41 am: What’s the point of PayPal, asks Walt.

Donahoe: What PayPal’s done is to provide consumers with a safe way to make purchases online.

Walt jumps in and notes that it’s just as easy these days for people to use their credit cards. So why bother with PayPal?

Donahoe notes that things like cash and credit cards can be lost. PayPal cannot. “It’s a digital wallet,” he says, adding that he expects mobile payments to come into broad use within the next three years.

11:44 am: Continuing his riff on PayPal, Donahoe talks about the PayPal iPhone app, which allows people to “bump” payments to one another. “I think the idea of the digital wallet will facilitate digital commerce growth and PayPal’s growth as well.”

11:46 am: Walt–How big is your phishing problem? I get emails fairly often warning me that my PayPal account is in trouble for some reason. You are the target of a lot of phishing, aren’t you?

Donahoe: Phishing was an issue for eBay a few years ago. But over the last five years, we invested quite a bit of money fighting it, and I think we’ve done a good job.

11:48 am: Walt–So who’s your main competitor?

Donahoe says the usual suspects–Amazon, Etsy, Wal-Mart (WMT).

11:49 am: Donahoe–Wal-Mart is the largest offline retailer in the world. Costco (COST) competes in the exact same segment with the exact same business model very successfully. So does Target (TGT). The same thing can happen online. Amazon can be successful and eBay can be successful, too.

11:50 am: Is the iPad another big platform for you, Walt asks.

“I think more devices are becoming part of the shopping experience,” says Donahoe. The line between online and offline is blurring and I think these new devices are enabling that. He adds that he thinks eBay’s iPad app is the best eBay experience he’s seen to date.

11:52 am: A quick poll of the audience–Who has an iPad? Quite a few folks, evidently.

11:53 am: Walt–You say the iPad app is the best eBay experience, but this is a new device. You’ve been on the Web for years. Why isn’t that the best experience.

Donahoe: The core eBay Web experience–in the last few years we’ve gone from a [score of] 2 to a 4. But we’ve still got a long way to go, and we’re still focused on making it the best eBay experience in the world. But these new devices allow us to start over and make new customized applications that help us serve users in the way that they want to shop.

11:55 am: Why so much focus on fashion?

Donahoe says eBay is the largest seller of fashion in the world. What we’re doing is driving more vertical shopping experiences on eBay, he adds. We’re trying to offer more customized experiences in different categories.

11:56 am: Walt asks about StubHub. There’s a lot of controversy over the secondary ticket market.

Donahoe: StubHub is a marketplace. It never buys tickets. What it’s doing is enabling season ticket holders to resell the tickets they aren’t using. Sometimes for above-market prices, sometimes for below-market prices. What StubHub has done that the scalper market never could, is that it’s completely transparent. You know who the buyer is, who the seller is, and StubHub guarantees every purchase. It provides complete transparency.

Q & A

Q: Can you talk about PayPal’s role in paying for content?

A: Digital is going to be a big opportunity for PayPal. If you go on Facebook, you can buy game credits with PayPal. In the media world, we’ll have payment solutions such that content providers can have a PayPal button on their content and people can use it to purchase it. It will provide a seamless experience inside the content itself. Digital’s going to be a big opportunity.

Q: What do you tell sellers who feel they’re being nickel-and-dimed by eBay’s many fees?

A: I think for years, eBay was nickel and diming. But over the past few years, we’ve restructured our fees. Today, consumers can list for free and businesses can list in the fixed-priced format. We’ve tried to simplify and streamline our pricing. We’re still cheaper than Amazon.

Q: Why do my PayPal purchases default to my bank account when I’d like to use my credit card? Will you move toward a model where consumers can choose how they pay through PayPal?

A: Consumer choice is important to us, says Donahoe, adding that the vision is to offer multiple means of payment.

A note about our coverage: This liveblog is not an official transcript of the conversation that occurred onstage. Rather, it is a compilation of quotes, paraphrased statements and ad-lib observations written and posted to the Web as quickly as possible. It is not intended as a transcript and should not be interpreted as one.

Start-Up Hopes to Stop Phishing With Certified Email

Ben Worthen — Tue, 13 Apr 2010 12:00:09 +0000

The number and sophistication of phishing attacks–scam emails that appear to be from the IRS or a Nigerian prince–has made it difficult for banks and other businesses to use email to communicate with customers. In an effort to reclaim the channel, several financial institutions and email providers are working with a startup to implement an authentication service for electronic messages.

The startup, eCert, confirms that an email is from the company it says it’s from. The company maintains a list of every server that participating organizations send emails from and shares the information with Google (GOOG) and Yahoo (YHOO), which operate popular email services. If a server isn’t on the list, messages from it don’t get through. The company also has other ways of testing an email’s authenticity, as well.

“We can now verify that a message came from a domain,” says Kelly Wanser, eCert’s CEO.

Read the rest of this post on the original site

Twitter: We Reset Some Passwords as Security Measure

John Paczkowski — Tue, 02 Feb 2010 13:31:23 +0000

According to Sophos’s 2010 Security Threat Report, there has been a dramatic rise in attacks on social networks in the past year. So reports this morning from a number of Twitter users claiming they’ve received an email from Twitter asking them to reset their passwords after a suspected phishing attack are certainly cause for concern–either because they have indeed fallen victim to a phishing attack or because they’re about to fall victim to one by following the email’s instructions (see text below; click to enlarge).

Certainly, it’s difficult to determine if the email is genuine. After all, its subject line is “Please change your twitter password,” and conventional wisdom is to never click a password-reset link in an email. That said, Twitter users who received it and followed its instructions have regained access to the service after being locked out.

So, if you’ve received such an email, tread carefully.

As of this writing, Twitter has not commented on these reports on its blog or status page, though that doesn’t necessarily mean anything. In any event, I’ve asked the company for an explanation and will update here if and when I receive one.

UPDATE: Twitter just sent me the following comment:

As part of Twitter’s ongoing security efforts, we reset passwords for a small number of accounts that we believe may have been compromised offsite. In one case, a number of accounts posted updates indicative of giving their username and password to untrusted third parties. While we’re still investigating and ensuring that the appropriate parties are notified, we do believe that the steps we’ve taken should ensure user safety. We’ll continue provide updates as warranted at @safety and @spam. We do, as always, encourage our users to read our help pages on what to do if your account is compromised: http://twitter.zendesk.com/forums/10713/entries/31796 and how to stay safe on Twitter: http://twitter.zendesk.com/forums/10711/entries/76036.

[Image credit: Andrew R.H. Girdwood]

"Phishing" Scams Cast Net on Mobile Banking

Aleksandra Todorova — Mon, 01 Feb 2010 13:00:40 +0000

The next generation of “phishing” scams, focused on mobile banking, has begun, and it has the potential to do much more damage than earlier versions.

As mobile-banking applications have increased in popularity, so has the risk of downloading and installing a fraudulent app that could draw your account information and, potentially, any other data stored on your mobile device.

The trend still is in its infancy, but there already have been instances of potential fraud. In December, Google Inc. (GOOG) pulled 50 applications from its Android Market online app store in response to concerns that they may be malicious. All the apps were uploaded by the same developer and claimed to offer access to bank accounts from a wide variety of institutions, from big companies like J.P. Morgan Chase & Co. (JPM), HSBC Holdings PLC, U.S. Bancorp (USB), USAA and ING Groep NV to local credit unions.

Read the rest of this post on the original site

Hotmail Phishing Attacks Spread to Other Email Services

Andrew LaVallee — Tue, 06 Oct 2009 19:16:11 +0000

Phishing attacks that affected customers of Microsoft’s (MSFT) Hotmail Monday have compromised more than 30,000 email accounts, including those of Gmail, Yahoo (YHOO) Mail and other services.

Microsoft blamed phishing, in which cybercriminals try to trick consumers into revealing personal information through fraudulent emails, for a list of Hotmail account passwords that appeared online. The company recommended Hotmail customers change their passwords and said it’s helping phishing victims fix compromised accounts.

But security firms and the BBC said Tuesday that the attack extended to other services, including those run by Google (GOOG) and Yahoo as well as AOL, EarthLink (ELNK) and Comcast (CMCSA).

Read the rest of this post on the original site

Liveblogging the Facebook Our-ToS-Is-Your-ToS Press Conference

Kara Swisher — Thu, 26 Feb 2009 19:14:56 +0000

BoomTown is impatiently cooling heels, waiting for a press conference to begin about “new steps Facebook is taking to improve user understanding and ownership of the Facebook terms of service and, more generally, the policies of the Facebook service.”

The Yahoo (YHOO) reorg finally announced this morning is positively thrilling in comparison!

But we’re liveblogging it anyway!

Here’s what I got in the morning mail:

Hi Kara–

You are invited to participate in a press conference call with Mark Zuckerberg today at 11am PT where he will announce the new steps Facebook is taking to improve user understanding and ownership of the Facebook terms of service and, more generally, the policies of the Facebook service.

For more and future updates we encourage you to join the Facebook Group called the Official Group for Media & Analysts Following Facebook.

Also this:

Subject: Facebook Opens Governance of Service and Policy Process to Users

Today we’re announcing new opportunities for users to play a meaningful role in determining the policies governing our site. We released the first proposals subject to these procedures–The Facebook Principles, a set of values that will guide the development of the service, and Statement of Rights and Responsibilities that governs Facebook’s operations. Users will have the opportunity to review, comment and vote on these documents over the coming weeks and, if they are approved, other future policy changes. We’ve posted the documents in separate groups and have invited users to offer comments and suggestions. You can find these groups here:

Facebook Principles

http://www.facebook.com/group.php?gid=54964476066

Statement of Rights and Responsibilities

http://www.facebook.com/group.php?gid=67758697570

For more information and the full press release, please check out the recent news section of this group.

As always, you can feel free to email us with any questions at press@facebook.com

Thanks,
The Facebook Team

11:11 am:

Facebook PR honcho Elliot Schrage opens up the conference, but I am honestly only hear: “Blah, blah, blah.”

Then, Facebook Founder and CEO Mark Zuckerberg comes on.

“Openness and transparency is not just an end state,” he said. “It’s also a process.”

Say what, Willis?

Soon Zuckerberg is explaining how he wants to craft Facebook’s rules of the road going forward. It’s like being at the Constitutional Convention, except for geeks.

Alert! Comment! Notify! Transparency! Oversharing!

11:17 am:

“We want to be as clear as possible that we do not own user data,” said Zuckerberg. “We feel really bad about that.”

Us too!

11:21 am:

I get to ask the first question, which is about how this whole mess happened.

Zuckerberg said Facebook had made previous changes all the time to its Terms of Service to complex legal documents. This time, in trying to make them simpler, “we made a few mistakes,” which in turn set off a firestorm.

Ah, the mistakes-were-made defense!

“A lot of the feedback was fair,” acknowledged Zuckerberg, who then talked about the new notification and feedback and comments options, so it will not happen ever again. Except next month.

Also, there will be a vote. Well, only on some issues that get people all hot and bothered, presumably. But who decides what gets voted on and who wins the vote?

Unclear. But vote early and often.

But, said Schrage: “We underestimated the sense of ownership” that Facebook users have for the service.

11:25 am:

A question about whether or not Facebook should have known better after its Beacon advertising debacle.

Not the same thing, said Zuckerberg. But point taken!

11:27 am:

More legal stuff. Zzzzzz.

Then a question on phishing scams. Off topic! Schrage cuts it off tout de suite. Sorry, fella, but this is about one screw-up at a time.

Another shouldn’t-you-have-known-better related question, referring back to the News Feed debacle of 2007. That was before the Beacon debacle of 2008. Which was before the ToS debacle of 2009. (Is anyone noticing a pattern here?)

In other words, Facebook should have known better.

Radical transparency, said Zuckerberg: “This is all about us trusting our users.”

He might start that ball rolling by not sneaking up on us all the time.

11:33 am:

More about rules of the road. More about the transparent community.

Zuckerberg is now fully channelling Casper the Friendly Ghost.

Call ends.

Boo!

Facebook Slow to Respond to Phishing Scam

Marisa Taylor — Thu, 22 Jan 2009 21:00:29 +0000

The latest phishing scam on Facebook has raised the question yet again as to whether the social-networking site is dropping the ball on security measures and properly responding to privacy complaints.

Facebook faced consumer fraud charges in 2007 for allegedly responding too slowly to user complaints about harassment, pornography or nudity from the social-networking site. The probe into the company’s safety procedures by New York state Attorney General Andrew Cuomo resulted in a settlement requirement that Facebook respond to such complaints within 24 hours.

But in a recent string of phishing attacks in which hackers have broken into a user’s Facebook account and hit up his or her friends for money with the online chat tool, pretending to be stranded or robbed, complaints have emerged that the privacy team at Facebook hasn’t responded to users in a timely manner.

Read the rest of this post

Twitter Off to a Rough 2009

Ben Worthen — Tue, 06 Jan 2009 20:38:01 +0000

You might be familiar with phishing attacks, those messages sent by criminals that look like they’re from a bank or Nigerian prince. But what about Twishing?

The term may enter the tech lexicon this week, thanks to an attack targeting the Web site Twitter, which runs a popular service that lets people share short updates about what they’re doing. (Blame Brian Krebs of the Washington Post if it sticks.) Over the weekend, cyber baddies sent phishing messages via Twitter’s service to other account holders. The message directed people to a Web site that looked like Twitter’s homepage, but was really operated by the bad buys. As people logged in to the fake Twitter site, the bad guys captured their user names and passwords. Twitter warned account holders Saturday about the scam in a post on its blog, and advised those concerned to change their passwords.

Read the rest of this post

How to Avoid Cons That Can Lead to Identity Theft

Walter S. Mossberg — Thu, 01 May 2008 00:01:00 +0000

When most people think about Internet security problems, they focus on viruses and spyware — technological attacks that can usually be mitigated by technological defenses. But the most insidious Internet security problems today rely on human gullibility, not tricky software. While technological defenses can help you fend off these newer types of attacks, your best weapons against them are common sense, alertness, and careful email and Web-surfing practices.

These types of attacks are called “social engineering,” and they are used by criminals to steal your money and identity, and to plant on your computer malicious software that can be used to keep ripping you off. Social engineering is the online equivalent of an old-fashioned con game, in which a crook frightens people with false warnings, or tempts them with false promises, and then robs them.

[ See post to watch video ]

While viruses and spyware overwhelmingly afflict Microsoft’s (MSFT) Windows users and spare users of Apple’s (AAPL) Macintosh computers, social-engineering schemes can ensnare Mac users as well. There’s nothing inherent in Macs that makes their owners more resistant to falling for social-engineering scams.

The most common form of social engineering is called phishing, a one-two punch using both email and Web browsing to trick people into typing confidential information into Web sites that look like the sites of real companies, especially financial institutions. But these phishing sites are actually skillfully designed fakes that transmit your sensitive data to criminals, often in distant countries. Once these creeps have your passwords and account numbers, they can loot your funds and steal your identity.

Here are some tips to help you avoid being the victim of social engineering, updated from a similar column I wrote in 2006. It includes information on some antiphishing software that wasn’t available back then. But remember: Security software alone can’t save you from scams.

1. Never, ever click on a link embedded in an email that appears to come from a financial institution, even if it’s your own bank or brokerage and even if it looks official right down to the logo. The same goes for payment or auction services, like PayPal or eBay (EBAY). Don’t do this even if the email asserts that your account has a problem, or that the bank has to verify your information. And certainly don’t enter any passwords, Social Security numbers or account numbers directly in an email.

These types of emails are almost always fakes, and the links they contain almost always lead to phony Web sites run by criminals. The only exception might be a confirmation email from a brokerage firm concerning a trade you know you made minutes before. Even legitimate-looking addresses in emails or in the address bar of Web browsers can be fakes that hide the crooks’ true Web addresses. The lock icon on a Web site can also be falsified.

If you are truly worried about your account, call the bank or company, or go to its Web site by manually typing in its address or by using a well-established bookmark in your browser that you created yourself.

2. Don’t click on links to offers for free software or goods that you receive in an email, especially from a sender or company you’ve never heard of.

3. Never download software from unfamiliar Web sites unless you are absolutely sure you need it and it’s legitimate. Even if it claims to be a useful program, it may very well be a malicious application like a “key logger,” which can report back to crooks everything you type into your computer. If you really want the program, do a Web search on it first, to see if others have reported it as a malicious fake.

4. If a Web site tells you that you need to download special viewing software to see its videos, don’t do it. Even if it claims to be giving you legitimate viewing software, like Microsoft’s Silverlight, Adobe’s (ADBE) Flash or Apple’s QuickTime, don’t download it there. Go to the official Microsoft, Adobe or Apple Web sites to get these viewers.

5. Use a Web browser, like Internet Explorer 7 on Windows, or Firefox 2.0 on Windows or Mac, that includes built-in features to warn you about, or block access to, known phishing sites. The next versions of these two browsers will have even stronger features that will detect sites that are not only fake, but which are known to distribute malicious software.

Unfortunately, the third major browser, Apple’s otherwise excellent Safari for Mac and Windows, lacks any such antiphishing detection, though I expect Apple to add the feature in a future version. So, for now, Mac users worried about phishing should rely on Firefox.

6. Consider security software that tries to detect and block phishing sites. McAfee’s (MFE) free Site Advisor and paid Site Advisor Plus products do a good job. Symantec (SYMC) has similar features built into its large security suites, Norton 360 2.0 and Norton Internet Security 2008.

7. Educate yourself by reading about social engineering and phishing and how to avoid being a victim. Microsoft has a very good guide at: microsoft.com/protect/yourself/phishing/identify.mspx and Symantec has one at: symantec.com/norton/clubsymantec/library/article.jsp?aid=cs_phishing.

Follow these tips and you’ll be a happier — and safer — surfer.

Find all of Walt Mossberg’s columns and videos online, free, at the new All Things Digital Web site, http://walt.allthingsd.com.

Email him at mossberg@wsj.com.

In Related News, PayyPall.comm Has Endorsed Safari for Exactly the Same Reason

John Paczkowski — Fri, 18 Apr 2008 21:24:26 +0000

“There is of course, a corollary to safer browsers–what might be called ‘unsafe browsers.’ … Letting users view the PayPal site on one of these browsers is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts.” This according to PayPal (EBAY) Chief Information Security Officer Michael Barrett, who says the company plans to block browsers that lack anti-phishing features and support for EV (extended validation) certificates.

In the interest of public safety, of course. Among those browsers, older versions of Microsoft’s (MSFT) Internet Explorer and Firefox and, presumably, all versions of Apple’s (AAPL) Safari browser that PayPal recently cautioned users against. “Apple, unfortunately, is lagging behind what they need to do to protect their customers,” Barrett said this past February. “Our recommendation at this point, to our customers, is use Internet Explorer 7 or 8 when it comes out or Firefox 2 or Firefox 3, or indeed Opera.”

UPDATE: PayPal now says it never planned to block Safari.

PayPal is developing features to block customers from logging in to PayPal when using obsolete browsers on outdated or unsupported operating systems. An example of such a browser/OS combination might be, for example, Internet Explorer 4 running on Windows 98. In doing so, we better protect our customers from viewing a phishing site through their browser. We have absolutely no intention of blocking current versions of any browsers, including Apple’s Safari, from our Web site.”

So to recap:

PayPal Chief Information Security Officer Michael Barrett warns against using Safari.
PayPal publishes a paper, authored by Barrett, saying the company will soon protect users against unsafe browsers that lack phishing protections like blacklists, anti-fraud warning pages and Extended Validation SSL Certificates.
Safari lacks these protections.
PayPal says: Go ahead and use Safari. We have absolutely no intention of blocking it. But God forbid, don’t use IE4 on Windows 98.

Know what IE4′s share of the browser market was in 2007?

0.01%.

I’d imagine its share of the market on Windows 98 machines in 2008 is quite a bit less than that. You might as well warn against using IE4 on MS-DOS.

Microsoft Upgrades Internet Explorer -- But Not Much Is New

Walter S. Mossberg — Thu, 19 Oct 2006 00:01:00 +0000

Microsoft’s Internet Explorer Web browser is one of the most-used software products in the world. It is the main tool through which most computer users view the entire Internet.

But IE hasn’t had a significant overhaul in five long years. That has allowed competitors like Mozilla’s Firefox and Apple’s Safari to leap ahead in terms of features. In fact, many of the savviest Web users have abandoned IE in recent years, partly because of the growing feature gap and partly because of IE’s persistent security problems.

Now, finally, the software giant has produced a major new version of the browser, called IE 7. It’s a fundamental rewrite, especially in the areas of user interface and underlying security.

But competitors haven’t been standing still. Mozilla is almost done with its Firefox 2.0, a more minor update of its browser than Microsoft’s undertaking.

I have been testing IE 7, and I agree with Microsoft that it’s much improved. If you are a confirmed IE user, upgrading to this new version makes perfect sense, because it is likely to be more secure and its new features make Web browsing better. But if you are already using Firefox, IE’s main competitor, I see nothing in IE 7 that should make you switch. It’s mostly a catch-up release, adding to IE some features long present in Firefox and other browsers. The one big feature in IE 7 that wasn’t already in Firefox, a built-in detector that warns against fraudulent Web sites, is being added to Firefox in version 2.0.

The new Internet Explorer, which is free, runs only on the latest revision of Windows XP and the forthcoming Windows Vista operating system, while Firefox offers nearly identical versions for Windows, Macintosh and Linux computers. IE 7 will be offered automatically to Windows XP users — gradually over the next few months — via the Windows update program. Microsoft will also make it available for manual download.

The biggest change in the new IE is tabbed browsing, the ability to open multiple Web pages in a single window, and to switch among them by clicking on tabs at the top of each page. This allows you to quickly scan a whole bunch of Web sites at once. It’s especially useful if you group bookmarks (which Microsoft calls Favorites) into a folder, and then open all the pages in the folder at the same time.

In my view, tabbed browsing is the best improvement to Web browsers in years, and it has long been built into Firefox, Safari and other browsers. Microsoft’s implementation is OK, but is curiously inconsistent. You can open all of the sites in any folder in your Favorites list in tabs, with a single click. But this works only if you are viewing your Favorites in a side panel at the left of the screen. If you have a folder of Favorites in the Links toolbar at the top of the screen, as many power users do, there’s no way to open all of the pages it contains with one click, as you can do in Firefox.

The other big change in IE 7 is that there is now a search box built into the user interface itself, which allows you to perform searches without first navigating to the home page of the search service. You can choose which search engines this feature uses. Again, this feature is old news for Firefox and Safari users, but it should eliminate the need for add-on toolbars, like those offered by Google and Yahoo.

The overall interface of IE has also been cleaned up and simplified. The menus are now hidden, and the little animated flag in the upper right-hand corner is gone. You can make the menus appear if you like, and you will need to do so to get to some features, such as the screen that lets you organize your Favorites.

The only really notable new interface feature in IE 7 is something called Quick Tabs, which lets you view, on one page, thumbnails of all the pages you have open in tabs. You can quickly switch among them, or close any of them, from this view. It’s very nice, but reminiscent of an Apple feature called Exposé.

On the security and privacy front, Microsoft says it has made many changes under the hood to harden IE against hackers and the authors of malicious software. The browser now warns you when you are at a Web site that may be a fake (called a phishing site) and moves you off that page unless you insist on going back to it. There is also a much easier way to clear out all traces of your Web activity, another catch-up feature.

But the most important new security feature in IE 7 — something called Protected Mode, which stops Web sites from changing your computer’s important files or settings — will work only in the new Vista version of Windows, due next year, not in Windows XP.

Ironically, the improved security in the new version may erode IE’s greatest strength: its broad compatibility with Web sites. Some sites may not work properly in IE 7 because techniques they used are blocked by the new security features.

In addition to matching IE 7′s antiphishing warning feature, Firefox 2.0 will feature a spell checker, a system for suggesting popular search terms, and a way to resume where you left off after a crash, among other things.

The new Internet Explorer is a solid upgrade, but it’s disappointing that after five years, the best Microsoft could do was to mostly catch up to smaller competitors.

Email me at mossberg@wsj.com.