Thursday, June 19, 2008

The application of 3rd party certification programme in Malaysia: VeriSign


VeriSign helps companies and consumers engage in trusted communications and commerce. It is the leading Secure Sockets Layer (SSL) Certificate Authority, enabling secure e-commerce, communications and interactions for websites, intranets and extranets.

VeriSign secures more than 1 million web servers worldwide and markets itself as the most trusted mark on the Internet. The world's 40 largest banks and over 93% of Fortune 500 companies use VeriSign SSL certificates, as do sites such as eBay, PayPal, Pioneer and PC World.

The key to successful e-commerce is gaining the trust of online customers, because trust is what turns visitors into sales and profit; an e-commerce business therefore has to raise customer confidence at the moment of the transaction. Online shoppers typically worry about credit card fraud, identity theft, the sharing of their personal information and spyware, and fraud and identity theft have had a chilling effect on e-commerce. For example, 65% of online consumers shop only at sites they already know and trust, and 65% of online shoppers have abandoned an online purchase because they did not trust the transaction.

Secure Sockets Layer (SSL) protects a website and makes it easy for visitors to trust it. An SSL certificate enables encryption of sensitive information during online transactions and contains unique, authenticated information about the certificate owner; the Certificate Authority verifies the owner's identity before the certificate is issued.


How does SSL work?
(1) An SSL certificate establishes a private communication channel by enabling encryption of data in transit: once a message is encrypted it is sealed in an envelope that only the intended recipient can open. Each SSL certificate is bound to a key pair. The public key is embedded in the certificate; in the RSA key exchange common at the time, the browser uses it to encrypt the secret from which the session key is derived, and the private key, which never leaves the server, is the only thing that can decrypt it. That symmetric session key is what then encrypts the actual traffic. When a web browser connects to a secured domain, the SSL handshake authenticates the server (the website) and, if client certificates are in use, the client (the web browser).

(2) Every VeriSign SSL certificate is issued for a particular server in a specific domain to a verified business entity. During the handshake the browser receives the certificate from the server; the user can inspect that authentication information by clicking the closed padlock in the browser window or an SSL trust mark. In high-security browsers the authenticated organization name is prominently displayed and the address bar turns green when an Extended Validation (EV) SSL certificate is detected (browsers have since dropped the green bar, but the organization name still appears in the certificate details). If the name in the certificate does not match the domain, the certificate has expired, or it does not chain to a trusted CA, the browser displays an error message or warning.

(3) The SSL certificate is issued by a trusted source known as a Certificate Authority (CA). Before issuing, VeriSign verifies that the business exists, that it owns the domain name and that the applicant is authorised to request the certificate. VeriSign Extended Validation SSL certificates meet the highest standard in the Internet security industry for website authentication: the address bar of a high-security browser turns green and shows the name of the organization that owns the certificate.
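The checks in steps (2) and (3) are easy to see in code. The Python below is an added example, not VeriSign's or any browser's code: it models a server certificate as a small constructed record and applies the name-matching, validity-period and trusted-issuer checks a browser performs before it shows the padlock. The Cert record, the sample certificate, the wildcard rules and the issuer name "Example Trusted CA" are assumptions made for illustration; a real client also verifies the signature chain and revocation status, which this example omits.

```python
"""Added example (not VeriSign's or any browser's code): the identity
checks a browser applies to a server certificate before showing the
padlock.  Certificates are modelled as a constructed record; a real
client also verifies the signature chain and revocation status."""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass
class Cert:
    """Minimal stand-in for the X.509 fields the checks below need."""
    subject_cn: str          # Common Name in the Subject field
    san_dns: list            # dNSName entries of subjectAltName (may be empty)
    not_before: datetime
    not_after: datetime
    issuer: str              # name of the CA that signed the certificate


def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' is accepted only
    as the entire leftmost label and never matches across a dot, so
    '*.shop.example' covers www.shop.example but not shop.example or
    a.b.shop.example, and a bare '*.example' is rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """subjectAltName is authoritative; the CN is only a fallback when the
    certificate carries no SAN.  An IP literal never matches a dNSName."""
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass
    names = cert.san_dns or [cert.subject_cn]
    return any(_name_matches(n, hostname) for n in names)


def check_certificate(cert: Cert, hostname: str, trusted_issuers, now=None):
    """Return the problems a browser would warn about; [] means accept."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append("name mismatch")
    if now < cert.not_before:
        problems.append("not yet valid")
    if now > cert.not_after:
        problems.append("expired")
    if cert.issuer not in trusted_issuers:
        problems.append("untrusted issuer")
    return problems


# Constructed sample: a one-year certificate for a shop, issued by an
# assumed CA named "Example Trusted CA".
SAMPLE_CERT = Cert(
    subject_cn="www.shop.example",
    san_dns=["www.shop.example", "*.pay.shop.example"],
    not_before=datetime(2008, 1, 1, tzinfo=timezone.utc),
    not_after=datetime(2009, 1, 1, tzinfo=timezone.utc),
    issuer="Example Trusted CA",
)
TRUST_STORE = {"Example Trusted CA"}


def demo(hostname: str, year: int = 2008):
    """Evaluate SAMPLE_CERT for a hostname as seen on 19 June of `year`."""
    when = datetime(year, 6, 19, tzinfo=timezone.utc)
    return check_certificate(SAMPLE_CERT, hostname, TRUST_STORE, now=when)


if __name__ == "__main__":
    for host in ["www.shop.example", "cart.pay.shop.example",
                 "www.shop.example.evil.example", "192.0.2.10"]:
        print(f"{host:35} {demo(host) or 'OK'}")
    print("after expiry:", demo("www.shop.example", 2010))
```

The look-alike host www.shop.example.evil.example is the case phishers rely on: the certificate for the real shop does not cover it, so the browser warns, which is why the name check matters as much as the encryption.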

Using VeriSign certificates helps improve customer trust and confidence: visitors feel more secure making a transaction and can confirm the identity of the website owner.

For more information, please refer to http://www.verisign.com/

The information above is adapted from http://www.verisign.com/

Monday, June 16, 2008

HOW TO SAFEGUARD OUR PERSONAL AND FINANCIAL DATA?

Personal and financial data are important to an individual. If they are stolen, the thief can abuse them for illegal transactions. We must therefore be careful to protect these data and aware that any of us could be the next victim. The following are some tips I would like to share to help you safeguard your personal and financial data:


  • Use a credit card with a small limit for online purchases. There is always a chance that a dishonest sales clerk, or a merchant whose systems are compromised, will misuse your card information; if the card you use for these purchases has a low limit, at least a thief cannot run up a large bill in one go.

  • Review your monthly statements. Keep your receipts and check your account statements thoroughly as soon as they arrive, so the next time you go shopping, remember to put the receipts in your wallet. Reviewing your statements not only alerts you to possible fraudulent charges; you may also find legitimate charges for services that are redundant or no longer necessary.

  • Don't use the same password everywhere. Most people reuse one password. If you routinely use the same e-mail address and password everywhere, a single stolen combination lets the thief into every account you hold.


  • Avoid saving credit card details on shopping sites. Most websites today, such as Amazon, eBay and Orbitz, give buyers the option to save their credit card information so they need not retype it for every purchase. That is great for the merchant (easy money and more sales), but it also means your card and bank account numbers sit in their database, where a breach can expose them. Retyping your details takes an extra minute; it is better not to store them on any shopping site.

  • Keep your personal and sensitive data off your computer. Try your best to keep bank account numbers, passwords and the like off your hard disk. If you want them in electronic form for easy access, store the files on a flash drive or pendrive, keep it in a safe place and plug it in only when you need to refer to them. Encrypt the drive as well: a lost pendrive full of plaintext account numbers is an easier target than the computer it came from.

  • Choose your PIN wisely. You want something you will remember, but not something a clever thief could work out just by learning your birth date or your child's name. For a numeric PIN, avoid dates, phone numbers and sequences like 1234; for a password, a long mix of uppercase and lowercase letters, numbers and symbols offers more security.


  • Protect your computer's security. Use as many tools as you can (anti-virus software, anti-spyware tools, firewalls and passwords) to guard the information on your computer from being stolen by a hacker.


  • Always think before providing information when solicited. If you ever get an e-mail asking for personal information, go to the website yourself by typing its address manually, and provide only the information that is strictly necessary. The fact that a website exists does not mean it is legitimate! If you have never heard of the site before, type its name into Google and see whether anything like "XXX IS A SCAM" pops up.


  • Keep your e-mail private; use encryption. Many people regard e-mail as an insecure medium, and rightly so, because e-mail can easily be accessed and read by unintended third parties in transit or on the mail server. Technologies exist that let you encrypt your messages before you send them, which protects your privacy.



  • Turn your computer off or put it on standby when you are not using it. If the computer is not on, what can a hacker, virus or anything else possibly do? Nothing. A sleeping machine is nearly as good, provided it asks for a password when it wakes up. So shut down, or put your computer to sleep, when you are not there.


  • Don't trust threats. Your bank will never contact you by e-mail with a threat of legal action or a warning of a security breach, nor will it offer you a way to earn money by e-mail. If an e-mail threatens action, assume it is bogus. If you are still not convinced, call the business that supposedly sent it, using the number on your card or statement rather than one from the e-mail, and ask for customer service; the operator can tell you your real account status and put your mind at ease.

  • Lock your computer at home and at the office. When people go out for lunch, most office computers are simply left on without a password-protected screen saver, which makes it easy for a co-worker to sit down and look through your data. Lock your computer, or put a password on your screen saver, whenever you step away.

  • Don't use the same usernames. It is also wise to use different usernames where possible. Pick a unique username for your bank, eBay, your credit card company's site and any other website that holds your personal financial data.

Failing to protect your data is just as bad as leaving your door unlocked, your windows wide open, and a sign on the mat, saying, "Burglars, come on in."

No need to make the thieves' jobs any easier. Though they're not foolproof, these simple tips will help ensure that your personal and financial data is a whole lot safer.



---------->prepared by: Lyon :)

Phishing

The word "phishing" first emerged in the 1990s. Early hackers often replaced "f" with "ph" to coin new words in the hacker community, a habit inherited from phone phreaking.

Phishing is a word derived from "fishing". It refers to an attacker luring users to a fake website by sending them forged e-mails (or instant messages) and quietly collecting personal information such as user names, passwords and national identity or social security numbers. That information can then be used for targeted advertising or for identity theft (e.g. transferring money out of the victim's bank account).


In general, a phishing attack is carried out in the following four steps:

  1. Phishers set up a counterfeit website that looks exactly like the legitimate one: they set up a web server, register a look-alike domain name, and copy the target site's web pages.

  2. They send large numbers of spoofed e-mails to target users in the name of the legitimate company or organization, trying to convince potential victims to visit the fake site.

  3. Recipients open the e-mail, click the spoofed hyperlink and enter the requested information.

  4. The phishers collect the personal information and commit their fraud, such as transferring money out of the victims' accounts.

Although attackers have methods for phishing users, users also have several (technical and non-technical) ways to prevent it:

  1. Educate users to understand how phishing attacks work and to be alert when phishing-like e-mails arrive;

  2. Use legal means to punish phishing attackers;

  3. Use technical means to stop phishing attacks. Here we focus only on the third. Technically, if we can cut off one or more of the steps a phishing attack needs, we prevent that attack.

In what follows, we briefly review these approaches.

Detect and block the phishing Web sites in time:

  • If we can detect phishing websites in time, we can block them and prevent the attack before victims hand over their data.

Enhance the security of the web sites:

  • Business websites, such as those of banks, can adopt new methods to protect users' personal information. One method is to use hardware devices. For example, Barclays bank gives its customers a hand-held card reader: before shopping online, the user inserts the bank card into the reader and enters the PIN, the reader produces a one-time password, and the transaction proceeds only after the correct password has been entered. A password stolen by a phisher is therefore useless by the time it is replayed.

  • Another method is to use biometric characteristics (voice, fingerprint, iris, etc.) for user authentication. For example, PayPal has experimented with replacing single-password verification with voice recognition to strengthen the security of its website.
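The card reader in the Barclays example produces an event-based one-time code. The Python below is an added illustration, not Barclays' or VeriSign's code and not the EMV CAP algorithm the real reader uses; it implements the simpler HOTP scheme from RFC 4226 (HMAC-SHA1 over a counter, truncated to six digits), which rests on the same idea: a secret shared between token and bank, a counter that only moves forward, and a server that refuses to accept a code twice. The shared secret (the RFC's own test value) and the look-ahead window are assumptions.

```python
"""Added example: an event-based one-time password (HOTP, RFC 4226) with the
server-side verifier.  Not the EMV CAP algorithm used by bank card readers;
the shared secret and look-ahead window below are assumptions."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Bank side: shared secret, next expected counter, look-ahead window.
    A code is accepted at most once and never for a counter already passed,
    which is what stops a code captured by a phisher from being replayed."""

    def __init__(self, secret: bytes, window: int = 5):
        self.secret = secret
        self.counter = 0          # next counter value we will accept
        self.window = window      # tolerate a few unused codes on the token

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1     # resync and burn everything below
                return True
        return False


# Secret from RFC 4226 Appendix D, so the codes can be checked against the RFC.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    token = RFC4226_SECRET
    bank = TokenVerifier(token)
    first = hotp(token, 0)
    print("code 0:", first, "accepted:", bank.verify(first))
    print("replayed:", bank.verify(first))            # already used
    print("code 2:", hotp(token, 2), "accepted:", bank.verify(hotp(token, 2)))
```

The verifier's counter is the important part: once code 2 has been accepted, codes 0 and 1 are dead even if an attacker captured them, and a code outside the look-ahead window is rejected until the customer resynchronises.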

Block the phishing e-mails by various spam filters:

  • Phishers generally use e-mail as the "bait" to lure potential victims. SMTP (Simple Mail Transfer Protocol) is the protocol that delivers e-mail on the Internet, and the information about the sender that it carries (the sender's name and address, the route the message took, etc.) can all be forged. Attackers can therefore send out large volumes of spoofed e-mail that appears to come from legitimate organizations. If anti-spam systems could reliably determine whether an e-mail really was sent by its announced sender ("Am I whom I say I am?"), phishing attacks would be cut dramatically.
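Answering "Am I whom I say I am?" is what SPF (RFC 7208) does: the sending domain publishes in DNS which hosts may send mail for it, and the receiving server compares the connecting IP address against that list. The Python below is an added example, not code from any mail filter. The DNS records are a constructed table standing in for real lookups, and only the ip4, ip6, a, include and all mechanisms are implemented (mx, ptr, exists and macros are omitted).

```python
"""Added example: evaluating an SPF record against the IP that delivered a
message.  The DNS table is constructed for the example; a real checker
queries TXT and A records over the network."""
import ipaddress

# Constructed stand-in for DNS: domain -> its TXT record and A records.
FAKE_DNS = {
    "bank.example": {
        "txt": "v=spf1 a ip4:192.0.2.0/24 include:_spf.mailer.example -all",
        "a": ["203.0.113.10"],
    },
    "_spf.mailer.example": {
        "txt": "v=spf1 ip4:198.51.100.0/26 a:relay.mailer.example ~all",
        "a": [],
    },
    "relay.mailer.example": {"txt": "", "a": ["198.51.100.200"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, client_ip: str, dns=FAKE_DNS, depth: int = 0) -> str:
    """Return pass / fail / softfail / neutral / none / permerror for the
    envelope-sender domain and the IP address that connected to us."""
    if depth > 10:                      # RFC 7208 caps include: recursion
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    record = dns.get(domain, {}).get("txt", "")
    if not record.startswith("v=spf1"):
        return "none"                   # domain publishes no policy
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "a":               # A records of the named host (default: domain)
            matched = str(ip) in dns.get(arg or domain, {}).get("a", [])
        elif mech == "include":         # recurse; only a 'pass' counts as a match
            matched = check_spf(arg, client_ip, dns, depth + 1) == "pass"
        else:                           # mx, ptr, exists, macros: not implemented
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                    # nothing matched and no 'all' term


if __name__ == "__main__":
    for sender_ip in ["192.0.2.77", "198.51.100.200", "198.51.100.100", "203.0.113.10"]:
        print(f"{sender_ip:16} -> {check_spf('bank.example', sender_ip)}")
```

One caveat a practitioner will want: SPF is evaluated on the SMTP envelope sender (MAIL FROM) and HELO name, not on the From: header the user sees. A phisher who uses a domain they control in the envelope while displaying the bank's name in From: still passes SPF; DMARC adds the alignment check between the two.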

Install online anti-phishing software in user’s computers:

  • Despite all of the above, users may still end up on a spoofed website. As a last line of defence they can install anti-phishing tools on their own computers. The anti-phishing tools in use today fall into two categories: blacklist- or whitelist-based, and rule-based.
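The rule-based category is the easier one to show. The Python below is an added example, not any product's code: it pulls the links out of an HTML e-mail body and applies a handful of rules that catch the patterns described in the four steps above (a raw IP address as host, a brand name buried in a subdomain of some other domain, link text that names one domain while the href goes to another, user information before the host, punycode hosts). The sample message, the brand watch-list and the two-label approximation of a registrable domain are assumptions; production tools consult the Public Suffix List and blacklists as well.

```python
"""Added example: a small rule-based phishing-link checker for an HTML e-mail.
Not a product's code; the brand list, the sample message and the naive
'registrable domain = last two labels' rule are assumptions."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

BRANDS = ("paypal", "ebay")          # assumed watch-list of impersonated brands
DOMAIN_RE = re.compile(r"([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})")


def registrable_domain(host: str) -> str:
    """Naive: last two labels.  Real tools consult the Public Suffix List so
    that e.g. 'co.uk' is not mistaken for a registrable domain."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def url_findings(href: str, link_text: str = "") -> list:
    """Apply the rules to one link and return the ones that fire."""
    findings = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.username is not None:
        findings.append("userinfo before host")      # http://bank@evil/
    try:
        ipaddress.ip_address(host)
        findings.append("raw IP host")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host")             # possible homoglyphs
    rd = registrable_domain(host)
    for brand in BRANDS:
        if brand in host and brand not in rd:
            findings.append(f"brand '{brand}' outside registrable domain")
    m = DOMAIN_RE.search(link_text.lower())
    if m and registrable_domain(m.group(1)) != rd:
        findings.append("link text names a different domain")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def scan_email(html: str) -> dict:
    """Map every link in the message body to the rules it triggered."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return {href: url_findings(href, text) for href, text in parser.links}


# Constructed sample message in the style of the lure described above.
SAMPLE_EMAIL = """
<p>Your account information requires updating.</p>
<p><a href="http://192.0.2.10/paypal/login">https://www.paypal.com/</a></p>
<p><a href="http://www.paypal.com.verify-account.example/">Click here</a></p>
<p><a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
"""

if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL).items():
        print(href, "->", findings or "no findings")
```

The third link in the sample is the genuine one and triggers nothing; the first two are the classic lures, and each trips a different rule. Rules like these produce false positives (legitimate marketing mail often links through a tracking domain), which is why real tools combine them with blacklists and a reputation score rather than blocking on a single hit.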

The threat of online security: How safe is our data?

Viruses, hacker attacks and other cyber threats are now part of daily life. Malware spreading across the Internet, hackers stealing confidential data and mailboxes flooded with spam are the price we pay for the convenience of computing. Any unprotected computer or network is vulnerable, really vulnerable.

For instance, a home user can lose valuable personal data with one click on the wrong website. Children trading games unknowingly exchange viruses too. You receive an e-mail requesting an update to your payment details, and a hacker gains access to your bank account. A backdoor is installed on your machine, and your PC becomes a zombie spewing out spam.

Nor is it only home users who suffer. For businesses of all sizes the risks are manifold: crucial data corrupted by viruses, financial data misappropriated by cyber criminals, and mountains of spam reducing the return on human and technological resources.

Some of the most common threats today are crimeware, viruses, hackers, spam and spyware, and the list keeps growing. To start with, crimeware is malicious software used to commit a crime, typically an Internet-based one. Over the past two years crimeware attacks have grown far faster than ordinary viruses, as international gangs of virus writers, hackers and spammers join forces to steal information and collect huge illegal profits. For example, a bank login ID and password may be captured and sent back to an attacker, who then uses them to empty the account.

The term "virus", on the other hand, is often loosely applied to any type of malicious program, or to any harm a malicious program causes to a host system. In the simplest terms, a virus is program code that replicates from one host file to another.



"Hacking" a computer, another threat, is the act of exploiting vulnerable operating system functions, applications and peripherals to gain unauthorised access to a computer or network. For example, a phisher (often loosely called a hacker) may send an e-mail under the guise of a major bank, credit card issuer or e-money service such as PayPal. The e-mail not only looks official but also carries an official-looking domain name and return address, and its body contains an innocuous message such as: "Your account information requires updating".

Spam is the electronic equivalent of physical junk mail and unsolicited telemarketing calls, and it has become one of the biggest nuisances for home and business users alike. In 2003 and 2004 spammers sent the majority of spam from machines belonging to unsuspecting users: they use malware to install Trojans on victims' machines, leaving them open to remote control. Methods used to penetrate victim machines include:

  • Trojan droppers and downloaders injected into pirated software distributed over P2P file-sharing networks (Kazaa, eDonkey, etc.).
  • Exploiting vulnerabilities in MS Windows and popular applications such as Internet Explorer and Outlook.
  • E-mail worms.

Spyware has been defined as software that "impairs users' control over material changes that affect their user experience, privacy, or system security; use of their system resources, including what programs are installed on their computers; or collection, use, and distribution of their personal or otherwise sensitive information." "Spyware" is something of a grey area, so there is no copy-book definition. As the name suggests, it is loosely defined as software designed to gather data from a computer and forward it to a third party without the consent or knowledge of the computer's owner. This includes monitoring keystrokes, collecting confidential information (passwords, credit card numbers, PINs, etc.), harvesting e-mail addresses and tracking browsing habits. A further by-product is that such activity inevitably degrades network performance, slowing the system and with it the whole business process.

Although all this seems frightening, there is a way out. Online security aims to protect e-commerce customers and their information by continually improving e-commerce systems and processes as transactions evolve. Because no single solution can ensure online security, a layered approach built from industry-leading solutions has been developed. Two major objectives in selecting the right electronic safeguards are:

  • Protecting customers' information and assets.
  • Minimizing the impact on customers while providing multiple layers of protection wherever a transaction calls for added security.

Are our data secure with these online safeguards alone? That depends on whether consumers are aware enough of the threats they face to take the necessary steps to prevent them.