Stay Safe Online: RCNA warns of attempted phishing attack

PhishThe Royal Canadian Numismatic Association sent email to its members notifying them that on April 24 someone attempted a phishing scam trying to impersonate the RCNA Executive Secretary trolling for information. The RCNA did not send out an email note asking for information and recommended deleting them email.

Phishing is the term used to describe the attempt to convince someone to reveal personal information by sending them an email that looks like it came from a legitimate source. In this case, the attacker made their email look like it came from the RCNA hoping that members would give up their personal information.

When I am not blogging, meeting with other numismatists, or being with my family, I work in information security for the United States federal government. In my professional life, I have seen a lot of attempted and successful attacks against both government and commercial systems. However, the one attack that is the most difficult to defend are those where humans are convinced to act against their own best interest, such as a phishing attack.

Social engineering attacks are my favorite attacks. One reason is that it helps demonstrate to the organizations that I try to help that security is more than controls, encrypted communications, or anything else you might have read in the news. Security is a process that requires diligence, the same as it does in the real world.

The following are four rules that you can follow to help keep safe online:

Rule #1: Unless you are 100-percent certain that the email is legitimate, do not click on the link!

You will be never 100-percent certain that any email you receive is legitimate so make sure that you are as close as 100-percent certain as possible. One thing you can do is to move your pointer over the link, stop, and wait for the tooltip to show you the address.

Tooltips are those balloon-like popups that will tell you something about the link or element before you press the mouse button. One way to tell that a link is bad is that if the address is not what you think. For example, if the link is supposed to send you to the RCNA website, the tooltip better say that it will send you to rcna.ca. If it does not, then do not click on the link.

When you check the link, the address of the server is the first part of the address. If what should be the server name is not in that area at the beginning of the address, do not click on the link.

One trick the phishers use is to show you what looks like a complicated address in the message, but the link behind it will send you to another website. This is where tooltips can help. If you hover over the address and they do not match, it is an attempt to trick you and you should not click on the link.

If you are using a web-based email client, you can check the address on the status line at the bottom of your browser window. Check to see if the address makes sense is also a good tool. For example, if the link is supposed to be from the RCNA and “rcna.ca” is not the address of the server in the link, then it is a phishing attempt and you should not click on the link.

If you are unsure about the link, then go to your browser and type in the address yourself. Rather than clicking on a suspicious link, you can visit the RCNA website by typing “http://rcna.ca” directly into your browser’s address bar.

Anatomy of a Phishing email(courtesy of the University of California-Davis)

Anatomy of a Phishing email
(courtesy of the University of California-Davis)

Rule #2: No legitimate company or organization will send you a form to fill out and email back

One of the tactics that the phishers use to try to trick you into giving them your personal information is to create a form that looks like it is legitimate. Just as it is easy for someone with moderate skills to fake a web page, they can create a counterfeit form. Not only will the form be counterfeit, but they could also embed programs in that form to steal your information.

Embedded code in documents is called macros. Macros are used to command programs to do something for the user. When used in productive environment, macros can be a wonderful tool to create dynamic documents. But the same instructions that can make macros a productive tool can also be used to do bad things.

Unless you are certain about where the document came from, then do not open a document. If you open the document and the program asks if you should enable or run macros, do not enable macros.

This is not just a problem with word processing document. PDF documents can also deliver very nasty malware (malicious software). Not only can an attacker add macros to a PDF document, but someone can embed the technology called Flash in those PDF. Flash is the technology that helps you see videos and add enhancements to the visual interface of some websites. But Flash can be used to attack your computer system. Opening a PDF file sent by someone you do not know can be as dangerous as a word processing document.

Rule #3: Do not open suspicious attachments

Another trick the attackers try to use is adding an attachment named in a way to try to trick you into opening the file. File names consist of the name of a file followed by a period followed by a file extension. The file extension is used to tell the computer the type of program to open to allow you to work with the file. There are three file extension that very dangerous and should never be opened unless you are absolutely sure who sent them to you: .zip, .exe, and .dmg for Mac users.

The .zip file extension tells the computer that the file is something called a Zip archive. A Zip archive is a file that is formatted to allow it to store many files that are compressed. Zip files are used for many legitimate purposes including being the default format of Microsoft Word’s .docx file. Unfortunately, it can contain files that can be used to attack your system.

One of the types of file that can be included in a Zip archive is an .exe or executable file. Simply, these are programs in the same way that Microsoft Word is a program. Once an executable file is opened, it will do whatever it is programmed to do. Among the things that the program can do is key logging. A key logger reads what you type on your keyboard, what you click on the screen, and in some cases what is displayed on your screen. The key logger will be able to capture the user name and password you entered when you visit any website including your bank’s website. The problem is that when a key logging program is run, you do not know it is watching what you type. Nor do you know that it connects to a server somewhere on the Internet to send the information to the attacker.

While Macs are more difficult to attack, they are not immune. Mac users should never open a file with a .dmg file extension unless you know who sent the file. The Macintosh .dmg file is a disk image file. A disk image file is formatted to look and acts like a disk so that when you double click the file, it will mount on your computer as if you plugged in an external disk drive. Because .dmg files are commonly used to install legitimate software, sometimes the installation can be automatically started. If you allow the installation to continue, it you can install software as dangerous as what I described for the Windows .exe file.

Rule #4: When in doubt, throw it out!

delete-messageWhile all this seems simple to me, I have been in this industry for over 30 years and am used to the complication. The problem with email is that it was developed as a way for researched to communicate by plain text across the Arpanet, the forerunner of the Internet. Essentially, email is a text-based service that has been extended in so many ways that it has created a complicated series of standards that requires a degree in computer science to analyze.

Even if you cannot fully analyze whether the message is spam or legitimate, if you have any doubt, then just press the delete button. If the message came from a source you know, contact them off line and ask if the mail is legitimate. If you think the email is from your bank, call the bank and ask. If you think the email is from your credit card company but not sure, call the credit card provider and ask. If you think the email sent from the RCNA is suspicious, call them and make and ask.

A little intuition can be of great help in these circumstances.

Stay safe online and have a good weekend!

Image courtesy of Duke University.
Anatomy of a phishing attack courtesy of UC-Davis.

My coins are geo-what?

SatellitesComputer and online security has been a topic for the news lately. This was because of a mistake made in software that was being used to try to keep your password from being seen by criminal hackers was making it visible to those criminals. In the wake of the news, the Doug Davis of the Numismatic Crime Information Center sent out a message to his list of contacts that had one central message for every dealer and collector:

Shooting simple photos from your smart phone or personal camera can lead criminals right to your location… with pinpoint accuracy using GPS satellites.

You might have heard the term “metadata” in the news in the context of its collection by the National Security Agency. For those who do not know what metadata is, think of it as a description of the data. Think about an exhibit in a museum. The exhibit contains several artifacts arranged in a certain way to try to tell a story. But the story is incomplete because a little more information is needed to put it into context. But the information cannot be shown as an artifact in the exhibit, so the person setting up the exhibit adds a description added to the exhibit to make it more understandable. That description would be the metadata to the exhibit.

Example of what you can find out about your image in the file's Properties under Windows

Example of what you can find out about your image in the file’s Properties under Windows

Embedded within the pictures you take with your digital camera is a description of the picture that is not visual on the picture. Within this description is the type of camera you are using, the shutter speed, and other exposure information. One of the descriptive items that your camera can record is where the picture was taken. This is called geotagging or geocoding.

Modern cameras, cameras built into smartphones, and even some memory cards that can be inserted into older cameras can determine where you are located and record that in the metadata in the picture you take. And contrary to what you have read, new technologies do not have to use the Global Positioning System (GPS) to figure out where you are located. There are services that use WiFi to record your position. It is called WiFi Positioning System (WPS). Basically, WPS determines where it is located and communicates that to WiFi connected services so that it could be used to determine your location.

I know geotagging can be a lot of fun. A few years ago when my wife and I drove from Portland, Maine to Canada, I had taken pictures of the scenery along the way hoping to find a moose. After all, how can you go through the woods of Maine without seeing a moose?! When I loaded the pictures on my Mac in iPhoto, it was fun to see the plot of where the pictures were taken on the built-in map. I was able to follow the road into Canada just based on the geocodes.

What I did not do is post those pictures while on the road. Aside from the lack of cellular connectivity, posting those pictures would advertise to evil doers that I was not home and too far away to do anything.

If you take geocoded pictures of your coins and post them online, whether it you are posting them to a social media site or a discussion forum, you are advertising where the coin is located. This might not be a problem if you collection consists of what dealers would call ordinary or common coins. But if that 1937-D Buffalo nickel has only three legs, that geocoded picture announces that you have at least one high value coin that someone might want to acquire through less than legal means.

The problem is that I love to see pictures of interesting coins. This is one of the reasons I love Pinterest. Aside from sharing my own picture, Pinterest allows me to pin coin images from around the Internet to create virtual scrapbooks. Do you have an interesting coin? I want to see it. Different types of tokens and medals are excellent artwork.

However, when you take the pictures of your prized collection, make sure you turn off geotagging!

Unfortunately, I cannot tell you how to do it on every camera because the process is different. To help, I found the following two articles that provides an overview of how to turn off geotagging on the common smartphones:

  1. How to Disable Geotagging on Your iPhone, Android Phone or Blackberry
  2. “How to disable a smart phone’s geotagging feature

For other cameras, you need to find the manual that came in the box to figure out how to do this.

In the meantime, stay safe online and let’s see those beautiful coins!

Rethinking Safety and Security

With the news coming from Arizona this past weekend, I was thinking about personal security and the security of our collections. It may seem like a gruesome topic to discuss in the aftermath of the shooting, but as long as our attention is on the situation, we need to take a look at our own security.

Last June, I discussed the Safety and Security Traveling with Coins after the robberies of dealers traveling to and from shows. One the key points I made is the beware of your surrounding, what we call “situation awareness.” It is not typical to think like this, but if you have numismatics that seem to be desirable, you need to consider your environment. Does the area “feel right?” Do you feel comfortable in the area? Are you worried about the strangers around you? What is your gut feeling? If you are not comfortable and just have that feeling that the area is not safe, go with that feeling and take appropriate actions.

We would like to think we live in a safe neighborhood, but at least once per week I see a news report with someone saying, “Nothing like this has happened here. This is such a safe neighborhood.” Unfortunately, there is always a first time, why be the first victim. How secure is your property? Are you coins on display in your home? If they are, do you have a security system?

Whatever you have for security may not be enough. You have to think like a thief and figure out how strengthen your defenses. Sure, strengthening your defenses may stop 95-percent of the thefts, but what about the other five percent? What about the amateur thief who gets lucky?

One of the best resources you have is your home insurance company. After many years of protecting property all over the country, they know what works and where to find the best people to help. Most insurance companies will help you with the risk assessment and share with you what their company knows about the risks in your area. They can also tell you about savings that you could see if you added additional security to your home.

Aside from the security of your personal property, you also need to considered what to do with your collection when you are no longer able to enjoy it. In my post, What Will Your Heirs Do With Your Collection, I discussed the necessity of estate planning with your collection. Remember, “It may be difficult to admit that the niece or grandson that appears to love to see your coins when they visit or is excited to receive a special numismatic gift may be more happy because of their interaction with you rather than your collection.”

Be honest with yourself, does your family really want the coins or what the coins are worth. If you are not going to mind that they will sell your coins, then leave it to them. However, if they are not going to keep the collection and their disposition really matter to you, then you should figure out how to deal with them while you still can make the decision.

While we pray that Rep. Gabrielle Giffords and the others who were injured a complete recovery; and we join with the families of Judge John Roll, 9-year old Christiana Green, Dorothy Morris, Phyllis Schneck, Dorwan Stoddard, and Gabriel Zimmerman in grieving their losses, we should take this opportunity to heighten our own security awareness to protect ourselves, our loved ones, and our collections.

Safety and Security Traveling With Coins

During the last week, there were two more stories of dealers being robbed. One occurred in Witchita Falls, Texas and the other in Parisippany, New Jersey. In both cases, the dealers stopped at a restaurant after the show ended, had the windows broken to take what was in the car. The incident in Wichita Falls also involved an assault on the dealer and his wife.

Earlier this year, a coin dealer was robbed in Acton, Massachusetts after leaving a coin show in Westford. Also, a coin dealer from Jacksonville, North Carolina was robbed in Wilmington when he went to visit someone’s home he thought was interested in purchasing coins.

These incidents show that it is time for dealers to step up their security awareness and learn to protect themselves from the risks of robberies. Dealers with store fronts have a lot of options to protect their assets, although some have fatal ramifications. For the dealer who travels to and from shows, the security of their vehicle is very important.

During the holiday season we are reminded not to leave anything in the car that would invite someone to break in. Sometimes, you cannot fit everything in your trunk because between your clothes and inventory everything does not fit. Since many shows are one or two days, consider using a small, flat suitcase that could fit on the floor of the back seat and place it under the floor mats. It is not the best hiding place but it attracts less attention.

Aside from the usual precautions of locking doors and hiding the valuables, be particular where you park. Since thieves do not want to attract attention to themselves, park in well-lighted, crowded areas. Park close to the building especially close to the entry door. Avoid areas with trees and bushes that could be used to hide from view. Look around and think like a thief. If you can think of how to hide yourself around your car, then the thief can, too. Either find someplace else to park or another establishment for dinner.

Better security requires an investment into additional protection for your car. Car alarms are popular options and also the most hated. If not installed correctly, car alarms are prone to false alarms that can annoy everyone around. Since early car alarms did sound for seemingly no reason, some have learned to ignore them. However, the noise will draw attention to the car and scare away the thief breaking in to rob the contents. If you find an alarm with a distinctive sound you can also be quickly alerted if something happens. Car alarms range from the inexpensive that are installed by the car’s owner to a theft deterrent that could cost thousands of dollars. The website eHow.com has a good section about Car Alarm Systems to get you started.

Since many of these robberies start with someone smashing the car’s window, consider technologies that strengthen the windows. Bulletproof glass is an option, but that may be too expensive for many of us. An option is installing a laminate made from a material called polycarbonate thermoplastic over the windows. Polycarbonate thermoplastic laminates are thin, clear sheets that are sturdier than glass that does not break like glass. When installed over glass, the underlying glass will shatter but the laminate will remain intact. Thinner sheets will prevent break-ins while thicker or multiple layers can be use to make the glass bullet resistant. An auto service specializing in aftermarket add ons for cars in the Washington, D.C. metropolitan area said that it could cost from $600 to over $2,000 depending on the product used and the amount of window surface that has to be covered. There are local businesses in every major metropolitan area that can install these laminates.

Another security add-on that was recommended by the dealer was reinforced locks. A local locksmith described how easy it is to break into most cars just by using force in the right places—especially for the thief not interested in maintaining the car’s look. Although we rely on them to secure our cars, locks are a weak area in the metal and the ringed design around some locks can be pried off and the locks pulled out with a pair of pliers. Simple plates secured over the locks may act as a deterrent but may also advertise that the car may have something of value inside. Locksmiths and auto security companies can install tamper resistant locks and reinforce the area around the door, trunk, and tailgate latches to prevent someone from prying into your vehicle.

The downside to installing aftermarket tamper-resistant locks and reinforcing around the latches is that it will void the structural warranties of most vehicles. Also, poorly installed car alarms will not be covered by most vehicle warranties. Professional installation by a dealer or a qualified aftermarket seller can prevent these issues.

One call you should make is to your auto and business insurance companies. By increasing the security of your car, both insurance companies may offer discounts for lower their risk exposure. Laminates will prevent broken windows and potentially reduce the amount of money that would be necessary to fix your car to just the shattered glass and the laminate and not other items. Your business insurance may also find the lowered risk appealing since you have taken steps to prevent a potential loss. The savings may be an incentive to purchase better security for your car.

Finally, dealers must consider their situational awareness—what their surroundings look like and quickly assess what is around them. Some people may not think like this, but if you are going to carry expensive inventory and cash to and from a show you have to consider the environment. Thieves like the dark because it is easier to hide. Traveling in daylight is better than traveling during the night. But if you travel at night, stay in well lighted areas and crowded areas. What is the neighborhood like? Is it a travel stop that is used by a transient clientele? That type of movement is also inviting the thieves who knows that people traveling through those areas may have something worth stealing. Will you go into a restaurant where you cannot watch your car or should you consider a restaurant where your car is visible from within the restaurant?

Does the area “feel right?” Do you feel comfortable in the area? Are you worried about the strangers around you? What is your gut feeling? If you are not comfortable and just have that feeling that the area is not safe, go with that feeling and try another place. Consider bringing nonperishable snacks in the car so that if the first place you stop at makes you uncomfortable, you have something to tie you over until you find someplace with more comfortable surroundings.

Security is an ongoing process. Thieves will adapt and find other ways to rob you. But if you take the time to prepare yourself and pay attention to your surroundings, you should be able to reduce the risk of being robbed. Stay safe!

Pin It on Pinterest

%d bloggers like this: