How to keep your financial information safe from cybercriminals

Never respond to e-mails asking for crucial details from, say, banks or other financial institutions. Your bank will never ask you to send sensitive information via e-mail.

What you need to know:

  • Hackers are like the prolific US bank robber Willie Sutton — they go where the money is. The world over, criminals have tapped crucial debit and credit card details in order to wreak havoc on your finances.

Key credit card details of an unwitting Kenyan could be up for sale for just Sh855 ($10) over the Internet.

Once bought by cybercriminals, the information could be exploited to wreak irreparable damage to your finances.

Operating in the backwaters of the wild world wide web, the sophisticated business is a mirror image of any credible online transaction.

The ease with which deals are sealed is reminiscent of Amazon — the US online retail giant.

The shopping carts in this fraud are overflowing with card security codes, full names, and addresses of Visa, MasterCard, or American Express branded plastic money consumers from around the world.

The criminals even run advertising and marketing wings on YouTube. One such advert seen by Money emphasises the vendor’s good customer relations — ably supported by a 40-person customer care centre tucked away in India.

“It is telling how daring these cybercriminals are. The fact that they sell the cards for next-to-nothing also shows you that they are confident that they will have a constant supply of their product,” notes Mr William Makatiani, chief consultant at cyber security firm Serianu.

How is this crucial credit card data acquired despite the caution exercised by consumers?

About five years ago, the answer would have been simple — very simple; your card could be stolen in a noisy and crowded matatu or by a pickpocket taking advantage of a drunk.

Fast forward to today’s Internet age, and there are numerous channels through which the data could have leaked, say, a forgotten antivirus update, use of counterfeit software, or reckless disclosure of details on a social website.

For some Kenyans, their computers and digital devices have turned against them, becoming part of networks run by cybercriminals — commonly known as botnets.

A bot is a virus that directs an infected computer to take actions unknown to the PC’s owner. An infected PC can be used to funnel your crucial data to a cybercriminal ring.

Often, hackers use bot-infected PCs to create a network which they use to attack third parties. According to data collected by Serianu, many Kenyans are unwittingly abetting Internet crime via their PCs.

“Botnets might be more profitable for cybercriminals in our local context since Kenyans do not yet have enough disposable income to be direct targets,” said Mr Bethwel Opil, country manager of Internet security solutions firm, Kaspersky.

Cyber security experts say that protecting one’s data is straightforward if one can grasp the basics.

Avoid freebies

Always be wary of applications that come at exceedingly reduced prices or for free, say, free software and movies. A lot of business in downtown Nairobi hinges on selling pirated software and movies. Mr Opil warns that these cheap products might be giving you away.

Counterfeit software does not get automatic updates from the developers. Some users stop their software from updating for fear of being caught running on counterfeits.

Last year, Internet security firm, Symantec, identified nearly 5,000 vulnerabilities in commonly used software. Adobe Reader and Adobe Acrobat applications faced vigorous attacks on various vulnerabilities. Consumers who failed to update them offered enough fodder for hackers.

It is advisable that you beef up the security of your software by ensuring that its plug-ins are up to date. A plug-in is software that adds specific capabilities to a larger application, for instance Adobe Flash and ActiveX on Internet Explorer.

Use strong passwords

“You should never go more than one month with the same e-mail or Facebook password. If your bank allows it, you should also change your ATM PIN with equal frequency,” says Mr Opil.

Waiting any longer, he says, could give a cybercriminal an opportunity to hack into your account, distribute spam, or access important data. 

A research paper by the University of Cambridge this year indicates that 23 per cent of ATM and debit card users use dates in their PINs. Twenty-nine per cent of all dates were the plastic card owner’s birthday.

On the Internet, users tend to use the same password for multiple social network accounts. Sometimes the passwords contain sequential numbers (1234), repeated numbers (1122) or, once again, key dates, say, birthdays.
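
The patterns named above (dates, sequential numbers, repeated numbers) can be checked mechanically before a PIN is accepted. The following Python sketch is an added example, not part of the original article; it also covers descending runs and alternating digits, and its 1900-2029 year window and function names are assumptions made for illustration.

```python
from datetime import date

def _is_run(pin):
    """Ascending or descending digit runs such as 1234 or 9876."""
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})

def _is_repeat(pin):
    """All one digit (1111), pairs (1122) or alternating (1212)."""
    return (len(set(pin)) == 1
            or (pin[0] == pin[1] and pin[2] == pin[3])
            or pin[:2] == pin[2:])

def _valid_day_month(day, month):
    try:
        date(2000, month, day)  # leap year, so 29 February is accepted
        return True
    except ValueError:
        return False

def _is_date(pin):
    """DDMM, MMDD, or a four-digit year in an assumed 1900-2029 window."""
    a, b = int(pin[:2]), int(pin[2:])
    if _valid_day_month(a, b) or _valid_day_month(b, a):
        return True
    return 1900 <= int(pin) <= 2029

CHECKS = (("sequential", _is_run), ("repeated", _is_repeat), ("date", _is_date))

def pin_weaknesses(pin):
    """Return the names of every weak pattern a four-digit PIN matches."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected exactly four digits")
    return [name for name, check in CHECKS if check(pin)]

def weak_pin_count():
    """How many of the 10,000 possible PINs match at least one pattern."""
    return sum(1 for n in range(10000) if pin_weaknesses(f"{n:04d}"))

if __name__ == "__main__":
    for sample in ("1234", "1122", "2911", "8351"):  # constructed samples
        print(sample, pin_weaknesses(sample) or "no listed pattern")
    print(weak_pin_count(), "of 10000 PINs match a listed pattern")
```

A PIN that matches none of these patterns is not thereby random; the check only rejects the predictable choices described here.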

A secure password, according to today’s standards, should be random and, if possible, contain a mixture of letters, numbers, and symbols.

Before carrying out a transaction on a website, ensure that it is secure by looking for the HTTP Secure (HTTPS) prefix to the URL.

Further, after online financial transactions, you need to delete all cookies and your browsing history. You also need to disable the “auto complete” function in your browser to prevent others from seeing your personal information.

Smartphones

For many Kenyans, the average smartphone carries information on both their personal and business lives. It is used for online shopping and is also a work station that may be used more often than the traditional office personal computer.

According to Kaspersky, 9,000 new pieces of malicious software targeted at mobile devices appeared in the third quarter of 2012. More than 28 per cent of mobile attacks occurred on phones running the Android software.

The malware targeted at smartphones has mostly been in the form of SMS Trojans that, if activated, silently send premium rate SMS from the infected phone, eating into the user’s airtime.

Exercise caution on social media

Potential employers, your customers and even spouses are likely to be influenced as much by your Facebook account as by your CV.

Maintaining a good online reputation is crucial, but that can be difficult if your account is hacked and used to spam Internet users. Always divulge only the information that you must.

Listing your employer, your date of birth and your residence is enough for a hacker to assume your identity and wreak havoc.

Adopt extreme discretion when accepting friend requests on Facebook. A mutual friend could turn out to be exactly what a criminal seeking access to your data needs.

Additionally, malicious software is also disguised as innocuous applications that, if downloaded, start feeding sensitive data to a third party.

To protect your phone from these attacks, download mobile security software from a credible app store – Google Play for Android or the iTunes store for Apple. The downloaded software periodically scans your phone for viruses.

The same rule of thumb that works with PCs also applies to smartphones — always download software from credible sources. Stick to mainstream app stores but even here, it is important to know the terms of use in each store.

Google Play, for instance, vets applications before posting them but its policy leaves the burden of authenticating software to the user.

Further, protect your smartphone with a password and download software that will allow you to remotely wipe its memory should it be stolen.