Vancouver Sun

B6

THE VANCOUVER SUN, THURSDAY, SEPTEMBER 11, 2008

ONLINE SECURITY

BREAKING NEWS AT

vancouversun.com

Combating security threats online Canadian banking industry invests in infrastructure to keep clients’ information secure on the Web Tips for online banking clients

BY JEFF BUCKSTEIN

O

nline banking clients are a potential target as increasingly sophisticated Internet attacks aim to grab critical financial information. Today’s attacks are taking place more frequently and faster than ever before. Banks and other protectors of sensitive online information now face threats from so-called “zero-day” attacks, says George Kerns, president and chief executive officer of Fusepoint Managed Services Inc., a managed IT solutions provider headquartered in Mississauga, Ont. “The whole point of a zero-day [attack] means that within 24 hours of most things being known, they’re exploited. [Consequently], there’s very little time to be able to fix it before there’s some kind of impact.” The banking industry in Canada devotes substantial time, effort and money to combat such threats, stresses Maura Drew-Lytle, director of media relations and communications with the Canadian Bankers Association (CBA) in Toronto. According to the CBA, clients of the six largest Canadian banks alone — RBC Royal Bank, BMO Bank of Montreal, TD Bank, Scotiabank, CIBC and National Bank of Canada — went online to record nearly 394 million financial transactions in 2007. In 2006, those same banks spent a total of $4.4 billion on their technology infrastructure; between 1996 and 2006, inclusive, they invested $37.6 billion. “The banks have a lot of personal financial information on their customers, so they understand that protecting that is certainly one of their most important jobs,” says DrewLytle. “The banks are always implementing new security procedures” to ensure customer safety, she adds. BMO Bank of Montreal, for instance, offers clients a number of protective measures. These include enhanced sign-in security to help prevent unauthorized account access, multiple levels of firewalls, and 128-bit encryption to ensure the safety of data passing between parties, among other features. Lee Dunn, vice-president and chief

Here are some tips from the experts on how online banking clients can protect themselves against phishing attacks — phoney e-mails that attempt to extract valuable personal financial information. ■ Be aware that authentic banks will never request that their clients divulge personal information, such as account numbers and passwords, in an e-mail. ■ Authenticate the website you are going to is genuine by verifying that it has a secure sockets layer (SSL) certificate. ■ Never click on a link in a suspicious email. Instead search out an official bank URL site via your browser bar. ■ Never download an attachment from a suspicious e-mail. It may consist of a virus or spyware. ■ Contact your bank immediately if you suspect somebody has tried to emulate them online.

MALCOLM TAYLOR/CNS

Stewart Wolfe, KPMG LLP’s leader of security services for the Greater Toronto area, says online banking customers need to arm themselves by becoming aware of the security threats they may face. information security officer at BMO, says the enhanced sign-in features include a personalized graphic and customized phrase users select to appear after they enter their card number. This graphic and phrase combination helps identify the website’s authenticity, after which the user can sign in with their personal identification number. This works two ways: “It gives the customer a confident feeling they are at a legitimate website” and also provides the bank with assurance the customer is who they purport to be, she notes. BMO also monitors sign-in patterns. If, for instance, a person signs on to their account away from the computer site they normally transact from, the bank will prompt them with a series of supplementary, pre-select-

ed personalized questions to make sure that it is indeed the client who is attempting to sign on, explains Dunn. But firewalls alone don’t provide enough security. While a firewall can act as an infrastructure layer to try to prevent unauthorized access for certain services, “most hackers today break into the web applications,” which in an online, worldwide banking environment allows them to more easily bypass firewalls, says Stewart Wolfe, KPMG LLP’s leader of security services for the Greater Toronto area. “Although application layer firewalls provide a level of protection, the secure coding of applications from initial development to production release is key to providing Internet banking web applications that are more resistant to malicious penetra-

tion attempts,” Wolfe adds. This is one reason why additional protection, such as a secure sockets layer (SSL) certificate issued by an authorized third party to certify that a web server belongs to the company it purports to be is essential. Such certificates include 128-bit encryption. Customers can also arm themselves by becoming aware of the threats they may face and what to do about them. Phishing attacks, for instance, are a prime example of a malicious attempt to exploit banks and their customers. The idea of a phishing e-mail is to get users on to a so-called “spoof site” that mimics the appearance of an authentic site, says Darrell MacMullin, country manager for PayPal Canada, an online payment solutions provider in Toronto.

Often such correspondence involves urgent requests for banking clients to validate their credentials or register for a type of service when they log onto a false site with their user name and password, so perpetrators can capture the sensitive personal information needed to commit further crimes, adds Wolfe. “A bank will never send you an email asking you to verify your personal information,” says Drew-Lytle. “They already have it.” Consequently, it’s essential for users to authenticate that the website they enter is genuine, and never give out sensitive financial information unless they are certain it is. The best way to do this, Wolfe says, is to verify the SSL certificate by clicking on the lock displayed by the Internet Explorer browser. A lock icon will appear when the address prefix in the browser bar changes from http to https. If clients are contacted by somebody phishing for information illegally, they need to contact their bank immediately, the experts say. For Canwest News Service

Never fear, safer Internet is here. ASHLEY FRASER/CNS

Social media advocate Ben Watson cautions that social network users, such as his 14-year-old son Sawyer, need to be wary of what private information they post online.

Social networking online comes back to bite users BY JULIE BEUN-CHOWN

Get the most secure High Speed access. Feel invincible online with the most comprehensive suite of security services. Protect your personal information with our Firewall and Anti-Spyware, automatically detect and delete harmful viruses with Anti-Virus software, and rest easy with added security features like Parental Control and Anti-Fraud. Best of all, there’s no extra cost.

Add High Speed to a bundle and save over 15%.*

Call 310-1144 or visit telus.com/bundle or your nearest TELUS authorized dealer. *Offer available until November 3, 2008 to residential clients in select locations who have not subscribed to TELUS High Speed Internet services in the past 90 days. Minimum system requirements apply. Regular bundle rate starts on month 13. © 2008 TELUS.

It’s the kind of story usually dismissed as urban legend — but this time, it’s true. In June, 20-year-old Joshua Lipton was found guilty over a drunk driving incident that seriously injured another driver. That he was charged wasn’t surprising. What was shocking was that the prosecutor in the case found an incriminating Facebook picture of Lipton at a Halloween party held two weeks after the accident, showing him dressed as a jailbird and sticking out his tongue. In court, the prosecutor offered it as evidence of Lipton’s unrepentant ways. The judge concurred and gave the Rhode Island man a two-year sentence. It wasn’t the first time personal content on social networking sites such as Facebook, MySpace, YouTube, Bebo and even blogs have been used by employers, police and institutions to keep tabs on individuals and take action against them. In March, a Ryerson University professor accused an 18-year-old computer engineering student of cheating for administering a Facebook study group for his course, and gave him an F. For the generation brought up

with the Internet as their playground, such as 18-year-old K ayl e i g h K r i s t i a n s e n , s u c h actions are akin to a stranger loitering at the gate. “People my age aren’t worried about privacy issues, because we’re so used to having everything about ourselves on the Internet. But it’s being turned around on us. We use social networking to express ourselves,” says the student from Oromocto, N.B., “and the fact that employers or the police will use that against us is detrimental.” It’s the price we will continue to pay for the Age of Internet, says Ben Watson, a social media advocate who has worked on networking for giants like Yahoo, Microsoft and Adobe, and is currently vice-president of marketing for the Ottawa-based start-up, Overlay.TV. While he admits the potential collision between social network users and those who would use their online revelations against them grows daily, the responsibility ultimately lies with members themselves. “The Internet is an echo chamber that amplifies your voice and everything you do, times 100. So if you’re an idiot, it’s no longer just your neighbours, but the world that knows it. We absolutely need to be more careful about

what we put out there,” says Watson, who has a 14-year-old son, Sawyer. “It’s not that people don’t have embarrassing moments, but neither should we record them and share them with the world.” It’s a point made more poignant by that fact that every post, uplink and video added leaves a permanent Internet fingerprint that can be impossible to erase, says Riel Roussopoulos, CEO of the Vancouver-based Internet marketing and development company IXLD Media Inc. “This is critical,” he says. “Young people are not thinking about the fact that, 20 years from now when they’re a CEO, a video they posted of themselves dancing drunk at age 18 will pop up on YouTube, with the 1,100 messages it accrued in the ensuing years. You may take it down, but if it’s been patched and replicated on other sites, it’s impossible to delete forever.” It’s a situation that begs for definition between public and private lives, he adds. “Now, it’s not just celebrities who are subject to public scrutiny, but everyone. Our privacy is being eroded daily, period. That’s what the Internet is, and it’s changing the dynamic between public and private information.” For Canwest News Service