'Email Related' Category Archive

Posted on Jul 28th, 2006

In Part 1 of Is Your Email Private, we covered the basics of most current email systems, including how they work and why they are not secure. We then started into the topic of encryption and provided a link to PGP (Pretty Good Privacy), considered by many to be the default standard for email encryption on the Internet.

PGP is an encryption tool that uses public key cryptography (that is, cryptography that uses a public / private key pair to encrypt messages so that no other security is needed when sending messages across the Internet…) to maintain secure communications. To send someone a secure message, you "scramble" it using his or her public key before transmission. Then only the correct recipient can "un-scramble" the message using their private key. The same works for you. Someone would use your public key to encrypt a message, send it to you and then only you can decrypt the message using your private key.

If you missed Part 1, you can get your copy of PGP from here: http://www.pgpi.org. It’s free and there are many download sites available. Then walk through the following steps to start guarding your privacy…

1) This may sound simple but, step 1 - install the software! I would suggest that you use the defaults that the install program sets up for the installation. Wait until you’ve got more experience with the program before you modify anything.

2) Once the software is installed, it will walk you through creating your first public / private key pair. Go ahead, walk through the process - there’s nothing like getting your feet wet right away. Besides, you need to create this key pair before you can start using PGP. If you want to wait, you can create the key pair later by using the PGPkeys application.

3) Now that you’ve created your key pair, you need to pass out your public key. Since the key is simply a block of ASCII text characters, you can copy and paste it into the body of an email message or send it as an attached text file. Or you can post it on a public "key server" where anyone can get it anytime they need it. You also have access to other people’s public keys in this same manner.

4) OK - you’ve posted your public key and downloaded the public keys of all the people you want to send encrypted email. Now you need to validate these keys. Why? Because you want to make sure the key you downloaded belongs to the person you want to send email to. You can do this by comparing the unique fingerprint on your copy of someone’s public key to the fingerprint on that person’s original key. When you are sure that you have a valid public key, you sign it with your private key to show that you feel safe using it.

5) Now the fun begins! Once you have created your public / private keys and have downloaded the public keys of others you can start sending and receiving encrypted email.

If you are using one of the email applications supported by the included PGP plug-ins, you can send encrypted messages right from your email client by clicking on the appropriate buttons on the PGP toolbar. You can also decrypt messages right in the client.

If your email client is not supported by plug-ins, you can encrypt or decrypt your email using the functions from PGPtray or from PGPtools. Both of these applications are available by clicking on the PGP icon in the system tray of your Windows OS.
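As an added illustration of the fingerprint comparison in step 4 (not code from PGP or from the original article), the Python example below computes the fingerprint of a version 4 OpenPGP public key as RFC 4880 defines it and compares it with the value the key's owner gave you. The key material is a constructed toy value, the function names are assumptions made for this example, and only version 4 keys are handled.

```python
import hashlib
import hmac
import struct

# Constructed toy values for illustration only; this is not a usable key.
SAMPLE_CREATED = 1154044800          # creation time, seconds since 1970
SAMPLE_N = 0xC5A1B7D3E9F10B2D4F6081A3C5E7092B
SAMPLE_E = 65537


def mpi(value: int) -> bytes:
    """OpenPGP multiprecision integer: 2-octet bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-octet body length, and the body (RFC 4880, 12.2)."""
    if not body or body[0] != 4:
        raise ValueError("not a version 4 public-key packet")
    if len(body) > 0xFFFF:
        raise ValueError("packet body too long")
    data = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(data).hexdigest().upper()


def display_form(fingerprint: str) -> str:
    """Group the 40 hex digits in fours, the way key managers usually show them."""
    return " ".join(fingerprint[i:i + 4] for i in range(0, len(fingerprint), 4))


def normalize_fingerprint(text: str) -> str:
    """Remove spacing and colons; refuse anything shorter than the full value."""
    cleaned = "".join(ch for ch in text if not ch.isspace() and ch != ":").upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("need the full 40-hex-digit fingerprint, not a fragment")
    return cleaned


def key_matches(body: bytes, stated_fingerprint: str) -> bool:
    """True only if the key you hold hashes to the fingerprint the owner stated."""
    expected = normalize_fingerprint(stated_fingerprint)
    return hmac.compare_digest(v4_fingerprint(body), expected)


if __name__ == "__main__":
    downloaded = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N, SAMPLE_E)
    stated = display_form(v4_fingerprint(downloaded))   # as read out by the owner
    print("fingerprint:", stated)
    print("same key:", key_matches(downloaded, stated))
    # A key with even a slightly different modulus has a different fingerprint.
    substituted = rsa_public_key_body(SAMPLE_CREATED, SAMPLE_N + 2, SAMPLE_E)
    print("substituted key accepted:", key_matches(substituted, stated))
```

Only sign a key after the full fingerprint, obtained from its owner over a separate channel such as a phone call or a business card, matches the one computed from your copy.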

There are many other options available inside the PGP program. I suggest you read the user’s guide from top to bottom. You don’t want to miss out on any of the functionality and versatility available to you from the FREE application.

Next time - Online encrypted email services…

Michael Ameye has been developing web sites since 1995. He started writing about online privacy issues to answer questions from family, friends and co-workers. He is also the chief editor of PSS Online, A Privacy, Safety and Security eZine dedicated to bringing important information to people in order to foster a safer more secure environment - online and off. Visit http://www.pssonline.info to subscribe.

Posted on Jun 13th, 2006

In Part 1 of Is Your Email Private, we covered the basics of most current email systems, including how they work and why they are not secure. We then started into the topic of encryption and provided a link to PGP (Pretty Good Privacy), considered by many to be the default standard for email encryption on the Internet.

In Part 2 of the series, we covered in more detail what PGP is and how to use it with your email client. Now we’ll move on to online email services.

Over the past couple of years a new kind of secure, online email tool has become available. Companies like HushMail.com, MuteMail.com, S-mail.com, CertifiedMail.com, and StrongPost.net offer products and services that combine strong encryption with easy-to-use web-based interfaces that allow anyone to send and receive secure email and attachments.

With these services, the encryption process is hidden from users so working with public / private key management is a snap. And since they are web based, they can be accessed from any computer, anywhere in the world that has an Internet connection and a browser.

So, how does it work? When a user first registers for the secure service, they are walked through a process that creates their key. Then, after logging into the secure site, they compose secure emails just like any other email message. The content of the message is then encrypted with their key and transferred over the Internet via a secure connection, just like the connections used on ecommerce sites. Here’s the twist… a message is secure as long as it is sent to another user of the system. This is how these companies can provide "end to end" security for your email. If you send a message to someone outside the system, it is sent in plain ASCII text and can be compromised as if you didn’t use a secure service at all.

However, this is just the flip side of PGP. With PGP you can send an encrypted email to a non-PGP user and the message is scrambled from "end to end"; however, it will probably be trashed by the recipient, since most users have no clue what to do with an encrypted message. At least with the online systems the recipient of your secure email can also sign up for the service and secure their communications without the learning curve of PGP.

One question you may be asking yourself is, "How secure is my key and my email if someone else controls the key creation process?" In other words, will the online service provider turn my email over to anyone in its unencrypted form? For most services, the key creation process relies on random data that you generate during the registration process. It is actually under your control and not the service provider’s.

As for turning over your email… Read the user agreements for each service provider. I personally like the way HushMail.com states their policy:

"What if my message is subpoenaed? Hush, like any company or individual, is legally bound to respond to court-issued subpoenas. However, because not even HushMail can access the encryption keys of individual users, in the case of a subpoena HushMail would only be able to provide the encrypted (coded) version of the transmitted email."

In other words, yes they would have to turn over your email if required by law but it would be worthless since it would be in encrypted form. And since they don’t know your key, they can’t decrypt your messages.

PGP - vs. - Online Secure Email

PGP

Pros - Local key control. Key size control. End to end encryption of email and attachments without going through 3rd party.

Cons - Steep learning curve. Email recipients confused with encrypted messages. Encryption not available from every computer.

Online Secure Email

Pros - Easy to use. Available from any computer with an Internet connection. End to end encryption within the system. Secure file storage (most providers offer this service).

Cons - No key size control. No encrypted messages outside the system (however, some providers do provide PGP integration - still need to learn PGP).

With the proliferation of the Internet, online bill paying, and the transfer of personal or financial data across the web, it just makes sense to do everything in your power to protect your privacy. Considering how easy to use and effective PGP or online encryption can be, these services just may be the answer you’re looking for to keep people out of your business - personal or otherwise.

All in all, for ease of use and easy access, I would suggest using one of the online secure email providers. Most offer basic service for free. Upgraded services and increased storage space can be had for a small monthly fee.

Michael Ameye has been developing web sites since 1995. He started writing about online privacy issues to answer questions from family, friends and co-workers.

He is also the chief editor of PSS Online, A Privacy, Safety and Security eZine dedicated to bringing important information to people in order to foster a safer more secure environment - online and off. Visit http://www.pssonline.info to subscribe.

Posted on May 6th, 2006

What do you do if you have received a suspicious email from a reputable company that you often do business with? Many online users are finding their inboxes packed with strange messages from Ebay, PayPal, their banks, credit cards, and even schools and hospitals. If you are receiving requests for information or further action that you don’t feel comfortable with, use the steps outlined below to help sort out the spam.

1. Don’t click it, use impressions - Impressions are used to tell the link location of an item without clicking through. A link in the body of a text email may look reputable at first. But if you want to see where the link will take you without clicking, just point your cursor over the word and the location will show up at the bottom of your browser window. If you don’t see anything at the bottom of your browser window, then your window may not be maximized (opened as large as it can be). Click the box in the middle of the three icons at the top right-hand corner of your screen. (There should be one to minimize, one to open full screen, and one to close, or X.) If the link starts with anything other than the source it claims to be, don’t click. For example, an Ebay buyers warning may say that it is from Ebay, but when you check the impression, it may say that it is from http://sales.site.XX.hpgjs (not an official Ebay site).

2. Don’t reply - This is self-explanatory. Replying to the message lets the sender know that you are out there and checking your emails. Since they are randomly spamming millions of emails (not knowing which emails are still in use), replying is an invitation for more trouble. While it is tempting to let them know that you don’t appreciate the emails, this will only encourage more activity. If you have a Yahoo account or something similar, you can hit the "This is spam" button, and it will send it to the trash and flag the sender as a spammer.

3. Don’t unsubscribe - This is for reasons similar to above. If they offer a link to remove you from further mailings, they are wanting to know that you are an active user. Don’t take the bait.

The moral to the story is that if you are in doubt, you can do without. If you just can’t let the email go without taking some action, call your bank or other institution and verify that the request is bogus. And just remember that they aren’t picking on just you. The senders of fraudulent email send out millions of emails a day; it’s nothing personal.

Linsey Knerl is a writer and homeschooling mother of three who enjoys parenting and all of life’s blessings with her husband in rural Nebraska. Her work can be seen at http://www.LinseyBKnerl.com

Posted on May 3rd, 2006

Most organizations overlook this very important security tool. How can an organization or an individual verify the authenticity of an incoming mail? Attaching a signature to your mail should be a standard practice. Your e-mail signature is an electronic business card and as such is a very important security tool in e-mail verification.

Here is a sample of an e-mail signature:

Customer Consideration Ltd
info@customerconsider.com
http://www.customerconsider.com
No 20 Ibadan Road, Opposite Yemi Book Shop,
Kaduna, Nigeria, West Africa.
GSM:, Tel No:
We Sell Affordable Baby Clothes

This is an example. The design of the e-mail signature is based on choice. The e-mail signature must contain the following:

All the ways by which your organization can be contacted; phone numbers, fax number, mailing address, e-mail address, url address.

The particular designation of the individual, or the name of the department, sending the mail. For example, if it’s the CEO of a bank, it should be stated: ceo @ xyzbank.com

Every e-mail address must have an e-mail signature. Example: ceo @ xyzbank.com, info @ xyzbank.com. Each e-mail address should have an e-mail signature.

The organization’s logo and slogan should also be added.

As A Weapon Against E-mail Fraud
A mail must be sent to all clients stating that they must not honor any mail that does not contain the attached e-mail signature. A copy of all e-mail signatures must be forwarded to the company’s lawyer.

How Do You Set Up An E-mail Signature
All standard e-mail programs come with the ability to set up an e-mail signature. The e-mail programs also give you the option of attaching the e-mail signature to every outgoing mail.

Advantages Of E-mail Signatures
Any organization or individual claiming to have received a fraudulent mail from a well established organization should be made to send a copy of the fraudulent mail for verification. Once the e-mail signature is not attached to it, the lawyer can always sue for name defamation, if the said organization is not aware of the company’s e-mail signature.

Advice:
In information security, the little things we overlook count. How many companies in Nigeria are aware of e-mail signatures?

A copy of the e-mail signature or signatures must be registered with the appropriate copyright organization.

Website development must be accompanied by an IT security consultant. Recently a disclaimer advertisement was placed in one of the widely read newspapers stating "scams involving illegal reference".

The question now is, how can people identify legitimate mails?

Christopher Okoh
CEO
Computer Security & Network Associates
Website: http://www.compsana.com

Posted on Mar 18th, 2006

It’s wise to remember how easily email — this wonderful technology — can be misused and misdirected, sometimes unintentionally, with serious consequences. Unless you are using encryption, the privacy of your message cannot be guaranteed nor the authenticity of your correspondent.

Consider the case of a man who left the snow-filled streets of Chicago for a vacation in sunny Florida. When he reached his hotel, he decided to send a quick email to his wife, who was planning to meet him there the next day.

Unfortunately, when typing her address, he missed one letter, and his note was directed instead to an elderly preacher’s wife whose husband had just passed away. When the grieving widow checked her email, she took one look at the monitor, let out a wail, and fell to the floor in a faint.

At the sound, her family rushed into the room and saw this email note on the screen:

"Dearest Wife, Just got checked in. Everything prepared for your arrival tomorrow. P.S. Sure is hot down here."

What actually hurts here is that the email was not intercepted but rather inadvertently directed to the wrong location. The nickname feature in many mailers can cause emails to be sent accidentally to co-workers instead of family members, or vice-versa. It’s a strange new kind of miscommunication, where you can misdirect emails a dozen times before lunch. At least with misdialed phone numbers it becomes apparent after a few moments and you usually stop before saying too much. With email, it is now possible to quickly send a completely coherent message that is nonetheless nearly incomprehensible to a mistaken recipient.

Bigger mistakes can come from an accidental “reply” or even worse, “reply all” instead of “forward”. A recent example would be when a congressional staffer accidentally hit “reply all” when intending to forward a comment to fellow staffers on a “Support the Captive Primate Safety Act” email he’d received from an animal rights group. The original email was supporting legislation to prohibit the keeping of primates such as monkeys and great apes as pets, and asking for co-sponsors to protect not only animals but humans as well, as there are inherent dangers in keeping such pets. The staffer’s comment was meant to be funny, and read: “Does this deal with those kids out in Ohio(?) who were kept in cages?” However, this email went out to the legislators behind the Captive Primate Safety Act instead of being forwarded as an inside “joke”, leading to a very sticky political exchange.

Other instances of email misdirection put organizations at legal and/or financial risk, causing a number of compliance issues. A 2005 Harris Interactive® poll for Fortiva shows that 68 per cent of U.S. employees who use email at work have sent or received email via their work email account that could place their company at risk.

While all these examples may be good arguments as to why you should disable the “reply all” function altogether, the fact remains that the way a standard, unprotected email is sent out is very akin to the mailing of a postcard. With the wrong address attached there is nothing, not even an envelope, to dissuade an unintended recipient from reading about, for instance, the naughty things you did while in Vegas. Even worse, the mistaken recipient can in turn “reply” and you could end up with unsolicited correspondence for the lifetime of that email address.

Use it wisely, and email is indeed a wonderful tool. Email is fast, easy to use and has become a cultural method of propelling personal and business communication. The bottom line is this - do not trust confidential information to email unless you are using security such as encryption or rights management. Whether it’s due to misdirected email or breach of email etiquette, your email could be exposing yourself to more than you know.

Schwarz is the director of creative marketing at Essential Security Software and is responsible for worldwide creative marketing strategy and execution, corporate branding, and public relations. Essential Security Software (ESS) is a provider of document and email security solutions. ESS has developed a premier, easy-to-use, peer-to-peer content protection and user rights management solution that enables small business owners and individuals to securely distribute sensitive email messages and documents while protecting the privacy, integrity and authenticity of their intellectual property. ESS believes that people have the right to affordable security software technology that is powerful, flexible, and easy-to-use.

Posted on Mar 10th, 2006

Email fraud is no longer news. We regularly hear of successful frauds committed on the Internet through the use of fraudulent mails. 419 fraud is a code name for an email fraud originating from Nigeria.

Take note, and do not be deceived: 419 fraud is a code name for an email fraud that promises contracts involving large sums of money. It is not peculiar to Nigeria alone but mostly originates from Nigeria.

WHY ARE PEOPLE FALLING VICTIMS TO 419 FRAUD

The 419 fraudster uses social engineering, which is neglected by most information security consultants, to gradually convince the unsuspecting victim that the fictitious contract dangled before the victim is legitimate.

Why are people falling victim every day?

  • They get close to you through regular chats over a long period of time, developing a kind of bond (friendship).
  • They use the power of sympathy to play on their victims.
  • They take advantage of the inbuilt desire in us to make money.
  • They use the names of well-known organizations to perpetrate the crime.
  • They use real life circumstances and situations, which are very reliable to commit fraud.

SAMPLE OF A TYPICAL 419 MAIL (EMAIL FRAUD)

This sample 419 mail is original (no correction of spelling mistakes).

    Mr. Felix Afuwa
    ECOBANK
    Credit control Manager
    Victoria - Island Branch
    Tel.: 234-1774-8735
    Fax: 234-1759-3019

    Attention: XXXXXXXXXX

    I am Mr. Felix Afuwa, the Credit Control Manager of ECOBANK - Victoria Island branch in Lagos Nigeria.

    I am in charge of credit finances in the bank. The banking sector has a peculiar nature in my country as it concerns financial transactions; anything is possible for you to stay afloat with the enormous competition therein.

    There was this foreigner Mr. John VanderPloeg who came at a time to deposit the sum of US$15.8million United States dollars in several installments on behalf of some multinationals for the prosecution of the Late General Sani Abacha to succeed himself as the civilian President of my country. What happened to this plot is left for prosperity to judge.

    My reason for contacting you is because I want to find out if you could assist me with this situation.

    This money has been in the bank for some time and due to the manner and purpose for which it was deposited, there was no next of kin provided for this transaction. Mr. John VanderPloeg I have on good authority was just an agent used for this purpose and has fled the country following a series of revelations on how the Abacha’s plundered the Nigerian economy and more revelations coming up at the present Oputa panel 3years after the death of the dictator. At the end of this year the bank would mob the money up if nobody comes forward to lay claim.

    Taking into cognizance the foregoing, I am in a position to make all necessary arrangement to portray you as the next of kin as it affects this transaction at the bank, so that this money can be immediately transferred on your request to another bank account abroad.

    I am willing and ready to offer you 10% of the funds for you assistance.

    Call me so that we can discuss further

    Yours truly,
    Mr. Felix Afuwa

TIPS ON HOW NOT TO BE A VICTIM OF 419 MAIL (EMAIL FRAUD)

  • Do not open a mail you didn’t solicit or request.
  • Do not reply to any mail requesting a certain sum of money or gifts before a contract is awarded.
  • If at all you are interested in the business you never solicited or asked for, please cross-check with security agencies located in your country. Make sure you present a copy of the mail when reporting.
  • Always let your spouse or a friend know about any mail requesting money or a gift before business is transacted.

Advice

Fraudulent mails are sent out daily. Avoid falling victim by getting regular education on fraudulent mails through newsletter subscriptions, audio seminars, security e-courses and the purchase of security ebooks. Don’t be the next victim; take security awareness education seriously.

Christopher Okoh
CEO
Computer Security & Network Associates.
Website: http://www.compsana.com
He has written over 100 computer security articles. He also writes for computer security magazines and newspapers. He specializes in security awareness training through free articles, audio seminars, newsletters, e-courses, and e-books. The wave making title released by him is “419 Fraud Is a Reality. Don’t Be Caught Off Guard”. It had over 5,000 downloads in the first week of its launch. Several information security consultants recommend it as a must-read. Visit http://www.compsana.com for a copy of this wave making e-book. His main pre-occupation is to create enough security awareness on the web to drastically reduce the number of cyber fraud victims.

Posted on Mar 8th, 2006

    Ample media attention has been focused on security issues such as viruses, phishing attacks and theft of sensitive customer information from large databases. The proliferation of Spyware and Malware (malicious software) has also garnered media attention. Another major, yet seldom discussed threat which goes on largely ignored outside the IT community is the theft and redistribution of email.

    To make a product which best addresses the quiet rise in email thuggery, sometimes we have to think like a criminal or mal-doer. How would these digital thugs hunt for Personal Identifying Information (PII), company assets or secret email conversations intended to be read ONLY by the recipient? Consider this article a security instructional on how to get inside the mindset of those "bad guys."

    Your occupation influences the number and type of emails you create and send each day. Most of the email you send contains harmless, benign material that you wouldn’t mind anyone else reading or sharing with others. However, there are portions of your online communiqué each day that probably shouldn’t be forwarded. These messages and attachments contain information that, if stolen and/or re-distributed, could harm you and/or your business. The following are just some ways a thief could intercept your email.

    Interception of your wireless signal -

    If you use an unencrypted wireless connection to log on to the internet or your local server, you are running a high risk of having your information stolen. The majority of wireless networks are completely unsecured.

    Although it only requires a click to enable wireless security, most users do not encrypt their wireless transmissions. Intercepting these unsecured messages is trivial, making it easy for hackers to gain access to email as well as your files stored on your laptop.

    Be cautious at local hotspot cafés. Hotspot hijackers may also utilize wireless networks to insert viruses, spy-ware, or malware on the computers of those who connect unsecured to the hotspot network.

    Access to your email account is stolen -

    Once an outsider has gained access to your email account, they not only have access to all of your messages (and potentially your on-line passwords) but can also use it to distribute spam, viruses and other harmful information that appears to come from you. Three methods are typically used by outsiders to gain access to your email account:

    1.) Theft via interception
    2.) Password cracking
    3.) Key loggers

    Your email password and username can easily be intercepted if you log-in via an unsecured connection. To ensure that you are logging-in securely, look for the https: prefix on the web address. Doing so will greatly reduce the possibilities for password interception.

    If you use a simple password consisting of a single word that exists in the dictionary, your email can be easily hijacked. If they want your information badly enough, motivated hackers can either guess it or crack it by using a software tool to try every word in the dictionary until access is gained.

    The best way to prevent password cracking from happening is to choose a strong password that combines different cases, letters, numerals and symbols, such as "4JeIw#Tr&2".

    Diligent email hackers can also gain access to your email by installing key-logging software on your computer. Key-logging software silently records all of your key strokes and sends them to an interested individual or group. Your usernames and passwords can be parsed and then used to steal your on-line access to your email, credit card, bank information, shopping accounts or any other means of PII (Personal Identifying Information). The best means of thwarting key-logging is to use anti-spyware and firewall protection and always keep them up to date.

    Insider leaks and Redistributing Sensitive Content -

    Employees are the leading cause of corporate security breaches. According to a 2005 study by the FBI and CSI (1), insider abuse accounts for approximately 50% of all security breaches. You may only have to look out across your SMB’s office to see a digital thief among you.

    The Ponemon Institute’s "Survey on Data Security Breaches" reveals that 69% of all serious data leaks occur as a result of employee activities, whether intentional or unintentional (2). Of those leaks, 14 % involved intellectual property including software source code. Other findings by the Ponemon institute cross into business-client best practices area and are as follows:

    * 39 % involved confidential business information.
    * 27 % involved personal information about customers
    * 10 % involved personal information about employees

    Dissemination of sensitive information can happen all too easily. An accidental click of the "Forward" or "Reply All" button can send proprietary information to unwanted parties.

    Interception on Your Company’s Network -

    Many companies do not have security protocols in place to prevent the interception of interoffice email. Before email is transferred to the internet it typically travels through the corporate intranet first. If your local network is not secure, it is a trivial matter for an employee with packet sniffer software to intercept all of your intra-network communications.

    Company Scanning of Outbound and Inbound Email Content -

    According to a 2004 survey by the American Management Association and ePolicy Institute (Workplace E-Mail and Instant Messaging Survey,) 60 % of American Companies use software to monitor the content of inbound and outbound email messages (3).

    Email containing anything from inappropriate language to certain file types and other data is often flagged by a company’s IT department. While monitoring employee email can reduce a company’s liability, this policy can have a different, malevolent result. In a worst case scenario, unscrupulous IT insiders may be tempted to gain access to a company’s email logs, thereby compromising executive and other departmental communication.

    Interception at the ISP Server -

    While most Internet Service Providers (ISPs) have very sound security policies regarding access to their servers, it is possible for an ISP insider to get hold of your email and attachments. Your email is stored in a queue for a split second while being transferred from server to server on its way to your recipient’s inbox. In most cases your emails are deleted as soon as they arrive at the next stop. As in the previously mentioned "Company Scanning" scenario, it is just as plausible that your email could be hijacked by a malicious ISP employee who decides to mirror all of the ISP’s contents on his or her own server. This may be of particular concern when sending email to countries that do not enforce individual privacy protection policies.

    Cross-Border Interception -

    When emailing internationally there are few legal safeguards to keep your email and attachments from being stolen. In many developing nations your proprietary information could provide a financial windfall for the employees of the local ISP. Your email will likely reach your recipient but it may also have been copied, sold or sent elsewhere. Without added security measures, neither you nor your company will have knowledge of the ill-effect until the damage has been done.

    If foreign laws do not allow your recipients to install encryption software, find another way to transfer your important information.

    Diligence About Your Online Safety Pays -

    Hackers, digital thieves, thugs and general internet mal-doers strive to intercept your email with the goal of financial gain or to cause havoc. Avoiding them will inevitably save your company’s assets. Staying abreast of the newest ways to steal your PII and paying attention to Security and Technology news in general is key to a best practices business policy.

    SMBs (Small and Medium Businesses) in the technology sector are seeing security and encryption as the forefront of their IT priorities. In July 2005, Forrester Research released its SMB findings after surveying nearly 800 technology decision-makers on their IT services priorities. Among Forrester’s findings, 71 percent of SMBs will buy security software, similar to the 75% that said they would invest in 2004 (4).

    Isn’t SBRM (Small Business Rights Management) Expensive? -

    Compliance as it concerns digital data is finally catching up to the widening commercial sector which is highly impacted by the success of small businesses. Small firms dealing with compliance issues can turn to specific SBRM solutions to bridge the gap between staying current with industry regulations and staying in business. ERM (enterprise rights management) software itself has begun to slim down in price in acknowledgement of the budgetary constraints of small businesses. Current SBRM software can be as robust as common ERM solutions but, because it is tailored to the needs of smaller business entities, it is more affordable too.

    Using encryption will ensure secure transmission when sending email. However, the best way to prevent your email and attachments from being intercepted and redistributed is to use Digital Rights Management (DRM) software, which is often described within the business sector as Enterprise Rights Management (ERM). DRM for the Enterprise and Small Business sectors gives content authors the power to determine how recipients may use their email and documents. For example, senders can prevent unauthorized distribution (no forwarding, printing) and prevent unauthorized editing (no cut, copy, paste) of content, i.e. copy prevention.

    When you take into account the countless hours put into building your company, protecting your company assets from online thugs is necessary to ensure your business survives from this year to the next.

    - - - - - - - - - -

    End Notes:

    1.) Gordon, Lawrence A., Martin P. Loeb, William Lucyshyn and Robert Richardson, "CSI/FBI Computer Crime and Security Survey" http://www.cpppe.umd.edu/. July 2005, 13.

    2.) Ponemon Institute (as cited by DRM Review), "Leading Cause of Data Security Breaches Are Due to Insiders, Not Outsiders" DRM Review February 10, 2005 http://www.dmreview.com/article_sub.cfm?articleID=1019828 December 1, 2005.

    3.) Virginia Business Magazine Online "Email Snooping" May 2005 Issue, Virginia Business Magazine, December 1, 2005, http://www.virginiabusiness.com

    4.) Michael Speyer, and Liz Herbert, "Software And Services in the SMB Market - Business Technographics," Forrester Research. http://www.forrester.com

    - - - - - - - - -

    Ms. Veniegas is an alumna of the University of Washington. Marilee joined the Marketing team at Essential Security Software, Inc. in 2005. She also serves as one of the ESS site editors for I Want My ESS!, a stolen work and SMB resource site.

    Posted on Feb 24th, 2006

    I receive 3 to 5 emails from Paypal asking me to update my details. Some of them are very believable because they look professional with the company’s header. The emails also seem to come from trusted sources such as service@paypal.com.

    I will use a fake paypal email here as an example:

    ——————–
    As part of our security measures, we regularly screen activity in the PayPal system. We recently noticed the following issue on your account:

    We would like to ensure that your account was not accessed by an unauthorized third party. Your account is our primary concern, we have limited access to sensitive PayPal account features. We understand that this may be an inconvenience but please understand that this temporary limitation is for your protection. Case ID Number: PP-072-838-560

    https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit

    For your protection, we have limited access to your account until additional security measures can be completed. We apologize for any inconvenience this may cause.

    To review your account and some or all of the information that PayPal used to make its decision to limit your account access, please visit the Resolution Center https://www.paypal.com/. If, after reviewing your account information, you wish to seek further clarification regarding your account access, please contact PayPal by visiting the Help Center and clicking "Contact Us". We thank you for your prompt attention to this matter. Please understand that this is a security measure intended to help protect you and your account. We apologize for any inconvenience.

    Sincerely, PayPal Account Review Department

    PayPal Email ID PP648769005
    ——————–

    As you can see, the email is written professionally and the links seem to come from PayPal. The chance of falling for the fraud is high for unsuspecting readers.

    How to Detect Fake Emails
    1. If you move your mouse over the links in the email, you will have a clue of what is going on. For example, the url https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit actually points to http://www.google.com/url?sa=p&pref=ig&pval=2&q=http://64.72.193.9:82/login/index.php. If you click on it, you will arrive at a page that looks exactly like paypal.com. Will you be tempted to enter your details?

    2. Look at the url in the address box of your toolbar. The url reads http://64.72.193.9:82/login/index.php. Now, it is pretty obvious that you are not on the official PayPal website. Whatever details you enter will reach the hands of the hacker.

    3. Try logging in with a fake password and you will go through. The fake website will not have the actual PayPal database and therefore, cannot verify your identity. Any password that you enter will get you into the admin area.

    Who Are The Victims
    There are many complaints of stolen PayPal accounts or credit card numbers every day. My personal experience tells me that most of the victims are new internet users and aged people. Busy IT professionals also make up a small percentage of them. I believe anyone can be a victim if they are not careful.

    Hackers Are Intelligent
    Once your PayPal email, password and credit card details are obtained, the hacker will make payments using the details provided. Making large payments would be suspicious, so they like to make small payments, perhaps fifty to a few hundred dollars a month, so that busy people like you and me will not take notice. Your credit card number might already have been stolen without you being aware of it. Checking your monthly bank statement carefully is a good way to detect unauthorized payments.

    Prevention Is The Best Cure
    What should you do when you realise your PayPal account was stolen? Contacting PayPal might help but I am quite pessimistic about it. The thing that annoys me most is that a lot of hackers are getting away with their acts with no action taken. Perhaps it just takes too much time and effort to track down the hacker.

    I would suggest everyone to learn more about internet security especially if you are running an online business or want to make online payments.

    Conclusion
    Though PayPal is a great payment system, it is abused by many unethical people. The same could have been done to other payment systems such as 2checkout, Moneybookers, etc. Internet scams are everywhere and anyone with an email address should be careful.

    Bernard Peh is passionate about web technologies and is one of the co-founders of Sitecritic.net. He has worked with experienced web designers and developers for more than 5 years, developing and designing commercial and non-commercial websites. During his free time, he does website reviews, freelance SEO and PHP work.

    Posted on Feb 4th, 2006

    Where do the lines of public and private messaging cross? In an increasingly saturated Information Age, those lines become blurrier and blurrier. Even the fashionistas of Glamour Magazine have commented on how email has become a public space by simply hitting the "forward" button. In Glamour’s September 2005 issue, their Ask Jake column queried, "Do You Kiss and Email?" This article discussed the truism that more often, due to that pesky forward button, email is a public announcement.

    With each touch and forward of an email, its subject line becomes as obtrusive as the National Enquirer’s bold screamer of a headline "Bat Boy Sighted!" The fundamental quality of email, the internet and IM is their potential binary permanence, to be pondered and discussed, replied to and posted on the net. "Western history is full of …words consulted and puzzled over as if they were Scripture" (1). Email living a new life beyond its intended recipients is an extension of what the Information Age is – being connected and staying connected.

    The lure to online communication and communicating via email is its immediacy, but that too is deceiving. When the send button is hit, your message appears to instantly pass from your computer to the recipient’s inbox.

    This seems instantaneous, but it really isn’t. Nearly all email messages make transitory stops along the way as they are directed by proprietary servers to their final destination. As messages arrive at each of these stops they are often stored, and sometimes copied or even scanned before being sent on. Information interception isn’t just about who forwards your message on, but is also about who may seize that message when it’s en route.

    Even if an email is stored for a microsecond during transfer, many emails can be classified as "stored communications". The United States Courts recognize that stored communications are subject to an “inherent loss of privacy” and can legally be read by the owner of the server on which they were stored (2). Neither the sender nor recipient has to be informed that their email message and attachments were read.

    Utilizing strong encryption for the transmission of content largely solves this problem. If an unwanted party happens to intercept an encrypted message, they will not be able to decipher it unless they have somehow gotten the encryption keys. If the interceptor attempts to break any one of the commonly used encryption algorithms, they would be hard-pressed to do so within their lifetime. They would be better off trying to crack the cryptographic code in Edgar Allan Poe’s "The Gold-Bug."

    If encryption works so well, why don’t more people encrypt their sensitive information? For certain types of communiqué and transactions, encryption is already used, such as with banking and purchasing online. Encryption for email and documents, on the other hand, has largely remained the luxury of the large enterprise businesses using Enterprise Rights Management (ERM) software and the technically elite.

    At this time, due largely to complications resulting from key exchange, effectively folding encryption software into one’s daily workflow turns out to be quite arduous. Encryption just hasn’t been easy enough for the average small/medium sized business enterprise or individual computer user. Yet for any business enterprise, no matter the size of the organization, keeping tabs on email and document communiqué is a necessity.

    Implementing encryption solutions doesn’t have to be a financial burden. Rights management solutions are now available for small to medium-sized businesses or sole proprietorships too. Small Business Rights Management (SBRM) solutions provide businesses of a smaller scale with a level of user rights management and encryption equal to that previously available to large enterprise businesses.

    Standard ERM or SBRM software gives content authors the power to determine how recipients may use their email and documents. For example, senders can prevent unauthorized distribution (no forwarding, printing) and prevent unauthorized editing (no cut, copy, paste) of content, i.e. copy prevention.

    Email and document security is no longer simply an option for companies, it is a necessity. According to a 2005 FBI study regarding computer crime, financial losses stemming from the unauthorized distribution of digital information doubled from the year before. The study went on to specify that businesses are most concerned that confidential messages (75.7% of participants) and intellectual property (71.4%) will leave the organization via email. Couple those facts with the reality of costly user licensing charged by enterprise software solution developers, and many small business operators can be locked out due to budget constraints. This prevents them from taking advantage of best practice strategies that ensure the security of their intellectual property and the privacy of their communication.

    Compliance as it concerns digital data is finally catching up to the widening commercial sector which is highly impacted by the success of small businesses.

    Small firms dealing with compliance issues can turn to SBRM solutions to bridge the gap between staying current with industry regulations and staying in business. Client proofs, patient/client information, private communiqué, and proposals can stay discreet with SBRM solutions; smaller firms don’t have to worry that their email content becomes a public announcement. SBRM solutions keep it like a secret, tuning the amplitude of the message down for only its intended recipients to receive.

    - - - - - - - - -

    End Notes:

    1.) Patricia Nelson Limerick, Eds. Julie Bates Dock, "Making the Most of Words: Verbal Activity and Western America." The Press of Ideas (Bedford Books of St. Martin’s Press, Boston: 1996), 219.

    2.) "You’ve Got Mail" New York Times, July 6, 2004

    - - - - - - - - -

    Additional Business Resources:

    1.) Wikipedia Articles:

    - Copy Protection – http://en.wikipedia.org/wiki/Copy_prevention

    - Small Business Rights Management (SBRM) - http://en.wikipedia.org/wiki/Small_Business_Rights_Management

    2.) Small Business Administration - http://www.sba.gov/

    3.) President Bush’s Small Business Agenda - http://www.whitehouse.gov/infocus/smallbusiness/agenda.html

    4.) Business.gov, which guides you through the maze of government rules and regulations and provides access to services and resources to help you start, grow, and succeed in business - http://www.business.gov/index.html

    The article "Email Doesn’t Have to be a Public Announcement" was a collaboration between Marilee Veniegas and Zachary Price. Ms. Veniegas joined the Marketing team at Essential Security Software, Inc. in 2005; she also serves as an editor for "I Want My ESS!", a stolen work site and Small/Medium Business (SMB) resource site. Mr. Price is a co-founder and organizing shareholder of ESS, where he serves as the company’s Product Manager.

    Posted on Feb 1st, 2006

    I received an email from eBay, asking me to do a simple survey for 20 dollars. Google had conducted similar surveys and it is not surprising that eBay could do the same. The survey was very tempting because I had nothing to lose and I believed many people would think the same way I did. The email was written professionally and there was nothing suspicious about the links.

    Like the PayPal email scam that I wrote about earlier, http://www.sitecritic.net/articleDetail.php?&id=89, the latest eBay email scam looked really believable and I almost fell for it. Many people are used to receiving scam emails asking them to update their details, but this one is more tricky. I hope this article can prevent unwary internet users from being cheated by unethical people. The email looks like this:

    —–
    eBay’s Survey Department

    Dear eBay Member,

    You have been chosen by the eBay’s Survey Department to take part in our quick and easy 6 question survery, In return we will instantly credit $20 to your account - Just for your time! Helping us better understand how our customer’s feel benefits everyone. With the information collected we can decide to direct a number of changes to improve and expand our online service. The information you provide us is all sensitive - No part of it is handed down to any third party groups. It will be stored in our secure database for a maximum of 7 days while we process the results of this nationwide survey.

    We kindly ask you to please spare 2 minutes of your time in taking part with this unique offer!

    To Continue click or copy and paste the link below : http://signin.ebay-survey.com/.ws/ebayISAPI.dll%3fSignIn/index.htm

    Regards, eBay’s Survey Department
    —–

    If you click on the link, you will arrive at signin.ebay-survey.com and nothing looks wrong with the site (eBay logo, header, footer, etc.). You might think that ebay-survey.com belongs to eBay. Wrong! If you type in the url ebay-survey.com, you will arrive at a totally different site.

    Upon entering signin.ebay-survey.com, you will be asked to do a simple survey, then you are asked to sign in. The site looks real because it actually checks if your userID and password are valid. If you enter the userID as "blar" and password as "12345", the login will not work. You should be able to log in with any fake userID and password (more than 8 characters for each). After that, you will be given a very good reason to reveal your credit card details.


    Why do we need your credit card information?

    Please enter your credit card information linked with your eBay and/or Paypal account. We will deposit the $20 cash back directly to your account within three business days of your next purchase.

    The Credit will appear as "eBay Reward Survey" on your next billing statement.

    If you enter your credit card details, then "bye bye". The fake eBay email uses the popular idea of "getting paid for doing surveys" to cheat unwary internet users. The email is tricky, tempting, well-planned and believable. I am pretty sure that this scam is going to claim a lot of victims. If you have friends using eBay services, make sure you warn them before it is too late.

    Bernard Peh is passionate about web technologies and is one of the co-founders of Sitecritic.net Website Reviews. He has worked with experienced web designers and developers for more than 5 years, developing and designing commercial and non-commercial websites. During his free time, he does website reviews, freelance SEO and PHP work.
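The manual checks from the two phishing write-ups above (comparing a link's visible text with its real target in the PayPal email, and noticing that signin.ebay-survey.com is not an eBay domain) can be run automatically over an HTML message body. The Python below is an added example, not code from the original articles; the function names, warning labels and the `BRANDS` allowlist are assumptions, and the sample HTML is constructed from the two links quoted in the posts.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Assumption for this example: the domains each brand really uses.
BRANDS = {"paypal": {"paypal.com"}, "ebay": {"ebay.com"}}
SCHEMES = ("http://", "https://")
# Constructed HTML body reusing the two links quoted in the articles.
SAMPLE_HTML = """
<a href="http://www.google.com/url?sa=p&amp;pref=ig&amp;pval=2&amp;q=http://64.72.193.9:82/login/index.php">https://www.paypal.com/cgi-bin/webscr?cmd=_login-submit</a>
<a href="http://signin.ebay-survey.com/.ws/ebayISAPI.dll%3fSignIn/index.htm">http://signin.ebay-survey.com/.ws/ebayISAPI.dll%3fSignIn/index.htm</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def final_target(url, depth=3):
    """Unwrap a URL carried in a query parameter (redirector link)."""
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    nested = [v for v in values if v.lower().startswith(SCHEMES)]
    return final_target(nested[0], depth - 1) if nested and depth else url

def check_link(href, text):
    """Return the warnings raised by one link."""
    target = final_target(href)
    warnings = ["redirect-wrapper"] if target != href else []
    parts = urlsplit(target)
    host = (parts.hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
    except ValueError:
        pass  # a DNS name, not a bare IP address
    if parts.port not in (None, 80, 443):
        warnings.append("unusual-port")
    # Only compare when the visible text is itself a URL.
    if text.lower().startswith(SCHEMES) and (urlsplit(text).hostname or "").lower() != host:
        warnings.append("text-href-mismatch")
    for brand, domains in BRANDS.items():
        if brand in host and not any(host == d or host.endswith("." + d) for d in domains):
            warnings.append("lookalike-" + brand)
    return warnings

def scan(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: check_link(href, text) for href, text in collector.links}
```

The brand test is a plain substring match, so it can also flag unrelated hostnames that merely contain a brand's letters; treat its warnings as a prompt for review rather than a verdict.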
