Archive for October, 2007
Bancorp Phishing Emails
Tuesday, October 30th, 2007
In October 2007, we started to see faked emails pretending to be from Bancorp South, asking users to enroll in the InView authentication system. Checking several of the scam report sites confirms that this is a well-known attempt to collect user information.
These emails are sent under several different titles, such as
“BancorpSouth Corporate Management E-mail Security”
“Recognize and avoid fraudulent attempts to BancorpSouth customers”
The displayed URL to click is https://www.bxs.com/inview/ , but looking at the HTML source reveals that clicks really end up at http://www.bxs[…].go234.us/login.htm
This type of attempt is very common. It is highly recommended that you never respond to an email claiming to be from your financial institution by clicking on any links in it. If you want to check, type your bank’s URL directly into your browser address bar - any important announcements will be visible to you when you log in.
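The tell in this email is the gap between the address shown as link text and the address in the href. The following is an added example (not from the original post) that parses the anchors of an HTML email and flags links whose visible text is itself a URL pointing at a different host than the real target, or where an https display hides a plain-http target. The sample HTML is constructed and the target hostname is a placeholder, not the real phishing domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, patterned after the post: the anchor text shows the
# bank's real address while the href points elsewhere. The target host is a
# placeholder, not the actual phishing domain.
SAMPLE_EMAIL_HTML = """
<p>Please enroll in InView:
<a href="http://www.bxs.com.login-verify.example/login.htm">https://www.bxs.com/inview/</a></p>
<p>Contact us: <a href="https://www.bxs.com/contact">https://www.bxs.com/contact</a></p>
<p><a href="https://www.bxs.com/help">Help</a></p>
"""

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, if any
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()

def find_mismatched_links(html):
    """Return [(shown_text, href)] for anchors whose visible text is a URL
    on a different host than the href, or an https display over an http href."""
    parser = AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, text in parser.anchors:
        shown = text.lower()
        if not shown.startswith(("http://", "https://")):
            continue  # plain-word link text: nothing to compare against
        downgraded = shown.startswith("https://") and href.lower().startswith("http://")
        if host_of(text) != host_of(href) or downgraded:
            suspicious.append((text, href))
    return suspicious
```

Run over a saved message body, the function returns only the links worth a second look; the mail-client advice in the post (type the bank's address yourself) still applies even when nothing is flagged.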
How many passwords?
Tuesday, October 30th, 2007
A question often arises in security discussions: How many passwords should we use?
The “best practices” answer is that we should use a different password for every site that requires one. If one is compromised, the potential damage is limited. However, there are problems with this. Many of us have dozens of sites that we use regularly - trying to remember 20+ name and password combinations is too much for most of us. This makes people either write them down, or choose very weak easily remembered words. The opposite, using a single password everywhere, is even worse. Unfortunately, the single password method is used by far too many people.
One system to consider is using a smaller number of passwords, using each for several sites of the same level of risk. For example, all the discussion forum logins can be the same - if one is discovered, the risk is that someone can edit and delete posts, or impersonate you in a discussion. The key to this method is to make sure that a high security password is never used on a low security site.
As a general rule, any password used on an SSL-protected login (https) should never be used on a regular site (http). Any password used to protect financial information, like a bank account or PayPal login, shouldn’t be reused for any purpose. Any password that has ever been sent via email should be considered already known to others, and not used anywhere at all.
