Jan 21, 2008

Beware Of Spyware : A Message From CyberSecurity Malaysia

MyCERT Special Alert - Malicious New Year Card Emails

Original Issue Date: 4th Jan 2008

MyCERT has observed mass circulation of New Year card spam emails since New Year's Eve. Each spam email contains a link that, when clicked, redirects the user to download a malicious program called happy-2008.exe. Our analysis had shown that.

The subject lines of the spam emails include the following:

Happy New Year To You!
Wishes for the new year
Opportunities for the new year
New Year Postcard
New Year Ecard
New Year wishes for you
Happy New Year To You!
Message for new year
Blasting new year
As you embrace another new year
It's the new Year
As the new year.
Happy 2008 To You!
Joyous new year
Lots of greetings on new year
A fresh new year
The body of each email carries a short message such as the following:

A fresh new year
http://uhavepostcard.com/

New Year wishes for you
http://happycards2008.com/

Joyous new year
http://uhavepostcard.com/
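The indicators above (campaign subject lines, the two malicious domains, a link straight to an executable) are enough to write a simple mail-gateway or mailbox sweep. The following is an added example and not part of the MyCERT alert: it parses raw messages with Python's standard email module, pulls URLs out of the text parts and reports which indicators fire. The sample messages are constructed for this example, and the list of executable suffixes is an assumption.

```python
# Added example (not part of the MyCERT alert): a detector that scans raw
# messages for the indicators the alert lists, namely the campaign subject lines,
# links to the two malicious domains, and links that point straight at an
# executable. The sample messages are constructed for this example; the list
# of executable suffixes is an assumption.
import re
from email import message_from_string
from urllib.parse import urlparse

CAMPAIGN_SUBJECTS = {s.lower() for s in (
    "Happy New Year To You!", "Wishes for the new year", "Opportunities for the new year",
    "New Year Postcard", "New Year Ecard", "New Year wishes for you", "Message for new year",
    "Blasting new year", "As you embrace another new year", "Happy 2008 To You!",
    "Joyous new year", "Lots of greetings on new year", "A fresh new year",
)}
MALICIOUS_DOMAINS = {"uhavepostcard.com", "happycards2008.com"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com")   # assumption: common dropper names

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def body_text(msg):
    """Concatenate the text/* parts of a parsed message (handles multipart mail)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type().startswith("text/"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def host_of(url):
    """Lower-cased host part of a URL, without a trailing dot."""
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def analyse_message(raw):
    """Return the indicator names that fire on one raw RFC 2822 message, in order found."""
    msg = message_from_string(raw)
    findings = []
    subject = (msg.get("Subject") or "").strip().lower()
    if subject in CAMPAIGN_SUBJECTS:
        findings.append("campaign-subject")
    for url in URL_RE.findall(body_text(msg)):
        host = host_of(url)
        if host in MALICIOUS_DOMAINS or any(host.endswith("." + d) for d in MALICIOUS_DOMAINS):
            findings.append("malicious-domain:" + host)
        if urlparse(url).path.lower().endswith(EXECUTABLE_SUFFIXES):
            findings.append("executable-link:" + url)
    return findings


# Constructed messages mirroring the campaign above, plus one benign mail.
SAMPLE_MESSAGES = [
    "From: greetings@example.net\nSubject: A fresh new year\n\nA fresh new year\nhttp://uhavepostcard.com/\n",
    "From: greetings@example.net\nSubject: New Year wishes for you\n\n"
    "New Year wishes for you\nhttp://happycards2008.com/happy-2008.exe\n",
    "From: colleague@example.org\nSubject: Q1 planning\n\nSlides: https://intranet.example.org/q1.pdf\n",
]


def triage(messages):
    """Map each message index to its findings; a clean message maps to []."""
    return {i: analyse_message(raw) for i, raw in enumerate(messages)}


if __name__ == "__main__":
    for i, hits in triage(SAMPLE_MESSAGES).items():
        print(i, hits or "clean")
```

The subject match alone is weak (greeting subjects are common in the first week of January), so the domain and executable-link indicators are the ones worth acting on; the subject is kept as corroboration.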

Our analysis has shown that the IP addresses of the malicious domains involved keep changing. By employing this technique the attacker makes it difficult to take down the sites serving the malicious program.
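The "IP addresses keep changing" behaviour can be scored from a series of DNS answers rather than judged by eye. The block below is an added example, not from the MyCERT alert: it profiles each domain by how many distinct addresses and how many distinct /16 networks its answers span and by the TTL of those answers, and flags a domain when all three exceed thresholds. The observations are constructed for this example (documentation address ranges are used), the /16 count is a stand-in for the ASN diversity a real tool would look up, and the thresholds are assumptions.

```python
# Added example (not part of the MyCERT alert): heuristic for domains whose
# A records keep changing, computed from a series of DNS answers. Observations
# below are constructed; the thresholds and the use of /16 networks as a proxy
# for network diversity are assumptions for this illustration.
from collections import namedtuple
import ipaddress

# observed_at in seconds from the first lookup; ttl in seconds; ips as strings
Answer = namedtuple("Answer", "domain observed_at ttl ips")


def distinct_networks(ips, prefix=16):
    """Count the distinct /prefix networks the addresses fall into."""
    return len({ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips})


def profile(answers):
    """Summarise every answer seen for one domain."""
    ips = {ip for a in answers for ip in a.ips}
    ttls = sorted(a.ttl for a in answers)
    return {
        "lookups": len(answers),
        "distinct_ips": len(ips),
        "distinct_nets": distinct_networks(ips),
        "median_ttl": ttls[len(ttls) // 2],
    }


def is_fast_flux(answers, min_ips=5, min_nets=3, max_ttl=300):
    """Assumed thresholds: many addresses, spread over several networks, short TTL."""
    p = profile(answers)
    return (p["distinct_ips"] >= min_ips
            and p["distinct_nets"] >= min_nets
            and p["median_ttl"] <= max_ttl)


def classify(observations):
    """Group answers by domain and return {domain: (profile, flagged)}."""
    by_domain = {}
    for a in observations:
        by_domain.setdefault(a.domain, []).append(a)
    return {d: (profile(v), is_fast_flux(v)) for d, v in by_domain.items()}


OBSERVATIONS = [
    # Constructed: the malicious domain answers with a different pair of addresses each time.
    Answer("uhavepostcard.com", 0, 60, ["192.0.2.10", "198.51.100.5"]),
    Answer("uhavepostcard.com", 600, 60, ["198.51.100.5", "203.0.113.9"]),
    Answer("uhavepostcard.com", 1200, 60, ["203.0.113.44", "100.64.3.7"]),
    Answer("uhavepostcard.com", 1800, 60, ["192.0.2.77", "198.51.100.200"]),
    # Constructed: a CDN-like host rotates addresses too, but inside one network block.
    Answer("static.example.net", 0, 20, ["203.0.113.1", "203.0.113.2"]),
    Answer("static.example.net", 600, 20, ["203.0.113.3", "203.0.113.4"]),
    Answer("static.example.net", 1200, 20, ["203.0.113.5", "203.0.113.6"]),
    # Constructed: a stable host with a long TTL.
    Answer("www.example.org", 0, 86400, ["192.0.2.1"]),
    Answer("www.example.org", 600, 86400, ["192.0.2.1"]),
]

if __name__ == "__main__":
    for domain, (summary, flagged) in classify(OBSERVATIONS).items():
        print(f"{domain:20} {summary} flux={flagged}")
```

The CDN-like entry is there to show why address count alone is not enough: legitimate content networks also rotate short-TTL answers, but within their own address space, whereas a botnet's proxies sit on compromised home machines spread across many networks.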

The program happy-2008.exe itself is a piece of malware known as Zhelatin/Peacomm or the Storm worm, which uses peer-to-peer technology as its communication channel.

Attached is the scan-result produced by ClamAV antivirus:

$ clamscan happy-2008.exe.1
happy-2008.exe.1: Trojan.Zhelatin FOUND

----------- SCAN SUMMARY -----------
Known viruses: 181122
Engine version: 0.91.2
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.39 MB
Time: 1.578 sec (0 m 1 s)
---------------------------------------------------


Details on the malicious spam emails are available at:

http://www.f-secure.com/weblog/archives/00001350.html
http://blog.trendmicro.com/
http://www.antirootkit.com/blog/2007/12/27/happy-new-rootkit/

We advise members and users to be extra cautious when receiving such emails: do NOT click on the link in the email, and delete any such emails received.

Mitigation Steps

As preventive steps, we advise the following:

Do not click on links in emails from unknown senders, as the links may lead to malware sites.

Make sure your PCs and browsers are kept up to date with the latest patches.

Make sure your PC has anti-virus software installed and that its signature files are kept up to date.

Report to CERTs/ISPs on any suspicious emails that you receive.

Cyber Security Malaysia

RHB Bank Alert : Watch Out for "Phishing" Emails Attempting to Capture Your Personal Information

RHB Bank Press Release :

Dear Valued Customers,

If you have been asked to provide your personal account details through email, please be cautious. This might be a fraud attempt to retrieve your personal account details.

Always be reminded that the Bank will never request you to change or reveal any of your personal banking information (ATM, Internet Banking or Dotcom card) through emails. Please DELETE immediately if you received such emails. Should you have responded to such emails, please call our Customer Care Line 03-9206 8228 for further clarifications.

To know more about online security, visit http://www.rhbbank.com.my/security/index.shtm

Please continue your kind patronage of rhbbank.com.my!

Thank you.
iBank.Online.Everytime.

RHB Bank Online Security Info :

Fraud Cases Involving Contests through SMS.

Please ignore any SMS claiming you have won a prize in a contest such as AF4, Audisi KDI 4, Petronas, Maxis, Digi or Gangstarz. You may be asked to transfer funds to a designated account, or to reveal your personal banking information, in order to receive a larger sum of money or a prize.

These are bogus contests!

Beware of any SMS from an unknown source that uses similar methods to persuade you to part with your cash or reveal personal information.

Phishing Email Scam Alert

Kindly ignore any suspicious emails that request you to click on a link to reveal your personal banking information. The bank has not sent out such emails.

Just be reminded that the Bank will never request you to change or reveal any of your personal banking information (ATM, Internet Banking or Dotcom card) through emails. Please DELETE immediately if you received such emails. Should you have responded to such emails, please call our Customer Care Line 03-9206 8228 for further clarifications.

Simple Rules To Remember When Doing Online Banking With RHB Bank :

Keep your personal banking information secret!

Do not disclose your personal banking information – Login ID, Password, ATM PIN number and DotCom card PIN number to anyone including the bank. Regular change of password is recommended at all times!

Enter the correct URL – www.rhbbank.com.my

Do not click on any external links from emails or any other suspicious websites to go to RHB Bank Internet Banking site. Bookmark the site or type in the URL yourself to ensure correct URL at all times.

Log off and clear your PC's cache when you finish your banking session
Logging off ends the session, and clearing the cache removes stored copies of the pages you visited from the PC.

Never respond to any suspicious email

The bank will never request you to change or update your personal banking information via emails, SMS or phone. You could be misled into entering a fake site that looks similar to your banking site. That's how most fraud cases happen...

Install and update your PC’s security software

Make sure that you have installed up-to-date anti-virus software, a personal firewall and anti-spyware software on your PC, and renew or replace them when the subscription expires.

Source : RHB Bank

Jan 19, 2008

Better Business Bureau : BBB Warns Consumers of Weight-Loss Schemes that Only Make Your Wallet Lighter

ARLINGTON, VA. – January 7, 2008 – Many Americans resolve to lose extra pounds every New Year, but Better Business Bureau is warning consumers that the number of complaints to BBB against weight-loss services and their various policies, procedures and products has increased by more than 40 percent since 2002, and many weight-loss schemes are only making consumers lighter in their wallets.

According to the Centers for Disease Control and Prevention (CDC), more than a third (34 percent) of U.S. adults aged 20 and over are obese. And a year-end survey conducted by the Federal Trade Commission (FTC) found an estimated 4.8 million Americans were taken in by dozens of weight-loss schemes that involved purchasing bogus pills, powders, patches, creams and other products, all of which added up to make fat-fighting fraud the most common consumer scam in 2007.

“Losing weight consistently ranks as one of the top New Year’s resolutions and many people will be looking for fast, easy fixes to get them back into their favorite pair of jeans,” said Steve Cox, spokesperson for BBB. “Unfortunately, an increasing number of consumers are telling us about weight-loss products and programs that made a big dent in their bottom line but had no effect on their waistline.”

To emphasize the very real need for consumers to start their weight-loss research with trustworthy advice, following are examples of companies that BBB has rated as unsatisfactory due to their empty promises and unscrupulous business practices:

Fraudulent Clinical Trials

BBB serving Denver and Boulder has received complaints from consumers in six states who thought they were paying to take part in medical trial tests for a new weight-loss drug. The company, Metacor — also known as Progenics, Inc. — is advertising on the Internet, noting that people who are interested should “enroll” in their program, pay $144 up front, and then take a special new weight loss pill every day for two years. For their trouble, the company promises to refund the $144 after the first month and compensate consumers $319.73 each month. Complainants allege that they paid the required $144, received pills, and never heard from the company again; they never received a refund, compensation, or additional pills.

Weight-Loss Tea

BBB serving Eastern Washington, North Idaho & Montana has received complaints from 19 states for Wu-Yi Source – a company that maintains a Billings, MT drop-box address. Wu-Yi Source offers a 100 percent “iron-clad” refund for their weight-loss tea. But dozens of consumers say that when seeking a refund, company reps provided vague answers, told them to use the products for 4-6 weeks, and questioned whether they were dieting and exercising. Consumers allege that the company is merely using a stall tactic to get them to go past the 60-day mark so the company doesn't have to honor its refund policy.

Hypnosis

BBB serving Dallas and Northeast Texas has received complaints from across eight states for Changes International Inc. The company promises “QUIT SMOKING & LOSE WEIGHT in one brief HYPNOSIS SESSION” and offers a 100 percent money back 10-year guarantee if the hypnosis doesn’t work. Until confronted by BBB, the company attempted to instill trust in consumers by falsely claiming in online and print advertising that they were “the only organization of our kind endorsed by the Better Business Bureau.” Complainants report paying more than $250 for the hypnosis seminar and a set of CDs, and allege that the hypnosis is ineffective and that the company doesn’t honor its refund policy.

Fat-Dissolving Injections

BBB serving the St. Louis metro area has received more than 350 complaints and reports about a company called GO FIG, INC– doing business as fig. and Advanced Lipo Dissolve Center – a company that administered fat-dissolving micro-injections for upwards of $10,000. The procedure is not approved by the Food and Drug Administration (FDA) and complainants allege the injections were ineffective and caused extensive swelling and pain. Reports to BBB also reveal improper billing practices and difficulty obtaining refunds. The St. Louis-based company went out of business suddenly in December citing “economic conditions” and shut 17 of its 18 offices nationwide – however, many other companies across the country currently offer similar procedures.

Given alarming levels, and increasing rates of fraud associated with the weight-loss industry, BBB is advising consumers to research the reputation of companies offering weight-loss solutions before making a purchasing decision.

For trustworthy information on weight-loss companies, consumers can access BBB Reliability Reports™ online, free of charge, at www.bbb.org.

Reporters and journalists may contact Alison Preszler, CBBB’s Media Relations Specialist or call 703-247-9376 to request an interview or additional information.

About BBB

BBB is an unbiased non-profit organization that sets and upholds high standards for fair and honest business behavior. Businesses that earn BBB accreditation contractually agree and adhere to the organization's high standards of ethical business behavior. BBB provides objective advice, free business BBB Reliability Reports™ and charity BBB Wise Giving Reports™, and educational information on topics affecting marketplace trust. To further promote trust, BBB also offers complaint and dispute resolution support for consumers and businesses when there is a difference in viewpoints. The first BBB was founded in 1912. Today, 128 BBBs serve communities across the U.S. and Canada, evaluating and monitoring more than 3 million local and national businesses and charities. Please visit http://www.bbb.org/ for more information about BBB.

Jan 15, 2008

FTC Staff Seeks Comments on Credit Freezes: Impact and Effectiveness

Federal Trade Commission staff is seeking comments on the impact and effectiveness of credit freezes as part of a multi-pronged approach to combat identity theft.

Thirty-nine states and the District of Columbia have enacted laws providing consumers the right to place credit freezes, and each of the three nationwide consumer reporting agencies (“CRAs”) is offering a commercially-developed credit freeze option. In general, once a consumer initiates a credit freeze with a CRA, the freeze prevents that CRA from releasing a consumer report (i.e., a credit report) about that consumer unless the consumer temporarily lifts or permanently removes the freeze. A credit freeze may help prevent identity thieves from opening new accounts in consumers’ names, because businesses typically will not extend new credit (or provide certain other benefits) without first viewing the consumer’s credit report.

In April 2007, the President's Identity Theft Task Force ("Task Force") issued a strategic plan to make the federal government's efforts more effective and efficient in the areas of identity theft awareness, prevention, detection, and prosecution, www.idtheft.gov/reports/StrategicPlan.pdf. As part of its strategic plan, the Task Force recommended that the FTC, with support from the Task Force member agencies, assess the impact and effectiveness of credit freeze laws and report on the results, in order to assist policymakers in considering the appropriateness of a federal credit freeze law.

Commission staff invites interested parties to submit written comments on the impact and effectiveness of state credit freeze laws, as well as the credit freeze options offered by the nationwide consumer reporting agencies. Comments must be received on or before February 25, 2008. For detailed information on how to submit comments and the specific questions and topics FTC staff would like addressed in the comments, please see: http://www.ftc.gov/opa/2008/freeze.pdf.

MEDIA CONTACT:
Office of Public Affairs
202-326-2180

Appeals Court Affirms Ruling in FTC’s Favor in Q-Ray Bracelet Case

The U.S. Court of Appeals for the Seventh Circuit has upheld a district court ruling requiring marketers of the “Q-Ray Ionized Bracelet” to give up almost $16 million in net profits as part of a maximum $87 million they must pay in refunds to consumers.

In a decision issued on January 3 and written by Chief Judge Frank Easterbrook, the court concluded, “The magistrate judge did not commit a clear error, or abuse his discretion, in concluding that the defendants set out to bilk unsophisticated persons who found themselves in pain from arthritis and other chronic conditions.” The court found that the defendants’ claims about how their product worked, for example, through “ionization” or “enhancing the flow of bio-energy” were “blather.” Judge Easterbrook wrote, “Defendants might as well have said: Beneficent creatures from the 17th Dimension use this bracelet as a beacon to locate people who need pain relief, and whisk them off to their homeworld every night to provide help in ways unknown to our science.”

The FTC filed its case in May 2003, alleging that QT Inc., Q-Ray Company, and Bio-Metal, Inc., located in Illinois, and their owner, Que Te Park, also known as Andrew Q. Park, made false and misleading advertising claims that the Q-Ray bracelet provided immediate and significant pain relief and deceptively advertised their refund policy, in violation of Sections 5 and 12 of the FTC Act. In September 2006, the federal district court in Chicago found in favor of the FTC. In November 2006, the court required the defendants to turn over a minimum of $22.5 million in net profits and up to $87 million in refunds to consumers who bought the bracelets between January 1, 2000 and June 30, 2003, when the bracelet was advertised on infomercials and Internet Web sites, and at trade shows. The district court later reduced the minimum disgorgement amount to $15.9 million, which the appellate court has upheld.

The appellate court rejected the defendants' argument that the magistrate judge had held the defendants to too high a standard of proof for their purported therapeutic claims about the bracelet and found that the claims must be based on science. The court found that "proof is what separates an effect new to science from a swindle" and that the defendants "have no proof," stating that the "tests" the defendants relied on were "bunk." The court also rejected the defendants' contention that testimonials could support their claims -- the defendants could not show that the testimonialists would not have enjoyed the same pain relief even if they had not worn the bracelet. "That's why the 'testimonial' of someone who keeps elephants off the streets of a large city by snapping his fingers is the basis of a joke rather than proof of cause and effect," stated the court.

The appellate court also rejected the defendants’ argument that because their bracelet conferred a benefit to consumers through its placebo effect, they were vindicated in making their false therapeutic claims. The court held that the Federal Trade Commission Act “lacks an exception for ‘beneficial deceit’.” The court noted, “Deceit such as the tall tales that defendants told about the Q-Ray Ionized Bracelet will lead some consumers to avoid treatments that cost less and do more . . .”.

The court also found that the defendants deceived consumers who purchased online and received only a 10-day return period when the infomercials promised a 30-day refund and suggested that consumers purchase online. “The disclosure of this shorter period was buried several clicks away in the web site” and did not ameliorate the infomercial time frame upon which “reasonable consumers” could rely, the court stated.

The Q-Ray defendants are currently in Chapter 11 bankruptcy in the United States Bankruptcy Court for the Northern District of Illinois.

Copies of the decision are available from the FTC’s Web site at http://www.ftc.gov/ and the FTC’s Consumer Response Center, Room 130, 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC works for the consumer to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, click http://www.ftc.gov/ftc/complaint.shtm or call 1-877-382-4357. The FTC enters Internet, telemarketing, identity theft, and other fraud-related complaints into Consumer Sentinel, a secure, online database available to more than 1,600 civil and criminal law enforcement agencies in the U.S. and abroad. For free information on a variety of consumer topics, click http://www.ftc.gov/bcp/consumer.shtm.

MEDIA CONTACT:

Frank Dorman
Office of Public Affairs
202-326-2674

STAFF CONTACT:

Heather Hippsley
Bureau of Consumer Protection
202-326-3285

Imad Dean Abyad
Office of General Counsel
202-326-2375

Safety and Security Tips: Buying and Selling on Amazon.com

Amazon.com is concerned about the safety and security of our customers. Accordingly, we have put a number of technological protections in place to ensure that our transaction process is extremely safe and that our customers' information is secure.

Additionally, Amazon.com takes a number of steps to help ensure that our third-party seller platforms are safe and that our sellers are of the highest quality. However, keep in mind that customer protection is a two-way street. When buying or selling on any online venue, caution must always be practiced.

The overwhelming majority of online transactions are completed without incident. While the possibility of being defrauded by a third-party seller is minimal, there are some risks. Amazon.com has developed the following guidelines to help ensure that your online shopping experience is safe and secure.

Safety and Security Tips

Buyer and Seller Tip: Protect your passwords.

If using a public computer or terminal, always log out when you complete an online session.
Keep your passwords private. Remember, anybody who knows your password may access your account.
When creating a password, use at least 8 characters--a combination of letters and numbers is best. Do not use dictionary words, your name, e-mail address, or other personal information that can be easily obtained. It is also recommended that you frequently change your password. If you need assistance with this, visit our Changing Your Password Help page.
Avoid using the same password for multiple online accounts.

Buyer and Seller Tip: Be wary of unsolicited e-mail and telephone contacts.

Amazon.com will never e-mail or call a customer and ask that they disclose or verify their Amazon.com password, credit card, or banking account number. Such information should only be submitted when completing an order on Amazon.com, registering for Amazon Payments, contacting Amazon.com directly, or when making updates to Your Account or Seller Account areas. If you receive a suspicious e-mail with a link to update your account information, do not click on the link--instead go directly to www.amazon.com and then to your account. You can find out more about How to Identify Phishing or Spoofed E-mails from our Help page.
If you are contacted by, or receive an unsolicited e-mail from an unknown entity, and are asked to confirm or provide your password or personal or banking information, simply disregard the request and report the incident to Amazon.com for investigation.
Buyers and sellers on the third-party sales platform (Auctions and Marketplace) should always carefully review order and shipment confirmation e-mails to ensure that they are legitimate and have been sent by Amazon.com. To do this, simply cross-reference confirmation e-mails with the transaction history found within the Seller Account area.
If you receive a suspected spoofed Amazon.com e-mail, or discover a fake Amazon.com Web site, please report the incident to Amazon.com. You can also learn more about Amazon.com's legal efforts to help stop spoofing.

Buyer Tip: Research your seller.

Buyers should always research a seller's feedback history prior to initiating a transaction. Feedback is the leading indicator of a seller's overall quality. Look for clues within a seller's feedback that indicate the following: The ability to fulfill and ship orders in a timely fashion, a seller's willingness to resolve transaction disputes, and an indication that the quality of the products shipped matches the description supplied by the seller. Learn more about seller feedback.

Buyer Tip: Only use Amazon Payments for Marketplace transactions.

Amazon Payments (paying for items through Amazon.com's Shopping Cart or 1-Click) is safe, secure, guaranteed, and provides buyers with a convenient method of payment. Amazon Payments is the only authorized and recognized form of payment for Marketplace purchases. Marketplace sellers may only use Amazon.com Payments to complete transactions.
Regardless of circumstances, buyers should never pay for a Marketplace item using an alternative form of payment such as wire transfer, credit card, money orders, check, cash, etc.
Marketplace transactions paid for using alternative forms of payment are not eligible for protection under the Amazon.com A-to-z Guarantee; therefore, it is extremely important that buyers only use Amazon.com Payments to complete Marketplace transactions.

Buyer Tip: Always use Amazon Payments for Auctions transactions.

For protection under the Amazon.com A-to-z Guarantee, buyers should only use Amazon.com Payments to complete an Auctions transaction. Because Amazon Payments is the only accepted payment method for Auctions orders, buyers should not use payment methods such as wire transfer, check, cash, money order, or other payment methods for Auctions transactions.

Seller Tip: Ship only to supported addresses.

Auctions and Marketplace orders must be shipped only to the address supplied by Amazon.com (contained in the ship confirmation e-mail). Sellers should be especially wary if a buyer asks them to ship a completed order to an alternative address; in that case, cancel the order and have the buyer place a new one. Buyers are responsible for providing a current shipping address when placing the order or creating their account.

Source : Amazon

Amazon.com : Identifying Phishing or Spoofed E-mails

From time to time, you might receive e-mails that look like they come from Amazon.com, but they are, in fact, falsified. Often these e-mails direct you to a Web site that looks similar to the Amazon.com Web site, where you might be asked to provide account information such as your e-mail address and password combination. Unfortunately, these false Web sites can steal your sensitive information; later, this information may be used to commit fraud. Some phishing messages contain potential viruses or malware that can detect passwords or sensitive data. We recommend that you install an anti-virus program and keep it updated at all times.

Below are some key points to look for in order to identify these e-mails:

1. Know what Amazon.com won't ask for

Amazon.com will never ask you for the following information in an e-mail communication:


Your social security number or tax identification number
Your credit card number, PIN number, or credit card security code (including "updates" to any of the above)
Your mother's maiden name
Your Amazon.com password

2. Requests to verify or confirm your account information

Amazon.com will not ask you to verify or confirm your Amazon.com account information by clicking on a link from an e-mail.

3. Attachments on suspicious e-mails

We recommend that you do not open any e-mail attachments from suspicious or unknown sources. E-mail attachments can contain viruses that may infect your computer when the attachment is opened or accessed. If you receive a suspicious e-mail purportedly sent from Amazon.com that contains an attachment, we recommend that you delete it and do not open the attachment.

4. Grammatical or typographical errors

Be on the lookout for poor grammar or typographical errors. Some phishing e-mails are translated from other languages or are sent without being proofread, and as a result, contain bad grammar or typographical errors.

5. Check the return address

Is the e-mail from Amazon.com? While phishers often send forged e-mail to make it look like it came from Amazon.com, you can sometimes determine whether or not it's authentic by checking the return address. If the "from" line of the e-mail looks like "amazon-security@hotmail.com" or "amazon-fraud@msn.com," or contains the name of another Internet service provider, you can be sure it is a fraudulent e-mail.

6. Check the Web site address

Genuine Amazon.com web sites are always hosted on the "amazon.com" domain--"http://www.amazon.com/. . . " (or "https://www.amazon.com/. . ."). Sometimes the link included in spoofed e-mails looks like a genuine Amazon.com address. You can check where it actually points to by hovering your mouse over the link--the actual Web site where it points to will be shown in the status bar at the bottom of your browser window or as a pop-up.

We never use a web address such as "http://security-amazon.com/. . ." or an IP address (string of numbers) followed by directories such as "http://123.456.789.123/amazon.com/. . . ."

Alternately, sometimes the spoofed e-mail is set up such that if you click anywhere on the text you are taken to the fraudulent Web site. Amazon.com will never send an e-mail that does this. If you accidentally click on such an e-mail and go to a spoofed Web site, do not enter any information and just close that browser window.
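Points 5 and 6 can be checked mechanically, and doing so catches the tricks that fool the eye: look-alike domains such as security-amazon.com, links whose host is a bare IP address, hosts like www.amazon.com.evil.example where the real registrable domain comes last, and user@host URLs where everything before the @ is ignored by the browser. The block below is an added example and not part of Amazon's page. It treats amazon.com as the only legitimate domain (an assumption taken from point 6) and the HTML mail body is constructed.

```python
# Added example, not part of Amazon's page: points 5 and 6 applied mechanically.
# is_genuine_host() accepts only the legitimate domain and its subdomains;
# suspicious_links() lists anchors in an HTML mail whose real target fails that
# test, alongside the text the reader was shown. Inputs are constructed and
# LEGITIMATE_DOMAINS is an assumption for this illustration.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

LEGITIMATE_DOMAINS = {"amazon.com"}             # assumption: see lead-in
FREEMAIL_DOMAINS = {"hotmail.com", "msn.com"}   # the examples the page gives


def hostname_of(url):
    """Lower-cased host part of a URL; a bare 'www.example.com' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host.lower().rstrip(".")


def is_genuine_host(url):
    """True only if the host is a legitimate domain or one of its subdomains."""
    host = hostname_of(url)
    if not host:
        return False
    try:
        ipaddress.ip_address(host)   # "http://192.0.2.5/amazon.com/" style links
        return False
    except ValueError:
        pass
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE_DOMAINS)


def sender_is_obviously_fake(address):
    """Point 5: a From: address on another provider's domain is a sure sign of fraud.
    The converse does not hold: a From: line can be forged to read amazon.com."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain in FREEMAIL_DOMAINS or not any(
        domain == d or domain.endswith("." + d) for d in LEGITIMATE_DOMAINS)


class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.found = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.found.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def suspicious_links(html):
    """Return (shown text, real target) for every link whose target is not genuine."""
    parser = _Anchors()
    parser.feed(html)
    return [(text, href) for href, text in parser.found if not is_genuine_host(href)]


# Constructed sample of a phishing mail body; the last link is the only genuine one.
SAMPLE_HTML = """
<p>Please <a href="http://security-amazon.com/verify">click here</a> to verify your account.</p>
<p>Or sign in at <a href="http://192.0.2.5/amazon.com/signin">https://www.amazon.com/signin</a></p>
<p>Questions? <a href="http://www.amazon.com@evil.example/help">www.amazon.com/help</a></p>
<p><a href="https://www.amazon.com/gp/css/homepage.html">Your Account</a></p>
"""

if __name__ == "__main__":
    for shown, target in suspicious_links(SAMPLE_HTML):
        print(f"shown {shown!r} -> really {target}")
    print(sender_is_obviously_fake("amazon-security@hotmail.com"))   # True
```

Note the asymmetry in the sender check: a From: line on hotmail.com or msn.com proves the mail is fake, but a From: line reading amazon.com proves nothing, because that header is trivially forged; only the link target test is load-bearing.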

7. If an e-mail looks suspicious, go directly to the Amazon.com Web site

When in doubt, do not click the link included in an e-mail. Just go directly to www.amazon.com and click "Your Account" in the top right menu to view recent purchases, or review your account information. If you cannot access your account, or if you see anything suspicious, let us know right away.

8. Do not "unsubscribe"

Never follow any instructions contained in a forged e-mail that claim to provide a method for "unsubscribing." Many spammers use these "unsubscribe" processes to create a list of valid, working e-mail addresses.

9. Protect your account information

If you did click through from a spoofed or suspicious e-mail and you entered your Amazon.com account information you should immediately update your Amazon.com password. You can do this through Your Account by choosing the option to "Change your name, e-mail address, or password" found under Account Settings.

Please be assured that if someone has been able to look at your account, they are not able to see your full credit card information. However, orders can be sent from your account using your credit card so please contact us immediately if you notice any orders that you do not recognize.

However, if you did submit your credit card number to the site linked to from the forged e-mail message, we advise that you take steps to protect your information. You may wish to contact your credit card company, for example, to notify them of this matter. Finally, you should delete that credit card from your Amazon.com account to prevent anyone from improperly regaining access to your account. To do so, click "Edit or delete a credit card" under Payment Settings in Your Account.

How To Report Phishing E-mails or Request Account Assistance

If you have received an e-mail you know is a forgery, or if you think you have been a victim of a phishing attack and you are concerned about your Amazon.com account, please let us know right away:

Report or Contact Us about a Phishing or Spoofed E-mail

Source : Amazon

Jan 13, 2008

How To Create & Use STRONG Passwords

Your passwords are the keys you use to access personal information that you've stored on your computer and in your online accounts.

If criminals or other malicious users steal this information, they can use your name to open new credit card accounts, apply for a mortgage, or pose as you in online transactions. In many cases you would not notice these attacks until it was too late.

Fortunately, it is not hard to create strong passwords and keep them well protected.

What makes a strong password

To an attacker, a strong password should appear to be a random string of characters. The following criteria can help your passwords do so:

Make it lengthy. Each character that you add to your password increases the protection that it provides many times over. Your passwords should be 8 or more characters in length; 14 characters or longer is ideal.

Many systems also support use of the space bar in passwords, so you can create a phrase made of many words (a "pass phrase"). A pass phrase is often easier to remember than a simple password, as well as longer and harder to guess.

Combine letters, numbers, and symbols. The greater variety of characters that you have in your password, the harder it is to guess. Other important specifics include:

• The fewer types of characters in your password, the longer it must be. A 15-character password composed only of random letters and digits (62 possible characters per position) has a search space roughly 10^11, or a hundred billion, times larger than an 8-character password drawn from all 95 printable characters on the keyboard. If you cannot create a password that contains symbols, make it considerably longer to get the same degree of protection. An ideal password combines both length and different types of characters.

• Use the entire keyboard, not just the most common characters. Symbols typed by holding down the "Shift" key and typing a number are very common in passwords. Your password will be much stronger if you choose from all the symbols on the keyboard, including punctuation marks not on the upper row of the keyboard, and any symbols unique to your language.

Use words and phrases that are easy for you to remember but difficult for others to guess. The easiest way to remember your passwords and pass phrases is to write them down. Contrary to popular belief, there is nothing wrong with writing passwords down, but the written copy must be adequately protected in order to remain secure and effective.

In general, a password written on a piece of paper is harder to compromise across the Internet than one kept in software, whether a password manager, a Web site, or another software-based storage tool; the paper itself then needs the same physical protection as the information it unlocks.

Create a strong, memorable password in 6 steps
Use these steps to develop a strong password:

1. Think of a sentence that you can remember. This will be the basis of your strong password or pass phrase. Use a memorable sentence, such as "My son Aiden is three years old."

2. Check whether the computer or online system supports the pass phrase directly. If you can use a pass phrase (with spaces between the words) on your computer or online system, do so.

3. If the computer or online system does not support pass phrases, convert the sentence to a password. Take the first letter of each word of the sentence that you've created to form a new, nonsensical word. Using the example above, you'd get: "msaityo".

4. Add complexity by mixing uppercase and lowercase letters and numbers. It is valuable to use some letter swapping or misspellings as well. For instance, in the pass phrase above, consider misspelling Aiden's name, or substituting the word "three" for the number 3. There are many possible substitutions, and the longer the sentence, the more complex your password can be. Your pass phrase might become "My SoN Ayd3N is 3 yeeRs old." If the computer or online system will not support a pass phrase, use the same technique on the shorter password. This might yield a password like "MsAy3yo".

5. Finally, substitute some special characters. You can use symbols that look like letters, combine words (remove spaces) and other ways to make the password more complex. Using these tricks, we create a pass phrase of "MySoN 8N i$ 3 yeeR$ old" or a password (using the first letter of each word) "M$8ni3y0".

6. Test your new password with Password Checker. Password Checker is a non-recording feature on Microsoft's Web site, where this article was originally published, that helps determine your password's strength as you type.

Password strategies to avoid

Some common ways of creating passwords produce passwords that criminals can guess easily. To avoid weak, easy-to-guess passwords:

• Avoid sequences or repeated characters. "12345678," "222222," "abcdefg," or adjacent letters on your keyboard do not help make secure passwords.

• Avoid using only look-alike substitutions of numbers or symbols. Criminals and other malicious users who know enough to try to crack your password will not be fooled by common look-alike replacements, such as replacing an 'i' with a '1' or an 'a' with '@' as in "M1cr0$0ft" or "P@ssw0rd"; cracking tools apply these substitutions automatically. But such substitutions can be effective when combined with other measures, such as length, misspellings, or variations in case, to improve the strength of your password.

• Avoid your login name. Any part of your name, birthday, social security number, or similar information about you or your loved ones is a bad password choice. These are among the first things criminals try.

• Avoid dictionary words in any language. Criminals use sophisticated tools that can rapidly guess passwords that are based on words in multiple dictionaries, including words spelled backwards, common misspellings, and substitutions. This includes all sorts of profanity and any word you would not say in front of your children.

• Do not use the same password everywhere. If any one of the computers or online systems using a shared password is compromised, all of your other information protected by that password should be considered compromised as well. It is critical to use different passwords for different systems.

• Avoid using online storage. If malicious users find these passwords stored online or on a networked computer, they have access to all your information.

The "blank password" option

A blank password (no password at all) on your account can be more secure than a weak password such as "1234". Criminals can easily guess a simplistic password, but on computers running Windows XP an account without a password cannot be used to log on remotely over a network or the Internet, because the default security policy ("Accounts: Limit local account use of blank passwords to console logon only") restricts blank-password accounts to the local console. (This protection is not available on Microsoft Windows 2000, Windows Me, or earlier versions.) You can choose to use a blank password on your computer account if both of these criteria are met:

• You only have one computer or you have several computers but you do not need to access information on one computer from another one

• The computer is physically secure (you trust everyone who has physical access to the computer)

The use of a blank password is not always a good idea. For example, a laptop computer that you take with you is probably not physically secure, so on those you should have a strong password.

How to access and change your passwords

Online accounts
Web sites have a variety of policies that govern how you can access your account and change your password. Look for a link (such as "my account") somewhere on the site's home page that goes to a special area of the site that allows password and account management.

Computer passwords
The Help files for your computer operating system will usually provide information about how to create, modify, and access password-protected user accounts, as well as how to require password protection upon startup of your computer. You can also try to find this information online at the software manufacturer's Web site. For example, if you use Microsoft Windows XP, online help can show you how to manage passwords, change passwords, and more.

Keep your passwords secret
Treat your passwords and pass phrases with as much care as the information that they protect.

• Don't reveal them to others. Keep your passwords hidden from friends or family members (especially children) who could pass them on to other less trustworthy individuals. Passwords that you need to share with others, such as the password to your online banking account that you might share with your spouse, are the only exceptions.

• Protect any recorded passwords. Be careful where you store the passwords that you record or write down. Do not leave these records of your passwords anywhere that you would not leave the information that they protect.

• Never provide your password over e-mail or in response to an e-mail request. Any e-mail that asks for your password, or asks you to go to a Web site to verify your password, is almost certainly a fraud. This includes requests that appear to come from a trusted company or individual. E-mail can be intercepted in transit, and e-mail that requests information might not be from the sender it claims to be. Internet "phishing" scams use fraudulent e-mail messages to entice you into revealing your user names and passwords, steal your identity, and more. Learn more about phishing scams and how to deal with online fraud.

• Change your passwords regularly. Changing a password limits how long a stolen or guessed copy stays useful. The stronger the password, the longer it can safely remain in use: a password shorter than 8 characters should be considered good for only a week or so, while a password of 14 characters or more (that follows the other rules outlined above) can be good for several years.

• Do not type passwords on computers that you do not control. Computers such as those in Internet cafés, computer labs, shared systems, kiosk systems, conferences, and airport lounges should be considered unsafe for any personal use other than anonymous Internet browsing. Do not use these computers to check online e-mail, chat rooms, bank balances, business mail, or any other account that requires a user name and password. Criminals can buy keystroke logging devices for very little money, and they take only a few moments to install. These devices let malicious users harvest everything typed on that computer, and your passwords and pass phrases are worth as much as the information that they protect.

What to do if your password is stolen

Be sure to monitor all the information you protect with your passwords, such as your monthly financial statements, credit reports, online shopping accounts, and so on. Strong, memorable passwords can help protect you against fraud and identity theft, but there are no guarantees. No matter how strong your password is, if someone breaks into the system that stores it, they will have your password. If you notice any suspicious activity that could indicate that someone has accessed your information, notify authorities as quickly as you can. Get more information on what to do if you think your identity has been stolen or you've been similarly defrauded.

Source : Microsoft

Typos Error Can Cost You

Here's another scam you might want to know about.

If you accidentally type the wrong Internet address into your Web browser, you could end up on a site where you might be tricked into entering personal information that could be used to steal your identity or commit other kinds of fraud.

This is because scammers sometimes register Internet addresses (also called "domain names" or "URLs") that are similar to the Internet addresses of popular Web sites or are common misspellings of popular Web sites.

For example, instead of www.microsoft.com, the scammer might create a Web page with the address:

www.micrsoft.com
www.micosoft.com
www.mircosoft.com

This is called "typo-squatting" or "cybersquatting." Scammers register these domain names in order to compete with the popular site or to earn money through advertisements. If you enter the wrong URL you might be taken to a site where you'll see an ad for the site you really wanted. If you click on that ad, you might get to where you want to go with an extra click and the scammer earns some money at the same time.
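Defenders check for typo-squatting by generating the typos a user is likely to make and then looking up which of those names are registered. The generator below is an added example, not code from the Microsoft article: it produces single-keystroke variants (dropped key, doubled key, swapped neighbours, and a press of an adjacent key on an assumed US QWERTY layout) of a domain's second-level label and includes the three look-alike names quoted above. The is_typo_of helper is an assumed name for the check a mail filter or browser extension would run on a link's host.

```python
# QWERTY letter rows (assumption: US layout); used for adjacent-key typos.
QWERTY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")


def _adjacent_keys() -> dict:
    """Map each letter to the letters physically next to it on the keyboard."""
    adj = {}
    for r, row in enumerate(QWERTY_ROWS):
        for c, ch in enumerate(row):
            near = set()
            for dr in (-1, 0, 1):
                rr = r + dr
                if not 0 <= rr < len(QWERTY_ROWS):
                    continue
                for dc in (-1, 0, 1):
                    cc = c + dc
                    if (dr or dc) and 0 <= cc < len(QWERTY_ROWS[rr]):
                        near.add(QWERTY_ROWS[rr][cc])
            adj[ch] = near
    return adj


ADJACENT = _adjacent_keys()


def typo_variants(domain: str) -> set:
    """Single-keystroke typos of a 'name.tld' domain's second-level label:
    omission, doubled key, transposition, and adjacent-key substitution."""
    label, dot, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                  # dropped key
        out.add(label[:i] + ch + ch + label[i + 1:])        # doubled key
        for near in ADJACENT.get(ch, ()):                   # neighbouring key
            out.add(label[:i] + near + label[i + 1:])
        if i + 1 < len(label):                              # swapped keys
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
    out.discard(label)
    return {v + dot + tld for v in out if v}


def is_typo_of(host: str, legitimate: str) -> bool:
    """True if host (optionally prefixed 'www.') is a one-keystroke typo of legitimate."""
    host = host.lower()
    if host.startswith("www."):
        host = host[4:]
    return host in typo_variants(legitimate)


if __name__ == "__main__":
    variants = typo_variants("microsoft.com")
    print(f"{len(variants)} candidate typo domains for microsoft.com")
    for name in ("micrsoft.com", "micosoft.com", "mircosoft.com"):
        print(f"  {name}: {'generated' if name in variants else 'missing'}")
```

A brand owner would feed the generated set to a WHOIS or DNS lookup to find which names someone else has already registered; a mail or proxy filter would run is_typo_of against the host of every link before the user reaches it.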

Typo-squatters and cybersquatters can also be the purveyors of more insidious scams, such as downloading malicious software applications and spyware onto unprotected computers that visit their sites.

The United States and other countries have passed legislation to help challenge cybersquatting registrations, and the Internet Corporation for Assigned Names and Numbers (ICANN) has made efforts to remedy the situation, but cybersquatters are still out there.

How to help avoid being typo scammed:

· Add Web sites you use often and any financial Web sites you use to your Favorites list and only access them through your Favorites menu.

· Use a Web browser that contains phishing protection, like Internet Explorer 7 with Phishing Filter. To enable the Microsoft Phishing Filter, go to Tools and click Phishing Filter.

· Check for an Extended Validation SSL Certificate. Internet Explorer 7 shows a green address bar when a site presents one. Note that the certificate only tells you which organization operates the site you reached; still read the name it shows, since a squatter's site can have a valid certificate in the squatter's own name.

For information on how to protect your business from cybersquatting, read Protecting Your Business from Online Threats, a white paper by Craig Spiezle, Director of Online Safety Technologies & Practices at Microsoft and Christian Merida, Director of Congressional & Public Affairs at the U.S. Chamber of Commerce.

Source : Microsoft

Online Scammers Will Follow The Money In 2008

Here are Microsoft's security experts' predictions about the threats that are most likely to affect you and your family in 2008:

1. Phishing e-mail scams. E-mail and instant message fraud increased significantly between the second half of 2006 and the first half of 2007 (from 27 to 37 percent), and is predicted to increase even more in 2008. This year look for cybercriminals who exploit the U.S. presidential election or who target people wanting to donate to the Olympic Games.

2. Electronic greeting card scams. This type of scam became big in 2006 and has increased steadily over time. According to the most recent Microsoft Security Intelligence Report, this type of scam e-mail accounted for close to one in every dozen infected e-mail messages in 2007.

These online cards typically have a subject line such as "You've received a greeting from a family member." When you click the link in the message, malicious software installs on your computer.

3. Telephone scams. Microsoft experts also warn that we will see an increase in social engineering attacks that involve e-mail that directs you to verify your credit card or IRS refunds through a phone number. The phone number turns out to be a computerized phone answering system that collects the information provided to use for fraudulent purposes.

To help protect yourself from threats this year, take these four steps:

1. Keep your firewall turned on.

2. Keep your software up-to-date.

3. Use antivirus software.

4. Use antispyware software.

Technology alone cannot stop online crime. We encourage you to follow the online safety and privacy guidance available on the Microsoft Security at Home Web site.

Jan 7, 2008

Paypal - How to Spot a PayPal Phishing Email

Hi, I'm Michael Barrett and I'm back again to talk about staying safe online. I hear from many of our customers who are really confused about how to tell a so-called “phishing” e-mail from a legitimate one sent by an organization or business. Only two or three years ago, phishing e-mails were typically poor quality, with bad grammar and spelling. Watching for these mistakes used to be a good indicator of a phishing e-mail, but unfortunately criminals have become much more sophisticated and this method no longer works well. Phishing e-mails are now often perfect copies of what a company might send out legitimately.

However, all is not lost. There is an extremely reliable way to tell whether or not an e-mail is legitimate or criminal and it relies on a very simple fact – the criminal is trying to get the victim to click on a link in an e-mail. That link will not take the victim to a web server of the organization which the criminal is impersonating, but rather to a web server that is directly under the criminal’s control. However, if consumers have some knowledge of Internet domains, they can spot these criminal links very easily.

This is much easier to demonstrate than to explain, and I recommend that you review a video we produced recently that shows this in action, with a couple of actual example phishing e-mails. We also have good background information about phishing in the PayPal Security Center, and you can take our Fight Phishing Challenge there too.



Source : The Paypal Official Blog
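The domain test Barrett describes is mechanical enough to script. The following is an added example, not code from the PayPal post: it takes the host out of a link, discards user-info tricks such as "www.paypal.com@", and reduces the host to the domain that was actually registered, so that a link pointing at a server under someone else's control is rejected even when the brand name appears in it. The tiny PUBLIC_SUFFIXES table is a stand-in assumption (real code should load the full Public Suffix List), and the sample links are constructed for the demonstration, not real phishing URLs.

```python
from typing import Optional
from urllib.parse import urlparse

# Stand-in for the Public Suffix List (assumption: enough for these examples).
PUBLIC_SUFFIXES = {"com", "net", "org", "info", "co.uk", "com.my"}


def registrable_domain(url: str) -> Optional[str]:
    """Return the domain actually registered for the host in url,
    e.g. 'paypal.com' for https://www.paypal.com/..., or None if unparseable."""
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname      # drops 'user@' prefixes and any port
    if not host:
        return None
    host = host.rstrip(".").lower()
    labels = host.split(".")
    if all(part.isdigit() for part in labels):
        return host                    # bare IP address: nobody "owns" a brand here
    for n in (2, 1):                   # try the longer public suffix first
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return None


def link_is_for(url: str, brand_domain: str) -> bool:
    """True only if the link lands on brand_domain itself or one of its subdomains."""
    return registrable_domain(url) == brand_domain.lower()


# Constructed sample links showing the common tricks (not real phishing URLs).
SAMPLE_LINKS = [
    "https://www.paypal.com/cgi-bin/webscr",                   # genuine
    "http://www.paypal.com.account-verify.example.net/login",  # brand as a subdomain
    "http://www.paypal.com@203.0.113.5/login",                 # brand in user-info, IP host
    "http://paypa1.com/",                                      # look-alike spelling
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "PayPal" if link_is_for(link, "paypal.com") else "NOT PayPal"
        print(f"{verdict:<11} {registrable_domain(link)!s:<14} {link}")
```

Only the first sample link resolves to paypal.com; the second belongs to example.net, the third to a bare IP address, and the fourth to a different registered name, which is exactly the distinction the post asks readers to make by eye.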

Paypal - Two Things You Can Do to Be Safer Online

Hello,

My name is Michael Barrett, and I am the Chief Information Security Officer for PayPal. I sometimes get asked what my job entails, and I usually describe it along these lines: I have two roles. In one, I have to ensure that all of our customer and confidential data is appropriately protected internally. In the other, I help our customers to do what they can to protect themselves. In this blog entry, I am going to talk about one aspect of the second role – how customers can protect themselves by using safer operating systems and safer browsers.

For anyone who isn’t part of the information technology world, it’s perhaps surprising how many coding errors are made in software. The net effect is that all commercial software has errors, or bugs – despite the strong efforts of software developers and vendors to ensure that it doesn’t. While many bugs affect the functionality or look and feel of software, there is a small class of bugs that are usually described as security bugs. These have the effect that, if your PC has one, a criminal can force it to run software that will give him full control over what your PC does. In the Information Security world, we call this “Game Over.”

I can’t emphasize enough how bad this can be. This is not just “spyware” or “adware” that can slow your PC down and interfere with your browsing experience. Rather, criminals could download software onto your PC that steals the userIDs/passwords to all of your e-commerce or banking sites. Or, they could steal enough information that they are able to impersonate you – i.e. commit identity theft. The obvious question is, therefore, “How can I defend myself against this kind of criminal attack?”

I’m not going to cover the whole topic here. But one important principle I’d like to leave you with is this: simply using software that’s up-to-date and has all of the known security bugs patched makes you much safer. As I hinted in the first paragraph, there are a couple of things you can do to make this happen – and I strongly recommend that you do both.

One way is to use a safer operating system. From the Windows family of OS’s, these would be either Windows XP – with Service Pack 2 – or Windows Vista. In both cases, the auto-update feature of Windows Update should be enabled. On the Mac, the safer variants are Mac OS X “Tiger” (10.4) or “Leopard” (10.5). Not only do these OS’s have far fewer bugs than previous versions, but also they have an automatic update feature that ensures that you will get the security fix installed on your PC very soon after a particular fix is published. That alone will make a huge difference in your online security.

Another way is to use a safer browser. My colleague, Larry Friedberg, has recently created an area within the PayPal Security Center dedicated to educating you on safer browsers. In short, “safer browsers” are modern browsers, such as Microsoft's Internet Explorer 7.0 or Firefox 2.0 and above. The reason that we think these browsers are so important is that they both contain explicit features which help protect you from criminal activities. They both contain features which stop your browser from being directed to a “spoof site” - that is, a site which pretends to be that of an organization or company that you regularly do business with. And, IE 7 also contains support for a very geeky sounding feature called “extended validation SSL certificates” which cause the browser address bar to glow with a green background color when you are using the real PayPal site, for example. Support for this latter feature will be extended into Firefox with version 3.0 – and for all those Firefox fans, we recommend you upgrade to 3.0 when it becomes available.

There’s a lot more I can tell you about how to protect yourself online, and in future postings I hope to cover more of that ground with you.

-Michael

Source : The Paypal Official Blog

Paypal - Let’s Fight Phishing Together

Hi, I’m Larry Friedberg, senior manager of Brand Marketing and Security at PayPal.

Can you spot a phishing email? Sometimes, it can be pretty easy. Perhaps there are obvious spelling mistakes. Or maybe it asks you to click on a link, expressing an urgent need to update your financial information. But more often than not, it’s hard to tell a real email from a fake.

Phishing is a huge problem for consumers and merchants. Last week, Consumer Reports issued a press release suggesting that consumers lost over $2 billion due to phishing scams in the past two years.

I’m sure it’s no surprise to you that we hate phishing. We hate it, because fraudsters are using our brand to dupe you into giving out your personal or financial information. So, we do a lot behind the scenes to go after the fraudsters and to increase your safety when using PayPal. But we realize we can’t do this alone.

At PayPal, we believe that consumer education is critical to our effort to put a dent in phishing. One of the most recent educational campaigns we’ve introduced is the PayPal Fight Phishing Challenge . Go ahead and give it a try. Test your own knowledge of phishing and see if you can score a perfect five out of five. If you do get all five questions correct, send the Challenge over to your friends and family and encourage them to try it. And please let me know what you think of the Challenge -- we’re always looking for ways to improve our education and keep you one step ahead of the fraudsters.

- Larry

Source : The Paypal Official Blog

The PayPal Security Key

Hello, I'm Bob Palacios, Senior Product Manager for Two-factor Authentication here at PayPal. This past summer, we introduced the PayPal Security Key to PayPal and eBay customers in select regions around the world and consumer response has been overwhelmingly positive.

While PayPal remains highly secure, the PayPal Security Key is an excellent tool for anyone who wants to add an extra layer of protection to their account. Watch the video below to see a quick demonstration of how the key works and if you’re interested, you can get your PayPal Security Key by signing up here.



Source : The Paypal Official Blog

Yahoo!, PayPal and eBay Fight Phishing Together

Hello again, this is Michael Barrett, the CISO for PayPal. I’m back this time to talk about another critical aspect to online safety: safe e-mail. We hear from many of our customers that you don’t like getting all those e-mails that “we” send to you, and “why can’t you do something about it?” I am, of course, referring to phishing e-mail, wherein criminals send out millions of e-mails every day purporting to be from the Internet’s most popular brands, including PayPal and eBay.

Today we announced a new effort with Yahoo! that, through a technology called DomainKeys, automatically detects and blocks these phishing e-mails from ever reaching your Yahoo! Mail inbox. After all, it’s hard to be victimized by a phishing e-mail if you never receive it.

We’re extremely excited that Yahoo! has taken this huge step forward to help protect consumers on the Internet. Many of PayPal’s and eBay’s customers use Yahoo! Mail, so today’s announcement translates into enhanced online safety for millions of customers. In other words, from now on, if you have a Yahoo! Mail e-mail address, you will see a dramatic reduction in the amount of e-mails which purport to come from PayPal and eBay, but which aren’t in fact from us.

There are about half a dozen large Internet service providers around the world which between them operate nearly fifty percent of the world’s e-mail addresses. We’re working with all of them to implement similar technology to what we announced with Yahoo!. Stay tuned for more news from us on this front.

As CISO, I’m paid to be paranoid, so of course there is a caveat here. As I’ve said before, security on the Internet is a classic arms race, and the criminals are always looking for ways to get around everything we do to protect you. For that reason, I still encourage you to follow all of the general safe e-mail rules regardless of whatever e-mail provider you choose – don’t click on links in e-mail, don’t provide personal or financial information in response to e-mail, and don’t download attachments in e-mail. If you haven’t seen it yet, some of you might find my last video blog post helpful in educating yourself about the warning signs of phishing email.

As usual, these few paragraphs don’t cover all of the things we’re doing to keep you safe online or all of the things you need to know. You will hear from more people on the PayPal security team in the coming weeks with more news, tips and tricks to help you stay safe online. In the meantime, let me know what you think of today’s news!

- Michael

Source : The Paypal Official Blog

Avoiding Phishing Emails with Iconix

Hello, it's Michael Barrett again, PayPal's CISO. I'm here to share more ways that you can protect yourself from phishing and identity theft.

As I’ve written before, we’re actively working with the leading Internet service providers (ISPs) to prevent fraudulent email from getting into your inbox. We’re doing this today for consumers using Yahoo! Mail and are implementing this same basic idea with a handful of the other large ISPs. Although I don’t have anything to announce today, we’re expecting more progress in the months ahead. Including Yahoo!, collectively these ISPs represent 50% of the world’s email addresses. After all, it’s hard to get phished if you never receive the email in your inbox. But the obvious question is “What happens if I don’t use one of those ISPs?”

Today, we launched Iconix eMail ID – it’s a free, downloadable tool that helps you visually identify legitimate PayPal email. We’ve been beta testing the software for nearly a year with a select group of customers and the feedback has been overwhelmingly positive. As you can see in the picture below, the tool places an Iconix eMail ID icon in your inbox next to the email. It works with all of the popular webmail clients, as well as with the popular PC email programs. It also identifies trusted email from hundreds of senders, including PayPal and eBay.

To download the Iconix tool, just click here.

I know that not everyone likes to download software onto their PCs. But if you are ok doing this, I recommend that you download the Iconix plug-in and try it out - it really will help protect you against phishing emails.

Source : The Official Paypal Blog

Managing Chargebacks on PayPal

Hi merchants, I’m Colin Rule, the director of online dispute resolution here at PayPal. I hope that you’re on your way to a great holiday sales season. I’m back again to talk about how to handle chargebacks with PayPal.

Chargebacks are a perennial hot topic for PayPal sellers. Get any group of merchants together and ask them about their primary concerns, and you’re sure to hear something about chargebacks. And during the holiday season when sales go up, so does the risk of receiving chargebacks. But before we proceed, let me spend a moment clarifying exactly what a chargeback is.

Many misunderstandings persist around the difference between PayPal’s complaint processes and credit card chargebacks. The word “chargeback” is sometimes used inaccurately to indicate any buyer complaint against a PayPal seller. I’ve had several sellers tell me that they had a chargeback, only to later learn that the buyer had in fact filed a PayPal Buyer Protection claim.

To be specific, a chargeback is the result of a buyer contacting his or her credit card company asking to reverse a charge that had been placed on the card. The credit card company then asks the buyer what kind of chargeback this is: did the buyer not authorize the purchase? Did an item they ordered not arrive? Or did the item delivered not look at all like the item they bought? Most card companies immediately assume the buyer is right, so they grant the chargeback without too much rigmarole. Then they inform PayPal that a chargeback has been filed. PayPal passes along this information to you, and the payment is reversed.

This chain of events a chargeback creates is often a frustrating experience for our merchants – especially if it’s the first time they’ve received a chargeback. Oftentimes, I hear that sellers think that PayPal is responsible for filing the chargeback, because they are informed of the chargeback by us. In truth, we’re just the messenger in this scenario.

Buyers cannot file a chargeback on the PayPal site. Instead, they must file directly with their credit card company. The chargeback process is not designed nor maintained by PayPal, so we can’t change it or reject it. Everyone who accepts, issues or processes credit cards has to abide by these rules - from sellers on eBay to huge retailers like WalMart or Target.

Now it’s important to note that within these rules, sellers can dispute any chargeback. One of the benefits of selling with PayPal is that our chargeback specialists will review any chargeback claim made against you and file a dispute on your behalf if you disagree with the chargeback reason offered by the buyer.

The best way to deal with chargebacks is, of course, to avoid having transaction problems in the first place. In other words, your good customer service and business practices are the best way to prevent a chargeback. For some tips on selling best practices, see my previous posts here and here.

However, chargebacks are an inevitable reality of selling online. If you do get a chargeback, a couple pieces of information can be extremely helpful if you want to dispute it. Proof of delivery, such as online tracking offered by both USPS and UPS, can be critical evidence in reversing the chargeback. A copy of the buyer’s signature confirming receipt can also be extremely effective. Finally, if you did refund the buyer at any point in time, proof of the refund (and/or the shipment of a replacement item) is important. Of course, if you used the PayPal refund tool, we already have the evidence needed to fight the chargeback on your behalf.

Most eBay sellers understand the risks associated with doing business online. Most sellers have set up processes or thought through how to handle these typical business problems, but many sellers on eBay haven’t had the experience of running an online business, or even a face-to-face retail store. In reality, as large merchants have understood for a long time, selling (whether as an eBay seller or a large brick and mortar retailer) always involves some risk. Online, there’s always the possibility that an item will get returned, a shipment will be lost, or even that a buyer may attempt fraud (such as payment with a stolen credit card). Offline, there’s shoplifting, bounced checks, counterfeit currency, returned merchandise, or payments from stolen credit cards.

Businesses grow by understanding how to balance risk with profit. Being too risk averse may limit your buyer pool, and in turn, your total sales volume. Not being risk aware opens you to problems such as chargebacks. Managing these risks intelligently may involve exposing yourself to more chargebacks, but the tradeoff may in fact be worth it.

In some cases, PayPal proactively protects you against chargebacks through our free Seller Protection Policy. The Policy covers shipments of physical goods against claims of unauthorized payment or false non-receipt. As long as you ship to a confirmed address within seven days of payment and get online proof of delivery for your shipment, we will protect you against non-receipt and unauthorized chargebacks. In essence, by following good selling practices and good customer service as captured in the steps of the Seller Protection Policy, you’re giving us the information to dispute the chargeback and re-present the charge on your behalf. The best thing about Seller Protection is that even if the re-presentment of the charge is denied by the credit card company, you keep your money.

Chargebacks are an unfortunate part of life for sellers, both online and offline. However, by getting into the habit of following good seller practices and by working with your customers to resolve their issues and concerns, you can significantly reduce the likelihood that you’ll get a chargeback. In the process, you’ll also increase the odds that you’ll be vindicated should one be filed against you.

I'll be back again soon to discuss best practices for resolving other types of disputes. In the meantime, please feel free to share any tips you may have for avoiding and managing chargebacks.

Source : ThePayPalBlog

Best Practices for Resolving Disputes on PayPal

So you’ve followed the advice in my prior blog entries, and then one day, lo and behold, you still receive a PayPal dispute. Well, don’t panic. It happens to the best of us. Fortunately, resolving disputes on PayPal isn’t all that complicated. Just follow some of these best practices and you’ll work out most problems without a hitch.

Communication is key

First, I’ve heard from dozens of experienced buyers and sellers that communication is the key to resolving disputes. Once your buyer has expressed a concern or filed a dispute, the best way to respond is to communicate each step of the way in a respectful and courteous manner. It’s better to over communicate than under communicate.

Presume good faith

It’s also very important to start out the process by presuming good faith from the buyer. Don’t assume the buyer is acting unfairly or with bad intentions until you’re certain that’s the case. Most transaction problems result from miscommunication or mistaken assumptions. In your emails and messages, try to focus on the situation you want to resolve and potential solutions -- not your assessment of the character of the other side. It may feel temporarily satisfying to chastise your buyer when you think they’ve acted inappropriately, but it almost always makes the situation more difficult to resolve.

Threats and insults backfire

In the hundreds and hundreds of disputes I’ve reviewed, it is very clear that threats and insults almost always backfire. Threatening a buyer usually stiffens their resolve and makes them less accommodating and cooperative. Escalating to threats can lead to negative outcomes in potentially resolvable situations. In fact, sometimes the “winner” loses in the end, when you factor in wasted time, brand damage, negative feedback, etc.

Look for creative solutions

Think of win-win outcomes where you both get what you’re looking for. Instead of presuming that any gain for your buyer is a loss for you, focus on the goals you share. If you sell the item at a fair price and the buyer gets an item they desire, for example, then you both walk away happy.

Remember the big picture

I’ve seen many sellers get caught up in the “principle” of the issue, insisting upon an apology and an acknowledgment of wrongdoing from the other side, even if the dispute is over a somewhat trivial amount of money. Try not to get caught up in the emotions of the moment – remember, this is just one transaction among many. Make clear to the buyer from the start that you see the problem as resolvable. If you model good behavior, they’ll usually respond by acting the same way.

Be the expert

Be careful not to assume that all your buyers understand the ins and outs of their responsibilities and obligations. Many online purchases are made by buyers who are not savvy internet users. As a result, the best tone to take is usually a professional, knowledgeable one, calmly explaining the situation to the buyer from your perspective, but not in a patronizing way.

A good strategy for resolving disputes is to ask yourself a few questions, such as:

If you were an impartial observer, unaffiliated with either side, how would you suggest the disagreement be resolved?

If you look at the matter through the eyes of the other side, can you understand why they see things the way they do?

If you were in their shoes, how would you like to work out the problem?

The answers to these questions can point you toward a fair and reasonable outcome.

Nobody likes it when a transaction problem crops up. If you follow these simple tips, however, chances are that you’ll protect your reputation and get back to business quickly. I hope you had a great holiday selling season, and here’s to no transaction problems in 2008!

Source : ThePayPalBlog

Why Do I Feel Like Somebody’s Watching Me ?

Spyware is one of the fastest-growing internet threats. According to the National Cyber Security Alliance, spyware infects more than 90% of all PCs today. These unobtrusive, malicious programs are designed to slip past firewalls and anti-virus software without the user's knowledge. Once embedded in a computer, they can degrade the system's performance while gathering your personal information. Fortunately, unlike viruses and worms, spyware programs do not usually self-replicate.

Where does it come from ?

Typically, spyware arrives in one of three ways. The first and most common is that the user installs it. In this scenario, the spyware is embedded in, attached to, or bundled with a freeware or shareware program without the user's knowledge. The user downloads and installs the program; once it is on the machine, the spyware component goes to work collecting data for the spyware author's own use or for sale to a third party. Be wary of P2P file-sharing programs in particular; they are notorious for bundling spyware with their downloads.

The user of a downloadable program should pay extra attention to the accompanying licensing agreement. Often the software publisher will warn the user that a spyware program will be installed along with the requested program. Unfortunately, we do not always take the time to read the fine print. Some agreements may provide special “opt-out” boxes that the user can click to stop the spyware from being included in the download. Be sure to review the document before signing off on the download.

Another way spyware gets onto your computer is by tricking you into defeating the security features designed to prevent unwanted installations. Internet Explorer was designed not to let websites start downloads on their own; the user has to initiate a download by clicking something. Those clicks can be engineered. For example, a pop-up styled after a standard Windows dialog box may appear, asking whether you would like to optimize your internet access. It offers Yes and No buttons, but no matter which one you press, the download containing the spyware begins. Newer versions of Internet Explorer make this pathway somewhat harder to exploit.

Finally, some spyware installs itself by exploiting security holes in the Web browser or other software. When the user visits a page controlled by the spyware author, the page contains code designed to attack the browser and force the installation of the spyware without any further action from the user.

What can spyware programs do?

Spyware programs can accomplish a multitude of malicious tasks. Some of their deeds are simply annoying for the user; others can become downright aggressive in nature.

Spyware can:

1. Monitor your keystrokes for reporting purposes.
2. Scan files located on your hard drive.
3. Snoop through applications on your desktop.
4. Install other spyware programs into your computer.
5. Read your cookies.
6. Steal credit card numbers, passwords, and other personal information.
7. Change your web browser's default settings, such as its home page.
8. Mutate into a second generation of spyware thus making it more difficult to eradicate.
9. Cause your computer to run slower.
10. Deliver annoying pop up advertisements.
11. Add advertising links to web pages so that the page's author is no longer paid for click-throughs. Instead, the payment is redirected to the spyware author, who replaced the original affiliate identifiers with their own.
12. Provide no uninstall option and hide copies of itself in unexpected places on your computer, making it difficult to remove.

Spyware Examples

Here are a few examples of commonly seen spyware programs. Please note that while researchers will often give names to spyware programs, they may not match the names the spyware-writers use.

CoolWebSearch, a group of programs that install through “holes” found in Internet Explorer. These programs direct traffic to advertisements on Web sites including coolwebsearch.com. This spyware nuisance displays pop-up ads, rewrites search engine results, and alters the computer's hosts file, which the operating system consults before it ever queries the Domain Name System (DNS), so that lookups for selected names resolve to addresses of the author's choosing.
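The hosts-file hijack described for CoolWebSearch above is easy to check for by hand, and just as easy to script. The following is an added example written for this page, not code from the original article or from any anti-spyware product. The hosts file contents and the list of watched domains are constructed for the demonstration, and the 192.0.2.0/24 addresses are the RFC 5737 documentation range standing in for an attacker's server.

```python
import ipaddress

# Constructed sample hosts file (example data, not taken from a real machine).
# The first two mappings are normal; the rest mimic what a browser hijacker such as
# CoolWebSearch drops: search engines and a security vendor pointed at an attacker
# address, and the vendor's update server blackholed so the scanner cannot update.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
192.0.2.44      www.google.com
192.0.2.44      search.yahoo.com
192.0.2.44      www.symantec.com   # hijacker: AV vendor sent to attacker page
127.0.0.1       securityresponse.symantec.com
"""

# Domains whose presence in a hosts file is suspicious no matter where they point:
# a home user has no legitimate reason to pin search engines or AV update servers.
WATCHED_SUFFIXES = ("google.com", "yahoo.com", "msn.com", "symantec.com",
                    "mcafee.com", "sophos.com", "windowsupdate.com", "microsoft.com")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for each mapping in a hosts file.

    Comments ('#' to end of line) and blank lines are skipped; one address may be
    followed by several hostnames on the same line, as the hosts format allows.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address field; not a usable mapping
        for host in fields[1:]:
            yield line_no, ip, host.lower()


def find_hosts_hijacks(text, watched=WATCHED_SUFFIXES):
    """Return findings for entries that look like a hosts-file hijack.

    Two patterns are flagged:
      * a watched domain mapped to a routable address: lookups for it never reach
        DNS and land on whatever the attacker put there;
      * a watched domain mapped to loopback: the classic way to block AV update and
        signature servers so the spyware cannot be removed.
    Genuine localhost lines and user-added entries for other names pass.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if not any(host == s or host.endswith("." + s) for s in watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            reason = "watched domain blackholed to loopback (blocks updates/removal)"
        else:
            reason = f"watched domain redirected to {ip}"
        findings.append({"line": line_no, "ip": str(ip), "host": host, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_hosts_hijacks(SAMPLE_HOSTS):
        print(f"line {f['line']:>3}: {f['host']:<32} -> {f['ip']:<12} {f['reason']}")
```

On Windows the file is %SystemRoot%\System32\drivers\etc\hosts; on Unix-like systems it is /etc/hosts. Read the real file and pass its contents to find_hosts_hijacks in place of SAMPLE_HOSTS. The loopback case matters as much as the redirect case: blackholing the vendor's update servers is how spyware keeps the scanner from ever learning about it.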

Internet Optimizer (a/k/a DyFuCa) redirects Internet Explorer error pages to advertisements. When the user follows a broken link or enters an erroneous URL, a page of advertisements pops up in place of the error page.

180 Solutions reports extensive information to advertisers about the Web sites which you visit. It also alters HTTP requests for affiliate advertisements linked from a Web site. Therefore the 180 Solutions Company makes an unearned profit off of the click through advertisements they’ve altered.

HuntBar (a/k/a WinTools) or Adware.Websearch, is distributed by Traffic Syndicate and is installed by ActiveX drive-by downloading at affiliate websites or by advertisements displayed by other spyware programs. It’s a prime example of how spyware can install more spyware. These programs will add toolbars to Internet Explorer, track Web browsing behavior, and display advertisements.

How can I prevent spyware ?

There are a couple of things you can do to prevent spyware from infecting your computer system. First, invest in a reliable anti-spyware program. There are several on the market, including stand-alone packages such as Lavasoft's Ad-Aware or Windows Antispyware. Others bundle anti-spyware into an anti-virus package; Sophos, Symantec, and McAfee all offer this. Anti-spyware programs combat spyware through real-time protection, scanning, and removal of anything found. As with anti-virus software, update the signatures frequently; a scanner that only knows last month's spyware will miss this month's.

As discussed, Internet Explorer (IE) is often a contributor to the spyware problem: spyware frequently targets IE's weaknesses and hooks into its functionality, for example by adding toolbars. Because of this, many users have switched to non-IE browsers. If you prefer to stick with Internet Explorer, be sure to apply security patches promptly, and only download programs from reputable sources. This will reduce your chances of a spyware infection.

And, when all else fails ?

Finally, if your computer has been infected with a large number of spyware programs, the only solution you may have is backing up your data, and performing a complete reinstall of the operating system.

The Advancement of the Keylogger

A keylogger is a program that runs in your computer’s background secretly recording all your keystrokes. Once your keystrokes are logged, they are hidden away for later retrieval by the attacker. The attacker then carefully reviews the information in hopes of finding passwords or other information that would prove useful to them. For example, a keylogger can easily obtain confidential emails and reveal them to any interested outside party willing to pay for the information.

Keyloggers can be either software or hardware based. Software-based keyloggers are easy to distribute and install, but are also easier to detect. Hardware-based keyloggers are more complex and harder to detect: for all you know, your keyboard could have a keylogger chip attached, with everything you type recorded into flash memory sitting inside the keyboard. Keyloggers have become one of the most powerful tools for gathering information in a world where encrypted traffic is becoming more and more common, because they capture what you type before it is ever encrypted; an SSL connection to your bank does nothing against a logger sitting beneath the keyboard driver.

As keyloggers become more advanced, detecting them becomes more difficult. They can violate a user's privacy for months, or even years, without being noticed, and in that time collect a great deal of information about the user being monitored. A keylogger can potentially obtain not only passwords and login names, but credit card numbers, bank account details, contacts, interests, web browsing habits, and much more. All of this can be used to steal the user's personal documents, money, or even their identity.

A keylogger might be as simple as an .exe and a .dll that is placed in a computer and activated upon boot up via an entry in the registry. Or, the more sophisticated keyloggers, such as the Perfect Keylogger or ProBot Activity Monitor have developed a full line of nasty abilities including:

• Undetectable in the process list and invisible in operation
• A kernel keylogger driver that captures keystrokes even when the user is logged off
• A remote deployment wizard
• The ability to create text snapshots of active applications
• The ability to capture HTTP POST data (including logins/passwords)
• The ability to timestamp records of workstation usage
• HTML and text log file export
• Automatic e-mail log file delivery
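The "an .exe and a .dll activated on boot via a registry entry" case above is the one most worth checking for, because it is where the simplest keyloggers live. Below is an added example, not code from the original article or from either product it names: it parses a registry export of the Run keys and flags entries whose program sits in a user-writable temp directory or borrows a system binary's name outside the Windows directory. The .reg text, the user name alice, and the entry names are all constructed for the demonstration.

```python
import re

# Constructed .reg export (example data, not from a real system) of the two Run keys
# Windows executes at logon. The "OneDrive" and "SecurityHealth" lines are what
# legitimate entries look like; "svchost" and "KeyLog" mimic what a simple keylogger
# drops: an .exe in a user-writable temp directory, one of them borrowing the name
# of a system binary that really lives in C:\Windows\System32.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost"="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe"
"KeyLog"="\"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\kl.exe\" -hide"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
'''

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"="data": both sides may contain \" and \\ escapes, so match escape pairs as units.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")
# Windows binaries that malware likes to impersonate; the real ones live under C:\Windows.
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "explorer.exe", "services.exe"}


def reg_unescape(s):
    """Undo .reg string escaping: a backslash escapes the character after it."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_entries(reg_text):
    """Yield (key, value_name, command) for string values under Run/RunOnce keys."""
    current_key = None
    for line in reg_text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None or not current_key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        m = VALUE_RE.match(line)
        if m:
            yield current_key, reg_unescape(m.group("name")), reg_unescape(m.group("data"))


def executable_path(command):
    """Extract the program path from a command line ('"quoted path" args' or 'path args')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    # Unquoted: assume the path itself has no spaces (an unquoted path with spaces
    # is a separate misconfiguration, not this check's concern).
    return command.split(" ", 1)[0]


def suspicious_autoruns(reg_text):
    """Return Run-key entries that match the two cheapest keylogger tells."""
    findings = []
    for key, name, command in parse_run_entries(reg_text):
        path = executable_path(command)
        low = path.lower()
        basename = low.rsplit("\\", 1)[-1]
        reasons = []
        if "\\temp\\" in low or "\\downloads\\" in low:
            reasons.append("runs from a user-writable temp/download directory")
        if basename in SYSTEM_BINARY_NAMES and not low.startswith("c:\\windows\\"):
            reasons.append("system binary name outside the Windows directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {f['path']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a real machine, `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the same for HKLM) produces a file in this format; reg.exe writes it as UTF-16, so open it with encoding="utf-16" before passing the text in. Run and RunOnce are only two of many autostart locations (services, Winlogon, scheduled tasks), so a clean result here rules out the lazy case, not the machine.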

Not all keyloggers are used for illegal purposes. A variety of other uses have surfaced. Keyloggers have been used to monitor the web sites children visit as a means of parental control, and to keep children away from child pornography and other dangerous elements on the web. Additionally, in December 2001, a federal court ruled that the FBI did not need a special wiretap order to place a keystroke logging device on a suspect's computer. The judge allowed the FBI to keep the details of its key logging device secret, citing national security concerns. The defendant in the case, Nicodemo Scarfo Jr., indicted for gambling and loan-sharking, had used encryption to protect a file on his computer. The FBI used the keystroke logging device to capture Scarfo's password and gain access to the file.

Surfing the Web Anonymously

When you surf the web it is possible for others to learn information about you even when you don't want to advertise who you are. This is true even if your system contains no virus or other malware. Information that is easily available to the sites you visit includes your IP address, your country (and often a finer location derived from the IP address), what operating system you are running, what browser you use, the page you came from, in some cases parts of your browsing history, and other details. It gets worse. People can get your computer's name, and even your own name if your machine runs services like finger or identd. Also, cookies can track your habits as you move from site to site.

How do people get this basic information about you?

When you visit a web site, your browser hands over much of this information itself: your IP address is on every packet, the User-Agent header names your browser and operating system, the Referer header names the page you came from, and any cookie the site set earlier comes back with the request. The site's logs record all of it, and whoever reads those logs (the site operator, an advertiser whose content is embedded in the page, or an attacker who has compromised the server) can use it to track your Internet activities.

How do you stop this from happening?

First of all, it is possible to surf the web anonymously and thereby stop leaving a trail for others to find. This is not fool-proof, but it makes it much harder for people to know who you are. Products called anonymous proxy servers help protect you: the proxy fetches pages on your behalf, so the site sees the proxy's Internet address in place of yours. This hides your IP address and makes it much harder for people to track you.

How do I get an anonymous proxy server?

There are many vendors who sell anonymous proxy servers. There are also free proxy servers available to you. Two such products are ShadowSurf and Guardster. Guardster offers various services for anonymous and secure access to the web, some paid as well as a free service. ShadowSurf provides anonymous surfing at their site for free. Go to it and you will find a box to enter a URL that you want no one to track. There are many others, but here are two that are frequently used.

Another interesting product, given the recent news about the Google search engine filtering its results for the Chinese government, is Anonymizer. This company, among others, announced recently (Feb 1st, 2006) that it "is developing a new anti-censorship solution that will enable Chinese citizens to safely access the entire Internet filter-free".

Does an anonymous proxy server make you 100% safe?

No. The proxy operator sees everything you send through it, so you are trusting them instead of the sites you visit. Many proxies also pass your real address along to the destination in a Via or X-Forwarded-For header, which defeats the purpose. And anything that identifies you inside the request itself, such as a login or a cookie the site set before you started using the proxy, identifies you just as well through a proxy. Still, you are much better off if you use such technology.
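To make concrete both what a site learns from a visit and why the answer above is "no", here is an added example, not code from the original article or from any of the proxy services it names. It parses a raw HTTP request the way a server-side log analyzer would and reports the profile it yields. The three requests, the addresses (RFC 5737 documentation ranges) and the proxy hostname are constructed for the demonstration, and the anonymizing-proxy case assumes the proxy forwards the client's own headers unchanged apart from the connection address.

```python
# Constructed HTTP requests as a web server receives them (example data). The client
# in every case is 192.0.2.10; the proxy, where one is used, is 198.51.100.5.
DIRECT_REQUEST = (
    "GET /article.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Referer: http://www.example.com/index.html\r\n"
    "Cookie: sid=7f3a9c; visits=12\r\n"
    "\r\n"
)
# Relayed by a "transparent" proxy: the TCP peer is now the proxy, but it announces
# itself and passes the original address along in standard headers.
TRANSPARENT_PROXY_REQUEST = DIRECT_REQUEST.replace(
    "\r\n\r\n",
    "\r\nVia: 1.1 proxy.example.net\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n",
)
# Relayed by an anonymizing proxy: the client's headers, nothing added (assumption).
ANON_PROXY_REQUEST = DIRECT_REQUEST


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers-by-lowercase-name)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    return cookies


def os_from_user_agent(ua):
    """A few substring hints of the era; real analyzers carry large User-Agent tables."""
    hints = (("Windows NT 6.0", "Windows Vista"), ("Windows NT 5.1", "Windows XP"),
             ("Mac OS X", "Mac OS X"), ("Linux", "Linux"))
    for needle, label in hints:
        if needle in ua:
            return label
    return "unknown"


def what_the_server_learns(peer_ip, raw_request):
    """Build the profile a site (or anyone reading its logs) gets from one request."""
    _method, target, h = parse_request(raw_request)
    proxy_headers = {k: h[k] for k in ("via", "x-forwarded-for", "forwarded") if k in h}
    xff = h.get("x-forwarded-for")
    return {
        "peer_ip": peer_ip,
        # The address the visit gets attributed to: the X-Forwarded-For origin if a
        # proxy disclosed it, otherwise the peer itself. XFF is client-settable, so a
        # careful analyst treats it as a hint rather than proof.
        "attributed_ip": xff.split(",")[0].strip() if xff else peer_ip,
        "via_proxy": bool(proxy_headers),
        "proxy_headers": proxy_headers,
        "path": target,
        "os": os_from_user_agent(h.get("user-agent", "")),
        "user_agent": h.get("user-agent"),
        "languages": h.get("accept-language"),
        "came_from": h.get("referer"),
        "cookies": parse_cookies(h.get("cookie", "")),
    }


if __name__ == "__main__":
    for label, peer, req in (("direct", "192.0.2.10", DIRECT_REQUEST),
                             ("transparent proxy", "198.51.100.5", TRANSPARENT_PROXY_REQUEST),
                             ("anonymizing proxy", "198.51.100.5", ANON_PROXY_REQUEST)):
        p = what_the_server_learns(peer, req)
        print(f"{label:<18} peer={p['peer_ip']:<13} attributed={p['attributed_ip']:<13} "
              f"os={p['os']} cookies={p['cookies']}")
```

The transparent-proxy case is the trap: the TCP peer is the proxy, but the Via and X-Forwarded-For headers it adds hand the server the original address anyway. The cookie dictionary is why deleting cookies after each session matters: the sid value ties this request to every earlier one that carried it, proxy or no proxy.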

What other things should I be concerned about when trying to keep my private information private?

Three other items come to mind when trying to keep your information private. First, you can use an encrypted connection to hide your surfing from anyone watching the network between you and the site. This article does not go into detail on this, but search the web and you will find a lot of information. Second, delete cookies after each session. Third, you can configure your browser to disable JavaScript, Java, and other active content. This breaks some sites, so you need to weigh the cost and benefit of this course of action.

Anything else?

Wishing you happy and safe surfing!