Beware of Phishing Scam
Phishing scams attempt to trick people into providing sensitive personal information, such as the login name and password for online banking.
To carry out this trick, the phishing scammers send a fraudulent e-mail disguised as an official request for information from the targeted company, which in this case is Maybank2U.
Read more at Beware Of Phishing Website and How to Protect Your Credit Card from Identity Theft.
The fraudulent e-mail uses convincing words to trick people into clicking a link that opens the phishing website, or fake e-banking website.
This is a sample of the phishing e-mail content that I received:
Important Update
Date: 10/01/2010
We employ appropriate technical security measures to protect your personal information and ensure that it is not accessed by unauthorised persons. Information storage is on secure computers in a locked information centre and information is encrypted wherever possible.
Our security procedures also provide that we may request proof of identification before we will release personal information to you. We undergo periodic reviews of our security policies and procedures to ensure that May Bank systems are secure and protected
However, your account have been flagged by our security team. We therefore require additional information in order to restore full access to your online banking account
click here to proceed
Failure to comply to the instructions stated above might lead to permanent service suspension.
When the link “click here to proceed” is clicked, it brings you to a look-alike website that is designed to closely resemble the official Maybank2U site.
The fake website may appear almost identical to the official site. Style, logos, images, navigation menus and other structural components may look the same as they do on the genuine website.
* Never click on a Web link within an e-mail. Instead, type the link manually.
* Do not EVER respond to e-mails that ask you to go to a website to verify personal (and credit card) information.
Remember, the bank would NEVER send any e-mail, SMS or make telephone calls to customers to request personal details, account details or a TAC number!
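The “click here to proceed” trick works because the visible link text says nothing about where the link goes. The following added example (not part of the original post) pulls every link out of an HTML e-mail and flags any whose real host is not the bank's; the trusted host list and the sample link target are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the hosts the bank uses for e-banking, based on the name in this post.
TRUSTED_HOSTS = {"maybank2u.com", "www.maybank2u.com"}

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML e-mail."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def audit_links(html_body):
    """Return (href, text, reason) for every link that should not be trusted."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()  # hostname ignores any user@ prefix
        if host not in TRUSTED_HOSTS:
            reason = "host is not the bank's domain"
            if "maybank" in host:
                reason = "look-alike host containing the brand name"
            findings.append((href, text, reason))
        elif parts.scheme != "https":
            findings.append((href, text, "trusted host but not HTTPS"))
    return findings

# Constructed sample: wording from the e-mail quoted above, with a made-up link target.
SAMPLE_EMAIL = """<p>However, your account have been flagged by our security team.</p>
<p><a href="http://maybank2u.com.secure-update.example/login">click here to proceed</a></p>
<p><a href="https://www.maybank2u.com/">Maybank2u</a></p>"""

if __name__ == "__main__":
    for finding in audit_links(SAMPLE_EMAIL):
        print(finding)
```

The check compares the whole host name, so a brand name used as a subdomain of an unrelated domain, or placed before an `@` in the URL, is still flagged.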
Woman loses RM1,900 from online account
—————————————–
ONLINE banking is a convenience to many busy people. However, it brought misery to a 26-year-old woman, who wished to be known only as Jenn, who lost RM1,900 from her one-month-old account on Dec 2.
Jenn said the amount was transferred to a third party account without her knowledge after she had logged into the bank’s system using her logon and password.
“One morning in early December, I received an email from Maybank stating that I had a login with an incorrect password in the Maybank system.
“After closing the email, I logged into the system and entered the correct password that it needed.
“However, on the afternoon of the same day, I received an SMS from Maybank2u.com that RM1,900 from my account that I had opened at the Maybank Taman Midah branch had been transferred to a third party account,” Jenn said at a press conference called by Bukit Bintang MP Fong Kui Lun.
She has since lodged a police report at the Batu 9 Cheras police station.
In the police report, she said when she went to the branch at 2pm the same day, a bank officer named Raymond Lim had given her the funds transfer statement in which she saw that her money had been transferred to an account belonging to a Malay woman named Mayana Muhamad.
Jenn called up the Maybank headquarters to seek an explanation on the issue, and was disappointed that the personnel were not helpful and only provided a written reply to her one month later.
“I had been using another bank, where security was much tighter, before using Maybank’s online banking when I changed job,” she said, adding that she had created the account only in November.
“The RM1,900 was almost all my savings! The officer in the headquarters told me that the police investigation must be completed before action could be taken.
“He also told me that although the bank had contacted the third party, the woman was not cooperating so they could not do anything. Would she cooperate if she is the culprit?” asked the frustrated Jenn, claiming that the bank personnel had even told her there was a queue of other fraud victims.
In Maybank’s written reply to Jenn, virtual banking cyber security manager Baizura Ahmad wrote that following a comprehensive investigation of the said transaction, they had found that a valid user name and password were used to access her account via Maybank2u.com.
“Our findings revealed that the internet banking username and password were used on Dec 2 to successfully make a login to your Maybank account via Maybank2u.com,” Baizura had stated.
“A Transaction Authorisation Code (TAC) was requested through your Maybank2u.com account and a valid TAC was successfully sent to your mobile number. This TAC was then used to create a favourite third party account, and subsequently, the amount of RM1,900 was made to the favourite third party account from your account on the same day.
“Based on our investigation into our system, our records showed there was no system failure, problem or any breach of security of Maybank2u.com in processing the above activities at the mentioned date and time involving the above account.
“In view of this, we very much regret to inform that the bank is unable to accede to your request of the said amount,” the reply said.
In the reply, the bank reiterated that it does not send any email, SMS or make telephone calls to customers to request for personal details, account details or TAC number.
“Customers are also reminded never to disclose their account and banking information to anyone. The bank provides safety information and alerts in Maybank2u.com as well as through our other delivery channels,” the reply stated.
Jenn said she felt helpless on the issue and had since terminated her online account with the bank.
Fong said he would be writing to Bank Negara on the urgent need to monitor the security of online banking.
“Since the matter involved a transfer within the same bank, and the person’s name and account number are known, there is no reason why the bank is unable to do anything.
“The money was transferred without the victim’s knowledge, so it is only right that settlement is made to her.
“I also hope the Finance Minister will respond to this as such a case can result in the public losing confidence in online banking,” he said.
fr:thestar.com.my/metro/story.asp?file=/2010/1/15/central/5451096&sec=central
Boosting the defence against DNS attacks
———–
The Internet domain name system is being made more secure.
EVERY time you use the Internet you are using the Domain Name System (DNS) without even realising it. The DNS is an incredibly important but completely hidden part of the Internet and it is fascinating.
Machines need numbers, called IP addresses, to refer to each other. However, it would be humanly impossible to remember all the IP addresses in the world. Readable names on the other hand, are easier to recall. Domainregistry.my is way easier to remember than 192.228.180.216, for example.
This is where the DNS comes in. It resolves domain names like domainregistry.my into IP addresses. It also acts as a database for all IP addresses currently in use, and no other database on the planet gets as many requests.
These records are stored in a number of domain name servers throughout the world, so no one single central database has to store and process billions of queries a day. There are three kinds of domain name servers — the root server, the authoritative server and the recursive (cache) server.
Let us start at your computer. Say you type “www.domainregistry.my” in your web browser. The query is first sent to a nearby cache server. If a similar query had been made before, the cache server would have the answer (IP address) and will send it back to your computer.
If the cache server does not have the answer, it will look for an authoritative server for all names that end in domainregistry.my. Upon receiving the answer the cache server will send it to your computer while caching the answer.
If the cache server is unable to locate the authoritative server, it will query the root server for a referral list of authoritative servers, send the query to one of these servers and receive the answer, which will be sent to you and cached at the same time. All this typically happens in less than a second.
However, due to the distributed nature of the DNS, its architecture has been built without security in mind and domain name servers can be subjected to attacks and breaches. e-Mail messages can be redirected and copied. Voice-over-Internet Protocol calls can be tapped.
In addition to that, server cache poisoning can be used to direct users to malicious websites, a process called “pharming.” These fake websites usually contain viruses or tools for stealing personal information.
Introducing DNSSEC
It’s estimated that 10% of servers in the network today are vulnerable to DNS attacks. To defend against such threats and attacks, deployment of Domain Name System Security Extensions (DNSSEC) is crucial.
DNSSEC allows for the digital signing of data, as security extensions, within the root, authoritative and cache servers. DNSSEC technology proves the answer you receive can be trusted because it:
• Validates and assures that the data was received from the authorised DNS server (data origin authentication);
• Validates and assures that the data received matches data on the origin DNS server and was not modified during transit (data integrity); and
• Validates that if the answer is not available, it is because the domain or website is genuinely not available (authenticated denial of existence).
In addition, DNSSEC is implemented at various name servers — the root, authoritative and cache — which are maintained by different parties, thus establishing chains of trust that ensure DNSSEC’s effectiveness.
This is the kind of protection that DNS desperately needs.
Where are we with DNSSEC?
ICANN (the Internet Corporation for Assigned Names and Numbers), the global non-profit organisation dedicated to keeping the Internet secure and stable, is working on signing the root server, with the goal for full DNSSEC deployment by July 1.
Although this is important for global deployment of DNSSEC, it is viable for DNSSEC to be effectively implemented within islands of trust, for example, on a national level.
Countries such as Brazil, Bulgaria, Czech Republic, Namibia, Puerto Rico, Sweden and Thailand already have DNSSEC in production, while generic Top-Level Domains (gTLDs), such as .org, .gov and .museum are also DNSSEC-ready.
In Malaysia, .myDomainRegistry is also preparing for DNSSEC deployment. Following the completion of a closed testbed, the organisation will be conducting the DNSSEC Public Trial, which aims to provide first-hand experience on the workings of DNSSEC, encourage adoption of the technology and improve current DNSSEC policies and end-user manuals.
.myDomainRegistry targets for DNSSEC deployment in Q4 this year. Key stakeholders play a very important part in creating a trusted network that will ensure the success of DNSSEC.
These include domain name server administrators of organisations that use the Internet for critical data, such as banks and online stores, and more importantly, Internet service providers (ISPs), who form an important part of the security infrastructure needed by DNSSEC.
Interested individuals and companies who wish to participate in .myDomainRegistry’s DNSSEC Public Trial can register at testbed.dnssec.my.
(Note: The author is technology and innovation manager at .myDomainRegistry.)
fr:star-techcentral.com/tech/story.asp?file=/2010/1/19/corpit/20100119104931&sec=corpit
Cybercrime still a rising concern
KUALA LUMPUR: You are more likely to be a victim of cybercrime than getting your house broken into, according to security solutions provider Symantec Corp.
“You stand a one-in-thirty chance of having your house broken into but you stand a one-in-five chance of experiencing cybercrimes,” Symantec consumer business lead of Asia South Region, Effendy Ibrahim said at a recent press conference on cybercrime.
These cybercrimes involve the theft and abuse of personal information such as credit card numbers, he said, quoting a Consumer Reports 2009 study.
Choong Wai Hoong, Maybank Bhd’s consumer banking division executive vice-president and head of virtual banking said that 72% of local online scams last year involved people who knowingly gave away their credit card or online banking details.
However Choong did not reveal how many scams took place or how much it cost the consumer.
“The weakest link is consumer awareness,” he said.
Choong explained that people still fall for SMS scams which involve winning bogus contests.
“Some people just call the number provided on the SMS and willingly give out their credit card details to a stranger, as they actually believe that they won a cash prize,” he said.
Choong said that there are even cases of consumers going to the ATM and being guided over the phone by the scammers, on how to wire the money overseas.
Even professionals who earn five figure incomes fall for such scams, he added.
He advised the public not to volunteer information to people that they did not know.
“Even if the person identifies himself as a bank employee, he should be telling you your details, not the other way around,” he said.
fr:star-techcentral.com/tech/story.asp?file=/2010/3/16/technology/20100316162958&sec=technology
This is another type of e-mail scam!
It asks you to send money to “unlock” a huge sum of “money”!
————————
Pensioner loses RM124,000 to e-mail scam
KUALA TERENGGANU: A 55-year-old pensioner was duped of RM124,340 after he deposited the money into the account of a woman he met online.
The woman who called herself Catherine Khalifa claimed to be the daughter of a wealthy Libyan businessman who needed money to secure her release from a prison in Senegal.
In her e-mail, Khalifa promised that she would share half of her father’s savings of US$5.7mil (RM18.8mil) in Bank of Scotland upon her release from jail.
State Commercial Crime chief Superintendent Azmi Adam said yesterday the victim first received an e-mail from Khalifa in December last year.
The victim was provided with the account number where he deposited various amounts staggered over a month.
Supt Azmi said when the sender continued to demand for more money, the victim became suspicious and insisted that Khalifa return the money.
However, when there was no response from Khalifa, the victim decided to lodge a report about two weeks ago at the police headquarters here.
fr:thestar.com.my/news/story.asp?file=/2010/3/23/nation/5912357&sec=nation