Video Screencast Help
Symantec to Separate Into Two Focused, Industry-Leading Technology Companies. Learn more.
Identity and Authentication Services

Putting order into things (Part I)

Created: 10 Dec 2008 • Updated: 08 Aug 2012
yeinav's picture
0 0 Votes
Login to vote

By Yohai Einav, Senior Fraud Analyst

A deserted street, night, a frightened old lady hops towards a policeman who just left the bar.
Old lady: "Please officer, this e-mail is trying to phish me!"
She shows a laptop to the Policeman.
Old lady: "My grandson gave it to me for my birthday, and he warned me of such things. Now it is trying to phish me!"
Policeman: "Let me see this".
The Policeman looks at the screen. He sees a phishing email.
Policeman: "Lady, do you have any idea what this is? This is identity theft! Wait a second; I must report this to my superiors right away!"

The policeman talks into his walkie-talkie:
Policeman: "Jim, I want to report an identity theft on 8th and Houston.... Yes, an old lady again.... Yes, her grandson... no, I didn't get the IP..."
The policeman leans toward the old lady.
Policeman: "You are lucky to still have your identity. Now go home and be sure to lock your firewalls."

The lady walks away. 2 minutes pass. Suddenly we see an old man running towards our policeman.

Old man: "It's a Trojan horse! He is coming for me!"

End of scene

(Taken from the new Harrison Ford movie, "Firewall 2: revenge of the firewall")

This scene (based on a true event), illustrates the pervasive confusion many of us suffer with all these security buzzwords flying around. This entry level post will try to answer such questions as "what do these buzzwords mean", and "how do they fit into a bigger picture".

Let's start with the bigger picture.

Bad people want your money
When bad people want your money they usually have such a plan in mind:
1. Steal your personal credentials
2. Penetrate your online financial accounts using these credentials
3. Move money from your accounts to other accounts
4. Take the money and run

That's the very big picture. Now let's get down to point [1] - steal your banking credentials. There are few common buzzwords that fall under this category: phishing, identity theft, Trojans.

"Identity theft" is certainly a very scary term: who wants his own personal identity to be stolen? How can you function as a human being without your identity? Well, you can't function, but luckily, the problem is not with you, but with the term. It is not inherently possible to steal an identity, only to use it. "Identity theft" is a misnomer, which actually has the meaning of our point [1] - bad people want to steal and use your credentials. So, when you are "a victim of identity theft", all it means is that bad guys stole some of your credentials - login, password, SSN, driving license number, birthday, etc.

Now, how can bad people steal your credentials? Two of the most popular means are also two of the most popular buzzwords -

Phishing and Trojans.
Phishing and Trojans are two ways of stealing your credentials. Phishing does it using mostly social engineering, while Trojans uses brutal force, and less social engineering. In a "phishing scam" (a.k.a "phishing attack") you receive a fake email, navigate from it to a fake banking site, and there, typically if you are a naïve person, you give away your credentials to the bad guys. And that's it.

In a Trojan scam, your computer gets infected with a Trojan horse - a type of malicious software which makes your computer perform undisclosed malicious functions; one of these malicious functions is to send personal credentials that were found on your computer to the bad guys. The exact techniques of how this is done are out of scope here, but the important thing is that you, the victim, give away your credentials without knowing you're doing so.

So we have two very different techniques that achieve the same goal - stealing credentials ("identity theft"). Yet the ways to protect yourself from these vicious means are completely different. In order not to be a victim of phishing you simply need to be less naïve and more aware of the threats of phishing. You could use software tools that filter and warn about phishing, but if you fall to social engineering, this wouldn't help you.

Trojan protection doesn't require a personality change. You can remain naïve, but you must install an anti-trojan/anti-virus software on your PC, and keep it updated at all times. In 99% of the cases, this ensures that no behind-the-scenes malicious function action is being performed on your computer.

So what should you do if an email tries to phish you in the middle of the night?

Exactly, call the cops.