
They say there’s one born every minute. Painfully, I have to tell you last Tuesday I happened to be that one. I left my office to go to my regular lunchtime stretching class and returned to find a security alert on my computer. My machine was infected. I needed to download the latest version of Internet Security 2010 to address these problems. What happened next was an education for me on the risks associated with eCommerce. Despite nearly 30 years in the IT industry, and an arrogant belief that I could spot an online hoax a mile off, I fell for this con trick hook, line and sinker.
I can assure you that the screen that greeted me looked highly plausible. Take a look at the picture at the top of this blog and ask yourself who you think authored this software. I mean it even has the Microsoft icon. Or does it? Who else but Microsoft could call their product the XP Security Tool 2010? XP was my operating system. Who else but Microsoft would know that? I suspect if I took the time to look in fine detail the word Microsoft would be nowhere to be seen.
Anyway, the product advised me to register if I wanted to get rid of the security breaches on my system. There was an option that offered me the opportunity to register later. Since I already had the CA Security suite I selected that option. Unfortunately, this option gave me no respite. The reality was that the only way it seemed that I could get round this screen was to register. This entailed buying the product. I had a busy schedule in front of me. I cursed the apparent aggressive marketing of Microsoft which seemed to make an assumption that there was no alternative solution to my needs than their application. I was though re-assured by a 30 day guarantee allowing me to return the product if I wasn’t happy.
No sooner had I paid my money than I got an email from the other party complete with my registration details. As soon as I registered the apparent security breaches were deleted. Moreover, an option appeared asking me for any feedback. By now I was ropeable so I sent off an email, to Microsoft I assumed, complaining bitterly about my experiences. I got a response with a fairly incoherent message in rather poor English. Bloody offshoring was my instant reaction to it.
However, I now proceeded to compound my stupidity. The response did sympathise with my predicament. It told me that these pop-ups were not related to the Antivirus program but were created by a partnership company whose services had since been discontinued. The email offered me the ability to disable these annoying pop-up screens. All I had to do was to run an attached program. Like a lamb to the slaughter this is precisely what I did. I ran a program which didn’t appear to do anything and only then did I start to suspect something might be up.
I went looking for XP Security 2010 on the Internet. My worst fears were confirmed. This was a bogus program. Moreover, it slowly dawned on me that I had given the culprits my credit card details and had executed a program they had sent me which had probably impregnated my computer with Spyware. In effect, my computer was the IT equivalent of up a creek without a paddle. I began to appreciate that my only surety would be to re-initialise my hard disk. Bang goes my long weekend I thought.
However, there were to be other lessons in this episode for me. In particular, I was surprised to discover that several of those who I had thought would be on my side in this matter projected indifference. I notified CA of my plight as soon as it happened. I was critical that this program had slipped through the firewall and been undetected by my security program. I am still awaiting a response to this email five days after the event. I have not even received an acknowledgement from the company that they have received my email. This contrasts dramatically with the support I have received from Sophos, another IT security vendor.
When I realised that CA would offer little immediate assistance in determining if any Trojans or Spyware were on my computer I went looking for help on the Internet. Sophos offered a free 30 day trial of their security suite. Moreover, their support team deciphered the program I had inadvertently loaded and re-assured me somewhat that it was probably not Spyware. The impression I very much gathered from these two responses was that if you valued IT security then you should enlist the services of a specialist company rather than a generalist. It was clear to me that Sophos live and breathe IT security and that they were as interested in learning from my experiences as helping me address the problems I had encountered.
I was also somewhat disappointed in the initial response I got from my bank, Westpac. As soon as I realised the implications of what I had done I contacted their fraud squad to outline the circumstances. After all I had been hoodwinked so I expected some support. However, their fraud squad advised that because I had voluntarily given my details, albeit under false pretences, they did not regard it as fraud. Instead they told me the disputes department would be in touch. After three days they hadn’t so I went back to Westpac. Finally, I did get some re-assurance from an attentive staff member but she was the third person I spoke to about the matter. I must say I was surprised by the nonchalant response. I had expected that banks would be much more passionate about securing the integrity of Internet commerce. After all it is very much in their commercial interest for it to grow isn’t it?
The final discovery was that the Secure Sentinel credit card protection I had acquired several years ago did not offer quite the security I had perceived when I took out the cover. Fraud and deception were not covered under its arrangements. I only had protection if I lost my card and someone discovered it and used it pretending to be me. I’m now very much questioning the value such cover really gives me.
However, probably the most important lessons I learned are personal ones. In retrospect, I realise that my first action should have been not to get frustrated and to shut down the computer. This would definitely have given me time to think. Moreover, it would have enabled me to go to another computer to do some background checks on the XP Security tool 2010. Even if I had to go to someone else’s place to do this check I’m quite sure the time to do all this would have been a lot less than the time needed to cancel my credit card and to re-initialise my hard disk.
In summary, I realise that I made quite a few errors of judgement in this matter. I had assigned myself a degree of IT competence that was inflated. My familiarity with IT and the Internet has probably brought with it a certain level of contempt. Yet my one consolation is that I have been given an unexpected education on IT security. It was Oscar Wilde who once said that experience is simply the name we give our mistakes. As such, I hope my experiences can help you avoid my mistakes if you ever find yourself in the situation that confronted me last Tuesday.
1 comment:
Peter, don't feel too bad about falling for rogue anti-malware - lots of people do. Even Larry Dignan, Editor of ZDNet, did not long ago http://blogs.zdnet.com/BTL/?p=27234&tag=nl.e539.
Second, CA security software is about the worst out there, and Sophos is a far more committed outfit.
Third, banks don't care. Full stop.
Fourth, you're right: best response is DO NOTHING, while you take a good look or better, talk to a colleague or someone who knows.
Fifth, here's the drill if it happens again and if your machine gets infected in the process
http://bit.ly/b2J5tM
Best
Kim