Please help us with a fraud situation

We had some identity thefts situations with our credit cards and Bank
accounts.
People using our credit cards and writing checks against our account.

How can I set up a really secure internet connection in my home ?

I use a Windows XP - wireless laptop to access the internet I have
in my home.
We use Comcast cable.
We have a WPA secure internet. We use a Netgear Rangemax MIMO
and the Comcast modem.

Somehow some people have managed to get both our credit card numbers
and bank account numbers and even driving license number.

I use this internet to access all our bank accounts etc.

Because of the fraud that occurred, we want to make sure that
we have a really secure internet connection.

What additional hardware, software etc do I need, if any ?
Since I am not a techie, pls help me with as much detail as possible.


Thanks in advance for your help,

Irfan Smith

irfansmith@gmail.com wrote:
> Please help us with a fraud situation
>
> We had some identity thefts situations with our credit cards and Bank
> accounts.
> People using our credit cards and writing checks against our account.
>
> How can I set up a really secure internet connection in my home ?
>
> I use a Windows XP - wireless laptop to access the internet I have
> in my home.
> We use Comcast cable.
> We have a WPA secure internet. We use a Netgear Rangemax MIMO
> and the Comcast modem.
>
> Somehow some people have managed to get both our credit card numbers
> and bank account numbers and even driving license number.
>
> I use this internet to access all our bank accounts etc.
>
> Because of the fraud that occurred, we want to make sure that
> we have a really secure internet connection.
>
> What additional hardware, software etc do I need, if any ?
> Since I am not a techie, pls help me with as much detail as possible.
>
>
> Thanks in advance for your help,
>
> Irfan Smith

People always point to the Internet when bad things happen...

We had our Chase account compromised a few years ago -
Had nothing to do with Internet,
but person used stolen checks from other mailboxes (reported),
deposited into our account with cash back...but not caught.

Anyway - just think about all the places someone has your "info".
- credit cards when you hand them to someone at a food place
- checks at the grocery store, or anywhere you pay by check
- driver lic for some ID written down - maybe even on check

and NONE have anything to do with the Internet

On Tue, 27 May 2008 20:06:14 -0700 (PDT), irfansmith@gmail.com wrote:

>Please help us with a fraud situation

I don't see anything resembling fraud. More like common sense and
internet security setup. If this sounds like blame the victim, I
appologize, but if your surfing and security practices are lacking,
you are as big a part of the problem as the typical hacker.

>We had some identity thefts situations with our credit cards and Bank
>accounts.
>People using our credit cards and writing checks against our account.

There are plenty of ways to get that info without involving the
internet. Most commonly, it's a theft of credit card data from some
idiot vendor that leaves the data on their web site. Having a virus
or trojan horse on your computer, that sends "interesting" files back
to the evil hackers, is also quite common. Lots of others. Hopefully,
you have a clue how it happened or who leaked the data.

>How can I set up a really secure internet connection in my home ?

Yes. WPA2-PSK-AES encryption is about as secure as it gets. However,
that requires a shared key, which can easily be leaked if some evil
person has access to one of the computahs. To prevent that, you can
install a RADIUS server to provide a one-time encryption key along
with an extra login and password.

Incidentally, one of my friends got ripped off via identity theft. I
trashed a nice dinner by literally pounding the concept of NOT using
the same password for every account she was using. A month later, she
was moaning that it was too difficult to remember all the passwords,
so she just wrote them on a ledger pad and hung it on the wall of her
office. Moral: You gotta understand how security works in order to be
fairly safe.

>I use a Windows XP - wireless laptop to access the internet I have
>in my home.

Any particular model wireless router? Are you using WPA2 encryption
with a fairly obscure and non-dictionary password?
<http://wireless.wikia.com/wiki/Wi-Fi_How_To#Secure_a_wireless_network>

>We use Comcast cable.

Comcast uses DOCSIS with BPI (Baseline Privacy Interface). That's
quite safe from sniffing.

>We have a WPA secure internet. We use a Netgear Rangemax MIMO
>and the Comcast modem.

Ummm... are the number keys missing on your keyboard or is there some
security reason why you don't disclose the model numbers?

>Somehow some people have managed to get both our credit card numbers
>and bank account numbers and even driving license number.

Give me a break. When was the last time you remember typing in your
drivers license number into a web form? If you did, it was probably a
hackers site. Do you even have any documents on your computah that
have the drivers license in them? If the drivers license number was
involved, it probably wasn't by sniffing your traffic or breaking into
your computer.

>I use this internet to access all our bank accounts etc.

So do I. Have you checked that you're actually using the banks web
site, and not some impostor (phishing) site? Most banks have some
mechanism for storing an identifying icon or phrase that insures
you've got the correct site and not some phony that's collecting
passwords.

>Because of the fraud that occurred, we want to make sure that
>we have a really secure internet connection.
>
>What additional hardware, software etc do I need, if any ?

No hardware. Anti-phishing software (i.e. Free AVG 8.0) works well
for identifying evil sites. Add some common sense and some heavy
reading about how internet security works. Pay attention to
anti-virus, anti-spyware, anti-rootkit, and anti-phishing software.
Pick *ONE* that works for you, and uninstall the rest as they trample
each other.

>Since I am not a techie, pls help me with as much detail as possible.

Detail. OK. See:
<http://iase.disa.mil/stigs/checklist/>
Grab the XP and the wireless security checklists. You probably can't
impliment everything on the shopping list as much of it is not
applicable. However, you can get a good idea of what is expected if
you want to be REALLY secure.

This looks interesting. NIST Wireless Security Checklist:
<http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf>



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 jeffl@comix.santa-cruz.ca.us
# http://802.11junk.com jeffl@cruzio.com
# http://www.LearnByDestroying.com AE6KS

> People always point to the Internet when bad things happen...
>
> We had our Chase account compromised a few years ago -
> Had nothing to do with Internet,
> but person used stolen checks from other mailboxes (reported),
> deposited into our account with cash back...but not caught.
>
> Anyway - just think about all the places someone has your "info".
> - credit cards when you hand them to someone at a food place
> - checks at the grocery store, or anywhere you pay by check
> - driver lic for some ID written down - maybe even on check
>
> and NONE have anything to do with the Internet

Our only problem with this kind of thing happened because of the old system
of using carbon paper between slips for credit cards. The retailer didn't
properly dispose of the carbons and neither did any of the other retailers
in the mall. Crooks went dumpster diving for the slips and then tried to
take advantage of the credit card numbers. Luckily, they were dumb as knobs
because they went to our bank to try and cash a cheque but the tellers all
knew us and knew immediately that the persons trying to pass themselves off
as us were crooks....case solved rather quickly.

We did however have to keep an eye on all of our accounts and the bank and
credit card companies questioned every purchase that we made for the next
year.

--
Ron P

If we are what we eat then: I'm fast,
cheap and easy and past my best before date

To restore balance to the world irfansmith@gmail.com wrote in
c82efd98-97c7-4b63-ac1e-87b390a240e2@w1g2000prd.googlegroups.com
>> Please help us with a fraud situation
>>
>> We had some identity thefts situations with our credit cards and Bank
>> accounts.
>> People using our credit cards and writing checks against our account.
>>
>> How can I set up a really secure internet connection in my home ?
>>
>> I use a Windows XP - wireless laptop to access the internet I have
>> in my home.
>> We use Comcast cable.
>> We have a WPA secure internet. We use a Netgear Rangemax MIMO
>> and the Comcast modem.
>>
>> Somehow some people have managed to get both our credit card numbers
>> and bank account numbers and even driving license number.
>>
>> I use this internet to access all our bank accounts etc.
>>
>> Because of the fraud that occurred, we want to make sure that
>> we have a really secure internet connection.
>>
>> What additional hardware, software etc do I need, if any ?
>> Since I am not a techie, pls help me with as much detail as
>> possible.
>>
>>
>> Thanks in advance for your help,
>>
>> Irfan Smith

I think you may find it has sod-all to do with your WIFI/Internet but more
to do with the way you dispose of discarded mail or mail stolen from your
letter box.

Buy a good cross cut shredder and shred all letter (and I mean all) make
sure you have a good secure large mail box the post people can get the mail
in,but know one can get it our and never let you cards out of your eyesight
as it can be scanned in a blink of a eye.

Chris

--
Superb hosting & domain name deals http://dn-22.co.uk

> Buy a good cross cut shredder and shred all letter (and I mean all)

Yep, if it has any identifying information we shred it. Not catalogs or
other direct mail junk, as that would put wasteful wear on the shredder
blades. But any solicitations or other financial documents get shredded.
Cheap insurance against identity theft.

make
> sure you have a good secure large mail box the post people can get the
> mail
> in,but know one can get it our and never let you cards out of your
> eyesight
> as it can be scanned in a blink of a eye.

That and it can't hurt to periodically get new cards. I've had plenty 'wear
out' just to get new numbers. With the advent of electronic bill paying
from most banks it almost eliminates the need to use a credit card number
for most payments. Sure, a few will still need it but those can be managed
easily when being issued a new number.

On Tue, 27 May 2008 21:37:01 -0700, Jeff Liebermann <jeffl@cruzio.com>
wrote:

>On Tue, 27 May 2008 20:06:14 -0700 (PDT), irfansmith@gmail.com wrote:
>
>>Please help us with a fraud situation
>
>I don't see anything resembling fraud. More like common sense and
>internet security setup. If this sounds like blame the victim, I
>appologize, but if your surfing and security practices are lacking,
>you are as big a part of the problem as the typical hacker.
>
>>We had some identity thefts situations with our credit cards and Bank
>>accounts.
>>People using our credit cards and writing checks against our account.
>
>There are plenty of ways to get that info without involving the
>internet. Most commonly, it's a theft of credit card data from some
>idiot vendor that leaves the data on their web site. Having a virus
>or trojan horse on your computer, that sends "interesting" files back
>to the evil hackers, is also quite common. Lots of others. Hopefully,
>you have a clue how it happened or who leaked the data.
>
>>How can I set up a really secure internet connection in my home ?
>
>Yes. WPA2-PSK-AES encryption is about as secure as it gets. However,
>that requires a shared key, which can easily be leaked if some evil
>person has access to one of the computahs. To prevent that, you can
>install a RADIUS server to provide a one-time encryption key along
>with an extra login and password.

a more secure scheme is - no wireless, as then getting the security
wrong is much less risky.

ethernet cables are a lot more difficult to tap into without physical
access to the wires.
>
>Incidentally, one of my friends got ripped off via identity theft. I
>trashed a nice dinner by literally pounding the concept of NOT using
>the same password for every account she was using. A month later, she
>was moaning that it was too difficult to remember all the passwords,
>so she just wrote them on a ledger pad and hung it on the wall of her
>office. Moral: You gotta understand how security works in order to be
>fairly safe.
>
>>I use a Windows XP - wireless laptop to access the internet I have
>>in my home.
>
>Any particular model wireless router? Are you using WPA2 encryption
>with a fairly obscure and non-dictionary password?
><http://wireless.wikia.com/wiki/Wi-Fi_How_To#Secure_a_wireless_network>
>
>>We use Comcast cable.
>
>Comcast uses DOCSIS with BPI (Baseline Privacy Interface). That's
>quite safe from sniffing.
>
>>We have a WPA secure internet. We use a Netgear Rangemax MIMO
>>and the Comcast modem.
>
>Ummm... are the number keys missing on your keyboard or is there some
>security reason why you don't disclose the model numbers?
>
>>Somehow some people have managed to get both our credit card numbers
>>and bank account numbers and even driving license number.
>
>Give me a break. When was the last time you remember typing in your
>drivers license number into a web form? If you did, it was probably a
>hackers site. Do you even have any documents on your computah that
>have the drivers license in them? If the drivers license number was
>involved, it probably wasn't by sniffing your traffic or breaking into
>your computer.
>
>>I use this internet to access all our bank accounts etc.
>
>So do I. Have you checked that you're actually using the banks web
>site, and not some impostor (phishing) site? Most banks have some
>mechanism for storing an identifying icon or phrase that insures
>you've got the correct site and not some phony that's collecting
>passwords.
>
>>Because of the fraud that occurred, we want to make sure that
>>we have a really secure internet connection.
>>
>>What additional hardware, software etc do I need, if any ?
>
>No hardware. Anti-phishing software (i.e. Free AVG 8.0) works well
>for identifying evil sites. Add some common sense and some heavy
>reading about how internet security works. Pay attention to
>anti-virus, anti-spyware, anti-rootkit, and anti-phishing software.
>Pick *ONE* that works for you, and uninstall the rest as they trample
>each other.
>
>>Since I am not a techie, pls help me with as much detail as possible.
>
>Detail. OK. See:
><http://iase.disa.mil/stigs/checklist/>
>Grab the XP and the wireless security checklists. You probably can't
>impliment everything on the shopping list as much of it is not
>applicable. However, you can get a good idea of what is expected if
>you want to be REALLY secure.
>
>This looks interesting. NIST Wireless Security Checklist:
><http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf>
--
Regards

stephen_hope@xyzworld.com - replace xyz with ntl

On Wed, 04 Jun 2008 21:56:13 GMT, Stephen <stephen_hope@xyzworld.com>
wrote:

>a more secure scheme is - no wireless, as then getting the security
>wrong is much less risky.

Hmmm... I'm typing this answer on my laptop, while sitting on the
toilet. So, you want me to drag a 100ft CAT5 cable around the house,
or install an ethernet port in the bathroom? Well, that would work,
but I kinda like internet without wires.

>ethernet cables are a lot more difficult to tap into without physical
>access to the wires.

I beg to differ. Ethernet is TRIVIAL to tap and sniff. There are
even commercial products for the purpose:
<http://www.netoptics.com/products/product_family.asp?cid=1&Section=products&sid=&menuitem=1&network=Network%20Taps>
I want one of these:
<http://www.netoptics.com/products/product_family_details.asp?cid=1&pid=159&Section=products&menuitem=1&tag=NetOptics+Network+Taps>

I once found a mystery CAT5 cable running from an under the house
ethernet switch to the neighbors. Since I installed the switch about
a year previously, spotting the extra connection was easy. The guy
was very clever, using a short length of CAT5 that was identical to
the other cables coming from the switch. Following the CAT5 with a
tone tested into the neighbors house was also easy. The dead beat
next door claimed the he didn't do it. About a month later, I caught
him trying to hack the WPA2-AES password on the wireless, without much
luck.

If you're faced with taping into a CAT5 cable, it's easy enough to cut
the cable, crimp on two RJ-45 connectors, and stuff an ethernet switch
in between. When leaving, just install a double RJ-45 receptacle.
I've found a few of these in rather suspicious locations, indicating
that someone knew the trick and was probably sniffing.

There is one problem with plugging into a switch. You can't sniff
other machines traffic. The switch isolates the traffic on each port
to only traffic to/from the machine on that port.

However, security features are useless when someone gets clever. A
friend told me about a 15 year old brat, that got a new telescope for
Christmas. Instead of astronomy, the brat points the telescope out
the window and towards the neighbors LCD monitor. I think he
mentioned that the keyboard was also visible. He then takes his
parents camcorder and proceeds to record the neighbors screen and
keystrokes. Fortunately, he got caught before he could misuse the
info.

Incidentally, sniffing and capturing wireless traffic for the purpose
of recovering logins and passwords is not as easy as it might seem. I
posted some stuff on this in the past, but am too lazy to go find it.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558