Guide to Online Security
Protecting your privacy and information online is extremely important. You can help.
There are several ways you can further protect yourself online, and this guide will help you have a secure online experience. Start with our 10 Essential Security Tips, and then read each section for more in-depth information on privacy and security online.
Password
Choose it well and keep it confidential.
Don't be obvious. Mix it up with numbers, capitalization, and symbols.
The best way to avoid scams? Never share your password.
Computer
Never open unexpected attachments.
You might not even know it's there. Regularly use an anti-spyware program.
Before installing software on your computer, make sure you know exactly what it does.
Identity
Be careful when sharing any personal information online.
Erase your tracks when you leave.
10 Essential Security Tips
You're probably familiar with much of the information in this guide. Nevertheless, reviewing these tips can only improve the way you protect your personal information online.
1. Choose a long and memorable password. A password is like a toothbrush: choose a good one, don't share it with anyone, and change it at the first sign of a problem. A password can be any length, and may contain spaces, symbols, or numbers. You should come up with something that's easy for you to remember but impossible for someone to figure out.
2. Yahoo! will not ask for your password in an unsolicited email or phone call. If you receive such a request, assume it's a hoax and don't reply.
3. Be suspicious. Anyone, anywhere in the world, can register for an ISP account, and Internet email protocols allow anyone to send a message that appears to be from any other person. Don't assume an email from "Mom" or "Uncle Dave" was actually sent from someone you know, and don't assume that an unsolicited message from yourfriend@alegitimateISP.com was really sent by that account.
4. Scams abound. Scams are a popular way of getting your personal information. The most common scams are fake login pages and forged emails that ask for your password, credit card number, or other sensitive information. Ignore or report anything you see that strikes you as questionable or suspicious.
5. Know your software. Malicious software (e.g., viruses, worms, Trojan horses, and spyware) often masquerades as legitimate and even useful software. Think carefully before installing or running new software, especially anything unsolicited.
6. Use anti-virus software. This can detect many, but not all, forms of malicious software before they have a chance to affect your computer. Most notably, anti-virus software does not detect spyware.
7. Keep your software up to date. You can prevent many problems by regularly checking for and installing updates for your operating system, browser, messaging software, and other programs.
8. Clean up after using shared computers. If you share a computer, whether it's in a public or private setting, make sure to sign out when not using your account. You should also learn how to "clear the cache," if you use the computer to browse the Internet. Remember that using a shared computer is always riskier than using a computer to which you are the only person with access.
9. Contact account-security. If you think your account has been compromised or someone else knows your account verification information, contact the account security team for assistance as soon as possible.
10. Everyone has a role to play. By working together, understanding the risks and knowing how to protect ourselves, we can enjoy our online experience more and be less likely to run into trouble.
About Passwords
Your password is more than just a key to your online account. If your password falls into the wrong hands, someone can easily impersonate you while online, sign your name to online service agreements or contracts, engage in transactions, or change your account information.
Your ID and password are confidential information. An authorized employee will never ask you for your password in an unsolicited phone call or email message. Do not respond to any message that asks for your password.
Do not write your password down. If you must write it down, keep it locked away in a place only you can access.
Change your password if you suspect something is amiss.
Don't use personal information that someone could easily figure out, such as your birthday, your child's name, or your phone number.
Verify your account information. From time to time, make sure your information is accurate and that no one has altered your data. If at any time you become concerned about the security of your password, you should change it immediately. If you suspect someone knows the answer to your secret question and any other information asked on the lost password form, contact the account security team as soon as possible.
Do not check the "Remember my ID on this computer" box if:
o you're concerned with other people seeing or gaining access to your personalized pages
o you use a shared computer
Before saving your password on any browser, plug-in, or program, thoroughly read the security documentation for that program or service. Depending on the program, your passwords may be made available to anyone who uses that computer.
Choosing Your Password
A password is like a toothbrush: choose a good one, don't share it with anyone, and change it at the first sign of wear. A password can be any length, and may contain spaces, symbols, or numbers. With so many options, you should come up with a password that's easy for you to remember but almost impossible for someone to figure out.
Choose a password you will remember but one that is difficult to guess, even by those who know you.
Choose a long password. The more characters your password contains, the harder it is to crack. Each character added to your password increases the total number of combinations possible. A long but simple password can be as secure as a short and complex one -- and often easier to remember.
Use a combination of letters, numbers (0-9), and standard symbols (! @ # $ % ^ & *) to make your password more difficult for others to guess. Also remember that your password is case-sensitive, which is another option to keep in mind when thinking of a good password. A good technique is to pick a favorite phrase or lyric for your password. It can be shortened by substituting characters or extracting vowels. If you choose, you can just use the whole sentence or phrase, e.g., "2Tickets2Paradise".
Don't use personal information that someone could easily figure out, such as your birthday, child's name, or phone number. Also, avoid obvious passwords such as "123456," "test," or "password."
If you use a password generator, don't share any personal information. There are a number of password generator programs available online to help you create a random password. These passwords are generally harder to crack but also more difficult to remember.
Mix up your password, but keep it memorable. Try substituting letters with characters or numbers. You can also extract vowels or consonants from words.
For example:
o The phrase "Fredsboy" can be made into "Fr3d$boy"
o The phrase "Two tickets to paradise" can be made into "2Tickets2Paradise"
o The words "cat" and "dog" can be combined into "cAt!DoG"
Good passwords are:
o unique. Do not use a password you already use for another account, such as your bank account PIN.
o difficult to guess. Don't use common words or names.
o at least 7 characters long.
o made up of both lower and upper-case letters, numbers, and symbols.
Bad passwords include:
o a complete word from any dictionary (English or other);
o your login name in any form (as is, reversed, capitalized, doubled, etc.);
o common names, such as the names of family members, pets, or friends;
o based on any information easily obtained about you (e.g., license plate numbers, telephone numbers, employer, school name, automobile brand, street name, etc.);
o all the same digit or letter (this significantly decreases the search time for password cracking software);
o any obvious sequence of characters (e.g., 123456);
o obvious to anyone watching you enter them (such as "qwerty").
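The "Bad passwords" list above and the earlier point that length adds search space can be written as a checker. This is an added example, not part of the original guide; the function names, the tiny word list and the keyboard rows are constructed for illustration, and the bit count is a brute-force estimate only.

```python
import math
import string

# Constructed sample data; a real check would load a full dictionary file.
SAMPLE_WORDS = {"password", "test", "paradise", "tickets"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def login_variants(login):
    """Login name as is, reversed and doubled; case is ignored by the caller."""
    name = login.lower()
    return {name, name[::-1], name + name}


def is_sequence(pw):
    """True for ascending or descending runs such as 123456 or fedcba."""
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return len(pw) >= 3 and steps in ({1}, {-1})


def is_keyboard_run(pw):
    """True when pw is a slice of one keyboard row, e.g. qwerty."""
    p = pw.lower()
    return len(p) >= 4 and any(p in row or p in row[::-1] for row in KEYBOARD_ROWS)


def check_password(pw, login, personal=(), words=SAMPLE_WORDS):
    """Return the rules from the guide's lists that pw breaks."""
    low = pw.lower()
    problems = []
    if len(pw) < 7:
        problems.append("shorter than 7 characters")
    if low in words:
        problems.append("complete dictionary word")
    if low in login_variants(login):
        problems.append("login name in some form")
    if any(item and item.lower() in low for item in personal):
        problems.append("contains personal information")
    if pw and len(set(pw)) == 1:
        problems.append("all the same character")
    if is_sequence(pw):
        problems.append("obvious sequence")
    if is_keyboard_run(pw):
        problems.append("keyboard pattern")
    return problems


def search_space_bits(pw):
    """log2 of the brute-force search space for pw's length and character classes."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(not c.isalnum() for c in pw):
        alphabet += len(string.punctuation)  # 32 ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for candidate in ("123456", "qwerty", "FredFred", "Fr3d$boy"):
        print(candidate, check_password(candidate, login="fred"))
    # A long all-lowercase phrase has a larger search space than a short mixed one.
    for candidate in ("Fr3d$boy", "twoticketstoparadise"):
        print(candidate, round(search_space_bits(candidate), 1), "bits")
```

The bit count measures only blind brute force; a password made of common words or built from information about you falls to a guessing list long before that search space is exhausted.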
Password Scams
There are two common methods used to trick users into revealing their passwords: impersonation and social engineering.
Impersonation
Impersonation Web Pages
You can find web pages that exist for the sole purpose of collecting IDs and passwords. These pages mimic real or authorized sign-in screens, and are sometimes referred to as "spoof" or "password phishing" pages.
Do not enter your ID or password on any web page unless you are on the page you intended to visit.
Make sure a "trailing slash" appears at the end -- sites that impersonate will not have the "trailing slash." For example, "http://www.msn.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060" is a bogus URL.
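Parsing the bogus URL above shows why it is deceptive: everything before the "@" is treated as sign-in data, and the browser connects to whatever follows it, here a host written as a single decimal number. This is an added example, not part of the original guide; the function names are illustrative.

```python
import ipaddress
from urllib.parse import urlsplit

# The bogus URL quoted in the guide.
BOGUS = "http://www.msn.com:login&mode=secure&i=b35870c196e2fd4a&q=1@16909060"


def numeric_host_to_ip(host):
    """Decode a host written as one decimal integer into dotted-quad form."""
    if host.isascii() and host.isdigit() and int(host) < 2**32:
        return str(ipaddress.IPv4Address(int(host)))
    return None


def analyze_url(url):
    """Separate the host the browser contacts from the decoy text before '@'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "host": host,                        # where the request really goes
        "decoy": parts.username,             # familiar-looking name shown first
        "has_userinfo": "@" in parts.netloc,
        "ip": numeric_host_to_ip(host),      # set when the host is a bare number
    }


def is_suspicious(url, expected_host):
    """Flag URLs with userinfo, a numeric host, or a host other than expected."""
    info = analyze_url(url)
    return (
        info["has_userinfo"]
        or info["ip"] is not None
        or info["host"] != expected_host.lower()
    )


if __name__ == "__main__":
    print(analyze_url(BOGUS))
    print(is_suspicious(BOGUS, "www.msn.com"))
    print(is_suspicious("http://www.msn.com/", "www.msn.com"))
```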
Impersonated Emails
You may receive an email from someone claiming to be an employee who asks for your password for any number of reasons -- to help recover your account, prevent your account from being deleted, or identify your account are a few of the more popular scams. The person may ask you to reply with your password or may direct you to a fake sign-in screen. These are scams. Please forward the email to your ISP. Include the full email headers and the HTML source code of the email you received.
If you are directed to a web page by an email, make sure the web page is one you know is safe. If you don’t know, “right-click” the link, go to Properties, and view the properties to verify the originator.
Social Engineering
"Social Engineering" is a term that describes non-technical methods used to gain access to accounts, passwords, credit card numbers, Social Security numbers, names, addresses or other personally identifying and confidential information. These methods are mostly based on human interactions and, specific to your Yahoo! account, can be separated into two types.
Con Games
In a con game, the social engineer will try to convince you to share your password. They may impersonate your ISP, webmaster, or administrator, claim to be with law enforcement or someone else of authority, or they may befriend you to gain your confidence and offer to help solve problems you may be having with your account.
Never share your password. Your password is confidential and should not be given to anyone.
Most online services hold you responsible if you do not properly safeguard your password and your account is used by another person. If you lose a password from another company or online service, you may have that company email your password to you. Thus, if someone else has the password to your Mail account, they may be able to read these emails and access online accounts from other companies.
Victim Knowledge
A social engineer may also use information they know about you to guess your password or use our password lookup utility to gain access to your account.
To reduce the chance of someone guessing your password, choose your password wisely. Read "Choosing your password" for more information.
To reset your Yahoo! password, a person needs to know your date of birth and ZIP code. To learn your new password, a person also needs access to your alternate email account or know the answer to your secret question. That's why it is important to pick a secret answer only you know.
Choose a security question and answer wisely. When you register, you can choose a special question and answer that will allow you to access your account if you forget your password. Make sure you choose information someone else cannot guess. (Remember, it's possible for anyone who knows your ID and your birthday to see your security question and attempt to answer it.)
Be careful about what you post publicly and with whom you share personal information. Social engineers may take months to gain your trust, get to know you better, and gather information about you.
The more popular an Internet service, the more likely fake log-in pages have been set up to collect IDs and passwords. Only give your ID or password when you know you're on a legitimate and trusted web site.
Reporting Password Scams
Email: If you receive an email impersonating your ISP email system, please forward the email to webmaster@yourISP.com. Include the full headers and the HTML source code of the email you received.
Web page: If you see a web page asking for your ID and password and you feel it is a scam, please report it using your ISP’s “real” web page. Include the full URL of the web page collecting passwords.
If you have already been tricked into giving your password, please use the same location, find a “suspected abuse” link, and supply as much detail as possible.
If you entered credit card or bank account numbers, you should immediately contact your financial institution. If you feel your life is in danger, call your local police department immediately.
Viruses, Trojan Horses and Worms
What are Viruses, Trojan Horses and Worms?
Though these terms are often used interchangeably, they refer to different types of malicious computer programs.
Computer viruses hide within other programs or documents and spread as a side-effect of user action (e.g., opening an attachment). They come in many forms, and you don't need to install a program for your computer to be infected. For example, some viruses are spread when you open a word-processing document, particularly if you have macros enabled. Once your computer is infected, the virus may attach itself to outgoing files or may be sent as an email attachment.
A Trojan horse is a program that disguises itself as another program. Similar to viruses, these programs are hidden and usually cause an unwanted effect, such as installing a back door in your system that can be used by hackers. They differ from viruses because they typically are not designed to replicate like a virus.
Worms spread without any user interaction, typically by exploiting a flaw in popular software. Once activated, they generally use the Internet or your LAN (local network) to self-propagate and often take advantage of vulnerabilities in Microsoft Outlook and Microsoft Outlook Express email programs.
Protecting Yourself and Your Computer
Here are some ways to protect yourself and your computer against these programs:
Use anti-virus software.
Download anti-virus software updates frequently. They are usually posted weekly, and generally only take a couple of minutes to download.
Scan email attachments and programs downloaded from the Internet. Some Mail providers allow you to scan your attachments before downloading them to your computer. If you receive attachments you aren't expecting or from someone you don't know, do not open the attachment. Even if you know the sender, you should scan the attachment in all cases.
Turn off the feature in email programs that automatically opens attachments.
Don't install unfamiliar programs. Unless you know exactly what a program does and how it will affect your computer, don't install it.
Carefully read pop-up warnings. Many unscrupulous companies use pop-up advertising that falsely appears to be a warning. The pop-ups encourage users to install corrective software. These pop-ups should be ignored.
To close these: click ONLY on the X in the upper right corner OR ALT-F4 (if it is the active window).
Verify email warnings. You may receive an email warning that claims to be from a computer "expert" warning you of a virus. Such emails usually instruct you to take certain steps to protect your computer. These are usually a hoax -- before following the steps outlined in any email, research it online by searching for Computer Virus Hoax sites; a few are listed below.
o Symantec Hoax Page (aka Norton): http://www.symantec.com/avcenter/hoax.html
o McAfee Hoax Page: http://vil.mcafee.com/hoax.asp
o Network Associates Hoax Page: http://vil.nai.com/VIL/hoaxes.asp
Spyware
What is Spyware?
Simply speaking, spyware consists of hidden programs running on your computer. You may have unknowingly installed them when you downloaded programs from the Internet or installed software from disks. These programs are easy to install but often difficult to remove without downloading specialized anti-spyware programs.
Spyware programs can change your system settings, serve pop-ups, record your surfing habits, or display advertisements over web sites you visit. Other spyware programs will run separate programs on your computer for a variety of purposes, sometimes slowing your computer down in the process. Some malicious spyware will log everything you type on the keyboard and even send this information back to those who placed the spyware on your computer in the first place. This could be embarrassing at minimum, and even result in your becoming a victim of identity theft.
Checking for Spyware
Your computer may be running spyware if you see pop-up advertisements on many web pages you visit, if your browser home page has been changed, or if your computer is unusually slow when you are online.
The best way to identify whether or not spyware is installed on your computer is to run and regularly update anti-spyware programs. Similar to anti-virus software, anti-spyware software identifies most unwanted programs and helps you remove the spyware.
How Spyware Gets Installed
Here are a few potential ways spyware may find its way onto your computer. Please keep in mind, this is not a comprehensive list:
Unintentional Download
You may intentionally download and install spyware without realizing it has an unrelated, secondary purpose that isn't clearly disclosed. For example, you may be told a program will keep your computer clock synchronized with the atomic clock. If it is spyware, the program may also serve advertising pop-ups whenever you are online.
Software Bundle
Spyware may be included (bundled) with programs you download and install. For example, many file-sharing programs require you install additional, unrelated programs that may be considered spyware.
Involuntary Download
You may voluntarily install spyware while surfing the Web because it is disguised as a program that is beneficial for your browsing experience. Oftentimes, spyware appears to be corrective software or a special plug-in that will help you view a site. If you don't know the source of the download or aren't sure what a program does, you can generally learn more by searching on the name of that program in Your Search Tool.
Other Users
Someone else who uses your computer, such as a relative or friend, may also install spyware on your computer. They may do so unintentionally in any of the ways mentioned above, or they may maliciously install a program with keystroke logging, to capture passwords or other personal information.
Computer Virus or Worm
A computer virus or worm can also install spyware that could allow someone remote access to your computer, turn your computer into a pornography or spam server, log keystrokes to steal passwords or credit cards, or perform other malicious acts.
Automatic Installation
Some unscrupulous companies use advertisements to automatically begin the installation process for their programs. By default, most browsers will prompt you with a security warning to either continue or stop the installation process. Typically, these warnings don't offer a description of the program or tell you what it will do.
Browsers that allow programs to install without a prompt are security threats and make your computer more susceptible to computer viruses and hacking attempts. Please review documentation for your browser to learn more about how to protect your security. Remember to carefully read pop-up warnings. If you don't expect to install a program or if you aren't sure what the program does, cancel the installation process. Here is an example of one such warning, given in Microsoft Internet Explorer:
In this example, the company name and the program name are blurred. There is no information about what the program does.
Note: The browser provides the security warning, and the same message is shown during the installation of many different programs.
Avoiding Spyware
Here are some steps you can take to avoid spyware:
Regularly use anti-spyware software in conjunction with anti-virus software to give your computer maximum protection against spyware and other malicious computer programs.
Verify the security settings on your browser do not allow programs to be installed without your permission. By default, most browsers will prompt you with a security warning to continue or stop the installation process.
Carefully read pop-up warnings. If you don't expect to install a program or if you aren't sure what the program does, cancel the installation process.
Before downloading and installing programs, investigate them and their publisher. You can generally find more information by searching for the name of the program in a Search Engine.
Software
The software on your computer is often an overlooked security risk. A security flaw or vulnerability in software need only be exploited once to open up the personal information contained on your computer.
Some popular programs, particularly free Internet applications and file-sharing programs, require installation of additional programs from other companies. Yahoo! Messenger, Yahoo! Companion, and other software programs provided by Yahoo! do not require you to install additional programs from other companies.
Here are some steps you can take to protect yourself against the risks inherent in installing software on your computer.
Don't install unknown software. Before installing any program, make sure you know what it does and how it will affect your computer.
Be wary of file-sharing programs. These programs open up your computer to many other people by providing access to particular directories in your computer. Before installing any type of file-sharing program, learn how to properly configure the software to decrease the chances of a security problem.
Use spyware detection software. Such software is designed to find and remove hidden or intrusive software and should be run every week or so. To learn more, search for Spyware and Adware in a Search Engine.
Use only the newest version of your browser. Each browser release updates standards and fixes security holes present in earlier versions. If you have the newest version of your browser, you should also check the publisher's web site to see if security or other patches are available.
Interacting Online With Strangers
The Internet can be a great way to meet people who have interests similar to yours. Unfortunately, people are not always who they seem. Even though you may consider yourself self-sufficient and able to identify signs of danger, you should be extremely careful when sharing any personal information with someone you don't know.
"Social engineering" is a common ploy used to gain access to accounts. Perpetrators get to know and befriend their victims, and then use information provided by an unsuspecting victim to guess a password or secret answer. Remember, someone needs to know your date of birth, ZIP code, and the answer to your secret question to obtain your Yahoo! password.
Chat/Games/Message Boards/Personals
When you are chatting, playing games, or posting online, keep in mind you never know with whom you are communicating. For your personal safety and the safety of your online accounts, be very careful about the information you disclose, even if it seems harmless.
If you decide to meet someone in person, play it safe and take a buddy with you. Let a friend know when and where you will be meeting and prearrange a time to call so they know you are all right. If you have any doubts about the meeting, consider declining the offer. Children should never arrange to meet someone they have only met online.
Job Classifieds
Make informed decisions before sharing your Social Security number with a potential employer. Most employers will not ask for personal information until you arrive at their offices for an in-person interview and are given a formal job application.
If you have doubts about a company's legitimacy, research the company using web sites operated by the Better Business Bureau and the United States Federal Trade Commission.
Don't provide credit card or bank account numbers, or engage in any financial transactions over the phone or online with a potential employer/recruiter. Exercise caution when dealing with prospective job contacts outside of the United States.
Shared Computers
Most of us access the Internet from different locations -- a friend's house to check email, an Internet café to check a stock quote, or the library to research a term paper. Sharing a computer is a great convenience, but you must take extra precautions to safeguard your personal information.
Here are some tips to help protect your Yahoo! account when sharing a computer.
Do not check the "Remember my ID on this computer" box.
Many sites offer this option. When a computer "remembers" you, it usually sets a persistent cookie that allows the web site to identify you so you don't have to sign in. You'll still be signed in after you close your browser. This is a convenient option if you are the sole user of a computer, but if you share a computer, do not check this option.
Never leave your computer unattended while you are signed in.
Someone could approach your computer and easily access your account information.
Always sign out completely.
If you use a public or shared computer, it's especially important to always sign out completely by clicking the "Sign Out" link when you finish using Yahoo!.
Clear your browser's cache.
Your browser's cache contains copies of the web pages you have recently visited and stores these files on your hard drive. Clearing your cache is a simple process: http://help.yahoo.com/help/us/mail/errors/errors-17.html
Know the risks.
Some shared computers allow you to install software on them, making them vulnerable to virus attacks or malicious programs such as keystroke logging programs. If you have any concerns about the security of a shared computer, don't hesitate to ask the administrator about the steps they've taken to protect their computers.
See also Phishing - Identity Theft