Here is how the scam works: Suppose you want to look up a company online named Super Duper, so you type the store’s name into your favorite search engine. An attacker might have purchased the top result to take you to the website superduperco.com. However, if you knew to scroll down past the paid-for-results, you would have seen that the real website is superduper.com. Attackers set up a website and named it superduperco.com.

Their deceptive site might contain malicious advertising, ask you to enter credit card numbers during checkout, or tempt you to download malicious programs and apps. They might ask you to login or reset a password, and they capture the password you type in.

If you look up a retailer in a search engine, skip past the ads and paid results. Scroll down to see real search results. Even then, be skeptical in case attackers used SEO techniques to appear at the top of the actual search results.

Please forward this to your friends to alert their users that top search engine results can be a trap.

The post Beware: Attackers Buy Top Search Engine Results to Trick You appeared first on Foster Institute.

It is easy to become numb about the news of stolen passwords. In the biggest discovery, so far, more than 420,000 websites have been hacked – and they are just finding out about it now. What if yours is one of the 1.2 billion stolen passwords?

Changing passwords frequently helps – but it is an inconvenience. Today is a good time to do it anyway – especially for banking, medical, and the most important sites.

Password managers can help you – they remember your passwords for you so you can have a different password at every site. Therefore, you only need to remember one password, the password to your password manager. Choices abound including LastPass, DashLane, Roboform and many others. There are “enterprise” versions to use in your company, and they are inexpensive.

Yes, there is a tiny risk that an attacker might breach the password manager, so you may decide to keep your banking credentials in your head, but use the password manager for other sites.

Perhaps the best solution is “multi-factor authentication” also known as “2-step” verification. Then you may not even care if someone else knows your password. An example of this solution: You enter a username and password into a web site, and then your mobile phone buzzes and tells you to enter the code such as 777888 to complete the login process.

Now an attacker would need to steal your mobile phone too before they could log on with your username and password. Obviously, if the attacker is in another country, then it is more difficult for them to steal your phone.

DropBox, PayPal, Google Apps, and many other sites already support multi-factor authentication – you just have to “turn it on.” See https://www.google.com/landing/2step/ to set up your Google account’s 2-step verification.

However, even multi-factor solutions are not perfect. One example, among many others, is how it was possible to bypass PayPal’s multi-factor authentication if you logged into EBay first.

By the way, in case you have eaten there, P.F. Chang’s published a list of restaurant locations that may have been breached: http://pfchangs.com/security/#locations

Change your passwords, get a password manager if you want to, and inquire about multi-factor authentication at the websites that contain your sensitive data.

Please post your comments below…

The post What to Do About Your Passwords appeared first on Foster Institute.

STEP 2: If your business never accepts credit or debit cards, you can stop reading here. If you do accept credit or debit cards, then it is time to make your incident response plan now. It is better to decide now – rather than in an emergency – what to do if you suffer a breach. Check with your insurance provider about cyber-insurance and be aware of the “caps” that limit your coverage. Make sure the insurance at least covers your notifying everyone who’s ever done business with you. Additionally, make sure that the insurance also covers the costs you will incur by providing free credit monitoring to your customers.

STEP 3: Make a plan for what to do when your customers switch to “the competition.” Be sure you will weather the lost sales as well as the fines associated with the breach. If the breach happens, you may have to invest a lot of money in marketing and advertising to put a positive spin on your company’s loss of credibility. Target has such “deep pockets,” they will bounce back. Make sure you can too. Will you need to raise prices? Target might.

STEP 4: Step up your efforts to build loyalty from your customers. That way, you’ll lose fewer of them. Put even more energy into differentiating yourself from the competition. If you have a breach, your customers will know they are at a higher risk of fraud – all because they did business with you. Generate such loyalty that your customers won’t be concerned that you had the breach. Target is about to find out first-hand how well they’ve successfully differentiated themselves and won the loyalty of customers.

STEP 5: Prioritize your becoming PCI-DSS (Payment Card Industry – Data Security Standard) compliant. PCI is designed to protect you from having to notify all of your customers via preventing the breach in the first place. Most companies don’t know “where to start” in order to become compliant. Many IT Professionals are understandably unfamiliar with the intricacies of the PCI DSS. Here are some tips to make the PCI process simple and easier than ever: “If You Accept Credit Cards-Simplify PCI-DSS”

Please post your comments below.

The post The Target Breach – Do This Now appeared first on Foster Institute.