
Don’t click anything!

By Thomas Olson

July 12, 2006

Just say no. Better yet, don't say anything ... or click anything.

Experts say the leading cause of computer security breaches -- about three in five instances -- is the user himself. Human errors range from misplacing laptops to, more commonly, responding to fraudulent e-mails designed to steal sensitive information.

Roy Tavares found out the hard way. The long-haul trucker who occasionally makes purchases through an online auction site got an e-mail from what he believed to be eBay around New Year's. It looked authentic, so he supplied vital personal data -- and some scammer bought an $885 video recorder on his dime.

"I was freaking out. I never had anything like this happen to me," said Tavares, 46, who lives in Santa Rosa, Calif., and has family in the Pittsburgh area.

Carnegie Mellon University hopes to meet the phishing epidemic head-on with a forum today that runs through Friday. The second annual Symposium on Usable Privacy and Security in Oakland will feature about 100 technical and human-behavior experts from CMU, Google, Microsoft and elsewhere. (For information, visit cups.cs.cmu.edu/soups/index.html.)

Panels and workshops will focus on human interaction with computers, alternate systems to passwords and especially "phishing," where scammers trick computer users into supplying sensitive information used to defraud them.

"And it's getting worse," said Lorrie Cranor, a symposium leader and director of CMU's Privacy and Security Laboratory. "More people are using computers, and you even have scammers with phishing tool kits who wake up in the morning and decide which bank they want to pretend to be today."

Human error in various forms is responsible for almost 60 percent of computer security breaches, according to research released in April by the Computing Technology Industry Association (CompTIA), based in Oakbrook Terrace, Ill. The figure is up significantly from 47 percent in 2005, said the trade group's survey of 574 organizations.

Computer users' security sins often include:

• Answering phishing e-mails' requests for information such as bank and credit card account numbers, Social Security numbers or other unique identifiers

• Leaving laptops on in public places

• Failing to install or update anti-virus and anti-spyware software

• Using passwords that are easy for scammers to crack.

Don't set up passwords named for your spouse, pet or alma mater, Cranor said. And avoid short passwords, as scammers can recover them fairly quickly simply by trying every possible combination.

"Instead of using a word, think of a phrase and use the first letter of each word as your password," she said.

Once online, some people get hooked by phishers who mass-mail fraudulent messages with realistic links seeking useful information.

"Scammers will send you e-mail saying they're Bank of America and that your account number needs to be confirmed. Out of 100,000 e-mails they send, they might get 100 (bank customers) who feel they need to respond with the information," said Julie Downs, a researcher in CMU's Social and Decision Sciences Department.

"And some of these fake (Web) sites look pretty legitimate," Downs said.

For instance, the e-mail Tavares got that looked like it was from eBay said he must click a provided link to update his account within 48 hours or it would be closed. The company logo and Web address looked authentic, so he supplied the requested numbers for drivers license, credit cards, etc.

"When I was done updating, they even asked if I wanted to continue shopping, and when I hit 'yes,' took me to eBay's (actual) site," he said. But hours later, Tavares grew suspicious enough to contact eBay.

Too late. Somebody bought a Sony camcorder, and he spent two weeks "jumping through hoops to close or put holds on every account."

"There's more sophistication now, which means higher success rates," said Ronnie Manning, a spokesman for the Anti-Phishing Working Group, an industry association formed in 2003 to wipe out online fraud. The California group estimates at least 90 percent of phishing expeditions involve bank imposters.

"Not long ago, phishing e-mails used to contain typos and funny-looking letters," said Manning. "Now, you get e-mails that look exactly like the banks' or that have links that go right to sites that look like the real ones."
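The links Manning describes, and the one that fooled Tavares, share a small set of tells: a brand name buried in a hostname that is not the brand's own domain, a raw IP address where a company name should be, a username-and-@ trick that hides the real host, or visible link text that names one site while the underlying address points to another. The Python below, an added illustration and not code from the article, CMU, eBay or the Anti-Phishing Working Group, applies those checks to a constructed e-mail body modeled on the message in the story. The sample HTML, the hostnames ending in .example, the test address 192.0.2.10 and the list of legitimate eBay domains are all assumptions for the demonstration.

```python
"""Flag deceptive links in a phishing-style e-mail body.

Added example for this article; the sample message, the .example hosts
and the LEGIT_DOMAINS table are constructed for the demonstration.
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed: the registrable domains the claimed sender legitimately uses.
# Real code would consult the Public Suffix List; the crude last-two-labels
# rule below is only adequate for .com-style names like these.
LEGIT_DOMAINS = {"ebay": {"ebay.com"}}

# Constructed message modeled on the "update within 48 hours" lure.
SAMPLE_EMAIL = """
<p>Your eBay account will be closed in 48 hours unless you update it.</p>
<a href="http://www.ebay.com.account-update.example/">www.ebay.com</a>
<a href="http://192.0.2.10/ebay/">Update now</a>
<a href="http://www.ebay.com@signin.example/">http://www.ebay.com/</a>
<a href="https://www.ebay.com/">Continue shopping</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Crude eTLD+1: the last two labels of the hostname."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Hostname of a URL, tolerating link text written without a scheme."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text, brand):
    """Return the list of reasons a link is suspicious (empty if none)."""
    reasons = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        reasons.append("userinfo before @ hides the real host")
    if is_ip(host):
        reasons.append("raw IP address as host")
    if brand in host and registrable(host) not in LEGIT_DOMAINS[brand]:
        reasons.append("brand name in hostname but not a %s domain" % brand)
    # Visible text that itself looks like a URL but resolves elsewhere.
    if "." in text and " " not in text:
        shown = host_of(text)
        if shown and registrable(shown) != registrable(host):
            reasons.append("shows %s but goes to %s" % (shown, host))
    return reasons


def suspicious_links(html, brand="ebay"):
    """Return [(href, reasons)] for every flagged link in the message."""
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        reasons = check_link(href, text, brand)
        if reasons:
            flagged.append((href, reasons))
    return flagged


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL):
        print(href)
        for r in reasons:
            print("   -", r)
```

Three of the four links in the sample are flagged; the genuine "Continue shopping" link to www.ebay.com passes, which matches the story, where the fake page handed the victim off to the real site once it had his data. The hostname check is the important one: "www.ebay.com" appearing at the start of an address means nothing unless the name actually ends in the brand's own domain.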
