ID Theft Prevention
Thursday, September 3, 2015 at 3:28PM

'Typosquatting': How 1 mistyped letter could lead to ID theft
By Claes Bell, CFA • Bankrate.com

  Remember when you used to think learning how to spell was a useless waste of time and cursed your teachers for making you do something that would never have any real-world benefit? Turns out you were wrong.

  Missing just a few letters in a web address can cost you the money in your bank account, or start an all-out identity theft attack, because of a type of fraud called "typosquatting."

  Typo-what-ing?
Typosquatting is a type of online fraud based on the assumption that people are predictably bad at spelling.

  "When you look at people who are typing in domain names, when they type them into web browsers at home, we find that with a certain regularity, people make the same typos over and over again," says Matthew Green, an assistant research professor at the Johns Hopkins Information Security Institute in Baltimore.

  That creates an opportunity for hackers.

  "People anticipate that, and they try to go out and find those common misspellings, and they register them and put up copies of a bank's website that look identical, and then they use them to get people's credentials," Green says. "The idea is to put out a net. You hope that some people will make some mistakes."

  Phishing
Attempting to deceive individuals into providing sensitive information online for the purposes of committing identity theft or other types of fraud.

  How typosquatting works in practice
Rajiv Motwani, director of security research at Websense Security Labs, gives an example of what a typical typosquatting attack might look like.

  Say criminals wanted to target Bank of America customers. They might register "BankofAmerlca.com," one letter off from the bank's actual domain, and set up a fake site. (This is also known as "spoofing.")

  "The attacker puts up a page that looks very much like Bank of America's website, so you will go ahead and enter your credentials there, thinking you are logging into the bank," Motwani says.

  From there, it's off to the races, Green says.

  "They can then log on to your banking website and transfer money and do all kinds of things," Green says.

  Spoofing
Creating a realistic copy of a website in order to trick victims into entering personal information, or for some other purpose.

  Banks battle typosquatting
Typosquatting has been around for a while, so many financial institutions have taken steps to protect customers, Green says.

  "Some sites now go out of their way to go lock up and register all the common, closely related domain names, and they also will monitor to see if you're registering another one that's too close, but not everyone does that, unfortunately," he says.

  Why not? It mostly comes down to cost.

  "(Registering a web domain) only costs maybe $10 a year, but if you're trying to lock up 50 of them, most small websites don't have the resources to do that," Green says.
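The monitoring Green describes, watching for registrations that sit too close to a protected name, can be sketched as follows. This is an added example, not code from the article or from any bank: it assumes "bankofamerica.com" is the legitimate domain behind the article's "BankofAmerlca.com" example, and the confusable-character table, the two-edit threshold and every other sample domain are constructed for illustration.

```python
PROTECTED = "bankofamerica.com"  # assumed legitimate domain behind the article's example

# Constructed, deliberately small table of characters that look alike on screen.
CONFUSABLE = str.maketrans({"l": "i", "1": "i", "0": "o"})

def normalize(domain):
    """Lower-case the name and drop a trailing dot and a leading 'www.'."""
    d = domain.strip().lower().rstrip(".")
    return d[4:] if d.startswith("www.") else d

def fold(domain):
    """Normalize, then map confusable characters to one representative."""
    return normalize(domain).translate(CONFUSABLE)

def typo_distance(a, b):
    """Optimal string alignment distance: an insertion, deletion, substitution
    or swap of two adjacent characters each counts as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, protected=PROTECTED, max_edits=2):
    """Label a domain relative to the protected one."""
    c, p = normalize(candidate), normalize(protected)
    if c == p:
        return "legitimate"
    if fold(candidate) == fold(protected):
        return "lookalike"      # identical once confusable characters are folded
    if typo_distance(c, p) <= max_edits:
        return "typo"           # a slip or two away from the real name
    return "unrelated"

def review(observed, protected=PROTECTED):
    """Return only the domains that need a human look, with their label."""
    labels = {d: classify(d, protected) for d in observed}
    return {d: l for d, l in labels.items() if l in ("lookalike", "typo")}

# Constructed feed of newly seen registrations; the first name is the article's example.
SAMPLE = ["BankofAmerlca.com", "bankofamercia.com", "bank0famerica.com",
          "www.bankofamerica.com", "examplebank.com"]

if __name__ == "__main__":
    for domain, label in review(SAMPLE).items():
        print(f"{label:10} {domain}")
```

The article's "BankofAmerlca.com" is caught by the folding step rather than by edit distance, because a lowercase "l" standing in for "i" is a visual swap, not a keyboard slip.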

 

Article originally appeared on Front Page Gloversville (http://frontpagegloversville.com/).
See website for complete article licensing information.