Online honey trapping is becoming very prevalent. The underlying root of all this is the prevalence of fake profiles. Together with a tech journalist we delved deep into this and came up with the story. More below.
One of our founders recently spoke about how to be safe online on the PS Show. Here are the videos along with the transcript.
So, you know there is Digital India, there’s the entire universe, there’s cyber attack, there’s WannaCry malware. So, how do I as a common person… you are an expert when it comes to security, but how do I as a common person keep myself safe?
I want to give you the way we look at it first, before we go into tips and tricks, right! Just like in the real world when you lock your home, you are not relying on just one lock, right? There is a lock on the gate, there is a lock on the house main door and then there is the Godrej cupboard where there is another lock. That’s what I mean by layered security. In the online world also, there are a lot of tools available for layered security. One famous one is two factor authentication; for everything, you should simply go and enable two factor authentication without even thinking about it. So the second way to approach this is what is called resilience, because technology is only as good as the humans managing it, and as you know humans are fallible… right! So, resilience means assume that whatever systems you are using are hackable, and make sure that you don’t store anything that destroys your life if it gets hacked.
With technology so progressive, why are we still able to hack things, you know? That is something I find a little difficult to understand.
It’s not the technology that is getting hacked. Yes, there are extreme cases where super specialised cyber warfare teams are involved with breaking encryption and all that. Most of the other news that you see, people losing money, getting harassed online, or even this recent WannaCry thing, it’s exploiting human emotions.
Right. You know, prudence, for example discipline: you need to always patch your system. You need to have a basic antivirus. People just don’t do that. It doesn’t take any money; all these tools are free. But many people either ignore it or they are in this “OK, this won’t happen to me” mode. It’s there, but it won’t happen. It’s as simple as people not wearing helmets.
So, that’s what is getting exploited in most of the cases. Technology hacking is there, but that is very rare.
But having said that, you know there is social media. I want to be on social media and, you know, everybody wants to be there, everybody wants to talk about the work that they are doing or even just post some photographs. But there is a part of me which wants to be there and doesn’t want to be there also, because of everything that’s happening. So, how do I strike a balance of being visible yet not being there?
And part 2,
Right. So you know the idea of being secure or being safe does not mean you curtain yourself. That’s not what I am advocating at all. No, on the contrary, what I am saying is, there is a way to exist anywhere.
Right, you can be as free, live a boundless life, but you need to take certain precautions. Right. Let’s say you want to be an adventurer, both offline and online, right. You know, offline you do take certain precautions, right. When you are an adventurer… in fact, some of the adventurers who live crazy lives are some of the most responsible people that I have met.
Because they understand and they take precautions.
PS: Safety first, right, safety first.
I would say the same thing applies to social media, right: you need to be visible, but you can also control which people you are visible to.
And there are always tools for blocking and reporting, and you know in some cases you can’t do much because these people are creating… For example if you are using Twitter you always have new fake accounts that come in, you can’t do much… but you know if you look at the norm, everybody just ignores them.
That’s OK. You know, the issue comes when people share sensitive information. I am not talking about the looks and the life, I am talking about somebody taking a selfie with the credit card and posting it online.
Boarding pass, yes.
But that has that barcode, and the barcode has a lot of information, right, and if you have good resolution you can scan it and get a lot of information about you. So things like that, OK.
So there is a balance that you can, and also it’s not a good idea to share credential-related information like your complete date of birth or, you know, your PAN card or things like that.
Yeah, those are things you can’t change at all.
Can’t change at all, and people can misuse them and create an artificial identity or do an identity theft.
I know I have blocked about 100 people from my Facebook account, yeah. So that’s what I understand when it comes to social media: that is still somewhere under my control, right? I can always delete my account, or else I can always block people. But now when it comes to, say, the financial aspects of my life, be it a banking account, that’s not under my control. So is there some measure that I can take in terms of being safe?
ME: Right, so there are a couple of things, right, and again these are some common sense thumb rules; it’s not perfect. But one good thing about the financial world is that it is highly regulated. So even if some hack happens, more than 90% of the people have got the money back. So other than, I mean, if it is not your fault there are many instances where money has been returned to the account holder. Always use a sort of assigned computer for your banking transactions, right. Don’t visit some torrents and then come back to your banking site and do things. I mean, if you can afford it, have two computers. Also don’t connect to random WiFi just because it’s free.
We all love free things.
For banking-related transactions or any financial transaction, make sure you are on a very secure network. Use a VPN; if you are really paranoid, use a VPN. Or, you know, some official WiFi, or your home WiFi which you subscribe to. That’s good enough.
OK, OK, so I understand this part, now that you have made this clear about having a sandbox or a VPN for that matter. But having said all of this, there is still a lot of online harassment happening, you know; how do I protect myself? Or are only women prone to it? I know maybe I am speaking because I feel a lot of women are speaking about it on social media. So what do you think about that?
So, so I actually don’t think women are prone to it, based on my own research. There are people of all sorts who get harassed online, and there was a recent case in Bombay also where this media guy was getting stalked by this woman, right. But apart from that, especially when you come to ransomware or what they call honey trapping, men are the primary targets. And you know, unfortunately, they can’t even come out and say it because people will laugh at them.
For women, at least they do get sympathy.
Because of the sensitivity.
Yeah, you get sympathy and there are a lot of people trying to fight for you. But for men some of these things are even more difficult. And also, you know, apart from this, if the crime is not of a personal nature, if it is random harassment, a random hack, a financial hack, there is no distinction between men and women.
Have you personally helped any people you know in terms of tracking who has hacked their account, and are there any examples?
So there have been many examples; I mean I have put them on my blog. Umm… So in one case there was this business guy who was getting harassed by his business partner, ex-business partner. They had some fall-out because of some financial issues. And he was sending fake emails, saying pseudo things: your daughter will die, your son will die, or things like you have cheated this person, and he used to also send mails to the government officials claiming to be one of his customers and saying he is cheating and things like that. Umm, based on a lot of the email traces and also based on some circumstantial clues we were able to identify that team, and then he sent them a legal notice and that stopped.
You know Manjula, all that sounds so interesting and I would like to dig a little deeper into this. But before that I would like to take a short break.
You are watching the Prathibha Sastry Show and let’s take a short break.
10.34 - Welcome back everyone, we are still with Manjula Sridhar and I think, you know, we have focused so much on cyber security. We have focused on online harassment; now I would like to ask a little bit about the laws, you know, the laws and the legal aspect of it.
What kind of, you know, services do we have in this area?
Yes, so the legal system is pretty complete in terms of dealing with all sorts of prevalent issues, right. For example, the IT Act 2008 has detailed provisions for online harassment. For example, even if you receive any sort of messages you can go to the cyber crime cell, police station and lodge a complaint, even if it is a very frivolous one, right. Because the law is very, very clear on that, right. And this is a message to the wrongdoers out there also; many of them are not aware that sending some of these messages is illegal. But it is illegal and you could be easily caught. I would also request all these people who are going through a certain level of harassment to file a complaint, because what happens is these people who are doing these crimes are habitual offenders, right. The more data one has, the easier it is to attack them and get them behind bars. So it’s very, very important that you at least lodge a complaint. It’s not very difficult nowadays with the cyber crime police station and online FIRs and things like that.
So, you know, anything that happens on the mobile, wrongdoing that happens on the mobile and the laptop, would come under cybercrime?
Any electronic communication, right…
Like email, mobile, or even a pager somebody sends you. It says any electronic communication falls under that purview. IT Act, I think 66A covers it, 66C, there are many variations of it. All of these comprehensively cover these kinds of issues. And the same applies to financial crimes also. There is a special provision to deal with financial crime. Like they say there are special powers issued to the IT Secretary and there is a separate appellate dealing with speedy reimbursement of the money.
So IT Secretaries of the State, you mean?
Yeah, IT Secretaries have some special powers with respect to refunding the money that is hacked.
Oh! That sounds interesting. I am sure people will definitely take notice of this. You know, now that you have given us so many tips and tricks, and tricks of the trade if I may say so, but one of the things, you know, with the changes you are creating and so many digital trends that are coming up every other day, I mean, how do I keep track of them, how do I keep myself updated, and I am sure it’s necessary to keep myself updated. But how do I go about it?
So it’s very simple, right. Many of the platforms that you interact with day to day, what is it, Google,
Facebook and your bank. These are the three major touch points for you with respect to the internet, right. All of them are actually doing a lot of campaigns. Right. If you go to google.com/security
or facebook.com/settings/security or even your bank… banks keep on sending these emails… right
which we ignore,
Don’t ignore them. I think, just like health and nutrition, digital prudence has become a thing for you to pay attention to. Everything is going digital, so you can’t afford to ignore it. And you know, the myth about, you say technology is hard, I don’t understand it, all of that I think is self created.
Even as a person, I mean, I can think like a normal person, not as a techie: if you can read, I think you can understand technology. And nowadays many of the technology platforms actually take a lot of pains to make it user friendly, because the whole domain called UX has come into existence.
So, I think people need to get out of this fear of technology and embrace it.
I mean, easier said than done. You know, I know you are making it so simple for us to understand, you know, but then again I will go back to that: you are a techie, I am a non-techie. So, so the user experience is the important part of what you are recommending.
I think one of the things, if there is one point that people want to take away from this segment, would be how to enable two factor authentication; it’s very simple and there is no reason why you should not do it. There is absolutely no reason. I can’t think of one single reason why everybody shouldn’t have two factor authentication on their Gmail. Because if your Gmail gets hacked, everything else gets hacked, because all your information, all your OTPs, all your password resets come to Gmail, right.
I think that would be one good way to look at it.
OK, that would be the minimum that you can begin with, actually.
Ya, right, that’s the first layer, or the second layer that you can have. I want to show you how to enable two factor authentication on Google. It’s part of, you know, the layered security that I talked about. So, simply go to www.google.com/2step… 2, the number, and STEP… and it will take you to a place that explains what I already told you, and it’s very simple… you just go to the Get Started button at the bottom of the screen and then it will ask you to login and there is a button which says enable two factor authentication and that’s it, you just turn it on… and from then onwards whenever you login… you will get either an OTP as SMS on your mobile… or, you know, you may even enable an option of a call where someone calls you and tells you what the OTP is… and then you enter the OTP when you are logging in… and to make it convenient you can even make it device specific, so if you are operating a very, very safe computer and you don’t want to worry about entering the OTP every day, because it becomes quite irritating if you have to enter an OTP every time you login to Gmail… then you enable that, so only if you are logging in from somewhere else, a friend’s computer or a cyber center or somewhere else, then it becomes active; otherwise for you it’s very simple, it’s like you are logging into your account normally, only if something happens then it comes into effect, so you add a layer of security without losing convenience. So now I will show you about Facebook, as I think it is one of the concerns for people because lots of people are on Facebook and they share a lot of personal information on that… So again Facebook has made it very simple to enable all of them, you can go to facebook.com/security
And it will give you a set of options including to see who is logged into your account, what kind of authentication you can enable; you can deactivate, delete and all that. Just follow the steps; I mean you don’t need any technical understanding… you just need to understand English… go and click those buttons and there you should be able to make it secure… these are very simple things you can do without any additional money, time, or investment in understanding, because these guys have made it easy for you.
I think I’d be interested to know more about the following layers that would come out; maybe in the following segments we can definitely touch upon them… thank you Manjula for joining us today and sharing this… I think I will go first and ensure all my two factor authentications are set… that’s the right word to use.
Yes, yes, that is the right word.
Maybe I will focus on that, and thank you once again…
Sybil attacks are named after a fictional character with dissociative identity disorder. A Sybil attack is an attack on the reputation of an online social network through the proliferation of fake profiles using false identities. Fake profiles have become a persistent and growing menace in online social networks. As businesses and individuals embrace social networks, the line between the physical and online worlds is getting blurred. Hence it is critical to detect, prevent and contain fake accounts in online communities. This article looks at the specific dangers caused by fake profiles and at solutions to detect and prevent them.
Fake Accounts & the Problems
The root cause of fake accounts is the popularity of open systems such as Facebook, Twitter and LinkedIn. Identities have become porous, instant and temporary, leading to easy creation of fake profiles. Fake accounts can be of a few types:
Accounts created using fake identities.
Accounts created using stolen identities.
Both are serious issues and can break the trustworthiness of online communities.
Trust in online communities is broken by:
Manipulating the reputations of businesses, individuals and entities using paid fake accounts and fake votes or reviews.
Adversely affecting trends and news by spreading false information and spam.
Acting as an anonymous front for harassment and ransom.
Fake accounts are of course not limited to OSNs (Online Social Networks) alone but affect all forms of open online identities such as cryptocurrency wallets, email addresses and phone numbers.
The problem can be looked at in two ways:
A preventive approach, which relies on making the signup process closely linked to a robust real-life identity (closed systems).
Detection of fake profiles after signup (open systems).
The first is harder to implement, as many business models depend on more and more people signing up, so ease of signup is the number one priority. There is also the aspect of privacy, which takes precedence over detection of fake accounts. So many open systems such as FB, Twitter and LinkedIn completely do away with any form of identity verification.
The more pragmatic solution is to figure out methods of detecting and blocking fake accounts after signup.
Some networks rely on the wisdom of the crowd or the action of the aggrieved party to flag the fake or problematic account. While this has some success against standalone fake accounts, it isn’t effective against clusters of fake accounts or automated Sybil attacks.
Another approach is to use a set of behavioural thumb rules to determine whom to let in and keep. For example, a person who is a friend of a trusted person is considered trustworthy. Accounts are also monitored for frequency of posts, types of posts, type and frequency of interactions, devices and IP addresses from which they log in, time of activity and many such parameters. But as social spheres grow and people start adding people who aren’t part of their physical circles, this becomes harder to manage and rely upon. These solutions do not account for stolen and compromised identities either.
So more evolved solutions rely on artificial intelligence to recognise fake-account patterns. The standard procedure for an AI (machine learning) based solution is as follows.
Collection of data with manually (or otherwise) tagged known fake accounts.
Training models to learn the complex patterns and rules.
Automation to enforce the rules.
Machine Learning Classifiers
Training the machine to learn is the most critical point of any AI based system. It requires a thorough understanding of the domain, the datasets and the interrelation of the datasets. Based on this, the right type of classifier is chosen and implemented. Some of the most commonly used classifiers in the context of fake profile detection are listed below.
Naive Bayes Classification
Decision Tree Classification
Support Vector Machine
These classifiers are only the starting point; to improve accuracy, it is better to try different classifiers, vary the parameters and compare the results against known data.
So the availability of known, diverse data is equally important in designing a detection and prevention system. One such dataset is available here (https://www.kaggle.com/bitandatom/social-network-fake-account-dataset). To increase accuracy it is better to get data in the context of the targeted geography and demographics.
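To make the classifier step concrete, here is an added example (not code from the original article or from any of the networks it mentions): a Gaussian Naive Bayes classifier written from scratch, trained on a small constructed set of account-behaviour features of the kind listed above (post frequency, follower ratio, profile completeness, login IP diversity) and checked against a constructed hold-out set. The feature names, values and labels are all constructed for illustration and are not drawn from the Kaggle dataset.

```python
"""Gaussian Naive Bayes for fake-profile features, written from scratch (no
scikit-learn) so it runs offline.  All feature vectors and labels below are
constructed for illustration; they are not from any real dataset."""
import math

# Feature order for every account vector (constructed, hypothetical features):
#   0 posts_per_day          automated accounts tend to post far more often
#   1 follower_ratio         followers / following; Sybils follow many, few follow back
#   2 profile_completeness   fraction of profile fields filled in (0.0 to 1.0)
#   3 distinct_ips_per_week  logins from many addresses suggest a rented/shared account
FEATURES = ("posts_per_day", "follower_ratio", "profile_completeness", "distinct_ips_per_week")

# Constructed training set: (feature_vector, label) with label 1 = fake, 0 = genuine.
TRAINING_DATA = [
    ([1.2, 1.1, 0.9, 1], 0), ([0.5, 0.8, 0.8, 2], 0), ([2.0, 1.4, 1.0, 1], 0),
    ([0.1, 0.6, 0.7, 1], 0), ([3.0, 1.0, 0.9, 2], 0), ([0.8, 1.2, 0.6, 1], 0),
    ([40.0, 0.05, 0.2, 9], 1), ([25.0, 0.10, 0.1, 12], 1), ([60.0, 0.02, 0.3, 7], 1),
    ([35.0, 0.08, 0.2, 15], 1), ([18.0, 0.15, 0.1, 6], 1), ([50.0, 0.04, 0.4, 10], 1),
]

# Constructed hold-out set, used only to check that the learned rules generalise.
HOLDOUT = [
    ([1.5, 0.9, 0.8, 1], 0), ([0.3, 1.3, 1.0, 2], 0),
    ([30.0, 0.07, 0.2, 8], 1), ([45.0, 0.03, 0.1, 11], 1),
]


class GaussianNB:
    """Each feature is modelled as a Gaussian per class, and features are assumed
    independent given the class (the 'naive' assumption)."""

    def __init__(self, var_smoothing=1e-6):
        self.var_smoothing = var_smoothing   # keeps a zero-variance feature from dividing by 0
        self.prior, self.mean, self.var = {}, {}, {}

    def fit(self, data):
        by_label = {}
        for vector, label in data:
            by_label.setdefault(label, []).append(vector)
        total = len(data)
        for label, vectors in by_label.items():
            n, dims = len(vectors), len(vectors[0])
            self.prior[label] = n / total
            means = [sum(v[i] for v in vectors) / n for i in range(dims)]
            self.mean[label] = means
            self.var[label] = [
                sum((v[i] - means[i]) ** 2 for v in vectors) / n + self.var_smoothing
                for i in range(dims)
            ]
        return self

    def log_posterior(self, vector):
        """Unnormalised log P(class | features) = log prior + sum of log Gaussian densities."""
        scores = {}
        for label in self.prior:
            score = math.log(self.prior[label])
            for x, mu, var in zip(vector, self.mean[label], self.var[label]):
                score += -0.5 * math.log(2 * math.pi * var) - (x - mu) ** 2 / (2 * var)
            scores[label] = score
        return scores

    def predict(self, vector):
        scores = self.log_posterior(vector)
        return max(scores, key=scores.get)


def train_fake_account_model(data=TRAINING_DATA):
    return GaussianNB().fit(data)


def evaluate(model, labelled):
    """Accuracy over a labelled set; compare this across classifiers and parameters."""
    correct = sum(1 for v, label in labelled if model.predict(v) == label)
    return correct / len(labelled)


if __name__ == "__main__":
    model = train_fake_account_model()
    print("hold-out accuracy:", evaluate(model, HOLDOUT))
    for vector, _ in HOLDOUT:
        verdict = "fake" if model.predict(vector) == 1 else "genuine"
        print(dict(zip(FEATURES, vector)), "->", verdict)
```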
(This blog was originally written by me @ https://komunity.komand.com/learn/article/sybil-attacks-detection-and-prevention/)
Anyone who’s been alive long enough will remember the act of locking their desk drawer (or briefcase) with a shiny metal key. Today they’d store virtual files on a laptop – and instead of a keyhole, they’d be confronted with a ‘login screen’ with a little rectangle indicating where they could type in their ‘password’ – a secret word that they’ve memorised.
The problem with having a secret word is that we all live in fear of picking a word so secret, we forget it ourselves. So we take shortcuts. We write it down on a little piece of paper conveniently within reach. We use the same password on multiple websites. We use the name of a person we care about. Or – and this happens a lot – we simply use the word “password”. Clever, huh?
pic credit : Bangalore Mirror
The problem with this approach is that anyone can write a little program to run through all the words in the dictionary (or a baby names list) and try them one by one until they crack your password. This kind of thing is trivial for the average computer, taking mere minutes to run through hundreds of thousands of word combinations. This is called a “brute force attack” because it uses nothing more than a computer’s ability to do repetitive tasks, trying all possible passwords.
What if you were smart enough to use nonsense words and symbols? Congratulations, your password is indeed better. But you’re no longer like the average person who isn’t so careful, and this is a problem if you manage IT security at a bank and a customer is on the phone sobbing about all their money disappearing from their account.
Password theft happens in many ways and using a difficult password won’t protect you all the time:
Shoulder surfing, in which someone watches over your shoulder when you’re typing out an ATM pin (or similar public situations).
Vishing: A caller claiming to be from the bank dupes victims into revealing their passwords.
Phishing: Links sent over email or SMS perfectly impersonate a target website (banking, email) duping people into entering their password.
Keyloggers: A “virus” or malware infecting victim’s computer that can capture keystrokes and send them (including passwords) back to their masters.
Man-in-the-Middle Attack: An entity (most often, software) eavesdrops on and modifies traffic at any point between your device, WiFi router, and ISP. If you bought a WiFi router and installed it without changing the default password, chances are it’s already infected by someone accessing it over the internet, and now it’s spying on you.
Man-in-the-Browser Attack: A man-in-the-middle attack conducted by malware infecting a victim’s web browser, usually because you installed a browser extension that claimed to give you extra smileys or emoji.
Security professionals have known for a while that passwords are too hard for the average user, a lot harder than telling someone to be careful with their keys. What if a password could be more like a key, something you have rather than something you know? Or better, use both?
This is the idea behind “two-factor authentication”, where you prove your identity to a service provider by demonstrating both that you know your password, and that you have some kind of physical object that no one else has. Question is, exactly how does a website verify that you’re currently possessing some physical object? Maybe if your computer can somehow communicate with it?
Everybody has a mobile phone these days, and every mobile phone is capable of receiving an SMS, so what if the service provider sent you an SMS and asked you to type back the number received? This is the idea behind the “One Time Password” or OTP SMS your bank sends when you do a financial transaction.
Mobile phones are a recent phenomenon, but the idea of using a physical object has existed for decades and the industry has come up with many ways to do this, some of which are superior to an SMS, although at additional cost.
Let’s look at the sort of things you can have:
You have a phone and it’s capable of receiving an SMS. The service provider sends you an SMS with an OTP. Almost everybody has an SMS-capable phone, so this is by far the most common mechanism. However, sometimes the network is congested and your SMS doesn’t arrive on time. Since it’s transmitted over radio, anyone with the appropriate radio equipment sitting anywhere in your neighbourhood can also receive it, just like in a spy thriller. Unlikely to happen to you, but you never know.
Remember the discussion we had in the last column about how encryption works? Your bank now sends you a little device (like an RSA SecurID) that displays a number that changes every minute. The number is based on an encryption algorithm for which the bank already has the secret key. When you type in the number on the website, they know you’re now in possession of this little device, and it doesn’t depend on an SMS arriving on time. This is called a “Time-based OTP” or TOTP because the constantly-changing number is based on the current time, and both the device and your bank’s servers are set to the same time. If an attacker somehow manages to steal a number from you, it’s only good for the next one minute. They can’t predict what the next number will be.
That little device your bank sent you is a small computer powered by a watch battery. Your phone is also a computer that can keep time, so why can’t your phone do the same thing? Download the Google Authenticator or Authy apps from your phone’s app store. They work with many websites including Gmail.
While Google Authenticator and Authy are very convenient, your bank doesn’t support them. They insist on an SMS or their own hardware dongle. If you operate multiple bank accounts, pretty soon you’ll have a bagful of these devices. To get around this problem, several companies joined hands to form the FIDO alliance and agree on common standards so you can use one device with multiple service providers.
There’s another problem with TOTP, whether you use a physical device or your phone. You went to your bank’s website and entered the number, but is it really your bank’s website? Is that URL saying ICICI or 1C1C1? The number ‘1’, uppercase ‘I’ and lowercase ‘L’ all look similar, so if you’re not in the habit of looking at the letters carefully, you may not even notice. The FIDO alliance decided to solve this problem with their “universal 2-factor” (U2F) specification, a hardware key that you must plug into your computer. If you use the Chrome browser, it automatically recognises this security key and will ensure you don’t accidentally enter a code into the wrong website. Firefox and others plan to add support soon. Yubikey is a popular brand. The company that makes them recently gave away 500 keys at a conference in Bangalore, so chances are there’s someone around you that already has one.
Several companies have made it mandatory for their employees to use U2F keys, and you should consider using one too. Because it’s a public standard, any U2F key will work with any website that supports the standard.
At the very least, turn on SMS or TOTP-based authentication using your phone on all the websites you use frequently. Here’s a good list of websites where you can use them: https://twofactorauth.org This may just save you from losing your entire digital identity one day.
As a person who deep dives into hard tech such as networks, never had I imagined that I would concern myself with a celebrity scandal. But here I am, curiously following up and getting annoyed to no end by the technology inaccuracies being reported in the media about the infamous Kangana Ranaut and Hrithik Roshan saga. For the uninitiated, a top Bollywood actress (Kangana Ranaut) has accused a top star (Hrithik Roshan) of publicly circulating personal information shared over private emails. He is countering that the email is an impostor account. One can read all about it in various tabloids, but in this article we will be in “Sheldon Cooper mode” and focus on the tech part.
So first things first: the alleged crime (committed either by the impostor, if any, or by the accused) is defined in the IT Act 2008 (http://www.cca.gov.in/cca/?q=it_act_amendment.html), which clearly states that the transmission of such personal images is punishable by imprisonment of . Below is the relevant excerpt.
66E. Punishment for violation of privacy. (Inserted vide ITA 2008)
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
Explanation. – For the purposes of this section –
(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that
(i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or
(ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.
Punishment for publishing or transmitting obscene material in electronic form (Amended vide ITAA 2008)
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
67A. Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form (Inserted vide ITAA 2008)
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form –
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
(ii) which is kept or used bona fide for religious purposes.
Now to the email part: how does one establish that a particular account belongs to an individual? It is a hard thing to do, especially if the criminal is tech savvy and has taken a lot of precautions to make sure he isn’t tracked. Keeping aside the non-tech methods that law enforcement officials use effectively, many tools are at law enforcement agencies’ disposal.
The step-by-step process in a typical scenario would be this:
Track the IP address of the email: Take a copy of the header of the mail. Google how to get the headers of a particular email; the steps are very simple but differ between providers such as Gmail, Outlook, Hotmail etc. Run the header through a tracer tool. There are many free Internet tools to do this. Some are listed below, purely in the order they show up in Google’s ranking (it is fairly low tech, so it is OK to use any one).
In some cases you will find the IP address straight away. But nowadays, due to email server proxies, it traces back to the provider’s location (for example Mountain View for Gmail). However, once law enforcement officials request it, email providers such as Google are obligated to provide the real IP of the endpoint, and hence you can trace the person (in some cases you may need to get this from the ISP as well).
In some cases, though, the criminal may use spoofing software or desktop proxies that fake the IP address and make it impossible for law enforcement officials and the providers to identify the correct IP. In such cases step 2 is the way to go.
Engage the person and send a spying attachment to the email ID.
This needs to be done in collaboration with law officials. Usually spying software is nothing but a script which reads more identifiable information from the endpoint (laptop, desktop etc.) and transmits it back to the sender. This information can then be used to identify the real person/IP behind the proxies. Many such scripts are easily available online.
Deduction: If enough emails are available, many analytical techniques may be employed to determine geography, time etc., which can be matched with the known movements of the accused.
Writing style analysis: This is probably the most technologically advanced but not yet well developed technique. Writing styles can be matched with software to establish the likelihood of the accused having sent the email.
Forensic analysis of the devices (provided they are physically intact): Deleting and formatting do not really delete the content, which remains available for recovery by forensic tools.
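For the header-tracing step above, here is an added example (not code from the original post or from any of the tracer tools it mentions) that pulls the relay chain out of a message’s Received: headers and picks the first address that could identify an endpoint; the message, hostnames and addresses are constructed, and it also handles the NAT case where a relay records both the client’s private and public address.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample (not a real capture): the sender's client, NAT'd as
# 192.168.1.23, submitted to its provider's relay, which logged the client's
# public address 203.0.113.45 before handing the mail to the recipient's MX.
SAMPLE_RAW = (
    "Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.7])\n"
    "\tby mx.receiver.example (Postfix) with ESMTP id 4XyZ;\n"
    "\tMon, 1 May 2017 10:02:11 +0000\n"
    "Received: from [192.168.1.23] (unknown [203.0.113.45])\n"
    "\tby mail-relay.example.net with ESMTPSA id abc123;\n"
    "\tMon, 1 May 2017 10:02:09 +0000\n"
    "From: Someone <someone@example.net>\nSubject: test\n\nbody\n"
)

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Addresses that cannot identify an Internet endpoint (RFC 1918, loopback,
# link-local), listed explicitly because ipaddress.is_private would also
# flag the RFC 5737 documentation ranges used in the sample.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
            "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_routable(ip):
    return not any(ipaddress.ip_address(ip) in net for net in INTERNAL)

def received_hops(raw):
    """Hops ordered from the sender's side to the recipient's side, as
    [(ips_in_from_clause, relay_in_by_clause), ...]. Each relay prepends
    its own Received: line, so the bottom-most header is the earliest hop."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        from_part, _, by_part = value.partition(" by ")
        by_host = by_part.split()[0] if by_part else ""
        hops.append((IPV4_RE.findall(from_part), by_host))
    return hops

def origin_ip(raw):
    """First routable IP in the earliest hop, i.e. what the first relay saw.
    Only lines written by relays you trust are evidence (a sender can forge
    the bottom lines); for webmail this is the provider's own server."""
    for from_ips, _ in received_hops(raw):
        for ip in from_ips:
            if is_routable(ip):
                return ip
    return None
```

With the sample, the relay hop is reported first and the NAT address 192.168.1.23 is skipped in favour of the public 203.0.113.45 the relay recorded.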
There are some more advanced techniques based on the content (such as pictures), but that is for another article. In general it is a combination of the steps above that determines the accuracy of the outcome. I am eager to see what they find, with the hope that the media reports it accurately. But most likely this will be an out-of-court settlement, so my tech quest may as well end here.
Through this blog I have been suggesting many preventive methods for all sorts of digital usage. However, recent news reports such as this one http://tinyurl.com/jydguqk are shaking the foundations of preventive practices for consumers. In this news article many bank account holders were robbed by a hacker diverting money into a wallet. Normally such hacks are done by a mixture of social engineering (fraudsters posing as bank staff and calling consumers for the OTP) and some data gathering. In this case, though, no such effort was made. In the social engineering cases the banks put the burden on the consumers, although in many cases the consumers have no clue about digital awareness. In the latter cases there is at least a bit of solace, as the banks take the burden. Since many systems and disparate companies are involved (laptop providers, internet providers, telecom providers, banks, telecom equipment providers) and the hack could be anywhere, it is easy to pass the buck around.
There are many systemic issues which lead to this state. The general thinking when it comes to security measures is to do the minimum possible to avoid regulatory pressure. For many large corporations, return on investment becomes of paramount importance. Startups are even worse, because traction and growth are more important than the inconveniences of security.
But the most dangerous aspect of this whole thing is the unprecedented growth of digital proliferation without any effort to create awareness about safety measures. Whose job is this? The government’s? The companies’? Or the users’? The questions to be answered are:
Should companies provide a method for opting out of online mode?
Should awareness exercises be mandatory?
Should there be consumer insurance?
Who should carry the burden of proof with respect to hacks?
Hope regulators wake up and provide clarity on this !!
According to the recently released National Crime Bureau Statistics 2015, the number of reported cyber crimes in India is roughly ten thousand, with a conviction rate of 23%. A significant chunk of reported cyber crimes is financial in nature. An interesting but not surprising fact about cyber crimes is that strangers commit most cyber crimes of a financial nature, while the first or second circle of people around the victim often commits cyber crimes of a personal nature. This makes financial cyber crimes harder to defend against and makes it harder to identify the culprits.
Various aspects of financial cyber crimes that are important to consider are:
• The majority of financial crimes are organized crimes, with call centers, sometimes staffed by innocent employees, executing on behalf of crime syndicates. Some of you must have received a series of calls asking you to verify certain aspects of your credit/debit cards. They claim that they are calling either from banks or from contractors of the bank.
• Many are globally spread, so catching them and prosecuting them under a legal framework becomes much harder.
• In some cases insiders at the telcos and banks collude with the criminals, making it much easier to breach the system. Cloned SIMs and calls from inside the bank’s call center numbers are good examples of such failures.
• Even when the culprits are caught, it takes a long time for the legal system to act and get the money back.
Courts in many cases have penalized banks and telcos, and sure enough they have implemented many measures to safeguard against such crimes. Some of the measures are KYC for SIMs, fraud analytics on accounts (detection and prevention of abnormal behavior in users’ accounts) and two-factor authentication (two different types of password, to safeguard against any one of them being compromised; it is an additional layer of protection, like a lock that needs two different keys to open).
In spite of these, criminals still continue to prosper due to the lack of awareness of many users. Most users fall prey to what is called social engineering: the technique of making people believe that they are talking to authentic folks (such as banks) and extracting secret information such as passwords. Some examples of social engineering are:
• A call from someone claiming to be from the bank and asking for your password due to a system upgrade or any other plausible and believable excuse.
• Mails seemingly from banks, such as from “yourbank”@gmail.com, asking you to change your password. Most people wouldn’t notice the changed domain name.
• Fake e-commerce sites that collect card data along with the static PIN.
• Fake ATMs that read the magnetic stripes of cards (not possible with new chip-and-PIN cards).
• In some cases, faked phone calls from relatives asking for passwords and PINs.
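A sender-domain check for the lookalike-address case in the list above, as an added example that is not part of the original post: it separates the display name from the actual address, so a bank name in the display name or before the @ does not pass. The allowlisted domain yourbank.example and the From headers are constructed.

```python
from email.utils import parseaddr

# Constructed allowlist: the domain(s) the bank actually sends from, and the
# brand word that fraudsters put into display names and local parts.
LEGIT_DOMAINS = {"yourbank.example"}
BANK_NAME = "yourbank"

def sender_domain(from_header):
    """Domain of the real address, ignoring the display name entirely."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower().strip(".")

def check_sender(from_header, legit=LEGIT_DOMAINS, bank=BANK_NAME):
    """Return (ok, reason). Display name and local part are chosen by the
    sender, so only an exact match on the domain after '@' is accepted;
    lookalike domains such as yourbank-example.com are rejected too."""
    name, addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain is None:
        return False, "no parsable address"
    if domain in legit:
        return True, "domain %s is on the allowlist" % domain
    if bank in name.lower() or bank in addr.split("@", 1)[0].lower():
        return False, "bank name outside the domain, real domain is %s" % domain
    return False, "unknown domain %s" % domain

# Constructed From headers mirroring the page's "yourbank"@gmail.com pattern.
SAMPLES = [
    "alerts@yourbank.example",
    '"yourbank" <yourbank@gmail.com>',
    "YourBank Security <security@yourbank-example.com>",
    '"alerts@yourbank.example" <noreply@mailer.test>',
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", check_sender(header))
```

The From header itself can be forged, so a passing domain is a first filter, not proof; the header-tracing steps earlier in the post are what establish where a mail really came from.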
No amount of technology measures from the banks and telecoms can safeguard against such attacks if you, the consumer, become the weakest link. So it is very important for individual users to be aware of these crimes and take precautions. Here are the safety measures to adopt for online banking or other online financial institution access.
• Spread the money across multiple accounts.
• Enable all sorts of notifications (mobile, email, slow mail) for transactions. This will help in case of cloned mobiles.
• Use only dedicated private computers (or phones) for online banking.
• Use safe and private networks (strongly secured home WiFi or office WiFi).
• Use strong passwords (not related to date of birth, family members’ names etc.).
• Enable two-factor authentication provided by banks wherever possible. These are:
o OTP (one-time passwords usually come by SMS, but in some cases apps are available on smartphones which display the number).
o Smart cards (downloading specific keys to your computer and hence blocking any computer that doesn’t have them).
o Hardware tokens (which display the OTP).
• Use trusted websites and wallets for sharing your banking information.
• Make sure your primary email used for notifications is protected with two-factor authentication as well. Google Authenticator is a popular choice for many.
• Install a good antivirus on the primary computer and mobile.
• Do not reveal birthdays etc. on public/private social media profiles. Criminals can easily scrape them and use them to gain access.
• Do not install unverified software/apps on the main accounts. Many apps and software can contain malware that eavesdrops on your transactions. The same goes for many sites on the Internet. If you must, use a virtual box or a different device.
• Do not share your password with anyone on the phone or web for whatever reason. When in doubt, cut the call politely and call back on the official support numbers of the institution.
• Do not use public computers at hotels and airports for any logins.
• Do not use random WiFi/networks (airports, hotels, cafes) for online transactions.
• Avoid unbranded standalone ATM machines, especially in some high-risk areas such as some well-known tourist locations (too many to list, so just avoid them).
With increasing technology advances and an immense focus on Digital India, technology is going to be part of every aspect of our life. While we are instinctively safety conscious, the new technology paradigms are unknown territory to us, and hence educating oneself on these aspects and taking appropriate safety measures is the best way forward.
So take care and stay safe.
(This blog was originally published @ techinasia https://www.techinasia.com/talk/avoid-financial-scams-fast-digitalising-india)
Recently a person reached out to me for a forensic analysis of his phone. Intrigued, I asked him to explain the problem. He didn’t want to discuss this on the phone and asked to meet up. We met in a cafe.
The man (let’s call him K) wanted to know if his phone was hacked and if someone had accessed his messages. K was not too tech savvy but well versed with his phone and used typical applications such as WhatsApp, Uber etc. He had not used a password to lock the screen until recently. He wanted to know if someone had copied messages from his phone when he left it unattended.
Now that is such a difficult question to answer. Copying can be done in so many ways, and in this context could also mean taking a screen grab with another phone, of which there is no way one will have any sort of valid log. So unless there is a bit more context and detail for this query, it would be really hard to investigate.
I gently nudged him to share the context for the request so that I could provide him the right solution. Here is the story: he was in the process of separating from his wife, and during one of their fights she had threatened him, saying that she had copies of his messages and would show the world the kind of person he is. He was paranoid and suspected that she had installed spying software and would use the messages out of context to malign him.
I took a look at his apps to see if any suspicious software was installed. The Samsung phone had two apps called shareit and shareall-dongle, both used to sync data and files between various devices. I asked him if he had installed them; he hadn’t. While these are not necessarily spying software per se, they can be used to siphon data to another device. Another red flag was the phone being backed up to a Google Drive with an unknown Gmail account. The data usage etc. seemed normal, so any surreptitious data transfer was ruled out. We deleted these and kept the app footprint to a few favorite apps. I also disabled Bluetooth and other connections just to be sure.
Anyway, all these measures are for the future, and we have no way of knowing for sure what happened in the past. The only small consolation is that such illegally acquired messages will not be admissible as evidence. Domestic situations are really complex and can defeat the best of security measures.
So if you want to make sure you aren’t spied on, follow these simple steps. (This isn’t exhaustive and doesn’t cover more sophisticated attacks. A post on that will be put up shortly.)
Check application folders for any unknown apps.
See if data usage has increased for no reason.
Check if you are receiving any strange SMS (sometimes used to control spying applications).
Check your automatic backup settings.
And finally, keep the screen locked and don’t store sensitive data on SD cards.
Recently I met a business colleague for lunch and she recounted a strange incident involving an elaborate fake profile on a matrimony site. You also keep reading in newspapers about how a fake profile befriended gullible teens and blackmailed them after collecting a lot of information about them. There are also spammers and financial fraudsters who can gain a lot of information about you by befriending you on Facebook. Even very cautious and otherwise intelligent people sometimes fall prey to this fraud. The culprit seems to be the belief that if you have common friends and the photo looks normal enough, one can trust the profile.
There are many complex ways of doing this. For Facebook in particular there are apps which do behavioral analysis and predict if the profile is fake. These apps are specific to However, one simple way would be to do a reverse image check on the profile picture. The process is simple.
Click on the profile pic, then right click (or ctrl-click, or press and hold, depending on the device) and copy the image URL. Alternatively one can download the picture too.
Go to images.google.com (many other sites work too, but Google is well-known).
Click on the camera icon in the search box and upload the profile pic or paste the URL from step 1.
If the search throws up other pics/profiles with different contexts and names, then you know you have a fake profile.
Once that is established you can report the profile to the concerned website. For facebook the link is https://www.facebook.com/help/167722253287296; Facebook explicitly states that
We don’t allow accounts that:
Pretend to be you or someone else
Use your photos
List a fake name
Don’t represent a real person
However, given the nature of these fake profile creators, they will come back in other avatars, but at least you have a method of detecting them. One prudent (but conservative) approach in general would be not to add anyone that you haven’t met offline.
Recently we held a session on online safety at an elite school. The session was full of teenagers, bright kids full of mischief and eager to conquer the world. Most of them are avid users of Facebook and some hesitantly admitted to being ethical hackers.
I discussed cyber safety with them; many are aware of the general issues, but the areas that seemed to surprise them were:
1. Privacy: Nothing is really private, even if the electronic exchange has happened between two individuals.
2. Legal aspects: Many were unaware of the illegal nature of some things. Many things that they had taken for granted turned out to be illegal.
I spoke to teachers as well; they were concerned about the amount of information that the kids disclose online. It is a thin line here. Many kids feel that they will be cut off from mainstream circles if they don’t behave a certain way. All the tradeoffs of offline social life get more highlighted in the online world.
How does one manage the balance in such a scenario? Here is what I told them; take a look at it.