
Fake Profiles and Detection.

By | Cyber Bullying | No Comments

Synopsis

Sybil attacks are named after a fictional character with dissociative identity disorder. They are attacks on the reputation of online social networks through the proliferation of fake profiles using false identities. Fake profiles have become a persistent and growing menace in online social networks. As businesses and individuals embrace social networks, the line between the physical and online worlds is blurring, so it is critical to detect, prevent and contain fake accounts in online communities. This article looks at the specific dangers caused by fake profiles and at solutions to detect and prevent them.

Fake Accounts & the Problems

The root cause of fake accounts is the popularity of open systems such as Facebook, Twitter and LinkedIn. Identities have become porous, instant and temporary, making fake profiles easy to create. Fake accounts come in a few types:

  • Accounts created using fake identities.
  • Accounts created using stolen identities.
  • Compromised accounts.

All of these are serious issues and can break the trustworthiness of online communities.

Trust in online communities is broken by:

  • manipulating the reputations of businesses, individuals and other entities using paid fake accounts, fake votes and fake reviews;
  • adversely affecting trends and news through the spread of false information and spam;
  • acting as an anonymous front for harassment and ransom.

Fake accounts are of course not limited to OSNs (Online Social Networks); they affect all forms of open online identity, such as cryptocurrency wallets, email addresses and phone numbers.

Solution Spectrum

The problem can be approached in two ways:

  1. A preventive approach, which relies on tying the signup process to a robust real-life identity (closed systems).
  2. Detection of fake profiles after signup (open systems).

The first is harder to implement because many business models depend on ever more people signing up, so ease of signup is the number one priority. There is also the aspect of privacy, which takes precedence over detection of fake accounts. As a result, many open systems such as FB, Twitter and LinkedIn do away with any form of identity verification altogether.

The more pragmatic solution is to figure out methods of detecting and blocking fake accounts after the signup.

Some networks rely on the wisdom of the crowd, or on the aggrieved party, to flag a fake or problematic account. While this has some success against standalone fake accounts, it isn’t effective against clusters of fake accounts or automated Sybil attacks.

Another approach is to use a set of behavioural rules of thumb to decide whom to let in and keep. For example, a friend of a trusted person is considered trustworthy. Accounts are also monitored for frequency of posts, types of posts, type and frequency of interactions, devices and IP addresses used to log in, time of activity and many similar parameters. But as social spheres grow and people start adding people who aren’t part of their physical circles, this becomes harder to manage and rely upon. These solutions also do not account for stolen and compromised identities.

More evolved solutions therefore rely on artificial intelligence to recognise fake-account patterns. The standard procedure for an AI (machine learning) based solution is as follows.

  1. Collection of data with manually (or otherwise) tagged known fake accounts.
  2. Training models to learn the complex patterns and rules.
  3. Automation to enforce the rules.

Machine Learning Classifiers

Training the machine is the most critical part of any AI-based system. It requires a thorough understanding of the domain, the datasets and the interrelations between them. Based on this, the right type of classifier is chosen and implemented. Some of the classifiers most commonly used for fake profile detection are listed below.

  1. Naive Bayes Classification
  2. Decision Tree Classification
  3. Support Vector Machine
  4. Logistic Regression

These classifiers are only a starting point; to improve accuracy, it is better to try different classifiers, vary their parameters and compare the results against known data.
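As an added example (not code from the article): a Gaussian Naive Bayes classifier, the first of the four listed, written from scratch in Python and run through the three-step procedure above on constructed account features of the kind the article mentions. The feature names, values and labels are assumptions for illustration, not a real dataset.

```python
# Added example, not code from the article: a Gaussian Naive Bayes classifier
# trained on constructed, hand-labelled account features (posting rate,
# friend requests, login IPs, account age) and checked against held-out data.
import math

# Feature order for every sample. All numbers below are constructed for
# illustration, not taken from any real dataset.
FEATURES = ["posts_per_day", "friend_requests_per_day", "request_accept_ratio",
            "distinct_login_ips_30d", "account_age_days"]

# Step 1: labelled data. label 0 = genuine account, label 1 = fake account.
TRAINING = [
    ([2.0, 0.3, 0.80, 2, 900], 0),
    ([1.5, 0.2, 0.90, 3, 1200], 0),
    ([0.5, 0.1, 0.70, 1, 400], 0),
    ([3.0, 0.5, 0.85, 2, 2000], 0),
    ([1.0, 0.2, 0.75, 2, 650], 0),
    ([40.0, 25.0, 0.10, 12, 5], 1),
    ([55.0, 30.0, 0.05, 9, 3], 1),
    ([30.0, 18.0, 0.15, 15, 10], 1),
    ([60.0, 40.0, 0.08, 20, 2], 1),
    ([25.0, 12.0, 0.20, 8, 7], 1),
]

# Held-out accounts with known labels, used to compare against known data.
HOLDOUT = [
    ([1.2, 0.25, 0.80, 2, 800], 0),
    ([4.0, 1.0, 0.60, 4, 200], 0),
    ([45.0, 20.0, 0.10, 11, 4], 1),
    ([20.0, 10.0, 0.25, 6, 15], 1),
]


def fit(samples):
    """Step 2: learn the class prior and per-feature mean/variance per class."""
    by_class = {}
    for x, label in samples:
        by_class.setdefault(label, []).append(x)
    model = {}
    for label, rows in by_class.items():
        n = len(rows)
        means = [sum(r[i] for r in rows) / n for i in range(len(FEATURES))]
        # Small additive smoothing keeps a feature that is constant within a
        # class from producing a zero variance and a division by zero.
        variances = [sum((r[i] - means[i]) ** 2 for r in rows) / n + 1e-6
                     for i in range(len(FEATURES))]
        model[label] = {"prior": n / len(samples), "mean": means, "var": variances}
    return model


def log_scores(model, x):
    """log P(class) + sum_i log N(x_i; mean_i, var_i), one score per class."""
    scores = {}
    for label, params in model.items():
        s = math.log(params["prior"])
        for xi, mu, var in zip(x, params["mean"], params["var"]):
            s += -0.5 * math.log(2 * math.pi * var) - (xi - mu) ** 2 / (2 * var)
        scores[label] = s
    return scores


def predict(model, x):
    """Step 3: return (predicted label, posterior probability of that label)."""
    scores = log_scores(model, x)
    best = max(scores, key=scores.get)
    top = scores[best]
    # log-sum-exp normalisation so that the class probabilities sum to 1
    total = sum(math.exp(s - top) for s in scores.values())
    return best, 1.0 / total


def accuracy(model, labelled):
    """How often the automated rule agrees with accounts of known status."""
    hits = sum(1 for x, label in labelled if predict(model, x)[0] == label)
    return hits / len(labelled)


if __name__ == "__main__":
    model = fit(TRAINING)
    for x, label in HOLDOUT:
        guess, p = predict(model, x)
        print(dict(zip(FEATURES, x)), "known:", label, "predicted:", guess, f"p={p:.3f}")
    print("hold-out accuracy:", accuracy(model, HOLDOUT))
```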

The availability of known, diverse data is therefore equally important when designing a detection and prevention system. One such dataset is available here: https://www.kaggle.com/bitandatom/social-network-fake-account-dataset. To increase accuracy, it is better to obtain data from the targeted geography and demographics.

(This blog was originally written by me @ https://komunity.komand.com/learn/article/sybil-attacks-detection-and-prevention/)

All you wanted to know about 2 Factor Authentication.

By | Information | No Comments

(This blog was originally written for Bangalore Mirror  – http://www.bangaloremirror.com/bangalore/others/Two-factor-authentication/articleshow/52169477.cms with Kiran Jonnalagadda and Beli Bopaiah)

Anyone who’s been alive long enough will remember the act of locking their desk drawer (or briefcase) with a shiny metal key. Today they’d store virtual files on a laptop – and instead of a keyhole, they’d be confronted with a ‘login screen’ with a little rectangle indicating where they could type in their ‘password’ – a secret word that they’ve memorised.

The problem with having a secret word is that we all live in fear of picking a word so secret, we forget it ourselves. So we take shortcuts. We write it down on a little piece of paper conveniently within reach. We use the same password on multiple websites. We use the name of a person we care about. Or – and this happens a lot – we simply use the word “password”. Clever, huh?

[image: pic credit Bangalore Mirror]

The problem with this approach is that anyone can write a little program to run through all the words in the dictionary (or a baby names list) and try them one by one until they crack your password. This kind of thing is trivial for the average computer, taking mere minutes to run through hundreds of thousands of word combinations. This is called a “brute force attack” because it uses nothing more than a computer’s ability to do repetitive tasks, trying all possible passwords.

What if you were smart enough to use nonsense words and symbols? Congratulations, your password is indeed better. But you’re no longer like the average person who isn’t so careful, and this is a problem if you manage IT security at a bank and a customer is on the phone sobbing about all their money disappearing from their account.

Password theft happens in many ways, and using a difficult password won’t protect you all the time:

  1. Shoulder surfing, in which someone watches over your shoulder while you’re typing an ATM PIN (or in similar public situations).
  2. Vishing: a caller claiming to be from the bank dupes victims into revealing their passwords.
  3. Phishing: links sent over email or SMS lead to a perfect impersonation of a target website (banking, email), duping people into entering their password.
  4. Keyloggers: a “virus” or malware infecting a victim’s computer captures keystrokes (including passwords) and sends them back to its masters.
  5. Man-in-the-middle attack: an entity (most often software) eavesdrops on and modifies traffic at any point between your device, your WiFi router and your ISP. If you bought a WiFi router and installed it without changing the default password, chances are it’s already infected by someone accessing it over the internet, and now it’s spying on you.
  6. Man-in-the-browser attack: a man-in-the-middle attack conducted by malware infecting the victim’s web browser, usually because you installed a browser extension that claimed to give you extra smileys or emoji.

Security professionals have known for a while that passwords are too hard for the average user, a lot harder than telling someone to be careful with their keys. What if a password could be more like a key, something you have rather than something you know? Or better, use both?

This is the idea behind “two-factor authentication”, where you prove your identity to a service provider by demonstrating both that you know your password and that you have some kind of physical object that no one else has. The question is, exactly how does a website verify that you currently possess some physical object? Maybe if your computer can somehow communicate with it?

Everybody has a mobile phone these days, and every mobile phone is capable of receiving an SMS, so what if the service provider sent you an SMS and asked you to type back the number received? This is the idea behind the “One Time Password” or OTP SMS your bank sends when you do a financial transaction.

Mobile phones are a recent phenomenon, but the idea of using a physical object has existed for decades, and the industry has come up with many ways to do this, some of which are superior to an SMS, although at additional cost.

Let’s look at the sort of things you can have:

  1. You have a phone and it’s capable of receiving an SMS. The service provider sends you an SMS with an OTP. Almost everybody has an SMS-capable phone, so this is by far the most common mechanism. However, sometimes the network is congested and your SMS doesn’t arrive on time. Since it’s transmitted over radio, anyone with the appropriate radio equipment sitting anywhere in your neighbourhood can also receive it, just like in a spy thriller. Unlikely to happen to you, but you never know.

  2. Remember the discussion we had in the last column about how encryption works? Your bank now sends you a little device (like an RSA SecurID) that displays a number that changes every minute. The number is based on an encryption algorithm for which the bank already has the secret key. When you type the number into the website, they know you’re now in possession of this little device, and it doesn’t depend on an SMS arriving on time. This is called a “Time-based OTP” or TOTP because the constantly changing number is based on the current time, and both the device and your bank’s servers are set to the same time. If an attacker somehow manages to steal a number from you, it’s only good for the next one minute. They can’t predict what the next number will be.

  3. That little device your bank sent you is a small computer powered by a watch battery. Your phone is also a computer that can keep time, so why can’t your phone do the same thing? Download the Google Authenticator or Authy apps from your phone’s app store. They work with many websites including Gmail.

  4. While Google Authenticator and Authy are very convenient, your bank doesn’t support them. They insist on an SMS or their own hardware dongle. If you operate multiple bank accounts, pretty soon you’ll have a bagful of these devices. To get around this problem, several companies joined hands to form the FIDO alliance and agree on common standards, so you can use one device with multiple service providers.

  5. There’s another problem with TOTP, whether you use a physical device or your phone. You went to your bank’s website and entered the number, but is it really your bank’s website? Is that URL saying ICICI or 1C1C1? The number ‘1’, uppercase ‘I’ and lowercase ‘L’ all look similar, so if you’re not in the habit of looking at the letters carefully, you may not even notice. The FIDO alliance decided to solve this problem with their “universal 2-factor” (U2F) specification, a hardware key that you must plug into your computer. If you use the Chrome browser, it automatically recognises this security key and will ensure you don’t accidentally enter a code into the wrong website. Firefox and others plan to add support soon. Yubikey is a popular brand. The company that makes them recently gave away 500 keys at a conference in Bangalore, so chances are there’s someone around you who already has one.

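As an added example (not code from the column, nor from any bank’s token or authenticator app): the HOTP and TOTP computation that such devices implement, as standardised in RFC 4226 and RFC 6238, together with the check the bank’s server runs, including the one-window expiry described in item 2 above. It uses the RFC’s published test secret; a real token has a random per-user secret, and the one-minute device in the text corresponds to a 60-second step here.

```python
# Added example, not code from the column or from any bank's device: HOTP
# (RFC 4226) and TOTP (RFC 6238) in pure Python, plus the server-side check.
import hashlib
import hmac
import struct
import time

# The RFC 6238 test secret (ASCII "12345678901234567890"). A real token holds a
# random per-user secret shared only between the device and the server.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: HMAC-SHA1(secret, counter), dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of the last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based OTP: the HOTP counter is the number of `step`-second windows
    since the Unix epoch, so device and server only need synchronised clocks."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret, submitted, unix_time, step=30, digits=6, window=1):
    """Server side: accept the current window and `window` neighbours on each
    side to tolerate clock drift, comparing in constant time. Returns the
    matched counter, or None if the code is wrong or has expired."""
    counter = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), submitted):
            return counter + delta
    return None


class TotpVerifier:
    """Per-user verifier that also refuses replay: a code that was stolen and
    submitted again within its window is rejected once it has been used."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1

    def check(self, submitted, unix_time):
        matched = verify_totp(self.secret, submitted, unix_time,
                              self.step, self.digits, self.window)
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    now = int(time.time())
    # A token that changes every minute, as described above, uses step=60.
    print("60-second code right now:", totp(RFC_TEST_SECRET, now, step=60))
    print("RFC 6238 vector, T=59, 8 digits:", totp(RFC_TEST_SECRET, 59, digits=8))
```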

Several companies have made it mandatory for their employees to use U2F keys, and you should consider using one too. Because it’s a public standard, any U2F key will work with any website that supports the standard.

At the very least, turn on SMS or TOTP-based authentication using your phone on all the websites you use frequently. Here’s a good list of websites where you can use them: https://twofactorauth.org
This may just save you from losing your entire digital identity one day.

Bollywood Scandal with a Technology Twist !!

By | Cyber Bullying | No Comments

As a person who deep dives into hard tech such as networks, never had I imagined that I would concern myself with a celebrity scandal. But here I am, curiously following up and getting annoyed to no end by the technology inaccuracies being reported in the media about the infamous Kangana Ranaut and Hrithik Roshan saga. For the uninitiated, a top Bollywood actress (Kangana Ranaut) has accused a top star (Hrithik Roshan) of publicly circulating personal information shared over private emails. He counters that the email is an impostor account. One can read all about it in various tabloids, but in this article we will be in “Sheldon Cooper mode” and focus on the tech part.

So first things first, the alleged crime (committed both for the impostor if any or the accused), is defined in IT Act 2008 (http://www.cca.gov.in/cca/?q=it_act_amendment.html) which clearly states the transmission of such personal images is punishable by imprisonment of .  Below is the relevant excerpt,

…………………..

66E. Punishment for violation of privacy. (Inserted vide ITA 2008)
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.
Explanation. – For the purposes of this section —
(a) “transmit” means to electronically send a visual image with the intent that it be viewed by a person or persons;
(b) “capture”, with respect to an image, means to videotape, photograph, film or record by any means;
(c) “private area” means the naked or undergarment clad genitals, pubic area, buttocks or female breast;
(d) “publishes” means reproduction in the printed or electronic form and making it available for public;
(e) “under circumstances violating privacy” means circumstances in which a person can have a reasonable expectation that — (i) he or she could disrobe in privacy, without being concerned that an image of his private area was being captured; or (ii) any part of his or her private area would not be visible to the public, regardless of whether that person is in a public or private place.
Punishment for publishing or transmitting obscene material in electronic form (Amended vide ITAA 2008)
Whoever publishes or transmits or causes to be published in the electronic form, any material which is lascivious or appeals to the prurient interest or if its effect is such as to tend to deprave and corrupt persons who are likely, having regard to all relevant circumstances, to read, see or hear the matter contained or embodied in it, shall be punished on first conviction with imprisonment of either description for a term which may extend to two three years and with fine which may extend to five lakh rupees and in the event of a second or subsequent conviction with imprisonment of either description for a term which may extend to five years and also with fine which may extend to ten lakh rupees.
67 A. Punishment for publishing or transmitting of material containing sexually explicit act, etc. in electronic form (Inserted vide ITAA 2008)
Whoever publishes or transmits or causes to be published or transmitted in the electronic form any material which contains sexually explicit act or conduct shall be punished on first conviction with imprisonment of either description for a term which may extend to five years and with fine which may extend to ten lakh rupees and in the event of second or subsequent conviction with imprisonment of either description for a term which may extend to seven years and also with fine which may extend to ten lakh rupees.
Exception: This section and section 67 does not extend to any book, pamphlet, paper, writing, drawing, painting, representation or figure in electronic form –
(i) the publication of which is proved to be justified as being for the public good on the ground that such book, pamphlet, paper, writing, drawing, painting, representation or figure is in the interest of science, literature, art, or learning or other objects of general concern; or
(ii) which is kept or used bona fide for religious purposes.

—————-

Now to the email part: how does one establish that a particular account belongs to an individual? It is a hard thing to do, especially if the criminal is tech savvy and has taken a lot of precautions to make sure he isn’t tracked. Leaving aside the non-tech methods that law enforcement officials use effectively, many tools are at law enforcement agencies’ disposal.

The step-by-step process in a typical scenario would be this:

  1. Track the IP address of the email sender: take a copy of the mail’s headers (search for how to get the headers of a particular email; the steps are very simple but differ between providers such as Gmail, Outlook, Hotmail etc.). Run the header through a tracer tool. There are many free Internet tools for this. Some are listed below, purely in the order they show up in Google (it is fairly low-tech, so any one of them is fine).

http://whatismyipaddress.com/trace-email

http://mxtoolbox.com/EmailHeaders.aspx

http://www.traceemail.com/

In some cases you will find the IP address straight away. But nowadays, because of email server proxies, it often traces back to the provider’s location (for example Mountain View for Gmail). However, once law enforcement officials request it, email providers such as Google are obliged to provide the real IP of the end point, and from that the person can be traced (in some cases you may need to get this from the ISP as well).
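An added example, not code from the article or from any of the tracer sites listed: parsing the Received: chain of a mail header in Python to list the IP observed at each hop and pick the earliest one that is not a mail system’s internal address, which is what those header tracers do. The header is constructed and uses RFC 5737 documentation addresses rather than real hosts.

```python
# Added example, not from the article or the listed web tools: walk the
# Received: chain of an email header, hop by hop, and report the IP each
# relay observed. The sample header is constructed (RFC 5737 documentation
# addresses) purely for illustration.
import email
import ipaddress
import re

SAMPLE_HEADERS = (
    "Received: from mx.example.net (mx.example.net [203.0.113.7])\n"
    "\tby inbox.example.org with ESMTPS id abc123;\n"
    "\tTue, 3 May 2016 10:15:02 +0000\n"
    "Received: from mail-relay.example.net ([198.51.100.22])\n"
    "\tby mx.example.net with ESMTP id def456;\n"
    "\tTue, 3 May 2016 10:14:58 +0000\n"
    "Received: from [10.0.0.5] (unknown [192.0.2.44])\n"
    "\tby mail-relay.example.net with ESMTPSA id ghi789;\n"
    "\tTue, 3 May 2016 10:14:50 +0000\n"
    "From: someone@example.net\n"
    "To: victim@example.org\n"
    "Subject: hello\n"
    "\n"
    "body\n"
)

# Addresses a mail server may report for its own internal network; they never
# identify the sender on the Internet, so they are skipped as origin candidates.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hop_ips(received_value: str) -> list:
    """Valid IPv4 addresses in the 'from ...' part of one Received: header,
    i.e. everything before the ' by ' clause, in the order they appear."""
    from_part = re.split(r"\sby\s", received_value, maxsplit=1)[0]
    ips = []
    for candidate in IPV4_RE.findall(from_part):
        try:
            ipaddress.ip_address(candidate)      # drops things like 999.1.1.1
        except ValueError:
            continue
        ips.append(candidate)
    return ips


def trace_received(raw_message: str) -> list:
    """Observed IP per hop, origin first. Every relay prepends its own
    Received: line, so the bottom-most header is the one nearest the sender.
    When a hop lists several addresses (the client's claimed address and the
    one the relay actually saw), the first non-internal one is kept."""
    msg = email.message_from_string(raw_message)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        ips = hop_ips(value)
        public = [ip for ip in ips if not is_internal(ip)]
        hops.append(public[0] if public else (ips[0] if ips else None))
    return hops


def origin_candidate(raw_message: str):
    """Earliest non-internal hop. For webmail this is usually the provider's
    own server, so the real endpoint must then be requested from the provider."""
    for ip in trace_received(raw_message):
        if ip is not None and not is_internal(ip):
            return ip
    return None


if __name__ == "__main__":
    for n, ip in enumerate(trace_received(SAMPLE_HEADERS), 1):
        print(f"hop {n}: {ip}")
    print("origin candidate:", origin_candidate(SAMPLE_HEADERS))
```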

In some cases, though, the criminal may use spoofing software or desktop proxies that fake the IP address and make it impossible for law enforcement officials and the providers to identify the correct IP. In such cases step 2 is the way to go.

  2. Engage the person and send a spying attachment to the email id.

This needs to be done in collaboration with law enforcement officials. Usually the spying software is nothing but a script which reads more identifying information from the endpoint (laptop, desktop etc.) and transmits it back to the sender. This information can then be used to identify the real person/IP behind the proxies. Many such scripts are easily available online.

  3. Deduction: if enough emails are available, many analytical techniques may be employed to determine the geography, time etc. and match them against the known movements of the accused.
  4. Writing style analysis: this is probably the most technologically advanced but not yet well developed technique. Writing styles can be matched with software to establish the likelihood that the accused sent the email.
  5. Forensic analysis of the devices (provided they are physically intact). Deleting and formatting do not really delete the content, which remains available for recovery by forensic tools.

There are some more advanced techniques based on the content (such as pictures), but that is for another article. In general it is a combination of the steps above that determines the accuracy of the outcome. I am eager to see what they find, with the hope that the media reports it accurately. But most likely this will be an out-of-court settlement, so my tech quest may as well end here.


“Cross the Bridge when it comes” – hurting Digital Consumers ?

By | Cyber Bullying | No Comments

Through this blog I have been suggesting many preventive methods for all sorts of digital usage. However, recent news reports such as this one, http://tinyurl.com/jydguqk, are shaking the foundations of preventive practice by consumers. In this news article many bank account holders were robbed by a hacker diverting money into a wallet. Normally such hacks are done with a mixture of social engineering (fraudsters posing as bank staff and calling consumers for the OTP) and some data gathering. In this case, though, no such effort was made. In the social engineering cases the banks put the burden on the consumers, although in many cases the consumers have no clue about digital awareness. In the latter cases at least there is a bit of solace, as the banks take the burden. Since many systems and disparate companies are involved (laptop providers, internet providers, telecom providers, banks, telecom equipment providers) and the hack could be anywhere, it is easy to pass the buck around.

There are many systemic issues which lead to this state. The general thinking when it comes to security measures is to do the minimum possible to avoid regulatory pressure. For many large corporations, ROI on the investment becomes of paramount importance. Startups are even worse, because traction and growth matter more than the inconveniences of security.

But the most dangerous aspect of this whole thing is the unprecedented growth of digital proliferation without any effort to create awareness about safety measures. Whose job is this? The government’s? The company’s? Or the user’s? The questions to be answered are:

  • Should companies provide a method for opting out of online mode?
  • Should awareness exercises be mandatory?
  • Should there be consumer insurance?
  • Who should carry the burden of proof with respect to hacks?

Hope regulators wake up and provide clarity on this !!

Safety Measures For Online Financial Transactions

By | Cyber Bullying | No Comments

According to the recently released National Crime Bureau Statistics 2015, the number of reported cyber crimes in India is roughly ten thousand, with a conviction rate of 23%. A significant chunk of reported cyber crimes is financial in nature. An interesting but not surprising fact about cyber crimes is that strangers commit most cyber crimes of a financial nature, while the first or second circle of people around the victim often commits cyber crimes of a personal nature. This makes financial cyber crimes harder to defend against and their culprits harder to identify.

Various aspects of financial cyber crimes that are important to consider are:

• The majority of financial crimes are organized crimes, with call centers, sometimes staffed by innocent employees, executing on behalf of crime syndicates. Some of you must have received a series of calls asking you to verify certain details of your credit/debit cards. They claim to be calling either from banks or from contractors of the bank.
• Many are spread globally, so catching them and prosecuting them under the legal framework becomes much harder.
• In some cases insiders at the telcos and banks collude with the criminals, making it much easier to breach the system. Cloned SIMs and calls from inside the bank’s call center numbers are good examples of such failures.
• Even when the culprits are caught, it takes a long time for the legal system to act and get the money back.

Courts in many cases have penalized banks and telcos, and sure enough they have implemented many measures to safeguard against such crimes. Some of the measures are KYC for SIMs, fraud analytics on accounts (detection and prevention of abnormal behaviour in user accounts) and two-factor authentication (two different types of password, to safeguard against any one of them being compromised; it is an additional layer of protection, like a lock that needs two different keys to open).

In spite of these, criminals continue to prosper due to the lack of awareness of many users. Most users fall prey to what is called social engineering: a technique of making people believe they are talking to authentic parties (such as banks) and extracting secret information such as passwords. Some examples of social engineering are:

• A call from someone claiming to be from the bank and asking for your password because of a system upgrade or any other plausible and believable excuse.
• Mails seemingly from banks, such as from “yourbank”@gmail.com, asking you to change your password. Most people wouldn’t notice the change in domain name.
• Fake e-commerce sites that collect card data along with the static PIN.
• Fake ATMs that read the magnetic strips of cards (not possible with the new chip-and-PIN cards).
• In some cases, faked phone calls from relatives asking for passwords and PINs.

No amount of technology measures from the banks and telecoms can safeguard against such things if you, the consumer, become the weakest link. So it is very important for individual users to be aware of these crimes and take precautions. Here are the safety measures to adopt for online banking or any other online financial institution access.

Dos

• Spread your money across multiple accounts.
• Enable all sorts of notifications (mobile, email, slow mail) for transactions. This will help in case of cloned mobiles.
• Use only dedicated private computers (or phones) for online banking.
• Use safe and private networks (strongly secured home WiFi or office WiFi).
• Use strong passwords (not related to date of birth, family members’ names etc.).
• Enable the two-factor authentication provided by banks wherever possible. These are:
o OTP (one-time passwords usually come by SMS, but in some cases smartphone apps are available which display the number).
o Smart cards (specific keys are downloaded to your computer, and any computer that doesn’t have them is blocked).
o Hardware tokens (which display an OTP).
• Use trusted websites and wallets for sharing your banking information.
• Make sure the primary email you use for notifications is protected with two-factor authentication as well. Google Authenticator is a popular choice for many.
• Install a good antivirus on your primary computer and mobile.

Don’ts

• Do not reveal birthdays etc. on public or private social media profiles. Criminals can easily scrape them and use them to gain access.
• Do not install unverified software/apps on your main accounts. Many apps and programs contain malware that can eavesdrop on your transactions; the same goes for many sites on the Internet. If you must, use a virtual box or a different device.
• Do not share your password with anyone on the phone or on the web, for whatever reason. When in doubt, cut the call politely and call back on the institution’s official support numbers.
• Do not use public computers at hotels and airports for any logins.
• Do not use random WiFi/networks (airports, hotels, cafes) for online transactions.
• Avoid unbranded standalone ATM machines, especially in high-risk areas such as some well-known tourist locations (too many to list, so just avoid them).

With increasing technological advances and the immense focus on Digital India, technology is going to be part of every aspect of our lives. While we are instinctively safety conscious, the new technology paradigms are unknown territory to us, so educating oneself on these aspects and taking appropriate safety measures is the best way forward.

So take care and stay safe.

(This blog was originally published @ techinasia https://www.techinasia.com/talk/avoid-financial-scams-fast-digitalising-india)

Someone Spying on Your Phone ?

By | Case Study ! | No Comments

Recently a person reached out to me for a forensic analysis of his phone. Intrigued, I asked him to explain the problem. He didn’t want to discuss it on the phone and asked to meet up. We met in a cafe.

The man (let’s call him K) wanted to know if his phone had been hacked and if someone had accessed his messages. K was not too tech savvy but was well versed with his phone and used typical applications such as WhatsApp, Uber etc. He had not used a password to lock the screen until recently. He wanted to know if someone had copied messages from his phone when he left it unattended.

Now that is a difficult question to answer. Copying can be done in so many ways, and in this context could also mean taking a screen grab with another phone, of which there will never be any sort of valid log. So without a bit more context and detail for this query it would be really hard to investigate.

[image: Théodore Jacques Ralli, Eavesdropping (1880)]

I gently nudged him to share the context for the request so that I could give him the right solution. Here is the story: he was in the process of separating from his wife, and during one of their fights she had threatened him, saying that she had copies of his messages and would show the world the kind of person he is. He was paranoid and suspected that she had installed spying software and would use the messages out of context to malign him.

I took a look at his apps to see if any suspicious software was installed. The Samsung phone had two apps called shareit and shareall-dongle, both used to sync data and files between devices. I asked him if he had installed them; he hadn’t. While these are not necessarily spying software per se, they can be used to siphon data out to another device. Another red flag was the phone being backed up to a Google Drive under an unknown Gmail account. Data usage etc. seemed normal, so any surreptitious data transfer was ruled out. We deleted these and kept the app footprint to a few favourite apps. I also disabled Bluetooth and other connections just to be sure.

Anyway, all these measures are for the future, and we have no way of knowing for sure what happened in the past. The only small consolation is that such illegally acquired messages will not be admissible as evidence. Domestic situations are really complex and can defeat the best security measures.

So if you want to make sure you aren’t being spied on, follow these simple steps. (This isn’t exhaustive and doesn’t cover more sophisticated attacks. A post on that will be put up shortly.)

  1. Check the application folders for any unknown apps.
  2. See if data usage has increased for no reason.
  3. Check whether you are receiving any strange SMS messages (sometimes used to control spying applications).
  4. Check your automatic backup settings.
  5. And finally, keep the screen locked and don’t store sensitive data on SD cards.


Fake Facebook Profile or Any Other Profile !

By | Cyber Bullying, impersonation | No Comments

Recently I met a business colleague for lunch and she recounted a strange incident of an elaborate fake profile on a matrimony site. You also keep reading in newspapers about how a fake profile befriended gullible teens and blackmailed them after collecting a lot of information about them. There are also spammers and financial fraudsters who can gain a lot of information about you by befriending you on Facebook. Even very cautious and otherwise intelligent people sometimes fall prey to this fraud. The culprit seems to be the belief that if you have common friends and the photo looks normal enough, the profile can be trusted.

There are many complex ways of detecting this. For Facebook in particular there are apps which do behavioural analysis and predict whether a profile is fake. These apps are specific to However, one simple way is to do a reverse image check on the profile picture. The process is simple.

  1. Click on the profile pic, then right-click (or ctrl-click, or long-press, depending on the device) and copy the image URL. Alternatively, download the picture.
  2. Go to images.google.com (many other sites work too, but Google is well known).
  3. Click on the camera icon in the search box and upload the profile pic or paste the URL from step 1.
  4. If the search throws up other pics/profiles with different contexts and names, then you know you have a fake profile.

Once that is established, you can report the profile to the website concerned. For Facebook the link is https://www.facebook.com/help/167722253287296; Facebook explicitly states that

We don’t allow accounts that:

Pretend to be you or someone else

Use your photos

List a fake name

Don’t represent a real person

However, given the nature of these fake profile creators, they will come back in other avatars, but at least you have a method of detecting them. One prudent (but conservative) approach in general would be not to add anyone that you haven’t met offline.

Stay Safe !!

Online Safety v/s Social Obscurity !

By | Cyber Bullying | No Comments

Recently we held a session on online safety in an elite school. The session was full of teenagers, bright kids full of mischief and eager to conquer the world. Most of them are avid users of Facebook and some hesitantly admitted to being ethical hackers.

I discussed cyber safety with them; many are aware of the general issues, but the areas that seemed to surprise them were

1. Privacy: Nothing is really private, even if the electronic exchange has happened between two individuals.

2. Legal aspects: Many were unaware of the illegal nature of some things. Many things that they had taken for granted turned out to be illegal.

I spoke to teachers as well; they were concerned about the amount of information that the kids disclose online. It is a thin line here. Many kids feel that they will be cut off from mainstream circles if they don’t behave a certain way. All the trade-offs of offline social life get more highlighted in the online world.

How does one manage the balance in such a scenario? Here is what I told them; take a look at it.

Mobile SIM Cloning fraud, 90# hoax, from +92 numbers

By | Information | One Comment

Today I received a flurry of “WhatsApp” messages, one specifically requesting me to comment on this story that appeared in the Times of India and subsequently got replicated everywhere (http://tech.firstpost.com/news-analysis/do-not-respond-to-calls-from-numbers-starting-with-92-90-or-09-29654.html). In a nutshell, this was a story about a telecom company warning people not to respond to calls from +92 numbers as it would lead to your SIM getting cloned by terrorists.

First, the good news is that this is a hoax (http://urbanlegends.about.com/library/weekly/aa021898.htm). But like all good hoaxes, there is a bit of truth hidden behind technological complexity and a widely held fear of a certain type of criminal (in this case terrorists).

The bit of truth here, as per the “urban legends website”, is that 90# is a code on old PABX systems (private exchanges that some businesses use) to transfer the call and control of it. Once that happens, the caller can dial # to connect to whatever number they like, thus charging these businesses the tariffs for those calls. This is not true for any mobile or cell phone numbers.

Cloning, or more appropriately duplication, of SIMs is still possible, but it doesn’t need access to your phone. You cannot have any control over it either way. This is a headache for the mobile networks, and they need to figure out how to deal with two copies of the same number in their network (and they do have means of identifying the fake ones).

Hoax or fear mongering as it is, this may still have benefited regular folks, as it raises some awareness of phishing frauds and makes people aware of social engineering frauds.

The generic lesson here is:

  • Never respond to unsolicited (not initiated by you) calls from any company or call centre. It is highly unlikely that any company uses this kind of mechanism to get anything done, as the cost of such exercises is very high.

That brings us to the question: why these missed calls (I too have received them in the past)? There are no concrete answers. Most likely it is VoIP-based random dialling to build a database of folks who fall for these (i.e. if you call back and answer any questions).

One form of Email Scam : AFFHA

By | Cyber Bullying | No Comments

Recently we received a mail on our contact form. A gentleman congratulated us on our good work (yay :-)) and enquired about one email that he had received. Quoting from the mail,

“Just today I have received an email for a donation on humanitarian grounds for the website http://www.affha.org/donations.html
Also someone posing as a representative has sent an email about becoming a rice supplier to this organization on a long term basis.
On first look the website appears fine … but when I googled a little I found that there have been rounds of such fake emails going on. (http://blog.dynamoo.com/2013/11/african-development-humanitarian.html)
Can you please help me know whether this organization affha exists or not?”

The answer is obvious. Just mark these mails as spam and ignore them. Do not click on any of the links unless you are in a sandbox.

He seems to be quite clued in and did his research, but there are many people who fall for these scams. If one takes the bait, many things may happen, starting with your donation money going to the wrong folks and ending with you sending your rice (the second bait) to them without getting paid a dime. There are variations of this theme everywhere, and many do fall for it.

The unfortunate part of these scams is that there is no remedy once you get conned. The scammers are spread across the world, and the victim’s country’s law and law enforcement will not reach them at all. The only safe way is not to fall for these in the first place. My heart goes out to the folks who fall for these, typically unaware and probably desperate.