
All you wanted to know about 2 Factor Authentication.


(This blog was originally written for Bangalore Mirror – http://www.bangaloremirror.com/bangalore/others/Two-factor-authentication/articleshow/52169477.cms with Kiran Jonnalagadda and Beli Bopaiah)

Anyone who’s been alive long enough will remember the act of locking their desk drawer (or briefcase) with a shiny metal key. Today they’d store virtual files on a laptop – and instead of a keyhole, they’d be confronted with a ‘login screen’ with a little rectangle indicating where they could type in their ‘password’ – a secret word that they’ve memorised.

The problem with having a secret word is that we all live in fear of picking a word so secret, we forget it ourselves. So we take shortcuts. We write it down on a little piece of paper conveniently within reach. We use the same password on multiple websites. We use the name of a person we care about. Or – and this happens a lot – we simply use the word “password”. Clever, huh?

(Image; pic credit: Bangalore Mirror)

The problem with this approach is that anyone can write a little program to run through all the words in the dictionary (or a baby names list) and try them one by one until they crack your password. This kind of thing is trivial for the average computer, taking mere minutes to run through hundreds of thousands of word combinations. This is called a “brute force attack” because it uses nothing more than a computer’s ability to do repetitive tasks, trying all possible passwords.

What if you were smart enough to use nonsense words and symbols? Congratulations, your password is indeed better. But you’re no longer like the average person who isn’t so careful, and this is a problem if you manage IT security at a bank and a customer is on the phone sobbing about all their money disappearing from their account.

Password theft happens in many ways and using a difficult password won’t protect you all the time:

  1. Shoulder surfing, in which someone watches over your shoulder when you’re typing out an ATM pin (or similar public situations).
  2. Vishing: A caller claiming to be from the bank dupes victims into revealing their passwords.
  3. Phishing: Links sent over email or SMS perfectly impersonate a target website (banking, email) duping people into entering their password.
  4. Keyloggers: A “virus” or malware infecting a victim’s computer that can capture keystrokes (including passwords) and send them back to its masters.
  5. Man-in-the-Middle Attack: An entity (most often, software) eavesdrops on and modifies traffic at any point between your device, WiFi router, and ISP. If you bought a WiFi router and installed it without changing the default password, chances are it’s already infected by someone accessing it over the internet, and now it’s spying on you.
  6. Man-in-the-Browser Attack: A man-in-the-middle attack conducted by malware infecting a victim’s web browser, usually because you installed a browser extension that claimed to give you extra smileys or emoji.

Security professionals have known for a while that passwords are too hard for the average user, a lot harder than telling someone to be careful with their keys. What if a password could be more like a key, something you have rather than something you know? Or better, use both?

This is the idea behind “two-factor authentication”, where you prove your identity to a service provider by demonstrating both that you know your password, and that you have some kind of physical object that no one else has. Question is, exactly how does a website verify that you’re currently possessing some physical object? Maybe if your computer can somehow communicate with it?

Everybody has a mobile phone these days, and every mobile phone is capable of receiving an SMS, so what if the service provider sent you an SMS and asked you to type back the number received? This is the idea behind the “One Time Password” or OTP SMS your bank sends when you do a financial transaction.

Mobile phones are a recent phenomenon, but the idea of using a physical object has existed for decades and the industry has come up with many ways to do this, some of which are superior to an SMS, although at additional cost.

Let’s look at the sort of things you can have:

  1. You have a phone and it’s capable of receiving an SMS. The service provider sends you an SMS with an OTP. Almost everybody has an SMS-capable phone, so this is by far the most common mechanism. However, sometimes the network is congested and your SMS doesn’t arrive on time. Since it’s transmitted over radio, anyone with the appropriate radio equipment sitting anywhere in your neighbourhood can also receive it, just like in a spy thriller. Unlikely to happen to you, but you never know.

  2. Remember the discussion we had in the last column about how encryption works? Your bank now sends you a little device (like an RSA SecurID) that displays a number that changes every minute. The number is based on an encryption algorithm for which the bank already has the secret key. When you type in the number on the website, they know you’re now in possession of this little device, and it doesn’t depend on an SMS arriving on time. This is called a “Time-based OTP” or TOTP because the constantly-changing number is based on the current time, and both the device and your bank’s servers are set to the same time. If an attacker somehow manages to steal a number from you, it’s only good for the next one minute. They can’t predict what the next number will be.

  3. That little device your bank sent you is a small computer powered by a watch battery. Your phone is also a computer that can keep time, so why can’t your phone do the same thing? Download the Google Authenticator or Authy apps from your phone’s app store. They work with many websites including Gmail.

  4. While Google Authenticator and Authy are very convenient, your bank doesn’t support them. They insist on an SMS or their own hardware dongle. If you operate multiple bank accounts, pretty soon you’ll have a bagful of these devices. To get around this problem, several companies joined hands to form the FIDO alliance and agree on common standards so you can use one device with multiple service providers.

  5. There’s another problem with TOTP, whether you use a physical device or your phone. You went to your bank’s website and entered the number, but is it really your bank’s website? Is that URL saying ICICI or 1C1C1? The number ‘1’, uppercase ‘I’ and lowercase ‘L’ all look similar, so if you’re not in the habit of looking at the letters carefully, you may not even notice. The FIDO alliance decided to solve this problem with their “universal 2-factor” (U2F) specification, a hardware key that you must plug into your computer. If you use the Chrome browser, it automatically recognises this security key and will ensure you don’t accidentally enter a code into the wrong website. Firefox and others plan to add support soon. Yubikey is a popular brand. The company that makes them recently gave away 500 keys at a conference in Bangalore, so chances are there’s someone around you that already has one.

Several companies have made it mandatory for their employees to use U2F keys, and you should consider using one too. Because it’s a public standard, any U2F key will work with any website that supports the standard.

At the very least, turn on SMS or TOTP-based authentication using your phone on all the websites you use frequently. Here’s a good list of websites where you can use them: https://twofactorauth.org
This may just save you from losing your entire digital identity one day.

Mobile SIM Cloning fraud, 90# hoax, from +92 numbers


Today I received a flurry of “whatsapp” messages, with one specifically requesting me to comment on this story that appeared in the Times of India and subsequently got replicated everywhere (http://tech.firstpost.com/news-analysis/do-not-respond-to-calls-from-numbers-starting-with-92-90-or-09-29654.html). In a nutshell, this was a story about a telecom company warning people not to respond to calls from +92 numbers as it would lead to your SIM getting cloned by terrorists.

First, the good news is that this is a hoax (http://urbanlegends.about.com/library/weekly/aa021898.htm). But like all good hoaxes, there is a bit of truth hidden behind technological complexity and a widely held fear of a certain type of criminal (in this case, terrorists).

The bit of truth here, as per the “urban legends website”, is that 90# is a code on old PABX systems (private exchanges that some businesses use) that transfers the call and hands over control. Once that happens, the caller can dial a # and connect to whatever number they like, thus charging these businesses the tariffs for those calls. This is not true for any mobile or cell phone number.

Cloning, or more appropriately duplication, of SIMs is still possible, but the criminals don’t need access to your phone for it, and you have no control over it one way or the other. This is a headache for the mobile networks, and they need to figure out how to deal with two identical numbers in their network (and they do have means of identifying the fake ones).

In spite of being a hoax or fear mongering, this may still have benefited regular folks, as it raises some awareness about phishing and social engineering frauds.

The generic lesson here is:

  • Never respond to unsolicited (not initiated by you) calls from any companies or call centres. It is highly unlikely that any company uses this kind of mechanism to get anything done, as the cost of such exercises is very high.

That brings us to the question: why these missed calls (I too have received them in the past)? There are no concrete answers. It would most likely be VoIP-based random dialling to build a database of folks who fall for these (i.e. if you call back and answer any questions).

Banking fraud, illegal transfer of money – some measures!


World over, online banking frauds account for about 50% of all online crimes. To be sure, there are a lot of technology enhancements done by the banks to make online banking safe and secure. They range from high-end two factor authentication to fraud analytics. But it seems like criminals still rule, just by manipulating the human aspects.

Take a look at the story at http://indianexpress.com/article/cities/pune/cyber-crime-in-pune-unsecured-digital-india-dangerous/. In spite of the details, it is still inadequate reporting, as they have only talked about SIM duplication, but most banks also send the alerts by email. Did they hack and divert the emails as well?

A couple of things are important to note in the story:

  • One, there seems to be collusion of insiders; otherwise it would be pretty hard to get a cloned SIM and not have any notification on email.
  • Second, in spite of the police investigation, they aren’t able to trace the main folks behind the heist.
  • The IT secretary has the power to award punitive damages.
  • The legal system can take a long time.

In such cases, how does one defend their money, barring not going for any online accounts at all? Here are some simple non-technology measures.

  • Spread the money across multiple accounts.
  • Enable all sorts of notifications (mobile, email, postal mail) for transactions.
  • Use only dedicated private computers for online banking.
  • Educate yourself on phishing and do not type your password into anything other than a website whose address you typed yourself in the browser.

How to hack? Don’t; for your own sake!!


My SEO person pointed out to me that about 15-20% of the folks who reach our website arrive via keyword searches such as “How to hack FB for free”, “Fake email generator” etc. The demographics put them as young adults. This post is for them.

It is so easy to be tempted by fun and thrill, and swayed by negative emotions such as anger, jealousy and pain. But just pause and think for a moment: is it really worth it? Consider these:

  • It is a crime in most countries and punishable under many new and old laws.
  • In spite of all sorts of technology precautions, it is very easy for law enforcement to retrieve your activities online. Nothing is truly anonymous.
  • The Internet never forgets anything. You are leaving a permanent mark of your criminal activities.
  • It will have a severe impact on your career, social life, your family; in short, life itself.

Check the case below for details of the judgment https://www.argbyte.com/2015/07/cyber-stalking-judgement-details/.

So just don’t. There are many healthy ways of dealing with emotions: talk to your friends, family or a psychologist.

Cyber Stalking Judgement Details !


Recently a techno-legal case made news in Bombay and dealt with online harassment and intimidation. Check the judgement copy here for great information on how the court views these, and some detailed clues on how to go about gathering and providing evidence: Cyber Stalking – Yogesh Prabhu Court Judgement (although it is a legal document, it is surprisingly easy to read).

This case demonstrates a very interesting aspect of how criminals who think they can’t be caught by changing email locations are blind in their belief. It also demonstrates the importance of keeping documents related to any harassment that one receives, so that they can be used intelligently in case of escalation.

Thanks to Advocate Prashant Mali of www.cyberlawconsulting.com for providing access to this document. He opines that only S66E of The IT Act 2000 & S509 of the IPC are applied in this judgement. Sections 67 & 67A are not applied in this case. The specifics applied are:

1. Punishment for violation of privacy of a person under Section 66E of The IT Act, 2000.
2. Word, gesture or act intended to insult the modesty of a woman under Section 509 of the IPC.

Reach out to us (ArgByte) for any technology queries, or Prashant and his firm for any legal aspects.

Tracking an Online Troll !!


We haven’t had a case dealing with an online troll yet!! However, this case we found online is so relevant and sensible that we cannot stop ourselves from linking it. It has abundant information on both the legal and technical aspects of dealing with a troll. Most importantly, it talks in detail about the psychological effects of trolls and how these can be devastating. Finally, there is an interesting twist in the tail, and it seems to be a common occurrence in most of the cases we dealt with as well. Check the blog at http://www.traynorseye.com/2012/09/meeting-troll.html and also the technology feasibility of the same at https://evertb.wordpress.com/2012/09/26/tracking-a-troll/

Based on this blog, Forbes came up with an article which details the steps as well as information on both

1) the law enforcement approach, and

2) the figure-it-out-yourself approach (DIY).

Step 2 is faster and less cumbersome, provided you have some web savvy. Sometimes step 2 may not work, if the criminal is savvy and has taken a lot of precautions himself/herself. But as they say, no one is truly anonymous on the internet.

Who and What of cybercrimes !


One interesting fact that came out of a discussion with a law enforcement official who deals extensively with cybercrime in India is this.

Among the two large buckets of cybercrime, i.e.

  • Financial crimes (illegal gain, greed, fraudulent transfers) &
  • Online harassment

it turns out the first one is largely perpetrated by strangers and syndicates. The second bucket is largely perpetrated by the second circle of folks around you. The second circle involves extended family, colleagues, classmates, neighbours and other sundry folks who co-habit your physical space. That is why it is important at least to figure out “who”, even though what one faces online is probably a trivial issue.

There are also many other interesting statistics on cyber crime in India at http://ncrb.gov.in/. (Check the report of 2013 crimes in India and go to the cyber crime section.)

The trend the world over seems to be similar. The Internet Crime Complaint Center (IC3), a US government body, provides quite telling statistics.

A couple of interesting stats are captured below for quick reference.

(Image: IC3 stats on cyber crime complaints)
So take care and be vigilant and be sure to report rather than ignore.