Are You a Click Away From Getting Conned?

Tales from the Encrypted

Illustration: Juergen Dsouza

Your password must contain at least eight characters, and consist of alphabets, numbers, special characters, two mathematical symbols, an emoji, and must not be the same as any of your 18 previous passwords.

Complicated password rules and invites to play Candy Crush are the bane of the internet experience, but they are here to stay. Many have tried to circumvent these rules with standard extensions to passwords across their accounts. If I had five bucks for every time I saw a password containing @123, or @CurrentYear, I’d be able to retire rich.

As annoying as they may be, password rules exist to keep our accounts, and by extension our money and privacy, more secure. Unfortunately, our temptation for convenience, fuelled by the instant-gratification age of high-definition streaming video and next-day delivery, has spoiled us all to the point of being fickle.

Our callous collective attitude toward security has pervaded our startups as well. As discovered earlier in 2015, security at Indian startups has been about as effective as the ageing security guard at the shopping mall, who runs his scanner over my elbow for a half-hearted second before letting me in. Hotshot companies such as Ola, Zomato, and have seen their systems compromised, with the data of tens of millions of users ripe for the taking, for anyone with the time and inclination. Somewhere out there, an evil sociopath is laughing at my taste in music.

The combined apathy of the average internet user toward his password and the security of the data he will willingly surrender into the safekeeping of less-than-responsible third-party companies is the root of all evil in information security. The choice between “I think I’ll take a chance and register on this website” and “Okay, I’ll just take a regular cab” is an understandable dilemma, and so here are a few lessons I’ve learned along the way to ensure a relatively secure online experience.

One Ring to Rule Them All

In The Lord of the Rings, the dark lord Sauron created many rings of power that bestowed magic abilities to their respective wearers. He also created one ring of power, for himself, that made other ring-wearers his eternal slaves. In 2016, users who have been tempted by a different kind of power at their fingertips – bringing shopping, transportation, communication, and high-definition video at the click of a button – are all bound by their email accounts, to which all these services will obediently send a password reset link, to help their owners gain access to their respective accounts.

Your email account is precious, not because it is coveted by a scrawny anti-social man who lives in a dimly lit room and talks to himself, but because anyone with access to it would effectively have access to nearly every other account you own. In many cases, experienced identity thieves will create auto-delete and spam filters on your account, to ensure that any communication from other services will not notify you of a new incoming e-mail, allowing them to quietly reset your other passwords and take over your life.

Fortunately, securing your email is pretty straightforward. Users with accounts on Outlook, Gmail, Yahoo, and Zoho can enable two-factor authentication, which ensures that you confirm a six-digit code that is sent to your mobile phone via SMS every time you log in to your account. Since users are typically logged in on their personal computers and devices, this is only an inconvenience when logging in from a new location, where your password can be compromised through a host of different methods, as simple as watching you type it on the keyboard, or as complicated as running keystroke recording software on the device you use. If you lose your phone or your number, you can always reconfigure your account accordingly.

In order to log in to your account, a would-be attacker would not only need your password, but also a way to enter the six-digit code sent to your phone. In most cases, this should mitigate nearly every prevailing scenario in which you could have your account compromised.

The 2G scam

SMS/OTP verification systems such as the one described above are relied on for nearly every secure transaction in India. While cellular networks in major metropolitan areas are switching to 3G and 4G, India is still one of the many places in the world where 2G coverage is prevalent across a large section of the country, particularly in areas where a user’s network provider does not have strong coverage. These networks run an old, unencrypted variation of GSM technology that is easily defeated by approximately ₹50,000 worth of specialised hardware placed within a hundred metres of your phone, allowing attackers to intercept incoming calls and SMSes, record conversations, and, to some degree, read internet traffic over 2G.

Unfortunately, from your standpoint there’s little that can be done to protect against this degree of perseverance on the part of criminals, outside of ensuring transactions are only ever performed when your phone is connected to a 3G or 4G signal, and there are no strange men with unusual antennae at the next table at the coffee shop. If you do happen to see me, come say hi.

Came for the WiFi, stayed for the phishing scam

While scouring your coffee shop for men in trench coats operating unusual devices, you probably want to take a closer look at the WiFi that you’ve been using to shamelessly watch YouTube videos for the past hour while sipping the cheapest coffee on the menu very, very slowly.

Traffic transferred between your device and any public WiFi hotspot that doesn’t have a password is visible to all other devices connected to the same hotspot. What this effectively means is that any information transmitted between you and a website or service that is not running over secure HTTPS can be stolen (secure HTTPS is the green lock icon that you sometimes see in your address bar when you visit some websites). Most professional websites run HTTPS, so the risk of being compromised in this way is relatively small. However, access to your account at a small startup, a work-related website or any other service not running HTTPS can easily be intercepted by someone else at your location.

Additionally, it’s common for criminals to “stake out” an airport lounge or café by setting up their own free WiFi hotspot that presents you with a fake login screen for popular websites such as Gmail, Facebook, Outlook, Yahoo, etc., which you may hurriedly type your password into without checking for the green lock icon, because you don’t want the nosy moustachioed man sitting next to you waiting for his flight to notice that your password is gmail@2017. There’s also the possibility that the fake WiFi page could trick unsuspecting users into downloading malware in the guise of special software needed to enable free access.

As with any other way of having your password compromised, this sort of vulnerability can be guarded against by adopting the two-step/OTP-based login method described earlier. In general, however, it’s probably always a good idea to be wary of free public WiFi hotspots while accessing or submitting any personally identifying data online.

Following these suggestions might not be enough, but it’s a good start, since to an extent we’re all at the mercy of those to whom we entrust our data. With every passing year, an analysis of our dependence on technology reveals more of who we are to anyone that’s watching. The Google search bar is as close as it gets to a window into what’s in somebody’s thoughts, or in the case of the simple-minded, the Facebook status box. If you’re young enough, the internet probably knows about the first time you fell in love, the happiest and saddest days of your life, every lie you’ve ever told, every secret you’ve ever sworn to keep, and every morbid curiosity you’ve tried to satisfy. As is the case with all things, in more ways than one, in the world of online security the cost of convenience is compromise.

This post is sponsored by Palo Alto Networks.

This is an updated version of an earlier story.