By Sushobhan Mukherjee, Chairman – Infosec Foundation, CEO-Prime Infoserv LLP
We are living in an era of connectivity where smartphones, tablets, computers, the internet, social media, online banking, e-commerce, third-party payment gateways, games, online utility payments, the internet of things and so on touch every aspect of our lives. People have become accustomed to the comfort and convenience that technology brings. With this growing trend of being connected, over the last few years the once-distant talk of “cyber-crime” and “cyber security” has turned into a frightening reality. Whether it is a corporate or a government organisation, all seem helpless to stop intrusion. Cyber-attacks are now a constant item in the news. 90 percent of companies worldwide recognise that they are insufficiently prepared to protect themselves against cyber-attacks, and cyber-crime costs the global economy over US$400 billion per year.
Cyber security is a serious challenge and concern across the globe. It can be defined as achieving a minimum baseline of basic security criteria, including:
- Assuring “Confidentiality” of all data;
- Maintaining “Integrity” of all data and infrastructure;
- Assuring “Availability” of services in desired quality parameters;
- Assuring protection of “Privacy”;
- “Non-repudiation” of person and/or transaction;
- Maintaining “Incident response” with defined service level parameters; and
- Availability of “Customer protection functionalities” in end-to-end IT infrastructure.
We regularly read of cases of data theft, hacking, loss of money, software malfunction, hardware malfunction, data centre outage, denial of service, delays, etc.
Internet banking applications are often not tested for many customer-oriented risks and vulnerabilities, such as (but not limited to) man-in-the-middle attacks, malware, business intelligence, information leakage, etc. In some cases even very basic requirements are missing: for example, SSL/TLS is not used; password storage in the browser is not blocked; auto-complete is enabled; cookies are not marked secure; security patches are not applied; to name a few from a long list. The presence of security vulnerabilities such as SQL injection, cross-site scripting, CSRF, an unsafe transport layer, session hijacking, etc. is another major concern. These vulnerabilities are the attacker's gateway to compromising user demographic, logon and transaction data. Any such compromise violates the basic cyber security criteria of confidentiality, integrity, privacy, etc. and exposes the citizen to the risk of various losses, including (but not limited to) financial, regulatory, credibility, image and identity hijacking. Very few web portals are rigorously tested for cyber security vulnerabilities.
In light of these circumstances, here are some quick tips:
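The basic hygiene failures listed above (no TLS, session cookies without the Secure and HttpOnly attributes, no HSTS, password fields that the browser is allowed to store) can be checked statically from a captured login-page response. The following Python script is an added example, not code from the article; it does not contact any server. The URL, the two HTTP responses and the cookie name are constructed for illustration, with a weak and a hardened variant side by side.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a login page served over plain HTTP with weak settings.
WEAK_URL = "http://bank.example/login"
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<form method='post' action='/login'>"
    "<input type='text' name='user'>"
    "<input type='password' name='pass'>"
    "</form>"
)

# Constructed sample: the same page with the corrected settings.
HARDENED_URL = "https://bank.example/login"
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n"
    "<form method='post' action='/login'>"
    "<input type='text' name='user' autocomplete='username'>"
    "<input type='password' name='pass' autocomplete='off'>"
    "</form>"
)


def split_response(raw):
    """Split a raw HTTP/1.1 response into [(header-name, value), ...] and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def check_login_page(url, raw_response):
    """Return a list of hygiene findings; an empty list means nothing was flagged."""
    findings = []
    if urlsplit(url).scheme != "https":
        findings.append("transport: page not served over HTTPS")
    headers, body = split_response(raw_response)
    if not any(name == "strict-transport-security" for name, _ in headers):
        findings.append("transport: no Strict-Transport-Security header")
    for name, value in headers:
        if name != "set-cookie":
            continue
        cookie = value.split(";")[0].split("=")[0]
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cookie}: missing Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie}: missing HttpOnly attribute")
    # A password field without autocomplete=off invites the browser to store it.
    for tag in re.findall(r"<input[^>]*>", body, flags=re.IGNORECASE):
        is_password = re.search(r"type=['\"]?password", tag, re.IGNORECASE)
        opted_out = re.search(r"autocomplete=['\"]?(off|new-password)", tag, re.IGNORECASE)
        if is_password and not opted_out:
            findings.append("form: password field allows browser autocomplete/storage")
    return findings


if __name__ == "__main__":
    for label, url, resp in (("weak", WEAK_URL, WEAK_RESPONSE),
                             ("hardened", HARDENED_URL, HARDENED_RESPONSE)):
        print(label, check_login_page(url, resp) or "no findings")
```

Run against a real response, the weak sample produces five findings and the hardened one none. Treat the autocomplete result as a hygiene signal rather than a control: modern browsers largely ignore `autocomplete=off` on password fields, so the transport and cookie findings are the ones that matter most.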
Password Policy
Never use the same password more than once
Many of us are guilty of having used the same password for every account for years and, even worse than that, the 25 most common passwords include “123456”, “password” and “abc123”. The best way to keep your online accounts – from your internet banking to social media – secure is to never use the same password more than once.
Create a different password for each online account that you have and store them in a password manager. There are many excellent free options, such as LastPass, LogMeOnce, Dashlane, 1Password and KeePass. They take the hassle out of creating strong passwords and remembering them. This matters because people tend to use simple passwords (made of words and numbers) and reuse the same password on multiple websites; if one site gets hacked, there is a real chance that all your logins will be compromised.
Once you’ve set up a secure set of account logins make sure you don’t share your passwords with anyone.
Access Policy
On a feature-rich (smart) mobile phone, installing almost any app will ask you for nearly every permission, such as: (a) take pictures and record videos; (b) read, add and modify contacts; (c) approximate and precise location; (d) record audio; (e) read phone status and identity; (f) directly call phone numbers; (g) read, receive, send and view your SMS and MMS; (h) read, modify or delete contents on your SD card; (i) full network access; (j) activity recognition; (k) control vibration; (l) run at startup; (m) view network connections; (n) control NFC; (o) install shortcuts; (p) receive data from the internet; (q) read Google service configuration; (r) prevent the phone from sleeping; (s) measure app storage space; (t) change audio/video settings; (u) pair with Bluetooth devices; (v) view and connect to Wi-Fi networks; (w) change network connectivity; (x) send sticky broadcast. Most apps ask for all or most of these permissions, and the user, without reading and understanding them, grants them all. The choice is either to install the app with those permissions or to forget it.
Now, in some operating systems, the user has the option to deny certain permissions. But very few citizens are aware of it, and even then there is no guarantee that the app is not reading the data after the permission has been switched off.
Further, many apps also read data that is not covered by the permission list. This includes (but is not limited to) (a) reading data from buffer/cache/RAM; (b) specifically reading authentication data (user ID and password); (c) sending data to a defined IP address/server; etc. There is no check, control or regulation over this tendency.
Given all the above permissions and data reads, on a mobile phone, especially a smartphone, the citizen's data is completely exposed. The data used by a payment app, including authentication data (user name, password, etc.), is open to many other apps loaded on the phone that read everything, with permission and even without.
Hence unwanted access should be blocked for applications after installation, or applications/games should be used in disconnected mode (Bluetooth, Wi-Fi and mobile data off) so that the chances of data being sniffed are minimised.
Keep it private
Check the privacy settings on all of your social media accounts so that only the people you want to share your information with can see it. You can restrict what others see about you in the Settings section of your account.
For example, you can make your posts private on Facebook, and restrict what Google can know about you. Use a site like Ghostery to find out what websites are tracking you and easily block them.
Beware of public mobile charging points
It’s possible to hack into a smartphone that is charging via USB in a public place, such as an airport, cafe or on public transport. To avoid being a victim, only plug your phone into trusted computers when using a USB cable.
Deletion of Traces from Old Devices
When you are getting rid of your old computer, simply deleting your data is not enough. Even if you use the format command to wipe the hard disk clean, the data can be recovered using simple, free software. The only way to make sure the data remains inaccessible is to overwrite it with random data. For Windows there is DBAN, which is free for personal use. Other common tools include CCleaner and Eraser. SHREDroid is a similar free app for Android phones.
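The overwrite-before-delete idea above, applied to a single file rather than a whole disk, as an added Python example (not code from the article or from any of the tools it names). It writes random bytes over every byte of the file, forces each pass to the device with fsync, and only then unlinks the file; the sample content and the `demo` helper are constructed for illustration.

```python
import os
import secrets
import tempfile


def overwrite_file(path, passes=3, chunk=1 << 16):
    """Overwrite every byte of `path` in place with random data, `passes` times.

    Returns the number of bytes overwritten per pass. Opening with buffering=0
    and calling fsync after each pass ensures the random data actually reaches
    the storage device rather than sitting in a cache when the file is removed.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())
    return size


def shred_file(path, passes=3):
    """Overwrite the file's contents, then unlink it. Returns bytes overwritten."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written


def demo():
    """Constructed check: create a file, overwrite it, verify the old bytes are gone, shred it."""
    original = b"account 1234-5678 balance 9000 " * 200  # constructed sample content
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    overwrite_file(path, passes=1)
    with open(path, "rb") as fh:
        after = fh.read()
    result = {
        "size_kept": len(after) == len(original),
        "content_changed": after != original,
        "no_trace_of_original": original[:32] not in after,
    }
    result["bytes_shredded"] = shred_file(path)
    result["removed"] = not os.path.exists(path)
    return result


if __name__ == "__main__":
    print(demo())
```

Note the caveat a practitioner needs here: in-place overwriting is reliable on spinning disks, but SSDs and phone flash storage remap writes through wear levelling, so the old blocks may survive an overwrite. On such devices the usual answer is full-disk encryption from day one, followed by destroying the key (a factory reset on an encrypted phone) when the device is retired.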
Security using a VPN
A VPN, or Virtual Private Network, is a way to secure and encrypt your internet connection (whether on a PC or a mobile device) to prevent data from being stolen or accessed while in transit. There are many free VPN services available, such as TunnelBear, VPNBook, CyberGhost and Windscribe. Once you have signed up, they provide full instructions for setting it up on your machine. Opera's free VPN is one option on mobile devices.
Effective Firewalling
A firewall is a piece of software or hardware that blocks unsolicited incoming connections from the public network. Both Windows and Mac OS X have built-in firewalls, and they are up to the task in almost any situation; just make sure they are on and functioning. If you need something more advanced (typically on Windows), check out GlassWire or ZoneAlarm.
Unsecured Wi-Fi Networks
Free Wi-Fi is a tempting offer in coffee shops, restaurants, malls, airports, libraries, hotel lobbies and other public areas. The danger is that attackers target users on these kinds of networks and use software to sniff out passwords and personal data. The firewalls and VPNs mentioned above help by adding an extra layer of security. Other things you can do are to make sure the URL in your browser's address bar starts with ‘https’, and to disable features such as file and printer sharing and network discovery.
Web-Safe Browser Extensions
The web browser is the gateway to the web, and the easiest way to add a layer of security is with an extension. McAfee Secure or WOT (Web of Trust) can be used to get notified about the trustworthiness of a website, which is especially useful if you visit a lot of new websites. Another free extension, HTTPS Everywhere, automatically switches to encrypted connections with many websites. Some other options are Avast, ZenMate and Ultrasurf.
On-The-Move RFID Blocking
RFID, or radio frequency identification, tags are already embedded in many bank cards, passports and even loyalty cards. A lot of the information on them can be read without the user's knowledge: a portable RFID scanner can read the information from a few inches away. These on-the-move attacks can be prevented by using RFID blocking. Options include passport wallets, travel cases, sleeves and backpacks with a special RFID-blocking compartment.
Identifying Fake Call & SMS
This is the easiest thing to do on any mobile phone by setting up Truecaller. Once the app is set up with your phone number and signed in, spam detection can be enabled. It shows information about the incoming call so that it can be accepted or rejected. Truemessenger works in much the same way as the Truecaller widget: simply copy any number and the widget will look it up and tell you instantly.
Use your common sense
If an email offer looks too good to be true, the prices on a website are abnormally low or you receive an unsolicited telephone call offering computer support, it’s probably a scam.
General
- Use two-factor authentication on all email accounts.
- Set an access password (pattern, login ID, swipe, passcode) on all devices.
- Use unique password-reset security questions and keep alternate recovery IDs updated.
- The operating systems of desktops, laptops and mobile devices should be licensed and kept updated.
- Enable remote locate and wipe on your mobile device (Android Device Manager, Find My iPhone).
- Overwrite data on your device to prevent it from being accessed later.
- Use a password manager to take the guesswork out of creating and remembering passwords.
- That's not all. Avoid creating PINs/passwords from names, surnames, dates of birth or anniversaries (yours/parents'/spouse's/children's) and combinations of these, as they can be predicted very easily from your social footprint. Use alphanumeric passwords stitched together with special characters.
- Using benchmarked, standard antivirus (preferably a Total Protection suite) on desktops, laptops, mobiles and tablets is essential. Free or cracked software is to be avoided.
- Any banking/e-commerce site should be used over a secure connection (SSL), i.e. the address should show “https://” instead of “http://”.
- Avoid saving online banking, e-commerce and mail passwords for convenience.
- Passwords are not to be kept in writing anywhere in any form (not Word, Excel, cloud, printed paper or handwritten paper).
- Any non-standard games/applications are to be avoided, as many applications are built to sniff data.
- The latest smartphones/tablets have an application control mechanism. Block unwanted access by every application (e.g. contacts, SMS, camera, whatever is not relevant to that application).
- Any information related to passwords or PINs is not to be sent through mail, WhatsApp, etc., since that leaves a stored copy that can be recovered later.
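The password rules in the Password Policy section (never reuse, avoid the most common passwords) and in the list above (no names or dates, alphanumeric plus special characters) can be enforced with a single checker. The Python below is an added example and not code from the article or from any password manager it names; the short common-password set, the `SAMPLE_PROFILE` of a fictional user "Priya", and the salt are all constructed for illustration. Reuse is detected by comparing a salted PBKDF2 hash of the candidate against hashes of the user's earlier passwords, so the checker never has to store old passwords in clear.

```python
import hashlib
import re
from datetime import date

# Constructed sample of commonly leaked passwords; the article names the first three.
COMMON_PASSWORDS = {"123456", "password", "abc123", "qwerty", "111111", "letmein"}

# Constructed fictional profile and salt, used only to exercise the checker.
SAMPLE_PROFILE = {"names": ["Priya"], "dates": [date(1990, 7, 21)]}
SAMPLE_SALT = b"constructed-salt-not-for-production"
MIN_LENGTH = 12


def password_hash(password, salt):
    """Salted PBKDF2-HMAC-SHA256 digest; only digests of earlier passwords are kept."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def personal_tokens(profile):
    """Strings easily guessed from the user's social footprint: names and date fragments."""
    tokens = {name.lower() for name in profile.get("names", [])}
    for d in profile.get("dates", []):
        tokens.update({
            d.strftime("%Y"),        # 1990
            d.strftime("%d%m"),      # 2107
            d.strftime("%m%d"),      # 0721
            d.strftime("%d%m%y"),    # 210790
            d.strftime("%d%m%Y"),    # 21071990
        })
    return {t for t in tokens if len(t) >= 3}


def evaluate_password(candidate, profile, previous_hashes, salt):
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = candidate.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is one of the most common leaked passwords")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must mix letters and digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain at least one special character")
    for token in sorted(personal_tokens(profile)):
        if token in lowered:
            problems.append(f"contains personal detail '{token}'")
    if password_hash(candidate, salt) in previous_hashes:
        problems.append("already used before or on another account")
    return problems


if __name__ == "__main__":
    history = set()
    for pw in ("password", "Priya1990!!xyz", "Tr0ub4dor&3-horse-battery"):
        verdict = evaluate_password(pw, SAMPLE_PROFILE, history, SAMPLE_SALT)
        print(repr(pw), "->", verdict or "ok")
        if not verdict:
            history.add(password_hash(pw, SAMPLE_SALT))
    # Second attempt with the accepted password is now rejected as reuse.
    print(evaluate_password("Tr0ub4dor&3-horse-battery", SAMPLE_PROFILE, history, SAMPLE_SALT))
```

A password manager performs the reuse check inside its vault, where it holds the passwords anyway; the hash comparison here is what a service or a self-written tool can do without that access. The date fragments cover the formats people most often type; add others if your users write dates differently.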