BY SHWETA PATEL IN MUMBAI: There is a famous riddle shared among generation after generation of us fraud fighters. It goes as follows: If you are being chased by a lion, how fast do you need to run? Answer: Well, you only need to run a little bit faster than the slowest person in the group, so the lion doesn’t get you. Similarly, in fighting fraud, you just need to be less vulnerable than the most vulnerable targets. Hence, while in this part of my educative series I share tips and tricks, stories and nuggets that help you protect your devices, it may not be an exhaustive list. However, it will help you stay way ahead of the vulnerability curve, and thereby reduce your chances of being that easy, low-hanging fruit for hackers and fraudsters, who usually go for the weakest link.
Let me begin with this confession. I have only ever owned iPhones since the beginning of the smartphone age and thought they were invincible, until I read this eye-opening story a while back. Fraudsters in New York City had found a new (though insanely low-tech) way of breaking into iPhones. The fraudsters would befriend unsuspecting victims at a bar and shoulder surf the device passcode, and eventually steal the phone and drain the accounts of the victim that were linked to that device. The worst part was that they could even kick the original user out of their own Apple account. Here is how they were doing it. Once they had the device passcode, they would unlock the device and change the Apple password of the user’s account. They could also turn off tracking on the device. Moreover, with the Apple password and access to other passwords on the device, they had everything they needed to break in (if biometrics were not set up specifically at the app level). The way to protect against this is a few settings changes and setting a screen lock passcode (more on that in the Do’s and Don’ts section below).
The moral of this story is as follows. Even the most secure devices in the world are not immune to theft. Duh! That seems obvious, right? But a lot of the time we cybercrime fighter types are not trained to think about possession as a risk, unlike our physical crime counterparts. We always think of a phone as being an inseparable attachment of the human body. Therefore, “authenticated by phone” assumes that the right person possesses it. Unfortunately, that is a brittle premise, as we saw in the case above.
In the case of thefts, iPhones also give users the additional benefit of tracking the phone’s location even if the phone is switched off, using the ‘Find My’ app with its partnered phones. Now let me share this refreshingly ingenious case study from New Delhi, where the thieves used exactly this feature to trick a victim. ‘Find My’ has an additional feature called ‘Mark as Lost’ that locks the lost device remotely, which the victim had turned on. That feature was supposed to be a security feature, but the threat actors twisted it into an opening to send a phishing message. The victim published the following on his Twitter handle: “After a couple of days, on Monday afternoon I get a message NOT from a mobile number, saying ‘Your lost iPhone 12 Blue has been found and temporarily switched ON. View location …’” followed by the phishing link. He clicked on the link and the prompts asked him to enter his Apple credentials. Like all stressed-out victims, he panicked and quickly dished out his Apple credentials to the scammers on a platter. Very much as expected, the credentials gave the perpetrators access to his now exposed Apple account, and an unknown Windows device promptly logged in soon after.
If you Google the words “Thak Thak gang” you’ll find stories about a gang of four members who were arrested after a string of 40 thefts. Their modus operandi was to first scan the contents of parked cars for valuables, particularly phones and laptops. Then they would smash the windows with a catapult and make away with the booty. Now imagine if someone stole both the laptop and the cell phone: how vulnerable would that leave the victim, especially if the thieves kicked him out of his Gmail, if Gmail required two-factor authentication hooked to that phone and, conversely, the phone’s SIM duplicate request required a code sent to the Gmail? This would be a classic Catch-22.
I remember one time when I was reviewing scam claims, a customer was disputing a charge on a mobile P2P payment. The memo capturing her claim was something to the effect of “My boyfriend took my phone when I was sleeping and made this payment to himself.” Another similar one I recall was when an elderly victim stated that the Uber driver borrowed the customer’s phone and quietly helped himself to a very generous tip that was way larger than the cab fare itself! These are some examples of a very common reason for scam-related claims, underscoring the importance of protecting your physical device. In a recent trend in India, scammers played out a script in which they pretended to be in an emergency, needing to make a call to speak urgently with a relative. They would pretend that their cell battery was dead and borrow an unsuspecting good Samaritan’s phone. But instead of just making a call they would dial the service provider’s dial code for forwarding calls and input their own number behind it. Once this was done, they would claim the call did not go through and then dial a random number a second time and talk. By the time the phone was returned, it would be diverting all the multifactor authentication needed by the scammer. I share these many stories so readers understand the vulnerabilities of handing over a device to a perfect stranger and, more importantly, the context behind some of the Do’s and Don’ts in the closing section.
Let me add a final example of how a phone can be physically (as opposed to remotely) infected with malware, by what is commonly called juice jacking. Picture this. Loose hanging wires of USB cables at an airport, and you are running out of juice at 10% on your cell phone and waiting for an important call. The natural temptation is to charge your phone using the charging port. Hackers use such physical cables to install malware on unsuspecting phones for reasons ranging from data theft (of call logs, GPS location, gallery, passwords, the works) all the way to cloning the phone and taking control of it.
Please note, devices other than phones can also be targeted. In another interesting story, this one I remember reading about in a news article, a certain employee of a British accounting firm was alleged to be running a spying racket targeting Pakistani politicians as a side hustle. It was revealed through a sting operation that this hustler was operating with his team from Gurugram and deploying malicious software that took control of the target’s computer camera and microphones, enabling the spooks to eavesdrop on their victim’s conversations apart from viewing emails etc. This sort of risk of exposure through our devices is not new and was made famous by the legendary Israeli spyware, Pegasus, which used a zero-click vulnerability in messaging applications like WhatsApp, iMessage etc. to control a phone, including turning on its camera and mic to snoop on the designated target. Not just spies; perverts break in too. One UK man from Nottingham was convicted of voyeurism after he confessed to stalking and secretly watching children and adults through their webcams after infecting their machines with remote access trojans, and to stealing explicit pictures of the victims.
In modern times, other than webcams, phone cameras and microphones, one needs to be careful with other hardware like smart devices, which seem to be proliferating everywhere and taking over our lives. One example of that is wearables like smart watches, pedometers and fitness trackers that track how much you run, swim, play tennis or whatever is your jam. These devices carry a lot of your personal data and are always at risk of data privacy infringement, as the wearable manufacturer’s cloud system can be a target for hackers. It is a similar story with IoT devices like smart home appliances, which don’t necessarily come equipped with strong security built in and are easy to hack, although they may be of limited value to hackers compared to, say, a smart watch. While personal wearables like smart watches are harder to access as they require physical proximity, once paired with a smartphone they can leak more confidential data such as emails. The sad truth is anything wireless is hackable.
Here are some Do’s and Don’ts we recommend to protect your devices from becoming easy targets to fraud, hacking, tampering and/or abuse.
- Always invest in a reputed antivirus subscription such as Norton, McAfee, Kaspersky etc.
- Likewise, always keep your apps and OS updated on Android, iOS and your laptop.
- Secure your Wi-Fi by having a complex name and password and selecting the most secure form of encryption such as WPA2.
- Most computers come with a firewall. A firewall is a network security system. Be sure to enable your computer’s firewall. On a Mac you can go to: System Preferences > Security & Privacy > Firewall Tab > Turn on Firewall. On a Windows machine you can go to: Start Button > Settings > Update & Security > Windows Security > Firewall & Network Protection > Choose a network profile > Toggle on the Windows Defender Firewall.
- Get a VPN (Virtual Private Network) to increase your online privacy and anonymity.
- Always hire known and trusted tech support and only call them on known numbers in your records, never through online searches. There are scammers prowling around on the web who will bubble up to the top of your search engine results pretending to be tech support, only to plonk scareware, remote access tools or other malware into a user’s system.
- Check your webcam regularly to see if it lights up while not in use; this could indicate that it has been hacked.
- If you work at public places, it is best to use a privacy screen filter where anyone peeping into your screen from the left or right will only see blackness.
- Always keep your web camera covered physically, or unplug it. There are laptops that come with built in shutters for web cams too.
- Invest in a good antitheft cable or laptop lock to physically secure it.
- Turn on Tamper protection in your Windows Defender by searching defender in the task bar > Windows Security > Virus & Threat Protection > Virus & Threat Protection Settings > Tamper Protection Toggle.
- Regularly run a security scan using your security software or other reputed AV.
- Always have a flip-open folder case or sleeve to cover the front camera of your phone, and place the phone face up to cover the back camera when not in use.
- On your iPhone go to Settings -> Screen Time, turn it on and set a passcode, and make sure that it is different from your device passcode.
- Register online with ceir.gov.in (Central Equipment Identity Register) to be able to block or report your stolen mobile device.
- Before trashing your old laptop, mobile phone, digital copiers, drives etc., make sure to delete the data using software or a factory reset. Before the factory or hard reset, make sure to unpair all your linked devices and remove all the linked accounts and your SIM card from your old phone.
- Always encrypt portable media containing sensitive information for example thumb drives.
- Always set up a partnered phone on your Find My device application.
- Apple users may use an AirTag to track important flash drives and other portable media, physical authentication tokens etc.
- Always add multifactor authentication, and biometric where possible to apps on your device. Do not rely just on the passcode to protect you in case of loss or theft.
- Regularly back up the contents of your phone to the cloud. If you run out of space it is recommended that you buy cloud space, as needed.
- Download apps only from the App Store or Play Store. Never download .apk files from unknown websites or messages.
- For your laptop, using a user account, as opposed to an administrator account, is always a good strategy.
- Always disable Bluetooth on your devices when not in use. Limiting access to Bluetooth makes you much less vulnerable to Bluebugging attacks.
- Note that Airplane mode does not always disable Bluetooth.
- Also disable any file-sharing services that leverage Bluetooth technology, such as AirDrop, until the time you need to share files with trusted persons, and enable them only for the time that you are sharing.
- Disable Wi-Fi completely when not needed. And delete unused Wi-Fi networks.
- Avoid connecting to unknown removable media/flash drives.
- Set your device to lock automatically after 5 minutes.
- On computers always disable extra USB ports that are not required. Such extra ports can be misused for things like hardware keyloggers and go undetected for a very long time if they are stuck at the back of the computer.
- Only use original charging cords and accessories purchased from an authorized dealer.
- Never hand over your devices to a stranger. If they need to use your phone, dial the number before you hand it to them and monitor them the whole time the device is in their possession.
- Never connect to public Wi-Fi networks in cafes, airports, hotels etc.
- Never charge your cell phone in public charging ports. If you absolutely must, turn off the phone while it’s charging.
- Never let anyone shoulder surf your device unlock passcode, or ever share it.
- Never give call log, photo, gallery, location access or other unnecessary permissions to any apps.
- Always disable location tracking, unless it is absolutely critical that your app needs that access. For instance, a Maps and directions app. You can choose the ‘Allow once’ or ‘Allow when in use’ option as needed.
- And finally, never use pirated software, since cracked apps lack vendor support and open you up to a host of vulnerabilities that can turn your device into a malware magnet.
Shweta Patel is a Fraud & Financial Crime Strategy professional from Mumbai, with an MS in Applied Statistics from the Royal Melbourne Institute of Technology. In a career spanning India, Australia and N. America across the banking & finance sectors, she has served across financial products (asset, liability, brokerage/trading & prepaid accounts) while managing fraud losses to budgets and owning end-to-end strategy teams across Fraud Risk and AML & CTF.