Before we start, we forgot to mention this at the seminar, please mail anything to " awareness@dfcsecurity.co.in " to get an automated response with some links with a privacy kit which you should definitely read, and that is not as technical as this post is. Do it now, we will take that email ID down soon.
FOLLOW UP ON CYBER CRIMES AND CYBER FRAUDS AWARENESS SEMINAR.
Thanks to Mr. Zafar Ajmal Kidwai (IPS) SP KPD and Mr. Amandeep Jakhu(IPS) Addl. SP for taking this initiative, we have a long way to go and we will.
Here's some clarification about yesterday's awareness seminar held by Krishnanagar Police District and answer to some question people asked me later, but first of all I would like so say that I am more of a research guy with social anxiety and that was my first stage presentation, but the main problem was we had limited time, that's why I had to brainstorm through some of the key points which finally ended up like an information soup, as the time was limited I was constantly drifting off of my track and topic, that's what caused the confusion among the people.
So the first question we got was, "Can my SIM Card be cloned?"
And the answer is YES, but there is no point in cloning a SIM Card so let's get a bit technical here and see why, First of all, SIM (Subscriber Identity Module) Card has a 64 bit stored data called IMSI (International Mobile Subscriber Identity) and an authentication key. If you put a SIM card in a mobile it sends the IMSI and Authentication key to the nearest cellular tower and the service provider uses a random number and the key to generate a new number and the random number is sent back to the mobile and it binds with the key again and if these two keys add up then "you're connected" now in sim cloning, you need the victim's SIM Card physically to copy the IMSI and Key to a new blank SIM Card, but it used to work in CDMA and in some cases you could use both of the SIMs at the same time, it doesn't work much in GSM and the ICCID of the original SIM card often causes connectivity issues in roaming.
And the answer is YES, but there is no point in cloning a SIM Card so let's get a bit technical here and see why, First of all, SIM (Subscriber Identity Module) Card has a 64 bit stored data called IMSI (International Mobile Subscriber Identity) and an authentication key. If you put a SIM card in a mobile it sends the IMSI and Authentication key to the nearest cellular tower and the service provider uses a random number and the key to generate a new number and the random number is sent back to the mobile and it binds with the key again and if these two keys add up then "you're connected" now in sim cloning, you need the victim's SIM Card physically to copy the IMSI and Key to a new blank SIM Card, but it used to work in CDMA and in some cases you could use both of the SIMs at the same time, it doesn't work much in GSM and the ICCID of the original SIM card often causes connectivity issues in roaming.
Then some people got confused when I forbade them to use NFC enabled Credit/Debit Card but suggested them to use virtual wallets like Google pay, I could not demonstrate how NFC Hacking works on open stage because in the past I have seen cases where some specific crime rate increased after someone demonstrated on open stage and I request all of my fellow cyber security experts and cyber criminals to keep your knowledge to yourself and don't show off like kids, the cyber crime rate has already increased.
Now the NFC, here's the deal with contact less VISA Card, and I am concerned from the day one about this, here I am going to describe why going "card less" is a better idea if you follow these steps.
1. Your Credit/Debit card has an embedded NFC (RFID) chip which typically generates different unique identification code to which theoretically promises security ( but there are some bottlenecks) and usually if you are using that card with a genuine payment portal you have to place the card within 4cm of the device, which also promises security but an attacker uses a high power antenna to sniff one UIC and he can take out up-to 2000 INR without any PIN.
2. If your wallet gets stolen, or if you drop your wallet somewhere, same thing happens, the criminal can spend up to 2000 INR in any departmental store without any PIN.
But in the case of using any wallet like Samsung Pay, Google Pay and Apple Pay is relatively safer, here's why.
Samsung Pay: Samsung pay has NFC and Magnetic Secure Transmission ( which is the most insecure part about it, it simulates the magnetic strip of a card in case the terminal has no NFC.
Apple Pay is the most secure among these as it uses bio-metric authentication if you need to process a payment, and Google pay also needs pin or bio-metric in tap to pay and sometimes it goes crazy and asks for your Google Password which is OK, and Google's Browser payment needs your card's CVV/CVC, and I would always suggest to go for Card Number and CVV Combination instead of Card number and Pin combination in any other payment gateway as well.
So the bottom line is if you secure your phone with a lock screen and don't use any malicious app or watch "educational videos" on your phone which is the worst thing you could do to get your personal stuff stolen, then you are safe, *geek alert* Google Pay doesn't work on Rooted Device (even on systemless root) unless you are an ADB wizard.
Apple Pay is the most secure among these as it uses bio-metric authentication if you need to process a payment, and Google pay also needs pin or bio-metric in tap to pay and sometimes it goes crazy and asks for your Google Password which is OK, and Google's Browser payment needs your card's CVV/CVC, and I would always suggest to go for Card Number and CVV Combination instead of Card number and Pin combination in any other payment gateway as well.
So the bottom line is if you secure your phone with a lock screen and don't use any malicious app or watch "educational videos" on your phone which is the worst thing you could do to get your personal stuff stolen, then you are safe, *geek alert* Google Pay doesn't work on Rooted Device (even on systemless root) unless you are an ADB wizard.
And if you decide to use your card after all that I said, wrap your card with a piece of aluminium foil and you are good to go. Sometimes too much paranoia cause problems, if you call your bank, they might ask last 4-6 digits of your Debit/Credit card for verification purposes, this much information won't cause any damage but try to negotiate by providing other personal information like Name and DOB, they usually ask this if you call to unblock your blocked credit card or activate a new one, and since you are calling them, check the number twice and only call the number mentioned in the back of your card.
Now I want to share a trick where you can feed your curious minds and stay safe from malicious links, most of the criminals out there use bit.ly to shorten a malicious URL, but hold on, you can copy the URL, paste it in the browser and simply place a "+" sign after the URL, it will show the content without opening the link.
And again, some of those "educational video" sites out there used to use ads to generate revenues, but since we use ad blocker they had to find out another way to generate revenue, and not only those sites, if you ever feel like your laptop fan cranked up after you open a site or your phone is heating up, chances are the site is running some JavaScript to mine cryptocurrency using your CPU/GPU power while you are on that site, this is not a potential threat but can cause your laptop/phone battery run out soon and the lifespan of the device also shortens ( I would give a live demo if we hold a seminar next time, and this can even happen if you connect to a random WiFi router and there is an attacker in the same network. Do not connect to any random access point, always use your own WiFi and also check it if someone has broken into time to time.
The last and very important point is, some of you think that if you make an account anywhere and feel threatened you should abandon that account, that's not the way you should handle things, denial is not the key here, if you abandon an old account someone can steal some public data from that account to make a new account and pretend to be you, so I would suggest that you should stay connected at least. Even if someone does such things some of your friends still might identify your real account and aware you about the same.
And do not make an account with a fake name, if someone makes an account with your real name and that person has access to any of your identity card somehow then chances are you'll have to face issues to ban him/her from spoiling your reputation and your real account might also get banned if you can't submit any document that matches the name and any of your pictures, this kind of thing happened before, and real account with fake names are the first target of fake account creator.
And remember, I have personally tried all of the above and these are not just based on theory.
DO NOT POST ANY PHOTO WHILE YOU ARE AWAY FROM HOME, AND DO NOT GEOTAG, THIS IS VERY IMPORTANT, IF YOU ARE AWAY FROM HOME IT CAN CAUSE BREAK INS IN YOUR HOME AND THIS IS A VERY COMMON THING THAT HAPPENS, ALWAYS POST YOUR VACATION PICTURES AFTER YOU RETURN.
There were several questions but I cannot cover them all in the same post, if you have any specific query, please mail me at ceo@dfcsecurity.co.in, and in case of any emergency contact the Police first. And if by any chance your report gets delayed please don't criticize the Police, they are trying their best to protect us all, we are getting so many cases that every single person involved is overwhelmed, and it takes time to wrap each of them properly, give them time, and they will obviously help you.
Agnidhra Chakraborty, (C|EH, ECSA, C|HFI, L|PT MASTER)
CEO, DFC Security.
CEO, DFC Security.