Saturday, April 19, 2014

Alert victim nabs thief using his cloned credit card

Credit card companies send an SMS alert with payment details after each transaction. Quick thinking by a victim who received one such alert for a payment of Indian Rupees 10,000 (200 US) which he had not made, resulted in the capture of a man who used a cloned card to pay for a bill at a popular restaurant. On the receipt of the SMS, the victim searched for the number of the restaurant from an online directory and alerted its manager to the recent fraudulent transaction. The vigilant manager rushed out and nabbed the customer minutes before he was set to board an autorickshaw (tuk tuk) outside the restaurant.

This incident is a motivating example of how a combination of quick thinking and a speedy response can save the day. SMS alerts have proved their usefulness in containing the scale and extent of ATM and credit card crime in India.

Once an alert on a transaction you have not made is received, immediately bar your card to prevent further monetary loss. Take heed, and act quickly.

Sunday, April 13, 2014

Cybercitizens, do you need to be concerned about Heartbleed?


17% of all Internet services and a larger percentage of networking products have had their security systems compromised by a bug in the implementation of encrypted channels; rendering it possible for  attackers to unearth user passwords or read encrypted communications (both current and stored).

From the published list of affected websites on The Heartbleed Hit List, it appears apparent that the bug impacts a wide range of services used commonly by cybercitizens.  Mail, social networks, home networks and financial sites were all exposed to potential malicious activity which ranged from spying to crime. As vulnerable software versions were in use for over two years, the exact impact of its malicious exploitation will never be known.

The obvious assessment is that it was found early by government agencies who kept its discovery a closely guarded secret, using it to decode encrypted channels set-up to ensure privacy and safety: - to read messages, find passwords and so on. Such flaws are typically detected using a type of test tool, commonly used by governments and specialized labs. It is therefore no surprise that the flaw was uncovered by Codenomicon, a security testing tool vendor. If this was true, then the most obvious targets would be political opponents, dissidents, journalists, and others in whom governments have vested interests in.

If cybercriminals were to discover the bug early they would have used it to steal the private keys of large internet service providers, effectively enabling them to fool cybercitizens into thinking that they were communicating with a legitimate service rather than a spoofed site. In such a scenario, cybercitizens may have willingly parted with their credentials and as a consequence incurred a monetary loss.                                                                                 

The bug also allowed attackers to randomly download a small portion of the computer memory, leaking user credentials. I personally think that such random attacks amounting to finding a needle in a haystack would not be profitable. Rather, it would have been very rewarding to sell such an exploit in the underground market to one or many governments.

The bug highlights the helplessness that cybercitizens face as they rely on firms to ensure the proper use of technology to keep the services they use secure. Cybercitizens are truly helpless victims.

Now, that the bug is known, cybercitizens should first check the services they use ensure that they are not currently vulnerable; following which it is important to change passwords.
Ideally, I would have liked to have seen service provider send emails to their users requesting them to reset their passwords.

Wednesday, January 15, 2014

Citizens use spycatching gear to take on corrupt officials


In India’s capital territory of New Delhi, the Aam Aadmi Party (common man’s party) made a spectacular debut onto India’s political landscape with the promise to remove deeply rooted petty corruption, within the administration.

Within days of taking office, the new government installed an anti-corruption helpline to give advice to citizens on how to conduct sting operations on corrupt officials, by recording evidence - either audio or video against the bribe taker. Using the evidence generated from such stings as prima facie proof, the government’s anticorruption bureau would later lay traps to catch these officials red-handed and then arrest them. The prime objective behind this crusade is to strike fear into corrupt officials and minimize corruption.

Within three days, the 23,000 calls received by the helpline amply indicated the extent of the common man’s frustration; and the resultant motivation to turn into anti-graft crusaders. Delhi witnessed a surge in the sales of spy catching devices, for audio and video recording - innocuously disguised into caps, glasses, bags and even water bottles.

While, there may be positive fallouts from reducing corruption, there could be social consequences, if their use impinges onto the privacy of individuals. Spy gadgets, can be used for nefarious purposes such a blackmail, defamation, abuse, and so on. In some cases, the compliant may be malicious motivated and even fudge recordings to defame or entrap honest officials.

Thursday, September 5, 2013

Facebook pays for turning customer actions into advertising endorsements

  
Facebook's model for organic advertising turns Facebook users into endorsers for advertised products through sponsored stories. Sponsored stories are messages coming from friends about them engaging with a Page, app or event that a business, organization or individual has paid to highlight so there’s a better chance people see them.
 
Facebook does not notify users that a simple action such as liking a page would be translated into an endorsement. A cyber citizen would be embarrassed if the liked product was of a personal nature, like a sex toy.
 
A recent court case won by privacy advocates on behalf of an estimated 100 million Facebook users whose profiles were used in sponsored stories has ordered Facebook to pay 20 million dollars in compensation which amounts to 10-15 dollars per litigant. In previous court cases of this nature most of the money went to charities due to the challenges involved in distributing small amounts to a large number of people.
 
Facebook will still be able to use your endorsement in sponsored stories subject to Facebook notifying you as we'll as introducing privacy protections which allow users to specify actions that they would not like to be used as endorsements in sponsored stories.
 
Cyber citizens should be ready to modify their privacy settings and above all should consider the implications of being an unintentional endorser before they like a post or page.