When Trai Chairman R.S. Sharma dared hackers to do him harm by revealing his Aadhaar number on Twitter recently, the online community went into overdrive. The hackers could not do much and Sharma escaped unscathed.
However, you may not be so lucky. Reckless sharing of personal information on social media is just asking for trouble.
You can’t be careful enough. “You need to be paranoid about protecting your personal data,” says Nandan Savnal, MD, PeopleSys Consulting, a cyber security company. This is because data misuse is growing thanks to use of multiple devices and all your critical data, including those of a financial nature, are stored online.
For example, your email account can be accessed from the desktop, laptop, tablet and your mobile phone. A password leak from any one device can compromise your privacy. “The RBI, banks and financial intermediaries can only make the system robust at their end and educate the public. No one can save us if we reveal our own data,” warns Peeush Jain, Head of Retail Banking, Lakshmi Vilas Bank. So what can you do to protect your personal data and, in the process, your money?
Protect your Wi-Fi
In our wired world, most devices are connected through Wi-Fi and protecting the connection should be a priority. The risks are many. Neighbours tapping into your connection and using data at your expense is one. However, the risk quotient rises markedly if financial fraudsters use this route to access your personal data or terrorists use your network for their activities. Some simple solutions can help: switching off the Wi-Fi when not in use, changing the user name given by the manufacturer, setting a complex password and changing it regularly. You can also choose to go invisible.
That way your connection will not show up during a search. But there is a small risk. “Since you are hiding your Wi-Fi from all, including yourself, you could lose your connection if you forget the user name,” warns Savnal.
Free can be costly
Anything free makes us Indians happy, but you need to control your glee when it comes to free Wi-Fi. Most experts advise avoiding public Wi-Fi and using it only when absolutely needed. “Attackers can track the entire traffic in a Wi-Fi zone and spot systems with weak connections. While you may be browsing normally, attackers may be carrying out financial transactions using your device. Anti-national activities can also be carried out from your device without your knowledge,” says Shivangi Nadkarni, Co-Founder & CEO, Arrka, another data protection entity.
So what does one do if there is no option but to use public Wi-Fi? “It is better to install tools like Norton Wifi Privacy that encrypt traffic from your device and make it invisible to others. However, please note that such anonymous users are banned in some countries,” says Savnal.
Guard your devices
The first step is to install high-quality antivirus and anti-malware software. Avoid free software as it could be spreading viruses and malware. “I don’t like anything free. As the saying goes, ‘If you are not paying, you are the product and not the customer,’” says Savnal. Even if you have strong antivirus software in place, you cannot let your guard down. Just like Wi-Fi, the outside world would have access to your Bluetooth. “If Bluetooth is on, anyone near you would have access to your devices. So turn it on only when it is needed,” says Nadkarni. Similarly, there is no need to tell the entire world about your location in real time.
With almost all OTPs now coming to your mobile, protecting that should be your next priority. A complex screen lock can keep your phone data safe for some time even if it falls into the wrong hands. Most devices have in-built cameras that also need protecting. In addition to software-based protections, physically controlling the camera is an option. “I use a black sticker on top of the camera and remove it when using it for video conferencing, etc,” says Savnal.
Choose apps with care
Mobile apps today are many and mostly free and we are only too happy to download them. However, experts advise caution and recommend using the fewest possible as most data is now leaked through these apps. The problem stems from the permissions the apps demand. Most seek access to your contact list, camera, phone, SMS, location, etc. You are also given additional incentives for downloading the apps. Once permission is given, the apps can collect almost all the information you store on your phone. “Our study of 100 apps developed in India and meant primarily for Indian audiences revealed that 31% apps take more than 10 dangerous permissions and shared data with at least one third party,” reveals Nadkarni.
Be choosy when giving permissions to apps
Remove all dangerous permissions physically
* Permission: Calendar
  What it can do: Read and write in calendar
  Potential dangers: Business meeting info can be leaked, even to your competitors
* Permission: Camera
  What it can do: Take photos and videos
  Potential dangers: These apps may also take sensitive photos and videos of you
* Permission: Contacts
  What it can do: Read and write in contacts list
  Potential dangers: You may be compromising details of others in your contact list
* Permission: Phone
  What it can do: Read and write in call log
  Potential dangers: Apps will be able to spy on you through your call detail records
* Permission: SMS
  What it can do: Read and send SMS & MMS
  Potential dangers: Terrorists could use this to send SMS and MMS from the phone
* Permission: Storage
  What it can do: Read, write internal and external storage
  Potential dangers: Becomes easy for apps to store virus-infested files in your storage space
In addition to your own data, these apps also mine other people’s data stored in your phone. “You may be compromising someone else’s data. For instance, assume that you have saved someone’s personal number on your phone and these apps will get it, without that someone revealing it himself,” says Tarun Wig, Co-founder, Innefu Labs. The worrying bit is that this data extraction is legal as of now and will become illegal only after the new data protection law comes into force. The data mined can be used in a good and a bad way. The apps can push advertisements based on what they find in your system.
For instance, if your phone has a lot of photographs of exotic locations stored, the system will assume you like to travel and push advertisements tuned towards it. However, since some of these apps also contain third-party software, they may be extracting other data and there is no guarantee it won’t be sold. While we cannot stop using all apps, we can revoke permission given to them. “Though there is software that tracks permissions given to apps, its security is also in doubt. The best way is to physically remove the permissions to such applications and allow permission only when it is needed,” advises Wig. For example, allow location tracking permission only when you use Google Maps and remove its permission later.
Permissions sought by apps can be misused
Reduce the number of apps and use only the essential ones
* Apps: 29%
  Dangerous permissions: 0 to 5
* Apps: 40%
  Dangerous permissions: 6 to 10
* Apps: 31%
  Dangerous permissions: More than 10
Viruses or malware can also come through attachments, especially in apps like WhatsApp. “Ideally, you should remove the automatic download option on WhatsApp and open only what you are sure about,” says Nadkarni.
Email alert
The first step in guarding your email lies in a strong password that is changed regularly. Second-factor authentication is the next step. “Most emails allow you to set up two-step authentication and everyone should use it,” says Wig. This will send you an OTP every time you try to log in from a new device, thereby reducing chances of hacking. Hackers also try to get hold of your email or device by sending attachments that contain viruses or malware. “Don’t open mails in the spam folder because the mails also can have viruses or malware now,” says Savnal.
Keep your cards safe
The next time you withdraw money from an ATM, watch out for cloning devices. Delhi resident Jyotsna Singh was away in Jaipur in March 2018, when Rs 50,000 was withdrawn from her account through multiple transactions at various ATMs in Delhi. “Since the debit card was in my possession, I immediately alerted the bank and also transferred the remaining money to another account using Netbanking,” she says. An FIR and several interactions with the bank finally got her money back after a few months.
In Pic: Jyotsna Singh, 37, Delhi. Her story: In March 2018, Rs 50,000 was withdrawn from her account through various ATMs in Delhi even though she was in Jaipur and her debit card was with her. As the withdrawals happened late at night, Singh logged into Netbanking and transferred her money into another account before informing the police and the bank the following morning. Her money was reimbursed after a few months.
Further, most debit and credit cards can now be used anywhere in the world, posing its own set of dangers. Transactions worth Rs 1.4 lakh were made with Bengaluru resident Alok Anand’s debit card in Russia during Diwali 2015, even though Anand was at home at that point of time and the card was with him. “I had stepped out on Diwali night for shopping and decided to withdraw some money at an ATM. However, the transaction was declined. After a couple of attempts, I visited another ATM only to meet the same challenge,” he says. He returned home and logged into Netbanking to discover that his card had been swiped for transactions worth Rs 1.4 lakh in St Petersburg. After several interactions and also proving to the bank that he was in India during that time, he got his money back in four weeks.
In Pic: Alok Anand, 47, Bengaluru. His story: Around Diwali, purchases worth Rs 1.4 lakh were made at a POS terminal in St Petersburg, Russia, using his debit card, even though he was in Bengaluru. Though he informed the bank immediately, he had to prove that he was in India when the incident took place before he got his money back.
However, the scars remain. “I feel helpless at times and uncomfortable that it might happen again,” he says. The habit of writing down one’s PIN and keeping it along with the cards can be suicidal. The same goes for revealing one’s PIN to others. “Don’t give your debit or credit cards to relatives or friends as this increases the chance of later misuse. Similarly, don’t give the PIN to the waiter in a restaurant. Ask him to bring the card reader to you or go to the counter yourself,” says Jain.
Several old debit and credit cards still don’t have chips and work on magnetic strips that are easy to clone. “Though the deadline for replacing magnetic strip cards with chip-based ones is December 2018, customers who have strip-based cards should ask their bank to change it immediately,” says Deepak Chandnani, CEO, Worldline South Asia and Middle East. You can also replace your card at regular intervals for greater safety. “I change my credit card every year and don’t mind the small fee I have to pay for it,” says Wig. Another no-no is saving your card details, including the CVV number, with online retailers. “It may be painful to enter the credit card details again and again, but the risk of leaving it out there is very big,” says Wig.
Be wary of calls from banks
Several fraudsters pretend to call from your bank and siphon off your details, which they then use to wipe your account clean. Jaipur resident Bhupender Dagur should know. He had a running home loan account with SBI when someone called him two days before the EMI was due, claiming to be from the bank. He told Dagur that his debit card had been blocked and that would hinder his EMI payment. He asked Dagur for his card details to “unblock” the card.
In Pic: Bhupender Dagur, 50, Jaipur. His story: In July 2016, a fraudster called Dagur two days before his home loan EMI was due, claiming to be a bank official. He was told his debit card had been blocked and that would hinder his EMI payment. Dagur was asked for his card details to unblock the card. In panic, he revealed his card details and within half an hour, Rs 50,000 was debited from his account. He never got his money back.
In panic, Dagur revealed his card details to the caller. Within half an hour, Rs 50,000 had been debited from his account in five transactions. Despite filing an FIR and complaining to the RBI, Dagur could not recover his money. “I am more informed now and will never reveal any details over phone again,” he says.
Shield your passwords
Passwords are supposed to protect us, but the problem is most users don’t know how to protect their passwords. The issue is compounded by the fact that we have multiple bank, investment, mail and social media accounts. Several online portals, ticket booking sites, service providers, etc also insist on a user name and password for ‘better service’. And most of them want these passwords to be complex. “Since it is difficult to remember so much, most people keep simple passwords. This is a high risk strategy because if one such account is hacked, the hacker could have access to all your other accounts,” says Wig. Writing down your passwords in one place is also risky. So memorising all the passwords is the only safe option. If you must write down your passwords, keep the language coded.
Scamsters also try to steal your details through phishing. For example, phishing occurs when fraudsters, masquerading as your bank, send a mail with a link and, when the link is opened, it shows a mirror image of the bank’s website. Since the mail says that you need to log in and do something, you enter your username and password, and these are recorded by the fraudster. “Never click on a bank link that is sent on email. Always go to the bank site directly,” says Rahul Vora, Director & Head, Deposit and Wealth Management, Deutsche Bank India.
Be discreet on social media
Many have the habit of revealing critical data like their date of birth, home or office address, phone number, etc on social media without realising that what you put out on the Internet is permanent. You could delete a social media account, but the details will remain in the backups and can be accessed by hackers. For example, we keep sharing our date of birth with everyone, but it is the ‘second password’ for stock trading accounts in India. It is important for phone banking as well. “Revealing date of birth on social media is a bad habit because the date of birth is one of the criteria banks ask for during phone banking,” says Chandnani.
Revealing personal data on social media can harm you in other ways too. For example, most banks use secret questions and answers for generating a new password or during third party transfers. “These secret questions are designed to have unique answers known only to the customer and they are taking a big risk if they share answers on social media,” says Jain.
Control offline leak
Beware of anyone who approaches you for your details for a ‘lucky draw’ every time you visit malls and conferences. They are data vendors and they make money by selling your details. “No one can save you if you are ready to trade your personal data for lucky draws, cakes, tickets, etc,” says Savnal. Shredding all papers before selling or binning them is another good practice. This is because phone bills, bank statements, boarding passes etc carry a lot of your data. Even the envelope addressed to you contains your name, address and phone number. Throwing them away without shredding can compromise your safety.
A strong intermediary
Your data can also get leaked from financial intermediaries, telecom companies, etc, so only deal with entities that have strong systems in place. Data breach in India is significantly higher than the global average. According to the 2018 Thales Data Threat Report, more than half – 52% – of Indian respondents reported a successful breach during the last year, well ahead of the global average of 36%.