Close encounters of the phishing kind

A couple of tales of real and imaginary phishing attempts on me

Photo by Zab Consulting on Unsplash


Phishing is the term for an attempt to steal our digital info and use it to steal our money. I assume it’s called phishing because it resembles fishing. A bait is dangled before the intended catch with a hook hidden in it. This usually happens in the form of a call or message designed to elicit my user info. I used to think only a fool would fall for such attempts. But a couple of close shaves have made me aware that even the smartest of us can be easily taken for a ride. Let me illustrate with a few incidents where I was the target.

Anyway, it began with this call I got from an unknown number claiming to represent a verification agency for Amazon. He said he was calling to check if I had applied for increasing my credit limit on Amazon Pay. I had done this, so I agreed when he requested me to come on Google Duo (video chat). Once I came on the video chat, the guy, who looked like a friendly sort, held up his visiting card for me to check as proof of his identity. He asked me to hold still for a mug shot and then asked me to hold up my Aadhaar and PAN cards so he could scan them. I did all that he asked without a second thought, and the entire encounter was over in a couple of minutes.

It was only after I put down my phone that I realised what I had just done.

My heart thudding violently, I paced around trying to clear my head. I needed to figure out the ramifications of what I had done, and limit the damage. I knew speed was of the essence. Like if a credit card is hacked, the faster you block it, the less chance the hacker has to run up huge spends on it.

Was something similar possible with my ID cards?

Google directed me to UIDAI, the Indian government site, which lets me lock the usage of my Aadhaar card to prevent biometric verification. There was no such option for my PAN. However, being able to do something instead of nothing, was such a relief that I finally calmed down.

As I began thinking clearly, it struck me that preventing biometric verification didn’t make sense. The hacker doesn’t have my eye scan or my fingerprints, so why block him from using biometric verification with my Aadhaar? However, UIDAI wouldn’t offer this facility for no reason. It could probably be a last line of defense in the remote possibility that the Aadhaar server itself is hacked and all biometric info on it leaked. Or maybe, a thief can steal something I have held in my hands, and pick up fingerprints and use it. Sounded more like a Hollywood movie than real life though. But then, the Indian government does move in weird ways its wonders to perform. And they do do wonders, like when the Indian economy was relatively unaffected in the last giant financial crash when the US economy nearly went for a toss (Grammarly says ‘do do’ is incorrect. I disagree, but will admit I didn’t know it was possible till it typed it. Oops, sorry for the detour.). Anyway, a bit more digging around on the UIDAI site reassured me there was not much a hacker could do with just my Aadhaar card.

Since there was nothing more I could do, I called Amazon, related my story, and gave them the number on which I received the call, as well as the name of the guy, and this supposed verification agency. The Amazon lady put me on hold, and after an agonising five minutes, confirmed the number was genuine, and the agency was indeed contracted by Amazon. It was only then that I stopped sweating.

Much ado about nothing, but it had been a very stressful 45 minutes.

I mention this incident to illustrate how easily even a reasonably tech-savvy guy like me acted like a complete nincompoop and gave away vital info. All the caller had to do was say the right words. In this case, the words were, ‘…in response to my request.’ Most of us have usually requested something or the other, and it’s easy to fall for this con. I think it’s something to do with our human psychology to assume things. This is a favorite tactic of phishers, and I actually know a guy who fell for it and had his bank account cleaned out.

As for real phishing attempts, the first such one happened quite a few years ago around the time banks first started going online in India. Having an ‘early adopter’ mindset, I was quick to hop on the bandwagon. Then one day, I received an email which seemed to be from my bank, asking me to update my info for better service. Seemed a genuine request so I clicked on the link and was taken to what looked like my banking login site. If I had entered my user name and password, the phishing attempt would have succeeded, and the hacker would have been able to access my bank account. However, as I was new to online banking, I was ultra-cautious and always checked the URL on banking sites. So I noticed that it did not display the secure (locked) symbol, and was not https. On taking a closer look, I noticed that though the URL had my bank’s name, it read ‘banknameinfo.com’ instead of ‘bankname.com.’ It was a subtle and almost unnoticeable change, designed to fool a layman.

I went back to check the email that had fooled me in the first place. They had copied the bank letterhead perfectly, complete with logo. Usually, the language of the letter is a giveaway but this one was grammatically correct. Guess it was my lucky day as I was alert enough to spot it at the website level.

Please note this phishing email happened on my Mac. So don’t assume you are safe because you use a Mac. An antivirus may have spotted this mail before I opened it. I learnt my lesson, and installed Sophos on my Mac that very day. Besides, phishers are not the only danger. Malware from emails and websites can install on your machine, and steal your banking info. Better safe than sorry. I must admit my Gmail has grown a lot smarter now. It probably diverts such emails to my spam box, which may be why I rarely see such stuff anymore.

Phishers often try to use new developments to make their pitch credible. An example is the time a few years ago when all Indian banks were required to update their credit cards with the embedded chip technology.

Anyway, I got a call from a guy who claimed to be from my bank. He said I needed to update my credit card with a new chip-embedded card. When I mentioned that my card was already a chip card, he said there was a technical issue with that particular chip, and the card had to be replaced. He then asked me if my card was a Visa or MasterCard, and informed me that the card number would start with 4 if it’s a Visa and 5 if it’s a Mastercard. After thus lulling my worries with his friendly expertise, he casually asked me to read out the remaining digits of my card number. It was only after I had read out the first eight digits that I realised what I was doing. I stopped and asked him why he wanted my credit card number. He told me not to worry as he wasn’t asking for the CVV. But my antenna had gone up. So I deliberately gave him wrong numbers for the remaining 8 digits and googled his phone number while I was talking. It came up flagged as a scam. Meanwhile, the guy wanted me to double-check and read out the numbers again. I insisted it was correct, and told him to come on Skype and read the numbers directly from my card. I’m not sure why I said that but it may have been curiosity to meet a real-life crook. Sadly, it was not to be. Something must have given me away because the guy abruptly cut the call.

So how do we tell when we are being phished? Though they keep changing their tricks, there are some ways to spot a phishing attempt.

Phishers usually try to pass themselves off as being from a company we know or trust. It was a bank with me, but it could also be websites and apps where you make online payments. They often try to con us with a story to trick us into giving them our data, clicking on links or opening attachments. The phisher tried the credit card chip upgrade story with me. Other stories they favor are telling you they’ve noticed some suspicious log-in attempts on your account, or a problem with your payment credentials, or that you are eligible for gifts or refunds. Once they feel they have hooked your attention, they go for the kill, asking you to confirm your personal info or click on a link to make a payment.

It’s been a while now since I have had any such encounters, but I can tell you I’m not missing our friendly, neighborhood phisherman.

Making strong, easy-to-recall passwords

Because sometimes you need a human backup

Photo by Kat Jayne from Pexels

It’s now been a while since I have tapped on the ‘Forgot password’ link. That’s because these days, my iPhone creates complex passwords, stores them on my phone, and recalls them whenever I need them. I wasn’t initially comfortable putting all my trust in machines but was willing to give it a shot.

Turned out it was good in theory, but it can sometimes backfire. Like when my phone charger conked off while I was traveling. If I knew my passwords like I once used to, I could have borrowed a phone for essential communication. I think I did have an option of accessing my password manager online or on public WiFi, but that wasn’t a risk I wished to take. I ended up buying whatever unbranded charger was available in that remote place, and hoping it wouldn’t fry my phone before I got home.

After that incident, I took back control of my passwords, and can now access all my key accounts without the help of my digital assistants. I must admit I’m not one of those guys with a photographic memory. My system only works because I have just a handful of accounts that I rate as key accounts. There’s no way I can memorize and recall more than half a dozen passwords.

Anyway, for unimportant websites or whatever, I will let my iPhone handle the password management. But for more important accounts, though I still depend on my password manager to store all my passwords, I don’t let it create passwords anymore. I do that myself.

Here’s the technique I use to make sure these self-created passwords are hard to crack but easy to recall.

Finding a catchy phrase

I start with a phrase that’s easy to recall. Next, I change it slightly to make it nonsensical and end by encrypting it. The final password has to meet the typical password requirements: at least eight characters, including one uppercase letter, one lowercase letter, one number and one symbol.

Annoyingly memorable

Anyway, I have recently been getting an overdose of this annoying ad jingle repeatedly playing on the kids’ TV channel in India. It ends up with a ditty that goes like ‘Mamy Poko Pants.’ Though it was an irritant, it was also catchy. So I knew it would be easy to recall. However, if I used that phrase as it is, even Google would be able to complete the phrase before I finished typing it.

Making it make sense only to me

As I mulled over what to change it to, an old Hindi song popped up on my phone’s playlist. The song was called ‘Pappu can’t dance, sala.’

Hmm, ‘dance’ rhymed with ‘pants’ so it could replace pants. My kid dances well. Her mother doesn’t. Mamma, mummy, mammy… Mamy can’t dance.

Good recall value, but it didn’t have the rhythm of ‘Mamy Poko Pants.’

Mamy don’t dance. Still not working. The tune sounds closer to ‘Pappu can’t dance.’

Wait a minute, the word for ‘don’t’ in one of the Indian languages is ‘noko,’ a word that rhymes with poko. So we have Mamy Noko Dance.

Sounds good. It syncs perfectly with Mamy Poko Pants. No hacker is going to dream that I used a Marathi word for ‘don’t.’ Better still, it’s grammatically wrong in Marathi, as the correct usage would be ‘Mamy Dance Noko.’ At least, I think so because I don’t really know Marathi, which is again good!

If I can visualise it, I can recall it

The key factor is this password is easy to recall. I have to just picture my wife dancing, and I have a perfect reference photo of that in my mind.

So ‘Mamy Noko Dance’ is our phrase.

Now we need an encryption code. This has to bring in numbers and symbols. We already have letters in upper and lower case.

Amateur coder day: numbers

What I’m going to do is substitute a few characters in my phrase with numbers and symbols according to an encryption rule. As I’m creating this rule, only I will know it.

I consider a number rule that replaces the first letter of every word with its number equivalent from my alphabet code key. This would be the unique sentence with all 26 alphabets, ‘The quick brown fox jumped over the lazy brown cow.’ (T is 1, h is 2, etc.) But it means I lose all my capital letters.

How about if I change only the first word? So ‘Mamy Noko Dance’ becomes ‘19amy Noko Dance.’ I think I can live with that.

Now all that’s missing are symbols.

Amateur coder day: symbols

My symbol rule could be all spaces replaced with symbols in some sequence. The keyboard sequence on the MacBook I’m typing on is ~!@#$%^&*.

I have a feeling that ‘~’ is not present on all keyboards, and may not be accepted. So let’s stick with !@#$%^&*.

Since we have only two spaces, our password becomes 19amy!Noko@Dance.

Amateur coder day: tester

Let’s evaluate it. The disadvantage is the password is not as strong as one generated by a password generator. The advantage is it’s still good enough to be rated as ‘very strong’ by any password analyser. But for me, the real plus is it’s possible for me to actually recall this from memory if I follow my rules.

Let me try.

19amy!Noko@Dance

Got it.

However, it’s not advisable to use one password across all my important accounts. And some sites also insist I change my password periodically.

Life is complicated

This complicates things but again, it’s something I have to live with.

What I can do is have versions of that password running across all accounts. Version 1 uses ! and @ as the symbols. Version 2 uses @ and #. Version 3 uses # and $. Like if I have three email IDs, I grade them as 1,2 and 3, and use those three passwords. After six months, I switch passwords, with version 1 going to email 2, version 2 going to email 3, and version 3 going to email 1.
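To make the rules concrete, here is an added example (not the author’s code) that implements the number rule, the symbol rule and the six-month version rotation from this section in Python. The alphabet key, the symbol row and the phrase ‘Mamy Noko Dance’ are the post’s own; the function names and the policy check are this example’s assumptions.

```python
# Added example (not the author's code): the post's password derivation rules
# and version rotation, written out as functions. Names are assumptions.
import string

# The post's alphabet key: a letter's "number" is its 1-based position among
# the letters of this sentence (T is 1, h is 2, ... so m is 19).
ALPHABET_KEY = "The quick brown fox jumped over the lazy brown cow"

# Keyboard symbol row on the author's MacBook, without the '~' he dropped.
SYMBOLS = "!@#$%^&*"


def letter_number(letter: str, key: str = ALPHABET_KEY) -> int:
    """Return the 1-based position of `letter` in the key's letter sequence."""
    letters = [c for c in key.lower() if c.isalpha()]
    try:
        return letters.index(letter.lower()) + 1
    except ValueError:
        # Assumption: a letter the key lacks cannot be encoded by this rule.
        raise ValueError(f"{letter!r} is not in the alphabet key") from None


def derive_password(phrase: str, version: int = 1) -> str:
    """Apply the post's two rules to a phrase.

    Number rule: the first letter of the first word becomes its key number.
    Symbol rule: each space becomes the next symbol from SYMBOLS, starting at
    an offset chosen by `version` (version 1 uses '!' and '@', version 2 uses
    '@' and '#', and so on).
    """
    words = phrase.split()
    if not words:
        raise ValueError("phrase must contain at least one word")
    first = words[0]
    words[0] = str(letter_number(first[0])) + first[1:]
    offset = version - 1
    needed = len(words) - 1
    if offset < 0 or offset + needed > len(SYMBOLS):
        raise ValueError("not enough symbols for this version and phrase")
    out = words[0]
    for i, word in enumerate(words[1:]):
        out += SYMBOLS[offset + i] + word
    return out


def meets_policy(password: str) -> bool:
    """The typical requirement the post cites: at least 8 characters with one
    uppercase letter, one lowercase letter, one digit and one symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def version_for_account(account: int, period: int, n_accounts: int) -> int:
    """Which password version account `account` (1-based) uses after `period`
    six-month rotations. In period 0, account i uses version i. Each rotation
    moves version 1 to account 2, version 2 to account 3, ..., and the last
    version to account 1, as the post describes for three email IDs."""
    return (account - 1 - period) % n_accounts + 1


def rotation_table(phrase: str, n_accounts: int, periods: int) -> list:
    """One dict per period mapping account number -> password in use."""
    return [
        {a: derive_password(phrase, version_for_account(a, p, n_accounts))
         for a in range(1, n_accounts + 1)}
        for p in range(periods)
    ]


if __name__ == "__main__":
    # Constructed input: the post's own example phrase, three accounts,
    # shown for the first two six-month periods.
    for period, table in enumerate(rotation_table("Mamy Noko Dance", 3, 2)):
        print(f"period {period}:", table)
```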

Every year, I change my catchphrase, and create a new set of passwords for the year.

I have been using a similar system for a few years now, and I haven’t yet been hacked. I do admit that I have sometimes been confused between which of my important accounts was using which version of my password. So I have had to go back to my password manager for help. That only proves it’s good.

Anyway, if like me, you are not comfortable with putting all your passwords in one basket and relying on machines, you can try doing something similar.

Good Luck!

How to face down SIM swappers

Locking your SIM, making your accounts accessible only on your devices, and other ways to avoid SIM swap fraud

Photo by Paul Garaizar on Unsplash

The recent hack of Twitter CEO Jack Dorsey’s Twitter account using a SIM swap fraud has me worried. If a leader of the tech industry can be so easily hacked, how safe is an ordinary layman?

If your money is gone, it may be gone forever

What’s even more worrying is the case of a pensioner in Delhi who had ₹25 lakh or $35,000 stolen from his bank account. He was informed that he’s not entitled to any compensation. According to Indian laws, it seems banks and cellular operators are not responsible for his loss. Indian citizens have lost more than Rs 200 crores ($28 million) in cases related to SIM swap fraud.

Seems like there’s a sword of Damocles dangling over our collective heads, and we are all pretending it isn’t there.

Is there a fix for SIM swaps?

Yes, there is, but India and the US have not implemented it. All the government needs is a rule that bank transfers should not be allowed until three days after a SIM swap. This should be enough time to alert the SIM’s actual owner, as his number will stop working once a fraudulent SIM swap happens. But this can only work if a cellular operator sets up a system to let a bank query phone records for any recent swaps on SIMs associated with a bank account. That way, banks can always check before they allow a money transfer. In fact, many countries in Africa, as well as the UK and Australia, have implemented such systems, and it has reduced SIM fraud massively.

I don’t understand why India is not doing it as we have the tech. If I sign up for a payment app like Google Pay, the app asks for my phone number. Then in a matter of seconds, the app will tell me the name of the bank I have linked my SIM to, as well my bank account number. Now if the banks can share that info with apps, then why can’t operators share info about SIM swaps with banks?

Self-defense is our only defense

I was hoping that the coming of e-SIMs might help us avoid this issue. But they could be just as insecure, and are taking time to go mainstream. Seems it’s up to us to figure out how to take additional precautions if we are forced to use our mobile phones as authentication devices.

You may say you keep very little money in your bank account. But that’s irrelevant. Why should you allow anyone to steal even a penny from you?

Now I’m a layman, and the rest of this post is all that I learned on my own, and the simple steps I have taken to avoid becoming a victim of SIM swapping. If I could do it, so can you.

In the West, SIM swappers are now focusing on crypto currencies

There are quite a few SIM Swap victim stories on the net. I picked this one up because the victim is tech-savvy, and yet was attacked (a crypto attack is similar to a bank account attack as both involve stealing money from online digital vaults). To go straight to his experience, watch from the 3.30 to the 6-minute mark. But the whole video is worth a watch, and his tips on preventing SIM Swap fraud align with mine. What I have done is try to give a total picture of SIM Swap fraud, and illustrate in simple terms, how to avoid getting caught by it. The above video covers the topic in brief. You have been warned;-)

Most of India uses phones to go online

SIM swapping is a serious issue in India as the Indian banking industry mostly uses cell phones as the secondary device for its two-factor authentication system. Like if you want to transfer funds from your bank account, you need an OTP (one time password) that is sent to your phone via SMS. On the surface, it seems a good idea as an OTP changes for every transaction, unlike a banking password which often remains the same for ages.

SIMs are not designed to be security devices

In reality, this system has some serious loopholes, simply because a phone SIM was never meant to be used as a security device.

Let me explain with the analogy of a household safe. The safe has only one door and one key. Unless a thief has that one key, he can’t unlock that safe.

Now imagine if that safe has infinite doors and infinite keys. That’s a SIM. If a hacker successfully does a SIM swap, he can create his own key (an OTP) and use his own door (his device) to enter the safe and steal your money.

Stay away from SIM OTP verification

As a SIM card is insecure by nature, the best way is to totally remove it from anything related to security. For instance, my Gmail used to have my phone number linked to it. This meant that if I forgot my password, Google would send an OTP to my phone, using which I could access my email account. But this also means that a SIM swapper can hack my email with those same OTPs.

So what I did was delink all of my email IDs from my phone numbers. Google no longer gives me an OTP option to access my email. I have instead asked them to rely on verification OTPs generated by my phone (the device itself, not the phone number) and my other emails. More about this later.

India is changing but it will take time

In India, the entire online financial system mostly runs on SIM OTPs, and most transfers from bank accounts have to be authenticated by OTPs.

Fortunately, things are changing. SBI, the country’s leading bank, gives an option of generating OTPs from an app which is linked to your device, and not sent via your SIM. The UPI system of money transfer also avoids SIM linked OTPs in favour of app-generated codes. But a transaction limit of Rs 10000 a month limits the utility of the system, and UPI may have its own issues.

Hopefully, other banks start following SBI’s lead, and SIM OTPs get removed from the financial transaction security loop. But till that happens, we will have to try to minimise the areas in our lives, where SIM based OTPs work.

How is a SIM swap done?

There are many ways a SIM swap fraud can happen. The hacker usually hacks your email or social media like WhatsApp or Facebook to find basic information about a customer like his name, address, phone number, pet’s name, where he studies or works, family details, and important dates (like birth and marriage). After that he uses his hacking skills to get details like your ID, banking user ID and password, and so on. He uses these to create false IDs, get a duplicate SIM card issued from your cellular operator and finally intercept your OTPs. Sometimes a SIM swap can be as easy as bribing someone at your network provider to get access to your details and apply for a new SIM. Hackers have also begun using malware on cellphones to extract user info, or redirect users’ OTPs to their own phones.

Anyway, once the fraudster convinces your operator, they deactivate your existing SIM, and issue a new working SIM with your number to him. The catch is your phone will go dead for a few hours, and this is likely to alert you. To avoid tipping you off, the hacker usually does the process at night, and gives you multiple missed calls in the middle of the night till you mute or switch off your phone, at which point he begins the activation.

The rest is simple. Since the fraudster has already hacked your bank account, he now logs in and initiates a funds transfer to his bank account. The bank sends an OTP to verify the transaction to your phone number. As the fraudster has hijacked your SIM, he gets the OTP, and not you, and he transfers the money out of your account. By the time you realise your phone is dead, your bank account will have been emptied.

So how do you safeguard your SIM?

Multiple locks are one way to stay safe

The obvious thing to do is to make it hard to hack my phone. To continue with the analogy of a safe, I want multiple locks on my safe. So if a hacker opens one of those locks, he will still not be able to open the safe. And that may alert me, and give me time to prevent the theft. So increasing the level of difficulty to hack my phones is essential. After digging around, I figure that there are four increasing levels of security to protect my phone.


Level 1: Locking the SIM

In India, SIM cards come unlocked by default. I don’t really know how effective SIM locking is. But following the principle of ‘Something is better than nothing,’ I decided to figure out how to do it. Here’s what I learnt, and this is only for India. Other countries have similar systems and here’s a sample.

Caution: Before you try locking your SIM, please be aware that a few wrong steps can erase the data on your SIM. In India, if you decide to change your SIM PIN, the networks allow you three attempts to enter the right PIN. If you get it wrong, you get a further 10 attempts to enter the SIM’s PUK number (PIN unblocking key). After 10 wrong entries of the PUK, your SIM will be erased. That’s right. Your SIM will stop working. You will have no option but to replace it by visiting your network provider with your ID. That’s why networks keep a SIM unlocked by default. So please don’t try this unless you have your SIM card’s PUK numbers.

Like I mentioned, SIMs in India come unlocked, but have a default PIN. You can’t lock the SIM unless you know this PIN. The default PINs are set by the network provider, and so vary from network to network. On googling it, I found that it’s usually ‘0000’ or ‘1234’ for most service providers in India.

However, I was curious about how to get the PUK in case I didn’t know the default PIN. A bit more digging around told me it would be there on the original SIM packing. But I had thrown that away. The alternative for the Jio network is to register your Jio SIM on the Jio website, give your details, and then request your PUK from Jio.

To do this dial 199 from your Jio SIM, and follow the instructions.

Or follow these steps:
– Dial 199 and enter 2 for English
– To skip the recorded rubbish, type 6
– IVR will say you have typed an invalid code
– Type 1 for repeat
– Then 6
– Then 2 for PUK
– IVR will ask for your DOB in ddmmyyyy
– Next it will ask for your Jio phone number
– After which, it will recite your 8-digit PUK
– Type 0 to repeat, and verify you got it right

After this, go to your phone settings and change the SIM PIN. In my iPhone 6S+ running iOS 13, I found the SIM PIN in ‘Settings’ under mobile data->SIM PIN. See below.

On my Android (Poco F1, running MIUI 10, an Android Pie fork), I had to go to Settings -> Additional settings -> Privacy -> SIM lock. It will be something similar in most Android forks. Or you could just ‘search’ for SIM lock in settings. See below.

So I started the process on both my phones, and entered ‘0000’ for my Jio SIM. The phone rejected it, and said I had two more attempts. I put in ‘1234’ and it worked. There was an option to change the default PIN. As the PIN can be longer than 4 numbers, I changed my SIM PIN to a longer one. The longer it is, the harder to hack.

After changing the pin on both phones, I was a bit puzzled. Nothing seemed to have changed on either phone. Had I gone on a wild goose chase?

I tried restarting my phone, and there it was. A new SIM lockscreen which pops up after the regular lockscreen on my iPhone (It also appears before the regular lockscreen on my Android but I couldn’t get a screenshot as nothing works on an Android until I unlock the SIM). But you can see the iPhone version below. The Android version looks similar except it’s a black screen on my phone. Notice how the ‘Locked SIM’ icon on the top left, changes to the network’s name once I unlock the SIM.

Is an extra lock screen worth it?

I know it’s an extra effort to memorise one more passcode. Since my Android has dual SIMs, I have to enter both the SIM lock PINs, and the lockscreen code before I can use my phone. But since I had already mentally prepared myself for multiple locks, I was fine with this. In any case, I have to do this process only when I restart my phone, which happens rarely. But then again, I like to imagine the look on a hacker’s face after he’s gone to a lot of trouble to steal my SIM, only to realise my SIM is locked with a password that’s locked inside my head. Just the thought makes it worth it.

Does the SIM lock have a loophole?

Sadly, the answer is yes. I can think of three ways. A hacker could simply bribe an employee of the operator to give him the PUKs to my SIM, which would enable him to bypass my SIM PIN (this may have been the case in the video I linked above).

A second way is if my phone is stolen, the hacker can remove the SIM, and use the 19 digit ICCID number engraved on the SIM to get the PUK, and unlock the PIN. I don’t know how it works, but people kept telling me it can be done. Like I said, a SIM was never meant to be a security device.

A third way is if the hacker has already hacked my Jio.com online account and my email. All he has to do is make a request to Jio from within Jio.com account. Jio will then send my SIM’s PUK numbers to the email registered with them. Using this, the hacker can successfully do a SIM swap.

Looks like SIM locking by itself may not be enough to put off our hacker. I need to double down on securing my email, which is the weak link.


Level 2: Double locking my accounts

The technical jargon for this is 2FA or two-factor authentication.

This is when your account, say email, can only be unlocked if you have two codes. The catch is you know only one of these codes. The second will be sent to you on request. The first is your password. The second is an OTP that is sent to one of your registered devices, whenever you try to access your account. This means a hacker can’t access your account with just a password. He needs the OTP too. Two factors.

Google has been pushing me all these years to go in for 2FA. I’ve ignored them as it seemed a bit of a hassle to set up and to use. But seeing how my locked SIM can be unlocked by accessing my email, I finally decided it was time to upgrade my primary email’s security to 2FA.

I’m doing the process on my phone. It’s not too complicated but here are the steps anyway. If you are on iOS, you will need to download the Gmail app.

Caution: Once you set up 2FA, accessing that account can sometimes be a pain. For instance, last night the Apple Mail app on my iPad was unable to access my freshly 2FA-ed Gmail account. It asked me to go into settings and re-enter my password. I did so, and was sent an OTP on my phone. For some reason, the OTP didn’t come through for 10 minutes. It’s not really a big deal as I could access my email on the Gmail app on my iPad as well as on my phone. But all the same, it was a hassle till the OTP arrived and things fell into place. My only consolation was if it was a hacker, he would probably have gone nuts.

Anyway, first, I sign in to my Google account on my phone’s browser (I’m using Chrome here). Then I tap on my profile pic in the right top corner, choose the email account I want to protect, and tap on ‘Manage your Google Account.’ In the next screen, I swipe to the ‘Security’ tab, and then scroll down to where 2-Step Verification shows as ‘off’ and tap on it to toggle it on, and finally tap the ‘Get Started’ button.

After I verified my email by entering my password, Google next offered to let me use my phone (the number linked with my Gmail account) as the second sign-in step. To verify that it was I who was doing all this, Google then sends a ‘Google prompt’ to all the devices on which I am currently signed in on that Google account (in iOS devices, the prompt only comes within the Gmail app, probably because Apple will not allow such prompts at an iOS system level). After I confirm by tapping on the ‘Yes’ button, Google asks me for a second phone number as a ‘backup option’ in case I lose my phone.

At this point, I noticed that Google was also offering an alternative backup option. So I click on it. This option turns out to be a series of ten 8-digit backup codes, each of which I can use once. I preferred the backup phone option (for now) as I was quite likely to misplace those codes. So I entered my second phone number, and clicked on ‘send.’ Google sends me an OTP to check if the backup number is working. Once I confirm this, Google informs me I will stay signed on in the three devices where I’m currently signed in. To sign in on any other device, I will need to do a two-factor authentication.

To confirm, I try signing in to my email from my old Mac laptop, and am asked to check my Android device where a prompt has been sent.

I go to my Android and I find a ‘Google prompt’ similar to the one I got in the previous step of setting up the 2FA. I tap ‘yes’ on that prompt, confirming it’s me who signed in on a Mac in ‘XYZ’ place at ‘XYZ’ time. Only after I do this am I allowed access to my email on my old laptop.

My email is now double-locked, firstly, with a password I know, and secondly, with an OTP or Google prompt that is sent to one of my devices.

Feels good, but…

Does 2FA have a loophole?

Ok, I’m now getting into paranoid level. But I have always lived on the principle that ‘If you are going to do something, then do it well.’

My first issue is unrelated to hacking. What if I have access to WiFi but there’s no cellular network for some reason? Will I be locked out of my email? It’s not that remote a possibility. I experienced it while traveling in Ladakh in the Himalayan mountains where cellular network is poor. Or what if I lose my phone? Will I be stuck till I get a new SIM?

However, the weak link is still the SIM OTP, which can be used to break the 2FA if the hacker already has the password to my email.

There are possibilities, and though they are remote, they are known to happen. What if the hacker hacks my cellular network provider’s database, and gets the PUKs for a whole bunch of phones, including mine. He can crack my SIM pin in no time. Or what if someone uses his birthday as his SIM pin? People do it all the time and hackers know that.

Let’s assume the hacker has somehow hacked my SIM. Is there a way I can still stop him?

Can I add another level of difficulty? I believe I can.


Level 3: Restricting my accounts to my devices

Going back to that analogy of a phone SIM being like a safe with infinite keys (OTPs) and infinite doors (devices), the idea here is to restrict entry to one or two doors (devices).

Authentication Apps

This category of apps works by checking if the device being used to access my account is one which I have approved. If it’s not, access to my account is denied. In short, the app locks my account to my device, and not my SIM. This means that even if the hacker has hacked my SIM, and has my OTP (the keys to my safe), he can’t get into my safe as it can be accessed only on a device approved by me. In this case, it’s my phone (one door).

If I do this, the only way a hacker can steal my money is if he can: 
– hack my bank account user name and password
– take over my SIM 
– hack my SIM lock pin 
– crack my phone’s lockscreen pin
– and finally, steal my phone

The odds are now definitely more in my favour. The question is, can this be done? The answer is no and yes.

No, because most Indian banks still work with OTPs.

Yes, because SBI, India’s largest bank has an authentication app that links OTPs to my phone, rather than my SIM.

SBI Secure OTP app

SBI is India’s largest bank and used to have a reputation for being inefficient, though that is gradually changing. In theory, the idea behind its app, of delinking OTPs from SIMs, is conceptually sound.

But in reality, the SBI app is often glitchy, gives error messages, and asks you to try later. My guess is SBI, being a public sector bank, prefers to err when in doubt, rather than let a fraudulent transaction happen. That may make SBI safer but it means you can’t always rely on the app to work (see the app’s reviews on iOS or the Google Play Store). However, I like the concept so I use the SBI app. But I also have a second bank account with a private sector bank as a backup, as they tend to be more reliable.

Anyway, what this app does is remove the SIM from the equation. I first need to download and register this app, which strangely enough is by OTP via SMS. After this is done, whenever I do a transaction in my account and it asks for an OTP, I know it won’t be coming by SMS. So I login to this app on my phone, and tap on the ‘Get Online OTP’ option. It generates an OTP, which I then use to complete the transaction. I’m using the ‘Online OTP’ option where your phone has to be online. SBI also has an offline OTP option where you are given an 8-digit number when you attempt to do an online transaction. You enter that number in the app, and it generates the OTP, without the need for your phone to be online.

As OTPs are not being sent via SMS, a SIM swap is now useless for a hacker. Even if he has accessed my bank account, he can’t transact or steal my money despite having hijacked my SIM.

I must add that I’m not sure that this app is foolproof. As you can see in the last screen, I can change my phone by clicking on settings, deregistering my existing phone, and registering a new one. So if this is possible, maybe a hacker who has access to my bank account could delink my phone and register his phone to run that SBI Secure app, and get the required OTP. Or for that matter, he could just switch back to the OTP by SMS mode.

But I haven’t heard of anything like that happening, so maybe SBI has figured out how to prevent that.

Oddly enough, SBI itself provides a way to bypass the SBI Secure app. You just have to download SBI’s YONO app, and link it with your phone. You can then transfer funds with an SMS OTP. This happens even after you have clearly indicated in your online SBI account that you want to disable OTPs, and stick to the SBI Secure app OTP. This loophole does not exist on the SBI YONO Lite app, so the solution would be to discontinue the YONO app. But who’s going to bell the cat?

Authy

Though I haven’t been able to figure out how to use authentication apps with banks other than SBI, I have found that you can use authentication apps to lock down your other accounts like Google, Amazon, and Dropbox. So why not? The more locks, the better.

Normally, I would have gone with the Google authenticator app. But it seems the app doesn’t provide a backup option. This means if the device you install the app on crashes or is lost, you will be locked out of those accounts you protected, and will have to manually and laboriously unlock each of those accounts. I don’t really understand how it works, but what I understood was enough for me to avoid the Google authenticator app.

So I tried the Authy app, which allows an online backup option. Setting your phone up as an approved secure device isn’t too complicated. You download the app, and open it. Setup automatically starts. You enter your phone number, receive an SMS OTP, and that’s it. Here’s how I did it on my Android.

Adding devices

After setup, the app asks to install an account to be protected. But I quit the app as I wanted to first add my iPhone and my iPad to the list of approved devices. Again, the process was simple as shown below for my iPad. Download app, install, choose option to verify… and the device is added.

Adding accounts

Next I decided to try to add a Google account to Authy on my Android. The ‘add account’ function is buried in the three dots on the top right of the app (screenshots are disabled on this page). The steps were simple. The app asks you to scan the QR code from the Google site, and allow Authy to use your camera to do this. Once the QR code is scanned, the account is added to your protected accounts.

However, there were a few hiccups along the way as that QR code wasn’t easy to locate. Had to dig deep into Google before I found it. Here’s what you need to do. First, sign in to your Google account, and go through the process to turn on 2-step verification (see previous section). After you tap on the ‘turn on’ button, 2FA will be turned on, and the next page will display a ‘turn off’ button. The authenticator app option is hidden on this page; scroll down and you will see it.

Tap on ‘set up’ in the authenticator app section. You will be asked what kind of phone you want to install the app on. I was doing it on the Android so that’s what I tap on. And finally we get to see the elusive QR code.

But there’s still an issue. If I was setting up Authy on another device, then I can just scan the QR code from my Android’s screen. But in this case, I’m setting up Authy on my Android itself, so it’s obviously impossible to use my Android’s camera to scan the QR code. What I have to do is tap on ‘Can’t scan it’ below the QR code. That takes me to a new page where I’m shown a key. I copy it, go back to the Authy app, tap on the three dots, and then choose add account. On the next page, instead of scan QR code, I tap on ‘enter code manually.’

One last precaution. There is a possibility that someone can hack my Authy account, and add his device and thus get access to my accounts. To prevent this, I go to my Authy app, find my way to its settings, tap on the ‘devices’ tab, and then turn off the option to ‘allow multi-device.’ Now even if a hacker accesses my Authy account, he will not be able to add his device.

One last step. I need to delink and remove my SIM number from my email accounts, as I had relinked my SIMs to my email while writing this post.

We are finally done. My account is now secured and can only be opened on my devices.


Level 4: Restricting access to a physical key

This is the final level that I could find. It’s basically two factor authentication, except that the second factor is an actual physical device, without which you will not be able to access your accounts. It’s sometimes given by a service provider, like say a bank. There are two ways in which it works.

The first is a key that you plug in to your device, without which you will not be able to access your accounts on that device. It usually plugs into the USB port. So we are talking of laptops and desktops mainly, though some mobile devices do allow USB access.

The second is a tiny code generator that gives you a code which you need to enter along with your password. I have used this thingy when I had an account with HSBC. Though it’s secure, I was always worried I would lose it.


A few more tips to stay safe

  1. If your phone’s network is out of coverage for an extended period of time, check with your service provider. If they say your SIM is active and being used, a hacker could have done a SIM swap on you.
  2. Make sure your SMS notifications don’t show on your lockscreen. If a thief steals your phone, then he can get your OTPs even without unlocking your phone.
  3. Don’t use your phone number on social media if possible. I have an old number on my Facebook, and I refused to update it on the site despite repeated nags to do so. Facebook actually knows my current number as it’s linked to my WhatsApp, which Facebook owns. But they can’t just go and update it in my account, can they? (I still need to remove that number just to avoid my FB account being taken over)
  4. Check your bank account statement regularly, and make sure you are registered for email alerts in addition to your SMS alerts. This has to be your primary email account so you don’t miss the alerts.
  5. If you have elderly family members with bank accounts who do not keep an eye on them, use your email on their accounts. This can be an issue if you both have accounts with the same bank. That’s because your email can only be linked to one account in that particular bank. One workaround is to use an alias. So if your email is johndoe@gmail.com then you can use johndoe@googlemail.com for the second account. The bank will see it as different emails and accept it, but the alerts will both come to the same email.
  6. Avoid keeping your IDs and important documents in your email or cloud accounts. This includes that 19-digit SIM number on the back of your SIM card. If you absolutely need to store documents online, then make sure these accounts are securely locked to your device.
  7. Use a password manager app like LastPass to store all your passwords, and manually access it. Obviously, the master password to your password app should not be one you have used anywhere else. I know Apple already stores passwords in a similar service built into their devices, which is supposed to be encrypted and all. Google also does the same. But the thing is your system also has access to these services across many apps. So I have the same ‘too many doors to my safe’ worry. Or maybe I’m just being a paranoid android.

Related posts:

I have written a couple of companion articles to this post. The one below is for those who are worried about handing over all their passwords to a digital password manager. It illustrates how I manually created a password that’s easy to recall but at the same time is very strong.

Making strong, easy-to-recall passwords
Because sometimes you need a human backup

The second one is about a couple of close shaves that I had with phishers.

Close encounters of the phishing kind
A couple of tales of real and imaginary phishing attempts on me