Apparently harmless apps showing how a person would look after 30 years make the data of millions of users vulnerable, Internet experts said at a meet on cyber security on Friday.
Net Neutrality implies all Internet users be treated equally and under such a circumstance it is incumbent upon users to ensure their personal information is secured, they said while speaking at the Security Symposium and Awards 2019.
“Most apps seek permission to access a user’s contacts, location and other details before being downloaded,” Sushobhan Mukherjee, the chairman of Infosec Foundation, said.
The non-profit organisation is dedicated to cyber security and was the organiser of the meet.
“Most users unsuspectingly give permission, making their data vulnerable. If the phone is hacked or if the service provider behind the app is compromised, all information can be stolen and misused,” Mukherjee said.
The Internet and smartphone boom has brought along with it the threat of data theft. The number of smartphone users in India was 468 million in 2017 and is expected to touch 859 million by 2022, according to an Assocham study.
“Less than 10 per cent of users have an anti-virus software or firewalls installed in their handsets,” Rajan S. Mathews, director-general, Cellular Operators Association of India, said.
“We keep our jewellery and cash in bank. We keep our cupboards locked. But when it comes to our data, we leave it all open, as if waiting for it to be stolen.”
Mukherjee of Infosec explained how downloading WhatsApp pictures and videos could be risky. “We tend to download everything sent on WhatsApp without verifying the sender’s authenticity. A sniffing software that captures data transmitted on a network can be easily installed in a WhatsApp video file.
“The moment the video is downloaded, the sniffer gets injected into the device. The person or group which now has access to the user’s data will not do anything instantly. He will wait for days, studying the user’s behaviour pattern.
“The strike will happen at an opportune moment. A phishing mail will be sent from the user’s email ID — that can be spoofed easily — asking for funds to be directed somewhere. The receiver of the mail will have no reason to suspect foul play.”
If the user is a senior executive of an organisation or he/she uses the phone to send/receive office mails, the entire organisation could be at risk, Mukherjee said.
Speakers cited the example of the 2016 Hitachi ATM data breach —one of the worst cyber breaches for Indian banks that had outsourced their ATM operations to the Japanese firm.
The most important tool against data breach is awareness, they said. Some simple steps like keeping the GPS and data off when not using a phone can go a long way in securing data.
“The data protection bill, which is still to tabled in Parliament, can go a long way in curbing misuse of data,” Mathews said. The bill seeks to regulate the processing of personal data of individuals by government and private entities in India and abroad.
