Saturday, September 28, 2013

Share your money but not your password

Everyone knows what a password is and why we should never share it.  The same applies to credit/debit card details.  We make online transactions all the time and that's fine, because banks and online shops take extra care to safeguard their websites and your communication with them.  For example, banking sites use HTTPS, which encrypts the traffic between your browser and the bank's server.  Now, HTTPS is not a fool-proof defence against hacking, but the technology is not really the biggest issue.  As IT companies like to say, the real crack in the armour is us, people.  All the technology in the world can't save you when you write your banking credentials on a clean white sheet of paper and leave it on the back seat of a call taxi.

Which idiot would do that, you ask?  Well, I've seen a few people send credit card or bank account credentials through SMS.  Say you send the message and immediately delete it from your phone.  Great!  But the person who received your message might have a fancy Android mobile.  He is a bit lazy, like me, and so he uses an app to sync his mobile messages with his PC so that he can read and reply to SMS from his computer (like me  :D).  Now, after receiving the message with the banking details, he deletes it from his mobile.  Smart thinking.  But the message has already been synced into the app's online database.  Say the app was developed by three or four guys in their free time.  They don't have the time or money to set up additional security for their website or database.  Besides, they'll be thinking, why does an SMS syncing app need additional security?  That makes them a far easier target than your banking website.  And note that the copy in their database is only one of several: an SMS is also stored, in plain text, by the mobile operator that carried it, so the moment you hit send there are copies of your credentials that you neither control nor can delete.

All this might sound too complicated, but it's not, really.  But then you might say, "I haven't heard of something like this happening even in the USA".  Not yet, but five years ago did you think that you would pay your TV bill online?  We can't guess what'll happen five years from now.  You may forget about the SMS you sent, and you may not even have had 100 rupees in the account when you sent it, but four years later that account might hold your life's savings, the password will still be the same, and that information will still be available out there somewhere.  If it still sounds implausible, what if the receiver didn't delete the message and his mobile gets stolen the next day?  There are many more possible risks that I can think of, and a lot more that I don't even know about.

So how the hell are we supposed to protect ourselves from these unknown threats, you ask?  Well, it's simple: use common sense.  a) Don't send passwords and sensitive information over SMS or email.  b) If you have to for some urgent need, change the password by the end of that day (a card number can't be changed, so in that case ask your bank to block the card and issue a new one).  Now, that's simple, isn't it?  There is no point in being lazy and then blaming the new technology for being unsafe.
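Rule a) can even be enforced by a machine: before a message goes out, scan it for things that look like card numbers or credentials and refuse to send it.  The script below is an added example written for this post, not code from any SMS app; it uses the Luhn checksum that card issuers use, so that order numbers and phone numbers are not flagged by mistake, plus a small keyword list ("password", "PIN", "CVV", "OTP") which is my own assumption about what people typically type.  The sample messages are made up for the example.

```python
"""Outbound-message check: refuse to send an SMS or e-mail body that carries
card numbers or credentials.  Added example, not part of the original post."""
import re

# Runs of 13-19 digits, optionally separated by spaces or dashes (the way
# people type card numbers).  Each candidate is then Luhn-checked.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Keyword hints that a secret follows ("password is hunter2", "PIN 1234").
# The keyword list is an assumption made for this example.
SECRET_HINT = re.compile(
    r"\b(password|passwd|pwd|pin|cvv|otp)\b\s*(?:is|[:=-])?\s*(\S+)",
    re.IGNORECASE,
)

# Constructed sample messages; the card number is the well-known Visa test
# number, the account and password are invented.
SAMPLES = {
    "card": "Pay with my card 4111 1111 1111 1111, exp 12/26, CVV 123",
    "password": "net banking user raj123 password is Summer@2013",
    "benign": "Order 1234567812345678 shipped, call 9876543210 if late",
}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum as used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers (digits only) found in the text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_secret_hints(text: str) -> list[str]:
    """Return the credential keywords that are followed by a value."""
    return [m.group(1).lower() for m in SECRET_HINT.finditer(text)]


def check_outbound(text: str) -> dict:
    """Decide whether a message may be sent; returns the verdict and reasons."""
    reasons = []
    pans = find_pans(text)
    if pans:
        reasons.append(f"{len(pans)} card number(s) (Luhn-valid)")
    hints = find_secret_hints(text)
    if hints:
        reasons.append("credential keyword(s): " + ", ".join(sorted(set(hints))))
    return {"allow": not reasons, "reasons": reasons}


def redact(text: str) -> str:
    """Mask card numbers except the last four digits; blank out values that
    follow a credential keyword.  What you would log instead of the original."""
    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_valid(digits):
            return m.group()          # not a card number, leave it alone
        return "*" * (len(digits) - 4) + digits[-4:]

    text = PAN_CANDIDATE.sub(mask_pan, text)
    return SECRET_HINT.sub(lambda m: m.group(1) + ": [REDACTED]", text)


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict = check_outbound(body)
        print(f"{name:8} allow={verdict['allow']} {verdict['reasons']}")
        print("         ", redact(body))
```

The benign message contains a 16-digit order number and a 10-digit phone number; the order number fails the Luhn check and the phone number is too short, so it passes.  The other two are blocked, and `redact()` shows how to keep a copy for debugging without keeping the secret.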

This is only part one; there is more to come...  :P