Saturday, October 15, 2011

Beware the hacker using public WiFi

DON'T you just love the convenience of your smartphone?

With the widespread availability of WiFi, you can update your Facebook status, check on that urgent e-mail, and do your banking almost anywhere.

You can even do all of that in a fast-food restaurant while chomping down your lunch.

But while you are doing so, do you know that someone just a few seats away may be hacking into your account and stealing your details?

The worst part is that you will have no clue that it's happening.

All a 22-year-old Thai student needed to hack into Thai Prime Minister Yingluck Shinawatra's Twitter account last Sunday was a mobile phone.

In the span of 20 minutes, eight tweets mocking Ms Yingluck's incompetence were sent out from her own Twitter account.

The student surrendered to the authorities days later, after he was contacted by investigators searching for the hacker.

While most media reports here centre on hackings and cyber attacks involving large corporations - there were recent reports of banks and the two integrated resorts being attacked - the end user's misery often goes unnoticed.

The problem is that in tech-crazy Singapore, while there are many smartphones available out there, there just aren't enough smart users.

People don't protect themselves enough.

Mr Tong Hui Leong, 40, a principal trainer at IT security training consultancy Black Belt Academy, showed The New Paper how easy it is to hack into other people's accounts.

Applications like DroidSheep, which is free, are downloaded onto an Android phone or tablet computer that supports the application.

After installation, all the hacker has to do is to launch the application on his device from a public place with free WiFi, and wait.

When someone on that WiFi accesses, for example, a Facebook account over an unencrypted connection, the unsuspecting victim's device sends his data through the WiFi to the Facebook server.

This data can then be read by every computing device that shares the same network.

Some data, such as the victim's password for his Facebook account, is encrypted, thus preventing the hacker from reading it.

But other data, such as the session ID, which is assigned to the user every time he logs into his Facebook account, can be stolen.

The session ID is like a temporary virtual pass, which allows the user to access his account without having to log in repeatedly.

Every time the user does something on Facebook, his device sends Facebook the virtual pass, so that the website will recognise him and grant him access.

But once the user logs out of his account, his access to Facebook through that virtual pass will be revoked.

And it's this virtual pass, or session ID, that the hacker steals and replicates on his own device.

Once the hacker gains access to the victim's Facebook account, he would be able to do almost anything that the real owner can do, including sending status updates and messages to friends.

A lot of damage could be done.

In an extreme case, the hacker could access the victim's Facebook friends' information, for example, their mobile phone numbers, and make monetary demands of those friends in the guise of the victim.

Said Mr Tong: "We have to embrace Facebook because Facebook is here to stay. But by empowering people with knowledge, we're teaching people to protect themselves online."

Mr Tong, who conducts security training for businesses, added that all a Facebook user needs to do to protect himself is to enable the secure browsing feature in his Facebook account security settings.

On Facebook, this secure browsing feature is disabled by default.

Enabling the feature would encrypt the user's session ID as it is sent to Facebook, thus preventing the hacker's application from reading it.
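As an added illustration (this code is not from the article, from Facebook, or from DroidSheep), the following Python checks the server-side equivalent of "secure browsing": a session cookie marked Secure is only ever sent over HTTPS, so the "virtual pass" never crosses the WiFi in the clear. The cookie name `sess`, the header values and the URLs are constructed samples.

```python
"""Audit whether a site's session cookie can be copied off an open WiFi.

The 'secure browsing' setting the article describes amounts to serving the
site over HTTPS and flagging the session cookie Secure, so the browser never
transmits it on a plain http:// request. (Added example; samples constructed.)
"""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into a list of (name, morsel) pairs."""
    jar = SimpleCookie()
    jar.load(header)
    return list(jar.items())


def audit_set_cookie(header):
    """Return hardening findings for each cookie in the header (empty == hardened)."""
    findings = []
    for name, m in parse_set_cookie(header):
        if not m["secure"]:
            findings.append(f"{name}: no Secure flag, browser sends it over plain http://")
        if not m["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable by page scripts")
    return findings


def sent_in_clear(header, request_url):
    """True if any cookie from this header would travel unencrypted when the
    browser requests request_url, i.e. what a sniffer on the same WiFi sees."""
    if urlsplit(request_url).scheme == "https":
        return False  # TLS protects the cookie on the wire regardless of flags
    # On http:// the browser omits Secure cookies entirely, so only non-Secure
    # cookies actually appear in the cleartext request.
    return any(not m["secure"] for _, m in parse_set_cookie(header))


# Constructed samples: the default setting versus 'secure browsing' enabled.
WEAK = "sess=abc123; Path=/; HttpOnly"
HARDENED = "sess=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, hdr in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_set_cookie(hdr),
              "leaks on http:", sent_in_clear(hdr, "http://example.com/feed"))
```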

The hacking application operates on the same principle when accessing a victim's Twitter or e-mail accounts.

There's a catch, though: It's not easy for the layman to install the application, said Mr Tong.

The person would need to have knowledge of rooting an Android device, which is similar to the concept of jailbreaking an iPhone.

It would take about 15 minutes for someone with rooting knowledge to install the application, he said.

And there's another deterrent for anyone who's contemplating installing the application - it's illegal to access someone's account through this method.

Said tech lawyer Bryan Tan, a director of the Keystone Law Corporation: "Under Singapore law, illegally accessing a computer, including a computer account you do not have access to, is an offence under our Computer Misuse Act.

"This applies whether you used another hacking program or whether you simply stole the password."

Avoid using public WiFi to log in to any website such as Facebook, Twitter and e-mail accounts. If you want to use public WiFi to access your Facebook, ensure that secure browsing is enabled on your Facebook security settings.

Avoid leaving secure (encrypted) browsing while you are surfing Facebook on public WiFi.

If you think that someone is logging on to your account, log out immediately. Always remember to log out from your accounts.

This article was first published in The New Paper.

Source: http://news.asiaone.com
