New Delhi: There’s good news and bad news for Indians worried their phones will be hacked and spied upon, as happened with around 1,400 WhatsApp users earlier this year.
The bad news first: There is no foolproof method to ensure your data and devices are safe from hacks and unauthorised access 100 per cent of the time.
“The only way to make sure your phone is not hacked is to take a hammer and break it to pieces,” said cybersecurity analyst Jiten Jain, CEO of Indian Infosec Consortium, a non-profit engaged in the sphere of online security.
Satyajit Sinha, a cybersecurity analyst working with the firm Counterpoint Research, urged constant vigilance.
In a real-world scenario, constant vigilance may not be possible — you could end up logging into an unsafe public WiFi network to send an urgent message, or leave your password scrawled on a paper somewhere.
Unfortunate events like these increase our vulnerability to ill-intentioned individuals, but here’s the good news — there are a few things you can do to boost your defences.
For one, according to IT expert Khemchand Sharma, one ought to use discretion while downloading apps. “Only download apps you need, that you understand the purpose of, and that are verified by the online store you download it from,” added Sharma, who is also a member of the BJP national IT and social media campaign committee.
Additionally, he said, a user should monitor the data use of apps. “If data usage is too high, then you should be alert, it may be some malware,” he added. He also suggested deleting sensitive information from devices as soon as possible.
Victims of the WhatsApp hack found their devices compromised by spyware delivered via calls made through the app. Perhaps the most worrying aspect was that it didn’t matter if they answered the malicious call: the damage was done anyway.
Sharma acknowledged that the WhatsApp hack had cast a shadow on its reputation for safety and security, but said you can continue using the chat platform since the company is “taking safety measures and not all users are vulnerable to hacks”.
More layers of security
Jain suggested using two-factor authentication for your devices, which means a second step of verification in addition to a password.
“Have your personal devices like phones and laptops audited by cybersecurity professionals every six months,” he added. This should throw up any malware and vulnerabilities present.
“Never click on untrusted links or download any attachments sent by unknown people and never conduct sensitive transactions like banking on public WiFi like at airports, cafés and shops,” he said.
According to him, the security afforded by email providers like Google’s Gmail, Microsoft’s Hotmail, and Yahoo is good enough for the general user. But users should definitely use two-factor authentication to secure access to the email account, he said.
Several journalists and activists have started using an end-to-end encrypted email service called ProtonMail, based in Switzerland, and an encrypted web browser called Tor to prevent surveillance, but Jain claimed that it was important to first understand what entities have created and are managing such services before using them.
“And if you are going to use VPN [virtual private network] to use the internet without being monitored, make sure it is not from a malicious provider but a reliable provider,” Jain said.
Then there is the advice we often ignore when signing up with different web-based services — make sure your passwords are hard to guess, and typically a combination of letters, numbers, and special characters (@#$% etc). In addition, said Sinha and Jain both, passwords should be changed frequently, every three months or so.
“1234 is not a password, it is easy to guess,” added Sinha.
“Don’t use the same password on multiple devices and online accounts — it makes it easier to hack you,” he said.
He also suggested regularly updating software to patch vulnerabilities, and buying mobile security software from firms like Norton, Avast, or McAfee instead of settling for free versions.
“It is important to recognise that cyber-crime is a business, not just a technological issue or a ‘system glitch’,” Sinha added. “The defences, therefore, have to be constantly reviewed and updated…”
Samsung users can store sensitive data on the “Knox” platform, software that allows the user to isolate sensitive data with an additional layer of security.
Security features enabled by hardware
If all this isn’t up your street, try using a feature phone, aka dumb phone, which allows internet access but doesn’t have many of the advanced offerings of its ‘smart’ counterparts.
Hackers typically don’t target these phones since they don’t support or store enough data to be worth hacking.
If you have the money, investing in a premium smartphone with greater security, enabled by hardware, is a good idea too. Sinha said that from the iPhone 5s onwards, Apple started embedding phones with a ‘Secure Enclave’, a hardware component enabling memory encryption to keep your data secure.
Another big tech player, Samsung, implements the ‘Physical Unclonable Function (PUF)’ in the Galaxy S10, S9 and Note 9 and 10.
PUF is a physical entity embedded within the SoC (system on a chip, the brain of a smartphone). It gives the device a unique identity that can’t be cloned, hence making it harder to tamper with your phone.