Shyam Sundar, a 23-year-old computer engineer, wanted to sell an iPhone on Quikr. He posted a picture of the phone and waited for a buyer. Within hours, an interested buyer chatted with him and they exchanged phone numbers to negotiate how Shyam would be paid. “Within seconds, I got a Paytm one-time password (OTP). I could not believe my eyes. I had only just given him my phone number,” he said. Millions of people nationwide are having to switch willy nilly to mobile wallets such as Paytm, Freecharge and MobiKwik with the government bent upon ushering in a digital economy. But how safe are these mobile wallets?
In all probability, the person who posed as Shyam Sundar’s iPhone buyer chose the ‘forgot password’ option on Paytm to generate an OTP which went to Shyam’s phone. Within seconds the latter received a message from an unknown number. “Please send your OTP to this number. This is to authenticate the seller,” it read. To a gullible user, the message might look genuine. There was nothing to suggest it was a hoax. There are high chances that in an impulse to sell, the user would share the OTP. But Shyam Sundar quickly understood that the buyer was trying to con him to siphon money from his Paytm wallet. “After that episode, I added an extra security wall to all my accounts — email, mobile wallets, bank accounts, everything. I did not want to take another risk,” he said. In the above instance, the con man tried a simple trick to get the seller to reveal his password. But professional hackers can crack passwords using a high level of expertise without having to trick a mobile wallet user, said a professional programmer and open source software enthusiast who did not want to be named. “When a user types in his user ID and password, the packet of data is sent to another server which authenticates it and then lets the user open the account.
If someone can intercept the data packet, they will have access to the password. It can lead to a man-in-the-middle attack,” he explained. Simply put, imagine you have to send a parcel to a friend. If somebody grabs the parcel on the way, takes a look at it, repacks it and sends it to your friend, they will know what is inside the box. You and your friend will never know someone took a look at the ‘secret’ parcel. The probability of an attack is high if the attacker is using the same local network (for eg, a public wifi). Another way in which a password can be found is by social engineering — guessing passwords based on your social media feed.
For instance, many use the birth year of their close relatives as their ATM PIN number. Vulnerable data is not just restricted to the messages you send on Facebook or Whatsapp. Many apps send data in the background. For example, apps send push notifications to you by tracking your location through the data that your mobile phone keeps sending. You may have allowed access to such data when you clicked okay to the terms and conditions when you downloaded the app. “Who reads terms and conditions these days,” says the programmer who spoke to us. “These days people really don’t care about what they put out on the Internet. And once it is out there, it is permanently there.” The level of expertise needed to hack into your phone or desktop may not be high, for the current software and computers can be easily broken, says Norton Quinn, a journalist who has long covered the hacking scene, in a piece on Medium titled “Everything is Broken”.
She narrates an instance when a hacker friend of hers accidentally obtained control of about 50,000 computers. “This story isn’t extraordinary at all. Spend much time in the hacker and security scene, you’ll hear stories like this and worse,” she writes.