If a thief comes to you and asks for your jewelry, you will not take it out and give it to them, right?
Now, for decades, experts have been telling us that data is the new oil. So, why are we still giving our data away like it's harmless? It's not. Data is called the new oil because it is a wealth generator.
Many people make the mistake of thinking that the only use of data is advertisement targeting. It is not. Data is used for many things, and targeted advertising is the LEAST important of those uses.
Data is used for:
A. Regime Change
B. Civil Unrest almost amounting to internal emergency (I think, in more than 10 countries in the last 3 years alone)
C. Financial Fraud
D. Physical Crime
E. Targeted spear phishing attacks on enterprises
F. Addiction algorithms in apps, websites, and games
G. Blackmail
H. And yes, getting a few dollars out of your pocket through targeted advertising.
You might have read many stories of cyber hacks or cyber fraud. You may also have received such calls yourself. You might think that these are random incidents in which innocent civilians were victimised.
They are not. There is proper segmentation, targeting, and then attack. So, if you have been scammed or have received a scam call, a lot of homework has already been done. Much of that homework is now automated.
But, the average Indian is not tech savvy. So, how do we protect ourselves from this?
I have worked to create a list of simple things people can do to minimise their risk of being targeted. Each of these is a small, simple step that will take you one step towards safety.
Like good health practices, these are good cyber health practices.
Identity Theft
1. Do not hand over your Aadhaar card anywhere. If they ask for Aadhaar, ask them: "Do you need my Aadhaar, or do you need a photo ID/address proof?" For both of these purposes, a driving licence works just as well.
2. When submitting your ID card anywhere, blacken a part of the ID number OR the DoB so that the ID proof cannot be copied. This applies especially when checking into hotels and when giving ID proof for forms that will be handled by a call centre.
3. Do not use runners or other facilitators who can get access to your ID documents. No one should see your ID document unless it is absolutely necessary.
4. Your phone no. and your email id are your identity. No phone no. at office gates, parking lots, and other random places. Keep two phones: one for all personal interactions and one for places where you have to give a phone no. Never share your personal phone no. or personal WhatsApp number casually. The same goes for your personal email id. Phone no. and email id are the foundation stones of identity theft; identity theft is very difficult without them.
Financial Fraud
1. If something appears too good to be true, it is. This applies to things you are trying to sell, investment options, and everything else related to money. New asset classes are not bad, but ensure that you understand them well before investing.
2. Do not use the same signature for bank cheques and everyday activities. Have two signatures: the official one and a short one. When signing for a courier or at an entry gate, use your short signature. Use your official signature only on official documents.
3. Do not keep money in current and savings accounts. Do not link Fixed Deposits to current and savings accounts. Budget for putting your cash requirements for a month or a fortnight, and put the rest away - even a short term FD will do. Just make sure that it is not linked to your main account.
4. If you are a senior citizen getting inbound transfers of money from your children, ensure that you receive the remittances in 2-3 different bank accounts, and use the non-linked FD principle to manage the cash. Senior citizens with significant inward remittances are especially targeted because they are easy targets.
5. Do not click on any link in WhatsApp or SMS. Open links only on a large-screen laptop, where it is easier to spot fake websites and to check whether the address is http or https (among other things).
6. Do not save credit card information on any website. Most websites, especially Amazon, are sneakily designed to get you to store your credit card information. While tokenisation is supposed to make this safe, it is not foolproof. It only takes one extra minute to input your information manually each time. Do it.
7. Do not load apps on your phone except those that are absolutely necessary. Facebook, LinkedIn, and Twitter are all available as mobile websites. Use those. Every app is a backdoor into your phone, and any one of these apps can be compromised or hacked to get into multiple devices at one go.
8. If you have not used an app for more than 2 months, uninstall it. When you need it again, you can install it again.
9. To the extent possible, don't use free apps for things that should cost money. Video editing, photo editing, and scanning apps are all backdoors into your data. Remember CamScanner? It was a popular scanning app that turned out to be... well, not just a scanning app. It was subsequently banned in India.
10. In addition to 2FA, keep different security questions for each banking/financial app.
11. Do NOT share your phone number while billing at retail outlets. They will customarily ask you for the phone number. Customarily say, "Please bill without the phone no." This one step will minimise the spam calls you get AND your exposure to bank fraud.
12. Do not use autofill and Save Password feature in any browser.
13. Always set your browser to delete all cookies when you close the browser.
14. Do NOT use Google to find service numbers for anything. The number of scams that have happened because Google does not control who can post as the service agency for a brand is crazy high. Google is not your directory. Make the effort to go to the website of the manufacturer or service provider, and ensure that the website is legit.
15. Don't contribute to crowdfunding campaigns for medical care if they ask for your email id and phone number. Just remember the days when you could leave the house, buy the stuff you needed, attend tuition classes, visit a doctor, and come home, without sharing information about yourself. At most, the doctor took your name, age, and gender. That was it. No email id, no phone no.
16. If you get a message that KYC is pending, visit the bank. This is for two reasons: one, you need to submit KYC documents physically, and two, the relevant person in the branch will do this. Do not respond to SMS messages asking for KYC to be done online.
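A small script that does the checks recommended in item 5 (look at the scheme, look hard at the host) and in item 16 (the "KYC pending" pattern), written for this post. It is an added example, not the author's code and not part of the original. It flags http links, links with a user@ part or a bare IP address in place of a host, punycode (internationalised) host names, links that mention a bank's name but do not live on that bank's domain, and urgency words on unknown domains. The brand name examplebank, its domain examplebank.in, the short suffix list, the lure-word list and every sample link are constructed for illustration.

```python
"""Heuristic checks for a link received over SMS or WhatsApp.

Added example, not code from the original post. Brand names, domains and
sample links are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> the domain you know to be genuine.
# In real use, take the domain from the bank's card, passbook or branch.
KNOWN_DOMAINS = {
    "examplebank": "examplebank.in",
}

# Hand-written sample of two-level public suffixes; a real tool would load
# the full Public Suffix List instead.
TWO_LEVEL_SUFFIXES = {"co.in", "net.in", "org.in", "gov.in", "ac.in", "co.uk"}

# Words that "KYC pending" and similar scam messages lean on (constructed list).
LURE_WORDS = ("kyc", "verify", "update", "blocked", "suspend", "reward")


def registrable_domain(host: str) -> str:
    """Return the part of the host that somebody actually registered.

    'secure.login.examplebank.in'    -> 'examplebank.in'
    'secure.login.examplebank.co.in' -> 'examplebank.co.in'
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def inspect_link(url: str) -> list[str]:
    """Return human-readable reasons the link looks suspicious.

    An empty list means no heuristic fired; it does not prove the link safe.
    """
    reasons: list[str] = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        reasons.append(f"not https (scheme is {parts.scheme or 'missing'})")
    if parts.username is not None:
        # https://examplebank.in@evil.example/ really goes to evil.example
        reasons.append("has user@ before the host; the real host is after the @")
    if not host:
        reasons.append("no host name at all")
        return reasons
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address, not a domain name")
        return reasons
    except ValueError:
        pass  # normal case: the host is a name, not an address

    labels = host.split(".")
    if not host.isascii() or any(lab.startswith("xn--") for lab in labels):
        reasons.append("internationalised host name; letters may only look familiar")

    domain = registrable_domain(host)
    for brand, real_domain in KNOWN_DOMAINS.items():
        if brand in host and domain != real_domain:
            reasons.append(
                f"mentions '{brand}' but the registered domain is {domain}, not {real_domain}"
            )
    if len(labels) >= 5:
        reasons.append("unusually deep chain of subdomains")

    text = host + parts.path.lower()
    hits = [w for w in LURE_WORDS if w in text]
    if hits and domain not in KNOWN_DOMAINS.values():
        reasons.append("urgency words on an unknown domain: " + ", ".join(hits))
    return reasons


def is_suspicious(url: str) -> bool:
    """True when at least one heuristic fired."""
    return bool(inspect_link(url))


if __name__ == "__main__":
    # Constructed sample links: one genuine, three typical of scam SMS.
    for sample in (
        "https://www.examplebank.in/netbanking",
        "http://examplebank.in.kyc-update.xyz/login",
        "https://examplebank.in@203.0.113.5/",
        "https://xn--examplebnk-abc.in/verify",
    ):
        print(sample)
        for reason in inspect_link(sample) or ["no heuristic fired"]:
            print("   -", reason)
```

Run it as-is to see the four samples judged; in real use, paste the link you received into inspect_link instead. An empty result only means that none of these simple heuristics fired, so it is a reason to look more carefully, not a green light.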
Blackmail and Crime
1. Do not discuss your family composition, especially the number and ages of children, on a public platform, in a public place, or over the phone. Don't comment on a Facebook group of 10,000 members: "How cute! My grandson is 8 years old too!"
2. This is basic, yet ignored by so many people all the time - cyber love is great. No pictures please. Your partner might be safe. The platform isn't. The device may not be.
3. Do not discuss financial information in a public place. Never over the phone or on social media.
4. Even if you trust them implicitly and have worked with them for long, keep your personal financial information on a need-to-know basis only for everyone.
5. When sharing your home Wi-Fi with staff or guests, it is best to create a separate Wi-Fi network so that they are not on the same network as your home devices. You can simply use a mobile hotspot to provide the Wi-Fi.
General Precautions
1. If your phone is using up battery very quickly or is heating up, immediately uninstall ALL money-related and personal apps from it and change your passwords. The phone may or may not be compromised, but changing your credentials will save you proactively.
2. Use browsers that don't dial home, i.e. send data back to their developers. Brave and DuckDuckGo are both great mobile browsers.
3. While installing an app, check the permissions it is seeking carefully. A photo editing app does not need to read your SMS. When in doubt, do not install.
4. Hospitals are, unfortunately, among the most vulnerable data centers. If you can, use the services of RMPs who own their data center or keep patient records locally. When choosing a diagnostic center, choose one that stores data locally. Indian law requires medical practitioners to retain details of treatment for about 2-3 years, but there is no need to put this data on the cloud. Avoid putting medical data of any kind on the cloud as far as possible. You can also ask for your data to be deleted after 3 years. In multiple cases, the Honorable courts have held that the patient is the absolute owner of their medical records.
5. If you find yourself wanting to play a game or an app when you should be doing something else, it's time for digital detox. Do not take this lightly. All addiction leads to financial loss and loss of quality of life.
6. If your computer hangs often and this has started recently, get a thorough scan done.
7. On social media, NEVER accept requests from people you do not know. This is how spear phishing is done: a targeted email is sent to one person, designed around the usage behaviour and interests of that one person.
8. Don't give kids social media accounts, no matter how much they cry. Don't post pictures of children on social media, no matter how cute they are and how close the group is. The group is reliable. The platforms are not.
9. Your Date of Birth, mother's maiden name, first school, place of marriage, and other such details are also used as security questions in many applications. So, don't put this content on social media.
10. Do NOT choose childcare centers that beam images of your children over the internet for you to monitor them. If you can see them, so can hackers.
11. While installing CCTV at home, try and get the storage on a local hard drive. Cloud storage of home CCTV footage is a vulnerability.
12. Do not install Truecaller or any other directory app that requires you to share your contact list with the cloud.
13. Keep an offline backup of all your data on a separate SSD or hard drive. Do this periodically.
14. Subscribe to haveibeenpwned.com.
15. Add your phone no. to DND. Then, if you get a call or message, complain to TRAI for sure. You will notice that the number of violators of DND will go down once you start complaining.
16. On any browser, log out, don't just close the tab or window.
17. Do NOT use free Wi-Fi. At any place. Use your own mobile data hotspot. This applies to airports, star hotels, cafes, and every other place. In India, data is really cheap now.
18. On Facebook, Google, and other platforms, go to your account and disable access for third-party apps that you are no longer using. Do this at least once every 6 months.
19. When you are given a choice to log in using Google or log in using Facebook, check carefully what data the site will get when you connect the two. Usually, it's fine. But check. And if you are uncomfortable, use an email id you keep exclusively for these websites.
20. There are no miracle cures. No soulmate is dying to talk to you online. You have not won any lottery. There is no limited time opportunity to invest or get a job. No one has selected you for a job without an interview. No friend of yours is stranded and needs your help. Tax officers are not going to fine you. That new website does not sell everything cheaper.
21. If you are meeting an online friend for the first time, meet in a public place. Not at either of the homes, even if they say it's a get together and many people are expected.
22. When giving out your data for "Registration" - ALWAYS ask:
a. Why is this being collected? (You don't need to give your email id and phone no. to enter an event, make a retail purchase at a retail store, meet a professional who does not need your personal data. In fact, the default state is to NOT share your data. So, always ask WHY they need to collect it. If the answer is - "We just need it", or "It's our process" - Exit. You are not missing anything in life.)
b. Where is this going to be stored? On the cloud? In your hard drive?
c. Who will have access to this information?
d. How will you protect it? What is the safety standard that you use to store your data? Who do you give APIs to?
Do NOT worry about looking awkward or odd. You need to be sure that they really need this info to complete your request, and that they are capable of safeguarding data that is owned by YOU.
23. Online shopping is great. 10-minute grocery delivery is also great. Ordering in food is also great. But if you are a senior citizen or a person with a little child at home, this introduces a vulnerability that you don't want. It is possible to plan your grocery shopping and get it yourself. If you order frequently from online shopping, quick delivery, or food delivery, it becomes possible for someone targeting you to just don a uniform and approach your house. The security will not notice, because these delivery professionals come to your house very often. This is not imagination. Many crimes have taken place in this way. A simple common-sense rule that this model violates is: your doorbell is sacred. It should only be rung by people you want to invite into your home. Do you really want someone to get a layout of your approach, the entrance area, and the security arrangements, just by getting hired at a nearby delivery service? This is a completely avoidable risk.
24. Before you rush to control everything in the house with an app - ask about how the data is shared, whether it is stored on the company's servers, and who in the company has access to it. Many people were shocked to learn that Amazon uses human listeners to listen to their voice commands. But if they had asked this question earlier, they would know and then take a conscious decision. If the device needs bluetooth to communicate with your phone, that leaves your phone vulnerable to other bluetooth devices, but ensures that the data does not reach the company's servers. Especially if you are a child enabling gadgets for your parents' home, the responsibility of cyber security rests with you.
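To make item 3 above concrete, here is an added example (not the author's code and not part of the original post) that compares the permissions listed in a decoded AndroidManifest.xml with what a photo editor plausibly needs and flags the rest, spelling out in plain language what each flagged permission lets the app do. Getting the decoded manifest out of an APK is a separate step not shown here. The app kind photo_editor, its expected-permission set and both sample manifests are constructed for illustration; the android.permission.* strings themselves are real Android permission names.

```python
"""Audit the permissions an Android app requests against what its job needs.

Added example, not code from the original post. The app kinds, expected
permission sets and both manifests below are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What an app of a given kind plausibly needs (constructed; extend as required).
EXPECTED = {
    "photo_editor": {
        "android.permission.CAMERA",
        "android.permission.READ_MEDIA_IMAGES",
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
        "android.permission.INTERNET",
    },
}

# Permissions whose reach goes far beyond one app's own data.
HIGH_RISK = {
    "android.permission.READ_SMS": "read your SMS, including bank OTPs",
    "android.permission.RECEIVE_SMS": "see every incoming SMS, including bank OTPs",
    "android.permission.READ_CONTACTS": "copy your contact list",
    "android.permission.READ_CALL_LOG": "read your call history",
    "android.permission.RECORD_AUDIO": "switch on the microphone",
    "android.permission.ACCESS_FINE_LOCATION": "track your precise location",
    "android.permission.READ_PHONE_STATE": "read phone and SIM identifiers",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further apps",
}

# Constructed manifests: a photo editor that asks for far too much, and one
# that asks only for what it needs.
GREEDY_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photofx">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

LEAN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photofx">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set[str]:
    """Collect every permission the manifest asks for, in either element form."""
    root = ET.fromstring(manifest_xml)
    names: set[str] = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml: str, app_kind: str) -> dict[str, str]:
    """Map each permission the app should not need to a plain-language reason."""
    unexpected = requested_permissions(manifest_xml) - EXPECTED[app_kind]
    kind = app_kind.replace("_", " ")
    return {
        perm: HIGH_RISK.get(perm, f"not needed for a {kind}")
        for perm in sorted(unexpected)
    }


def should_install(manifest_xml: str, app_kind: str) -> bool:
    """Refuse when any high-risk permission lies outside what this app kind needs."""
    return not any(perm in HIGH_RISK for perm in audit(manifest_xml, app_kind))


if __name__ == "__main__":
    for label, manifest in (("greedy", GREEDY_MANIFEST), ("lean", LEAN_MANIFEST)):
        print(f"{label} photo editor: install = {should_install(manifest, 'photo_editor')}")
        for perm, why in audit(manifest, "photo_editor").items():
            print(f"   - {perm}: can {why}")
```

The same three permissions that the script flags are the ones the phone's own install and settings screens show you; the script just makes the comparison against "what does a photo editor need" explicit so the decision is not left to a hurried tap on Allow.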
Political Manipulation
1. Do not post political content on Social Media. Do not click on political content on Social Media. Get your news from better sources.
2. Social Media will share political content based on your browsing history. Do NOT fall for this clickbait. Social media is not the place to read news or get politics.
3. Do not join protests based on social media posts. Both physical and virtual protests and events.
4. Do not break friendships over your political stance.
5. Fact check everything. Then fact check again. Biden and Trump both would not have been elected if Americans had not used Facebook and Twitter for political information. (and this is only what is in the public domain).
6. When faced with a news item ("the government is trying to kill the forests"), always ask questions from the other side: Why is the government doing this? Who will benefit if the proposal goes through? Who will benefit if the proposal fails? Who is bringing the money to the table? Why? These four questions are enough to help you see through most movements, protests, and save-the-world campaigns.
And finally, the most important tip is this:
NEVER Divorce Common Sense.
If it doesn't make common sense, it's going to fly only as long as chaff does.
*This post is based on real behavior exploited by hackers and criminals. None of this is just "good advice". It's not just actionable input; it's input you need to act on.