Thursday, 2 March 2023

The Ultimate Guide to Staying Safe Online

If a thief comes to you and asks for your jewelry, you will not take it out and give it to them, right? 

Now, for decades, experts have been telling us that data is the new oil. So, why are we still giving our data away like it's harmless? It's not. Data is called the new oil because it is a wealth generator.

Many people make the mistake of thinking that the only use of data is advertisement targeting. It is not. Data is used for many things, and targeted advertising is the LEAST important of those uses. 

Data is used for: 

A. Regime Change

B. Civil Unrest almost amounting to internal emergency (I think, in more than 10 countries in the last 3 years alone) 

C. Financial Fraud 

D. Physical Crime 

E. Targeted spear phishing attacks on enterprises 

F. Addiction algorithms in apps, websites, and games 

G. Blackmail 

H. And yes, getting a few dollars out of your pocket through targeted advertising. 

 

You might have read many stories of cyber hacks or cyber fraud. You may also have got such calls yourself. You might think that these are random incidents in which innocent civilians got victimised.

They are not. There is proper segmentation, targeting, and then attack. So, if you have been scammed or have received a scam call, a lot of homework has already been done. Much of that homework is now automated. 

But, the average Indian is not tech savvy. So, how do we protect ourselves from this? 

I have worked to create a list of simple things people can do to minimise their risk of being targeted. Each of these is a small, simple step that will take you one step towards safety. 

Like good health practices, these are good cyber health practices. 


Identity Theft 

1. Do not give your Aadhaar Card anywhere. If they ask for Aadhaar, ask them - "Do you need my Aadhaar, or do you need a photo ID/address proof?" For both these purposes, a Driving License works just as well.

2. When submitting your ID card anywhere, blacken a part of the ID number OR DoB so that the ID proof cannot be copied. Do this especially while checking into hotels and while giving ID proof for forms where it will be handled by a call center.

3. Do not use runners or other facilitators who can get access to your ID documents. No one should see your ID document unless it is absolutely necessary. 

4. Your phone no. and your email id are your identity. Do not give your phone no. at office gates, parking lots, and other random places. Keep two phones - one for all personal interactions and one for places where one has to give the phone no. Never share your personal phone no. or personal WhatsApp number randomly. The same goes for your personal email id. Phone no. and email id are the foundation stones of identity theft. Identity theft is very difficult without them.



Financial Fraud 

1. If something appears too good to be true, it is. This applies to things you are trying to sell, investment options, and everything else related to money. New asset classes are not bad, but ensure that you understand them well before investing. 

2. Do not use the same signature for bank cheques and everyday activities. Have two signatures - the official one, and a short signature. When signing for a courier or at an entry gate, use your short signature. Use your official signature only on official documents.

3. Do not keep money in current and savings accounts. Do not link Fixed Deposits to current and savings accounts. Budget your cash requirements for a month or a fortnight, and put the rest away - even a short term FD will do. Just make sure that it is not linked to your main account.

4. If you are a senior citizen getting inbound transfers of money from your children, ensure that you receive the remittances in 2-3 different bank accounts, and use the non-linked FD principle to manage the cash. Senior citizens with significant inward remittances are specially targeted as they are easy targets.

5. Do not click on any link on WhatsApp or SMS. Open links only on a large-screen laptop, where it is easier to spot fake websites and check http and https (among other things).

6. Do not save credit card information on any website. Most websites, especially Amazon, are sneakily designed to get you to store your credit card information. While tokenisation is supposed to make this safe, it is not foolproof. It only takes one extra minute to input your information manually each time. Do it. 

7. Do not load apps on your phone except those that are absolutely necessary. Facebook, LinkedIn, and Twitter are all available as mobile websites. Use those. Every app is a backdoor entry into your phone, and any one of these apps can be compromised or hacked to get into multiple devices at one go.

8. If you have not used an app for more than 2 months, uninstall it. When you need it again, you can install it again. 

9. To the extent possible, don't use free apps for things that should cost money - video editing, photo editing, and scanning apps are all backdoors into your data. Remember CamScanner? It was a popular scanning app that turned out to be ... well, not just a scanning app. It was subsequently banned in India.

10. In addition to 2FA, keep different security questions for each banking/financial app.

11. Do NOT share your phone number while billing at retail outlets. They will customarily ask you for the phone number. Customarily say, "Please bill without the phone no." - this one step will minimise the spam calls you get AND your potential for a bank fraud.

12. Do not use the autofill and Save Password features in any browser.

13. Always set your browser to delete all cookies when you close the browser. 

14. Do NOT use Google to find service numbers for anything. The number of scams that have happened because Google does not control who can post as a service agency for any brand is crazy high. Google is not your directory. Make an effort to go to the website of the manufacturer or service provider, and ensure that the website is legit.

15. Don't contribute to crowdfunding campaigns for medical care if they ask for your email id and phone number. Just remember the days when you could leave the house, buy the stuff you needed, attend tuition classes, visit a doctor, and come home, without sharing information about yourself. At most, the doctor took your name, age, and gender. That was it. No email id, no phone no. 

16. If you get a message that KYC is pending - Visit the Bank. This is for two reasons - One, you need to submit KYC documents physically, and two, the relevant person in the branch will do this. Do not respond to SMSs asking for KYC to be done online. 
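The link checks from points 5 and 16 can also be done mechanically. The sketch below is an added example, not part of the original post: it pulls the links out of a message and flags the things a careful reader would look for on a large screen. The bank name "examplebank.in", the trusted-domain list and the sample messages are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the reader keeps a short list of domains they really bank with.
# "examplebank.in" is a made-up name used only for this illustration.
TRUSTED_DOMAINS = {"examplebank.in"}
BRAND_WORDS = {"examplebank"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_links(message):
    """Return every http/https URL found in a text message."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(message)]


def check_link(url):
    """Return warning labels for one URL. An empty list means nothing was
    flagged; it does not prove the site is genuine."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    # http means the page is not even encrypted; https alone proves little.
    if parts.scheme.lower() != "https":
        warnings.append("not-https")
    # "https://bank@other-host/" really opens other-host, not bank.
    if parts.username is not None:
        warnings.append("userinfo-before-host")
    # Genuine services use names, not bare IP addresses.
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-address-host")
    except ValueError:
        pass
    # "xn--" labels can render as look-alike characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode-host")
    # The brand name appears, but the host is not the brand's own domain.
    trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)
    if not trusted and any(b in host for b in BRAND_WORDS):
        warnings.append("brand-name-on-untrusted-domain")
    return warnings


def scan_message(message):
    """Map each link in a message to its warnings."""
    return {url: check_link(url) for url in extract_links(message)}


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "Dear customer, your KYC is pending. Update now: "
    "http://examplebank.in.kyc-update.example/verify or your account will be blocked.",
    "Login to confirm: https://examplebank.in@198.51.100.7/login",
    "Your statement is ready at https://www.examplebank.in/statements",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, warnings in scan_message(msg).items():
            print(url, "->", warnings or "nothing flagged")
```

A link that passes every check can still be fake, so the advice above stands: for KYC, visit the bank.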


Blackmail and Crime 

1. Do not discuss your family composition, especially the number and ages of children, on a public platform, in a public place, or over the phone. Don't comment on a Facebook group of 10,000 members - "How cute! My grandson is 8 years old too!"

2. This is basic, yet ignored by so many people all the time - cyber love is great. No pictures please. Your partner might be safe. The platform isn't. The device may not be. 

3. Do not discuss financial information in a public place. Never over the phone or on social media. 

4. Even if you trust them implicitly and have worked with them for long, keep your personal financial information on a need-to-know basis only for everyone. 

5. When sharing your home wi-fi with staff or guests, it is best to create a separate wi-fi network so that they are not on the same network as your home devices. You can just use a mobile hotspot to provide wi-fi.


General Precautions

1. If your phone is using up battery very quickly or is heating up, immediately uninstall ALL money-related and personal apps from it and change your passwords. The phone may or may not be compromised, but changing your credentials will save you proactively.

2. Use browsers that don't dial home, that is, send data to their developers. Brave and DuckDuckGo are both great mobile browsers.

3. While installing an app, check the permissions it is seeking carefully. A photo editing app does not need to read your SMS. When in doubt, do not install. 

4. Hospitals are, unfortunately, one of the most vulnerable data centers. If you can, use the services of RMPs who own their data center or keep patient records locally.  When choosing a diagnostic center, choose one that stores data locally. Indian law requires medical practitioners to retain details of treatment for about 2/3 years, but there is no need to put this data on the cloud. Avoid putting medical data of any kind on the cloud as far as possible. You can also ask for your data to be deleted after 3 years. In multiple cases, the Honorable courts have held that the patient is the absolute owner of their medical records. 

5. If you find yourself wanting to play a game or use an app when you should be doing something else, it's time for digital detox. Do not take this lightly. All addiction leads to financial loss and loss of quality of life.

6. If your computer hangs often and this has started recently, get a thorough scan done. 

7. On social media, NEVER accept requests from people you do not know. This is how spear phishing is done. (A targeted email is sent to one person. This email is designed as per the usage behaviour and interests of that one person.)

8. Don't give kids social media accounts, no matter how much they cry. Don't post pictures of children on social media, no matter how cute they are and how close the group is. The group is reliable. The platforms are not. 

9. Your Date of Birth, mother's maiden name, first school, place of marriage, and other such details are also used as security questions in many applications. So, don't put this content on social media. 

10. Do NOT choose childcare centers that beam images of your children over the internet for you to monitor them. If you can see them, so can hackers. 

11. While installing CCTV at home, try and get the storage on a local hard drive. Cloud storage of home CCTV footage is a vulnerability. 

12. Do not install Truecaller or any other directory app that requires you to share your contact list with the cloud.

13. Keep an offline backup of all your data in a separate SSD or Hard drive. Do this periodically. 

14. Subscribe to haveibeenpwned? 

15. Add your phone no. to DND. Then, if you get a call or message, complain to TRAI for sure. You will notice that the number of violators of DND will go down once you start complaining. 

16. On any browser, log out, don't just close the tab or window. 

17. Do NOT use free wi-fi. At any place. Use your own mobile data hotspot. This applies to airports, star hotels, cafes, and every other place. In India, data is real cheap now. 

18. On Facebook, Google, and other platforms, go to your account and disable access to third party apps that you are no longer using. Do this at least once every 6 months. 

19. When you are given a choice to log in using Google or log in using Facebook, check carefully the data the site will get when you connect the two. Usually, it's fine. But check. And if you are uncomfortable, use an email id you have exclusively for these websites.

20. There are no miracle cures. No soulmate is dying to talk to you online. You have not won any lottery. There is no limited time opportunity to invest or get a job. No one has selected you for a job without an interview. No friend of yours is stranded and needs your help. Tax officers are not going to fine you. That new website does not sell everything cheaper. 

21. If you are meeting an online friend for the first time, meet in a public place. Not at either of the homes, even if they say it's a get together and many people are expected.

22. When giving out your data for "Registration" - ALWAYS ask: 

    a. Why is this being collected? (You don't need to give your email id and phone no. to enter an event, make a retail purchase at a retail store, or meet a professional who does not need your personal data. In fact, the default state is to NOT share your data. So, always ask WHY they need to collect it. If the answer is - "We just need it", or "It's our process" - Exit. You are not missing anything in life.)

    b. Where is this going to be stored? On the cloud? In your hard drive?

    c. Who will have access to this information?

    d. How will you protect it? What is the safety standard that you use to store your data? Who do you give APIs to?

Do NOT worry about looking awkward or odd. You need to be sure that they really need this info to complete your request, and that they are capable of safeguarding data that is owned by YOU. 

23. Online shopping is great. 10-minute grocery delivery is also great. Ordering in food is also great. But if you are a senior citizen or a person with a little child at home, this introduces a vulnerability that you don't want. It is possible to plan your grocery and get it. If you order frequently from online shopping, quick delivery, or food delivery, it becomes possible for someone targeting you to just don a uniform and approach your house. The security will not notice because these delivery professionals come to your house very often. This is not imagination. Many crimes have taken place in this way. A simple common-sense rule that this model violates is - Your doorbell is sacred. It should only be rung by people you want to invite into your home. Do you really want someone to get a layout of your approach, the entrance area, and the security arrangements, just by getting hired at a nearby delivery service? This is a completely avoidable risk.

24. Before you rush to control everything in the house with an app - ask about how the data is shared, whether it is stored on the company's servers, and who in the company has access to it. Many people were shocked to learn that Amazon uses human listeners to listen to their voice commands. But if they had asked this question earlier, they would have known and could then have taken a conscious decision. If the device needs Bluetooth to communicate with your phone, that leaves your phone vulnerable to other Bluetooth devices, but ensures that the data does not reach the company's servers. Especially if you are a child enabling gadgets for your parents' home, the responsibility of cyber security rests with you.


Political Manipulation

1. Do not post political content on Social Media. Do not click on political content on Social Media. Get your news from better sources. 

2. Social Media will share political content based on your browsing history. Do NOT fall for this clickbait. Social media is not the place to read news or get politics. 

3. Do not join protests based on social media posts. This applies to both physical and virtual protests and events.

4. Do not break friendships over your political stance. 

5. Fact check everything. Then fact check again. Biden and Trump both would not have been elected if Americans had not used Facebook and Twitter for political information. (and this is only what is in the public domain). 

6. When faced with a news item (the government is trying to kill the forests) - Always ask questions from the other side - Why is the government doing this? Who will benefit if the proposal goes through? Who will benefit if the proposal fails? Who is bringing the money to the table? Why? - These four questions are enough to help you see through most movements, protests, and save-the-world campaigns.



And finally, the most important tip is this: 

NEVER Divorce Common Sense. 
If it doesn't make common sense, it's going to fly only as long as chaff does. 

*This post is based on real behavior exploited by hackers and criminals. None of this is just "good advice". It's not just actionable input; it's the needed-to-take-action kind of input.

Saturday, 25 February 2023

Dear Premium Video Website

Step 1: Allow people to upload videos. 

Step 2: Run ads on those videos if the creators agree. 

Step 3: Run ads on all videos whether the creators agree or not.

Step 4: Introduce a premium no-ads experience. 

Step 5: Make ads pernicious, until users have to pay you just to get rid of the nuisance value. 

Step 6: Make money from ads AND from subscription, but share a trickle, if that, with creators. 

Step 7: Someone makes an app that allows users to charge for content ab initio AND run ads at 50-50 rev share. 

Step 8: Creators go to that app. You live with millions of legacy videos. Just like your search, which is now incapable of answering many user queries, thanks to the SEO industry created by you, and the lazy crawling algos that relied on market monopoly and forgot about inherent crawling excellence. 

Step 9: Nothing. Game Over. 


Friday, 17 February 2023

I was waiting for the lift. Next to me was a child in a pram, chaperoned by his grandmother. The child was staring at the display screen near the lift, and the grandmother, after a while, said, "TV dekh raha hai?" ("Are you watching TV?")

That's when I looked up and realised that the child was looking at the TV screen. I came in front of the pram and started talking to the child. The child left the TV screen immediately and started focusing on me.


The lift came and both of us entered. We continued chatting - the child and I. When their floor came, the pram and the grandma exited, but the child's eyes remained glued to me.


It was a simple thing to happen - a neighbour chatting with a child in a pram. It has been done to my child by strangers so many times.



Today, to make it a better world, I will...

Today, to make it a better world, I will: 

A. Have a human interaction with someone - a real human interaction. 

B. Be kind to a child. 

C. 

Monday, 30 January 2023

The first thing to learn when investing

When a person starts their investment journey, what is the first thing they should learn? 


It is not asset classes or financial goals. Nor cashflow requirements. 

It is their risk appetite. 


The only nervous investor in the stock market is an investor who invests differently from their risk appetite. To a high-risk investor, a 3-5% range-bound market is a nightmare. To a risk-averse investor, that scenario is heaven.

When the market tanks, if stocks are a higher %age of your portfolio than your risk appetite allows, you will lose sleep. But if the percentage of stocks is such that you can wait it out, or even lose a little, that is fine. 


So, as a new investor starting out on your personal wealth journey, understand your personal risk appetite and plan your investments.

Tuesday, 24 January 2023

On the USD

The world went from "The sun never sets on the British Empire" to "The sun never sets on the American dollar".


It has been evident for some time now that:
1. The strength of the dollar is not based on the strength of the American economy, but on its stranglehold on international trade.
2. As countries start to declare independence from the currency, it will lead to macroeconomic shifts and some numbers changing.

The US is, and has been for some time now, a net importer of goods and services. This works very well when you have a strong currency. But if your currency drops, and you suddenly realise that you do not have production capabilities in-house, then the house of cards tumbles, and how! 

As a society also, the US is not a welfare state. It is a highly individualistic society. This means that any state of scarcity will not lead to Ubuntu or collaboration as the first response. The first response is likely to be competition for the same scarce resources. (We saw a sample in early 2020). 

After a few months, everyone will realise that it makes sense to work together. Then, of course, given that, like every country, it has some great brains - America will bounce back stronger. 

But until then, as the march of the colonies continues, we do expect to see some social and political turmoil in the US. 

Tuesday, 17 January 2023

Individual Investor in the Stock Market

 Yesterday, I crossed an important milestone. 

This year, I set myself a target - to make 8% on my equity investments.

Yesterday, I achieved that goal. 

With the Feb dividends, one might even close at 9 - 10%. 

What makes this super special is that this includes only the cash profit that I have made and is in the pocket - dividends and trade profit (not the notional increase in the value of the stocks, which varies from day to day and is currently at 1.1%).

(Today, the market fell and I bought a lot, bringing the portfolio return value to just under 8%, but that's ok) 

************ 

It's not phenomenal. It's something fund managers do all the time. But for an individual investor who has never seen equity as a wealth generator, this was HUGE. 

So, I took time to reflect on the things that went well. This post is a retrospective for me to refer later. 


What I look for in a stock 

1. Trend in NET PROFIT, not revenue. If the overall trend is positive, then one invests. Growth is not necessary. The company should have been able to defend its margins and work well. Even when everyone was laughing at REC, I looked at their numbers and they made a lot of sense. So, I bought. REC gave 45% annualised return. Same thing for BHEL and SAIL.

2. Asset heavy - I have always preferred companies that are asset rich. Capital assets preferred over stock in trade or current assets. Land preferred over machinery. This is the main reason that GAIL and OIL are heavy in the portfolio. Average annualised return for GAIL: 47%. OIL: 44%. 

3. Good management - This is a deal breaker. The management team is very important because my investment period in each company is over 5 years and consistent growth matters. This is the reason that Dabur is a permanent fixture. Same for Ashok Leyland. Tata Steel and Jubilant were added this year to the portfolio. Of these, for Jubilant I went through a fair bit of due diligence on management.

4. Debt-Equity Ratio trend and current debt profile - A Debt-Equity ratio of <0.5 is ideal, <1 is necessary. Likewise, Capital Adequacy and the trend of debt. If the operating income is negative, it's a sell. If debt is being used for day-to-day operations, that is a sell immediately. Debt is the cancer of a company. In all my 20 years of investing, only 3 companies have gone belly up. Two of them were Jet and Kingfisher - both in aviation and both to debt. Every single company in the portfolio today has a debt-equity ratio <0.5.

5. Ethical Business - I am old fashioned and believe that if you give money to a murderer, the blood is on your hands too. This is why I have made no money from Big Pharma, Diamonds, and other businesses where we knew the dealings are not ethical. 


When to buy, and when to sell 

1. I consider the annual inflation rate to be 6%. So, to be profitable in real terms, the sale must be at >6% annualised profit. At less than that, hold. Some stocks have taken years to bloom, some remain depressed. That's fine. Kotak was bought at 1316 in 2018 and sold at 1830 this year. HUL, bought in October 2021 during a slump gave 8% annualised when sold this year. 

2. When buying, if a stock is falling, I use one of two strategies - either buy small units every day of the fall, OR wait for the day the stock rises a little bit. On that day, even if it is a little more expensive than the previous day, buy. Usually, value stocks rise after that. I have used this to accumulate Kotak Mahindra Bank in the past and Asian Paints, Reliance, and Bata this year.

3. For high dividend stocks, look at the dividend pattern and decide whether the trading profit will be more than the dividend value. For instance, most PSUs give dividends in Feb, so from December onwards, I accumulated them, but also sold if the trade profit was more than 4% of the market value, because dividend rarely goes beyond 2.5-3% of the market value. 

4. Don't be emotionally attached to the stock. If it is high today, just sell. Don't look at the opportunity loss from selling at a lower price when the stock continues to rise. I didn't sell Dabur at 610, thinking it will go up again. But next day, it was at 604, at which point I sold immediately. So, no one can time the market. Take your modest profit in pocket and relax.

5. Do consider replacement buy for value stocks. Put a GtDt order immediately if you don't trust your memory. For my portfolio, these staple stocks are OIL, IOCL, SAIL, BHEL, and some other PSUs that I truly value. 

6. I maintain a separate Excel sheet where I record all my trades. When selling, I do a mental calculation of which lot I am selling, and do the accounting in my Excel sheet. Brokers tend to record the most expensive lot of shares first, so that your tax liability is lowest. But you are doing your lot trading. It evens out, because eventually, the securities account and I both agree on the total figure - capital appreciation + trading profit.



What I did differently this year 

Honestly, only these things - 

One, I fixed a tangible target to meet. 

Two, even if the markets were moving only in a band and for months the stocks gave nothing but dividend, I did not stop going to the market every day and monitoring buy and sell opportunities. Some day, it would come. And they did. 

Three, I raised the band of individual trades. A wealth planner volunteered to manage my equities this year and made 4 large trades. Two of them tanked (and are still in the portfolio, costing a neat amount), but he said - Mam, bada socho - think big and trade big. So, my risk appetite increased a little bit. 

Four, I read a LOT MORE about how big investors choose their stocks, what they look for, what are the common things in their portfolio and mine. Bought Moneycontrol Pro (waste of money). As usual, I completely disregarded the research houses and their recommendations. Traders are not investors. Their money comes from keeping capital flowing in the market. Investor's money comes from stability. So, I read only those reports where the investor speaks about how they choose, when they decide to buy and sell, and learnt from that.  

Five, understood that PSUs may not be a popular sector, but they are the sector that I know best, and therefore, this year, I did a lot of investing and trading in the sector I knew instead of looking for good high earning stocks. My son invests only in blue chips so I followed his lead and made some decent money on that too. Every month, he invests 10,000. I would wait for him to choose his stocks and immediately put money in the same ones. Basically, he has been ok with choosing good bluechips and I have been ok with PSUs and I shamelessly used both. BUT, I stopped the Hunt for More stocks and stopped doubting myself. Just plodded on.

And what I always did: 

One, NO SIPs. SIPs are lazy investing. If a fund manager or stock wants my money every month, let them be worthy of that money every month. The only person who is helped by a SIP is the fund manager - because irrespective of how the SIP performs, he will get his cash inflow to invest. He does not have to worry about making money grow to invest next month. Also, MF as an asset class does not work for me because even in low value stocks like PSUs I find that there is more money in stocks directly than in the MFs.

Two, NO Tips. No talking to traders to understand which stock is going to rise in the short term. Even the high value stocks that are stuck in the portfolio are robust companies, so am not too worried. 


Other than that, it was my 20 years of knowing the stock market, the stocks I am comfortable with, and knowing that even if it looks rock bottom, if the company is good, buy. It will go up. I have now lived through at least two stock market crashes, bought GAIL at 497 and at 97, and all that collective experience really helps stabilise the mind.