Saturday, January 11, 2025

QR Code: safe to scan?

Are QR codes safe to scan? The answer is neither yes nor no, but more like a maybe. While most QR codes are safe to use, it's important to be aware of the risks of fraudulent QR codes. Quishing, or QR phishing, is a cybersecurity threat where attackers use QR codes to redirect victims to malicious websites or prompt them to download harmful content. Scammers will place these fake QR codes in many places, including emails, text messages, social media, public places, parking meters, printed flyers, or physical objects. Depending on the QR code scanner app you use, if you do not check/inspect the URL in the QR code, you may end up visiting the website represented in the QR code without realizing it. At this point, it is too late to do anything if that URL is indeed malicious. Scammers take advantage of the fact that QR codes are very common, and most people trust them because they are usually from reputable places like restaurants or ad posters. This is another example of convenience over security that gets people in trouble.

So how do you protect yourself? The only way to protect yourself is by inspecting the URL and making sure it is a legitimate site before you open it. That is the only thing you can do, but unfortunately, that is not a foolproof method, because an attacker can deceive the user by creating a short URL that leads to a malicious destination using popular URL shorteners like bit.ly, or even linkedin.com, which most people trust. To illustrate this, scan the QR code below with your device and see where it takes you.

Once you scan/navigate to the intended URL, note the browser address bar. I wrote a blog about the dangers of URL shorteners (https://blog.selvansoft.com/2023/03/shorturlscams.html) a few years back, which provides more details on URL shorteners. There is also a tool that can validate a URL before you actually visit the destination. Feel free to check it out.
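As an added example (not the author's code, and not the validation tool the post refers to), here is a small Go checker that applies the inspection the post recommends to the raw text a QR scanner decodes: it flags non-web schemes, a user@ prefix that hides the real host, raw IP or punycode hosts, and a constructed list of shortener domains. Sample payloads used in main are constructed for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed list of well-known shortener hosts (not exhaustive).
var shortenerHosts = map[string]bool{"bit.ly": true, "tinyurl.com": true, "t.co": true, "lnkd.in": true}
// InspectQRPayload returns reasons to hesitate before opening the text decoded
// from a QR code; an empty result means nothing obvious, not that it is safe.
func InspectQRPayload(payload string) []string {
	var warnings []string
	u, err := url.Parse(strings.TrimSpace(payload))
	if err != nil {
		return []string{"payload is not a parseable URL"}
	}
	switch strings.ToLower(u.Scheme) {
	case "https":
	case "http":
		warnings = append(warnings, "plain http: traffic is unencrypted")
	case "":
		return []string{"payload is plain text, not a URL"}
	default: // QR codes can also carry tel:, sms:, mailto: or wifi: actions
		return []string{"non-web scheme " + u.Scheme + ": may trigger a call, SMS or app action"}
	}
	host := strings.ToLower(u.Hostname())
	if u.User != nil { // "https://bank.example@evil.example" really goes to evil.example
		warnings = append(warnings, "text before @ is not the site; real host is "+host)
	}
	if net.ParseIP(host) != nil {
		warnings = append(warnings, "host is a raw IP address, not a domain name")
	}
	if strings.HasPrefix(host, "xn--") || strings.Contains(host, ".xn--") {
		warnings = append(warnings, "punycode host: possible look-alike domain")
	}
	if shortenerHosts[host] {
		warnings = append(warnings, "shortener "+host+": real destination is hidden until followed")
	}
	return warnings
}

func main() {
	for _, p := range []string{"https://bit.ly/3abcXYZ", "https://example.com/menu", "tel:+15550100"} {
		fmt.Println(p, "=>", InspectQRPayload(p))
	}
}
```

A shortener entry in the output is exactly the case the post demonstrates: the checker cannot tell you where the link ends up, only that you cannot know before following it.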

In summary, the only way to protect yourself from Quishing attacks is to avoid scanning QR codes and see if there is an alternate method to accomplish what you intended to do.

Related Links:

Thursday, January 9, 2025

Online Safety Tips

This blog is intended for both general and technical audiences. While the tips outlined below are basic things everyone should already be aware of, following as many of them as possible will significantly reduce your risk of becoming an online victim. First, using common sense is your primary line of defense in staying safe online. Trust your instincts, be cautious of unfamiliar websites or emails, and think twice before sharing personal information on social media. Common sense can go a long way in protecting you online. In addition to using common sense, adhere to the following guidelines to enhance your online safety.

  • Passwords: Use long and complex passwords and change them regularly. If the website allows passphrases, use those instead of passwords with special characters that are hard to remember. For example, a passphrase like "Jade Owl Loop Zinc Moon" is easy to remember but much harder to crack. You can opt-in for passkeys when offered, but don’t be fooled into thinking passkeys will solve all your password problems; they won’t. Read this blog (https://blog.selvansoft.com/2025/01/passkey-practical-or-premature.html) which explains why.
  • Multi-Factor Authentication (MFA): Wherever possible, use more than just a password to secure your accounts, commonly referred to as two-factor authentication (2FA). Most websites provide multiple options for MFA these days. Always choose an OTP authenticator or hardware key-based authenticator if those options are offered and avoid SMS-based 2FA at all costs.
  • Account Recovery: It is very important to set up account recovery for your Gmail, Apple, and Microsoft accounts. Make sure account recovery is set up with recovery codes, your phone, and most importantly, a different email that you never use for anything else but account recovery.
  • Web browsing: Always ensure the website you visit uses the HTTPS protocol, especially when entering sensitive information. While all modern browsers enforce this and provide warnings, be attentive to these warnings and refrain from using any website that does not use HTTPS protocol or, worse, provides a mismatched SSL certificate, which is a red flag for a phishing attempt.
  • Online Banking: Before logging in to your banking website for financial transactions or to review your bank statement, close all tabs in your browser. If you are particularly cautious, temporarily disable any browser plugins you may have installed, which you can turn back on later. When you are logged in to your banking website, do not do anything else, such as performing a Google search, browsing Facebook, Instagram, or any other sites. Specifically, avoid reading emails or, worse, clicking on a link your buddy sent you to "check it out." Once you are done with your online banking, make sure to log off. Many secure banking websites these days do protect you by logging you off automatically. However, don’t rely on them because there are still some online banking websites that don’t properly log you out in a reasonable time or, worse, don't do anything.
  • Public Wi-Fi: When using public Wi-Fi, avoid logging into sensitive accounts or performing financial transactions. It's safer to wait until you're on a trusted network. This applies even to smartphones, as they are on a wireless data network shared by thousands of devices.
  • Enable Firewall: Ensure your device's firewall is enabled. Most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private.
  • DNS: Don’t use the default DNS servers provided by your ISP (Internet Service Provider). Instead, use any of the following DNS servers: 1.1.1.1, 8.8.8.8, or 9.9.9.9. You can follow this link (https://www.tomsguide.com/us/cloudflare-dns-1.1.1.1-set-up,news-26964.html) that walks you through how to change DNS on various devices.
  • Antivirus and Anti-malware Software: Keep them updated to protect your device from threats.
  • Phishing Scams: Be skeptical of emails or messages with links or attachments that urge immediate action or ask for personal information. If it sounds too good to be true or creates a sense of urgency, it's likely a scam.
  • Installing Software: Only download and install software from reputable sources. Avoid pirated software and gaming cheat codes, as they almost always contain malware and viruses.
  • Software Update: Regularly update your operating system, browsers, antivirus definitions and apps to protect against security vulnerabilities.
  • App Permissions: Check the permissions granted to apps and revoke any that are unnecessary.
  • Personal Information Sharing: Be mindful of what personal information you share online. Don’t overshare on social media and be wary of websites or services asking for more information than necessary.
  • Monitor Your Accounts: Regularly check your bank and credit card statements for any unauthorized transactions.
  • Credit Freeze: Add a credit freeze to all major credit bureaus. There is no need for your credit report to be in an "unlocked" status unless you are applying for a loan, bank account, credit card, etc., which you don’t do every day. So, why does it need to be in an "unlocked" status? When you need it, you can unlock your credit report, get your business done, and lock it back. Follow this blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) that walks you through the credit freeze process.
  • Backup: Regularly back up your data to an external hard drive or a cloud service.
  • Educate Yourself: Stay informed about the latest cybersecurity threats and how to protect yourself. There are a lot of useful cybersecurity FAQs documented in this blog (https://blog.selvansoft.com/2024/09/cybersecurity-faq.html).
  • Trust Your Gut: If something feels off or too good to be true, it probably is. Your intuition can be a powerful tool in staying safe online.

Sunday, January 5, 2025

Passkey: Practical or Premature?

In the last year or so, you may have seen tech giants like Google, Apple, Microsoft, and others making a big push for passkey for authentication instead of user/password w/MFA. While it is true that passkey is elegantly designed and secure, does it actually solve the security problem today? This blog will focus on why it is difficult, if not impossible, to realize the full benefit of passkey at present or in the foreseeable future. Additionally, this blog is intended for a general, non-technical audience and, as such, does not go into technical details. I have listed links to blogs at the end that go into in-depth details on various challenges of passkey, specifically on their usability today, if you are a technical reader.

What is a passkey? In simpler terms, a passkey generates and associates a unique public/private key pair with each website you log in to. While the public key is shared with the website, the private key remains on your device. To log in, you need your private key and the public key from the website. It is roughly similar to how your lockbox at the bank works, where you have one key and the bank has the other, and the lockbox can be opened only when both keys are inserted.
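As an added illustration (not the author's code, and simplified compared with real WebAuthn passkeys), the following Go sketch shows the two-key exchange described above: the device creates a key pair for one site and hands over only the public key; at login the site sends a random challenge, the device signs it with the private key, and the site checks the signature with the public key it stored. The Device and Site type names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Device keeps the private key (a real passkey holds it in the phone's or
// laptop's secure hardware); Site stores only the public half it received.
type Device struct{ priv *ecdsa.PrivateKey }
type Site struct{ pub *ecdsa.PublicKey }
// Register mimics enrolment: the device mints a fresh key pair for this one
// site and hands over only the public key.
func Register() (*Device, *Site) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, &Site{pub: &priv.PublicKey}
}

// Challenge is the site's half of "both keys must be inserted": a random
// nonce the device must sign, so a recorded answer cannot be replayed later.
func (s *Site) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Sign is the device's half: it proves possession of the private key without sending it.
func (d *Device) Sign(challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// Verify checks the signature with the stored public key. A signature made
// with any other key pair, or over a different challenge, is rejected.
func (s *Site) Verify(challenge, sig []byte) bool {
	h := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(s.pub, h[:], sig)
}
```

A login is site.Challenge(), then device.Sign(c), then site.Verify(c, sig); the private key is never transmitted. Real passkeys additionally bind the signature to the site's origin, which is what stops a look-alike phishing site from relaying the exchange.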

Ok, all this sounds very secure. Why is it not practical today? The reason is plain and simple: all websites that support passkey login also provide other, less secure forms of authentication like user/password with weak MFA (e.g., SMS) or worse, no MFA, along with many forms of recovery methods. So, when an attacker is trying to break into your account, they don’t care if you have secure passkey authentication; instead, they will choose the weakest method. A good analogy is that you have a 10” thick steel door to your vault, but you also have glass windows; which one would you choose to break into the vault? Until websites start to offer only passkey login—which is not going to happen anytime soon—the use of passkey doesn’t make your security posture strong. You are better off choosing a unique, strong password combined with strong MFA (authenticator app or hardware key) to protect your account.

There is also a downside to passkey regarding how they are implemented today. Earlier in this blog, I mentioned that the private key never leaves the device, which is not actually true in most implementations. The implementation choices made by Google, Microsoft, and Apple could have been different, making passkey nearly impossible to hack except by using the "$5 wrench" method. However, I feel they chose convenience over security by shipping each key pair to their respective cloud storage to support syncing across multiple devices. At the end of the day, the question to ask is if the private key leaves your possession (encrypted or otherwise), is it still a private key?

In conclusion, while passkey sounds secure and elegant, today’s authentication mechanisms like user/password + MFA are here to stay for the foreseeable future.

Related Links: