<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans%3A400italic%2C700italic%2C400%2C700">Social engineering Archives « Aam JanataSkip to content

5

This post is the second in a series that discusses democracy and the idea of a shared country from the ground up. The previous post asked why, when the basis of civilization was a need to co-exist with some guaranteed security, the masses chose to believe in paranoia. I attempt to present some views here.

The masses at large are preoccupied with what they come in direct contact with. Few have the inclination or interest to examine what doesn't *appear* to be broken. When thoughts delegitimizing the rights of fellow citizens proliferate, there is little realization that this is something that goes fundamentally against the secure social structure they take for granted as a country.

Nationalism prefers to disenfranchise minorities and appropriate the country in the name of the majority. Secularism believes that regardless of identity, citizens must be equal under law, AND vulnerable minorities MUST be protected - because it is human nature for the majority to choose bullying as an easy way out instead of sharing.

This is not something that is limited to India. The internet and the speed of disseminating information as well as doing it in ways that allow deniability have resulted in a surge of nationalism worldwide that those believing in equality struggle to counter. There are several reasons for this. In a world where established thought respected equality, and growing globalization subtly created an attitude of opportunism being the right of those with access, a subtle erosion of morals toward "might being right" went unnoticed. Furthermore, I don't think enough "thinkers" anticipated that the unthinking masses would simply choose faulty thinking that they could superficially understand over the words of established thinkers and philosophers over the ages. The last straw was the methods.

Whichever country sees a rise of nationalism sees a barrage of incorrect and inflammatory information finding purchase among the masses. This information is not an accident, it is engineered to make people who believe it think that the minority is the threat to the majority. It further provides explanations and conspiracy theories to excuse the crimes perpetrated against the minority and invents or magnifies any wrongs by the minority. And thus, defense indeed becomes the first act in this war. Absurd as it seems, the majority is actually led to believe that the minority is out to make them extinct.

When such thought spreads, you find countries unable to prosecute crimes against the minority because of fear of backlash by a majority that believes them to be justified, resulting in a collapse of law and order. This impunity, of course is exactly what nationalist leaders want, because their entire agenda is impossible to implement in lawful ways in a democratic country.

Fake news is being recognized as a threat to rule of law worldwide now.

But this is the result. How is it that xenophobia spreads to such a degree? Why is it that fake news spreads more rapidly than real news? Well, apart from the obvious reason that fact checking takes time and effort (there are now attempts to make fact checking more easy in an effort to combat fake news) and apart from the obvious reason that fake news is crafted to sound believable - at least to those already primed with a steady barrage of it - there is the fact, that those spreading fake news are operating out of a sense of carrying out a mission for a cause.

I once observed that the approximate time difference between a Modi supporter coming up with an explanation that other supporters like for something indefensible (at this time you will have multiple excuses being made) and it being used popularly as the explanation by the vast majority of supporters is 2 hours for a simple argument, 4-5 hours for something more complex and about half a day if the propaganda involves images.

Compare this with secular intellectuals almost never having the same rebuttal for something, a far fewer number of them, each using their own words, and it is easy to see how one kind of answer has the capacity to rapidly dominate a debate, while the other fails.

This is largely because while nationalists are engaging in a propaganda war for their identity, secular intellectuals are engaging in what they imagine is a debate, where they are presenting their own view.

So the observable difference in spread of nationalist and secular views is also a difference that can be directly measured as one between active promotion of views and expressing an opinion.

To dig in still deeper. If you take a single message that needs to be put out among people to support or defend something, if released among nationalists, it will be forwarded without question and accepted as the correct explanation of events. There is a lot of schadenfreude among secularists when someone like @bhak_sala (a pro-Modi Twitter handle) gets trolled by other bhakts (unquestioning Modi supporters) when he outright dislikes the appointment of Yogi Adityanath as the Chief Minister of Uttar Pradesh. What they miss in their "LOL"-fest is how rare such an incident is. While a party like Congress accepts criticism for the most part (not that they have much choice these days) or supporters in a party like AAP form entire sub-movements in revolt against the actions of their leader, or while socialists and communists literally have so many differences as to almost hold independent views only, a voice of dissent in the BJP is so rare that it is a one off episode and literally involving one person in this instance. It stands out because in spite of BJP being able to generate the largest organized propaganda - and some of it absurdly illogical or inhuman - dissent is almost next to non-existent. This is a hive mind at work. These people aren't there to think for themselves, they are there to win a country for their team.

If a similar message were released among secular intellectuals, unless it is exceptionally well crafted so as to have agreement among those with the various flavors of secular thought, chances are that it will be read by several, further promoted by a few, and commented on with critiques or refinements by most. The slightest disagreement with the arugment or dislike for the author would mean the message goes no further with that person. In effect, there is no "team" spreading secular thought. And it is difficult for such a team to exist as well, because it is difficult for independent thinkers to come up with identical thoughts. And this is still the spread of a message among those already in agreement with secular thought. The impact and credibility of this is further diluted among the masses if concepts people aren't familiar with it are used. Relatively speaking, "jobs are few, get rid of reservations and we'll have more" is easy to understand when compared with "2-3% caste-class elites already have over 50% jobs and much more in private sectors" - particularly if the 2-3% elites have never had any reason to question why the whole country should run as per their preferences.

So, it is absurd when bewildered secular intellectuals today ask how the country could deteriorate to this degree. Well, your thoughts were not accessible to the masses, the thoughts that were not just accessible, but actively promoted among the masses were simple to understand and made prejudice sound the need of the hour, and you never bothered to organize to elevate the thinking of the masses beyond presenting your refined thoughts.

It is no coincidence that when thoughts of hate proliferate, there is absolutely no concerted campaign going on explaining the basics of democracy. What is a democracy, what are our rights? What is a government? What does the accountability of a government to people mean? and so on.

It isn't difficult to put these things in simple words anyone can understand. In fact, you could probably plagiarize a textbook non-voter kids study (quickly, before it changes) and voters have left far behind to recirculate the basics. There are ways to explain life affirming concepts through various mediums in ways anyone could understand. But it is a matter of doing it. It is not enough to call nationalism, fascism a primitive thought that cannot result in a stable country - the need of the hour is to explain why that is so. In simple words people understand. No government is going to pay for this education. Personal liberty means that we cannot have forced conscription of liberals to educate the masses either. So who will do it? And is it important enough for you to take it up voluntarily?

2

Yash K S is a software developer. In the last year or so, his interest in identification methods led to him discovering a vulnerability in online banking that can allow a malicious attacker to use attacks like Man in the Middle or Man in the Browser to steal money from bank accounts.

He published his findings on his website. Here is my interview with him. [Note: It has been edited from the original informal chat for coherence, but the content is unaltered in meaning.] Italics are my questions.

Can you explain briefly your background, so that my readers can understand the work you do?

I have diploma in CS after 10th, after that I joined Anti-virus company as C programmer. I am into building system products like Anti-virus, e-learning, Backup & Recover. Last 15 years I have built a lot of systems products for corporates.

How did you become interested in banking transactions?

Since I worked in anti-virus for couple of years, I continued to learn about security even though I was involved in building other products. I always knew banks are breakable. Zeus trojan, for example. The important trojan existed last 5 years for western banks, but not Indian banks,  and Indian banks continued to say online banking is secure compared with banks in the West. Around 4 years ago, I was trying to build a product which solves a problem of identitifying on the internet and I did extensive study on how banks work, as I built the product. Around 2 years ago, I developed a personal interest in seeing how secure Indian banks are and started analyzing Indian banks for security.

What is the basis of that claim by Indian banks - that online banking is secure compared with banks in the West?

Indian banks thought online banking is secure, since they are using Mobile device as additional factor to add Payee before transactions. Indian banks believe mobile is secure and they are trying to use that as second secure channel. When users adds a payee on a PC, they send this information to Mobile with OTP (One Time Password). Citibank, ICICI Bank - both of them use this method. In the case of ICICI Bank, they even have an additional transaction password and grid numbers, which the user needs to enter by looking at back side of the debit card. In HSBC bank, they dont use the same methods of ICICI and Citibank, they distribute hardware OTP (One Time Password) device, where it generates random number for every one minute. They assume this will not allow fraud transactions to happen without user knowledge. I believe they are not providing enough security for consumers in our country.

Who would be liable if someone stole money using the vulnerability you discovered?

If anybody looses money in online, end users are liable for that loss not banks, unless user proves to the bank, this fraud has not happend because of negligence. Negligence means, user system does not have any malicious programs which stole credentials or user did not give out uder credentials via phishing mail or user has not logged in some system which is not secure. This is very difficult to prove. Almost impossible, even for technical users. It becomes a user problem, bank does not take responsibility.

Screenshot from Yash's video for man in the browser attack for ICICI

So, the bank simply washes its hands off the loss instead of fixing it? Not their problem?

In my video what I have showed is - If a person is transferring money to Account 100, they see in their browser that the money is going to Account 100 and some X amount, but in back end malware changes data completly to Account 200 and some other amount. In this case, it is a Man in the Browser attack. The user is co-ordinating with malware without his own knowledge and the bank server fails to identify what is really happening in backend. Once the transfer of money is complete, if user sees the transaction via online, he still sees the same fake info, since the malware also knows to modify transaction statements.

Malwares are sophosticated and can fool both users and banks. Zeus trojan alone has costed 1 billion $ + loss in multiple banks in West. This trojan is still alive in wild and still causing losses. 5 years.

I built a similar trojan from scratch for Indian banks. Based on it, I have posted videos. I have not shared source code with anyone, keeping security in mind. I showed a few banks, in closed door meetings, this vulnerability. They were shocked to see it, but they have not fixed anything. One bank told, "Others banks might be insecure, but our bank is not". After a month or so, I went back with trojan modified for this specific bank and showed them. They are back again in denial mode.

How is it that the same vulnerability works for all banks? Don't all banks have their own systems - and methods?

The same trojan does not work for all banks. All banks have seperate systems, but if hacker companies writes the trojan using the concept of Man in browser and Man in middle, they can write specific malwares for each bank. Like I showed from my videos....  If I identified a security bug, banks can just fix the bug in the existing system. But, these problems are a system flaw, there is no way to fix it just by adding some stuffs. They need to replace the system itself by rethinking online banking security from the ground up.

So, you are saying, any bank account can be hacked? But can't this misuse be traced?

Today hackers are not indivisuals, they operate as underground companies. They outsource work to each other based on the skill sets like we do in normal companies. It becomes very difficult to track it. In a chain, each are specialized in specific work, they complete the work, sell it and go.

What is the most important thing here?

There are important questions..... Who is responsible if users looses money via online due to trojans? Users keeps money in bank after a solid efforts, traditional method of banking have ensured always to make sure verify the person and dispatch the money. But, moment bank exposes money via internet for anyone who authenticates using username, password + additional stuffs, if a trojan can fool these factors, who becomes responsible? How can a user be responsibile? He likes convinenace, but he definitely does not want to loose money.

Do banks explain to all end users about the online threats and make them understand, before giving them an online account? Nope. It is the responsibility of the bank to provide a safe mechanism. An insecure web facility cannot be a user's responsbility. When banks cannot give security for a specific types of attacks, they need to reduce the limit per day. They need to give insurance if they cannot solve the problem. They cannot make customer liable, since there is no way, anyone can expect a customer to know all about such threats.

Also make risks explicit, immediate transaction alerts, phone verifications?

Immediate transaction alerts exist today, due to RBI guidlines, there is no use. If a mobile has a malware which is co-ordinating with mobile trojan, then it will not even show an SMS for you.

How did banks respond to your information?

After the Citibank demo, within 2 weeks they changed system to add some information when they sent to mobile while adding payee. This mitigates a little. I appreciate Citibank for their quick reaction. But, if the same malware is expanded to mobile, complete online banking in india fails for all banks. Trojans (Zeus varients) already exists to peform co-ordinated attack by hijacking both PC and mobile of a user. There are many ways to infect both PC and Mobile, all smartphones connect to the internet or many smartphone users synch with PC. These two methods are enough to get a trojan into a mobile. Many more methods exist too. Android has more malwares compare to any other today.

ICICI Bank did not make any changes to security. Instead, they are posting on the internet saying what I am saying is wrong. After a month, they have sent a defamation case notice by asking me to pull down the content from my website. They have asked me to close my ICICI personal account too in a month.

HSBC, instead of solving problems, on 2nd Feb, people came to my house, after failed attempts to bring down content with the help of service providers. I was not present at that time; they asked my family members rude questions. I have registered an FIR. They were saying I am teaching how to hack HSBC! This is wrong! In my video, it only shows the consequences and how it is going to effect online banking customers.

Banks succeeded in removing my account from Vimeo.com. Vimeo deleted my account without informing me. After 5 months, instead of fixing problem. They are still trying to kill my content.

How many sites did your content get taken off from?

lol. Youtube, Bluthost.com, Dropbox, Vimdeo.com In ICDThost.com current hosting provided wanted me to remove direct links to video, although they were polite enough asking me, After that my site still survives there.

My intension of not pulling down the content is - This problem is not in one bank, ICICI bank thought I was targetting them alone, that was not true. But, all banks have the same issue, does not matter private or public banks today in india. I have showed this demo to RBI - Bangalore. They got a glimpse of what can happen to online transactions in country and they wanted me to proceed further to make more people within RBI aware of it, although we could not reach the executive chariman who handles payment settlements online.

So there are positive responses too.

Yes. there is a positive response too.

We had a discussion in national law school in Bangalore along with few experts, bankers, professor in that college itself. We have recorded that video. This DVD has given by professor of law school to cert-in personally. See this : Reserve Bank of India (RBI) : Man-in-browser attack - Top 100 banks of the world are reported to have experienced similar incidents - even RBI is saying last year itself. Banks are not lisetning to RBI either

Basically, we need to get support from RBI, Customers and pressure Banks for better security. That is the key.