I've been interested in this topic for a while: how secure my data in the cloud actually is.

I always assumed it would be hard to hack me. I'm a professional developer, not naive, not lazy; I don't even know my own passwords, I rotate them, I use 2FA...

Nonsense! Actually, anyone who uses the internet is at risk of having some of their data taken without their knowledge and sold to interested parties.

Actually, I was finally inspired to write this post after getting a phishing call from a "representative" of a popular Croatian health insurance company, speaking bad Croatian, asking me why I'm not paying my bills. It was a short and funny call, but it got me thinking...

Is my Phone Eavesdropping on me?

It must have occurred to you at some point in your life that your phone is listening to your conversations, or at least your friends and relatives have a theory about it.

Let's forget that Google knows too much about you, and imagine a scenario where you're in a café, watching someone across the room drinking some interesting beverage, and you decide to google what it is... But no, the advertisements have already beaten you to it; they know what you want before you've even typed in the search term.

I won't go too much into this topic, as I'm not an expert. Maybe your phone really is "eavesdropping" on you, or maybe the systems have such advanced algorithms that they can predict what you want better than you can yourself.

As soon as you use a phone and the internet, some of your data is already shared. After all, do you ever read the terms of use of an application? What did you agree to when you logged into Facebook?

The Double-Edged Sword of Complex Authentication

I'm talking about classic data theft: email, password, phone number, first name/last name.

For instance, I never reuse a password, and I don't even know them myself. But what does that mean? These passwords that I don't know are stored somewhere on a remote server, and that's a potential issue, isn't it?

If you're serious about authentication, you'll enable what's called two-factor authentication (2FA) everywhere.

The problem with 2FA is that those details are temporarily stored on some remote server. If you've chosen SMS for your 2FA, you should be aware that the 2FA delivery might be outsourced to an external company. You might have heard about the recent leak of 2FA databases: https://www.forbes.com/sites/daveywinder/2024/03/06/millions-of-google-whatsapp-facebook-2fa-security-codes-leak-online/. The news might be a bit exaggerated, since after all 2FA codes are short-lived. It takes a combination of factors: the attacker needs your password, access to a fresh 2FA database, you have to be interesting enough for them to spend their time on you, and the stars have to align for them to reach your data.
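To show why a leaked 2FA code is short-lived, here is an added example (my own code, not from the article or any of the services mentioned) of a time-based one-time password (TOTP, RFC 6238) generator and a server-side verifier. The code only ever derives from the shared secret and the current 30-second time slot, so a code captured from a leaked database is useless once its slot has passed, and a properly written verifier also refuses to accept the same code twice even inside the slot. The secret values below are the RFC 6238 test secret and a constructed demo secret, not real credentials.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # length of one TOTP time slot
DIGITS = 6          # code length used by most authenticator apps

# RFC 6238 reference test secret ("12345678901234567890" in base32), used here only
# because its expected codes are published; not a real credential.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-slot counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper())
    counter = unix_time // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, unix_time: int, window: int = 1) -> bool:
    """Stateless check: accept the code for the current slot and `window` slots either
    side to tolerate clock skew. Anything older is rejected, which is why a leaked
    code stops working within a minute or so."""
    for k in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + k * STEP_SECONDS)
        if hmac.compare_digest(candidate, code):
            return True
    return False


class TotpVerifier:
    """Server-side verifier with a one-time-use guard: once a slot's code has been
    accepted, that slot (and any older one) can never be accepted again, so a code
    stolen right after the user typed it cannot be replayed even inside the window."""

    def __init__(self, secret_b32: str, window: int = 1) -> None:
        self.secret_b32 = secret_b32
        self.window = window
        self.last_counter = -1  # highest time-slot counter already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        for k in range(-self.window, self.window + 1):
            t = unix_time + k * STEP_SECONDS
            if hmac.compare_digest(totp(self.secret_b32, t), code):
                counter = t // STEP_SECONDS
                if counter <= self.last_counter:
                    return False  # replay of a code that was already used
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through the lifecycle of one code: fresh, replayed, expired."""
    now = int(time.time())
    code = totp(RFC_TEST_SECRET_B32, now)
    verifier = TotpVerifier(RFC_TEST_SECRET_B32)
    return {
        "first_use_accepted": verifier.verify(code, now),
        "replay_accepted": verifier.verify(code, now + 5),
        "after_five_minutes_accepted": verify_totp(RFC_TEST_SECRET_B32, code, now + 300),
    }


if __name__ == "__main__":
    print(demo())
```

The stateless `verify_totp` is what most libraries implement; the `TotpVerifier` adds the "never accept a consumed slot" rule that closes the remaining replay gap inside the skew window. Both checks use `hmac.compare_digest` so that comparing the six digits does not leak timing information.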

Sale of personal data

What else can happen is that your data gets sold to shady characters who want to sell you something or extract something from you: at best money, or even more data about you.

Take me, for example, I haven't changed my phone number in like forever.

Maybe I should treat my phone number the same way as passwords, rotate it periodically.

What's the problem? The hacked data often includes a mobile number. If you've ever entered your mobile number on any account, there may be a data leak one day, and you'll start receiving strange calls from abroad.

Maybe it's "just happening to me", but occasionally I get calls where the person only knows my name and wants to sell me something. Sometimes these calls come from local numbers (091, 095, etc.). But don't be fooled by the local prefix; the call can still come from abroad, with the number masked (spoofed) to look local.

What can you do in that case?

  • Report the incident to your mobile network provider? Good luck! I've done that several times. They don't know what to say. The best answer is to try to ignore it. Even checking the number makes no sense, because often the call is not made from that number; it just appears to be.
  • Install an app that blocks known spammers (https://www.truecaller.com/)? I have it, the paid version. It works decently, and the database is constantly updated. It won't stop all the calls, though.
  • Change the number?

Data breach registry

This website might be of interest to you: https://haveibeenpwned.com/ lets you see how much of your data has leaked. You might wonder whether this website also stores your email. Read https://haveibeenpwned.com/Privacy and decide for yourself. The site has been tracking security breaches since 2013.

Recognizing phishing and saving the Nigerian prince

I assume most phishing attacks are very easy to recognize. But that's only because I've been trained well and have years of experience.

I remember in the 2000s I'd get emails from Nigerian princes promising me large sums of money. I found them funny and wondered how anyone could get fooled by such silly emails. That was the old era.

What hasn't changed is that at one point they'll all ask you for money by promising you things or threatening you, whatever works.

Email and web phishing

Scam websites and emails usually have grammar errors. This will improve in the future; scammers know how to use ChatGPT too. Scam websites are often good copies of the real deal, and the average Joe won't think to look at the funky URL or funky sender address, or know how to use "show original" on the email he's received.
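The "funky URL" and "show original" checks above can be automated. The following is an added example (my own code, not from the article) that runs the same three checks a careful reader would do by hand on a raw email: does the From domain match the Return-Path the message actually bounces to, does the visible link text point where the href really goes, and is the link host a lookalike that merely contains the trusted brand's domain. The two messages and all domain names in it are constructed for the demo.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phishing-style message: the From header looks right, but the
# Return-Path and the real link target belong to a different domain.
SUSPICIOUS_EMAIL = b"""Return-Path: <bounce@mail-notify.example.net>
From: "Bank Support" <support@bank.example.com>
To: victim@example.org
Subject: Verify your account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://bank.example.com.login-verify.example.net/reset">https://bank.example.com/reset</a>
to confirm your details.</p>
</body></html>
"""

# Constructed legitimate message for comparison.
CLEAN_EMAIL = b"""Return-Path: <support@bank.example.com>
From: "Bank Support" <support@bank.example.com>
To: victim@example.org
Subject: Your statement
Content-Type: text/html; charset="utf-8"

<html><body><p>See <a href="https://bank.example.com/statements">https://bank.example.com/statements</a>.</p></body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def header_domain(header_value) -> str:
    """Domain part of the address in a From/Return-Path style header."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain, not for lookalikes."""
    return host == domain or host.endswith("." + domain)


def check_email(raw: bytes, trusted_domain: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = header_domain(msg["From"])
    rp_dom = header_domain(msg["Return-Path"])
    if from_dom and rp_dom and from_dom != rp_dom:
        findings.append(f"From domain {from_dom} differs from Return-Path domain {rp_dom}")

    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    extractor = LinkExtractor()
    extractor.feed(html)
    for href, text in extractor.links:
        real_host = host_of(href)
        shown_host = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        if trusted_domain in real_host and not is_under(real_host, trusted_domain):
            findings.append(f"lookalike host {real_host} is not under {trusted_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, check_email(raw, "bank.example.com") or ["no findings"])
```

The lookalike rule is deliberately strict: `bank.example.com.login-verify.example.net` contains the trusted name but its registrable domain is `example.net`, which is exactly the trick the "good copies of the real deal" rely on. Hovering over a link, or reading the raw source via "show original", gives the same information this script extracts.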

Phone phishing calls

This is easy to spot in my case. One tell is if the caller speaks English or very bad Croatian. I work with foreign clients, but all communication is over Slack, Google Meet, Zoom... you get the picture. One exception to the rule: I've noticed that people from the UK I've communicated with prefer phone calls.

Another tell is when the caller introduces himself and then asks me how I am.

Like, how dare he?! Asking me how I'm doing. But seriously, I'd expect an introduction: who's calling, why they're calling, and then they can ask me "how are you". Otherwise, it's going to be a short call.

The third tell is a short connection pause, maybe 2 seconds after I answer the call, before the caller starts talking. I've noticed it on every such call so far. It's as if they're making many calls at once, and the first fool who answers gets routed to the scamming agent. I think there's some automation going on here; if you get these kinds of calls, try not answering for 2 seconds and see what happens.

Conclusion

There’s no smart conclusion here, just sharing some of my thoughts. I remember, long ago at a company where I worked, they were quite serious about security: everything was done through a VPN and emails were sent exclusively in encrypted form.

Maybe encrypting emails seemed a bit too much to me back then, but now I see it really isn’t.

When you use a service, you're not just using it alone; your data passes through several different services. Ideally, all of this should be spelled out in the terms of use and privacy policy.

Don't be lazy, don't use the same password everywhere. Don't enter your mobile number unless it's absolutely necessary. Read the privacy terms.

Thank you for reading!