<?xml version="1.0" encoding="utf-8"?>
<!-- generator="FeedCreator 1.7.2" -->
<rss version="2.0">
    <channel>
        <title>Lowyat.NET: Latest topics by thewan</title>
        <description></description>
        <link>http://forum.lowyat.net/</link>
        <lastBuildDate>Fri, 05 Jun 2026 11:50:36 +0800</lastBuildDate>
        <generator>FeedCreator 1.7.2</generator>
        <item>
            <title>The problem with SMS is the user has ZERO control</title>
            <link>http://forum.lowyat.net/topic/5303093</link>
            <description>I would like to highlight one of, probably the main issue with SMS. As the user, we have zero control over SMS. It was standardized around the 1980s. The same core technology is still used until now. &lt;br /&gt;&lt;br /&gt;The problem with SMS is that there is no form of authentication. There is no need to identify the sender, the service used to send the SMS, or the receiver. Person A can send an SMS pretending to be B. C can pretend to be the service provider, intercepting the SMS and reading the contents. D can pretend to be the receiver and receive the SMS. And this part can be done with or without SIM swapping, you just need to invest in the right tools and software, and those are cheap and relatively easy to procure.&lt;br /&gt;&lt;br /&gt;Also, the bank does not know that the SMS has arrived safely for its intended recipient. The user cannot verify that the one sending the SMS is indeed from a bank.&lt;br /&gt;&lt;br /&gt;Whereas by using non-SMS methods, a user has some form of control of the end result. Let&amp;#39;s take for example the banking app. Assuming that you trust your bank to do the right thing by securing their app and the method of communication between the app and the bank, the only thing a user has to worry about is the security of their phone. This is something under your control. &lt;br /&gt;&lt;br /&gt;For example, you can buy an iPhone, which is usually more secure due to its heavily controlled app ecosystem. In the case of Android, you can choose a more reputable brand, that not only has good security practices, but has regular security and OS updates. When your updates end, you can choose to buy a new phone, or buy a different brand. You can use more complicated phone passwords instead of PIN numbers, enable device encryption, or use biometrics instead of a password if you feel you can&amp;#39;t be bothered to use a complicated password because of your poor memory. 
You can make sure your phone is with you at all times, make sure not to lose or forget it, and in the event you cannot retrieve it safely, try your best to remote erase it. You can disable notifications for your financial apps as an additional security measure, or make sure no app has the permission to read your notifications other than required by your phone OS.&lt;br /&gt;&lt;br /&gt;With the above we have some control and some choices over how we secure ourselves. If you made the wrong choice and lose your money in the process, and if it was under your control, you will learn from your mistakes and be able to fix it and perform better.&lt;br /&gt;&lt;br /&gt;SMS is a different story. You can&amp;#39;t do anything about it. You can&amp;#39;t fix any mistakes. The only thing you learn is that SMS is a useless form of authentication and should be abandoned. You can only pray that the sender is the bank, it has traveled through only your provider, there is no one intercepting the SMS, no one SIM swapped you and no one uses tools and software to pretend to be you. Also no app, be it any official app or some funny app you found on the internet, is reading your SMS or notifications (permissions can only help if there are no security holes in your OS and it is updated in security patches). I mean you can&amp;#39;t guarantee your Facebook app isn&amp;#39;t reading your SMS and notifications (for advertising purposes obviously) and that Facebook is the one leaking your OTP/TAC. It should only be used for emergencies and casual communication if you have no data for some reason. &lt;br /&gt;&lt;br /&gt;Even if you trust your bank that everything else is secure, their app, their service, their network, their infrastructure. In the end the SMS is the weak point. If you don&amp;#39;t trust them or if they messed up, move to another bank. Sue them. Report to BNM. Claim insurance. Users still have some control over that. Meanwhile SMS....did I need to repeat that? 
ZERO.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;There is no TLDR. Security is important. Either read the whole thing and understand, or ignore it.</description>
            <author>thewan</author>
            <category>Kopitiam</category>
            <pubDate>Wed, 24 Aug 2022 00:32:12 +0800</pubDate>
        </item>
        <item>
            <title>Front page article inaccuracy</title>
            <link>http://forum.lowyat.net/topic/5226264</link>
            <description>I don&amp;#39;t use Facebook, so I can&amp;#39;t comment on the article itself and decided to post here. I hope I&amp;#39;m not wrong in doing so.&lt;br /&gt;&lt;br /&gt;The article &lt;a href='https://www.lowyat.net/2021/261454/this-audiophile-grade-ssd-looks-too-good-to-be-true/' target='_blank'&gt;This “Audiophile Grade” SSD Looks Too Good To Be True&lt;/a&gt; contains a false statement that shows how lazy Malaysians have become in checking their own linked sources. It is one thing that this happens in forums/social media. But in this case this is an article/news piece by a reputable site like Lowyat.net. The following quote of the article is what I have an issue with:&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;At the time of writing, the original poster of the device said that they were already sampling drives to a select number of forum members, but a majority of them lost contact with the maker, almost immediately after receiving the product. &lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;I have read the source of the above article, which originates from a forum thread &lt;a href='https://audiophilestyle.com/forums/topic/62753-nvme-ssd-designed-for-audiophiles/' target='_blank'&gt;here&lt;/a&gt;. As shown in the beginning of the thread, the discussion started around April of 2021. Your article mentions that they lost contact with the maker after receiving the product. However if you go to the latest page of the thread, you can see that the original poster, who looks like the representative of the product, is posting replies as recent as last Sunday (19th December 2021). There is no &amp;quot;loss of contact&amp;quot;. He is posting replies and acknowledging feedback. Your article is implying that the person is scamming his community by doing a &amp;quot;hit and run&amp;quot;. 
(Whether the product itself is a scam or not it doesn&amp;#39;t matter in this context). &lt;a href='https://audiophilestyle.com/forums/topic/62753-nvme-ssd-designed-for-audiophiles/?do=findComment&amp;comment=1173341' target='_blank'&gt;Link to latest post by author&lt;/a&gt; as of this post date.&lt;br /&gt;&lt;br /&gt;I&amp;#39;m not endorsing/protecting nor do I care about this product being snake oil or not. What I would like to highlight is the failure of even our local news sites reading their own sources before hastily posting articles. What if this was an article of a really important issue with our local community? Would you also give that article the same treatment of not checking your sources?&lt;br /&gt;&lt;br /&gt;</description>
            <author>thewan</author>
            <category>Serious Kopitiam</category>
            <pubDate>Tue, 21 Dec 2021 15:05:23 +0800</pubDate>
        </item>
        <item>
            <title>Malicious Android app steals Malaysian bank info</title>
            <link>http://forum.lowyat.net/topic/5220647</link>
            <description>A fake Android app is masquerading as a housekeeping service to steal online banking credentials from the customers of eight Malaysian banks.&lt;br /&gt;&lt;br /&gt;The app is promoted through multiple fake or cloned websites and social media accounts to promote the malicious APK, &amp;#39;Cleaning Service Malaysia.&amp;#39;&lt;br /&gt;&lt;br /&gt;This app was first spotted by MalwareHunterTeam last week and was subsequently analyzed by researchers at Cyble, who provide detailed information on the app&amp;#39;s malicious behavior.&lt;br /&gt;&lt;br /&gt;&lt;!--QuoteBegin--&gt;&lt;div class='quotetop'&gt;QUOTE&lt;/div&gt;&lt;div class='quotemain'&gt;&lt;!--QuoteEBegin--&gt;&amp;quot;cleaningservicemalaysia.apk&amp;quot;: 7845bb247dbfad94018047afbb2f5e1d9e54752b620d995033c695d9a2d104a0 pic.twitter.com/wx6nM2GFdX&lt;br /&gt;&amp;nbsp; &amp;nbsp; — MalwareHunterTeam (@malwrhunterteam) November 25, 2021&lt;!--QuoteEnd--&gt;&lt;/div&gt;&lt;!--QuoteEEnd--&gt;&lt;br /&gt;&lt;br /&gt;Source and more technical info:&lt;br /&gt;&lt;br /&gt;&lt;a href='https://www.bleepingcomputer.com/news/security/malicious-android-app-steals-malaysian-bank-credentials-mfa-codes/' target='_blank'&gt;https://www.bleepingcomputer.com/news/secur...ials-mfa-codes/&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;But we Malaysians love SMS and despise app-based MFA...and security keys are too expensive for us, not to mention our banks don&amp;#39;t use them either. Oh well.&lt;br /&gt;&lt;br /&gt;</description>
            <author>thewan</author>
            <category>Kopitiam</category>
            <pubDate>Thu, 02 Dec 2021 03:26:45 +0800</pubDate>
        </item>
        <item>
            <title>[WTS] DeepCool Maelstrom 240t AIO Liquid Cooler</title>
            <link>http://forum.lowyat.net/topic/4521875</link>
            <description>&lt;b&gt;Item(s):&lt;/b&gt; DeepCool Maelstrom 240t AIO Liquid Cooler (AM4 Ready)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Package includes:&lt;/b&gt; Full package in the box&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Price:&lt;/b&gt; RM 220&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Warranty:&lt;/b&gt; 1 Month personal. It&amp;#39;s a new cooler as replacement from DeepCool, RMA near the end of its warranty so no more warranty from DeepCool&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Dealing method:&lt;/b&gt; COD anywhere accessible in/around KL by train preferable. Postage may be possible.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Location:&lt;/b&gt; Putrajaya&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Contact method/details:&lt;/b&gt; PM&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Item(s) conditions:&lt;/b&gt; Brand New inside box replacement from DeepCool for RMA.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Picture:&lt;/b&gt; It&amp;#39;s in the box, PM if you want picture of the box. I can show you picture of the RMA receipt if required.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Reason for sale:&lt;/b&gt; Got a replacement cooler while waiting for RMA.&lt;br /&gt;&lt;br /&gt;&lt;a href='http://www.gamerstorm.com/product/CPULIQUIDCOOLER/2016-03/1286_4946.shtml' target='_blank'&gt;Website&lt;/a&gt;</description>
            <author>thewan</author>
            <category>Casings &amp;amp; PSUs Garage Sales</category>
            <pubDate>Sat, 10 Feb 2018 15:45:35 +0800</pubDate>
        </item>
        <item>
            <title>[WTS] Imported Calvin Klein Cortlandt Collection</title>
            <link>http://forum.lowyat.net/topic/4063464</link>
            <description>&lt;b&gt;Item(s):&lt;/b&gt; Imported Calvin Klein Cortlandt Collection 28&amp;quot; Spinner - Silver &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Package includes:&lt;/b&gt; Luggage (Silver Color)&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Price:&lt;/b&gt; Now RM600.00 Negotiable. Reference price can be googled/checked below from amazon link. &lt;br /&gt;&lt;br /&gt;&lt;b&gt;Warranty:&lt;/b&gt; As provided by Calvin Klein. You may contact them on their FB/Twitter/email.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Dealing method:&lt;/b&gt; COD around KL, Putrajaya/Cyberjaya. Anywhere in between need to contact 1st. Shipping outside these areas via Poslaju&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Location:&lt;/b&gt; Putrajaya&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Contact method/details:&lt;/b&gt; PM Me or reply here.&lt;br /&gt;---&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Item(s) conditions:&lt;/b&gt; Brand New, just arrived from USA via Fedex. Shipping box opened to inspect item but item not removed, item is still inside protective plastic.&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Picture:&lt;/b&gt; [attachmentid=7596149][attachmentid=7596156][attachmentid=7596157] [attachmentid=7596184]&lt;br /&gt;&lt;br /&gt;&lt;b&gt;Reason for sale:&lt;/b&gt; Extra, Realize don&amp;#39;t need it.&lt;br /&gt;&lt;br /&gt;You can see pictures on how the Luggage looks like from &lt;a href='https://www.amazon.com/Calvin-Klein-Cortlandt-Inch-Upright/dp/B00KTAG4WO?th=1' target='_blank'&gt;Amazon&lt;/a&gt;. Interested buyers may request for pictures of the luggage and I will PM them the pictures.</description>
            <author>thewan</author>
            <category>Garage Sales</category>
            <pubDate>Fri, 23 Sep 2016 22:14:20 +0800</pubDate>
        </item>
    </channel>
</rss>
