Suramya's Blog


July 11, 2017

Like XKCD but don’t get the jokes?

Filed under: Interesting Sites — Suramya @ 11:38 PM

Do you like the XKCD comics but don't always get the jokes? Or do you have someone in your life who keeps quoting them while you can't make heads or tails of it? If so, you should check out ExplainXKCD.com, a website dedicated to explaining the XKCD comics. For example, let's take the following comic from July 3rd 2017:

The site explains it as follows:

In the United States, the 4th of July is celebrated as Independence Day. This comic claims to show the timeline of different activities that are used to celebrate the holiday. One common activity is to watch fireworks displays. With the rise of personal drones there have been several videos of fireworks from drones, including flying the drones through the middle of the display. The comic then purports that starting in the year it was published (2017), fireworks and drones will be at some sort of war with each other, starting with drone pilots leading their drones into the path of the rising fireworks before they explode, leading to fireworks technicians intentionally trying to strike down drones. In 2019, Randall posits that the drones will be weaponized with fireworks and competitions will be held to shoot down your opponents’ drone. This wanton destruction of drones leads them to turn against their pilots and humanity in 2020 (after gaining sentience, presumably by their AI evolving through the competition), and then in 2021, they will be celebrating their Independence Day from the humans.

The title text refers to another popular 4th of July activity in the United States: Barbecues with fare such as hot dogs and hamburgers. But since the drones don’t have mouths or a digestive tract, they simply make a mess by using their rotors as a blender.

Check it out if you have some time to kill. It's a fun and distracting read.

– Suramya

July 6, 2017

Dear HDFC Bank: Please stop making life easier for phishers

Filed under: Computer Security,My Thoughts — Suramya @ 11:32 PM

I recently had to create an HDFC account because I changed firms and needed an HDFC account in order to be paid 🙂 . Once I created the account I got a few SMS messages from AM-HDFCBK asking me to register online for Netbanking and Mobile Banking, which is quite normal (though the number of messages was a bit annoying). What was scary and concerning was that the link in the message was a generic bit.ly URL (see screenshot below).

Screenshot of the messages I got

For those who don't know, bit.ly is a URL shortening service that lets you create a short URL which redirects to any other URL you choose. For example, I have configured http://bit.ly/1MUISmu to redirect to https://en.wikipedia.org/wiki/Phishing. The service is most commonly used on Twitter, where the character limit is tight and URLs are often long.

However, since anyone can create a bit.ly redirect, there is no way to verify that the link I got in the SMS was actually created by HDFC and points to a legitimate site rather than to a website controlled by a cyber criminal out to steal my data. The short link can point to literally any website the sender wants, including copies of the legitimate HDFC bank site that in reality capture your credentials so that your money can be stolen, or sites that infect your system with a virus or ransomware.

There is a reason why computer security professionals tell people not to click on random links they get via email, SMS or WhatsApp.

If you think that since the sender of the SMS is 'AM-HDFCBK' the message must be legitimate and thus safe to click, think again. There are a ton of websites out there that allow you to spoof SMS sender details to anything you want for a small fee. In fact you can also code your own software for doing this in bulk using publicly available APIs at ridiculously low prices. These are sites I found after a couple of minutes of searching on Google; I am sure there are more secure/untraceable methods of sending fake/spoofed SMS messages on the dark web. So the risk of clicking on unknown links that I got out of nowhere is not worth it.

Normally what companies do in similar scenarios, if they absolutely have to use a shortener, is buy a short domain name of their own and use that: only the domain's owner can create redirects under it, so people getting the messages can identify the link as pointing to the official site just by reading the domain. But I guess someone at HDFC is trying to save money by not registering a new domain that would protect their customers. *Shrug*.
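To make the two points above concrete (a public shortener link cannot be trusted on its own, while a link on a domain the bank is known to own can be checked by reading it), here is a small link-triage script. It is an added example and not code from the blog or from HDFC; the bank domains, the short links and the redirect table are constructed placeholders, and the sender ID is deliberately ignored as a trust signal because, as the post notes, it can be spoofed. The `head_no_follow()` helper shows how to expand a short link one hop at a time without loading the final page; the rest of the script uses an injected fake fetcher so it runs offline.

```python
import re
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Hosts of public URL shorteners: anyone can create a redirect on these,
# so the short link itself says nothing about who sent the message.
PUBLIC_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "ow.ly"}

# Domains the recipient has independently confirmed belong to the bank
# (e.g. from the card or the printed welcome letter). Constructed
# placeholders for this example, not real bank domains.
OFFICIAL_DOMAINS = {"example-bank.com", "ex-bnk.link"}

REDIRECT_CODES = {301, 302, 303, 307, 308}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(text):
    """Return every http(s) URL found in an SMS body, in order."""
    return URL_RE.findall(text)


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_official(host):
    """True only for the confirmed domains or their subdomains; look-alike
    names such as example-bank-login.xyz do not match."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError instead of following.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_no_follow(url, timeout=5):
    """Real fetcher: one HEAD request, report (status, Location) without
    following the redirect or downloading the destination page."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def expand(url, fetch, max_hops=5):
    """Follow the redirect chain hop by hop using fetch(url) -> (status, location).
    Returns the list of URLs visited; the last entry is the final destination
    (or the last hop reached if the chain is longer than max_hops)."""
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        chain.append(location)
    return chain


def classify_link(url, fetch):
    host = host_of(url)
    if is_official(host):
        return "official-domain"          # verifiable by reading the link
    if host in PUBLIC_SHORTENERS:
        final_host = host_of(expand(url, fetch)[-1])
        return "shortener->official" if is_official(final_host) else "shortener->unverified"
    return "unknown-domain"


def triage_sms(text, fetch=head_no_follow):
    """Return (url, verdict) for each link in the message body."""
    return [(u, classify_link(u, fetch)) for u in extract_urls(text)]


# Constructed sample message and redirect table (no network needed).
SAMPLE_SMS = ("Dear customer, register for NetBanking at http://bit.ly/c0nstructd1 "
              "or MobileBanking at http://bit.ly/c0nstructd2 "
              "Help: https://www.example-bank.com/help")

FAKE_REDIRECTS = {
    "http://bit.ly/c0nstructd1": (301, "http://example-bank-login.xyz/netbanking"),  # look-alike domain
    "http://bit.ly/c0nstructd2": (301, "https://www.example-bank.com/register"),
}


def fake_fetch(url):
    return FAKE_REDIRECTS.get(url, (200, None))


if __name__ == "__main__":
    for link, verdict in triage_sms(SAMPLE_SMS, fake_fetch):
        print(f"{verdict:24s} {link}")
```

The verdicts are the point: a direct link on a confirmed bank domain can be judged from the text alone, a shortener link cannot be judged until it is expanded, and even then the expansion only tells you where it goes today. Swap `fake_fetch` for the default `head_no_follow` to inspect a real message, keeping in mind that a HEAD request still contacts the shortener and the destination server.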

Ah well, looks like I will need to go to their official site and register my account from there.

Well this is all for now. Will write more later.

– Suramya
