The world is full of mysteries, and stranger things than we could even dream about keep happening when we are wide awake. Most of you have read about courier scams, where scammers try to extract money from the victim mainly under the pretext of clearing a parcel for them from customs. However, a dangerous new scam has emerged where the victim was subjected to a whole enactment starting with a fake video call backed by a phoney cybercrime officer in a fake police station, then a series of fake interrogations with more fake police people, and four hours of threats and harassment. Chillingly, this can happen to anyone, and you may become a victim too.
I will tell you about this, but also about the importance of passwords. I have repeatedly said that passwords are the weakest link when it comes to protecting our assets online. This is because people use a very simple, easy-to-remember password or use the same one everywhere, from website logins to bank accounts. Cybersecurity services-provider Hive Systems has recently released its password table for 2023. The table shows how long it would take a hacker to try every combination of characters before correctly 'guessing' your password, and on that basis Hive Systems advises using at least 18 mixed characters for maximum security. But more about this later.
FedEx 'Interrogation' Scam
In a Twitter thread, writer and novelist Samit Basu has described his ordeal, to help others. He was expecting some books from abroad. He received an automated call saying his FedEx package had been rejected. When the caller asked him to press 1 to know more, he simply did that. And then his worst nightmare began. He says it "involved a fake courier company with a seized package registered with me as a sender, fake video call with a fake cybercrime officer in a fake police station, then a series of fake interrogations with more fake police people, four hours of threats and harassment."
According to Mr Basu, at least six or seven people (from the gang) were making good use of technology and 'good acting'. They even used an ID card of a lawyer to 'interrogate' him. "They took their time! And had enough of my data and enough really good acting that I only even started getting really suspicious when money got involved. They really, really enjoyed themselves."
However, later when he called on the number on the lawyer's ID card, the lawyer told him that he had been subjected to the same scam with a different lawyer's ID, and all the cases and arrest clauses they referred to were accurate.
"The lawyer whose ID they had stolen told me he reported it to cybercrime as well, but all the numbers involved were untraceable, so he did not expect they could do anything," Mr Basu says.
Describing his ordeal, he says, "They were not even using the threat of pretending to believe that my stolen documents being found somewhere meant I was involved in whatever crime. They were completely using the threat of process as punishment and of needing someone to catch. And I fell for it."
"I feel incredibly stupid in retrospect but also... what sophistication. Lost some money, sent out a couple of my IDs voluntarily. (I) would have done anything after several hours of harassment and threats if they had not gotten sloppy and tried to get me to send them more (money)," he added.
Undoubtedly, it is a very sophisticated scam in which the scammers used the latest technologies and detailed information about Mr Basu. Most likely, Mr Basu's personal details were bought on the dark web. Moreover, as he describes, all the gang members knew what they were doing and did 'really good acting'.
Mr Basu learned his lesson. What about you? We hear of plenty of people who receive such calls and some believe that they are linked to travel abroad.
To avoid falling victim to the FedEx scam, it is crucial to be cautious and sceptical of any unsolicited emails, phone calls, or text messages claiming to be from FedEx. Always verify the legitimacy of the communication by checking the sender's email address or phone number and by contacting FedEx directly through their official website or customer service hotline. Never provide personal information or payment details to anyone you do not trust or cannot verify.
Password: The Weakest Link
Hive Systems released its password table for 2023 along with its analysis of password testing (read: cracking). Due to advances in technology and resources, a random, complex eight-character password that once took four hours to break now takes only one hour. With consumer cloud computing it can be cracked in minutes, and with enterprise cloud computing it happens instantly.
According to the cybersecurity services-provider, the hardware used for ChatGPT would be a boon for password crackers. For example, seven-character passwords made of numbers, upper- and lowercase letters and symbols have no chance of remaining hidden when the ChatGPT hardware is used for cracking. Passwords of eight to 13 mixed characters can be cracked in anywhere from one second to 47 years, respectively.
However, the analysis shows that even with the more sophisticated ChatGPT hardware, it would take 79bn (billion) years to crack an 18-character password made of numbers, upper- and lowercase letters and symbols.
If your password, whatever its length, has already been stolen, contains simple dictionary words, or is reused across sites, it can be cracked instantly. So never reuse a password that has been stolen or that you already use on other sites and apps.
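The cracking-time figures above all come from one calculation: a random password drawn from a character set of size c with length n has c^n possible values, and an attacker who can test r guesses per second needs at most c^n / r seconds. The short script below is an added example, not Hive Systems' methodology or code; the character-class sizes (printable ASCII, 94 characters in total) and the guess rate of 10^12 per second are assumptions chosen here to show the scaling, and the "leaked list" is a constructed sample illustrating why a stolen or dictionary password falls instantly regardless of length.

```python
"""Back-of-the-envelope brute-force cost for a password.

Added example: the charset sizes, the assumed guess rate and the sample
leaked list are all constructed for illustration, not taken from Hive Systems.
"""
import string

# Character classes an attacker must cover once they know (or guess) which
# classes the password uses. 10 + 26 + 26 + 32 = 94 printable ASCII characters.
CHARSETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "symbols": string.punctuation,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Size of the union of character classes the password actually uses.

    A password made only of lowercase letters gives the attacker a 26-symbol
    alphabet; mixing all four classes forces them up to 94.
    """
    return sum(len(chars) for chars in CHARSETS.values()
               if any(ch in chars for ch in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of the given length over that alphabet."""
    return alphabet ** length


def worst_case_seconds(length: int, alphabet: int, guesses_per_second: float) -> float:
    """Time to exhaust the whole keyspace at the given guess rate."""
    return keyspace(length, alphabet) / guesses_per_second


def worst_case_years(length: int, alphabet: int, guesses_per_second: float) -> float:
    return worst_case_seconds(length, alphabet, guesses_per_second) / SECONDS_PER_YEAR


# Constructed sample of "already breached" passwords. Against a real breach
# corpus the attacker just walks the list, so length no longer matters.
LEAKED = ["123456", "password", "qwerty", "letmein", "Summer2023!"]


def guesses_if_leaked(password: str, leaked_list=LEAKED):
    """Number of guesses a list-based attack needs, or None if not on the list."""
    if password in leaked_list:
        return leaked_list.index(password) + 1
    return None


def compare(password: str, guesses_per_second: float = 1e12) -> dict:
    """Summarise how a password fares against brute force and against a leak list."""
    alphabet = charset_size(password)
    return {
        "length": len(password),
        "alphabet": alphabet,
        "brute_force_years": worst_case_years(len(password), alphabet, guesses_per_second),
        "guesses_if_leaked": guesses_if_leaked(password),
    }


if __name__ == "__main__":
    # Assumed rate: 1e12 guesses/second (a GPU-cluster-class attacker).
    for pw in ["password", "Summer2023!", "xK3$vQ9!", "xK3$vQ9!mB7&tL2@pW"]:
        print(pw, compare(pw))
```

Every extra character multiplies the attacker's work by the alphabet size, so going from 8 to 18 mixed characters multiplies it by 94^10; that, not any cleverness in the characters themselves, is why the table jumps from hours to billions of years. The leaked-list check is the flip side: `Summer2023!` scores well on alphabet and length but is found in five guesses.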
Commenting on password storage solutions like LastPass, 1Password and Bitwarden, Hive Systems says they use a hashing approach called PBKDF2 with a strong alternative to MD5, the secure hash algorithm SHA-256. "Even NIST recommends PBKDF2 SHA-256. But we also found that things look different 'in the wild'. Breached password hashes from Dropbox, Ethereum, MyFitnessPal and DataCamp all appear to use the password-hashing function bcrypt instead of a key derivation function like PBKDF2. Bcrypt also seems to be the more secure option in terms of resources required to crack it."
In cryptography, PBKDF1 and PBKDF2 are key derivation functions with a sliding computational cost that reduces vulnerability to brute-force attacks. PBKDF2 is part of the Public-Key Cryptography Standards series from RSA Laboratories. MD5, designed by Ronald Rivest in 1991, is a widely used message-digest hash function that produces a 128-bit hash value. SHA-256 is part of the SHA-2 family of algorithms and outputs a 256-bit value. Bcrypt, a password-hashing algorithm designed by Niels Provos and David Mazières, has an adjustable cost so that it can be kept slow as hardware gets faster.
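To make the "sliding computational cost" concrete, here is an added example (not the code of Hive Systems or of any password manager named above) of how a service stores and verifies passwords with PBKDF2-HMAC-SHA256 from Python's standard library. The record format `pbkdf2_sha256$iterations$salt$hash`, the 600,000-iteration default and the 16-byte salt are choices made for this example. An unsalted MD5 function is included only for contrast, to show why a fast, saltless hash leaks which users share a password. Bcrypt is not in the standard library, so it is not shown; the same storage-and-verify pattern applies to it.

```python
"""Salted PBKDF2-HMAC-SHA256 password storage with an upgradeable work factor.

Added example. Record format, iteration default and salt length are choices
made here, not a standard or any product's implementation.
"""
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # the "sliding cost": raise it as hardware speeds up
SALT_BYTES = 16
KEY_BYTES = 32                 # SHA-256 output size


def unsalted_md5(password: str) -> str:
    """Legacy scheme shown for contrast only: no salt, one fast hash.

    Two users with the same password get the same digest, and an attacker can
    test billions of candidates per second against a stolen table.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a salted key and encode everything needed to verify it later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # fresh random salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, dk_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        rounds = int(iterations)
    except ValueError:
        return False          # malformed record: never treat as a match
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    rounds, dklen=len(expected))
    # compare_digest avoids leaking where the first differing byte is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if a record was made with an older (weaker) cost and should be re-derived
    the next time the user logs in with the correct password."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("wrong", record))
    print("md5 collides across users:", unsalted_md5("hunter2") == unsalted_md5("hunter2"))
```

The per-password salt is what stops one precomputed table from cracking every user at once, and `needs_rehash` is how a service follows the hardware curve the article describes: when the default iteration count is raised, old records are upgraded transparently at the next successful login rather than left at the weaker cost.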
All these cryptographic standards and algorithms are used to make password protection robust. However, since they all work behind the scenes, we, as ordinary users, need not go into the details. Just remember to create and use a unique 18-mixed-character password for every site and app.
How To Report Cyber Fraud?
Do report cybercrimes to the National Cyber Crime Reporting Portal http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).