We often read on daily local news about Singaporeans losing their lifetime savings due to a scammer attack. We acknowledge that the Government and our local banks are adopting new processes and initiatives to block these attacks but still, these criminals are able to steal our money.
In Singapore, due to the high digitalization of business and the widely use of social media platform for work and personal life, nobody is immune to these kinds of attacks.
The news on media and local information platforms are mostly about prevention, but what are the steps we need to take if we are under attack and our mobile device is compromised?
What can we do?
I will reference to the NIST Incident Response Cycle to show you a strategy that can be adopted for these cases.
We will go through the four core phases and how these translate in practical actions.
Important note:
In this scenario we are preparing to stop an attack on a smartphone that is used to access critical information such as bank apps, government apps (ex. CPF), shopping platforms with credit cards details stored, personal and business emails etc.
If you are under attack, please jump directly to phase 3. Containment, Eradication and Recovery. There is where you need to concentrate your resources asap to limit the damage blast, in this case, to protect your money.
1. Preparation
List down the information that you need in case your mobile phone is compromised or damaged. Examples could be:
- Your banks details: accounts numbers, usernames, customer service contacts
- Your credit cards details: numbers and customer service contacts
- Your emails passwords
- Your online shopping platforms’: usernames and passwords
- Any other useful emergency contacts to call for help.
Important note: Do NOT keep this list on the same smartphone you are using and use a hard copy properly stored in a safe place.
Since several services require a second factor of authentication (2FA), activate if available the use of app authenticators and backup those configurations.
2. Detection & Analysis
In this phase, we need to understand if your device is compromised. To do so, we need to detect one or more of these indicators:
- We see apps opening and closing on the device, like an invisible finger is playing around, like someone is looking at our email and bank accounts and is operating on them!
- We notice new apps that we didn’t install. We uninstall the undesired apps, but they get re-installed each time.
- The smart device is heavily consuming the battery without us doing anything out of the ordinary.
- The smartphone is heating up without any reason.
The first symptom is the clearest and it confirms that the device is under attack through a RAT (Remote Access Trojan). The criminal has already gained access to our device and is using it to command and control, in this case, he/she is trying to operate on our bank accounts and to transfer the money elsewhere.
The second symptom is quite clear too, the device is compromised and infected with malicious software. As a precaution matter, change your passwords on another clean device and search assistance to eradicate the malicious code.
For the third and fourth symptoms, you will need to reach out for assistance if you are not a tech expert. You need to understand if it is a hardware failure (false positive) or something else like a malicious code (true positive). Once you get the response, you will act accordingly.
Always, a valid suggestion, is to change your passwords on another device when you have any suspicion.
It is better to play safe than to discover your accounts have been hacked.
How to stop and slow down the attacker? Crucial if we have the first symptom!
3. Containment, Eradication and Recovery
We need to isolate the device asap, cut the connection that the attacker has with your device. If it was a wired connection, it would be easier, unplug the connection cable. But since we are using radio signals (WI-FI, 4G, 5G) we need to complete successfully one of the below actions:
- Put the device in Airplane mode.
- Turn-off the Wi-Fi appliance and remove the SIM.
- Put the device in a Faraday bag (available on online shopping platforms at 4-5 SGD)
- Power off the device through the power button if we are able to do so.
In any way, we need to cut the connection immediately! Like blowing up the bridge between the attacker and your lifetime savings.
Without access to the smart device, the attacker will need to find another way into your accounts.
Meantime we managed to slow him/her down.
Leave the device in this state and move on to the next steps.
Call your bank(s) to:
- Explain the situation
- Block the undesired operations on your accounts and block your credit cards
- Remove the 2FA SMS OTP option to restore the use of physical token (the old way).
From a clean device, change the passwords of you banks’ accounts and your emails, and any other password from websites that the attacker could use to buy with your credit cards details stored in these apps.
Once the attack has been contained and you regained the control of your accounts, you may evaluate how to eradicate the malicious code.
You may consider asking support and assistance to the Police Authorities if you need to report the damages and loses.
If your device is switched-off and you are unable to retrieve the information, you must find a way to work around. You may switch-on only if the device can be kept offline. You need to complete the containment steps before putting the device online.
It is better to buy a new smartphone than having your savings stolen.
Every minute gained is precious.
4. Post-Incident Activity
What have you learnt?
Please note that being attacked once doesn’t make you secure from other future attacks.
You need to understand what habit, or action brought you to be vulnerable?
How did the criminal gain access to your smartphone?
Evaluate how can you protect better your devices and be faster in detection and respond.
I hope you found this article useful. If so, please share it with others or explain the steps to the people you care because we can make the difference.
“Knowledge is Power but without Actions is useless.”
Roby Osamu
