PETALING JAYA: With Macau and other scams becoming commonplace, and victims in the country losing hundreds of thousands or even millions of ringgit from their bank accounts daily, cybersecurity experts have called for urgent education programmes for the public.
Universiti Sains Malaysia Assoc Prof Dr Selvakumar Manickam said in general, all messaging apps such as WhatsApp, Telegram, and WeChat are being hacked.
He said most hacking incidents are caused by the negligence of users and inadvertent downloading of malicious apps, which are beyond the control of the main messaging app’s security design.
He added that there are several ways apps can be hacked.
“One of the ways is through social engineering, whereby users are tricked into believing a hacker is another user on a group chat. This inadvertently links devices and allows them to gain access through web interfaces.
“The hacker then controls third-party apps installed on the user’s phone to steal information and control the device without the user ever knowing about it. It is best to read the community reviews of any app before installing it. Also, download apps that have been verified, for example by Google Play Protect.
“Attackers will exploit vulnerabilities in messaging apps, which the app developers are not aware of. This is called the zero-day attack.”
Selvakumar said encryption is between devices and not users.
“When a message leaves an app, it is encrypted and it is decrypted when it is received.
“This ensures that no hacker can steal or manipulate messages while they are in transit over the network. It prevents what we call man-in-the-middle attacks.
“Nevertheless, once the messaging app decrypts it, it is no longer the job of the app’s encryption engine, but the onus is now on the user to ensure he is not social-engineered or hijacked by third-party apps.”
Selvakumar said all genuine app developers have put in security and privacy mechanisms in their software, and the apps are regularly updated with new patches and countermeasures.
“But if users are not doing their part to ensure that they don’t fall prey to tricks or install potentially malicious apps, there is only so much that technology can do to protect them.”
He said hacking is a global problem and it will never go away as long as we rely on smart devices and the internet.
“This is why the government must launch an education programme so that people will not fall prey to hackers. The government must create a comprehensive awareness and education programme for Malaysians from all walks of life, starting with school children.”
eSecurity and Privacy Channel and Cybersecurity Malaysia founder Assoc Prof Datuk Dr Husin Jazri said it is not so easy to hack into messaging apps if they are well funded, but it is not impossible if the technique involves zero-day attacks.
“In many instances, the attacker does not have to hack into apps but rather make use of publicly available information obtained from social media and reuse that to spoof intended victims.
“Messaging app codes are not encrypted. They are compiled and turned into binary codes understood by the system. What is encrypted is the message sent between sender and receiver end to end. Any interceptor in between cannot read those messages during transmission and storage.
“These messages can be read by the service provider and those authorised by them. Again, messaging codes that make up the app are usually not encrypted.”