Understanding why companies claim that their social networking apps, websites and UPI payments are secure…

Kapeel Suryavanshi
Published in The Startup
8 min read · Nov 8, 2019

In today’s rapidly advancing world, smartphone usage has grown to the point that we cannot get through a day without checking our social networking apps at least a couple of times. The advent of UPI payments has only boosted those numbers. But have you ever thought about how and why these companies claim that the data collected through these applications is secure? Let’s find out.

Two-Factor Authentication to your rescue

With digital fraud and hacking at a record high, keeping your account and data safe is becoming a priority for everyone. Once someone gets access to your account, they can cause you not only financial loss but also loss of reputation and image. Most websites and applications nowadays require you to use numbers, special symbols or a combination of both in your password. This greatly improves your resistance to brute-force attacks, but it doesn’t solve the security problem completely. This is where two-factor authentication, also called multi-factor or multi-step verification, comes into the picture.

(Image: Two-Factor Authentication)

So, what is Two-Factor Authentication?

It is an authentication mechanism that double-checks that your identity is legitimate. It adds another security layer to the login process, reducing the chances of your account being hacked. With it, knowing and entering your password alone is not enough. This extra layer can be anything like an OTP sent to your mobile, an auto-generated code, or biometric verification on a device you own. The one-time codes are time-sensitive, which makes them harder to reuse and therefore more secure.
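The "auto-generated, time-sensitive code" described above is usually a TOTP (RFC 6238): the phone and the server share a secret and both compute a six-digit code from the current 30-second window, so a stolen code stops working almost immediately. The following Python is an added example for this post, not code from any authenticator app; the demo secret is a constructed sample value, and the one-window skew allowance is an assumed server policy.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret in base32, the form an authenticator app stores (not a real account secret).
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP_SECONDS = 30
DIGITS = 6


def totp_code(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then dynamic truncation (RFC 4226)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    digest = hmac.new(key, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the slice
    code_int = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code_int % (10 ** DIGITS):0{DIGITS}d}"


def verify_totp(secret_b32: str, submitted: str, unix_time: int, skew_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus/minus `skew_steps` windows to tolerate
    clock drift. Codes from older windows are rejected, which is what makes the factor time-sensitive.
    Constant-time comparison avoids leaking how many digits matched."""
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret_b32, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp_code(DEMO_SECRET_B32, now)
    print("code for this window:", code, "| accepted now:", verify_totp(DEMO_SECRET_B32, code, now))
    print("same code two minutes later accepted:", verify_totp(DEMO_SECRET_B32, code, now + 120))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1) reproduce with this function, which is a quick way to check any TOTP implementation.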

How does it work?

When you want to sign in to your account, you are prompted to authenticate with a username and a password — that’s the first verification layer.

Two-factor authentication works as an extra step in the process, a second security layer, that will reconfirm your identity.

Its purpose is to make attackers’ lives harder and reduce fraud risk. If you already follow basic password security measures, two-factor authentication makes it even more difficult for cybercriminals to breach your account. This is the very reason most applications and websites periodically prompt you to activate two-factor authentication.

What are the authentication factors?

There are 3 main categories of authentication factors:

1. Something that you know — This could be a password, a PIN code or answer to a secret question.

2. Something that you have — This is always related to a physical device, such as a token, a mobile phone, a SIM, a USB stick, a key fob, an ID card.

3. Something that you are — This is a biological factor, such as face or voice recognition, fingerprint, DNA, handwriting or retina scan. However, some of these are quite expensive, so, unless you work in a top-secret / Mission Impossible kind of facility, you probably don’t have this kind of authentication method implemented.

Time and location factors can also be used. For example, if you log into your account and someone tries to log in from a different country 10 minutes later, the system could automatically block them.
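The time-and-location rule described above is typically implemented as an "impossible travel" check over the login history. The following Python is an added illustration for this post, not code from any real service; the login events are constructed sample data, and the two-hour window is an assumed policy threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Login:
    user: str
    when: datetime
    country: str
    ip: str


# Constructed sample login events (documentation IP ranges, not real traffic).
SAMPLE_LOGINS = [
    Login("alice", datetime(2019, 11, 8, 9, 0), "IN", "203.0.113.10"),
    Login("alice", datetime(2019, 11, 8, 9, 10), "US", "198.51.100.7"),   # 10 minutes later, other country
    Login("bob",   datetime(2019, 11, 8, 9, 15), "IN", "203.0.113.22"),
    Login("bob",   datetime(2019, 11, 8, 14, 0), "IN", "203.0.113.22"),   # same country: fine
    Login("alice", datetime(2019, 11, 8, 20, 0), "IN", "203.0.113.10"),   # hours later: plausible travel
]


def flag_impossible_travel(logins, window=timedelta(hours=2)):
    """Return the logins that come from a different country than the same user's
    previous login within `window`. A country change over many hours can be a flight
    or a VPN; within minutes it is a strong signal to block or step up to 2FA."""
    last_seen = {}
    flagged = []
    for event in sorted(logins, key=lambda e: e.when):   # evaluate in chronological order
        prev = last_seen.get(event.user)
        if prev is not None and prev.country != event.country and event.when - prev.when <= window:
            flagged.append(event)
        last_seen[event.user] = event
    return flagged


def decide(event, flagged) -> str:
    """Policy hook: block flagged logins, let the rest proceed to the second factor as usual."""
    return "block" if event in flagged else "allow"


if __name__ == "__main__":
    suspicious = flag_impossible_travel(SAMPLE_LOGINS)
    for event in SAMPLE_LOGINS:
        print(event.user, event.when.time(), event.country, "->", decide(event, suspicious))
```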

Having said this, you might already be using this method when you log into your Google account or when you make an online payment. It gets even better if you also enable it in your other applications like WhatsApp, Facebook, LinkedIn, etc. I hope this link might help you to set up two-factor authentication on your desired application. However, you shouldn’t expect this mechanism to work like a magic wand that will miraculously bulletproof your accounts. It can’t keep the bad guys away forever, but it does reduce their chance of success.

(Image: End-To-End Encryption (E2EE))

End-To-End Encryption (E2EE) in Applications

Many ordinary people use messaging apps for daily communication, and hence it is the responsibility of these applications to keep those communications secure and private. To meet this need, most applications, such as WhatsApp and Telegram, use what is called end-to-end encryption of conversations.

What is End-to-End Encryption (E2EE)?

When you use E2EE to send an email or a message to someone, no one monitoring the network can see the content of your message — not hackers, not the government, and not even the company that facilitates your communication.

(Image: E2EE in WhatsApp)

How does Whatsapp implement E2EE?

WhatsApp’s end-to-end encryption ensures that only you and the person you’re communicating with can read what’s sent. Nobody in between, not even WhatsApp, can read the messages. The messages are secured with locks, and only the recipient has the special key to unlock and read them. WhatsApp uses the Signal Protocol developed by Open Whisper Systems. The following steps describe how E2EE works when two people communicate on WhatsApp.

  1. When the user first opens WhatsApp, two different keys (public and private) are generated. This key generation, and all later encryption, takes place on the phone itself.
  2. The private key never leaves the user’s phone, whereas the public key is transferred to the other party via the centralized WhatsApp server.
  3. The receiver’s public key encrypts the sender’s message on the sender’s phone, before it ever reaches the centralized server.
  4. The server is only used to transmit the encrypted message. The message can only be unlocked by the private key of the receiver. No third party, including WhatsApp, can intercept and read the message.
  5. If a hacker tries to intercept and read the messages, they would fail because of the encryption.
(Image: Working of E2EE in WhatsApp)

How do I verify that WhatsApp is using end-to-end encryption?

To manually verify the encryption between the sender and the receiver, simply tap on the contact’s name in WhatsApp to open the info screen. Now tap on ‘Encryption’ to view the QR code and 60-digit number. You can scan your contact’s QR code or visually compare the 60-digit number. If you scan the QR code and the codes match, your chats are encrypted and no one is intercepting your messages or calls.
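The reason the 60-digit number can be compared in person is that both phones derive it from the same two public identity keys; if the server (or anyone in the middle) had swapped a key, the numbers would no longer match. The following Python is an added illustration for this post, not WhatsApp’s or Signal’s code: the construction (iterated SHA-512 over each key, 5-byte chunks reduced mod 100000, the two halves sorted so both sides agree) is a simplification assumed for demonstration, and all keys are constructed sample bytes.

```python
import hashlib

ITERATIONS = 5200  # many hash rounds make it costly to search for a look-alike key (assumed value)

# Constructed sample identity keys and identifiers (not real keys or phone numbers).
ALICE_PUB = hashlib.sha256(b"alice demo identity key").digest()
BOB_PUB = hashlib.sha256(b"bob demo identity key").digest()
MITM_PUB = hashlib.sha256(b"attacker demo identity key").digest()
ALICE_ID, BOB_ID = b"+91-00000-00001", b"+91-00000-00002"


def half_fingerprint(identity_pub: bytes, identifier: bytes) -> str:
    """30 decimal digits derived from one party's public identity key and identifier."""
    state = b"\x00\x00" + identity_pub + identifier
    for _ in range(ITERATIONS):
        state = hashlib.sha512(state + identity_pub).digest()
    digits = ""
    for i in range(0, 30, 5):                       # 6 chunks of 5 bytes -> 6 groups of 5 digits
        chunk = int.from_bytes(state[i:i + 5], "big")
        digits += f"{chunk % 100000:05d}"
    return digits


def security_number(my_pub, my_id, their_pub, their_id) -> str:
    """The 60-digit number shown on the Encryption screen. Sorting the two halves means
    Alice (my=Alice, their=Bob) and Bob (my=Bob, their=Alice) display the same string."""
    halves = sorted([half_fingerprint(my_pub, my_id), half_fingerprint(their_pub, their_id)])
    return "".join(halves)


def demo():
    """Returns (what Alice sees, what Bob sees, what Alice would see if a relay swapped Bob's key)."""
    alice_view = security_number(ALICE_PUB, ALICE_ID, BOB_PUB, BOB_ID)
    bob_view = security_number(BOB_PUB, BOB_ID, ALICE_PUB, ALICE_ID)
    mitm_view = security_number(ALICE_PUB, ALICE_ID, MITM_PUB, BOB_ID)  # Alice received a substituted key
    return alice_view, bob_view, mitm_view


if __name__ == "__main__":
    a, b, m = demo()
    print("Alice sees:", a)
    print("Bob sees:  ", b, "| match:", a == b)
    print("With swapped key Alice would see:", m, "| match:", m == b)
```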

At the moment, E2EE is without doubt the most reliable way of establishing safeguards and ensuring data security and privacy, but unfortunately not all companies provide it. This is because E2EE comes with some challenges that need to be overcome in one way or another.

(Image: UPI (Unified Payments Interface))

Security in UPI Payments

Not so long ago, your money-related transactions used to be between you and your bank. But with digitalization everywhere, usage of the UPI payment method has increased tremendously.

What is UPI?

UPI, or Unified Payments Interface, is a real-time payment system that instantly transfers funds between two bank accounts through a mobile platform. In effect, UPI allows multiple bank accounts to be accessed from a single mobile application. The system was developed by the National Payments Corporation of India (NPCI) and is regulated by the RBI and the IBA (Indian Banks’ Association).

(Image: How does UPI work?)

How does UPI work?

UPI uses your mobile number for identification. When you sign up for a UPI app, your phone sends a push SMS for verification purposes. This ensures that nobody can complete the verification by copying an OTP onto another device. The push SMS binds your device to your mobile number (this needs to be redone every time you change your device) and creates a virtual payment address (VPA).

UPI adds an extra layer of security by requiring you to create a PIN for your transactions. To create a PIN, you’ll need to input your card details and verify an OTP sent by your bank to your registered mobile number. Every transaction needs you to key in your PIN for authorization. Physical access to your phone will not be enough to make a transaction. This means that even if your phone is stolen, your PIN will still be needed to make transactions, and the money in your account stays safe.

So, regardless of which transaction mode or channel you use, the transaction can only be completed with the mobile device that was registered by verifying your mobile number via SMS, together with your PIN.

Key UPI features that boost security

The selling point of the UPI platform is that your money never leaves your account before your transaction is complete. There is no intermediate step where a third party receives access to your money. In short, UPI transactions are direct bank-account-to-bank-account transactions.

With apps like PhonePe or GPay, you only need the payee’s bank-linked mobile number to make a transaction, provided they are a PhonePe or GPay user too. This removes the need to share confidential details like the bank account number and IFSC code.

Conclusion

We are now living in a world where smartphones and the applications on them play a vital role in our lives. Each of us needs to know how our data is secured by the applications we use, and to what extent. Although there are various threats in sharing our data over the internet, it is for the individual to decide which data to share and which not to.

References

https://www.lifewire.com/what-is-end-to-end-encryption-4028873

https://heimdalsecurity.com/blog/start-using-two-factor-authentication/

https://www.businesstoday.in/buzztop/buzztop-feature/how-does-whatsapp-end-to-end-encryption-work/story/307998.html

https://blog.phonepe.com/how-safe-are-upi-payments-49149af4e634
