Prying eyes!

--

I was a software developer and team lead. Recently, I came across a certain hacker group who have some kind of invisible spying equipment.

I think that, going forward, no website should display any kind of keys, such as API keys. Even OTPs as they work today are problematic. Some of these hackers might even claim someone else’s accounts in hacker chat rooms by claiming someone else’s mobile number and announcing the OTPs. As a matter of fact, I suspect a lot of OTP thefts might have happened.

I like Microsoft’s approach of displaying a code on the screen, sending a request to the Authenticator app, displaying the code there and asking the user to approve or deny. Such Authenticator apps should be allowed to be logged in on only one mobile device. All websites should display login history and signed-in applications, and should allow MFA and signing off. If possible, real multi-factor authentication such as a YubiKey should be offered in addition to the Authenticator app.

And honestly, I don’t understand why Android sometimes shows clipboard content. Which era are you still living in, Google, in this particular aspect?

Cloud providers should not display API keys. The keys should instead be downloadable. Corporations can take care of how to encrypt them, and/or develop applications for pasting keys or passwords without typing them in and displaying them on screen.

For example, I use a USB drive that has both a USB-C connector for Android and a normal USB connector for my laptop. I keep a passwords file and use KeePass. Windows on my laptop does not display the password, but Android displays clipboard contents on long-press.

Also, the clipboard should be revamped so that, when copying content, a target application is selected and the clipboard’s content is available only to that targeted application. This way some cyber security threats can be eliminated.

More on this topic in future blog posts.
