'Zero trust' everyone on the internet

Mar 12, 2019

By Emmanuel Cliff Muganhwa

A friend, let's call him Brian, decided to advertise and sell his Sony smart TV on a once-popular e-commerce website in Uganda that we will call ‘X’.

He was promptly called by a ‘potential buyer’ and they agreed to meet at his home in Ntinda. Said fellow came with another ‘Sudanese’ man with dollars, and Brian invited them into his bedroom to view the asset on sale.

They promptly gave him dollars, and when he went to verify their authenticity with his dad in the next room, the two conmen disappeared with the TV, and left him with fake dollars in exchange.

Prior to that, while selling his phone on the same platform, he was lured to Entebbe, cuffed and robbed of his phone, wallet and other valuables, and left in a hotel room licking his proverbial wounds.

Brian's scenario is a common occurrence in Uganda today, and a visit to the police stations will tell you how much trouble we are in because of technology right now. It comes down to a weakness that most of us share, called ‘TOO MUCH TRUST’, which I suspect is a result of our cultural setting and lack of knowledge.

Technology is faceless and allows all of us to be and say what we are not. Most people do not understand how it works but are simply happy to use whatever free websites and platforms are offered on the internet, like Facebook, Twitter and WhatsApp, without looking at the repercussions.

In cyber security we have a term called ‘ZERO TRUST’. It is a simple concept that tells you not to trust anyone or anything because online, you do not deal with people, you deal with OBJECTS (yes, I said it). Each one is only as good as it claims to be, and unless you have a way of knowing who they are, you will also become their OBJECT.

We have all received a friend request or call from a ‘familiar’ account name or number and gladly replied without thinking twice because we see a familiar profile picture attached to it. Most times the same friend already has an existing account, and a con artist has replicated it to lure you into becoming their friend. They will ‘social-engineer’ you into releasing certain private information to them, send you emotional requests for help, use you to get to a friend they can con, and so on.
But have you paused to contact your friend to ask them why they are opening a new account?

In the case of companies, almost all cyber-attacks on their systems have happened because a single individual was compromised: tricked into clicking on an email with a fake link that helps the hacker, lured into installing a game or software that granted the bad guys back-door access to the company network, or profiled on social media, befriended by the bad guy and lured into providing critical information.

The one standard rule if you are using technology is to VERIFY anyone and anything. You can do several things to ensure that whoever gets in touch is who they say they are:

  1. If someone calls you on the phone and makes an unfamiliar claim, call them using a different line and pretend to be someone else. Most times they will either not pick up the call or they will try to identify themselves as someone else.

  2. Do not lay yourself bare on social media and other platforms: family photos, work tools, contact numbers and other personal details should be left out of your profiles and posts. That is where online profilers start to piece your private life together. If you cannot live without social media, at least go into the settings and turn on the privacy controls.

  3. Go through the new requester's friends list, and if you do not share at least 10 verifiable friends in common, do not accept their friend request.

  4. Companies need to urgently train staff to be on the lookout. Individuals are the greatest cyber security risk, and USER AWARENESS TRAININGS are key to resilience and will save you from any fallout from cyber-attacks. TRUST ME, it is not only money you will lose if you are compromised.

The Writer is a certified IT Systems Auditor
