Tuesday, April 30, 2024

Maya OS - Interesting Journey

There was a recent announcement of the release of Maya OS in India. I saw that news and got interested. There were a lot of comments on X as well about the fact that Maya OS is based on Ubuntu; the argument was that it should have been based on Debian, a more stable and secure platform. Being interested in the domain of security, I found this enticing, so I looked at it from different vantage points.

From a high-level view, I see a trend where a lot of nations are trying to get out of Windows OS. There was news of Germany and Russia treading the same path. Below is the list of reasons.

  1. Windows being a product of a US-headquartered company, there is a risk that the state administration can force Windows to behave in an adversarial fashion towards the rest of the world. This is not hypothetical. There are too many instances of the same, starting with financial sanctions on an outright adversary, to controlling the functionality of defense technology sold to allies so that it works only to the extent allowed by the state administration of the seller. One can argue that in very secure environments within a controlled network, it is difficult to exercise that level of control from outside. But as we move forward in time, we see operating systems needing more and more network features and some form of connection to the mother ship (the OS company) for upgrades or other aspects. It is operationally difficult to prevent payloads being passed from the mother ship to individual devices hosting the OS. A lot of nations and nation groups have launched their own GPS satellites for a similar reason.
  2. With so many devices hosting Windows, there is a lot of focus on it and a large surface area ready to be exploited by bad actors. With such a large pool comes a large pool of vulnerabilities.
  3. Countries using a specific OS within a small number of critical departments provide a very small surface area for a large number of attackers to exploit. Only dedicated and state-funded actors generally focus on attacking these devices. So you raise the cost of attack for the attacker: they can't pick an easily available vulnerability; rather, they will have to develop something by themselves.
  4. Reducing software supply chain risk is a big part of this effort, where the state should have a few options, some of them controlled by the state itself rather than by someone outside the state.
  5. Saving forex can be a motivator, but it is very low on the list, if at all. This is true especially when it comes to government departments. If some of these OSes turn out to be user friendly and the state is ready to allow civilian use, then saving forex for the general public becomes a decent motivation.

The Chaos

When I was looking into this topic, I found there is another OS called Bharat OS that was released some time back and is also in use in certain pockets. Bharat OS is trying to provide an alternative to Android. The reviews suggest BOSS version 9 and above are really smooth to work with. It is based on Debian. It was developed by a state-owned company called C-DAC. The same company is involved in the development and launch of Maya OS as well, which is an Ubuntu-based OS. The look and feel of Maya OS is very close to Windows 11. So it looks like C-DAC is releasing different operating systems to provide for different combinations of user experience and security. This will help ease the transition out of Windows. Maintaining an operating system is no easy task; managing more than one makes it even more difficult. This is going to be a journey for sure.

The Order

The intent seems right. There are a few thousand employees in C-DAC and the other partner organizations launching the operating systems. With that level of human resources, it should be possible to manage the OS and the journey. Looking at the history of this effort so far, I can see a few years have passed and there are versions released over time. So this doesn't look like a one-off release-and-forget. The initiative is very much alive. This opportunity creates a very large talent pool that has product development and management experience. I can see this will help software product development in other spaces as well. India has done well in the software services space, but not so much in software product creation so far. I can see initiatives like this helping on the software product creation side.

India had the option of not wasting time and money on such initiatives and keeping on using Windows/Android products just like most of the world does. They picked a hard but India-first kind of initiative. There are many other examples I see in the recent past, be it UPI development and use when they already had the VISA/Mastercard or even the RuPay network for payments. One-off right initiatives can be the result of chance. But when you see more than one thing going in the right direction, it gives you a sense of a nation starting to move in the right direction. We will see a lot of failures and missteps along the way. That is natural. As someone really smart said, "Failure doesn't matter, success does"; we will have to look for successes and not get bogged down too much by failures to see the trajectory of the nation. I think it is time to bet in favor of this country now.

Tuesday, January 9, 2024

Evolving phone scam landscape

A lot of us have heard of someone getting scammed over the phone. Typically it is the result of some action triggered by the scammer reaching out to the target via phone call, email or message. I have seen lots of instances where one of these channels was utilized.

Recently, I came across another type of attack where the scammer sets up a bait, then waits and lets the victim reach out to the scammer. The attack scenario is like this. The victim placed an order on a trusted website like Amazon. The order was paid for via credit card. Now, the victim didn't get the order, and the order suddenly disappears from the Amazon website. The initial part of the flow looks something like as shown below, wherein the trap is set up by scammers and then they wait for some issue to happen at a third-party retailer like Amazon and for the affected customer to call them.



With Amazon avoiding any good publicly known callback numbers, the victim ends up searching Google for the Amazon support number. The scammer, knowing Amazon's design choice to avoid a clean public number, puts up a fake number on websites that ends up showing up in Google search as the Amazon support number. This is the bane of Mobile-App-First/Internet-First companies: they fail to maintain, or deprioritize, a clean presence and clean information on other channels, sometimes not even having a website or proper phone numbers that are published and don't change frequently. There are numerous examples of this type of behavior by companies such as Uber, PayTM, etc. The victim finds this fraudulent phone number on Google and calls to check the order status and possibly request a refund. The scamster picks up the call and, using the phone number of the caller, immediately looks up the name of the caller via a public registry. The victim tells the scammer about the missing order and describes the order details. The scammer is able to find the price of the item described and relays back the charge along with the name derived from the caller's number. The flow is depicted in the diagram below.



By relaying back the name and amount associated with the order, scammers gain the confidence of the victim that they have reached the right support, even though they didn't get a callback from the retailer. As part of user security training over the years, it has been taught not to trust the call you get but always to call the publicly listed numbers yourself to make sure you are talking to the right people. The scammer then mentions that there is some system error that is causing the refund to the original payment method to fail. They send a message with a link to click in order to accept the payment. This link typically contains a malware payload. Since the confidence level of the victim is high, they do end up clicking the link, and the phone is compromised at this point. Now the scammer tells the victim that the payment is still failing and asks whether the victim can share other account details so those accounts can be tried for the refund. The victim shares another account's details, and the scammer triggers a payment using the victim's phone, which is now under the control of the scammer. OTP messages are generated and received by the victim's phone during the call, and those are read by the scammers. The victim still thinks that they didn't share any OTP with the person on the phone, so they are safe. This is another aspect of security training over the years. Scammers try to keep the victim on the phone as long as possible in order to show how helpful they are, and also to get as many accounts as possible and try to empty them out. These calls sometimes go as long as an hour. The victim did have some knowledge of scams and the basic knowledge to avoid them by not picking up calls from strangers and never sharing their OTP passcodes. Still, the fraud happened.

So far, we have covered the How of the attack. Now, let's get into Who is responsible for this. It would be naive to put the blame on one party in the flow. So what are the weak links or points of failure here?

  1. First and foremost is the user/victim. They have been trained to avoid clicking any link. They still did it and stayed on the call sharing accounts one after the other.
  2. The retailer is the next participant in this chain that is responsible here. The policy of leaving holes on older channels, either to save operational cost or to go after certain demographics, can result in those gaps being filled by bad actors. We know that technological change takes time in society. We know people keep switching between channels over time: paper-based mail, phones, fax, email, messengers, etc. But different demographics adapt to these channels at different paces. By just switching to the latest channel and avoiding presence on the old channels, the company might leave a certain demographic behind. Maybe they just want young customers. Whatever the reason for these gaps, they end up being the source of trouble. The other, bigger issue on the retailer side is the loss of data integrity. The sudden disappearance of an order from the supported app/website is big damage to trust. A canceled order, for whatever reason, is better than a disappeared order, where customers will get anxious and try to call support. The retailer does try to make the experience good enough that users never have to call support. But it doesn't happen. Good goal, but there are failures.
  3. Search engines are also responsible for the problem. This one is a little tricky. On one hand, search engines are just gathering information and distributing it without validation; that is the whole argument around the legal protections these platforms enjoy. I get that part. Where it gets tricky is that we know these platforms are starting to do more than just search-and-distribute functions. As part of the Covid misinformation spread, we have seen the content distribution channels start to filter or mark articles as not verified, or something similar, to stop the misinformation. The major search engines are moving towards AI capabilities, telling us they can and will be doing way more than just search and distribute. They apply a lot more checks to control the spread of misinformation.

Now let's cover the solution. The solution may involve more than one party.

  1. We will start with the first weak link: the user/victim. One of the strategies to help with the issue is user training, making them aware of these issues with dos and don'ts. But with an ever-evolving threat landscape, we can see that some of the guidelines can help them fail by giving false confidence when the attack changes. As we can see in the current scenario, the fact that the victims themselves called the scammer, heard some information they expected only the trusted retailer to be aware of, and never shared the OTP gave them false confidence. During the interview with the victim, it did come out that they saw the messages from the bank regarding the money transfer. But they were confident that no one could take the money out as long as they didn't tell the OTP to another person; this caused them to ignore all the red flags, continue on the call and support the scammer in trying other accounts. We know there is a lag between the start of training and its impact on the general population. These are generally multi-year cycles. It becomes even harder when you have to change the original training and the old teachings start to become a problem. Another aspect of user training is that it is important but not foolproof. Some users in certain tricky situations will always fail. So we will have to think of quickly updating the user security training content and distributing it fast. But we will still have to assume that this link can fail, and we need to tighten other parts of the flow as well.
  2. Retailers can take multiple actions to address this. First is to make sure the orders don't just disappear. We can understand that even retailers would not like this to happen. But the checks on their side need to be more stringent. As of now it is obviously a big known gap that scammers are trying to utilize. The second aspect is to provide contact information in easily accessible ways to force misinformation to be reduced. One way they can do it is to provide contact information in EV certs. If the information is easily available, the search engines of the world can utilize this and mark this information as verified.
  3. Search engines can utilize EV certificates or some other reliable source of contact information. There is a lot of talk about Digital Public Infrastructure. Clean and vetted contact information for business entities seems a good candidate for this Digital Public Infrastructure as a home. Search engines can utilize those in case the information is not present in EV certificates.
  4. Banks/financial institutions have an important role to play here. For one, they employ stronger fraud control technologies on the credit card side of the business than on the bank account side. Even in the case I interviewed, when the scammer tried to charge the credit card account, that was immediately declined. That means, from a technology perspective, there are tools that are effective against this kind of fraud but are not being utilized fully. Another aspect is that the use of SMS for OTP was developed as a second factor in multi-factor authentication schemes. But with a smartphone, where the caller is using the phone to talk and also receiving the SMS on the same phone, which is now compromised, it is not adding much value. Banks need to switch from SMS towards either hardware token devices or authenticator apps on the phone. Hardware token devices can present an operational challenge in terms of how many devices one will carry in case of multiple accounts at different financial institutions. An authenticator app on the phone still presents a nice compromise: in order to get the token, an additional user action is required, so the user does know that a token is being generated explicitly, and it is more difficult than just reading the SMS on a compromised phone.

Whatever combination is picked as part of the solution, there is an urgent need to address this. The issue is that what looks like just a financial crime/fraud is not limited to finance only. Financial aspects can sometimes be taken care of by insurance or other ways. The bigger issue I have observed is the loss of confidence, specifically in the elderly who went through this experience. That emotional blow is hard to come out of, is neglected, not spoken about much, and feels like shame to the victim forever. The other argument for urgent action is that, even leaving any morality aside, people in the higher age group generally hold a lot of wealth. If some of them lose confidence in dealing with money, they will avoid dealing with the actors in the system, and that will cause more financial trouble to the system than the original amount that was fraudulently taken away.