Wednesday, August 3, 2016

The hacking of the Telegram app and the vulnerability of relying on SMS as an authentication method

Yesterday (2 August 2016) there was news that the mobile phone numbers of 15 million Iranian Telegram users had been exposed and more than a dozen accounts compromised by hackers.

A chain is only as strong as its weakest link. This incident showed that SMS, which is commonly used as an authentication method in many online services including online banking systems, is vulnerable to compromise and could be the weakest link in a service's security measures.

Coincidentally, Focus Malaysia Issue 191 dated 29 July 2016 has also just discussed this vulnerability in its featured article titled "Overcoming The Two-Factor Vulnerability: When it comes to securing your web accounts, two-factor authentication using SMS is safer than just a standard password. But recent cases have shown that it might be time to move away from that."

Why is it not a good idea for online service providers to use SMS as a security measure?

Firstly, the sending and receiving of SMS depends on the telco service, which is totally outside the control of the online service provider. Therefore, the message is vulnerable to eavesdropping, hijacking, impersonation, replication, and other kinds of security breaches along its path from sender to receiver.

Secondly, technically speaking, personnel working in the telco can also easily manipulate the SMS, as the control is with them. This is very likely what happened to the Telegram users in Iran.

Thirdly, as mentioned in the article in Focus Malaysia, the code sent by SMS can be obtained using social engineering.

Fourthly, SMS is delivered to the phone. If the user loses a phone that has mobile apps for online banking, online stockbroking, etc. installed, and those apps use SMS for authentication, whoever gets the phone can easily take control of the user's accounts, unless the SIM card in the phone is immediately barred, which disables its SMS function.

In the case of the Telegram app, you can further secure your Telegram account by activating two-step verification, which will require your password at login in addition to your mobile phone number.

To activate two-step verification in the Telegram app, go to Menu > Settings > Privacy and Security > Two-Step Verification and set your recovery email there. Your email can then be your last resort to safeguard your account from hijacking.
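
A small model of the login check described above, added here as an illustration and not Telegram's actual code: with SMS as the only factor, anyone who obtains the code gets in, while with two-step verification the same code is rejected without the password. The `Account` class, the five-digit code, the `CODE_TTL` value and the use of PBKDF2 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 120  # seconds a login code stays valid (assumed value)

class Account:
    """Hypothetical server-side account record, not Telegram's implementation."""
    def __init__(self, password=None):
        self.salt = secrets.token_bytes(16)
        # Two-step verification is on only when a password has been set.
        self.pw_hash = self._hash(password) if password else None
        self.code, self.expires = None, 0.0

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 200_000)

    def send_sms_code(self, now=None):
        # The returned code stands in for the SMS; in real life it crosses the
        # telco network, which the service provider does not control.
        now = time.time() if now is None else now
        self.code = f"{secrets.randbelow(10**5):05d}"
        self.expires = now + CODE_TTL
        return self.code

    def login(self, sms_code, password=None, now=None):
        now = time.time() if now is None else now
        code, self.code = self.code, None          # single use, even on failure
        if code is None or now > self.expires:
            return False
        if not hmac.compare_digest(code.encode(), sms_code.encode()):
            return False
        if self.pw_hash is None:
            return True                            # SMS-only: the code is enough
        # Two-step: the code alone no longer suffices, the password must match.
        return password is not None and hmac.compare_digest(
            self.pw_hash, self._hash(password))

def code_alone_logs_in(two_step_enabled):
    # Constructed scenario: a third party holds the SMS code but no password.
    acct = Account(password="constructed-passphrase" if two_step_enabled else None)
    leaked = acct.send_sms_code()
    return acct.login(leaked)

if __name__ == "__main__":
    print("SMS only, code alone:", code_alone_logs_in(False))
    print("two-step, code alone:", code_alone_logs_in(True))
```
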







Monday, July 25, 2016

LED light bulb that fits in PLC downlight fixture

I have been wondering for a long time if the PLC downlights in my house that use CFL (compact fluorescent) bulbs can be replaced with LED light bulbs without much modification. Today, I've finally found the answer.

One of my PLC downlights is faulty and I need to replace its 18W CFL bulb. While searching for its replacement at the shop, I found this...


Yes, it is a PLC light bulb with a 2-pin base that fits the fixture of my downlight. Instead of CFL tubes, this product uses LEDs as its light source.

So, this is exactly the LED solution that I've been searching for for years. Even better, this kind of LED light bulb fits exactly into the existing PLC fixture, and no modification at all is needed.

This LED light bulb is more environmentally friendly than the CFL, as it contains no mercury. It also claims to have a longer lifespan than CFL, and to consume less electricity for the same lumen output. In addition, LED light generates much less heat than CFL. It is also said that LED light does not attract insects, which is a desirable feature. However, this LED bulb is a little bit more expensive than its CFL counterparts.

I have purchased one to replace the faulty CFL bulb. See it in action below:


Finally, I've found the solution for changing the PLC-based downlights at my house to the LED type.

I have been gradually changing the CFL bulbs with E27 base to the LED type, as LED lights with E27 base have been around for a few years.

Eventually, most if not all the lamps at my house will be LED based, as the CFLs are gradually replaced after they reach their end of life.

Sunday, July 24, 2016

Changed my car battery with The Battery Shop

I've just changed my car battery today with the service from The Battery Shop.

My old battery was still able to crank up the car engine, after serving for about 2 years. I decided to make an appointment with The Battery Shop for a free onsite check, after the car clock had reset itself to 12:00 twice and all the radio station preset memory had been lost once. Yesterday, the VST-706 voltmeter in my car showed an unstable voltage that kept changing within the range of 13.0V to 14.8V while the car was running.

2 young men arrived at my home right on time for the appointment. They called me about 40 minutes earlier to confirm the appointment before they came.

They checked my car's electrical system and informed me that the car alternator was working fine. They found greenish residue at the anode terminal of the old battery. The decision was then made to replace the old battery with a new Korean brand Atlas BX 75D23L sealed maintenance free (SMF) battery.

They kept my car engine running while changing the battery. The whole process took less than 5 minutes. All the settings and memory of the car's clock and radio system remained intact after the battery swap.

Here is my car's new battery, up and running in its place. With this new battery, the voltage supplied is now stable at around 14.2V when the engine is running.


The Battery Shop's onsite service (delivery, inspection and installation) in the Klang Valley area is free of charge. The 2 young technicians I met were polite and the job was professionally done. I was given a RM20 discount, and the new battery cost me RM310. This price is quite reasonable, as the 75D23L battery is of higher spec than the 55D23L and therefore carries a higher price tag.

The new battery comes with a 12-month warranty, with a warranty card and a car sticker. The technicians informed me that if they see this sticker on my car's windscreen during their next service, they will provide a RM20 discount for the next battery change.


I am aware that The Battery Shop is in direct competition with BateriKu. The brands that they carry are different, and the team is also different. If you prefer Atlas BX or GP, you can contact The Battery Shop; if you prefer Century, Yuasa or Astra, you can contact BateriKu.



