AarogyaSetu , India’s main contact tracing app which is developed by National Informatics Centre under the Ministry of Electronics and Information Technology and is widely downloaded by citizens these days, is again in limelight. This time the privacy threat is confirmed by “The Computer Emergency Response Team of India” (CERT) itself. According to CERT, phishing attacks in the name of Aarogya Setu is witnessing a “high rise” as attackers are impersonating the tools linked to the WHO for sending phishing messages and e-mails claiming users’ bank details, credit card details etc. The app which uses phone’s Bluetooth and GPS to store data of persons infected by COVID-19 reached 50 million downloads in just 13 days, according to NITI Ayog CEO, Amitabh Kant. The app is mandated by central government for its employees.
Besides the claims of its feeble privacy by the French Hacker few days back, this new revelation of threat has raised a novel conundrum among its users. Hackers are impersonating popular video platforms such as Zoom, Microsoft Teams, Google Meet and WHO through SMS, WhatsApp and e-mails to steal important personal details of users. Cyber attackers are using fake domains for fascinating victims and then sending links such as corona detected in a person in your vicinity, relief package, safety tips for corona, corona vaccine, corona testing kit etc. Some people being aware report these types of phishing messages but some unaware people get trapped and repent later on.
Few days back, French hacker Elliot Alderson on Twitter has also shared Aarogya Setu’s security flaws to which government retaliated by issuing a statement that app’s privacy features are quite secure.
Since the app is not backed by any regulatory law, citizens do not know how their personal information is processed. As a result, people have to bow before the privacy policies of government, though government has said that the data will be stored for 180 days and will be used for coronavirus tracking only.
CERT suggests that users should avoid clicking on dubious links, URLs, alluring packages, prizes, rewards, and practice safe browsing, anti-viruses, and firewall for better protection. Users should carefully observe domain names, spelling errors in e-mails, unknown e-mail senders to fullproof themselves against these attacks.
By Vivek Badoni
Member, Reporter’s Committee