How Fake BTS Attacks Steal Your OTP — And How to Protect Yourself

If you are receiving OTP via SMS for your bank transfers, logins, or reseting passwords, you must read this. This is a realistic hack happened in real life in many countries and cybercriminals has stolen a lot of money by this trick. Victims are any people who live in countries that still use 2G mobile network, use old phones with 2G network mode enabled by default, and has many things to be stolen.

1. What is 2G mobile network

2G (Second Generation) is one of the earliest digital mobile network technologies, introduced in the 1990s. Unlike the old analog 1G systems, 2G allowed phones to transmit voice calls digitally, making communication clearer and more secure than 1G. 2G was designed mainly for: Voice calls, SMS text messages and Very slow mobile internet (GPRS / EDGE).

Compared to modern networks today such as 4G and 5G, 2G has extremely limited bandwidth and weak security protections. Many security mechanisms used by 2G were created decades ago and are now considered outdated.

Why 2G Still Exists

Even today, many telecom providers still keep 2G active because:

Old feature phones still depend on it
Some IoT devices use it
Rural areas may rely on legacy infrastructure
Emergency fallback compatibility

However, this backward compatibility also creates a serious security problem.

2. What Is a Base Transceiver Station (BTS)?

A Base Transceiver Station (BTS) is the radio communication equipment that connects mobile phones to a cellular network. In simple terms, a BTS is the “cell tower” your phone talks to when you:

making calls
sending SMS
using mobile data
registering to the network

Every time your phone shows signal bars, it means your device is communicating with a nearby BTS.

MS — Mobile Station

The Mobile Station is the physical mobile phone, plus the SIM card identity inside it. Each MS has identifiers such as:

IMSI (International Mobile Subscriber Identity)
IMEI (device identifier)

These identifiers are important and fake BTS attacks often try to capture them.

BTS — Base Transceiver Station

The BTS acts as the bridge between your phones and the telecom core network. Its responsibilities include:

transmitting radio signals
receiving signals from phones
managing communication channels
broadcasting network information
forwarding traffic to the carrier network

A BTS usually covers a geographic area called a “cell.” When you move around, your phone constantly switches between BTS towers through a process called: handover, or roaming

How MS and BTS Communicate

The communication between phone and BTS happens over radio frequencies using GSM protocols. Basic flow is like so:

Phone searches for nearby BTS signals
BTS broadcasts network identity information
Phone selects the strongest or preferred tower
Phone registers itself to the network
BTS assigns communication channels
Voice/SMS/data traffic begins

In 2G GSM, the BTS continuously broadcasts:

MCC (country code)
MNC (carrier code)
Cell ID
supported encryption modes

The problem is that early GSM protocols were designed with a dangerous assumption: The phone trusts the BTS automatically. This becomes the core weakness exploited by fake BTS devices.

3. The Security Problem in 2G GSM

In modern 4G/5G systems, both sides, BTS and MS, authenticate each other. But in classic 2G GSM:

The network authenticates the user
The user does NOT authenticate the network

That means:

A fake tower can pretend to be a legitimate carrier
Nearby phones may connect automatically
Users often receive no warning

Attackers exploit this weakness by broadcasting a stronger signal than legitimate towers. Once the phone connects, the rogue BTS can:

Request IMSI identifiers: this means attacker can know your phone number without asking.
Downgrade connections from 4G to 2G for weaker encryption: this means attacker can read your SMS.
Intercept SMS: this means attacker can even impersonate you and send SMS to your friends, under your name.
Send phishing messages: attacker can impersonate other legit phone numbers, your boss’s number for example, to send you a link and require you to fill passwords

This is the fundamental mechanism behind IMSI Catchers and Fake BTS attacks.

4. What Is a Fake BTS (IMSI Catcher)?

Mobile phones are designed to automatically search for the “best” available cellular signal. In GSM/2G networks, your phone often prioritize connecting to BTS tower that has stronger signal. Attackers exploit this behavior by broadcasting:

Stronger signals than nearby legitimate towers
with Copied carrier information
with Attractive network parameters

To the phone, the fake BTS appears to be a normal carrier tower. Because classic GSM lacks proper network authentication, the device may connect automatically without warning the user.

IMSI stands for: International Mobile Subscriber Identity. It is a unique identifier stored inside the SIM card. An IMSI Catcher is named after its ability to trick phones into revealing this identifier. Once attackers collect IMSI numbers, they can:

Identify devices
Track movement
Target specific users

This is one of the first steps in many surveillance-oriented attacks.

5. Attack Setup (High-Level, No Harmful Instructions)

A simplified Fake BTS attack flow is like so:

Attacker activates rogue BTS equipment to be a fake tower
Fake tower advertises itself as a legitimate carrier
Nearby phones detect strong signal
Devices connect automatically to the tower with stronger signal
Then Fake BTS requests device identifiers and controls the communication process.

Depend on attacker’s purpose, the fake tower can:

Downgrade your phone from 4G to 2G: this is the most common technique for stealing OTP purpose.
Disable encryption: so attacker can read SMS content, which may contains OTP code.
Forward traffic to real networks: this is so called: Man-In-The-Middle attack, where attackers keep you communicating normally, but can eavesdrop everything.
Inject phishing SMS messages: you can receive SMS from your friend numbers, but actually that SMS is delivered from fake BTS tower, your phone just display it.

Below is a confiscated fake BTS, captured in public, by police, while doing above attack:

6. How to defend

Symptoms of a Possible Fake BTS Attack

Detecting a Fake BTS in real life is extremely difficult. Modern rogue base stations are designed to look almost identical to legitimate carrier towers, and most smartphones provide very little visibility into low-level cellular behavior. Still, there are several warning signs that may indicate suspicious activity.

Sudden Drop to 2G or “E” Signal

One of the most common indicators is your phone suddenly falling back from 4G/5G to 2G, commonly with the icon “E” instead “4G” on top-right corner of the phone screen. Attackers often force devices onto 2G because:

GSM security is weaker
Phones trust the network more easily
Encryption protections are cracked easily

A downgrade becomes more suspicious when 4G/5G coverage is normally strong in the area but the signal change happens unexpectedly, and, multiple nearby devices behave similarly.

Weak or Missing Encryption Indicator

In classic GSM networks, the BTS controls whether encryption is enabled. A rogue BTS can force weaker encryption, or request no encryption at all. Historically, some phones displayed warnings such as: “unencrypted network”, “ciphering disabled”. But today, most smartphones hide these low-level network details, so users rarely receive visible warnings. As a result, users may have no obvious indication that something suspicious is happening.

Reality: Detection Is Extremely Difficult

The uncomfortable reality is: Most users cannot reliably detect a Fake BTS attack. Reasons include:

Users do not understand how phone calls and SMS work in tech.
Smartphones show very little info about radio diagnostics.
Rogue towers can imitate legitimate carrier behavior.

Even cybersecurity professionals often require specialized equipment to investigate suspicious cellular activity. Advanced detection may involve using SDR (Software Defined Radio) analysis, Baseband Monitoring tools and Carrier database comparisons. But ordinary users typically have no easy way to confirm whether a nearby tower is genuine.That is one reason Fake BTS attacks remain effective even decades after GSM was introduced.

Mitigation Strategies

Due to it is unreliable to detect a Fake BTS, it is reliable to stay away from OTP sent via SMS. Use Authenticator app such as Google Authenticator, or Authy, for OTP is highly recommended. Beside of that, make sure to disable 2G on your phone if it still support 2G. Most of today mobile phone disable 2G by default, so if you are using old phone, let search on how to disable 2G on your phone model. Last but not least, Avoid login, resetting password, or doing bank transfer on public networks, only do it in your trusted places.

3 steps to avoid malicious mobile apps

Today, everyone has smart phones, from children to elders. Smart phones contains a bunch of applications that increase productivity in real life. Human today may spend time with smart phones even more than with human. Smart phones become a part of life, an accessories, and maybe secrets holder of everyone. People put almost everything in their phone, from photo, identity to bank accounts. This habit makes smart phones top priority target for hackers in hacking campaigns, to steal secrets, or simply money. These hacking campaigns usually exploit users’s low awareness or low knowledge about mobile app security factors. Android & iOS, as default, provide many mechanisms to protect users from getting hacked but the weakest point in the system is always human psychology. “Amateurs hack machine, Professionals hack people“. If you are afraid of hacking, this post is for you. This post hopefully can guard your mind up to defense against one of the highest risk factors in Internet era: cybercriminal.

Most of cyber security incidents – aka get hacked – known in public begins from a very non-technical step and can be performed by anyone, named Social Engineering. Social Engineering is a type of manipulation where someone tricks people into giving away sensitive information, access, or money—by exploiting human psychology rather than hacking systems. To steal data from your phones, 99% of time, hackers need to trick you to install malicious applications. Malicious applications, once installed, will silently steal data and send back to hackers. So, just by acknowledging which app can be malicious, you already get you safe 99%. The rest 1% is involved to Zero Day exploitations, which are real hacking, require top-notch hacking knowledge and skills, but will not be mentioned in this post. For more understanding about Zero Day exploitations, you can subscribe here then the-tech-lead.com will inform you when there is any article available.

Here we back to How to know if a mobile app is malicious!

1. Double Attention on download source

As a golden rule for mobile applications, only download from trusted store which is PlayStore and AppStore. PlayStore and AppStore is pre-installed on any Android or iOS smartphones. For any applications, only download from PlayStore app (for Android phones such as Samsung, Pixel, Nexus, etc) and AppStore app(for iPhones). Do NOT install any applications outside these 2 official stores, regardless any reasons, urgency or who tell us.

For Android world, mobile applications are written in Java and Kotlin language, exported as APK files (file has extension .apk). This .apk files then be signed with digital signature of its owner – who registered as developer on PlayStore with their legal information. This process is essential as it can tell who actually behind an application, and if we has evidence about any malicious activities, we know who to sue. The information of who develop certain application can be found at section “App Support” under its logo.

APK files can be installed directly to Android phone via user’s explicit grant. Users can tap to .apk files stored in their phone (inside Download folder, or Document folder for example), a popup will display asking installing permission. If user grant it, the .apk will be installed. This process usually is for developers to test applications before submitting to PlayStore. For regular users, this process is an absolute indicator for a malicious application. So if someone, for any reason, tell you to do these steps manually, don’t trust them and report them to police asap. Typical trick flow is like so:

You are on Social Network such as Facebook, seeing a post tell that install an application to get free 1000USD as a reward for its early users.
You click on download link, your phone download it into Download folder
You follow “installation guide” written next to download link, saying that you open Setting app, enable “installation app from unknown source”, then open Download folder, tap on APK file.
Your Android phone show a popup telling you that APK is from unknown source, but according to the guide, it tell you just press Accept.
Then the malicious APK is installed then it steal your data.

Similarly, on iPhone world, iOS applications are written in Swift and ObjectC language, and exported as .ipa file. IPA files can be installed via the App Store or through developer tools like Xcode. Usually, we can’t freely install IPA files unless the app is signed with a valid certificate or the iPhone is registered for development. But there is still a trick that hacker can trick users to install malicious IPA files: via TestFlight abusing. TestFlight is Apple’s official tool for distributing beta (testing) versions of iOS apps before they go public on the App Store. Developers use it to invite testers, collect feedback and fix bugs before release. TestFlight is legit—but it can be abused in social engineering attacks. Typical trick flow is like so:

Someone impersonates a bank employee, call you, tell exactly your name, your address, and saying “Your bank account is in legal risk due to a transfer from criminal gang” or “Police is screening your account because they think you laundry money”, with urgent, serious, and a bit threaten.
Then they sent you a link to install their internal iOS app to prove that you are innocent.
You tap on that link, iPhone redirect you to TestFlight app because it is TestFlight invitation link and your iPhone does not have TestFlight installed
Then you are told to tap on the link again, this time the fake application is installed to your iPhone, via TestFlight
The fake app looks the same to bank’s official application so you have no doubt
But the app then steal data from your iPhone, or trick you to fill username, password, even OTP and CVV number

2. Make sense of app permissions

When users smart enough to not install app from untrusted source anymore, hackers may use level 2 of malice: Camouflage. Typical hacking plan is like so:

This time, hackers develop or purchase normal mobile application source code then publish via PlayStore and AppStore normally.
Because it is normal, PlayStore & Appstore accepts and make it available.
Then hacker send next updates for the normal application, with new features requiring some system permissions such as: read contact list, read call logs, read gallery, read GPS, etc…
Hackers advertises that app with awesome features that can make outstanding outcomes, right in need of some users.
Then with curiosity, users install the app, from PlayStore, or AppStore depends on their phone OS.
The app requires user to grant quite a lot permission but users usually don’t care and don’t understand so just accept it.
Then the app steal call logs, photos, location data, etc …, from the phone, thanks to user’s grant.

Both Android & iOS has default safeguard to protect user’s privacy. Every application, as default, can not access to sensitive data on smart phone. For example, if an application want to read some photos, developer – who is making that application – must register “Access Gallery” permission. Then whenever the application want to use this permission, the operating system (Android / iOS) will display a message asking users to grant that permission. When granted, application now can see photos in the phone. Similarly, other sensitive info such as call logs, GPS, and many more also requires user grant permission before the app can actually read data. To know an application want what permission, we can check right on PlayStore for Android app, and AppStore for iOS app.

How to check Permissions of Android application

Before installing:

Open the app page on the Google Play Store
Scroll down to “App info” → “Permissions”
Tap “See more” to view full details
Check what the app can access:
- Location
- Contacts
- Storage
- Microphone, etc.

After installing:

Go to Settings → Privacy → Permission Manager
Select a permission (e.g. Location)
See which apps are using it
You can:
- Allow
- Allow only while using
- Deny

👉 Tip: Android also shows permissions during first use, so don’t just tap “Allow” automatically.

How to check Permissions of iOS application

Before installing:

Open the app page on the App Store
Scroll to “App Privacy” section
Review what data the app may collect:
- Location
- Contacts
- Identifiers
- Usage data
- etc …

After installing:

Go to Settings → Privacy & Security
Tap a category (e.g. Location, Photos, Microphone)
Select the app
Choose access level:
- Never
- Ask Next Time
- While Using
- Always (for location)

Review these permission carefully. Anticipates which features need it. If there is too much permissions comparing to expected features, it is a red flag.

Here’s a practical mapping of common Android & iOS permissions you’ll see on the Google Play Store, AppStore and the features that legitimately use them. This helps you judge whether a request makes sense.

Android Permissions & Legit Features use them

Permission	Legit Features	Suspicious If …
Read Contact, Write Contact	Messaging apps (find friends) Contact backup/sync Invite friends feature	Suspicious if a simple game or flashlight asks for this
Read Call Log, Read Phone State	Caller ID / spam detection apps Dialer & call management	Suspicious if: unrelated apps request call history
Read SMS, Send SMS	Messaging apps OTP auto-fill	High Risk: can intercept verification codes Recommend: NEVER download
Access Fine Location, Access Coarse Location	Maps & navigation Ride-hailing / delivery Weather apps (local forecast)	Suspicious if: calculator or offline app asks for precise location
Read External Storage, Media Access	Upload photos (social media) File managers Image/video editing apps	Suspicious if: app doesn’t handle files but asks access
Record Audio	Voice messages / calls Recording apps Voice assistants	Suspicious if: no voice feature exists
Camera	Taking photos/videos QR/barcode scanning Video calls	Suspicious if: app has no visual capture feature
Notification access	Notification managers Smart reply apps	High risk: these app can read OTPs and messages, Recommend: NEVER download
Accessibility Service	Screen readers (for visually impaired) Automation tools	High Risk: these app can control screen, read inputs, commonly abused in scams Recommend: NEVER download

iOS Permissions & Legit Features use them

Permission	iOS Permission Name / Key	Common Legit Features	Suspicious If…
Contacts	Contacts (NSContactsUsageDescription)	Messaging, contact sync, invite friends	Game or simple app requests it
Location (GPS)	Location (NSLocationWhenInUse / Always)	Maps, ride-hailing, delivery, weather	App doesn’t need location
Photos / Media	Photos (NSPhotoLibraryUsageDescription)	Upload images, editing apps	App doesn’t use images/files
Camera	Camera (NSCameraUsageDescription)	Photos, video calls, QR scanning	No camera-related feature
Microphone	Microphone (NSMicrophoneUsageDescription)	Voice calls, recording, voice input	No audio-related feature
Bluetooth	Bluetooth (NSBluetoothAlwaysUsageDescription)	IoT devices, wearables, accessories	App has no hardware/device interaction
Notifications	Notifications (UNUserNotificationCenter)	Alerts, messages, reminders	Spammy or excessive notifications
Tracking	App Tracking Transparency (ATT)	Ads personalization, analytics	App unrelated to ads asks for tracking
Local Network	Local Network (NSLocalNetworkUsageDescription)	Smart home, device discovery	No local device interaction
Motion / Fitness	Motion (NSMotionUsageDescription)	Fitness apps, step tracking	App unrelated to activity tracking

Simple rule to evaluate permissions

When you are considering to install a new mobile application:

Anticipate what functions that app may have,
Check the Permissions that app requires
Then ask yourself: “Does this feature really need this permission?”

If there are permissions that is not aligned with expected functions:

Then slow down, don’t rush to install for whatever reason.
Find alternative applications, compare Permissions among them.
If you not sure but want to check the app, use Emulators to test it first. Emulators is virtual smart phones and can be created via tools such as Genymotion, VirtualBox and a few others. Emulators is isolated environment and do not contain your data.
If you know any experts in cybersecurity field, ask them for advise.

3. Monitor phone’s performance

Welcome to the level 3 of malice: Zero Day Exploitation

Thanks to strictly review process of AppStore and PlayStore, most of malicious mobile app is banned. But optimism is not a recommended character in cybersecurity field. Zero Day is vulnerabilities that is unknown by public, even among experts, and in fact, they are weaponized by many governments as a national strength.

Android & iOS itself is softwares. Softwares might have bugs and security holes. These vulnerabilities is actively hunted by experts in cybersecurity industry and sponsored by governments. Once a Zero Day is discovered, it becomes a secret weapon for cybercriminal groups to attack or infiltrate system on over the world. Mobile app is not immune. If there is some vulnerabilities in operating systems, here is Android or iOS, then it will be the target for level 3 of malice.

Although it is rare, but it still a case for us – regular users – to keep an eye on. After install an application from Google Play Store, or AppStore, pay attention on device performance:

whether it get slower,
or hotter,
or get lagged
or any abnormal behaviors.

Vulnerabilities has many forms, it is hard to explain on a single post here but many of its form create a lot workload on device, as a try to exploiting, so it may make the phone slower, hotter, or lagged.

Example: a well-known Spyware

One of the most well-known cases of this level 3 of malice involves commercial spyware: Pegasus, developed by NSO Group. This spyware has successfully stolen sensitive data on user’s phone often without any visible permission prompts. The trick flow is like so:

NSO Group Deliver Pegasus via app or link. Target users receives a message that trick them to install the app. The app looks absolutely normal since it require minimal permissions.
Once installed, Hidden zero-day exploit triggers. The app, or content inside it, exploits an unknown vulnerability in Android.
Privilege escalation: The exploit gains deeper system access than normal apps should have and bypasses Android’s sandbox protections.
Silent data access: then NSO Group can access Messages, Camera / microphone, Location without user’s awareness

This attacks are extremely expensive and used for targeted surveillance, not mass scams. Once the exploit method is discovered, it can be quickly patched by developers behind Android & iOS system. But the problem is it really hard to discover.

There isn’t just one single CVE for Pegasus. It has used multiple zero-day vulnerabilities over time, often chaining several together. Here are some of the most well-known ones:

Notable CVEs linked to Pegasus campaigns

1. FORCEDENTRY exploit chain (2021)

CVE-2021-30860
Affected: iOS (Apple devices)
Type: CoreGraphics / PDF parsing vulnerability

What it did:

Delivered via iMessage (no user interaction needed)
Exploited how the system processed malicious image/PDF data
Led to full device compromise

👉 This was one of the most advanced zero-click exploits ever discovered

2. WhatsApp exploit (2019)

CVE-2019-3568
Affected: WhatsApp on Android & iOS
Type: buffer overflow in VoIP call handling

What it did:

Attacker placed a WhatsApp call
Even if you didn’t answer → exploit could trigger
Installed spyware silently

3. Chrome sandbox escape (used in chains)

CVE-2020-6418
Affected: Google Chrome (Android)

What it did:

Used as part of a chain to escape browser sandbox
Combined with other bugs to gain deeper access

4. KISMET (suspected chain, 2020)

No single confirmed CVE publicly disclosed
Targeted iMessage (iOS 13)

What it did:

Zero-click exploit (no interaction)
Predecessor to FORCEDENTRY

To understand more about these CVE in the future, please subscribe so when the-tech-lead.com post any, you will be informed. Each of CVE deserves a long post itself.

9 habits that make you unsecured on Internet (and how to protect yourself)

In the digital age, personal data is an extremely valuable asset. However, many people unintentionally expose their own information due to habits that seem harmless. Below are common habits that make you vulnerable to data theft—and that you should stop immediately.

1. Using Weak or Reused Passwords

This is the most common mistake in personal security. In many data breach cases, users were found using extremely simple passwords like “123456” or “password”. Others create passwords based on personal information, making them easy to guess.

There are many tools in cybersecurity designed to guess passwords using personal data by trying all possible combinations—this technique is known as brute force.

In addition, reusing the same password across multiple platforms makes things much worse. If one account is compromised, all others are at risk.

Best practice:

Use passwords with at least 10 characters
Avoid personal information
Combine letters, numbers, and special characters

2. Saving Passwords in Browsers

Browsers like Chrome and Firefox offer password-saving features for convenience. However, this habit carries risks.

If these browsers have undiscovered vulnerabilities (known as zero-day vulnerabilities), attackers could potentially steal stored passwords.

Also, when using shared computers—such as in internet cafés, print shops, or even your workplace—you should never save passwords. Others may access your accounts through stored credentials.

Safer alternatives:

Memorize important passwords
Use encrypted password managers with biometric authentication
Always log out after use, especially on shared devices

3. Connecting to Unsafe Public Wi-Fi

Free Wi-Fi at cafés or airports is often poorly secured.

Common risks include:

Weak encryption:
If a network uses WEP or WPA, avoid connecting. These encryption methods are outdated and easily cracked.
The minimum safe standard today is WPA2 or higher (as of 2026).
Evil Twin attacks:
Attackers create fake Wi-Fi networks with the same name as legitimate ones. If you connect, they can monitor your activity or steal login data.
Unnecessary data collection:
Some Wi-Fi networks request personal information through surveys—you can usually skip this step.

4. Clicking on Suspicious Links (Phishing)

Phishing is one of the most common ways attackers steal data. It relies on psychological manipulation to trick users into revealing information or installing malware.

Common phishing scenarios:

Fake banking emails that tell your account has some problems.
“You’ve won a prize” messages
Fake login pages of others popular websites

To avoid be fooled, you must always double check the domain name on the url. A simple trick is you should search the business name on google and call their customer support to confirm situation.

5. Installing Apps from Untrusted Sources

Applications downloaded from unofficial sources may contain malware designed to steal data.

Attackers often disguise malware as:

Free “useful” software
Cracked versions of paid tools

Trusting unknown sources can lead to data theft or even ransomware.

Stay safe by:

Downloading software only from official websites
Verifying sources before installing

6. Oversharing on Social Media

People today spend more time on social media platforms like Facebook, TikTok, and X than in real life.

Sharing too much personal information can be dangerous. Scammers can collect:

Your name and location
Friends and family connections
Habits and interests

This information can be used for scams, impersonation, or malware attacks.

Even more concerning, modern AI can generate fake images or sensitive videos using just a few photos of your face.

Protect yourself by:

Limiting personal information shared online
Avoiding posting sensitive content
Enabling profile privacy settings

7. Not Enabling Two-Factor Authentication (2FA)

Many popular platforms like Gmail, Facebook, and X offer two-factor authentication (2FA).

This feature adds an extra layer of security by requiring:

OTP codes sent to your phone
Biometric verification

Even if your password is compromised, attackers still cannot fully access your account.

However, 2FA is often disabled by default.

Action step:
Review your accounts and enable 2FA as soon as possible.

8. Not Updating Software & Using Cracked Versions

Outdated software often contains serious unpatched vulnerabilities that attackers can exploit.

Many people think updates are only for:

New features
Better UI
Performance improvements

But the most important purpose is security patching.

Each update typically:

Fixes known vulnerabilities
Blocks new attack methods
Strengthens system defenses

Without updates, you may be using software with publicly known exploits.

In some cases, simply opening a malicious image, audio file, or website can infect your system through these vulnerabilities.

Best practice:

Always update to the latest version
Avoid cracked software—they may include hidden malware

9. Ignoring App Permissions

Many apps collect more data than necessary, but users often ignore this.

On app stores, applications must declare required permissions—but most users simply tap “Allow” without review.

This habit may result in:

Sharing personal data unnecessarily
Giving apps access to sensitive system features

Stay in control by:

Reviewing permissions before installing
Avoiding apps with excessive or unrelated access requests
Checking reviews or consulting experts if unsure

Conclusion

The habits that lead to personal data exposure are often small—but the long-term consequences can be severe.

By recognizing and correcting these behaviors, you can significantly improve your cybersecurity awareness and avoid unnecessary risks on the Internet.

6 entrances that hackers use to infiltrate your company

If you are a business owner, you are likely no stranger to news about data breaches causing millions of dollars in losses across companies in all industries. The leaked data could be your customers’ information, and sometimes even employee login credentials for your internal systems. Regardless of the type of data, assessing and reviewing vulnerabilities is always a critical step for every company—especially in today’s digital era.

However, security vulnerabilities are an extremely complex concept and not easy to grasp, which makes them difficult for business owners and their teams to identify. While it is hard to pinpoint exact vulnerabilities, it is much easier to block the sources that commonly lead to them. Therefore, this article will highlight several common sources of serious security vulnerabilities and suggest solutions to strengthen security for you, your company, and anyone working in the modern digital age.

1. Outdated Software

Every business today uses various software tools to automate and optimize workflows—such as Chrome, Word, Excel, Photoshop, PDF readers, and many specialized tools. These software products are developed by different developers, who may or may not have strong expertise in security. As a result, features may contain vulnerabilities that even the creators are unaware of.

Software is constantly updated, and many updates include patches for bugs and security flaws. However, most people tend to stick with older versions or hesitate to update—sometimes simply because they are unaware of new releases. This habit can leave systems exposed to unpatched vulnerabilities, making them easy targets for hackers.

Information about known vulnerabilities can even be bought and sold on black markets, including the dark web and deep web. This makes outdated software a highly attractive entry point for attackers. Therefore, always keep your software up to date to reduce security risks.

2. Outdated Windows Operating System

Older Windows versions such as Windows 7, Windows XP, or unsupported Windows Server editions are prime targets for hackers. This is because Windows itself is a collection of system-level software components, many of which may contain unpatched vulnerabilities over time.

Taking advantage of users’ reluctance to upgrade, many hacking campaigns successfully infiltrate systems running outdated operating systems through known exploits. The consequences can include data loss, ransomware attacks, remote surveillance, and privacy violations.

To stay safe, regularly update your Windows system and only install applications from trusted sources.

3. Cracked Software

Cracked software often contains malware or hidden backdoors that can take control of your system. Many users prefer free software, and paid software is frequently cracked by hackers to bypass licensing.

However, downloading cracked versions from the internet is extremely risky. You have no way of knowing who modified the software or whether malicious code has been injected. Many cyberattacks originate from installing cracked software embedded with viruses or backdoors.

Whenever possible, use licensed software and keep it updated to avoid both malware and vulnerabilities in outdated versions.

4. Self-Developed Websites

Most companies today maintain their own websites to establish an online presence. Many also have internal IT teams responsible for building and maintaining these systems.

Just like external software, internal development teams may lack sufficient expertise or experience in cybersecurity. This reality often leads to unnoticed vulnerabilities within company-built systems. These weaknesses may exist in the operating systems, third-party libraries, or even in the system design itself.

To mitigate these risks, companies should continuously invest in security training for their IT teams. In urgent cases, hiring professional penetration testing (pentest) teams to audit and identify vulnerabilities is highly recommended, although it can be costly.

5. Email Phishing Attacks

Phishing emails are one of the most common methods used to compromise business accounts. These attacks require minimal technical skill but are highly effective because they exploit human psychology and general lack of technical awareness.

Common tactics include impersonating banks, government agencies, or reputable companies to trick recipients into entering login credentials or sharing OTP codes. In other cases, phishing emails disguise themselves as legitimate software downloads but actually contain malware.

Many businesses have customer support staff who may lack sufficient cybersecurity awareness, making them easy targets. Simply training employees is often not enough, as phishing techniques are becoming increasingly sophisticated.

6. Weak Operational Processes

Poorly controlled internal processes can allow hackers—or even insiders—to gain access to sensitive information. Some global cybercriminal groups have even deployed insiders by infiltrating companies as employees to create internal backdoors.

Companies with weak hiring, monitoring, and access control processes are especially vulnerable. Large multinational corporations face higher risks due to their scale, but small and medium-sized businesses are not immune—especially from competitors.

To reduce these risks, companies should enforce strict access control policies, granting employees only the permissions they need—and only for a limited time.

Conclusion

Prevention is better than cure. Identifying and addressing security vulnerabilities early is essential to protecting your company’s data, finances, and reputation.

How to compete with generative AI as a software engineer ?

Before the decade of AI bursting, software engineering is mostly about writing code that realize requirements. Software Engineers, at some extent, act like a translators between human languages and computer language. This translation today can be accomplished by many generative AI products in seconds and from my observation, generated code has pattern even better than code written by most of developers. It is understandable when companies begin laying off employees that does not match existing AI. It is just a cost optimization – vital part of every business – and also a coldest truth of this life, might be !

What is generative AI good and not good at ?

Recall the flow that each software engineer has to do daily is:

Receive requirements -> Review current state of source code -> Define a target state of source code -> Retrieve information from documents of related tools, libraries and solutions -> Pick solutions -> Actually write code -> Aligning new code to existing code -> Deploy -> Testing -> Measuring results -> Read error messages -> Debugging.

Some steps of this flow is done better by generative AI, and some is better by human:

Steps	Description	Winner and Why
Receive requirements	to capture goals, constraints, acceptance criteria, performance, security needs, and stakeholders’ expectations.	Human Reason: human are better at eliciting ambiguous needs, negotiating trade-offs, and asking the right follow-ups with stakeholders. AI can help by summarizing long requirement documents and suggesting missing or inconsistent points.
Review current state of source code	to read codebase, architecture, tests, docs, build scripts, dependencies, and CI config.	Human + AI Reason: AI can quickly index, summarize files, find patterns, risky hotspots, and generate dependency graphs. But humans provide domain knowledge, historical context, and recognize subtle intent (business logic, quirks, trade-offs).
Define a target state of source code	to design the desired architecture, interfaces, data flows, APIs, and acceptance criteria for the new state.	Human + AI Reason: AI can propose multiple concrete design options, highlight trade-offs. Humans must pick the option that fits non-technical constraints (policy, team skill, product strategy).
Retrieve information from documents of related tools, libraries and solutions	to find API docs, migration guides, best practices, configuration notes.	AI Reason: AI can extract key steps, call signatures, breaking changes, and produce concise examples from long docs much faster than manual reading. Humans validate and interpret edge cases.
Pick solutions	to select libraries, patterns, and implementation approaches considering performance, security, license, team skills.	Human Reason: human decision-makers must weigh organizational constraints, long-term maintenance, licensing, and political factors.
Actually write code	implement features, refactor, add tests, update docs.	AI Reason: AI excels at generating boilerplate, test stubs, consistent code patterns, and translations across languages.
Aligning new code to existing code	ensure style, APIs, error-handling, logging, and patterns match the codebase; maintain backward compatibility.	Human + AI Reason: AI can automatically reformat, rename for consistency, and propose refactors to match patterns; humans confirm that changes don’t break conventions tied to tests or runtime behaviors.
Deploy	push to staging/production, run migration scripts, coordinate releases, rollback plans.	Human Reason: Humans must coordinate cross-team tasks, business windows, and incident response. AI/automation is excellent at packaging, CI/CD scripts, and repeatable deployment steps.
Testing	Run the application locally and manually verify that new changes behave as expected.	Human Reason: Manual testing relies heavily on intuition, product knowledge, and human perception (e.g., UX feel, layout issues, unexpected delays, weird state transitions).
Measuring results	monitor metrics, logs, user feedback, testing results, and define success signals.	Human + AI Reason: AI can detect anomalies, summarize metrics, and surface correlations. Humans decide what metrics matter, interpret business impact, and choose next actions.
Read error messages	analyze stack traces, logs, exceptions, and failure contexts.	Human + AI Reason: AI quickly maps errors to likely root causes and suggests reproducible steps. Humans provide context (recent changes, infra issues) and confirm fixes.
Debugging	reproduce issues, step through code, identify root cause, fix and validate.	Human Reason: AI speeds discovery (identifying suspicious diffs, suggesting breakpoints, generating reproducer scripts), but complex debugging often needs human insight into domain rules, race conditions, and stateful behaviors.

How to compete with generative AI to secure the career as a software engineer ?

Similar to the Industrial Revolution and Digital Revolution, where labors is replaced by machines, some jobs disappeared but new jobs got created. And at some extent, AI, is just another machine, huge one, so, essentially, we are still in the Revolution of Machine era.

The answer for this question is that we need to work on where this huge machine cannot. So far, at the moment of this post, what we can do to compete with AI in software development are:

Transit to Solution Architect

As AI becomes strong at writing code, humans can shift upward into architectural thinking. A Solution Architect focuses on shaping systems, not just lines of code. This involves interpreting ambiguous requirements, negotiating constraints across teams, balancing trade-offs between cost, performance, security, and future growth. AI can propose patterns, but only a human understands organizational politics, legacy constraints, domain history, and long-term impact. By moving into architecture, you operate at a layer where human judgment, experience, and foresight remain irreplaceable.

Become Reviewer / Validator

AI can produce solutions quickly, but it still needs someone to verify correctness, safety, and alignment with real-world constraints. A human reviewer checks assumptions, identifies risks, ensures compliance with business rules, and validates that AI-generated code or plans actually make sense in context. Humans excel at spotting hidden inconsistencies, ethical issues, and practical pitfalls that AI may overlook. Becoming a Validator means owning the final approval — the role of the responsible adult in the loop.

Become Orchestrator

Future engineers will spend less time typing code and more time coordinating AI agents, tools, workflows, and automation. An Orchestrator knows how to decompose problems, feed the right information to the right AI tool, evaluate outputs, and blend them into a coherent product. This role requires systems thinking, communication, and the ability to see the entire workflow end-to-end. AI is powerful but narrow; an Orchestrator provides the glue, strategy, and oversight that turns multiple AI capabilities into a real solution.

Study Broader knowledge

AI is good at depth — consuming a specific library or framework instantly — but humans win by having breadth. Understanding multiple domains (networking, security, product design, compliance, UX, devops, data, hardware) allows you to make decisions AI cannot contextualize. Breadth lets you spot cross-domain interactions, anticipate downstream consequences, and design better holistic systems. The more wide your knowledge, the more you can see risks, opportunities, and real-world constraints that AI cannot infer from text alone.

Expertise in task description

In an AI-driven era, the most valuable skill is the ability to turn a messy idea into a clear, precise, constraints-rich task. This includes defining scope, edge cases, success criteria, and architectural boundaries. AI is only as good as the instructions it receives — so those who excel at describing tasks will control the quality of AI output. Humans who master problem framing, prompt engineering, and requirement decomposition gain leverage: they make AI more accurate, faster, and more predictable than others can.

Business Analyst

The heart of value creation lies in understanding the business, not writing the code. AI cannot replace someone who knows market dynamics, user behavior, budget constraints, prioritization logic, risk tolerance, stakeholder psychology, and regulatory boundaries. A Business Analyst bridges the gap between technology and real-world value. They decide why a feature matters, who it serves, how it impacts revenue or cost, and what risk it introduces — areas where AI can help, but not replace the human nuance needed.

Pentester

Security is one of the hardest domains for AI to master fully because it requires creativity, unpredictability, street knowledge, and adversarial thinking. A pentester does more than run scanners — they exploit human behavior, spot surprising vulnerabilities, and think like an attacker. Humans who understand security fundamentals, threat modeling, social engineering, and advanced exploitation techniques will stay in demand. AI helps automate scanning and code analysis, but a creative pentester stays ahead by understanding motives, tactics, and real-world constraints.

Essentially, it is to use AI as a super-assistant
that can write code very well
to realize our intentions.

A must read before start learning AI

Natural Language Processing (NLP) is a major research field of AI and to almost developers, it sounds like a miracle. Lately I have an interest in this field since the noticeable viral news of GPT-3 model. I decided to learn to make use of it as a tool before somehow it will replace developer job in the future as many predictions from many illustrious figures. But the more I study about it, the more nothing I know. There are too many background knowledge to know before understanding each word on the GPT-3 paper. Below is a quick summary about works behind the scene that hopefully useful to developers like me who wants make a leap to catch up with the AI progress.

List of keywords

It is inevitable long and exhausting journey to make sure we can understand fairly basic about below terms:

Convolutional Neuron Network, Recurrent Neuron Network, Activation Function, Loss Function, Back Propagation, Feed Forward.
Word Embedding, Contextual Word Embedding, Positional Encoding.
Long – Short Term Memory (LSTM).
Attention Mechanism.
Encoder – Decoder Architecture.
Language Model.
Transformer Architecture.
Pre-trained Model, Masked Language Modeling, Next Sentence Prediction.
Zero-shot learning. One-shot learning, Few-shot learning.
Knowledge Graph.
BERT, GPT, BART, T5

What exists before BERT and GPT ?

There was a lot of researches and works existed in NLP field. Work on NLP field means to solve below common Tasks:

Tagging Part of Speech.
Recognising Named Entities.
Sentiment Classification.
Question & Answering.
Text Generation.
Machine Translation.
Summarization.
Similarity Matching.

SpaCy and NLTK is two most famous libraries in NLP field that provide tools, frameworks and models solving a few Tasks above, but not everything. Each Task usually had its own model and there is no reusing or transferring between models, until the Transformer Architecture is published. With its amazing performance and ability of Transformer Architecture, researchers begin to think about using this architecture to perform above NLP tasks, to have one single model can do it all. And the result is the BERT and GPT models which both are using Transformer. A fact is that, BERT is powering the Google search engine, and GPT-3 is the one powering ChatGPT application. There are also more applications making used of these models can be found around Internet.

Some Core Challenges when doing NLP

No matter what method is applied, the challenges that forming the NLP field is still the same:

Computer does not understand words, it understands numbers. Find a method to convert each word in a sentence into a vector (a group of numbers) that: given 2 words with similar meanings, 2 vectors can have a close-distance to present the similarity.
Given a sentence with many words and variable length, find a vector can present the sentence.
Given a passage with many sentences and variable length, find a vector can present the whole passage.
From a vector of a word, sentence or passage, find a method to convert it back to words/sentences/passage. This task in turn become the Machine Translation, or Text Summarization.
From a vector of a word, sentence or passage, find a method to classify it into some senses/intents. This task in turn become Sentiment Classification.
From a vector of a word, sentence or passage, find a method to calculate the similarity to other vector. This task in turn become Question & Answering, or Text Generation, Text Suggestion.

It will be too long to dive into each keyword here so please Subscribe button to receive upcoming posts from my learning journey.

Thanks for reading!