In this digital day and age, giving out personal information is an everyday occurrence - something we do with every paperless transaction or online order. But do we really know what happens to all that information once we key in the details?
Well, the information you put online leaves a digital footprint and this trail can be helpful or hurtful, depending on who picks up the scent. And, if the information happens to fall into the wrong hands, you could very well be robbed of your hard-earned money. So, beware!
According to the Experian Fraud Report 2016, identity theft or identity frauds alone account for three-fourth of the overall fraud incidences in India. Says Chetan D. Dalal, chartered accountant and a certified fraud examiner: "Gone are the days when fraudulent activities were committed by casual fraudsters. Today, organised crime is equipped with very sophisticated methods and get complete control of the target person's bank or credit and debit cards, taking the level of fraud complexity to a whole new level."
Fraudsters on the Prowl
At the root of the nefarious activities is a group of technology-savvy criminals who are well equipped to make sense of even incomplete data trails. But how do they fill in the gaps to get access to crucial details? "The answer to this lies in social engineering," says K. Kanagaraj, an expert in forensic auditing.
"Social engineering is a major part of the fraud today as it gives the fraudster access to data that is not otherwise available," says Suveer Khanna, Associate Director Forensic Services, KPMG in India. The fact is further corroborated by security firm Proofpoint, which identified social engineering, or psychological hacking, as the top cyber attack trend in 2015 - where phishing, scare techniques, baiting and pretexting are some of the oft-used techniques.
There are also instances where a fraudster may get hold of the complete set of data from multiple sources. For instance, he may be in possession of your bank account number or some related data, which may not be enough to get access to your account. Therefore, he may dig through your social media accounts to get the names of, say, your pet or school, or your mother's maiden name - information typically prompted by bank portals - to walk through the multiple security layers and crack your online banking password.
Given the amount of personal data available on social media platforms, it would be prudent to revisit the privacy settings of your accounts to limit your exposure only to a closed group of family and friends because a lot about one's personality can be found out by just checking the groups that you are a part of, photographs you post or your birth date and age. Says Dalal: "Be very careful while sharing images on social media because too many people can access those images. This not only increases the risks associated, but also puts forth the option of the pictures getting manipulated and used later. Therefore, the most ideal action would be to not share any personal pictures."
According to the Reserve Bank of India, nearly 12,000 cases of fraud relating to net banking, credit and debit cards were reported between April and December 2015, while 2014/15 witnessed 13,083 such cases. Says Amit Jaju, Executive Director, Fraud Investigation and Dispute Services, EY India: "Over the years, instances of fraud may have lowered but the quantum of money lost due to fraud has increased several-fold. However, the actual number of fraud cases in the banking space will be much higher than these figures represent." This is so, despite the one-time-password (OTP) security layer mandated by the RBI for all online and mobile transactions.
Method in madness
Phishing. The oldest and most-used technique is used to extract sensitive information such as personal details, bank account number and passwords, by sending fake e-mails. Here, the targeted individual receives an email, which is made to look like an official communication from the bank, with a link to a look-alike site of the bank's official portal. Once you start keying in the details asked for on the fake site, the data, including password and PIN, is passed on to the fraudster.
Malware. Another popular method is a malware or malicious software - trojans, worms, virus, adware and ransomware - designed to copy and transfer data from an infected device. A malware can be inadvertently downloaded from a fake e-mail attachment or from any other unsecured website. Fraudsters have also hacked banking networks to get hold of customer data.
Money Mule. Once the targeted individual's data is available, fraud rings or organised criminals typically transfer money from the target account to an intermediary, or money mule, account to receive the illegal money. This move not only conceals the identity of the fraudster but also throws the investigators off trail. In some cases, it has been observed that fraudsters look out for dormant accounts to use them as mules. The money can then be transferred to an overseas account where, typically, banking systems are lax.
Recently, RBI Deputy Governor S.S. Mundra raised concerns about Jan Dhan accounts being misused as money mules. The case in point was that of a daily wage-earner's idle Jan Dhan account, which was used for receiving and transferring Rs1 crore. The incident came to light after the Income Tax department served a notice to the man on the basis of the transaction. Says Brijesh Singh, Inspector General of Police (Cyber), Maharashtra Police: "This is one of the most common methods used by fraudsters to disappear with ill-gotten wealth. Most often the original account holder has no clue as to who the user was. This means the trail goes cold creating a hurdle for investigating authorities."
SIM Cloning. Since the time OTP became mandatory for banking and card transactions, SIM card cloning has mushroomed. The fraudster first gets hold of your account details and an identity proof to get a duplicate SIM. Then he requests for a new SIM from the mobile service operator on some pretext and gets the targeted individual's original SIM deactivated. Once the new SIM gets activated, he can transact using OTP authorisations. And, by the time the victim realises, his account is wiped clean.
Card Fraud. Card frauds can be either offline or online, i.e., through skimming (ATM transactions) or vishing (online fraud). And, with 336 million debit card and 19 million credit card holders and 0.2 million ATM users, and debit card and credit transactions are Rs7,000 crore and Rs12,000 crore per month, respectively, the opportunity for fraudsters is huge. "The irony is that, most often, card frauds happen due to the carelessness of card owners," says Jaju.
Vishing. Since the emergence of e-commerce, vishing has increased rampantly. Experts say most of the money defrauded through vishing is used for shopping on international websites where OTP is not required. And, there is a clear pattern in which gullible individuals are defrauded. Scamsters often dial an individual between 11am to 2pm, when people are usually busy at work, posing as bank representatives and weave a web of deceit to extract card details. Investigators say the following are the most common approach.
And finally, the most pleasant bait!
In each of the above mentioned instances, the caller has the perfect reply to almost every question, making it sound very authentic. However, if you happen to disconnect the call, they will not try their luck with the same person. That is what noted consumer activist Jehangir Gai realised while attending a fake call. "I immediately called the bank I was associated with and asked if there was any trouble with the credit card. The bank executive informed that it was not a call from their end," he says.
Gai quotes another incident where one of his clients had registered a complaint with the bank about his credit card. The very next day, the complainant received a call from a bank representative, apparently a fraudster, asking for complete card details to address the complaint. Innocently, the complainant shared the details and immediately a transaction took place. On cross-checking with the bank, the user realised that he had fallen victim to a fraud. The scary part is that the fraudster had complete details of the complaint and, therefore, the needle of suspicion turns to the bank and its employees.
ATM Skimming. When it comes to ATM transactions, fraudsters work on the premise that the user is in a hurry and will not check if the machine has been tampered with. Therefore, by making a few smart modifications, a fraudster can successfully defraud users by getting hold of their personal data stored on magnetic strips. This popular route of defrauding is known as ATM skimming.
For obtaining the PIN, the fraudster strategically places a camera which focuses on the keypad or uses a fake keypad. Sophisticated thieves have been found to use thermal imaging to pick heat signatures left behind after the user enters the PIN. In order to collect data stored on magnetic strips, fraudsters insert a card reader in the space provided to insert the card. Whenever a card is swiped, the user's personal data gets recorded in the skimming device. Once the data is collected, the fraudster creates clone cards and uses them to withdraw funds from the victim's account.
This is one method used to defraud large sums both online and offline. The data of the original card, including the ones on the magnetic strip, is imprinted on another card, making it a fully functional card. The disturbing fact here is that the entire spoofing can be carried out in less than a minute by an expert.
The easiest way to fall prey is when you leave your card unattended in the hands of a stranger at a restaurant for bill payment, or at the billing centre in a shopping mall. With the help of a device know as skimmer, the stranger just needs to swipe the card and the skimming device will capture all the data, while the fraudster or his associate just needs to note down the CVV number manually. And within a matter of seconds, your card will be cloned.
The most recent case in credit card fraud was that of an withdrawal of $13 million in Japan, using forged credit cards issued by a bank in South Africa. It was found that data of nearly 1,600 credit cards issued by the bank were used in this heist.
According to Vikram Narayan, Managing Director and Country Manager, PayPal India, the online medium is also witnessing a rise in wallet takeovers and man-in-the-browser attacks. A wallet takeover is when the fraudster takes charge of your wallet and misuses the credit card attached to it. A man-in-the-browser is a much more complicated process wherein the attacker installs a malware in the victim's system that modifies inputs in real time. For example, a credit card payment through an infected app may be altered in real time, with a different set of instructions to the credit card company that would benefit a different recipient or different account.
Preventing Financial Fraud
When it comes to offline transactions, you must not share your personal data with a stranger. "In most cases, being alert can help individuals more than any other action," says Khanna of KPMG. You must also be careful when you hand over your card to strangers, especially during point-of-sale purchases.
Forensic experts say negligence of a few minutes can prove to be costly as skimmers can collect card data within seconds. However, there are some inherent flaws in the system which can be self-defeating in countering fraudulent actions.
Says Mohan Jayaraman, Managing Director, Experian Credit Bureau, India: "When it comes to identity theft, it is almost impossible to get all the details of a stranger. There is always room for error, which is where the Hunter - a fraud detection technology by Experian - comes into play. This application detects fraud right at the point of application, thereby saving both the financial institution and the individual whose identity has been stolen."
The other document that can be helpful is a credit report. "We would always recommend individuals to opt for quarterly reports rather than a one-time need-based report, such that one can track their rating on a constant basis. In case there is a fall in the rating, the user can immediately check the reason for the same. If any fraudulent activity is detected, one can immediately take action and inform the stakeholders involved. Also, one has to put the rating on hold till the time the discrepancy is cleared," says Jayaraman.
Cards. Although the RBI has mandated banks to issue only EMV chip and pin cards starting September 2015, it has been largely observed that debit cards in India use magnetic strips. The central bank, in its notification, had said that "banks are advised that with effect from September 1, 2015, all new cards issued - debit and credit, domestic and international - by banks shall be EMV chip- and pin-based cards". EMV chip cards were expected to protect users against skimming and lost or stolen card fraud.
However, bankers are of the view that a complete change in the system is bound to take at least three years. Even though some banks have started issuing chip cards, the worrying part is that most of it still bears a magnetic strip. "What's the point of having both magnetic strip and chip? Where is the safety aspect if the magnetic strip is still present," asks Jaju of EY. Says a MasterCard spokesperson: "The EMV standard serves as the backbone for future payment technologies by enabling safer, smarter and more secure transactions. Wherever we have implemented EMV chip technology, there has been a significant decline in fraud."
The RBI, in a recent release, has also asked banks and white-label ATM operators to move to chip- and pin-based card infrastructure by September 30, 2017. "Contact chip processing of EMV chip and pin cards at ATMs would not only enhance the safety and security of transactions at ATMs, but also facilitate preparedness of the banks for the proposed 'EMV Liability Shift' for ATM transactions, as and when it comes into effect," the RBI said.
Banks. After hackers compromised the SWIFT platform to siphon off $81 million from the Bangladesh Central Bank, it would be worthwhile to check if the Indian banking system is ready to deal with such attacks. K.K. Mookhey, Founder, Network Intelligence, a provider of information security services to several major banks in India and overseas, says security in Indian banking is a mixed bag. "It is neither easy nor correct to generalise, but what we can say is that with the larger banks, they definitely have fairly robust fraud monitoring systems in place and are quite capable of detecting fraudulent transactions. But with smaller banks, the capacity to invest in such solutions is less and, therefore, the level of controls might not be sufficient."
However, not everyone is as optimistic. Kanagaraj says that India has been much ahead of several advanced nations, thanks to RBI's pro-activeness, but the absence of a real-time fraud monitoring system that can flag suspicious transactions instantly is a cause for worry. Says Paul Abraham, COO, IndusInd Bank: "Our bank uses Enterprise Fraud Monitoring system. It effectively generates real-time alerts based on pre-defined rules. These are investigated and customers are alerted promptly on occurrence of the transactions, and further transactions are averted."
The other major threat to the banking system is outsourcing, because these businesses are contract-based, but individual data is always accessible to such entities, including customer service assistants. However, Amit Sethi, CIO, Axis Bank is confident that the data is secured. "Access to customer critical data is given on the need-to-know and need-to-do basis, and in a controlled manner. User access reviews are also conducted on a periodic basis," he says, adding: "The bank has implemented technology controls like DLP (data leakage prevention), which ensures customer critical data is not being sent out accidentally or intentionally. Along with this, controls such as information rights management, wherein the data owner is able to control the actions of the recipient of the received data, is also exercised."
Finally, given the increasing importance of KYC-compliance, banks and financial institutions want to ensure all documents related to an individual's identity are in their possession. But given the sheer number of documents that banks have to deal with, there are chances of forgery and the possibility of critical information falling into wrong hands.
Dalal says that compliance has turned out to be all about volume of the documents collected, than the quality. Experts also point to the data retention policy as the storage capacity is not often adequate. For example, banks are mandated to keep video clips of ATMs or paper trails for a certain number of years and then destroy it, but the rules are not always followed.
In the Payment System Vision Document 2012/15, the RBI has suggested frameworks for establishing roles and responsibilities of both customers and banks in electronic transactions to fix responsibilities and zero-liability protection, such as to increase customer confidence in electronic transactions. At present, protection available for paper and online transactions are different and the liability equation is in favour of banks as the onus of safeguarding card and bank details lies with the customer.
However, going by the statements of Mundra, RBI is likely to issue regulatory direction with regards to limiting the liability of customers for fraudulent transactions arising out of frauds and electronic banking transactions. "It is imperative to have a robust mechanism to prevent incidents of fraud in mobile net banking and electronic fund transfer so as to retain the customers' confidence in these delivery channels," says Mundra.
Reporting a Cybercrime
Under the Information Technology Act, 2000, every form of cybercrime can be registered at a police station. However, in real life it could be a bit confusing with the police refusing to register a complaint. Says Singh of Maharashtra Police's cyber cell: "The offence can be registered at either the place of residence of the complainant or at the location of the bank or where the crime has been committed." Adding to this he highlights that only a person of the rank of a police inspector and above is authorised to investigate the complaint as per the I-T Act.
Apart from reporting a cybercrime and filing a criminal case, the aggrieved party can take action under Section 43 of the I-T Act. Under the Act, state-level I-T departments have been empowered to act as adjudicating officer for the cyber appellate tribunal cases where the quantum of compensation does not exceed Rs5 crore. The only caveat is that the loss has to be because of 'deficient standard of services maintained by the financial institution'.
Given that India is waking up to the menace of cyber fraud and Maharashtra is leading the pack in the number of crimes reported, the state government is setting up the required infrastructure to detect, investigate and bring cyber criminals to book.
Are We Ready?
Experts are of the view that fraudulent activities are not going to recede anytime soon. What makes it doubly dangerous is the evolving nature of the landscape. Fraudsters currently seem to be ahead of law agencies across the globe, wreaking havoc. "If an attack like the SWIFT system were to happen in India, the repercussion to the banking industry would be immense," says Kangaraj, adding: "Currently, in India we are trying to address the past more than preventing future attacks."
When it comes to retail banking, however, there are quite a few steps that have been taken as the target is an individual and not the banking network. And that's where companies like Experian look to be in. "Experian is looking into identifying fraudulent transactions based on devices used for such activities. For example: if an individual has a history of transacting via a particular device, which maybe a laptop or a mobile phone, and all of a sudden, if a transaction with your details is being tried on a different device, the system is designed to immediately red-flag such transactions. This is even after all the data input tallies and the discrepancy is only on the device data," says Jayaraman.
The picture may not be all that rosy, but a little discretion and good sense at the individual level and the robust technologies banks are setting up can go a long way in keeping your money safe.
Copyright©2022 Living Media India Limited. For reprint rights: Syndications Today