The Magnitude:
• Identity theft will be among the top 10 risks faced by Indian companies in the near future
• Home users are targeted in 95% of such attacks
• Phishing attacks on banks have gone up six times since October
• Consumer databases are being openly sold online
The Most Common Methods:
• Soliciting personal information on the phone or online
The Victim: Pushp Raj Sharma, assistant manager, Yamaha Motors
• His credit card was used to buy flight tickets worth Rs 75,000
• He didn’t realise the fraud till he received his monthly statement
• Matter settled after four months. He did not have to pay the fraudulent charges
Nabanita Talukdar, a beauty consultant based in Guwahati, got a call last month ostensibly from her bank. The caller claimed to be doing “routine upgradation” of records, and wanted Talukdar to confirm her date of birth, address and secret question. An unsuspecting Talukdar says: “Since she did not ask for my account number I did not think anything of it,” and provided the information.
Her husband, however, did not take it as lightly, and insisted that she change her Internet banking password. “Thank god I listened to him! The following week I discovered that my account was blocked because of three consecutive wrong entries,” says Talukdar.
This could happen to any of us. It’s just that we do not take identity theft seriously. “It won’t happen to me” is the standard refrain. Allow us to burst that particular bubble of complacency and say that it can happen to you, and it might already have happened. You’re not safe online or offline. Sniffing and skimming, two forms of offline identity theft, involve stealing data from a distance from radio frequency identification tags—this includes office security tags or swipe cards—or even from the magnetic strip on your debit card.
Credit card fraud is the most common type of identity theft. Take the case of Raman Bhanot, an international sports broadcaster. Out shopping for a watch in a popular showroom in Delhi, he was told the card machine in the shop was not working so he allowed the shop assistant to take his card to a neighbouring store. Only when his bank’s head office called up to confirm if he had made online purchases worth over Rs 40,000 did he realise he was a victim of card skimming. It took a six-month battle to make the bank reverse the fraudulent charges.
Online investing is another target area. A recent case resolved by Cyber Smart, a portal that provides legal solutions to tech-related fraud, involved fraudulent securities transactions using an innocent client’s user-name and password. Some years ago, Chugh Securities, Delhi-based stock brokers, suffered a loss of Rs 6.15 lakh when the person who installed the company’s firewall hacked into the system.
According to a study by Symantec’s Pune-based Security Response Lab, there has been a sixfold rise in phishing (see box Cyber Crime Lexicon) attacks on Indian banks, from just 20 in October 2007 to 120 attacks in January this year. Further, KPMG’s latest fraud report reveals that Indian companies acknowledge that identity theft is going to be one of the top 10 risks they face in the next three years.
What is worrying is that home users are targeted in 95% of these attacks. That’s because at least 15% of home users go online without adequate security software. That there is a problem is obvious when you see that even a relatively small outfit like the Indian Detective Agency claims to receive 10-20 cases of online identity thefts a month.
Identity theft has reached pandemic proportions in the US, where there’s a victim every four seconds. The only way to avoid similar statistics here is by being aware. With consumer databases for everything from high net worth individuals in India to female credit card holders in specific cities being openly sold online—and in the grey market—for $200 or less, the stage is set for mass identity thefts.
The good news is that under Indian law, banks, credit card companies and other financial service providers cannot force innocent victims to bear the brunt of such frauds. The bad news is that, in the absence of specific laws for such crimes, one has to be prepared to battle it out for years before justice is done.
More important, you have to take steps the minute you discover that your identity has been hijacked. Says Gurpreet Singh, an IT lawyer with Amarjeet and Associates: “The first thing to do is to inform your bank and the police. The longer you delay reporting, the colder the trail grows and the more unlikely your chances of proving fraud.”
Most people do not realise that they have been victims of fraud till it’s too late. Says Singh: “If just Rs 200-300 is missing from your account, you are more likely to ignore it, thinking it’s not worth the hassle. Like you, a thousand other account-holders too will keep silent, while a fraudster somewhere will be rolling in money and, unfortunately, getting away scot-free.”
Maninder Walia, a researcher at Cyber Smart, says: “Identity theft could well be the biggest kind of cyber fraud in India but it often goes undetected and is usually unreported.” Pavan Duggal, an advocate with the Supreme Court of India who specialises in cyber law, has conducted a survey on the extent of under-reporting of cyber crimes and claims that for every 500 instances of cyber crime that take place in India, only 50 are reported and, of those, only one is registered as a criminal case. If you cannot protect your identity from being stolen, make sure that you at least report the crime.
Cyber Crime Lexicon:
BOTS: Also called web robots, these are usually used in search engines, auction sites and the like, which need simple, repetitive tasks to be performed fast. However, there’s a dark side to bots, when they are used like worms. They are small enough to hide behind pop-ups and smart enough to use sophisticated social engineering to make people click on their malicious links.
DNS POISONING: Every website has a numeric address. Poisoning modifies the domain name system table in a server so that someone hits fraudulent sites thinking they are accessing legitimate ones.
DRIVE-BY DOWNLOADING: When a user visits a non-secure site, details of their computer are hijacked. Later, the site looks for vulnerabilities in the user’s PC and then installs a keylogger.
KEYLOGGER: An application that makes a note of keystrokes made on the computer for getting hold of banking and credit card information.
PHISHING: A method of trying to gather personal information using deceptive e-mails and websites.
PHARMING: A practice in which malicious code is installed on a computer or server, misdirecting users.
SKIMMING: The illegal copying of information from the magnetic strip of a credit or ATM card.
SNIFFING: Akin to eavesdropping, here the attacker gains access to the network TCP/IP traffic path of the victim.
SPOOFING: This comes in two varieties. In “e-mail spoofing” the header of an e-mail appears to have originated somewhere other than the actual source. In “IP spoofing” the intruder sends a message to a computer with a fake IP address, appearing to be coming from a trusted source.
TROJANS: This is a program that enters stealthily and offers the hacker remote-access and control of the system. It is similar to a virus, except that it does not replicate itself. Trojans often sneak in with free games.
URL HIJACKING: Also known as “typo-squatting”. People often make spelling errors typing URLs. A mis-spelt version of a popular URL is registered and used by the fraudster. For example, “citbank.com” instead of citibank.com.
WIRELESS HACKING: If your wireless network or Bluetooth system isn’t secure and encrypted, the information on your phone or computer could easily be hacked.