The increasing adoption of online banking, mobile banking and credit and debit cards in the country brings with it a danger that is clear and present — that of cyber-crime. A June 2015 report by industry body Assocham and consultancy PwC states that financial fraud in the country through these channels is on the rise.
For instance, online banking-related cyber fraud reported to the RBI is estimated to have doubled in value from about ₹40 crore in 2011-12 to nearly ₹80 crore in 2014-15.
From the simple to the sophisticated, cyber-criminals employ a range of tools to commit financial fraud. The bad news is that these conmen are an ingenious lot, always on the look-out for vulnerabilities and ways to exploit them. The good news is that simple, common-sense precautionary steps on your part, along with the tightening of the security measures by the Reserve Bank of India (RBI), should keep many of these fraudsters at bay.
Here’s a low-down on some major tricks in the conmen’s arsenal and how you can fob off their attacks.
Getting hold of the basic personal details of their victims is generally the first step in the game-plan of cyber-criminals. So, they seek out data, such as name, address, date of birth, and PAN of potential victims. This is then used to commit ‘identity theft’ — that is, the criminal masquerades as the victim to commit financial fraud.
Identity theft is done through a variety of ways. These include hacking into electronic appliances and websites the victim accesses, shoulder-surfing when a user enters data in electronic devices, diverting mails, rummaging through waste paper, and social engineering — befriending the victim or someone close to him to pry out information.
The conman could use this information to create counterfeit documents, open accounts or get cards using the victim’s identity. Such information could also be used to convince the victim about the conman’s credentials while trying to extract other crucial data.
It’s the minor chinks in the armour that often lead to big breaches. So, be discreet about giving out your personal information to others — share on a need-to-know basis. Assess whether the purpose of seeking the information is genuine, and ask for authentication before sharing.
Update your electronic appliances with the latest anti-hacking and anti-virus protection. Keep passwords strong with a combination of alpha-numeric and special characters (no easily guessable family member names and children birthdates), and change them at regular intervals.
Also, try to make sure no one’s watching when you input personal information into your devices. As far as possible, avoid public computers or networks, for financial transactions.
Unfortunately though, these days we often have to share a lot of our personal details for a variety of purposes, including getting basic services such as a gas or a mobile connection. And despite the precautions we may take, there is a risk that such details may find their way into wrong hands.
So, it’s critical to safeguard information of a confidential nature, privy only to you and which is required to complete financial transactions. This can frustrate the fraudster’s designs. Read on.
It’s what the name suggests. Conmen ‘phish’ (seek to extract) for your confidential information such as passwords, personal identification number (PIN), card verification value (CVV) and one-time password (OTP). They then use this information to defraud you. ‘Phishing’ happens over e-mail, and is one of the most popular tricks among conmen.
A genuine-looking e-mail preys upon your greed or fear. So, the bait in the e-mail is sometimes an invitation to collect a lottery prize, refund, gift points or some such goodie. Or it could be a purported message from your bank or from the RBI seeking verification of details to keep your account or card active. These phishing e-mails ask you to reply over e-mail with your confidential information, or click on attached links or attachments and enter the details.
Respond and you walk into the trap. Clicking on the link takes you to another website which looks just like your bank’s or the RBI’s — this is called website spoofing. The information entered here is captured by the fraudster and used to make unauthorised transactions from your account or card. These links or attachments could also install malware into your electronic device which may capture your keystrokes, leaving you exposed.
First and foremost, never share your confidential details such as passwords, PIN, CVV and OTP with anyone. Be on the alert and don’t pass on this critical information in a weak moment. Your bank or card provider will never ask for such information. Nor will the RBI. Keep off links or attachments that come from unknown or suspicious sources. Report such emails to your bank or card provider.
Next, check the security settings of any website before doing your financial transactions. Transact on secure websites starting with https. A lock icon in the web browser is also an indicator of a secure site. Use of a virtual keyboard instead of a regular one for your online transactions is a good idea.
A virtual keyboard is an application that lets you enter details such as passwords with the help of a mouse instead of typing it on a keyboard. This can prevent cyber-criminals from capturing the keystrokes on your computer. Also, go only for genuine software which provide regular anti-virus patches. This can reduce your vulnerability to malware.
The RBI has tightened the security architecture around most online and offline transactions by insisting on ‘two-factor authentication’. So, you also have to enter your PIN to complete offline (physical) transactions; or you have to enter the dynamically-generated OTP which is sent to your mobile number to complete an online transaction. This adds an added layer of security by requiring confidential information known only to you. Be sure not to let anyone know about it.
Vishing and SMShing
Vishing is short for ‘voice phishing’ and SMShing (also called SMiShing) is phishing through SMS. In vishing, the conman tries to extract your confidential information over the phone, while in SMShing, he attempts to trick you via phone messages.
A confident voice at the other end of the phone line claims to call from the lottery firm, or from your bank, card company, the RBI or some such powers-that-be. He may possess some of your basic personal details and uses this to convince you about the genuineness of the call and to part with critical details such as your password, PIN, OTP and CVV.
Similarly, messages purporting to be from your bank or from the RBI can goad you to reply back with such confidential information.
Some messages may also carry malicious links or phoney phone numbers that you are egged on to click or call. The alibis employed are similar to those used in phishing — claim your windfall or special offer, keep your card or account active, or verify details as part of regulatory procedure. Part with your confidential data, and in quick time, see your card being charged or the account being debited.
Again, remember that no card company, bank or the RBI will ever ask for your confidential information. So, such calls or messages should immediately raise a red flag. Cut them off and ignore them. Report them to your bank or card company.
Fraudsters skim your credit card or debit card to get their hands on crucial information which goes into the making of ‘clone cards’. These are used to put through unauthorised financial transactions, online or offline. Fraudulent online transactions can be done using the skimmed data, even without clone cards.
Your card could get skimmed at ATMs or at physical stores such as supermarkets, petrol bunks or restaurants. At the ATM, cameras installed by conmen at vantage points capture the information you enter, including the PIN number. Alternatively, a ‘skimmer’ machine inserted in the ATM slot captures the data on your card and the PIN that you input in the keypad.
This is then used to make a clone card that is used to withdraw money at ATMs or for use at physical stores. It could also be used for online transactions — using the OTP got through phishing, vishing or SMShing.
At physical stores, conmen often, with the connivance of store employees, install skimmers on the card reading machines. This captures the information on the card and the PIN entered by the card user.
Alternatively, unscrupulous store employees take the card out of the sight of the card holder on the pretext of completing the transaction and note down the card details. They then watch closely or use cameras to capture the PIN as you enter it. This information is used to make a clone card that is used for physical purchases, ATM withdrawals, or for online purchases.
When you use an ATM, see if the card insertion slot appears oddly positioned or shaky — this could indicate the presence of a skimmer. Avoid such ATMs and check with the bank or the security personnel outside the kiosk if you notice anything amiss. Enter the PIN discreetly covering your fingers with the other palm, whether at the ATM or at the physical store.
On getting your debit or credit card, sign on its reverse. Also, memorise the CVV number mentioned on the reverse of the card, and scratch it off. Don’t note down this and other confidential details such as the card expiry date in your diary or electronic devices — if you lose them or they are accessed by unauthorised persons, you may become vulnerable.
At physical stores, don’t let the card be taken out of your sight. Many stores these days have mobile card readers; so, store employees can bring the machine to where you are to input the PIN — this is much safer.
Also, replace your magnetic strip-based swipe cards with the EMV chip-based dip cards. EMV stands for Europay, MasterCard and Visa — the three companies that created the new security standard for the chip cards that provide a much higher degree of security compared to the swipe-based cards. Your personal data stored in these chip-based cards is encrypted.
So, even if a conman gets access to your card, he will not be able to clone it. The RBI has made chip-based cards mandatory when new cards are being issued or old ones are being replaced. Also, certain categories of card users, for example, those who have used their cards internationally, necessarily have to migrate to chip-based cards.
Mobile banking frauds
The growing use of mobile banking exposes users to new kinds of fraud. The Assocham–PwC report says that mobile banking frauds include fake or similar interface apps, the app being mapped to an incorrect mobile number, and malware.
Fake apps, with the same user interface as the original application, steal the user’s confidential information. This risk can be avoided by downloading apps only from genuine sources and not tampering with the security settings of the mobile phone.
Mapping the app to an incorrect mobile number is generally an insider job perpetrated by a bank employee; this can take place when the customer does not use mobile banking. Ideally, banks should have foolproof security mechanisms to prevent unscrupulous employees from exploiting the system. Malware, which can infect your phone and compromise your personal information, can be avoided by staying away from unknown or suspicious links, and keeping the protection systems up-to-date.
What to do
What if a fraudster gets the better of you? First, limit your damage in quick time. This can be done by enabling SMS alerts for your banking and card transactions. This will alert you to unauthorised use and help you act with alacrity. Inform the bank immediately and tell them to block the card.
Being quick cuts your losses and could also result in the fraudulent transaction getting reversed if you are not at fault or have not been negligent. If the bank disputes your claim of no-fault, you can take up the matter with the banking ombudsman and thereafter with the appellate authority. You can also go to court.