New Delhi: Cybercrime in the country is rising, what with the greater number of net users banking and trading in stocks online and buying air and rail tickets, movie tickets, gifts, books and other merchandise and services on the internet. Raghu Raman, CEO, Mahindra Special Services Group, speaks to Namit Gupta on the new methods online crooks are using to cheat you of your money, and what you must do avoid becoming their victim.
How serious is the cybercrime situation in India today?
While it is difficult to provide accurate statistics there is no denying cybercrime is on the rise in India. There are three key reasons for this:
1. The number of internet users is increasing exponentially.
2. This increasing base of users provides fertile ground for cybercriminals to thrive, as with little or no effort they now have a much bigger pie of “potential targets”.
3. There is no entry barrier, unlike the brick-and-mortar world, where a new entrant into the world of crime has to deal with the local goon or an existing syndicate. The attacker is practically anonymous on the internet and therefore much more dangerous. Easy entry is also facilitated by the small infrastructure requirements — all you need is a computer, an internet connection and an intelligent albeit devious mind to kick-start a career in crime.
Which establishments are particularly susceptible to phishing attacks in India?
The banking and financial services sector, particularly wealth management services and retail banking, has been targeted. Here I would like to mention that the wider the footprint of the establishment, the greater the susceptibility of its customers to phishing attacks. Let me give you an example. A smaller bank, with a smaller and geographically more concentrated customer base, will be in a position to offer RSA tokens to its customers.
A larger bank with a more spread out customer base, on the other hand, may not be able to implement such a security mechanism across the board and might typically rely on more conventional two-factor authentication such as the credit card and PIN number or an online user ID and password.
Also, phishing isn’t only online and has been attempted on the phone as well (commonly referred to as “vishing”) with so-called call centre executives using very clever means such as free offers and reduced interest rates on outstanding balance to extract credit card and other details from unsuspecting victims.
Other industries such as airlines and online subscription services are also susceptible.
Is the nature of online frauds also changing?
Yes it is. At one time, online phishing would typically involve email messages from a website that mimicked the website of a bank or another reputed establishment and sought personal information such as credit card details from the intended victim.
Then you had fake donation sites—one came up only 45 minutes after the tsunami struck. These sites would typically play on the generosity of the internet user, hoping to get him to make a donation using his credit card. Not only would the victim lose his money, but he’d also run the risk of getting his computer infected with a Trojan that would pass on information about every monetary transaction he conducted on the net to some faceless criminal somewhere, without his knowing about it.
Other variants include the ‘Letter 419’ that typically came from some so-called widow or other unfortunate in Africa who had access to a huge sum of money and who was willing to share it with you if you paid something upfront or shared your banking details so that the money could be transferred to your account.
Some phishers have been known to offer free pornographic content to adults but not to minors. Their objective is to get the children in the family, if any, to steal the parents’ credit card and use it to access that content.
Today, the crime has become even more sophisticated with crooks targeting specific groups or individuals.
How do they do that?
It’s called “spearing” or “spear phishing” and is a bit more sophisticated than phishing.
The modus operandi in phishing is to lay the bait for as many internet users as possible with the expectation that some would bite. Letter 419, donation sites and mimics belong to this category.
Spearing is more concentrated. Let’s say you are gay and have your sexual preferences stored on a gay group in a social networking site. Obviously, the information you provide is top secret and only meant for other members in your group. What prevents a cyber-crook from pretending he’s gay if he wants to enter your network? And once he does, he’ll have a focused strategy because he knows whom exactly he is targeting.
A smart criminal might want to target IT groups today, given that this group will be actively contacting friends and associates on the internet for new job opportunities and IT contracts in a bad market.
What should one do to protect oneself from phishing or spearing attacks?
For starters, I would recommend getting the latest version of the more widely used internet browsers—Mozilla, Internet Explorer or Firefox—installed on your computer, because they all have anti-phishing alerts, plus the latest versions of the anti-virus and anti-spyware programmes. Other steps one must take include:
• Never download or open attachments whose source you are not certain about. Even if the source is trusted, check whether the content is relevant; if not, don’t open the attachment.
• Do not give away your residence or cell number. Be especially careful when you are filling in contest forms, coupons, free gift vouchers etc.; more often than not these are gimmicks to obtain your personal details.
• Set a limit on the value of a single transaction on your credit card. Purchases made beyond this would be rejected.
• Maintain two distinct sets of identities on the net—one exclusively for your financial affairs and the other for other dealings on the internet such as memberships on social networking sites. Remember, your acceptance of someone as a friend on a social networking site usually gives him or her access to your other friends as well.
• Never ever transact online at a cybercafé or even a friend’s place.
• Always type in the desired URL instead of clicking on links.
• Check your credit card or bank account statement regularly for any discrepancies.
• Read about information security breaches by subscribing to some newsletters. In the case of many breaches the only defense is knowledge.
Despite this, if you think you’ve been hit, inform your bank immediately. You can at least block your credit card or account and prevent further damage. If the crook is not seasoned, it may also be possible for the bank to track him. You must also file an FIR with the police.
How strong is the law in India addressing and controlling cybercrime?
The laws, per se, are adequate. The issue is enforcement. The police force needs to be endowed not only with greater numbers in the cybercrime cells, but also needs to be educated in dealing with this category of offences, where the perpetrator does not have a face.
However, it is the corporate world—banks, financial institutions and other segments offering online services and whose credibility is at stake if their sites are targeted—that must take the initiative here.
They must realize that security is a high-end and professional game and cannot be left to IT vendors and audit firms for implementation. In fact, security should be treated as a board-level issue and not something for the CFO or the CIO to manage. Typically the security apparatus in a company tends to look at procedural correctness instead of the probable outcome of a security lapse. For instance, auditors are usually more concerned about ensuring that the know-your-customer (KYC) formalities have been duly completed at the bank, but rarely explore the possibility of a loan being disbursed on a form that has one person’s name, another’s photograph and the address of a third person.