Protect your money from banking fraud
When you carry cash, you run the risk of losing the money or getting robbed. Similarly, there are risks involved in digital and online banking as well. According to a June report by PricewaterhouseCoopers Pvt. Ltd (PwC), as financial institutions use more digital banking channels, the new technologies make them more susceptible to fraud.
But that doesn’t mean you should avoid digital transactions completely. In fact, it’s a convenient and cost-effective method. All you have to do is be aware of the risks and not disclose any confidential information such as password or personal identification number (PIN).
Mint Money examines some of the repeated frauds in the digital banking space and how to guard against them.
Traditionally, cheques topped the list of frauds in banking. But now, with increasing use of Internet and mobile phone for financial transactions, new kinds of frauds have emerged. “In my experience, some of commonly perpetrated frauds prevalent across the banking value chain include phishing, vishing, man in the browser attacks and malware-based attacks,” said Sandeep Dhupia, partner and head—forensic services, KPMG India.
Almost all frauds that happen online or electronically involve collecting information. Phishing means collecting information from a customer by sending fake emails. Vishing means calling a customer posing as a bank executive or an official from the central bank and collecting information for identity theft. The data can also be stolen through smishing, in which the customer receives an SMS with a web link, which, if clicked, downloads a malicious programme causing theft of data. Man in the browser means a malware infection into the Web browser. Once this happens, when a user enters details on the website, it gets stolen.
Banking transactions can be categorized into three channels—mobile banking, cards and Net banking. You are susceptible to fraud in any of these channels. Here is a look at what the issues can be on each channel.
Mobile banking frauds
According to the Reserve Bank of India, in 2014-2015, 22 million of the 589 million bank account holders were using mobile banking apps. The volume of mobile banking transactions has also risen from around Rs.1,819 crore in 2011–12 to about Rs.1.02 trillion in 2014–15, PwC said in a report. As the number of mobile transactions goes up, different kinds of frauds such as fake apps, SIM swap and malware have surfaced.
Fake apps: The first step in stealing money online is to steal information. This can be done by creating a fake app outside a playstore. “Hackers create fake apps which will look exactly like the original,” said Dinesh Anand, Delhi-based partner and leader—forensic services, PwC. The user interface is very similar to the original application.
How do they get you to download the fake app? “One way is to send the bank customer a link asking them to upgrade the bank’s app,” said Amit Jaju, executive director, forensic technology and discovery services, and head (Europe, Middle East, India and Africa) software license forensic, EY. If you click on the link, a fake app gets downloaded. This may happen if you jailbreak your phone. When you enter your user name and password, the fraudsters get access to that information.
SIM swap: The fraudsters will first collect your personal banking information through phishing, vishing, smishing or any other means. Once they have your personal information, they get your SIM blocked, and obtain a duplicate one by visiting the mobile operator’s retail outlet with fake identity proof. The mobile operator deactivates the genuine SIM card, which was blocked, and issues a new SIM to the fraudsters. It is now simple to generate a one-time password (OTP) required for transactions using the stolen banking information. This OTP is received on the new SIM held by the fraudsters and they can now transact before the bank customer realizes the theft and alerts the bank.
App mapped to incorrect number: “This type fraud can be perpetrated by a bank employee,” PwC said in a report. Say, you have an account with a bank but you don’t use the mobile app. An employee of the bank can attach a different mobile phone number to your bank account and install a mobile application on that mobile device.
Once the app gets linked to your account with the incorrect number, the employee can do a transaction. Usually banks alert the account holder about a transaction via SMS. Since the number linked to the account is different, you will not get any notification on your mobile.
The point of sale (PoS) terminals where you swipe your cards for a transaction and the ATM use the same channel for the bank, called base24 switch, through which your card transactions go through. Here fraud may happen if your card gets cloned or skimmed through the PoS or ATM.
Cloning: Cloning can happen online as well as offline. Say, you swiped your card at a restaurant where the PoS is misused to clone cards, or you enter your card details at a fake shopping site. Once you enter the details, the fraudsters clone the card with your details and then use the information to make online purchases.
“When you use debit and credit cards, theft of identity by use of card readers in restaurants and shops is often done with the help of restaurant waiters and shop sales persons. The stolen data of credit cards is passed on by them to the cyber fraudsters who the clone the cards,” said Dhupia.
Skimming: This involves a machine or camera that is installed at an ATM to pick up card information and PIN numbers when customers use their cards. A fraudster acquires this data and withdraws money from the machine.
Net banking frauds
Net banking is now acknowledged as a traditional channel for transaction and has been attacked too. “The two primary sources of Net banking fraud are executed through malware. It would either be through stealing passwords from customers or stealing customer details from bank systems. The intent is to access the password for the account to enable siphoning off funds,” said Jaju.
Hackers can also obtain access to a person’s mobile phone through malware or cloned/fraudulently obtained SIM card and then use the information to gain access to the Net banking channel. “A secondary and more indirect approach is to hijack a person’s Net banking session through her computer using a malware so that it appears as a legitimate transaction from the account holder’s computer,” said Jaju.
Whose liability is it?
If you have been a victim of any of these frauds, what should you do? According to a master circular by RBI on “Frauds—classification and reporting”, the central bank has put the responsibility to provide protection against and fight frauds on banks, exposing them to a completely new horizon of financial risks, notes PwC. Further, banks are now required to report to the RBI complete information on frauds and the follow-up action.
The RBI has also issued operative guidelines to regulate this channel, suggesting reporting of suspicious transactions to its financial intelligence unit. “To keep a check on frauds, banks need to incorporate a greater level of scrutiny by deploying advanced tools and technology capable of protecting the customers against unethical activities,” said Dhupia.
What you should do
While banks are mandated to prevent frauds, you, too, can take some steps to protect yourself. Ethical hackers—people who hack to evaluate level of security and without any malicious intent—say that users should be especially careful when using banking or other apps on which financial transactions can be conducted.
Don’t jailbreak your phone. Jailbreaking is the process of removing hardware restrictions and thus allowing free apps.
Check what you download and run on your phone. “For example, don’t use WhatsApp for confidential communication; use an encrypted app instead,” said Jaju.
You may want to limit debit card usage at PoS machines and use it only as an ATM card for cash withdrawal. “Try to use credit cards at PoS because if a fraud takes place, you can raise a dispute, and it is not your money,” said Jaju. Be cautious at ATMs; look around for suspicious objects or hidden cameras above the keyboard.
You may rub off the CVV number to be extra careful. But do remember it, so that you can continue using the card. Use computers that have anti-virus software. Don’t share passwords, PINs and OTPs with anyone regardless of the reason stated. Banks never call asking for OTP details. Do not log into links sent on emails that require you to revalidate your credentials on account of a system upgrade. For apps, download directly from an app store; don’t click on unknown links or those sent by unknown numbers.