With increasing usage of devices connected to the internet, we are constantly at risk of being trapped by fraudsters. The damage to an individual or an organisation can be reputational as well as financial. The most common type of theft online is identity theft (read more about it here: bit.ly/2fBZI0O).
While identity theft in itself can be harmless, it is often only the first step towards larger damage, such as stealing critical information or money from your bank accounts. Though it is not impossible to execute a hack and steal money from a bank account remotely, some kind of physical involvement is often needed at some stage. We spoke to experts to understand how some of these tricks work, so that you can be more careful and not fall into such traps.
Most financial and non-financial transactions need a one-time password (OTP), which you receive on your registered mobile phone. This is a crucial detail. “We freely give photocopies of our identity proof and PAN card wherever needed. Sometimes, these end up in the wrong hands and they are able to get a SIM card for your number using these documents,” said Altaf Halde, managing director, Kaspersky Lab (South Asia). “If you have not given an alternate number to the telecom company, you have no way of finding out that a new SIM card has been issued,” he said. If the service provider has another number on which to contact you, you can be alerted that a request for a new SIM card has been made in your name.
When a new SIM gets activated, the one you have gets disconnected. “It should be alarming, but what happens in reality is that when the network disappears from your phone, your first reaction is that there is some problem with the network,” said Halde. However, Aadhaar-based verification is helping solve this problem to quite an extent, he said.
Social engineering, in the context of fraud, means manipulating a person in such a way that she gives out information that can be used to commit fraud. Usually, an individual or a set of individuals is identified as the target. “Through just social engineering...you can get a lot of private information on an individual,” said Harshil Doshi, strategy security consultant, Forcepoint India, a cyber security firm. “An attempt is made on thousands of people and the hit rate is 2-3 in a thousand,” he said.
It is not uncommon to find basic details like name, date of birth, address, email and phone numbers online. Data sets sorted by age, location, salary or other metrics are sold in the market. “Along with some more technical steps and social engineering, this information can be used to hack someone,” said Halde. For example, if you are using an email service, there are some security questions you have to answer to recover a password. Some of these questions, like your mother's maiden name or the first school you attended, are used in many places. “So, social engineering is used to get answers to your security questions,” said Halde. The answers are then used to get into your account.
Malware refers to programs that steal information while hiding somewhere on your device. “People want to download a lot of free software, videos and music; and chances are high that those files are hosting some malware that will steal information from the end machine,” said Doshi. Malware can also get downloaded to your device when you click on a link, usually in spam emails or SMSs promising something attractive, cheap or free.
The inherent nature of malware is to steal information from the device. “The malware is coded to pick up information from the device and send it to the command and control centre, which is hosted somewhere on the internet. Malware is designed smartly and does not look for non-sensitive information. It looks for sensitive information based on keywords like password, banking, or transaction. Any file having these keywords is stolen,” Doshi explained.
An advanced version of malware is ransomware. This does not even steal information; it simply encrypts the data so that you cannot access it. If you want to access it, you have to pay a ransom. To reduce the risk from ransomware, it is good practice to back up your data on an external drive that is not connected to the internet.
While the risk of cyber financial fraud will remain, this does not mean that you should stop transacting altogether. The Reserve Bank of India (RBI) in July this year issued a notification on customer protection in the case of unauthorised electronic banking transactions. You can read about it in detail here: bit.ly/2tPP3r3.
The RBI has clearly spelt out banks’ as well as customers’ liabilities in case of unauthorised electronic banking transactions. If an unauthorised transaction takes place and the bank is responsible for it, the customer has zero liability even if the customer does not report the fraud. This means the bank will make good any losses you may suffer. If there is a third-party breach, where neither the bank nor the customer was responsible, and the customer reports it within 3 working days of receiving the communication from the bank, then too the customer has no liability. But if you report the fraud not within 3 days but within 4 to 7 working days after receiving the communication from the bank, you will have some liability for the transaction, which means you will incur some monetary loss from the fraud. What if you report after 7 days? In that situation, the bank will decide what to do.
Being alert and, even before that, following basic rules like not storing passwords and PINs, using complex and different passwords for different services, not clicking on unknown links and not downloading from suspicious sources can keep you safe to a large extent.