The new wave of change in banking is the use of mobile phones, through apps and social networking. These, however, have brought with them a myriad of risks, especially from cybercrime. Managing these threats depends mainly on two things: how secure the device is, and how carefully the customer handles her own data; both lie in the consumer’s hands, not the bank’s.
With advances in technology and falling costs of processing and storage, most banks have migrated to centralised core banking systems and moved all transaction information into electronic form. Technology has helped banks reach remote regions and expand their customer base. This has been made possible by channels such as payment cards (debit and credit), phone banking, Internet banking and mobile banking.
These new channels, however, have also brought in risks from cyberspace that banks must defend against. But a bank has no control over how secure its customers’ devices are, or how safely its customers behave.
India has the second largest population of mobile subscribers (more than 1 billion) and Internet users (approximately 500 million). This makes India an attractive target for hackers, who regularly come up with new schemes to defraud the bank accounts of unsuspecting customers.
Hackers constantly evolve new tricks and techniques. With no formal ‘training’ ever given to Internet or mobile phone users, hackers rely on social engineering to trap unsuspecting users. Here are some of these techniques.
Phishing: A link is sent by email, SMS or WhatsApp in a message that appears to come from a genuine source, such as the bank. Clicking the fraudulent link takes the customer to a look-alike page that asks her to enter her bank details, which the hackers then use. The giveaway is the address the browser actually opens: the page sits on a domain the bank does not own, even if the bank’s name appears somewhere in the link text.
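The check described above, as an added example that is not part of the original article: given a link from an email, SMS or chat message, work out which host the browser would really connect to and compare it with the bank’s own hosts. The bank hostnames (`examplebank.in`) and the sample links are constructed for illustration; a real check would use the bank’s published domains. The code relies on Python’s standard `urllib.parse`, which strips any `user@` prefix, so the common `https://netbanking.examplebank.in@evil.example` trick is resolved to the attacker’s host.

```python
from urllib.parse import urlsplit

# Constructed for this example: the hosts a hypothetical bank actually uses.
BANK_HOSTS = {"www.examplebank.in", "netbanking.examplebank.in"}


def actual_host(url: str) -> str:
    """Host the browser will really connect to: lower-cased, trailing dot removed.

    urlsplit() discards any 'user@' prefix and the port, which is exactly what
    defeats links of the form https://netbanking.examplebank.in@evil.example/.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")


def check_link(href: str, shown_text: str = "") -> tuple:
    """Return (trusted, reason) for a link found in a message.

    shown_text is the clickable text the customer sees (for HTML mail, the
    anchor text); phishers typically display the bank's address but point
    the link somewhere else.
    """
    parts = urlsplit(href)
    if parts.scheme != "https":  # urlsplit lower-cases the scheme
        return False, "not HTTPS"
    host = actual_host(href)
    if shown_text.lower().startswith(("http://", "https://")) and actual_host(shown_text) != host:
        return False, f"displayed address {shown_text!r} does not match destination {host!r}"
    if not host.isascii() or "xn--" in host:
        return False, "non-ASCII or punycode host: possible look-alike characters"
    if host not in BANK_HOSTS:
        return False, f"real destination is {host!r}, which the bank does not own"
    return True, "destination is one of the bank's own hosts over HTTPS"


if __name__ == "__main__":
    # Constructed sample links, typical of what arrives by SMS or email.
    samples = [
        ("https://netbanking.examplebank.in/login", ""),
        ("http://netbanking.examplebank.in/login", ""),
        ("https://netbanking.examplebank.in.verify-account.example/login", ""),
        ("https://netbanking.examplebank.in@verify-account.example/login", ""),
        ("https://verify-account.example/login", "https://netbanking.examplebank.in"),
        ("https://netbanking.examplebänk.in/", ""),
    ]
    for href, shown in samples:
        ok, why = check_link(href, shown)
        print(f"{'OK  ' if ok else 'BAD '} {href}  ({why})")
```

The same logic is what a password manager applies when it refuses to fill credentials on a page whose host does not match the one the password was saved for; reading the real host yourself is the manual equivalent.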
Malware: Malware such as keyloggers can get into computers that are not securely configured or that lack adequate anti-virus or anti-malware protection. It steals banking credentials by recording keystrokes, or by reading passwords stored in less secure locations, such as the browser’s saved-password store or plain text files.
Tapping, man in the middle, rogue hotspots (often loosely called war driving, which strictly means only scanning for networks): This method generally involves luring a customer onto a honeypot wireless or wired network offering free Internet in a public place. The hacker configures the network to monitor Internet traffic and copy information. A properly configured HTTPS connection keeps the content of a banking session private even on such a network, so the attacker’s lever is to make the customer click through a certificate warning or use an unencrypted look-alike site; never accept such warnings on a public network.
Protecting your card: Scratch off the CVV number printed on the back of your card, and memorise it or keep it in a password manager app, so that anyone who copies or photographs the card cannot use it online. For online transactions, use virtual credit cards, which carry a separate, limited-use number instead of your real card number. You can go a step further and insure all your cards against fraud and theft by subscribing to a card protection service.
Securing your mobile device: Avoid jailbreaking or rooting, as it removes the platform’s built-in security mechanisms. Install apps only from the official app store. Configure a secure PIN, and sign in to the platform account (such as iCloud or a Google account) so that a lost device can be tracked and wiped remotely. Enable biometric authentication if your device supports it. Lastly, switch from SMS to app-based one-time passwords: an authenticator app computes each code on the device from a secret shared with the bank, so there is nothing to intercept in transit or to divert by taking over your SIM.
Securing computers: Enable anti-virus and anti-malware software and set it to install the latest updates automatically; keep the operating system and browser patched the same way. Also, create dedicated user accounts for day-to-day use and restrict administrative rights, especially on shared computers.
Securing passwords: Use a password management utility to keep all your passwords in one encrypted store behind a single strong master password. Some utilities let you configure two roles: a user who can fill passwords on the relevant websites without viewing them, and an administrator who can view and edit them. Open websites from the utility’s toolbar or browser extension rather than from links in messages; the utility fills a password only on the domain it was saved for, which protects against phishing. Entering a password through an on-screen keyboard defends against simple keyloggers, though not against malware that captures the screen, so it is no substitute for a clean machine.
These steps will go a long way in defending against hackers, and your bank will appreciate them as well.
Amit Jaju is executive director, fraud investigation and dispute services, and head (EMEIA), software license forensics, EY.