Tuesday, June 09, 2015

Why 'Online Fraudulent Financial Attacks' Are Not Active?

The Internet, as we know it, has conquered our lives and everything in them. Providing in-depth access to knowledge, satiating our curiosities and letting us voice our opinions, the Internet is also responsible for fostering innovative minds. The result: Internet of Things and Net Neutrality have become the new tech buzzwords.

With the Internet of Things, everyday physical objects such as watches, washing machines and refrigerators now have network connectivity to send and receive data. Net neutrality, on the other hand, determines free and unobstructed access to various apps and websites on internet-enabled smartphones and computer systems.

Thanks to these, India today has around 300 million Internet users. If we take into account recent reports, by 2018 India will have a whopping 500 million people online. As per Boston Consulting Group, the figure may reach 583 million, most of them mobile internet users.

Just as the entire nation is going digital, the world of the ‘Dark Web’ too is warming up to huge amounts of personal and confidential user information. How?

As per a Computer Emergency Response Team India (CERT-In) report, around 308,371 websites were hacked between 2011 and 2013. And 1.2 billion Internet credentials with usernames, passwords and E-Mail IDs got stolen in 2014.

“In India, 80 percent of complaints in the cyber crime cell are related to online frauds and banking frauds,” confirmed Rakshit Tandon, Advisor, Cyber Crime Redress Unit for UP & Gurgaon Police.

CERT-In has also identified a virus called ‘Bioazih’ that has recently spread across the Indian online space and threatens to alter users’ personal data. It can even operate under disguises to execute functions on different computer systems stealthily and in an unauthorized way.

So while internet users reap the benefits of a plethora of internet services and easy online transactions, it is the cyber criminals that are laughing their way to the banks.

One case in point is that of cyber fraud victims from Mumbai. In April this year, the complainants lost Rs. 63 lakh in an online banking fraud when their fixed deposits were transferred to another bank account without their knowledge or permission. Such cases resulted in the loss of Rs. 8646 crore to financial frauds in India in 2012-13, as per RBI records.

How does it work?

“Free Wi-Fi or public Wi-Fi can let hackers walk all over your gadgets and collect information which is openly exposed. Another popular method is by sending unsolicited messages alluring a user to click on links, going on duplicated web pages, entering personal information voluntarily or responding to spam messages, willingly parting with money and getting duped by attractive schemes,” said Vinod Kumar, Managing Director, Satcom.

A recent Verizon Data Breach Investigations report, covering about 80,000 security incidents in 61 countries, suggested that 23 percent of recipients open phishing messages while 11 percent click on attachments. Verizon also found that even if 10 employees in an organisation are sent phishing mails, the entire company network is under attack.

Ashish Tandon, Chairman and CEO, Indusface, validates this point too, saying, “Phishing (fraud emails) is prevalent. Around 16 million fraud emails pass through spam filters and 8 million are opened daily, which is a huge cause of concern. Attackers can even combine phishing with Cross-Site Scripting (XSS) attacks to steal anything from credit card details to internet banking passwords. At server end, SQL Injection and Cross Site Request Forgery (XSRF) vulnerabilities allow hackers to get into system database and steal information from thousands of users.”

From ‘vishing’ (voice phishing), spyware planted on computers, ATM-level hacking and e-wallet hacking to fake job offers and harmful viruses, online crimes are increasing day by day. “As per recent public figures, from April to December 2014, over 9600 incidents were reported, amounting to a loss of Rs. 60 lakh,” said Rakshit Tandon.

With rampant card cloning, credit/debit card frauds rank the highest among cyber crimes in India. Cyber-stalking and cyber-bullying people into sharing financial details, ATM PINs and bank account information are tactics frequently used by tricksters in the online space.

The fraudster may “approach you with free credit card options with double benefit schemes and ask you to give a front/back photocopy of the existing card,” Kanwal K. Mookhey, Founder, The Institute of Information Security, further explained.

Debit and credit card frauds also involve callers posing as bank employees (a practice called ‘vishing’) to procure the CVV number (on the back of the card) needed for online transactions. The caller may even threaten the customer, saying that the account may be frozen if they do not share the information. This is fast becoming a part of cyber crime aggregators and is also known as social engineering.

A classic case is the unforgettable Nigerian scam, or advance-fee fraud. It originated in Nigeria and lured people into paying an advance fee to the account of a Nigerian prince for financial gains that never materialised.

Rakshit Tandon stated that the Nigerian scam is still far from being extinct and job scams are also on the rise. “A case happened in Gurgaon where a fake website was created using Maruti’s name to scam millions of children offering jobs with the company for a ‘refundable deposit’,” he explained.

In the digital world, fraudsters need not have access to the physical cards but only the card security numbers which they can trace from irresponsible online dealings. Often, it is also found that people write their PIN numbers on the back of their card and share it with retailers or waiters at restaurants or even at the ticket counters at movie theatres.

In this regard, Mookhey believes, “OTP has gone a long way in preventing wide-scale hacking.” Cyber criminals, however, are on the lookout for ways to get around such safety mechanisms. “For a while now, malware is being planted on phones to intercept OTPs (one-time passwords) and send them to the hackers, who are then able to log into original accounts. The actual SMS of OTP does not even show up on the customer’s phone,” warned the cyber security expert. Meanwhile, Rakshit Tandon confirmed receiving several complaints regarding hacked e-wallets, a service for refunds in the case of online shopping.

Cyber frauds are also not limited to a particular city as Rakshit Tandon reports that he gets complaints from every place in the country, even from a small village near Indore, Madhya Pradesh.

Ashish Tandon of Indusface too believes that online fraud cases will increase in Tier-2 and Tier-3 in this decade.

Why is ignorance not bliss?

More often than not, users also fall prey to dubious websites that are not secure. Clicking on links for offers and schemes, on e-commerce sites and elsewhere, is another route into fraudulent financial deals. “This is social engineering and cyber professionals call it ‘too good to be true syndrome’,” Mookhey confirmed.

Many tend to be unaware of the fact that a safe URL always begins with ‘https’ as opposed to ‘http’. Credible websites also show a small gold padlock at the lower right corner of the browser. HTTPS on its own only means the connection is encrypted; fraudulent sites can use it too, so the domain name in the address bar still needs to be checked.

Mookhey also warns against using unlicensed operating systems (OS), using easy-to-guess passwords that are not changed for a long time, having the same password for multiple sites and not enabling two-step verification for e-mail accounts, as these increase the risk of intrusive actions by cyber criminals. The chances of malware such as Bioazih executing backdoor operations on a computer are higher with a pirated OS or an outdated browser.

In addition to this, using one’s personal computer for financial transactions is advisable. For this, securing PCs with genuine anti-virus software is a must as a potentially threatening virus can also execute phishing attacks.

However, as Kumar puts it, “That will only be a start because a lot of responsibility still lies with the user in not taking unwanted actions as well as not leaving personal information like credit card details, passwords lying around in their laptops or any other gadgets which are exposed to the internet.”

Awareness programmes initiated by banks, retailers, restaurants, etc. are “a better approach rather than simply telling people to use safe passwords, not responding to fake calls and using shared computers more responsibly,” affirms Ashish Tandon. He further advises users on “reading more about online security, especially what most banks share with their customers over emails and reporting about such frauds to proper authorities who can learn and educate others.”

Besides learning lessons from the aforementioned cases and the experts, one can also study safety measures on DBS India’s Act against Cyber Theft (ACT) microsite, part of the DBS India anti-cyber theft initiative. The ACT microsite also introduces cyber crime victims to measures that can safeguard their sensitive details and help them shop online safely. The initiative is based on the fact that with awareness and continuous, careful vigilance one can avert such attacks.
