Beware! Cyber crimes growing at CAGR of 107%

The country has seen a six-fold increase in credit and debit card frauds over the past three years

In November 2014, the Reserve Bank of India (RBI) issued a warning to the public about a new form of fraud perpetrated in its name: a credit card issued by fraudsters in the name of “Reserve Bank”.

Describing the modus operandi of fraudsters, RBI said, “the gullible member of the public is sent a credit card which allows withdrawal of money up to a certain limit, albeit a small sum, from a bank account. Having gained the confidence of the victim thus, the fraudster gets him to deposit a huge sum of money in the same bank account. Once the money is deposited, the card stops working and that would also be the last time the holder of the card (victim) would hear from the fraudster.”

RBI reiterated that it never carried out any business with an individual, whether through savings or current accounts, credit and debit cards, online banking services or receiving and holding funds in foreign exchange or any other form of banking services.

It also warned of other frauds: offers of large sums of money or lottery winnings by email, calls from people posing as RBI officials, a fake Reserve Bank website for online transactions, and emails luring the public to secure their bank accounts against fraud by clicking on a link given to them. “People should refrain from responding to such offers. Once the monies are paid in fraudsters’ accounts, there are remote chances of recovering them,” it said.

These kinds of incidents are occurring with nagging consistency. The number of cyber crimes in India may touch the 3,00,000 mark in 2015, almost double the 1,49,254 recorded last year, said DS Rawat, secretary-general of Assocham, in “Cyber and Network Security Framework”, a joint study conducted with Mahindra SSH.

During 2011, 2012, 2013 and 2014, the total number of cyber crimes registered was 13,301, 22,060, 71,780 and 62,189 (till May), respectively. Cyber crimes are growing at a compound annual growth rate of about 107 per cent. Every month, nearly 12,456 cases are being registered in India.

Phishing attacks have been observed to be originating from the US, Europe, Brazil, Turkey, China, Pakistan, Bangladesh, Algeria and the UAE, the study said. Mobile frauds are an area of concern for companies as mobiles account for 35-40 per cent of financial transactions, which is expected to grow to 55-60 per cent by 2015. Many lost sensitive data due to installation of uncertified applications.

India ranked third after Japan and the US in the tally of countries most affected by online banking malware during 2014.

There has been a six-fold increase in credit and debit card fraud cases over the past three years. According to the data, around 2,277 complaints of online banking/credit/debit card fraud have been reported in 2014. Others, not related to banking, include 191 Facebook-related complaints (morphed pictures/cyber stalking/cyber bullying). Other major cyber complaints were cheating through mobile (61), hacking of e-mail ID (59), and abusive/offensive/obscene calls and SMS (55).

As per the study, Andhra Pradesh-Telangana, Karnataka and Maharashtra have occupied the top three positions in cyber crimes, registered under the new IT Act in India. Interestingly, these states together contribute more than 70 per cent to India’s revenue from IT and IT related industries.

In 2013, according to the National Crime Records Bureau (NCRB), 681 cyber crime related cases were registered in Maharashtra, which was 44.6 per cent more compared with 2012. With 635 cases registered in 2013, Andhra Pradesh saw an increase of 48 per cent of such cases over 2012. Karnataka with 513 cases registered in 2013 saw a 24.5 per cent rise when compared with 2012.

Nitin Chugh, head of digital banking, HDFC Bank, said online transactions on net banking platforms take place in a secure environment. “The mobile banking platform that is on offer sits on top of our net banking infrastructure. The apps show the users’ customised image and security message so that customers are assured. Moreover, no transaction data or PIN information is stored on the device, so there is no threat to data security if the phone is lost or stolen. The same levels of checks and controls are there on the mobile banking platform as in net banking,” said Chugh.

Explaining the kinds of fraud that are possible in the banking and financial segments, he said that in phishing, internet users are tricked into disclosing personal information, leading to identity theft. In a typical phishing attack, the criminal will send out a large number of e-mails purporting to be from a well-known, legitimate company, such as a bank, brokerage, or other online institution. Vishing is an attempt made by a fraudster to seek details like customer ID, net banking password or IPIN (internet PIN), OTP (one-time password), and ATM PIN over the phone.

Smishing is a variant of phishing where SMS is used instead of email. Smishing directs the text message recipient to visit a website or call a phone number, where they are asked for sensitive information.

Then there is SIM-swap. In the first instance, a fraudster obtains bank account details and then approaches the mobile service provider claiming loss of handset or SIM damage and seeks a duplicate SIM card. When transactions are made, the confirmation requests go to the duplicate SIM.

SIM-swap, however, is relatively new in India. Also, most mobile service providers check the old details and require the person to be present and do the KYC once again. As a precaution, they also do not allow any SMS on the new SIM for 48 hours to prevent any fraudulent transactions. No passwords will be sent to it.

“Your bank will never ask for your confidential information via a phone call or text, so if you get an apparent phone call from the bank or an email or SMS, requesting your details, do not give out your login information, customer ID, passwords, OTP, card numbers and PINs,” said Chugh.

Trend Micro, an internet content security and threat management solutions firm, predicts that India will be among the top five countries most affected by targeted attacks.

There would be more unique cybercrime attacks against financial institutions, and the latter must implement two-factor authentication for online services, according to Dhanya Thakkar, managing director, India & SEA, Trend Micro, in a recent prediction report. “We will continue to see threat actors trying to manipulate near field communications (NFC) as certain platforms gain momentum due to their significant following and users’ penchant for adopting the latest and greatest technology.”

Meher Sarid, president, corporate affairs, HR, brand and marketing, Oxigen Services, said the company recently did a pilot using the Aadhaar card for authentication. This would aid in serving the unbanked. Since it used multiple authentication checks (mobile numbers of sender and receiver, bank account of sender, an OTP, biometrics and finally matching the photo on the Aadhaar card with the person coming to collect the money), the chance of fraud is almost eliminated.

“Wallets are effective in reaching out to the poor. We can say there have been no cases of impersonation or other types of frauds using a wallet service,” said Sarid. Also, the money on a wallet does not reside with the company but in an escrow account, as wallet companies are not allowed to use the customer money.

With KYC compliance, tracking who sent how much money to whom is possible. The company handles more than 1.5 million transactions daily; services and remittances/payments amount to Rs 25 crore, and money transfer alone averages Rs 18 crore a day. The transactions happen on multiple access channels: web, app, POS, SMS, USSD and HTTPS/SSL. The POS has proprietary security algorithms to secure transactions.

Customers are more inclined to pay their utility bills online and the two-factor authentication has proven to be safe as the password is only known to the customer.

According to RBI data, during 2013-14, the RTGS processed around 810 lakh transactions valued at Rs 734 lakh crore. During the same period, NEFT handled 6,610 lakh transactions valued at around Rs 44 lakh crore. The electronic clearing service (ECS) debit handled 1930 lakh transactions valued at around Rs 1,268 hundred crore and ECS credit processed 1520 lakh transactions valued at around Rs 2,493 hundred crore.

During this time, there were 5090 lakh credit card transactions valued at Rs 1,539 hundred crore and 6190 lakh debit card transactions valued at Rs 954 hundred crore. Mobile banking services handled 950 lakh transactions valued at around Rs 60 hundred crore.

There is some hope as well. In a recent instance, Rakesh Aggarwal, Maharashtra’s principal secretary for the information technology department, functioning as adjudication officer under section 45 of the IT Act 2000, directed six banks, one mobile operator and a card company to pay Rs 1.06 crore compensation to victims of online frauds who have been duped over the past two years.

The adjudicating officer has the powers of a civil court. All proceedings before the adjudicating officer are deemed to be judicial proceedings within the meaning of sections 193 and 228 of the IPC, and the officer is deemed to be a civil court for the purposes of sections 345 and 346 of the CrPC, 1973. The Banking Codes and Standards Board of India makes it clear that in electronic fraud, the onus of proving that the customer participated in the fraud or compromised the user ID and password will shift to the bank.