BY Vivina Vishwanathan & Lisa Pallavi Barbora
When you carry cash, you run the risk of losing the money or getting robbed. Similarly, there are risks involved in digital and online banking as well. According to a June report by PricewaterhouseCoopers Pvt. Ltd (PwC), as financial institutions use more digital banking channels, the new technologies make them more susceptible to fraud.
But that doesn’t mean you should avoid digital transactions completely. In fact, it’s a convenient and cost-effective method. All you have to do is be aware of the risks and not disclose any confidential information such as a password or personal identification number (PIN).
Risk factors
Traditionally, cheques topped the list of frauds in banking. But now, with increasing use of the Internet and mobile phones for financial transactions, new kinds of frauds have emerged. “In my experience, some of the commonly perpetrated frauds prevalent across the banking value chain include phishing, vishing, man in the browser attacks and malware-based attacks,” said Sandeep Dhupia, partner and Head—Forensic services, KPMG India.
Almost all frauds that happen online or electronically involve collecting information. Phishing means collecting information from a customer by sending fake emails. Vishing means calling a customer posing as a bank executive or an official from the central bank and collecting information for identity theft. The data can also be stolen through smishing, in which the customer receives an SMS with a web link, which, if clicked, downloads a malicious programme that steals data. Man in the browser means a malware infection of the Web browser. Once this happens, the details a user enters on a website are stolen.
Banking transactions can be categorized into three channels—mobile banking, cards and Net banking. You are susceptible to fraud in any of these channels. Here is a look at what the issues can be on each channel.
Mobile banking frauds
According to the Reserve Bank of India, in 2014-2015, 22 million of the 589 million bank account holders were using mobile banking apps. The volume of mobile banking transactions has also risen from around ₹1,819 crore in 2011–12 to about ₹1.02 trillion in 2014–15, PwC said in a report. As the number of mobile transactions goes up, different kinds of frauds such as fake apps, SIM swap and malware have surfaced.
Fake apps: The first step in stealing money online is to steal information. This can be done by creating a fake app distributed outside the Play Store. “Hackers create fake apps which will look exactly like the original,” said Dinesh Anand, Delhi-based partner and leader—forensic services, PwC. The user interface is very similar to the original application.
How do they get you to download the fake app? “One way is to send the bank customer a link asking them to upgrade the bank’s app,” said Amit Jaju, executive director, forensic technology and discovery services, and head (Europe, Middle East, India and Africa) software license forensic, EY. If you click on the link, a fake app gets downloaded. This may happen if you jailbreak your phone. When you enter your user name and password, the fraudsters get access to that information.
SIM swap: The fraudsters will first collect your personal banking information through phishing, vishing, smishing or any other means. Once they have your personal information, they get your SIM blocked, and obtain a duplicate one by visiting the mobile operator’s retail outlet with fake identity proof. The mobile operator deactivates the genuine SIM card, which was blocked, and issues a new SIM to the fraudsters. It is now simple to generate a one-time password (OTP) required for transactions using the stolen banking information. This OTP is received on the new SIM held by the fraudsters and they can now transact before the bank customer realizes the theft and alerts the bank.
App mapped to incorrect number: “This type of fraud can be perpetrated by a bank employee,” PwC said in a report. Say, you have an account with a bank but you don’t use the mobile app. An employee of the bank can attach a different mobile phone number to your bank account and install a mobile application on that mobile device.

Once the app gets linked to your account with the incorrect number, the employee can do a transaction. Usually banks alert the account holder about a transaction via SMS. Since the number linked to the account is different, you will not get any notification on your mobile.
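As an added illustration, not from the article or any bank’s actual system, the Python sketch below shows the kind of bank-side checks that address the SIM swap and app-mapped-to-incorrect-number frauds described above: a transaction is not released on a correct OTP alone if the OTP went to a number that was recently swapped onto a new SIM or recently changed on the account, and a change of the mobile on record is alerted to the old number as well. The field names, time windows and sample phone numbers are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SIM_CHANGE_WINDOW = timedelta(hours=48)      # assumed cooling-off windows; real values
NUMBER_CHANGE_WINDOW = timedelta(days=7)     # would be bank policy

@dataclass
class Account:
    registered_mobile: str
    mobile_changed_at: Optional[datetime] = None  # last change of the mobile on record
    previous_mobile: Optional[str] = None

@dataclass
class Txn:
    account: Account
    otp_sent_to: str                              # mobile the OTP was delivered to
    at: datetime
    sim_changed_at: Optional[datetime] = None     # operator-reported time a new SIM was issued

def risk_flags(txn: Txn) -> list:
    """Reasons not to release a transaction on a correct OTP alone (empty = allow)."""
    acct, flags = txn.account, []
    if txn.otp_sent_to != acct.registered_mobile:
        flags.append("otp_to_unregistered_mobile")
    # App mapped to a freshly changed number: the real customer gets no SMS alert.
    if acct.mobile_changed_at and txn.at - acct.mobile_changed_at < NUMBER_CHANGE_WINDOW:
        flags.append("recent_mobile_number_change")
    # SIM swap: a duplicate SIM was issued just before the OTP was requested.
    if txn.sim_changed_at and txn.at - txn.sim_changed_at < SIM_CHANGE_WINDOW:
        flags.append("recent_sim_change")
    return flags

def change_alert_recipients(acct: Account) -> list:
    """Send the change alert to the old number too, so the real customer sees it."""
    return [m for m in (acct.previous_mobile, acct.registered_mobile) if m]

def sample_flags() -> dict:
    """Constructed scenarios (made-up numbers) mirroring the two frauds in the text."""
    now = datetime(2016, 1, 10, 12, 0)
    stable = Account("+91-9000000001", mobile_changed_at=datetime(2014, 5, 1))
    remapped = Account("+91-9000000002", mobile_changed_at=now - timedelta(days=1),
                       previous_mobile="+91-9000000001")
    return {
        "normal": risk_flags(Txn(stable, "+91-9000000001", now)),
        "sim_swap": risk_flags(Txn(stable, "+91-9000000001", now,
                                   sim_changed_at=now - timedelta(hours=3))),
        "remapped_number": risk_flags(Txn(remapped, "+91-9000000002", now)),
    }
```

A flagged transaction would be held for an out-of-band confirmation (for instance a callback to the number on record before the change) rather than declined outright.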
Card frauds
The point of sale (PoS) terminals where you swipe your cards for a transaction and the ATMs use the same channel at the bank, called the BASE24 switch, through which your card transactions pass. Here fraud may happen if your card gets cloned or skimmed at the PoS or ATM.
Cloning: Cloning can happen online as well as offline. Say, you swiped your card at a restaurant where the PoS is misused to clone cards, or you entered your card details at a fake shopping site. Once you enter the details, the fraudsters clone the card with your details and then use the information to make online purchases.
“When you use debit and credit cards, theft of identity by use of card readers in restaurants and shops is often done with the help of restaurant waiters and shop sales persons. The stolen data of credit cards is passed on by them to the cyber fraudsters who then clone the cards,” said Dhupia.
Skimming: This involves a machine or camera that is installed at an ATM to pick up card information and PINs when customers use their cards. A fraudster acquires this data and withdraws money from the machine.
Net banking frauds
Net banking is now acknowledged as a traditional channel for transactions and has been attacked too. “The two primary sources of Net banking fraud are executed through malware. It would either be through stealing passwords from customers or stealing customer details from bank systems. The intent is to access the password for the account to enable siphoning off funds,” said Jaju.
Hackers can also obtain access to a person’s mobile phone through malware or a cloned/fraudulently obtained SIM card and then use the information to gain access to the Net banking channel. “A secondary and more indirect approach is to hijack a person’s Net banking session through her computer using malware so that it appears as a legitimate transaction from the account holder’s computer,” said Jaju.
Whose liability is it?
If you have been a victim of any of these frauds, what should you do? According to a master circular by RBI on “Frauds—classification and reporting”, the central bank has placed the responsibility for protecting against and fighting frauds on banks, exposing them to a completely new horizon of financial risks, notes PwC. Further, banks are now required to report to the RBI complete information on frauds and the follow-up action.
The RBI has also issued operative guidelines to regulate this channel, suggesting reporting of suspicious transactions to its financial intelligence unit. “To keep a check on frauds, banks need to incorporate a greater level of scrutiny by deploying advanced tools and technology capable of protecting the customers against unethical activities,” said Dhupia.
What you should do
While banks are mandated to prevent frauds, you, too, can take some steps to protect yourself. Ethical hackers—people who hack to evaluate the level of security and without any malicious intent—say that users should be especially careful when using banking or other apps on which financial transactions can be conducted.
Don’t jailbreak your phone. Jailbreaking is the process of removing hardware restrictions and thus allowing free apps.
Check what you download and run on your phone. “For example, don’t use WhatsApp for confidential communication; use an encrypted app instead,” said Jaju.
You may want to limit debit card usage at PoS machines and use it only as an ATM card for cash withdrawal. “Try to use credit cards at PoS because if a fraud takes place, you can raise a dispute, and it is not your money,” said Jaju. Be cautious at ATMs; look around for suspicious objects or hidden cameras above the keypad.
You may rub off the CVV number to be extra careful. But do remember it, so that you can continue using the card. Use computers that have anti-virus software. Don’t share passwords, PINs and OTPs with anyone regardless of the reason stated. Banks never call asking for OTP details. Do not log in through links sent in emails that ask you to revalidate your credentials on account of a system upgrade. For apps, download directly from an app store; don’t click on unknown links or those sent by unknown numbers.