When he bought FASTag, a prepaid rechargeable tag for toll payments, through Internet banking, Noel Vincent, a young techie from Infopark, Kochi, had no inkling that he would come to rue it.
Over a fortnight later, his bank account was plundered bone dry through a mobile wallet, as he saw in disbelief alerts of unauthorised transactions land on his cell phone.
“First there was an alert one withdrawal of ₹14,999 followed by another attempt of withdrawing ₹4,999, which was declined owing to lack of enough balance, before another ₹3,120 was debited. It took place in a matter of minutes between 4.15 p.m. and 4.17 p.m. on November 14. The funniest thing is that the mobile range at my work place is patchy to even make calls forget about logging into the mobile wallet and transacting funds after the double authentication,” said Mr. Vincent who had since then lodged a petition with the Infopark police.
Just moments before these unauthorised transactions, he had received a call from someone claiming to be from the customer care of his private bank asking details about a petition he had filed with the consumer court after the FASTag was not forthcoming even a fortnight after he paid for it. Mr. Vincent had no clue how a payment he made through the Internet banking led to a plundering over the mobile wallet.
“While most financial transactions have now switched to online owing to convenience, people who are using the gadgets neither understand the technology nor the threats entailing it. The simplest of safeguards like changing privacy settings and passwords, updating software and using anti-virus are ignored sending an open invitation to the cybercriminals,” said Inspector General of Police and District Police Chief (Kochi City) Vijay Sakhare.
Carding on a roll
Carding has emerged as one of the most common financial frauds whereby the credit and debit card details are stolen for unauthorised transactions or are even used for cloning cards. Instances of credit and debit card details put up for sale on the Dark Web and Telegram groups have come to the notice of cyberexperts where trading is done on the basis of the credit worthiness of the victims.
“It is surprising how they get to know about credit worthiness, which points at a potential nexus with the ground level data collectors like third party banking agents, who have easy access to such information. There are even dedicated Dark Web groups with tutorials on card cloning while in some cases the sale of card details come with the instructions to restrict their use to specific sites to avoid potential detection,” said Nandakishore Harikumar, who runs a cybersecurity start-up and is actively associated with the Cyberdome set up by the Kochi City Police Commissionerate.
Regarding it as a very organised crime, he shared how data mined from the Dark Web for research purposes featured 20-odd cards from Kochi proving how even a third-tier city is not free of the scourge of technology-driven financial frauds.
Theft of card data happens through phishing sites of popular websites and even through the point-of-sales machines, which are no longer free from ransomware and malware. Enterprise Resource Planning, a business process management system for integration of apps to manage and automate back office transactions, is another potential avenue of data leakage.
Saving cards in untrustworthy sites, which do not follow encryption protocol for their storage, jumping at every alluring offer on the Internet and saving card details casually in notepads on mobile phones are cited as other ways of inviting trouble.
Making matters worse is the easy availability of card skimming devices in both the open and black market for anywhere around $1,000-5,000. “A good electronic engineer can put these devices to use on his own. Banks should counter this by fitting ATMs with anti-skimmers, which are widely available,” said Mr. Harikumar.
OTP theft
Abhijith B.R., deputy manager at a cybersecurity digital hub and who closely associates with Kochi police Cyberdome, drew attention to the increasingly widespread targeted attacks involving the theft of One Time Passwords (OTP). This often takes place through the installation of malicious mobile applications by gullible users who are oblivious of the permissions they gave while installing them and the threats that entail. “The cybercriminals will be already having the user name and password and OTP would be all they need, which these malicious apps make accessible to them,” said Mr. Abhijith.
A cursory look at 21 cases invoking the Information Technology Act being investigated by the city police reveals several instances of OTP theft-induced financial crimes.
Mr. Abhijith said people were exposed to potential financial frauds when they sent their data like account details and Aadhaar card copies to the private mail or WhatsApp accounts of third parties while applying for a new credit card of bank account. That compromises data and explains how people often get messages and calls with financial offers in perfect sync with their income without them revealing it anywhere .
Situation-specific crimes
An official associated with Cyberdome said that financial frauds does not follow a specific pattern but has become situation-specific. “For instance, when it was time for filing Income Tax Returns, attempts were made to dupe people in the name of refunds and when FASTag became mandatory even that was targeted as a potential avenue for fraud,” he said.
Then there were the financial frauds committed by virtual impersonation like the recent instance in which the general manager of the Kochi unit of a UAE-based export company was taken for a ride by a man who duped him of ₹2 lakh by masquerading as the assistant general manager of Steel Authority of India Limited. The victim later realised that the perpetrator who had similarly duped another person from Ahmedabad was now behind bars.
Stating that Information Technology Act is invoked in 30% of cases, including financial frauds, registered by the Kochi city police, Mr. Sakhare said that their investigation remains a challenging task.
“Cybercrimes are ‘going dark’ as the information is not forthcoming provoking enforcement agencies across the world to seek backdoor to technological devices to check criminal activities and demand localisation of data. Gathering information and evidence linking the virtual and physical identity of the cybercriminals remains a challenging task because of this opacity of technological devices. The jurisdictional issues of country-specific laws make the process even tougher,” he said.
There is a Cybercrime station for the Kochi Range covering five districts and manned by 20 police personnel, besides a few dedicated personnel to deal with cybercrimes in every police station. There is a also a cybercell at the district headquarters under the District Police Chief (Ernakulam Rural).
While the structure is there the challenge is in keeping the force up-to-date with technological advances, to counter which the Kochi city police developed the concept of Cyberdome in the public-private participation domain with special focus on patrolling the social media. The Infopark-based facility enlists the services of ethical hackers, experts and institutions guiding police in effectively dealing with cybercrimes.
“Recently, we had the first review meeting of Cyberdome, which has amassed a goldmine of data in its short period of existence. We have the capacity to archive data for one full year before moving it to portable devices,” said Mr. Sakhare.
Education, awareness, research and development, and enforcement are the primary objectives of Cyberdome, while it closely watches five primary areas: incidents and the response it evokes in the virtual world, radical and extremist elements and terrorist activities, narcotic drugs and arms smuggling, paedophilia and human trafficking, and economic offences.
