“There is a need for a dedicated effort to collect structured empirical data on cyber payment frauds to assess the magnitude of the problem countrywide,” notes a joint report by the think tanks Deepstrat and The Dialogue, titled “Tracking Retail Financial Cyber Crimes in India”, published in June 2022.
The report comes on the back of an exponential increase in the number of financial cyber-crimes across India as more and more transactions moved online during the pandemic, with the Reserve Bank of India (RBI) recording 69,410 cases in 2020. It cites social engineering and phishing as the two most commonly observed attack patterns deployed by criminals to commit ATM, online banking, UPI and OTP frauds.
While acknowledging that the lack of concrete data prevents a detailed study of financial cyber-frauds, the researchers suggest that regulators such as the Reserve Bank of India need to evolve the safety features and security processes of all stakeholders in the digital payments ecosystem for greater harmonization and user safety, noting that this will also help law enforcement agencies investigate crimes.
Why this matters: The frequency of cyberattacks on both the public and private sectors has risen exponentially in the last few years, especially during the pandemic. Cyber breaches across the country in the past two years have resulted in victim entities and individuals incurring huge financial losses, not to mention severe violations of confidential data and privacy. Gauging the attack patterns and methods of threat actors is key to improving existing cybersecurity measures.
What were the standout attack patterns around India in the past two years?
Payment frauds are essentially the extraction of money from a payment instrument, either by hacking or through social engineering or phishing attacks that compromise its security measures. In both approaches, the attackers send a deceptive message that gets the user to share their banking password. This, in turn, allows the attacker to siphon money from the victim’s account to some other payment instrument under their control.
Three common factors used to lock payment instruments, which an attacker must defeat to take money out, are:
- What you know – A secret such as a static password, a personal identification number (PIN), or a dynamic secret with an expiry such as a Time-based One-Time Password (TOTP).
- What you have – Possession of a device (USB key, hardware token), a smart card (ATM card), or a cheque book (physical paper).
- What you are – A unique identifier that identifies the person, such as a fingerprint, facial identifier, palm scan, or even a signature.
Listed below are the methods that the paper states are usually employed by cyber-criminals to extract money from victim accounts. This information was collected by the researchers from police analyses of the FIRs filed in Gurugram, one of the most cyber-crime infested cities in India, and from interviews with the officers in charge of investigating these cases.
- Fraudulent ATM withdrawal: A fraudulent ATM withdrawal needs two main sets of information: the card, and the PIN or CVV number. There are two ways to obtain this information: physical theft or card cloning. The card data is stored on the magnetic stripe in plain text, and over the years fraudsters learnt how to read it via custom devices and replicate it to create cloned cards. This led to the RBI-mandated use of chip-and-PIN cards, but attackers still use trojan viruses, phishing mails, card skimming and hidden cameras on ATM machines to bypass these protections.
- Corrupt bank employee: Finance industry insiders, particularly bank employees, can deploy multiple methods to defraud bank customers. “For instance, they may simply leak customer information including Debit/Credit card details to others or may change the email IDs/Mobile numbers to which OTP (One Time Password) is sent or they may use a returned Debit/Credit card which could not be delivered to the customers,” the report says in substantiation of its claims.
- KYC lapsed: This is a modus operandi that is uniquely Indian and is a side effect of the regulatory and technological changes that took place in the payment landscape following the mandatory Aadhaar-bank seeding orders. The economic disruption caused by a deactivated wallet or bank account can be quite strenuous for most people, especially once they learn that a third party can cancel their financial instrument for lack of Aadhaar linkage. This has created an environment where any notification about an account deactivation because of KYC expiry can provoke a panicked reaction. Fraudsters exploit this by calling the victims disguised as bank agents and telling them that unless they share an OTP or click a link, their wallet or bank account will be deactivated for non-compliance with KYC norms. The two methods listed below are very popular with these criminals.
- Sending a transaction OTP to the victim’s phone number in the guise of a KYC verification, which is then used to hijack their bank accounts.
- Sending them a link, which when clicked, installs a Trojan that takes over their mobile device completely and puts it under the fraudster’s control, which allows them to see their m-PINs (Personal Identity Numbers used to make transactions in their bank or wallet mobile apps).
- OTP shared by victim: One-time passwords have been the norm in Indian card transactions since 2008. OTPs are harder to break than conventional passwords because of their one-time usage. However, cyber illiteracy among Indians makes them particularly vulnerable to sharing their OTPs or other similarly sensitive data. As per the report, there are many patterns deployed to target OTPs.
- Offering an upgrade of their Credit/Debit Cards (thus providing them a sense of belonging to a unique and exclusive club which pampers their self-importance).
- Offering them a free tour package or cashback reward (thus creating a FOMO (Fear of Missing Out) effect).
- Threatening account deactivation because of lack of KYC compliance (a fear inducing effect that works because of the ground reality of ever-changing compliance rules).
- Pay via link: Paying via a malicious link is an easy mistake to make. There is almost no concrete way to figure out whether a payment link messaged or mailed to you is genuine or fake. In the past couple of years, scamsters have all but perfected these boilerplate payment request texts. It must be noted that other than links, scammers also send malicious QR codes or pose as a shopping payment gateway to steal money from unsuspecting people. The following are the three usual patterns used in phishing messages.
- Forging the name of the receiver
- Switching the direction of payment – A fraudster may say to the victim that clicking the link is required to receive money, whereas they end up paying.
- Rapid withdrawals by sending multiple links, some of which are small credits but others of which are large debits.
- Proxima fraud: This is a common fraud that happens because of a vulnerability that allows overseas payment gateways to process payments on a credit card without an OTP. All that is required is the credit card details and the CVV, which have been leaked to the fraudsters.
- TeamViewer attacks: While in theory the apps installed on a device are isolated and cannot interfere with or read the data of other apps, reality is much more complex. There are always root apps, installed as part of the operating system, that can neither be uninstalled nor have their permissions revoked. “However, apps that allow remote controlling such as TeamViewer or viewing the phone screen in their entirety, can enable capturing of secrets such as mPINs (Mobile Personal Identity Numbers) and other private information like Debit Card number, Expiry date etc. Once secrets are captured, it is trivial to withdraw money from the compromised bank account, load it into a wallet and then spend it away on online portals, thus making recovery impossible,” the report notes.
Data discrepancies create blind spot for policy makers
Perhaps the most difficult hurdle faced by the researchers is the discrepancy between multiple authorities on the number of financial cyber-crimes that have taken place in India. While the Reserve Bank of India (RBI) contends that there were 69,410 cases, the National Crime Records Bureau (NCRB) has recorded 30,142 cases for the same period. Yet another report, this one by The Ken, claims a much higher number of financial cyber-crime cases at over 80,000, using anecdotal data.
Other reports indicate that after the pandemic set in, Delhi witnessed a total of 32,896 cyber-crime related cases filed between January and December 2020, marking an approximately eightfold increase in cyber frauds over the previous year’s number across all states and union territories. “What is unclear from these two sources is the money defrauded by the scamsters from the victims and the evolution of the modus operandi and other contextual information such as why these crimes are exploding, the resolution rate and impediments faced by investigators in solving them,” the ‘Tracking Retail Financial Cyber Crimes in India’ report notes.
It also points out that the lack of this information is a blind spot for policy makers, because all they see and hear is the ever-increasing adoption of digital financial transactions, but not the growth-limiting problems that the increase in fraud poses. “For instance, it is unclear which segment of the population is more vulnerable to payment frauds, and what remedial measures must be taken to mitigate the vulnerability because of lack of granular data, categorized across various modus operandi,” the report notes.
The lack of data on payment frauds also leads policy makers to ignore investment in grievance redressal and instead focus on growing the volume of digital transactions by reducing their cost, through approaches such as the Zero MDR (Merchant Discount Rate). However, the report notes that it has been clear to other “successful market players” that bringing down fraud volumes sets them up for long-term success by increasing trust among customers and businesses.
The report’s recommendations for safer transactions
- OTP is not enough: The involvement of several parties in the loop between the initiator and the financial institution creates fragility, not just in the delivery of the password but also in terms of risk. For instance, PayTM sued telecom companies, saying that they did not act against phishing companies. The telecom companies retorted that it is not their problem, but that PayTM is responsible. “While improving state capacity is one option, other technical options must also be thought through which reduces the chance of account holders falling prey to scamsters,” the report notes. For instance, account holders can be given multiple technical options to choose from, such as app-based OTPs, rather than only having the option of an OTP delivered through a mobile phone.
- Data sharing regulations: “Financial fraud investigation is only possible if all entities in the transaction pipeline agree to share data with one another when an incident occurs,” the researchers say. For example, when the fraud is committed using payment wallets, a commonly observed pattern is that it is done through UPI registration of the names of well-known e-commerce entities, but with a different domain name. Unwinding the chain is not possible without information sharing, but without an FIR, entities will not share any information with the victim. Hence, it is imperative for the state to evolve and define a data sharing protocol among financial entities for the purpose of fraud investigation by the regulator, as uncertainty in this aspect ensures that fraudsters are never stopped in time.
- Dedicated payment fraud investigation cells: Most online frauds are cross-state and in some cases even cross-country (e.g. the Chinese loan scams). This requires state units to cooperate across state boundaries and work with law enforcement in other countries via the MLAT (Mutual Legal Assistance Treaty) route. With frequent transfers and a lack of equipment, dedicated, trained investigators are not very effective, as there is little institutional memory of the complexities associated with payment frauds. Given the volume of frauds, perhaps the time has come to create dedicated payment fraud investigation cells at the national level.
- Need to collect more data: There is a need for a dedicated effort to collect empirical data on cyber payment frauds to assess the magnitude of the problem countrywide.
- Stricter RBI norms: A regulator such as the Reserve Bank of India needs to standardize the safety features and processes of all stakeholders in the digital payments ecosystem for greater harmonization and safety of users. This will also aid law enforcement agencies by reducing the effort needed to carry out successful investigations of financial cyber-crimes.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Corrigendum 13/07: MediaNama had missed out crediting Deepstrat, The Dialogue’s partner on this paper, in the previous version of the story. The story has been updated to reflect the joint effort.