“…the best fintech founder in the world is a scammer because he has the best return of investment on capital. At the heart of every fraud is the jumpstart,” said Anand Venkatnarayan, a cybersecurity researcher and DeepStrat Co-Founder, in his presentation on the Fraud Stack at MediaNama’s “Exploring User Verification” roundtable on March 23, 2023.
The roundtable explored the future of anonymity and privacy in India, amid broad government mandates to “verify” users online for security reasons. It dealt with topics like the importance of anonymity on the internet, when someone can be anonymous, when they need to be verified and whether verification addresses problems of fraud, spam, and scam.
Venkatnarayan explained that the process starts with the procurement of IDs for which there exist many ways such as “loaning IDs” but most of them prefer “forging” them. The scammer procures sim cards, after the forging is done, with which one can create several bank accounts.
He added that there are a lot of techniques (nearly 45) to extract money from victims, revealing that there are call centers with hundreds of people› so the average volume of their operations is very different compared to a normal fintech firm.
The comments have been edited for clarity and brevity.
MediaNama hosted this discussion with support from Meta and Truecaller. The Internet Freedom Foundation, CUTS International, Centre for Internet and Society, and the Centre for Communication Governance at the National Law University, Delhi, were MediaNama’s community partners for this event.
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
Key takeaways from the presentation
How do they operate: Venkatnarayan shed light on the modus operandi of these scammers by explaining that every team leader is given a goal of hundred victims a month at an average income of Rs. 2 lakh. “They need 10 sim cards for scamming a hundred victims; they don’t reuse sim cards,” he said. He added that the scammers only need to procure two to three IDs per year, and have an agile model, scrum teams, project planning, dashboards, Trello, etc., like start-ups.
Fraud unit economics: “Every team leader is given a task of procuring 2 to 3 IDs in a year, which is manageable. I want to make Rs. 24 lakh of income per three IDs so one usable ID in the market is Rs. 8 lakh a year. Every ID sells in the market for about five paise and 10 paise during election times. The average estimate is about Rs. 80,000 crore of income because we track about 10 lakh IDs being bought and sold on a monthly basis,” said Venkatnarayan.
- He offered the example of a two-person gang in Delhi who had access to 305 bank accounts, 10 Airtel payment bank accounts, 12 Phone Pe wallets, and 10 money wallets.
- “Every one of these bank accounts had verified IDs. Each one of these phones had verified IDs. The bank accounts were all attached to people who didn’t have any idea that these bank accounts and phone cards were brought on*bought in* their name,” he said.
- Venkatnarayan added that the gang also managed to fake the DSC verification process of a lot of service providers by doing e-KYC as per the norms.
- “They generated about Rs. 27.5 crore in 2021. The money that these entities are spinning is so high that they could even afford to buy small gangs, shooters or protection gangs,” he said.
Understanding the fraud stack: “This is the fraud stack. The bottom layer is what I call the jam layer, the telecom, banking, and liability layer, all intermixed together. When cops usually come and say ‘we can’t bust scammers’, they are talking about the operational layer, which is payments. They have f-KYC (Fraud KYC) just like you have eKYC. They have hacking tools, sharpshooters, and so on,” Venkatnarayan said.
Why have regulations failed: A close look at the fraud stack explains why the regulation around verification has failed, as per Venkatnarayan. “It comes down to a very simple proposition— implementation is bad. So the regulators are saying— my incompetence is now your privacy problem,” he argued, adding that they force verification upon intermediaries. “We have replaced verification as a social thing into a system, and the system is broken. Most of the identities in India are self-certified,” he explained.
What is the solution without verification: “It is not a considerable problem. It is an extremely complicated trade-off problem. Our trade-offs have been universally biased towards making individual privacy vanish to the point of non-existence in the digital era,” Venkatnarayan explained. He added that the lack of privacy feeds the fraud stack because these trade-off problems have allowed fraud to be perpetrated at scale.
- It may be difficult for a lot of people to understand because they argue that if everyone is so visible then fraud should vanish but it has not because the solutions and implementations are “crappy”.
- He pointed out that governments and all fintechs companies are trying to guarantee trust and accountability by defeating anonymity and privacy.
- “The people who are really losing are the users because they neither get accountability, and they are rewarded with fraud,” he said, adding that people who can defend themselves are able to defend themselves*redundant* but 99 per cent of the people can’t defend themselves.
Presence of a market: One of the attendees said that there was an “entire political economy of surveillance, identity, and verification” shaping developments in the digital ecosystem. She said that a part of the reason for these efforts is the presence of private players that have developed these technologies, and are pushing it across various markets. “There is a market aspect to it,” she declared.
Risk from social engineering: “We have seen people engage with fraudulent communications when they are fully aware that these are suspicious text messages,” said a representative from Dvara. He added that people are willing to do it because of their behavioral biases. “They might believe that it’s not too much of a risk, I can manage my way out of it. It is the problem. The problem is not about the identification of the person who is calling but it is about how social engineering is working,” he said.
No solution is foolproof: “…identity verification is a weak system of protecting anybody in the ecosystem, be it corporates, governments or users. The other options can involve tools like the AI which assess threats to your system. There is no solution that is going to be a 100% accurate or excellent. There are going to be some victims eventually,” an attendee said. He added that the approach of not maintaining any identity verification will backfire because it is not acceptable if a company fails to address grievances of users by hiding behind the excuse. “I don’t think it is an acceptable solution because people will demand recourse if somebody has lost money on UPI,” he explained.
Governmental accountability: An attendee pointed out that accountability from governments is lacking in this scenario. She said that the reporting of cyber crimes, and recourse available to citizens does not result in the money coming back to them. She added that the agencies can trace the movement of money but one needs an intervention from law enforcement agencies to step in to fill the gaps. “It never happens because they are overloaded and overburdened with so many complaints,” she said, elaborating that they invest their time only if the loss is in hundreds of crores. “There is a need for accountability from law enforcement in the whole ecosystem,” she concluded.
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also read:
- Why is Online Anonymity Important—And Does Taking It Away Hurt Fundamental Rights? #NAMA
- Can we map a framework for verification? NASSCOM’s Varun Bahl on a model for proportionality #NAMA
- When Does Information Become “Private” and How Do “Privacy Concerns” Arise? #NAMA
Note: The headline was updated due to editorial input on 29/3/2023 at 03:55 PM
