How can you protect yourself from cyber frauds?
How can you protect yourself from cyber frauds?
Three Vs of data- volume, variety and velocity have increased the cyber frauds and threats. AI, ML and DL are the most exciting technologies to combat cyber security threats. In this article the various Telecom frauds and debit/credit card frauds and how customers can avoid becoming prey to them are discussed.
Telecom frauds and the best practices
1. SIM swap/ MNP frauds
In this kind of fraud, the fraudster manages to get a new SIM card issued against a registered mobile number of the victim. He gets OTP and alerts, which are required for doing transactions through the victim's bank account.
He may acquire SIM:
• From the same TSP (Telecom Service Provider) by impersonating with fake documents
• From different TSP by fraudulently getting UPC (Universal Porting Code) from the actual customer
How to combat?
• If there is no network with your SIM card
• Confirm by switching off-on, flight mode off-on
• Make a call to your mobile number to verify if it is swapped
• Call customer care to verify if SIM swap or MNP is done with your number. If so, ask the TSP to block your number and also block the transactions on your bank account linked to this number.
• Don't share UPC
• Don't share your mobile phone with unknown person
2. Telecom tower installation frauds
The fraudster advertises in the local newspaper that landowners can lease their vacant land for the installation of the tower and lures them with attractive rent offers, hefty advance offers and other benefits. The victim contacts him and the fraudster demands survey charges and other fake charges. After receiving the money the fraudster switches off the mobile number from which he used to call.
How to avoid becoming prey to the above frauds
TRAI often warns people, through their press releases, that they don't issue NOC for the installation of towers.
Landlords should be aware that they need not deposit money for tower survey/ installation. If any TSP is installing a tower, TSP will pay the landlord. If anyone is a victim of such fraud, he should complain in the police station.
3. Call spoofing fraud
Call spoofing is displaying the caller ID of a different person than the true caller. Spoofing calls are routed through international gateway by international networks. Landline number can't be passed by the international gateway but the cell number can be passed. Victim receives a call with the display of the name of friend/relative but the person calling is different from the name displayed. The person calling may ask for money.
Solution: Call back the friend/relative in case of doubt of spoofing.
4. KYC documents misuse/ e-KYC fraud
Fraudsters may misuse the document submitted by the customer for KYC purpose to get a SIM card in customer name.
While issuing SIM cards, double biometric authentication, through E- KYC, is done by the retailer. The retailer, with the fraudulent motive, may inform the customer that the authentication failed and ask for authentication again and may issue the second SIM card in the customer name to a fraudster. Fraudsters may use this SIM card for illegal activity or may sell the SIM card to criminals.
How to avoid
• The photocopy of identity proof should be crossed and dated. The purpose for which it is given should be written on the photocopy of identity proof
• Check the number of connections in your name through DOTs TAFCOP (Telecom Analytics For Consumer Protection) portal
• Ensure that while taking SIM card double biometric authentication is done only once.
• From UIDAI website authentication history in the last six months can be checked.
Debit/ credit card threats and the best practices
4.05 per cent and 2.58 per cent of total digital payments in the country during the current calendar year occurred through debit and credit cards respectively. Though, compared to percentage of UPI transactions (60 per cent), their percentage is less, but their number is quite significant (339 crores and 216 crores respectively). These cards are also used by rural and not so tech savvy people. Year wise credit/debit card frauds are on the rise. The top five States in this regard are Maharashtra, Jharkhand, Haryana, Delhi and Uttar Pradesh. Even educated people are also affected by these frauds.
Various frauds
• 1. Misuse of lost/stolen cards and cards not received by genuine applicants
• 2. Counterfeit and altered cards
• 3. Merchants acting in collusion with fraudster
• 4. ATM/POS skimming
Small skimming device is attached to the POS device to hack card data. It scans and stores card information, while the customer swipes. Similarly external attachment may be fastened to the ATM card slot to clone card information or a camera is secretly placed over the keypad to capture PIN.
Best practices for avoiding becoming a prey to ATM/POS skimming
• Look out for suspicious device connected to ATM/POS unit
• Cover the keypad with the other hand while entering the PIN
• On NFC (Near Field Communication) enabled POS machine tap the card to pay
5. Shimming attacks
Shimmer is made of thin, flexible PCB and a microprocessor chip. Once installed, the microprocessor functions as chip-in-the-middle and relays the ATM commands to the victim's chip card and back, while recording information from the chip card. This information is extracted by the fraudster to clone a fake magnetic card. Shimmers are harder to detect than skimmers as they are completely inserted into the ATM reader.
Best practices
• Prefer the ATMs installed in the bank. Avoid ATMs in remote areas and in low lit areas.
• When transacting during weekends, we have to be extra careful. Fraudsters tend to install illegal devices in ATMs on a weekend knowing that the bank won't be open for more than 24 hrs.
• While inserting an ATM card, if it is not going smoothly or some pressure is felt it should lead to suspicion about the presence of a shimmer.
6. Keystroke logging
The victim clicks a suspicious link or unknowingly installs malware on his system/ mobile. Hackers, through the malicious software, get credit card details relying on keystroke logging. The software records every key pressed on the system, stealing card details and PIN.
Best practices
1. Virtual keyboard should be used
2. Links from untrustworthy sources should not be clicked
3. Reliable antivirus software should be installed
7. Application fraud
The fraudster impersonates a victim by using the victim's stolen or counterfeited documents to obtain a new credit card. Similarly the fraudster may take over an existing credit card by posing as a victim using similar fake documents.
Best practices
• All KYC documents should be tracked and redundant should be destroyed.
• Now-a-days banks are asking for online uploading of kyc documents to reduce the scope for the above fraud
8. Social engineering
1. Phishing: Scamster tricks the victim into sharing credit card number or other confidential details
2. Dumpster diving: Discarded old cards may be used for frauds
3. Pharming: Fake sites are used to lure the customers for giving card data
4. Smishing: Getting card details by persuading customer through messaging
Best practices:
1. Use only the bank's official website for any online transaction or contact the bank's official helpline number.
2. Telephone number from where fake calls are received should be reported to bank
9. Identity theft
Card details/ statements contain certain Personal Identifiable Information. Card information can be abused for account take over. In some cases, the person may not be even aware that a loan has been taken in his name. He becomes aware only when the lender starts chasing for repayment or while checking the credit report.
Best practices
1. Check for alerts such as transactions not made (through main card as well as through add on card)
2. Keep your mobile device safe
3. Check your credit status.
10. Spyware/ Malware/ Trojans
Best practices
1. Don't install software recommended by an SMS or from unfamiliar website
2. Never let an unidentified app access to text messages or call history
3. Double check information received through SMS or email.
11. Improper storage of card/ CVV details
Payment Card Industry Data Security Standard (PCI DSS) is mandatory for card processing and storage, still there is 19 per cent increase in card breaches. Viruses, keyboard-logging software and other tools are used by fraudsters to steal personal information.
Best practices
1. Password managers and VPN are available to encrypt internet connection and keep sensitive information safe.
2. Take data backup often to secure it in the event of a compromise.
Common tactics & techniques
1. Random credit card numbers: Fraudsters generate card numbers randomly through computer programmes. The card numbers will be tested to determine which combination belongs to an actual card.
2. Small purchase: People who steal credit card information make small online purchase which are less likely to raise suspicion because a website can't check identification or compare signatures.
3. Scammers create websites where they list big ticket items at reduced prices. The site is only to collect credit card information. They will not have products or won't deliver the products.
4. Phishing website: In this online shopping scam 'spoof' website is created which uses the logo of a well known company and the website may appear nearly identical.
Consumer best practices
1. Wi-Fi networks should be protected with strong passwords. Free public internet should not be used for financial transactions. Use a safe password manager.
2. Autofill and saving personal data on website/ browser should be avoided
3. Use virtual credit cards
4. Shop only at renowned secure websites
5. Keep track of transaction and card statements
6. Don't send credit/ debit card details on email
7. Set transaction limits and disable international transactions
8. Avoid paper trials of card details. Tokenize the card for better protection
9. Keep debit/ credit cards safe. Use RFID (Radio Frequency Identification) blocking wallet to protect NFC enabled cards
10. Don't use credit cards on suspicious website
11. Expired cards should be safely disposed
12. Report about stolen or last card to issuer and police.
Way forward
RBI guidelines for banking frauds: If money is withdrawn fraudulently from your account, inform the bank and take acknowledgement. Bank has to resolve it within 90 days. If due to your negligence fraudulent transaction occurred, you have to bear the loss till it is reported to the bank. After reporting also if the fraudulent transaction continues, then the Bank has to make good the loss. Cyber crime can be reported on the National Cyber Crime Reporting Portal. Cyber crime helpline number is 1930. Complaints can be lodged at the cyber police station.
(The author is a former Advisor, Department of Telecommunications (DoT), Government of India)