Gone Phishing

Story In Numbers

As the credit card and online economy grows, so do the frauds

***

In the first week of January, J.M. Gugnani, a 66-year-old independent consultant, got a series of messages on his phone, informing him that transactions were taking place on his credit card in Islamabad. When he added up the many small transactions that were swiped, Gugnani was stunned to discover that he had “spent” 2.5 lakh in Pakistani rupees (about Rs 1.36 lakh). There were two problems, tho­ugh: the credit card was firmly tuc­ked in his wallet; and Gugnani had never ever been to Pakistan. He’s based in Gurgaon, near Delhi. “Initially, I didn’t realise it was Pakistani rupees. I was shocked more because it was not an online transaction; a card had been physically swiped there,” he says. After a few rounds of investigations and verification of his passport, his bank—ICICI Bank—blocked the card. Last week, Gugnani received a formal communication from the bank saying that the “dispute” had been resolved in his favour.

Not everyone is as lucky. It doesn’t always end well. Since January 2013, Mumbai resident Shailesh Ghai has been running from pillar to post trying to reverse three online fund trans­fers that took place on his bank account without his knowledge. His account, now Rs 15,000 short, was hac­ked and the funds transferred to ano­ther account in three separate transactions over a week. His big mistake: responding to an e-mail that tricked Ghai into revealing his password (something called phishing). Although Ghai was quick to inform the bank, he’s yet to receive a reply on the status of his funds. Ghai hasn’t had much luck with the cyber crime cell either although a formal complaint has been filed with them. And he’s still deciding whether he should knock on the doors of the consumer courts or write off the whole experience. Simply put, Ghai is no longer sure he’s comfortable using internet banking anymore.

These are not isolated cases; they mark a growing epidemic of e-fraud in the country. Increasingly, banks are being bombarded with complaints reg­arding fraudulent internet banking transactions, ATM cards being misused, and debit and credit card data being hacked or swiped for domestic and international transactions. As more and more Indians try to muddle their way through the maze of cyber and electronic banking transactions, e-thieves are always one step ahead of them. According to national cyber crime estimates, credit card frauds, phishing, hacking into accounts and so on are on the rise and increasing at an alarming rate of 30 per cent in India.

Photograph by Jitender Gupta

Mehul Gupta 35, New Delhi, Associate VP, IAMAI
He used his corporate credit card as a guarantee at a London hotel in Oct 2012. A fortnight later in India, he got an SMS saying he had spent $1 on a Facebook app. He called Amex to complain. While on the call, he was informed of another transaction for $850 at a sports equipment store in Manchester and a third attempt for $4,000. Amex blocked the card, didn’t charge him.

“In the past seven to eight months, we are noticing a rise in phishing complaints in net banking or e-commerce in India. Another common complaint is identity theft, done by copying the data from the card’s magnetic strip, usually at shopping outlets,” says Uttam Nayak, group country manager, South Asia, Visa. Last year, the two largest payment processing firms—Visa and Master­card—suffered a massive online data breach of 1.5 million card details in North America. “Although frauds in India are on the rise, it is still one of the lowest impacted countries globally because of stringent Reserve Bank of India guidelines,” adds Nayak.

Well, in the last six months alone, there have been numerous instances of huge amounts being skimmed (where the magnetic strip of the card has been copied). Most recently, unauthorised transactions of an estimated Rs 30 crore have affected all the top card-issuing banks, including ICICI, HDFC, SBI, Citi­bank and Axis Bank. Senior banking sources told Outlook that it was suspec­ted that many of these online international tra­nsactions might have taken place thro­ugh cloning or skimming of data at key department stores and fast food joints.

Sure, India is still a nascent market as far as internet penetration goes—but the growth rates are astounding. Mobile banking, for instance, has grown by over 60 per cent in April-December 2012. Cash still dominates banking but the growth of electronic transactions is over 40 per cent. And yes, banking is not isolated to singular devices or technologies any longer. There is a greater push by bankers, regulators and even the government to move towards electronic payments. “It is alarming to see the number of cases that are coming to light and clearly a cause for concern. As the number of transactions increases, the sense of security in these transacti­ons needs to go up rather than diminish,” concedes A.P. Hota, MD and CEO, National Payments Corporation of India.

Photograph by Amit Haralkar

Rohit Mehrotra 33, Mumbai, Business head, Mahindra Insurance
In February 2013, he got an SMS saying Nepalese Rs 40,000 had been charged to his HSBC Visa card. When Mehrotra complained, he was told the tra­n­saction was already through. On filing a complaint at an HSBC branch, he was told he’d be informed in about 30 days. He’s awaiting a response still. Meanwhile, the transaction was included in his monthly statement.

If the numbers look small right now, that’s also partly because there’s massive under-rep­orting of cases. Apart from the monetary loss, victims often have to face a lot of harassment at the hands of the police—and more often than not from the bank’s dispute redressal cells—in the process of filing a complaint. Gugnani, for instance, had to go through several rounds of investigations and verificati­ons—on phone as well as in person and examination of his passport and whether he had a Pakistan visa or not. Says Apar Gupta, cyber law expert, “In many cases, the cost of litigation is higher than the cost of the transaction. So it acts as a deterrent and many don’t go for litigation at all.”

Central government employee Sum­edha Nagpure, 35, is one such harassed soul. For the last three years, she has been fighting a futile battle in trying to recover the Rs 69,000 in arrears she ear­ned out of her Sixth Pay Commission in 2010. In February 2010, an SMS alert told her that the money had been withdrawn from her Bank of India account through an ATM and transferred to another account. Police complaints have been filed, the bank has come in but failed to investigate the issue and even her own lawyer has little hope of winning the battle in the consumer court. Three years later, the Rs 69,000 dent in her hard-earned savings still pinches.

Photograph by P. Anil Kumar

S. Arun Kumar 27, Hyderabad, IT professional in Madhapur, Hi-Tech City
Arun Kumar used his ATM/Debit card thrice to buy train tickets on the IRCTC website in Dec 2012. In January this year, Rs 8,989 was deducted from his ICICI Bank account without his knowledge. Following his complaint, the cyber crime unit arrested an IT pro who was using a software to access people’s ATM and credit card details from computers at internet cafes.

All this growing consumer angst has forced the government to answer many questions in Parliament. Recently the banking regulator has introduced new guidelines to ensure that limits are set on domestic and international card spending (see graphic on the impact). “The regulator is wary and concerned, but honestly one needs to step back and examine whether greater systemic regulation is the solution here,” maintains a former senior RBI official. Most experts in the field, whether on the banking or investigation side, agree that this is one area of crime that will evolve at an extremely rapid rate.

“There is no call for physical presence while committing the crime. And that makes it the perfect low-risk, high-profit crime these days,” says Niket Kau­shik, additional comm­issioner of police (crime), Mumbai. All over the country, cyber crime cells are cropping up and special training to officers in cyber forensics is being provided, he adds. It is a jurisdictional nightmare though. T. Krishna Prasad, additional DG, CID Cyber Crime, Hyderabad, says 40 investigating officers in Hyderabad are working in the cyber crime section. “But we are working on training off­icers in districts too and increasing the statewide strength to 200,” he adds. Calcutta too set up a cyber cell in 2011, yet has been grappling with an increasing number of cyber crimes.

“Most of the recent cases that have emerged involved international transactions emanating from countries like the US, UK, France. Once we track down the initial trails, we get stuck in following up the leads due to international laws and jurisdictions,” Kaushik adds. There has been a good success rate in apprehending culprits within domestic laws; but not so when there are cross-border transactions. Custo­mers then have to depend on resolving the issue via the banks or consumer courts.

Photograph by Amit Haralkar

Varun Grover 33, Mumbai, Lyricist
In Feb 2013, an SMS alerted him that his Visa card had been swiped at an overseas location for Rs 25,000. Within minutes, he got a call from his bank checking if he was at home or abroad. He was told of a fraud being committed on his card and directed to the dispute form on the bank website. The issue is yet to be resolved. He has had to pay for the transaction meanwhile.

So who bears the brunt of the blame? The easy answer would be to assign equal blame to all the players—regulators for not implementing regulation; bankers for not having enough safeguards; consumers for not being resp­onsible enough. Indeed, many banking and payment experts Outlook spoke to believe that the RBI guidelines are fair and stringent. Cyber law experts, on the other hand, say it’s not the law or regulation that is lacking—it is the implementation of the law that is the problem. The punishments and penalties involved need to be far more stringent in the case of errant banks who don’t adhere to norms as well as criminals who are apprehended by the law. “In a nascent market, you cannot afford to cut corners and put the burden on the consumer. Technology has to be accessible and convenient to the customer and it is up to the banks and regulator to ensure that happens,” says the former senior RBI official.

Of course, as with any case involving money, there is often another side. “It’s not fair to say that there is no redressal system in place. Many times consumers also misuse cards themselves and the system does have a mechanism to protect consumer interests,” says Bejon Misra, Consumer Voice. A key problem is that the customer is liable till the stage of reporting. Clearly, it’s no longer enough for customers to sit on the sidelines. Misra believes in increasing e-literacy. He feels there can be greater prevention if consumers get more proactive in understanding what is involved and how they can protect themselves. It makes sense for consumers to be scared—that’s the only way they will survive the onslaught from the e-thieves.

In the meantime, banks are looking at meeting the new norms, propagating safety, updating merchant terminals, alerting against phishing and so on. “There is no other way to say it but precautions are better preventives,” points out Kaushik. It’s not a comforting thought. Not knowing whether your data on the internet, credit, ATM, debit card is safe is a question you want a definite answer to. Unfortunately, there are no easy answers.

In other markets, like the UK and US, there is far more awareness and action as far as cyber crimes and these kinds of frauds are concerned. All the parties involved—legal, banking, governmental or regulatory agencies—take a far more active role in solving these crimes. That needs to start happening here as well. As long as the base is small, processes can be built in to ens­ure a higher degree of safety and security. Without this, the idea of anytime, anywhere banking—as well as the dir­ect cash transfer project—will remain an elusive dream.

***

How You Can Get Conned

• Phishing or Spoofing: You get e-mails that look similar to ones from banks, office, e-commerce websites or institutions you regularly interact with. Some ask for verification of credit card or bank account data, or a date of birth. You reply, thieves use the precious data.
• Vishing & Smishing: Phishing via voice or SMS. You get a call from someone pretending to be your bank exec with an offer or for verification (usually DoB). The calls are designed exactly like a bank’s automated voice system.
• Skimming: Obtaining a person’s card details by photocopying transaction receipts or swiping a card using a “card copier” that stores user data. Often this kind of theft works in collusion with people handling cash at shops, hotels and restaurants.
• Carding: To check validity of a stolen card before it is blocked. Initially used by thieves for a small initial purchase; if that goes through, used for big amounts. A Delhi exec’s card was used to buy a Facebook app for $1 and later for goods worth $850 and $4000 in the UK.
• Cloning: Creating duplicate cards by using easily available, inexpensive technology and machines. These cards are then used for transactions or online.
• Application fraud: Opening bank accounts in someone else’s name by using either fake or stolen documents like utility bills
• Account takeover: Taking over a person’s bank account by using fake or stolen documents and signatures and appearing as the account or card holder. Often these documents are also used to change addresses of a bank account and transfer funds. False reports of lost or stolen cards too are filed and requests made for replacement cards/passwords.
• BIN attack: Thieves get one good, valid card, then generate card numbers by changing the last four numbers using generator software/machines. This is possible because credit cards are produced in Bank Identification Number (BIN) ranges. In most cases expiry dates of the cards are also in a series.
• Mail redirect: Thieves intercept or hack into e-mails and redirect them to their own account. They then redirect password reset e-mails to their own acc­ounts and break in to operate a person’s account.
• Quantum breach: Normally users and banks set alerts for transactions over a set limit, mostly Rs 5,000. Thieves use bank account passwords or credit/debit cards for amounts below that and for several purchases so that detection is not immediate via alerts and seen only in monthly statements.

***

Remedies: What new RBI norms (valid from June 30, 2013) will do

• Restrict card to domestic usage unless you have made specific arrangements
  Impact May help curtail misuse of cards or information internationally; will be cumbersome for frequent fliers; banks unhappy about additional process
   
• Conversion of existing cards to EMV chip cards for customers who have used their cards internationally
  Impact Expected to provide greater security
   
• Threshold limits for international usage based on risk profile and usage of customer. Common threshold limit for cards that have never been used internationally before
  Impact The customer will have to be more proactive in determining limits and keeping track of them
   
• Banks to ensure that terminals at merchants should be certified for PCI-DSS (Payment Card Industry-Data Security Standards) and PA-DSS (Payment Applications-Data Security Standards)
  Impact Another layer of security, will take time to roll out effectively
   
• Bank should track transaction patterns of usage of cards with card payment network to clamp down on fraud
  Impact More active notification of transactions; raise red flags when behaviour deviates from pattern
   
• Banks should move towards real-time fraud monitoring system at the earliest
  Impact Reduce the impact of fraud on the customer if fraudulent transaction pointed out immediately
   
• Banks should provide easier methods (like SMS) for the customer to block his card
  Impact Should reduce the burden on the consumer to block cards in cases of misuse.

***

Dos & Don’ts

• Select complex passwords that have nothing to do with your personal information; change them frequently; use different passwords for different accounts
• Do not write your passwords anywhere or share them with anyone; don’t save them on computers that many can access
• Never access your bank account on a device that is not personal; password-protect your devices
• Run regular virus/malware checks
• Do not respond to any e-mails/calls asking for any account or personal information, particularly ones seeking your data
• Immediately inform your bank if you notice a fraudulent transaction; block card at the earliest. Complain in writing, so that it can followed up legally.
• Ensure that websites asking for sensitive data online have SSL encryption in place (URL starts with https://); copy and paste the URL manually instead of clicking on a link in an email
• Don’t use auto fill forms; log out of every e-commerce site before closing the browser window.

By Arti Sharma and Arindam Mukherjee with Madhavi Tata in Hyderabad, Prachi Pinglay-Plumber in Mumbai and Dola Mitra in Calcutta