When you carry cash, you run the risk of losing
the money or getting robbed. Similarly, there are risks involved in digital and
online banking as well. According to a June report by PricewaterhouseCoopers
Pvt. Ltd (PwC), as financial institutions use more digital banking channels,
the new technologies make them more susceptible to fraud.
But that doesn’t mean you should avoid digital
transactions completely. In fact, it’s a convenient and cost-effective method.
All you have to do is be aware of the risks and not disclose any confidential
information such as password or personal identification number (PIN).
Traditionally, cheques topped the list of frauds
in banking. But now, with increasing use of Internet and mobile phone for
financial transactions, new kinds of frauds have emerged. “In my experience,
some of commonly perpetrated frauds prevalent across the banking value chain
include phishing, vishing, man in the browser attacks and malware-based
attacks,” said Sandeep Dhupia, partner and Head—Forensic services, KPMG India.
Almost all frauds that happen online or
electronically involve collecting information. Phishing means collecting
information from a customer by sending fake emails. Vishing means calling a
customer posing as a bank executive or an official from the central bank and
collecting information for identity theft. The data can also be stolen through
smishing, in which the customer receives an SMS with a web link, which, if
clicked, downloads a malicious programme causing theft of data. Man in the
browser means a malware infection of the Web browser. Once this happens, the
details a user enters on a website get stolen.
Banking transactions can be categorized into
three channels—mobile banking, cards and Net banking. You are susceptible to
fraud in any of these channels. Here is a look at what the issues can be on
Mobile banking frauds
According to the Reserve Bank of India, in
2014-2015, 22 million of the 589 million bank account holders were using mobile
banking apps. The volume of mobile banking transactions has also risen from
around ₹1,819 crore in 2011–12 to about ₹1.02 trillion in 2014–15, PwC said in
a report. As the number of mobile transactions goes up, different kinds of
frauds such as fake apps, SIM swap and malware have surfaced.
Fake apps: The first step in stealing money online is to steal
information. This can be done by creating a fake app outside a playstore.
“Hackers create fake apps which will look exactly like the original,” said
Dinesh Anand, Delhi-based partner and leader—forensic services, PwC. The user
interface is very similar to the original application.
How do they get you to download the fake app?
“One way is to send the bank customer a link asking them to upgrade the bank’s
app,” said Amit Jaju, executive director, forensic technology and discovery
services, and head (Europe, Middle East, India and Africa)
software license forensic, EY. If you click on the link, a fake app gets
downloaded. This may happen if you jailbreak your phone. When you enter your
user name and password, the fraudsters get access to that information.
SIM swap: The fraudsters will first collect your personal banking
information through phishing, vishing, smishing or any other means. Once they
have your personal information, they get your SIM blocked, and obtain a
duplicate one by visiting the mobile operator’s retail outlet with fake
identity proof. The mobile operator deactivates the genuine SIM card, which was
blocked, and issues a new SIM to the fraudsters. It is now simple to generate a
one-time password (OTP) required for transactions using the stolen banking
information. This OTP is received on the new SIM held by the fraudsters and
they can now transact before the bank customer realizes the theft and alerts
App mapped to incorrect number: “This type of fraud can be perpetrated by a bank employee,” PwC
said in a report. Say, you have an account with a bank but you don’t use the
mobile app. An employee of the bank can attach a different mobile phone number
to your bank account and install a mobile application on that mobile device.
Once the app gets linked to your account with
the incorrect number, the employee can do a transaction. Usually banks alert
the account holder about a transaction via SMS. Since the number linked to the
account is different, you will not get any notification on your mobile.
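The SIM swap and the app-mapped-to-incorrect-number patterns above share one weakness on the bank's side: an OTP or an app registration is trusted even when the SIM or the registered mobile number was changed moments earlier. The following Python is an added example, not code from the article or from any bank or firm quoted in it, showing how a bank-side risk check could hold OTP-authorised transactions during a cooling-off period after such a change and alert the previously registered number. Every name (AccountEvent, Transaction, assess), the 48-hour window and the sample events are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Policy window after a SIM or registered-number change during which an
# OTP-only transaction is treated as high risk. The 48-hour value is an
# assumption for this example, not a figure from the article or any bank.
COOLING_OFF = timedelta(hours=48)


@dataclass
class AccountEvent:
    kind: str                       # "sim_change", "number_change" or "app_registered"
    when: datetime
    initiated_by: str               # "customer", "telco" or "staff" (hypothetical labels)
    old_number: Optional[str] = None
    new_number: Optional[str] = None


@dataclass
class Transaction:
    amount: int                     # constructed sample value, in rupees
    when: datetime
    auth_method: str                # "otp" or "device_binding"
    channel: str                    # "mobile_app" or "net_banking"


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    notify_number: Optional[str] = None   # previously registered number to alert


def recent_events(events: List[AccountEvent], now: datetime,
                  window: timedelta = COOLING_OFF) -> List[AccountEvent]:
    """Events that occurred within `window` before `now` (future events excluded)."""
    return [e for e in events if timedelta(0) <= now - e.when <= window]


def assess(events: List[AccountEvent], txn: Transaction) -> Decision:
    """Risk-check one transaction against the account's recent SIM/number history."""
    decision = Decision(allow=True)
    recent = recent_events(events, txn.when)

    # SIM swap: the OTP now lands on a SIM that was just reissued, so an OTP
    # alone is not enough evidence that the account holder approved the payment.
    if txn.auth_method == "otp" and any(e.kind == "sim_change" for e in recent):
        decision.allow = False
        decision.reasons.append("otp_after_recent_sim_change")

    # Registered number changed: hold OTP transactions and alert the old number,
    # which the genuine customer still holds if the change was not theirs.
    for change in (e for e in recent if e.kind == "number_change"):
        if txn.auth_method == "otp":
            decision.allow = False
            decision.reasons.append("otp_after_recent_number_change")
        if change.old_number:
            decision.notify_number = change.old_number
        # A staff-initiated number change followed by a fresh app registration
        # is the "app mapped to incorrect number" pattern described above.
        if change.initiated_by == "staff" and any(
            e.kind == "app_registered" and e.when >= change.when for e in recent
        ):
            decision.allow = False
            decision.reasons.append("staff_number_change_then_app_registration")

    return decision


# Constructed sample history: a staff member re-points the account to a new
# number and registers the app on it, then an OTP transaction follows.
SAMPLE_EVENTS = [
    AccountEvent("number_change", datetime(2015, 6, 1, 10, 0), "staff",
                 old_number="+91-XXXXXXXXX1", new_number="+91-XXXXXXXXX2"),
    AccountEvent("app_registered", datetime(2015, 6, 1, 10, 30), "staff"),
]
SAMPLE_TXN = Transaction(50000, datetime(2015, 6, 1, 12, 0), "otp", "mobile_app")

if __name__ == "__main__":
    print(assess(SAMPLE_EVENTS, SAMPLE_TXN))
```

The decision object carries the reasons rather than a bare yes/no so that the fraud desk can see which pattern fired; a real deployment would also log the telco's SIM-change timestamp, since the bank cannot observe a SIM reissue on its own.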
The point of sale (PoS) terminals where you
swipe your cards for a transaction and the ATMs use the same bank channel,
called the BASE24 switch, through which your card transactions are routed.
Here fraud may happen if your card gets cloned or skimmed at the PoS; it can
happen online as well as offline. Say, you swiped your card at a restaurant
where the PoS is misused to clone cards, or you entered your card details at a
fake shopping site. Once you enter the details, the fraudsters clone the card
with your details and then use the information to make online purchases.
“When you use debit and credit cards, theft of
identity by use of card readers in restaurants and shops is often done with the
help of restaurant waiters and shop sales persons. The stolen data of credit
cards is passed on by them to the cyber fraudsters who then clone the cards,”
involves a machine or camera that is installed at an ATM to pick up card
information and PIN numbers when customers use their cards. A fraudster
acquires this data and withdraws money from the machine.
Net banking frauds
Net banking is now acknowledged as a traditional
channel for transaction and has been attacked too. “The two primary sources of
Net banking fraud are executed through malware. It would either be through
stealing passwords from customers or stealing customer details from bank systems.
The intent is to access the password for the account to enable siphoning off
funds,” said Jaju.
Hackers can also obtain access to a person’s
mobile phone through malware or cloned/fraudulently obtained SIM card and then
use the information to gain access to the Net banking channel. “A secondary and
more indirect approach is to hijack a person’s Net banking session through her
computer using a malware so that it appears as a legitimate transaction from
the account holder’s computer,” said Jaju.
Whose liability is it?
If you have been a victim of any of these
frauds, what should you do? According to a master circular by RBI on
“Frauds—classification and reporting”, the central bank has put the
responsibility to provide protection against and fight frauds on banks,
exposing them to a completely new horizon of financial risks, notes PwC.
Further, banks are now required to report to the RBI complete information on
frauds and the follow-up action.
The RBI has also issued operative guidelines to
regulate this channel, suggesting reporting of suspicious transactions to its
financial intelligence unit. “To keep a check on frauds, banks need to
incorporate a greater level of scrutiny by deploying advanced tools and
technology capable of protecting the customers against unethical activities,”
What you should do
While banks are mandated to prevent frauds, you,
too, can take some steps to protect yourself. Ethical hackers—people who hack
to evaluate the level of security, without any malicious intent—say that users
should be especially careful when using banking or other apps on which
financial transactions can be conducted.
Don’t jailbreak your phone. Jailbreaking is the
process of removing the restrictions the manufacturer builds into the phone’s
software, which allows apps from outside the official app store to be installed.
Check what you download and run on your phone.
“For example, don’t use WhatsApp for confidential communication; use an
encrypted app instead,” said Jaju.
You may want to limit debit card usage at PoS
machines and use it only as an ATM card for cash withdrawal. “Try to use credit cards at PoS because if a fraud takes place,
you can raise a dispute, and it is not your money,” said Jaju. Be cautious at ATMs; look around
for suspicious objects or hidden cameras above the keyboard.
You may rub
off the CVV number to be extra careful. But do remember it, so that you can continue using the card. Use computers that have
anti-virus software. Don’t share passwords, PINs and OTPs with anyone
regardless of the reason stated. Banks never call asking for OTP details. Do
not log into links sent on emails that require you to revalidate your
credentials on account of a system upgrade. For apps, download directly from an
app store; don’t click on unknown links or those sent by unknown numbers.