By Asheeta Regidi
Recently, a group of cybercriminals, one of them a deputy manager at Axis Bank, allegedly hacked into the mobile wallet facility provided by Axis Bank and State Bank of India and siphoned off more than Rs 25 lakh from nine account holders. The deputy manager identified account holders with large balances and noted their phone numbers. His gang then filed fake First Information Reports for lost SIM cards and obtained duplicate cards using forged documents. With control of the victims' phone numbers, they got into the bank accounts and transferred funds into mobile wallets set up on their own phones. They then withdrew the money from the bank's ATMs using those mobile wallets.
The growing popularity of online financial transactions indicates a slow but steady shift towards completely cashless transactions. The increasing number of such transactions also means increasing exposure to risk. As newer forms of financial transaction are introduced, fraudsters devise new ways of exploiting flaws in them. The Reserve Bank of India routinely issues guidelines to deal with such issues, for instance the Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2013.
One such mechanism is net banking, now the norm for many transactions. There are two basic forms of net banking. The first is informational, which involves obtaining data such as balance and transaction enquiries; this is low risk. The second is transactional, which involves transfers of funds and payments; this, evidently, is high risk. As people increasingly turn to their smartphones for financial transactions, the risks that apply to net banking apply equally to mobile banking.
Users are quite familiar with running an anti-virus and regular virus scans to check their systems for infections. Despite this, viruses remain a major means of extracting financial information such as usernames, passwords and PINs. For example, while people generally avoid spam, they do not hesitate to click on links sent by people they know, without considering that the sender's account may itself have been hacked. Similarly, coupons and discount offers available online or sent by mail are a regular source of viruses. On smartphones, viruses pose a greater threat, since installing anti-virus software is the exception rather than the norm. In addition, people tend to download apps or connect to public WiFi without much thought for the security risks they pose; these are the primary sources of viruses on smartphones.
The best known method of extracting financial information is phishing. Spoofed e-mail addresses such as ‘noreply@statebankindia.com’ and spoofed websites such as ‘www.sbionline.org’ (instead of the genuine ‘www.onlinesbi.com’), designed to resemble the original, are common techniques. People also fail to check that the connection uses the ‘https’ protocol, which should be mandatory while conducting online financial transactions.
Fraudsters are taking to new systems as well, such as calls over Voice over IP using fake caller IDs, cloned voice-banking systems and fake automated answering systems. In a case reported by the Times of India, over 300 people were said to have given out their ATM card numbers and PINs to fraudsters who asked for them over the phone on the pretext of granting easy loans. Hardware key-loggers, which record what is typed on a keyboard, are another common method, particularly where an attacker has physical access to the computer, such as in a cyber café.
Online payment gateways, like those used on shopping websites, are another target of fraudsters. The techniques employed usually involve exploiting a security vulnerability in the website. One such method is the ‘SQL injection attack’, where the attacker first determines whether the site is vulnerable. By sending crafted queries to the site, the attacker obtains access to restricted areas of the site, which in turn gives access to sensitive information, such as credit card details, stored online. An example of this is eBay’s Magento platform, which recently discovered that it was vulnerable to an SQL injection attack. Another method exploits vulnerabilities in online shopping carts, where the attacker manipulates the price to be paid. Such manipulations tend to go unnoticed, especially when the user is making several purchases on the same site.
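The two shopping-site weaknesses described above have a common root: the server trusts input that the browser controls. The following added example (not from the article or from any site it names) shows a checkout that trusts a client-supplied price and builds its SQL by string interpolation, beside a hardened version that looks prices up server-side with a parameterised query; the product catalogue, SKUs and prices are constructed sample data.

```python
# Added example: vulnerable vs hardened cart total calculation.
# Catalogue and prices below are constructed sample data, not real products.
import sqlite3


def make_catalogue():
    """Build an in-memory SQLite catalogue with constructed prices in rupees."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [("BOOK-1", 499), ("PHONE-9", 24999)])
    return db


def total_vulnerable(db, cart):
    """cart: list of dicts as posted by the browser, including a 'price' field.
    Two defects: the SKU is interpolated straight into SQL (injection), and the
    client's 'price' is believed (price manipulation)."""
    total = 0
    for item in cart:
        row = db.execute(
            "SELECT price FROM products WHERE sku = '%s'" % item["sku"]).fetchone()
        if row is None:
            raise ValueError("unknown sku")
        total += item["price"] * item["qty"]   # attacker-controlled price
    return total


def total_hardened(db, cart):
    """Same input shape, but the SKU goes through a bound parameter and the
    price always comes from the catalogue; the posted 'price' is ignored."""
    total = 0
    for item in cart:
        qty = int(item["qty"])
        if qty <= 0:
            raise ValueError("quantity must be positive")
        row = db.execute("SELECT price FROM products WHERE sku = ?",
                         (item["sku"],)).fetchone()
        if row is None:                      # a crafted SKU is just an unknown SKU
            raise ValueError("unknown sku")
        total += row[0] * qty
    return total


if __name__ == "__main__":
    db = make_catalogue()
    tampered = [{"sku": "PHONE-9", "qty": 1, "price": 1}]  # constructed: price lowered in the browser
    print(total_vulnerable(db, tampered))  # 1: the tampered price is charged
    print(total_hardened(db, tampered))    # 24999: the catalogue price is charged
```

The hardened version treats quote characters in the SKU as ordinary text, so a crafted SKU simply fails the lookup instead of altering the query.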
The e-commerce boom has produced a multitude of sites offering transactions, many of them through online payment gateways. While reputed websites are usually quite safe, others tend to neglect security. In addition, such sites bear no responsibility towards the user for a security breach or data loss, since they qualify as ‘intermediaries’ under the Information Technology Act, 2000.
Mobile wallets are the newest form of online financial transaction. While mobile wallet makers are working to increase security, these too are vulnerable to financial fraud. For example, security concerns emerged around Apple Pay when it was found that hackers could use a person’s stolen data to set up an iTunes account, and through it gain access to that person's Apple Pay account. The major concern for regulators is that mobile wallets give money launderers and terrorists a simple way to store illicit money in small amounts and later withdraw it, since transactions on mobile wallets are generally unmonitored.
Of course, these inventive schemes have arranged themselves around conning people out of traditional forms of wealth. That does not come close to describing the enormous task of regulating new kinds of money, namely cryptocurrency or virtual currency, the best-known example of which is the bitcoin. This currency, and the transactions that stem from it, are entirely unregulated. There are elaborate online bitcoin scams, such as the sale of fake bitcoins, fake bitcoin mining investment schemes, and bitcoin wallets from which the virtual currency is stolen. Indeed, online transactions lend themselves almost perfectly to that frequently cited meme, Rule 34: if you can transact it, it exists as an internet scam.
The author is a lawyer with a specialisation in cyber laws and has co-authored books on the subject.
This is the concluding segment in our series on cyber law.