In this article we will look at the types of cyber frauds that scamsters perpetrate in banking and payments, and see how the variety, risks, numbers and sophistication of such frauds grew as banking operations were computerised for the convenience of customers. We will also see what banks do to minimise the risk of such frauds, and importantly, what we as customers of banks can do to avoid falling prey to such fraudsters. A caveat – this article talks only about cybersecurity in the context of banking as it relates to the handling and transfer of money. It does not deal with cyber fraud related to securities transactions and insurance – that will take another couple of articles.
Forgery
In the 1970s, before computers came into banking operations, you had to go to a bank branch to do any kind of banking transaction, starting from opening a bank account, to depositing or withdrawing cash, or transferring money to another account. You could write a cheque and hand it over physically or by post to whoever you wanted to transfer money to. That person would have to go to his or her bank and deposit the cheque into their bank account by filling in a slip. The cheque would then travel to a local cheque clearing centre, from where it would go to the payer’s bank branch. If the cheque was from another city (an “outstation” cheque), then it would have to be sent by post to the bank branch where it was drawn. If there was sufficient balance in the account and the signature matched with the sample signature with the bank, then the cheque would be “cleared” and retained by the payer’s bank branch. Banks had a specific number of days to reject the cheque if there was insufficient balance or a signature mismatch, and the cheque would travel back to the payee’s bank branch, and the payee would be informed about the cheque being “returned”. This process would often take several days, until which time the payee had no idea if his/her account had been credited. If one wanted a guaranteed document, then the payer had to make out a bank draft by going to the branch, filling up a form and the branch would issue a bank draft payable to the payee.
In those days, the only way somebody could steal money from your account was to steal your chequebook and forge your signature.
The reason for explaining the process in so much detail is for younger readers who have not seen what banking was like in India before computerisation to understand the breathtaking transformation that has happened in banking in the last forty to fifty years.
Frauds in Inter-branch Reconciliation
In the days of manual processes in banking, a cheque deposited in a branch that belonged to a different cheque clearing centre had to physically travel by post from that branch “for collection” to the branch on which the cheque was drawn. The branch where the cheque was deposited often provided early liquidity to the customer by “purchasing” the cheque and crediting the customer’s account. Fraudsters, with the help of insiders at the bank or post office, would intercept and steal the cheque before it reached the destination branch, so that the account on which the cheque was drawn never got debited. The manual process of inter-branch reconciliation would often take weeks before the fraud was discovered. So the first giant step in bank computerisation was in reconciliation of accounts of different branches, by matching of transactions that span across two branches. This threw up anomalies where the payee’s account got credited (because the bank “purchased” the cheque), but the account of the customer who wrote the cheque never got debited as it should have. I remember that in my earlier years at Tata Consultancy Services in the early 1980s, the banking group used to manage the massive job on inter-branch reconciliation for State Bank of India on a Burroughs mainframe computer. The data of all inter-branch transactions used to be punched on cards, transferred to tapes, and sent to the TCS computer centre for overnight processing. This was a “batch” process, with input data of cheques being fed through punched cards or magnetic tape, and the output reports being printed on reams of stationery. But it did alert the bank to mismatches in cheque transactions between branches.
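The matching that the batch reconciliation performed can be shown in a few lines. This is an added example, not code from the original article or from any bank or vendor: a cheque "purchased" by the collecting branch is a credit in that branch's ledger, the same cheque must later show up as a debit at the drawee branch, and a credit with no debit after a grace period is the anomaly that points to an intercepted cheque. The ledger layout, branch codes and every record below are constructed for illustration.

```python
"""Inter-branch cheque reconciliation (added example, constructed data)."""
from datetime import date

# Constructed sample ledgers. Matching key is (drawee_branch, cheque_no).
COLLECTING_CREDITS = [
    {"branch": "BOM-FORT", "drawee_branch": "CAL-PARK", "cheque_no": "000123",
     "amount": 5000, "date": date(1982, 3, 1)},
    {"branch": "BOM-FORT", "drawee_branch": "DEL-CP", "cheque_no": "000777",
     "amount": 12000, "date": date(1982, 3, 2)},   # never debited: intercepted?
    {"branch": "MAD-MNT", "drawee_branch": "CAL-PARK", "cheque_no": "000456",
     "amount": 2500, "date": date(1982, 3, 3)},    # amount differs at drawee
    {"branch": "MAD-MNT", "drawee_branch": "DEL-CP", "cheque_no": "000888",
     "amount": 800, "date": date(1982, 3, 9)},     # recent, still in transit
]
DRAWEE_DEBITS = [
    {"branch": "CAL-PARK", "drawee_branch": "CAL-PARK", "cheque_no": "000123",
     "amount": 5000, "date": date(1982, 3, 6)},
    {"branch": "CAL-PARK", "drawee_branch": "CAL-PARK", "cheque_no": "000456",
     "amount": 2900, "date": date(1982, 3, 8)},
    {"branch": "DEL-CP", "drawee_branch": "DEL-CP", "cheque_no": "000999",
     "amount": 300, "date": date(1982, 3, 4)},     # debit with no credit anywhere
]


def reconcile(credits, debits, as_of, grace_days=7):
    """Match collecting-branch credits against drawee-branch debits.

    Returns a dict of lists keyed by finding type:
      matched          credit and debit agree on amount
      amount_mismatch  both legs present but amounts differ
      overdue_credit   credited more than grace_days ago, never debited
      in_transit       credited recently, debit not yet posted
      unmatched_debit  debit with no purchasing credit (misposting or forgery)
    """
    debit_index = {(d["drawee_branch"], d["cheque_no"]): d for d in debits}
    findings = {k: [] for k in ("matched", "amount_mismatch", "overdue_credit",
                               "in_transit", "unmatched_debit")}
    seen = set()
    for c in credits:
        key = (c["drawee_branch"], c["cheque_no"])
        d = debit_index.get(key)
        if d is None:
            age = (as_of - c["date"]).days
            bucket = "overdue_credit" if age > grace_days else "in_transit"
            findings[bucket].append(key)
            continue
        seen.add(key)
        if d["amount"] != c["amount"]:
            findings["amount_mismatch"].append((key, c["amount"], d["amount"]))
        else:
            findings["matched"].append(key)
    for key in debit_index:
        if key not in seen:
            findings["unmatched_debit"].append(key)
    return findings


def sample_report():
    """Run the constructed ledgers as of 12 March 1982."""
    return reconcile(COLLECTING_CREDITS, DRAWEE_DEBITS, as_of=date(1982, 3, 12))


if __name__ == "__main__":
    for kind, items in sample_report().items():
        print(f"{kind:16} {items}")
```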
Phishing
Jamtara is a backward district in Jharkhand. According to the last census in 2011, Jamtara had a population of around 800,000, a low literacy rate of 62.58% and a high unemployment rate of over 58%. There has not been a census since 2011, but my guess is that the numbers do not look much better now. Not many people outside Jharkhand would have heard of Jamtara, were it not for the fact that it gained ignominy as the cybercrime capital of India. It was made (in)famous by a widely watched TV serial on Netflix simply called Jamtara.
Around 2015 or so, a few unemployed youths from a small, backward village from Jamtara district came up with a brilliant idea to scam people all over the country using a simple mobile phone.
Groups of 2-3 such young men would get together to run the scam. They would procure a large number of SIM cards using fake identity documents. One of them would call mobile and landline numbers posing as a very official-sounding bank employee. He would sweet talk and cajole the target into sharing their bank account or ATM card details. The other scamster would then immediately use the information to withdraw money from the unsuspecting person’s bank account into his e-wallet, quickly transferring the stolen money into a bank account, often via another e-wallet. They would then destroy the SIM cards to wipe all traces of the transaction. Very soon, the young men started buying expensive motorcycles and cars, and building houses from their ill-gotten wealth. This went on for a few years, but then more such youths got attracted to this “game” and some of them became sloppy, and eventually got caught. The Jharkhand government had to set up a cybersecurity cell in the village to investigate these scams. Many of the ringleaders have been caught and jailed, and hopefully the Jamtara scams will end soon, before the criminals resort to some other more sophisticated form of crime. Having said that, this method of scamming unsuspecting and gullible targets is still very common. I get a number of calls daily telling me that there is a large insurance policy in my name that has matured, and all I have to do is to pay the last few premiums which are due in order to claim the amount. I am sure many readers do as well, and this is one of the many types of stories the scamsters spin to separate you from your money.
What is described above is the simplest form of cybercrime, called “phishing”. It does not require any understanding of technology, just some street smartness. Of course the targets have to be gullible and a bit careless. These are probably the first reported incidents of phishing on a large scale in India, but the word “phishing” was invented way back in 1995 in the US, where the modus operandi was used to steal AOL credentials from users.
Interestingly, the word phishing has morphed into other forms – “smishing” (using SMS text messages to make the target click on a compromised link), “quishing” (enticing somebody to scan a QR code containing a compromised link) and “vishing” (using voice calls, as in the Jamtara scams).
Another related term invented more recently is “whaling”, where the targets are high profile individuals like company CEOs and High Net Worth Individuals (HNIs), the amounts involved are large, and the targets are often corporates. The modus operandi is the same, exploiting people’s gullibility and carelessness. There are quite a few reports of whaling recently, but I will not go into them for want of space.
As mentioned earlier, this is the easiest and least sophisticated type of fraud that school dropouts can perpetrate. On their part, banks and the police warn customers to be careful while responding to telephone calls, texts and WhatsApp messages from unknown senders, and never to give PINs and passwords of bank accounts and apps to such callers. Banks never ask customers for such information. That is the only way to avoid falling prey to such scams.
Despite all the warnings, the number of phishing attacks recorded in India in 2023 is a staggering 79 million.
The only consolation, if it can be called that, is that the US was number one in the world (1.1 billion), followed by the UK (112.9 million). Of course, it is possible that in India all phishing attacks do not get properly recorded or counted.
ATM Frauds
Then came the Automated Teller Machines (ATMs). Although the first ATM or cash machine was invented in the late 1960s, they became popular much later, in the 1980s. For the first time, customers of the bank could interact directly with the bank to withdraw cash, check their account balance, deposit cheques, etc. using the ATMs. However, the ATMs were not connected to the bank’s computer systems until the late 1990s. In India, the National Financial Switch (NFS) was implemented in the early 2000s. The NFS network connected ATMs all over the country. Earlier, banks would issue ATM cards which could be used only on ATMs. These days, most banks issue debit cards which work on ATMs as well as for online transactions where the money gets deducted from your account instantly. Let’s see the kind of imaginative tricks used by fraudsters to steal your money:
- Skimming: a device placed on the ATM card reader copies information stored on the magnetic stripe at the back of the card. Either somebody peeping over your shoulder, or concealed cameras give away the PIN. This type of fraud has now been largely stopped with chip embedded cards, where the information on the magnetic stripe cannot be skimmed.
- Card trapping: A device placed underneath the card reader physically captures your card. The PIN is captured as above.
- Cash trapping: This is even lower tech – a device placed in the cash dispenser traps the cash. Easy!
- Keyboard jamming: The Enter key on the ATM keyboard is jammed physically, so that after you punch in the PIN you cannot confirm it and walk away. The fraudster then releases the jammed key and completes your transaction.
- Phishing: We dealt with this type of fraud above, which uses the phone, SMS or WhatsApp to entice gullible users to part with the card details.
Evolution of Computerisation in Banks
Over the next couple of decades, the monolithic architecture of the so-called mainframe computers transitioned to a client-server architecture, thanks to the flexibility and growth of the Unix operating system, the TCP/IP protocol, the HTTP and HTTPS protocols, and eventually the explosive growth of the internet as we know it today. Initially in the client-server architectures, branches ran the client software (not to be confused with the clients of the bank) on desktop computers at the branches, which were connected using TCP/IP over leased telephone lines to a centralised “server” run in a large data centre owned either by the bank or a service provider. The clients interact with the server using APIs – Application Programming Interfaces. Of course there are several layers in between, and the architecture of the layers has evolved and become more sophisticated over the years, but we will not get into those details at the moment.
An important step in the evolution of computerisation of banking operations was “Core Banking” software, an integrated suite of software modules that automate the day-to-day operations of banks for their retail banking (retail account opening, loans, payments and receipts and updating account balance, chequebook ordering, etc.) as well as wholesale or corporate banking (corporate loans, treasury, trade finance, etc.).
Until then, banks ran multiple applications developed by different vendors, with the resultant challenges of reconciling the data managed by these disparate applications. So Core Banking was definitely a development in the right direction, as data related to the different businesses of banks at all branches was maintained in a central database of the Core Banking system.
Let’s now fast forward to the Internet age, where bank customers can access their bank accounts over the Internet using a browser on their computers, and more recently on their smartphones. Before we get to that, let us take a quick look at the HyperText Transfer Protocol (HTTP), with and without the “s” as in HTTPS, the Domain Name System (DNS) and the HyperText Markup Language (HTML). In simple terms, HTML and its later versions make up a language that allows the user to exchange information back and forth with the server, using forms, which were rudimentary initially, but became more graphic with images and colours. Browser clients use HTTP to communicate with the server. The protocol contains a definition of the format of the information transferred between the client and the server. Since its invention in 1991, HTTP has undergone a lot of revisions to make it more extensible, so that important information can be communicated between client and server to create a failsafe communication mechanism. The formats are rigorously defined by technologists entrusted with the responsibility of defining the standards, and followed by designers and programmers. Shortly thereafter, in 1994, a security layer called the Secure Sockets Layer (SSL) was added on top of HTTP; the combination is simply called HTTPS. The SSL protocol was later upgraded and renamed TLS (Transport Layer Security). The protocol verifies that both pieces of software at the two ends have valid “Certificates”. These certificates are issued by a hierarchy of global certificate authorities. It works on pairs of “public and private keys” issued by the certificate authorities. Each side uses its private key to encrypt the message before sending it, and the public key of the sender to decrypt messages received. In the TCP/IP protocol, every end point anywhere in the world connected to the internet, including laptops, smartphones, gaming devices and everything else, has a unique “IP Address”.
This is a four-part number separated by dots that can accommodate around 4.3 billion devices, in the current IPv4 version of the protocol. As you can well imagine, with the explosion of devices connected to the internet all over the world, a later version, IPv6, is being rolled out. This is double the length of IPv4 and can accommodate trillions of devices, but we need not go into that detail at the moment. All websites that you access are identified by their unique IP addresses. Simply put, the DNS assigns a unique name to each website (chosen and paid for by the owner, and assigned, if the name is still available, by domain name registrars authorised to do so). The mapping of domain names to IP addresses is maintained on DNS servers, which propagate changes to all other DNS servers periodically. The obvious purpose of the DNS is that users need not remember the numerical IP addresses of websites, including those of their banks and other financial services providers, in order to access them. The web address of the website and the page on the website that you are trying to access, consisting of the domain name of the website plus an extension containing the location of the page on the website, is called a “uniform resource locator” (URL). It contains an http://www or https://www followed by the address of the page, often a long string of unintelligible characters.
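The domain-name and URL structure just described is exactly what a customer has to read correctly when a link arrives by SMS, WhatsApp or QR code (the smishing and quishing mentioned earlier). As an added example that is not from the original article, the Python below pulls the host out of a URL and flags the usual tricks a defender looks for: a registered domain that is not the bank's, the bank's name used only as a subdomain or as user-info before an @, a bare IP address in place of a name, and plain http. The bank domain examplebank.co.in and all the URLs are constructed placeholders, and the registrable-domain rule is a small heuristic standing in for the Public Suffix List.

```python
"""Flag suspicious bank links before trusting them (added example, constructed data)."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: the domains the bank actually registered.
TRUSTED_DOMAINS = {"examplebank.co.in", "examplebank.com"}

# Two-label public suffixes the heuristic knows about (assumption, not exhaustive;
# real code should consult the Public Suffix List).
TWO_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "gov.in", "co.uk", "com.au"}


def registrable_domain(host):
    """Return the part of the host the owner registered, e.g. 'examplebank.co.in'.

    A host like examplebank.co.in.secure-verify.example resolves to
    'secure-verify.example', which is the point: the bank's name on the left
    is just a subdomain chosen by whoever owns the right-hand part.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_ip_literal(host):
    """True if the host is a raw IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_link(url, trusted=TRUSTED_DOMAINS):
    """Return a sorted list of warning codes; [] means HTTPS to a domain the bank owns."""
    warnings = set()
    parts = urlsplit(url.strip())
    host = parts.hostname or ""
    if parts.scheme != "https":
        warnings.add("not-https")
    if "@" in parts.netloc:
        warnings.add("userinfo-in-url")      # bank.example@attacker trick
    if not host:
        warnings.add("no-host")
        return sorted(warnings)
    if is_ip_literal(host):
        warnings.add("ip-literal-host")      # no DNS name at all
        return sorted(warnings)
    if host.startswith("xn--") or ".xn--" in host:
        warnings.add("punycode-host")        # internationalised look-alike letters
    if parts.port not in (None, 443):
        warnings.add("non-standard-port")
    if registrable_domain(host) not in trusted:
        warnings.add("untrusted-domain")
        # The bank's name appears somewhere in the link, but the registered
        # domain is not the bank's: the classic look-alike.
        names = {t.split(".")[0] for t in trusted}
        haystack = parts.netloc.lower() + parts.path.lower()
        if any(n in haystack for n in names):
            warnings.add("lookalike")
    return sorted(warnings)


if __name__ == "__main__":
    for u in ("https://netbanking.examplebank.co.in/login",
              "http://examplebank.co.in.secure-verify.example/kyc",
              "https://examplebank.co.in@evil.example/",
              "https://203.0.113.5/examplebank"):
        print(f"{u:55} {classify_link(u)}")
```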
One other development in the past couple of decades that has changed the computing landscape is “cloud computing”.
It offers a solution to the technical and management challenges that many small and medium-sized businesses face, allowing them to rent resources from cloud providers as and when their demands change, instead of maintaining servers and investing in computing resources. Large technology companies like Amazon, Google and Microsoft invest in the infrastructure and rent out resources like servers, storage, networking, software tools, and analytics. As compared to owning and managing your own infrastructure of computing resources, cloud computing adds vulnerabilities to systems, making them attractive targets for cybercriminals. Historical data bears this out.
The widespread and ubiquitous availability of internet services gave an opportunity for banks to provide tremendous convenience to their retail as well as corporate customers to access their accounts for making payments and receipts, balance enquiries, and ordering services from banks like statements and chequebooks. It also gave banks the means to sell other services related to stocks and mutual funds, insurance and a lot more. This also opened up vulnerabilities for cybercriminals to exploit holes in security and gullibility and carelessness on the part of customers using banking services over the internet.
An added factor in the last decade that has aided customer convenience, but has opened up vulnerabilities for cybercriminals to exploit, is that a lot of internet traffic, including banking and financial transactions, now originates from and terminates on smartphones. I would guess that a majority of mobile phones are cheap ones imported from China, and lack the security features that costlier and more sophisticated mobile phones do.
Lastly, the proverbial “elephant in the room” is the advent and popular use of Artificial Intelligence (AI) in the past few years. It has introduced a totally unknown and unpredictable variable into the equation. I believe the jury is still out on whether AI will help the cops or the robbers more. So we will not get into it right now.
The reason to present this long treatise (hopefully without getting into too much boring detail) is for the reader to understand the enormous complexity and scale of how the Internet works, and the number of links in the chain that fraudsters can exploit. All good software architects, designers and programmers incorporate the security features that are meant to authenticate who they are communicating with, and secure the communication between two endpoints. It is when these principles are not rigorously followed, that fraudsters find opportunities to insert themselves in the communication, often infect the computers involved in the communication with malware, and perpetrate frauds. Also, it is often through insider collusion that such backdoor entries are gained by fraudsters.
Let us now look at some of the types of cyberthreats that the technological developments described above have given rise to.
Cyberthreats
IP Spoofing: A cybercrime where a hacker alters the source IP address in a packet header to make it look like the packet is coming from a trusted source. This can be used to launch attacks such as denial of service (DoS), man-in-the-middle, and more.
Man in the middle: A cyber-attack where a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway. The goal of such an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.
Trojans: The term is borrowed from the well-known Greek story about the Trojan Horse. A Trojan is a type of malware that misleads users about its true intent. Trojans are often disguised as legitimate software; another common installation tactic is a malicious link or email attachment, such as one disguised as an invoice, that silently installs the Trojan once clicked on. Once activated, they can enable cybercriminals to spy on you, steal your sensitive data, and gain backdoor access to your system.
Ransomware: Ransomware is a type of malware that encrypts the files on a victim’s computer or network, making them inaccessible, and demands a ransom payment to decrypt them. Victims are often threatened with permanent loss of data or exposure of stolen data if the ransom isn’t paid.
Dropper: A dropper is a type of malware designed to install other malware onto a target system. The dropper itself does not typically cause harm to the system; instead, its purpose is to evade detection and establish a foothold from which it can discreetly download and execute other malicious programs.
The India Stack and UPI
This article would be seriously deficient without the mention of the India Stack. The India Stack development was started under the leadership of Nandan Nilekani in 2009 as chairman of the Unique Identification Authority of India (UIDAI), solidly backed by the government and the Reserve Bank of India. I might mention in passing, though I am sure it is unnecessary, that he belonged to the 1978 batch of IIT Bombay, and was a cofounder of Infosys. The India Stack consists of three layers of use cases: Identity, Payments and Data Empowerment. The India Stack, the number of users and kind of facilities it enables for the entire population of India, and the staggering volume and value of financial transactions it supports, has been recognised the world over as a unique achievement. It is truly something that should make us proud.
Briefly, the Identity layer consists of the Aadhaar infrastructure, where every resident of India can (but is not forced to) have an identity document/card containing his or her personal details such as name, address, year of birth, gender and a photo so that it can be used as physical proof of identity where needed. Each individual has a unique, twelve-digit Aadhaar number. The data on each Aadhaar card is digitally stored on secure servers owned by the government. The Payments layer is supported by the Unified Payments Interface (UPI) rails. As of January 2024, 550 banks are connected to UPI. Many smaller banks connect to UPI through larger banks. There are about 452 million active users connected to UPI through over 70 mobile apps. Most merchants have QR codes (totalling an incredible 340 million) allowing users to pay them for purchases using these payment apps. UPI is used for person-to-person instant payments as well as person-to-merchant instant payments. In 2023-24, there were 131 billion transactions adding up to a total value of ₹ 20 trillion. After its launch in 2016, UPI volumes have been growing at over 40% annually. All entities connect to UPI through APIs, maintained and published by the National Payments Corporation of India (NPCI). One of the excellent security features in UPI is multi-factor authentication (MFA), in the form of face recognition or a six-digit UPI PIN to complete any transaction, and the payer and payee are both alerted within a few seconds with a text message about the transaction.
As a surprising and funny aside, I was once accosted by a beggar on the street asking for money. When I told him I was not carrying my wallet, he responded that I could pay him using GPay (one of the hugely popular payment apps from Google).
The types of fraud mechanisms on UPI are mostly covered in the earlier sections. They include phishing, fake UPI QR codes, and malware attacks. One recent addition has been SIM cloning, which requires the fraudster to get physical access to your phone or SIM card by stealing your phone. The precautions to be taken in order to prevent UPI fraud are the same as for other types of fraud, with the additional precaution not to leave your phone unattended in a public place. Also, never ever use phone chargers at airports, malls and other public places to charge your phone, as they can contain chips embedded in the chargers to copy your data, even if the chargers appear to be the standard, common makes.
Given the breathtaking volume and value of UPI transactions, the number of UPI frauds reported is just around 95,000 in 2022-23. I could not find the numbers from last year.
I do realise that there are a few things that the article did not cover, but I hope I can be excused given that the article has become longer than initially planned. I also hope the lay non-tech user will find something useful in the article to take home.