This article was first published as a part of the cover story in the February 2018 issue of Digit magazine. To read Digit’s articles first, subscribe here. You could also buy Digit’s previous issues here.
Of all kinds of threats, financial frauds tend to hit us the hardest – and the most frequently as well, thanks to the added incentive of monetary gains for the attacker.
One of the biggest factors that makes it difficult for financial fraud to be detected is the speed of transactions. They’re happening faster than ever before and in larger volumes, making it difficult for regular fraud monitoring tools to keep up. With newer avenues of payments including smartphones and wearables, there are as many newer points where a financial transaction can be tinkered with. Contactless card payments have been around for a while, and so have ways to hack them to steal card details or money itself. As we move to novel methods of payment, payment hacks are evolving.
With biometric payment systems like AadhaarPay being brought in, and the fingerprints being easily available on any surface that a person has touched, it opens doors to new kinds of attacks to steal your money. It is never a good idea to authenticate financial transactions to biometric authentication systems, for the simple reason that once biometrics are compromised, they remain compromised for life. You can easily get a new credit card if it is stolen, but if someone gets a high-resolution photo of your eyeball and your finger, you cannot replace those parts of your body. Without requiring your card details like card number, CVV, Grid numbers and more, an attacker will just have to impersonate your fingerprint – which is quite easy to do if they have access to your phone or your belongings.
After the data breaches that we saw last year, financial institutions reported a rise in fake account setups and login attempts across their systems, such as multiple login attempts for a range of accounts all coming from the same set of IPs or devices. Expect such attacks to become harder to detect in 2018 as machine learning and AI are used to make them appear natural to detection systems. On the other hand, the same AI can be used to generate social engineering attacks that appear to come from your bank but end up compromising your account, resulting in an account takeover.
Cryptocurrencies have been hailed as safe havens in terms of security so far. But with its current boost in popularity, especially with major organisations also making moves into the market, malicious actors are also expected to target cryptocurrencies largely this year. If appropriate standards are not followed in crypto implementations, expect some bad news in terms of its security as well. One easy avenue of cryptocurrency based fraud rides on the popularity as well as the confusion around the emerging technology. In the top ten “how to” searches in Google from India in 2017, there were three search terms related to cryptocurrencies. These were, “How to buy bitcoin in India”, “How to mine bitcoin” and “How to buy ethereum in India.” Those new to the technology can easily fall for fraud coins being sold, which are essentially pyramid schemes disguised as cryptocurrencies. The problem here is if caught in involving your friends and family into the scheme, the trapped users can be implicated in the crime too.
One of the biggest hubs of cybercrime in India, Jamtara in Jharkhand was exposed in an investigation by India Today. The fraudsters called up individuals, and scared them into handing over their PIN numbers and OTP codes. After that, their bank accounts would be emptied. There are few legal options available to the affected users in this case, as they have willingly handed over their OTPs, which were meant to provide an additional layer of security.
Expecting financial frauds to subside is a bad idea. While both sides, the banks and the attackers, continue to innovate their approaches towards your money, what you could do is follow certain ground rules regarding password protection and the security of your account – enable two-factor authentication wherever possible, and use alphanumeric passwords instead of fingerprint authentication.