The digitisation of financial services has definitely made life easier for consumers. However, it offers a similar degree of convenience to fraudsters as well, especially cyber criminals. Of the manifold risks they pose to the financial ecosystem, the most pernicious one is that of identity theft. “We do have cases of financial instruments of one person being used by someone else,” says Alok Jha, managing director, CyberPlat India, an electronic payments processing company. “This happens largely on online transactions. In such situations it is difficult to understand a genuine transaction as it is impersonal. But we do velocity checks to understand if it is real or a hacked transaction.”
And, despite many safety measures, the threat is steadily increasing. Says Rajesh Mirjankar, chief executive officer at Infrasoft Technologies, a firm offering digital solutions to the banking and financial services industry: “It is fast turning into what we call an 'organised crime'. When I say organised crime, it means that people know how to carry out identity theft, either on a digital channel or through card-based transactions or using somebody else's personal details to get either an account opened or present a better credit score while taking a loan.”
According to a report by Experian Credit Information Company of India, identity theft accounts for three-fourths of overall fraud incidences. The maximum incidences of fraud were found to be in the consumer loans category, followed by that in credit cards. Mohan Jayaraman, managing director of Experian, says identity theft has become a full-fledged business involving people who go to offices with briefcases to collate data on prospective targets. “And they are doing nothing illegal,” he says.
So how has it become so easy to steal someone's identity? “Social media profiles that are visible to all internet surfers can be used by cyber criminals to collect details like birthdays, the identity and personal details of the individual’s family members, mother’s maiden name, their online banking service provider, and other such details,” says Sheran Mehra, senior vice president at DBS Bank in India. “Hackers often use this information to impersonate the individual on the internet. Social media updates can be used by hackers to seek money for reasons like the wife’s birthday or an emergency during a foreign vacation. Recipients may find it difficult to suspect mail filled with accurate references to personal details. Instead of hacking individual computers, cyber criminals are targeting data stored in corporate organisations, hospitals, and even online gaming sites.”
The traditional methods of using Trojans and phishing to extract details such as online banking user IDs and passwords, credit card numbers and CVV numbers continue to be used.
Financial services providers have woken up to the threat and are doing their bit to secure the system against identity theft. Players like CyberPlat have their own systems in place. “First of all, we ensure that all transactions are logged in through a key concept and use digital encryption for creating additional security layer to all transactions. This simply means that all transactions coming to us and leaving the system are fully encrypted. We also have alerts and notification system to do velocity checks on value, frequency and other important parameters,” says Jha.
At the same time, consumers are advised to be cautious. Mehra of DBS Bank says they must be careful to use a secure computer, banking-specific safety features, on-site safety features like virtual keyboards, and OTPs rather than transaction passwords. They must type the bank’s address in the browser’s address bar instead of using links received in emails and chat messages, and check for the appearance of 'https' in the address bar to ensure that the data being transmitted between the computer and the server is fully encrypted and no hackers can access it. They should also be mindful of what they do with other seemingly innocuous details.
Says Mehra, “Instead of the bank account details, phishers and vishers focus on data and information that can be used to reset your online banking account. Banks allow users to reset their login and transaction passwords by submitting additional information like PAN data, date of birth, and other personal details. Disclosing information like your mother’s maiden name or your first car’s license number can be as risky as disclosing your login or transaction password to a stranger.”
Jha warns against sharing bank and card details on phone in restaurants. “I have seen people who do not get up and go to the counter and input the passcode; instead they give it to the waiters in restaurants,” he says. “This can get sticky. Also, keep changing password at regular intervals.”