Secure banking in age of cybercrime

On a typical chilly Bengaluru morning, you get up only to see your mobile light furiously blinking away. Three SMS notifications show transactions made on your Euro visa card from Rio de Janeiro in far-off Brazil. You double-check: your card is safe and secure with you. But the transactions, at 10- to 15-minute intervals, are current. The card has an EMV chip and you have not shared your PIN or the card verification code (CVV) with anybody (and certainly not with someone in Brazil), yet all the money is gone!

What remains now is to block the card by calling up a sleepy operator at the bank's call centre, who takes ages to crosscheck and confirm your identity and makes you explain the problem repeatedly. The next morning, you report the matter to a bank official who nonchalantly takes down all the details once again!

With the evolution of information technology (IT), popularisation of computer usage coupled with rapid internet growth, people now have equal opportunities to access information and stored data using high-end technology.

The increasing number of netizens has given birth to cybercrimes: intellectual property crimes, e-mail spoofing, forgery, cyber defamation, cyberstalking, unauthorised access to a computer system, theft of information contained in electronic form, phishing, site intrusions, defacements, virus or malicious coding, ransomware with a demand for ransom in bitcoins (a crypto-currency which attackers feel is the safest way to get paid), financial crimes, sale of illegal articles, pornography and online gambling. These are all criminal activities carried out through the use of computers.

Unauthorised transactions occur via several methods. Skimming is a sneaky tactic where thieves copy the information on a card's magnetic stripe to create a counterfeit card and make purchases. Phishing is another method, where emails, supposedly from banks or government agencies, ask for confidential details or make us share account-related information on bogus sites.

There is also the physical loss of a debit card or credit card, which in the hands of a fraudster could be used to conduct transactions till it is blocked. The most frequent is card-not-present (CNP) fraud, where the fraudster uses the card number and expiry date to conduct a transaction over phone or mail. The card need not be present physically and the CVV or a one-time password (OTP) may not be required.

This is happening despite most Indian banks using EMV (Europay, MasterCard, Visa - the three companies that originally created the standard) smart cards, which store data on integrated circuits in addition to magnetic stripes and must be physically inserted into a reader. This has made counterfeiting cards much tougher, but it doesn't help with CNP transactions, when the phone is used to make purchases.

As more Indians go online and cyberfrauds have international ramifications, we must take cybersecurity seriously and not as a compliance task. Here are some practical suggestions to avoid cyber trauma.

Our password hygiene is very poor. We must create unique, complex passwords for each account. Thieves often test lists of passwords stolen in one breach against other accounts to see if an old Yahoo password is still used for a net banking account.

We need to become digitally engaged. We must guard our data by taking precautions while using the internet: avoid disclosing any personal information to strangers via e-mail or while chatting, update our anti-virus software to guard against virus attacks, and never send a credit card number to any site that is not secured.

We must set up SMS alerts with our banks on transactions so that we are notified every time there is a transaction in the account, especially when exceeding a rupee threshold, or when expenses originate overseas, or are made online, by phone or mail when the physical card isn't present.

We must conduct online purchases with reputed companies or merchants after ensuring the merchant's website is secure, by checking that the site's address begins with "https" and that there is a lock symbol before the site's name in the address bar.

Having notified the bank of the three unauthorised transactions from Brazil and having got them to block the card within three working days, one now needs to wait for the bank to refund the money as per RBI guidelines. If the bank's response is protracted, one can approach the banking ombudsman or, if still dissatisfied, reach out to the appellate authority to get the money refunded.

(The writer is Associate Professor, Sai Vidya Institute of Technology, Bengaluru)
