KOCHI: The deep recesses of the cyber world are a perfect hiding place for those with a criminal but technical bent of mind. With digital becoming the byword in every sector, huge question marks hover around security. Everything hitherto considered personal information is now available to anyone at the click of a button. The rise in cyber crimes the world over is an indication of how vulnerable people are. Recently, Kerala too bore witness to a series of OTP (one-time password) frauds. Kochi, the business capital of the state, has seen around 20 cases till date.
However, it is surprising that the people who have fallen prey to fraudsters are educated professionals. Two weeks ago, some professors working in various departments of the Kerala University lost huge sums, some close to Rs 1 lakh. The incident happened on a Sunday when the professors got a call from a ‘bank officer’.
“The bank officer gave details like the card number and also the CVV. The victims were informed their cards have been blocked and new ones will be issued soon. For a new card, they were asked to reveal the OTPs,” said a police officer with the cyber cell. Only when they got messages informing of certain amounts withdrawn from their account did the professors realise they had been duped. Thomson Malayil, a resident of Kozhikode, is another victim of OTP fraud.
“I was duped of Rs 25,000 by a person claiming to be from the SBI head office in Mumbai. He said he would renew my card which was about to expire. He knew my card number, CVV, expiry date and wanted the OTP sent to my phone to initiate the process. These incidents raise serious questions regarding data protection online,” he said.
Quick thinking and prompt action saved Manju, another prospective victim. “I never check my messages. But it was pure luck I happened to look at a message which said around 63,000 Sri Lankan Rupees have been deducted from the account. There was also a second message that implied the transaction has been a successful one. I quickly contacted the bank, which checked the account and confirmed the money hasn’t gone out. I immediately blocked my ATM card,” she said.
This is the second such incident to happen to Manju’s family. Four years ago, in a similar incident that happened when they were in Dubai, a message alerted her husband that around 5,000 Dirhams were debited from his account. “Further inquiries revealed the fraud happened from somewhere in France,” she said.
How does the fraud happen?
According to a police officer with the cyber cell, the details get leaked when the banks outsource data entry. “Nearly all banks in the country outsource data entry. So, all customer details become readily available to a third party. This data then gets sourced out to other people who misuse it to steal money from the unsuspecting customers,” he said.
According to Manoj Kumar, a security analyst, data leaks from banks’ servers too. “This happens when the financial institutions don’t carry out source code auditing,” he said. “Whenever a programme is written by a developer, some vulnerabilities might creep in. Expert programmers are sometimes able to weed them out. Often, these vulnerabilities remain,” he said.
To find and clear them, every institution needs to do a source code audit, he said. “It is like finding a crack in the plaster protecting the building and filling it up so that the elements do not enter the base structure and eat into it. If a financial institution doesn’t audit its system, any hacker will be able to enter its server and glean information. Online frauds happen this way,” said Manoj.
The same applies in the case of mobile applications of banks too. “Bigger banks are up to date with regard to source code auditing. They even have foolproof programming. But the smaller financial institutions are vulnerable to cyber attacks,” he said.
Threat from browsers
Whenever a person types or keys in personal details, especially the ATM card details while shopping online, he or she actually ends up sending the information to thousands of other websites. “This happens when the data leaks from the browser. When this information lands in the hands of unscrupulous persons, they misuse it to siphon off money,” said Lavakumar Kuppan, founder of SBOXR, a cybersecurity startup. However, it is possible to find the leak and plug it if the vulnerability is detected in time, he said.
Awareness is most important
Awareness is the most important tool in tackling OTP frauds, said a bank officer. “People need to be aware that no bank officer will ever contact them over the phone regarding cancellation, issue or blocking of ATM cards. Officers will also not contact the customer over the phone to exchange account details. Whenever a person gets such a call, he or she should not reveal the account or debit/credit card details. Please contact your bank if such a call is made or if your account gets breached,” the officer said.