I’ve been using cards (both debit & credit) for over 14 years, and I’ve been doing online banking for almost a decade. I’ve heard of people being hit by fraud in online banking and while using cards. I’ve been quite fortunate not to have been targeted until recently.
I’ve seen people being duped out of their hard-earned money at almost all banks. The details have been obtained by fraudsters by phishing unsuspecting customers. The farthest back I can think of is around 2008-09, when I came in touch with a person from ICICI Bank who warned me of the threats and how customers were being duped even with security in place.
To be honest, I’ve faced online fraud once before, but I’ll give the benefit of the doubt and own the mistake of not properly disposing of the card. My chip card was giving me issues at Point-of-Sale (POS) terminals, so I requested a replacement card. To my surprise, the replacement card had the same card number, expiry date and CVV. I disposed of the card by cutting it into pieces. Some days later, I received an SMS about a transaction on my card. I raised a dispute – which was another painful process – and got to know it was an iTunes transaction. I got the refund, but it was definitely a lesson to monitor your SMS for transactions.
- Dispose of your card by shredding it and throwing the pieces away in separate places.
- Transactions in India (jurisdiction in India) need an OTP to go through.
Cut to the present day. I was happily sitting in my office – probably working or pretending to work – when I was hit by a barrage of SMS messages. They were OTP requests. People around me have received OTP requests over phone, SMS and recently UPI payment requests. Then comes the scary part. A transaction got approved and my card was charged.
Check your wallet for any missing card.
If you are not using a card for a long time, it is better to close it. The card being charged was one of my regular cards. I checked my wallet and it was happily sitting there. The OTP requests did not stop coming and transactions kept being authorised. It took some time to figure out that the email linked to my card had been changed. I checked my online account, and the account was not accessible. I was in the middle of an attack. I called up customer service and raised a fraud complaint. My email ID was reverted to the original first. This needed an OTP. Then the account was blocked.
This has brought up the question: how was the email ID initially changed without an OTP, and who authorised it? The card was used online, so fraudsters managed to get the card details. They also managed to get the account details, and the account was then hacked to change the email ID. If hackers are smart, then why only the email ID? They could’ve changed the phone number as well (I would have, to prevent the owner from knowing).
I did a Google search and many users have faced similar frauds. I tracked one issue for over a year. The bank has not changed the process in a year to improve user security? This has been the modus operandi for all previous cases as well – only the email ID has changed. The money was mostly being spent via PayTM or Mobikwik. These are online wallets, and a basic account needs only a mobile number. Getting a mobile number via fraud is nothing new and is still rampant.
My understanding is there are 3 ways your data can be updated in the records:
- While data is being fed/the user is created for the first time – This is definitely not the injection point. There is nothing to take from here.
- Customer Care portal/tool – User calls and confirms. This is probably protected behind an OTP but many just take audio verification.
- The backend/Customer Service Tool/SQL injection – Poor security model or using out-of-date security protocols. Not installing patches or allowing exploits even after being known in public domain. Even an inside job can’t be ruled out.
So many frauds are being reported on a daily basis, and little is being done to improve security. As per data available in the public domain, 24% of users experience online fraud. The number of arrests so far is abysmal, probably because either cyber crime cells are outdated or lagging behind the fraudsters, or (the most possible reason) customers are being made accountable for the frauds.
Not just online frauds, people are being subjected to frauds like card cloning and SIM cloning. Being safe has become extremely difficult. I’ve jotted down my thoughts on how to avoid being duped:
- Shred the package and contents in which card was received
- Tape the card number using thick dark coloured tape
- Scratch away the CVV
- Never use public Wi-Fi for sensitive data
- Do not share any OTP with anyone
- Do not entertain any call suggesting it is from the bank. Disconnect and call the bank to confirm
Kindly share & comment your thoughts on how we can protect ourselves from these attacks.