Some time back, an AGM of UCO Bank lodged a complaint stating that about Rs 75,000 had been illegally transferred to some other account. Recently, a doctor fell prey to a phishing scam and lost Rs 1.4 lakh: cybercriminals siphoned off Rs 1.4 lakh from the four bank accounts of a physiotherapist after tricking him into revealing his bank and personal details through a phishing mail. And just a few days back, the RPG Group of companies became the latest victim of online banking fraud when cyber criminals hacked into the firm’s Mumbai-based current account and siphoned off Rs 2.41 crore in three hours. In total, 13 RTGS transfers were issued to siphon off Rs 2.4 crore.
Such news has made the headlines in the past and, undoubtedly, will continue to do so in future. Before we go into the details of the perpetrated crime, let us understand some basics related to online banking.
As per RBI, NEFT is an electronic fund transfer system that operates on a Deferred Net Settlement (DNS) basis, which settles transactions in batches. In DNS, settlement takes place for all transactions received till a particular cut-off time. These transactions are netted (payables and receivables) in NEFT, whereas in RTGS the transactions are settled individually. For example, NEFT currently operates in hourly batches – there are eleven settlements from 9am to 7pm on weekdays and five settlements from 9am to 1pm on Saturdays. Any transaction initiated after a designated settlement time has to wait till the next designated settlement time. Contrary to this, RTGS transactions are processed continuously throughout the RTGS business hours.
OTP stands for Online Transaction Password which the user has to provide either during the login process or while processing transactions related to NEFT/RTGS. As per the guidelines issued by RBI, it is mandatory for all banks to provide OTP for all transactions.
Phishing attacks and information-stealing Trojans will always steal the login information, i.e. the user id and the password, and in certain cases the transaction password as well. Certain banks have an additional passphrase for transactions, commonly known as the transaction password.
The other banking details stolen from the user are their credit/debit card details, i.e. the card number, expiry date and CVV number. Hence, a successful phishing / Trojan attack will steal the user-id, password, credit / debit card number, expiry date of the card, or the CVV number. Now the question arises: when OTP for every transaction has been enabled by the banks, how are the cyber crooks able to successfully conclude the transactions?
There are two different approaches adopted by cyber criminals when they target online banking systems:
1: Mobile Hijacking,
2: Targeting the manner in which OTP has been deployed / processed by the banks.
Mobile Hijacking: In this method, criminals steal the identity of the victim to procure a duplicate mobile SIM card. When a duplicate SIM card is procured, it is imperative for the mobile operators to verify the submitted documents, also known as KYC documents. However, in the recent past we have seen a rise in mobile hijacking, which raises the concern that KYC norms are not being followed, or that photo-copies of identity documents are being used blatantly and the originals are not being verified by the telecom operators while issuing a duplicate SIM card.
After procuring a duplicate SIM card, whatever security is deployed by the banks goes for a toss, as the login / withdrawal / OTP notifications are received by the criminals while the victim is unaware that something dreadful is happening to their bank accounts.
The targeted victims are those who are leaving the country and flying overseas; moreover, they are probably not in a position to verify the exact reason why they have lost the mobile signal. With a working duplicate SIM card available, criminals use it in a variety of ways, either by initiating a password change or, if the password is already known, by proceeding directly with the unauthorized account access.
When Mobile Hijacking is not being used by the criminals, the manner in which OTP has been deployed / processed by the banks is targeted instead. In order to facilitate RTGS/NEFT, it is imperative for the bank to send the notification and in turn request the OTP pin received by the user. However, it is to be noted that the OTP is sent to the registered email-id and mobile number of the end-user. During a Trojan attack, the user’s computer is entirely under the control of the crook. After the system has been infected and all the credentials have been stolen from it, the cyber-crooks also ensure that they have unhindered access to the email account. Using the stolen credentials, the crooks access the online banking account and add a beneficiary to the victim’s bank account; they also access the OTP mail received by the victim and provide the same to authorize the beneficiary.
However, it is to be noted that not all banks will allow this to happen. During the login itself, they will ask for Login-OTP and this Login-OTP is sent only to the registered mobile phone. Crooks are very well aware of the banks which do not ask for OTP at the time of sign-on and will go to any lengths to exploit the users of such banks.
An OTP asked for during the login process ensures that the user is genuine before they are given access to the configuration settings of their account. However, any bank which does not use an OTP at the time of login leaves the user’s configuration settings at risk.
During the day-time, it would be viable for any user to keep a tab on the messages received; however, when these activities are carried out by the crooks in the dead of the night, in all probability such messages, whether by way of SMS or email, will never serve their intended purpose. The crooks have already registered the beneficiary accounts and initiated the RTGS / NEFT transactions, knowing very well that these transactions will be processed by the automated systems of the bank in the first available slot.
The issue with OTP in the above case is related to choice; when OTPs are mandatory then why give a choice? Every person who does online banking owns a mobile phone and no one can deny this fact.
Why not make it mandatory to deploy, rate and allot time limits to newly added RTGS/NEFT beneficiary accounts? This idea is similar to the ‘trust’ built up before issuing a credit note between two organizations, and is commonly seen in every business. Moreover, it must also be noted that very few banks have deployed this feature.
Now, when we look into online payment via net-banking or credit/debit cards, the only requirement to facilitate the transaction is to provide your internet banking password or your credit/debit card details. These are the same details which have been stolen by the cyber-crooks. The information required to clone a card is nothing more than what has been mentioned earlier, and in such cases cash is withdrawn or purchases are made from different geographical areas, and many a time from different countries.
Since every bank has a different approach towards the deployment of OTP and other online-banking security related issues, it would reap huge benefits if we start asking questions, so as to have clarity and transparency about the additional facilities provided by the banks to their customers:
- Does the bank allow a geographical block for cash withdrawals or swiped-card based payments?
- RTGS / NEFT:
  - Is OTP implemented during the online account login process?
  - Is there any limit to the payment amount for a new payee? If yes, how much is the limit for the amount, and for what time period does it apply?
  - Is this limit also applicable based on the number of transactions?
  - Is there any upper limit that can be defined for outgoing amounts via NEFT / RTGS on a per-transaction / per-day basis?
  - Does the bank call the customer to confirm whether he had initiated an RTGS above a certain limit?
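As an added illustration (not the author's code nor any bank's actual system), the controls asked about above can be expressed as a single policy check that a bank's transfer engine could apply before queuing an RTGS/NEFT request: a cooling-off window and cap for newly added payees, a per-day outgoing cap, a hold on night-time requests to new payees instead of processing them in the first available slot, and a call-back threshold. All policy values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Policy values are assumptions for illustration; each bank sets its own limits.
NEW_PAYEE_COOLING_OFF = timedelta(hours=24)  # window after a payee is added
NEW_PAYEE_CAP = 10_000        # Rs per transfer to a payee still in the window
NEW_PAYEE_MAX_TXNS = 2        # transfers allowed to such a payee in the window
DAILY_OUTGOING_CAP = 200_000  # Rs total NEFT/RTGS outflow per calendar day
CALLBACK_THRESHOLD = 100_000  # Rs above which the bank phones the customer
NIGHT_START, NIGHT_END = 23, 6  # hours; new-payee requests in this band wait


@dataclass
class Payee:
    name: str
    added_at: datetime  # when the beneficiary was registered in net-banking


@dataclass
class Transfer:
    payee: Payee
    amount: int
    requested_at: datetime


def is_night(ts: datetime) -> bool:
    return ts.hour >= NIGHT_START or ts.hour < NIGHT_END


def evaluate(t: Transfer, history: list) -> tuple:
    """Return (decision, reason): ALLOW, HOLD (manual review) or CALLBACK."""
    age = t.requested_at - t.payee.added_at
    if age < NEW_PAYEE_COOLING_OFF:
        earlier = [h for h in history if h.payee == t.payee]
        if t.amount > NEW_PAYEE_CAP:
            return "HOLD", "amount over new-payee cap"
        if len(earlier) >= NEW_PAYEE_MAX_TXNS:
            return "HOLD", "too many transfers to new payee in cooling-off"
        if is_night(t.requested_at):
            return "HOLD", "new payee, requested at night; wait for morning"
    # Daily cap counts every transfer already requested on the same date.
    day_total = t.amount + sum(
        h.amount for h in history if h.requested_at.date() == t.requested_at.date())
    if day_total > DAILY_OUTGOING_CAP:
        return "HOLD", "daily outgoing cap exceeded"
    if t.amount > CALLBACK_THRESHOLD:
        return "CALLBACK", "confirm with customer by phone before release"
    return "ALLOW", "within policy"
```

A transfer to a beneficiary added an hour earlier at 02:30 is held under this policy even with a valid OTP, which is exactly the gap the night-time scenario above exploits.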
Unless and until drastic changes are devised and implemented by the banks, online banking frauds are here to stay. Banking is based on a practical approach to business ethics, where all businesses and individuals adhere to these norms. However, when it comes to online banking, why is the approach towards the practicality of security / alert deployment so very different across banks?
– By Govind Rammurthy, MD & CEO, eScan