need-to-secure-data-as-cyber-frauds-trying-new-ways-summary

Context: Cyber crime, like a pandemic, knows no state borders and this presents a global challenge for law enforcement agencies during the COVID-19 outbreak.

More about the news:

  • A few people are attempting novel ways of defrauding innocents using information and technology. 
  • Money is being siphoned off using fake accounts and exploiting vulnerabilities of various applications.
  • Recently, the DCP Cyber Crime, Delhi’s official Twitter account alerted citizens about a fake UPI (Unified Payments Interface) ID of the PM CARES Fund, pmcare@sbi – the correct UPI ID to donate for coronavirus victims is pmcares@sbi
  • The Delhi police took suo motu cognisance of the fraud, registered an offence of cheating under sections 419 and 420 of IPC, and blocked this and a number of other similar accounts. 

UPI related frauds:

  • The Fraud: 

The offence highlighted by the DCP, in fact, has nothing to do with the security of UPI as such. It is phishing, in which the offender creates a similar-looking ID to deceive users.

  • Impacts:
    • Within the limits set by each bank, any amount can be exchanged instantly using such apps, and the defrauded amount could be huge. 
    • The imposter can immediately withdraw the amount and flee, as there is no caveat on withdrawal. Also, if the bank has not done the Know Your Customer (KYC) process thoroughly, nabbing the culprit may become difficult.
  • Road ahead:
    • It is important to verify the destination UPI ID from authentic sources before making any transaction. 
    • If a mobile phone with a UPI-enabled app is stolen, it must be blocked and the bank intimated before it could be misused. 
    • Banks also must adhere to the KYC guidelines issued by the RBI, so that the address of each customer is checked physically.

About UPI: 

  • UPI is a real-time payment system developed by National Payments Corporation of India(NPCI) for inter-bank transactions. 
  • The interface is regulated by the Reserve Bank of India and instantly transfers funds between two bank accounts on a mobile platform. 
  • The NPCI keeps a record of all the accounts and transactions.
  • It is very easy to create an account using the UPI platform. One just needs an ID that could be even one’s mobile number or name, and a four-digit PIN. 

National Informatics Centre (NIC) 

  • It is an attached office under the Ministry of Electronics and Information Technology (MeitY), Government of India, established in 1976. 
  • NIC provides infrastructure to help support delivery of Government IT services and delivery of some of the initiatives of Digital India.

Facebook fraud

  • Cases of fake Facebook accounts are being reported where money has been fraudulently asked for the treatment of alleged patients by hacking their accounts. 
  • Facebook is often used for fraud
    • If the privacy settings are not consciously set to protect an account, it is always susceptible to hacking. 
    • Most users don’t change the default settings and keep them ‘public’
    • This makes it very easy for a cyber criminal to download a profile photo and create a fake account. 
    • Sometimes, people also exchange their bank account details, mobile number and other sensitive information on Facebook. 
    • Further, if the password on Facebook is weak, it can easily be cracked and the account hacked.
  • Road ahead: It is therefore, best to keep the privacy settings at ‘Only me’ or ‘Friends’ and not to share sensitive information on social media. Privacy settings can also be changed for every post and photo.

Using of public platforms for office works:

The lockdown has forced many to work from home. Unless the organisation has its own infrastructure and uses VPN (virtual private network) for accessing its resources, the use of public platforms may result in loss of confidential data.

  • A VPN is a private network that uses a public network (usually the Internet) to connect remote sites or users together.

Vulnerability of video conferencing apps:

  • Recently, the popular video conferencing app Zoom, which can add up to 100 participants in a call, has come across as vulnerable. 
  • As the meeting ID can be shared through a link, on screen and other mediums, uninvited guests can also join a meeting and gain access to sensitive information.
  • When one uses Zoom, it seeks permission for accessing the user’s microphone, web-cam and data storage. 
  • This can result in hijacking and loss of private data. 
  • Users may also experience ‘Zoomraiding’ or ‘Zoombombing’ in which hate speech, pornography or other content is suddenly flashed by disrupting a video call on Zoom.
  • The Computer Emergency Response Team-India (CERT-In) circulated a ‘vulnerability note’ recently, giving Zoom a ‘medium’ security rating.

Advisory of the Interpol:

  • In guidelines for law-enforcement agencies recently, Interpol warned about the emerging trend of false or misleading advertisements about medical products, setting up of fraudulent e-commerce platforms, phishing etc during the pandemic.
  • It has recommended that people avoid opening suspicious emails and clicking links in unrecognised emails and attachments, backup files regularly, use strong passwords, keep software updated and manage social media settings and review privacy/security settings. 
  • Cyber experts also recommend the use of ‘https’ protocol for secure financial transactions.
  • Legal provisions: The computer-related wrongs covered under the IT Act, 2000, liable for penalty and compensation, and criminal liability in appropriate cases.

Therefore, it is important to be cautious while using such free apps for confidential meetings, or to use organisational infrastructure for such meetings. The public network can still be used for accessing critical applications, provided authentication, access control and integrity of data are ensured through VPN or other options.

Types of Cyber Attacks

  • Malware stands for malicious software, refers to any kind of software that is designed to cause damage to a single computer, server, or computer network. 

Ex: Ransomware, Pegasus(Spyware), Worms, viruses, and Trojans are all varieties of malware.

  • Phishing: It is the method of trying to gather personal information using deceptive e-mails and websites.
  • Denial of Service attacks: A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users. 
    • DoS attacks accomplish this by flooding the target with traffic, or sending it information that triggers a crash.

Latest Cases:

  • Pegasus(2019): It is a Israeli made spyware that works by sending an exploit link, and if the target user clicks on the link, the malware or the code that allows the surveillance is installed on the user’s phone. 
  • WannaCry(2017): The ransomware locked user’s devices and prevented them from accessing data and software until a certain ransom was paid to the criminals. Top five cities in India (Kolkata, Delhi, Bhubaneswar, Pune and Mumbai) got impacted due to it.

Laws related to Cyber Security in India:

Information Technology Act, 2000:

  • The act lists down following as offences:
    • Tampering with computer source documents.
    • Hacking with computer system
    • Act of cyber terrorism i.e. accessing a protected system with the intention of threatening the unity, integrity, sovereignty or security of country.
    • Cheating using computer resources etc.
  • The act regulates use of computers, computer systems, computer networks and also data and information in electronic format.

National Cyber Policy, 2013:

  • It aims to 
    • create a secure cyber ecosystem.
    • create mechanisms for security threats and responses to the same through national systems and processes.
      • National Computer Emergency Response Team (CERT-in) functions as the nodal agency for coordination of all cyber security efforts, emergency responses, and crisis management.
    • secure e-governance by implementing global best practices, and wider use of Public Key Infrastructure.
    • Provide protection and resilience of critical information infrastructure with the National Critical Information Infrastructure Protection Centre (NCIIPC) operating as the nodal agency.
      • NCIIPC was created under the Information Technology Act, 2000 to secure India’s critical information infrastructure, based in New Delhi.
    • Promote cutting edge research and development of cyber security technology.
    • Build Human Resource Development through education and training programs to build capacity.

Source: https://indianexpress.com/article/explained/cyber-frauds-trying-new-ways-its-important-to-secure-data-accounts/

Image Source: Businessworld