My wife foiled a cybercrime !

Statutory WarningRedRidingHood (2)

Living in the Digital Age is like being Red Riding Hood —-‘Enjoy the lovely forest, but watch out for the big bad wolf!’ Well, Anu was Red Riding Hood last week.

Thieves at our doorstep

That afternoon, a lady from the “Card Company” phoned Anu. Good news, she had been awarded Bonus Points worth Rs.4900, could she validate some details before they accounted it? Now, Anu knew that her debit card had no bonus scheme and she had no credit card either. Anyway as an accountant’s wife, she knew there were no free lunches, ever. By now, the TRUECALLER App in her phone (which my son had thoughtfully installed) indicated an unidentified Uttar Pradesh number.

“What Card?” demanded Anu. The lady at the other end was vague: Master Visa Card, she mumbled. Both? This was suspicious! When Anu stood her ground, she broke into Hindi. So Anu stood her ground, this time in Hindi: “Kaunsa card, hmm?” She immediately passed the phone to her “supervisor” who spoke good English. While the “supervisor” spoke, Anu heard the original lady tell him in sotto voce “ICICI Bank mey yeh number nahi enter ho raha hai!” So, the spammers were Phishing (Vishing, to be exact)— for Anu’s name and/or Bank account!

Anu thwarts them

As Anu contemplated her counter attack, an incoming call cut in. This was from the Bank. Mrs. Anu, are you trying to do a transaction for Rs.4900 through your Debit Card? When Anu said NO, the Bank lady said, we are disabling your Debit Card this minute, because it has been compromised; we will issue a new card within 2 days. Anu broke into a sweat now, but Little Red Riding Hood had vanquished the Big Bad Wolf, with a little help from the Hunter!fraud

Our friendly Banker helps

That evening the Bank Manager came home and I did some CID-style interrogation. He was a nice fellow and he gave us some dope on the modus operandi. Anu never gave financial details to anyone, and the card was safely in her possession; she always transacts through secure payment gateways and uses OTPs. So how could anyone connect her card number to her cell-phone number? The Manager thinks she could have registered her phone number in some retailer’s site (though Anu cannot remember doing so); that site could have been hacked. There are crime syndicates which have a large database of stolen links and their operatives patiently phish till a sucker swallows the bait. The choice of Rs.4900 was significant — because when the transaction exceeds Rs.4999 the retailer would ask for a CVV number, which our thieves cannot produce, since the card is not with them!

I learnt that banks  spend more than 25% of their IT budget on Security and Fraud Detection systems. The thieves had hoped to succeed by attempting a transaction below Rs.5000 (flying below the radar range). Banks share ‘suspect’ phone numbers internally, and they have triggers to alert when such a number hits their server. Many banks use specialised Intelligence systems that ‘look’ for abnormal transactions; and there are specialist crews monitoring the systems. Which is why Anu’s Bank acted swiftly. Boy, am I grateful to them!

But who can change Karma?

Before leaving, the Manager offered Anu a free upgrade to their Luxury Debit Card. So what was special? He said, for example madam, it has a Bonus Point Scheme… Ayyo Ramaa, not again!

Notes
For practical information on Phishing, Vishing and Smishing, I found the following sites useful:
http://www.hdfcbank.com/security/beware_of_frauds/phishing_fraud
https://www.onlinesbi.com/aboutphishing.html
Advertisements

4 thoughts on “My wife foiled a cybercrime !

  1. Sir I can’t believe this. The same thing happened to me from Western UP which I also figured through True Caller. I called the number too but it would not go through. I do a lot of purchase on Amazon and think my data was stolen from there. Their site was comprised sometime back.

    Krishna Sent from my iPhone

    >

  2. I am not surprised that your call to the Voice Phishing cell number did not go through. Our Bank Manager tried to call back the numbers in previous cases. Once he succeeded: and was cursed in the choicest Hindi Gaali (abusive language). I am told that his bank gets 4 to 6 complaints every month. These are reported cases; I guess many more may have gone unreported.

  3. Since I run a payment system in India I have to weigh in.

    1) India has the most secure card payment system. Every transaction has to be authenticated with a PIN, the CVV and a Second Factor Authentication. Visa calls it Verified By Visa and Mastercard calls it MasterCard 3D Secure, Amex calls is Amex SecureKey. 2FA works either with a password, or an OTP, or your internet banking password.

    2) Banks have to mandatorily enable 2FA. In the United Kingdom 2FA is optional and depends on the issuer bank.

    3) In Anu’s case it is not that CVV is not mandatory for a transaction of less than Rs 5000. 2FA and CVV are mandatory regardless of transaction value.

    4) In her case the next step would have been to ask for the OTP generated by the bank for 2FA. With that the scam is complete. Luckily the bank intervened, because the bank would have detected the IP address from which the card debit was being attempted, and called her (since a number of private banks restrict the device from which you are using the service).

    5) Most Internet banking frauds happen in India because of gullibility. An authoritative sounding voice calls and asks for the OTP. People readily give it. Dont.

  4. Thanks a lot, Ravi. Coming from a Dada in the industry, your comments are very reassuring. (For the benefit of the readers: Ravi is the CEO of Empays Systems which is a pioneer in the Instant Money Transfer business in India — where Security is everything!)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s