Beware of e-Natwarlals
For now, we have only taken the first step against networked Natwarlals by making the PIN mandatory for internet transactions. There’s some safety in numbers. Pratik Kanjilal writes.
Updated: Jul 31, 2009 23:28 IST
It’s such a pity that Natwarlal has died twice over, 13 years apart. His brother cremated him in 1996 and his lawyer announced his death last Saturday. It’s a wonderful death, mystifying the police all over again. But his passing is a pity nevertheless, because the golden age of the masters of deception is just dawning.
Last autumn was a watershed in the history of identity fraud, with a record 21 per cent increase in global incidence. Credit card fraud, its most lucrative subset, is now worth several billion dollars to international crime syndicates. The Reserve Bank of India (RBI), historically slow in such matters, has finally moved to protect our 35 crore cardholders from this global crime wave. From today, you can’t make an Internet transaction without a PIN (personal identification number) or a banking password.
Like rape, identity fraud tends to be under-reported. But at least Rs 25-30 crore is being snarfed by the ungodly every year from the Indian banking system. The new technology for hooking dupes is phishing, a form of digital diddling in which fake emails sent from familiar addresses are used to lure people to sign on at copies of well-known Websites, and type in their credit card details.
Social networking has made this easier than ever before and a hacked Facebook account, from where a scam can be launched using the friends list, now sells for Rs 30. Card data is more expensive at Rs 50 to Rs 5,000 per card, depending on the kind of card, its credit limit and the freshness of the catch. Indeed, shopping for phished data is much like buying fish. When criminals target particular high net worth individuals, it’s called ‘spear phishing’. When they go for really big fish like an Ambani or a Rajnikanth, it’s called ‘whaling’.
The RBI directive will save us from being whaled or guppied on the Net, according to our financial standing, but it does not address offline fraud. The magnetic stripe credit cards we use can be cloned by anyone who swipes your card out of sight. Even a crooked waiter could do it, using technology freely available on the Net. In fact, the output device is the machine hotels use to code the plastic key to your room.
Magstripe cards are becoming history. Britain, for instance, instituted Chip and PIN technology in 2004. It requires buyers to insert a smart card into the card reader with their own hands and punch in their PIN, which is checked instantly against the contents of the card. The seller is hands-off, making fraud much more difficult. But not impossible. British cheats are stealing PINs as they are punched in, using pinhole cameras (appropriately enough!) and circuits embedded in card readers, and are stealing several hundred million pounds per year. But experiences vary — France has used similar technology to cut fraud by 80 per cent.
In India, where plastic money is proliferating rapidly, we should move on from magstripe cards. And internet fraud calls for public education, because it can be difficult for a user to tell a phishing site from a legit entity. For now, we have only taken the first step against networked Natwarlals by making the PIN mandatory for internet transactions. There’s some safety in numbers.
Pratik Kanjilal is publisher of The Little Magazine. (The views expressed by the author are personal.)