The bait isn’t fishy at the outset. You’ve got mail from the customer support department of your bank saying your account has been compromised. All it takes to protect it from further fraudulent activity is the click of a mouse.
A link takes you to a site that looks exactly like your bank’s home page. The ‘verification system’ requires that you fill in your account details — only to ensure that only rightful account holders operate it, of course. You’ve just fallen hook, line and sinker in the phishing net.
And you are not alone. The Indian Computer Emergency Response Team (CERT-In), Ministry of Communications and Information Technology, the nodal investigative agency for computer-security incidents, has received 200 phishing complaints this year. The big boys of Indian banking, State Bank of India, ICICI Bank and UTI Bank, are among those targeted, alongside global majors Citibank and ABN Amro.
On December 15, the Economic Offences Wing of the Delhi Police arrested five Nigerians who were allegedly running a phishing site that used the UTI logo and had duped over 30 victims.
In the last week of November, Punjab Police arrested Harpeet Chauhan, Nigerian Sunny Gene Onwaka, Narendra Kumar and Ravi Chauhan in Jalandhar on charges of creating a cloned ICICI web-page asking the bank’s customers to update their details, for ‘security upgrades’.
The State Bank of India also reported a phishing attempt in November. Bank authorities say there has been no financial loss to the bank. “Phishers solicit personal information through a mail, promising an incentive or threatening action. We have filed a complaint with the appropriate authority, which is investigating the matter. Customer awareness is the only protection against phishing. To educate consumers against the fraud, we have put elaborate do’s and don’ts on our website,” says an SBI official.
Although there is no specific legislation in India pertaining to phishing, in a landmark judgment, delivered in March last year, the Delhi High Court declared phishing on the Net to be illegal.
The Court defined phishing as “a misrepresentation leading to confusion as to the source and origin of the e-mail causing immense harm not only to the consumer but even to the person whose name, identity or password is misused”. After the judgment, the defendants paid Rs 16 lakh as damages for allegedly sending mails to job applicants in the name of Nasscom.
Phishing is a form of social engineering through which malicious users convince ordinary users to divulge personal information, says CERT director Dr Gulshan Rai. “The phisher tries to persuade you to click on a link that takes you to a site where you are driven to log in and verify your account information. Most phishing mails scare users with warning messages like ‘your account has been suspended, please login and verify your address’. People end up revealing their bank accounts, passwords and, in the West, even social security numbers,” says Rai.
In the case of a leading nationalised bank, the victims were Indian, the web server hosted in the United States and the details of the users going to a machine in the Czech Republic. On getting such complaints, CERT experts home in on the location of the malicious page, the IP address hosting it and the network service provider. “We write to service providers urging them to shut down the site. If it is hosted on an Indian ISP, they respond quickly. If, on the other hand, the server is abroad, we seek the assistance of other CERTs across the globe,” explains Rai.
The way out
To minimise the impact of phishing attempts, banks are putting their own safety measures in place, says Madhabi Puri Buch, 40, group chief officer and head of operations, ICICI Bank. “The trick is to make life tougher for fraudsters. To challenge their response mechanism, beyond asking for the user id and password we employ double-factor authentication. For instance, we ask the respondent to type the fourteenth digit on his debit card. Subsequently, we ask him a number in a particular cell on the grid behind the card. Finally, if the fraudster tries a third party funds transfer from your account, our consumers get an immediate alert on their mobile phones,” she says.
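The challenge-response scheme Buch describes (a randomly chosen card digit plus a randomly chosen grid cell, checked only after the password) can be sketched in a few dozen lines. The code below is an added illustration written for this page, not ICICI Bank’s system or code; the `GridCardAuthenticator` class, its hashing scheme, the lockout threshold, the grid values and the card number are all constructed for the example. The point it makes is the one in the quote: a phisher who has captured the user id and password, or even one earlier answer pair, still fails a fresh challenge, and repeated wrong answers lock the factor.

```python
import hashlib
import hmac
import secrets

# Constructed sample grid card (5 rows x 5 columns of two-digit values).
# A bank would print such a grid on the back of the debit card; these
# values are invented for the example.
SAMPLE_GRID = [
    ["27", "13", "84", "56", "91"],
    ["40", "72", "08", "35", "69"],
    ["18", "95", "61", "24", "77"],
    ["53", "06", "39", "88", "12"],
    ["64", "21", "47", "90", "33"],
]

# Constructed sample 16-digit card number (not a real card).
SAMPLE_CARD_NUMBER = "4000123456789010"

# Hypothetical policy: lock the second factor after this many failures.
MAX_ATTEMPTS = 3


class GridCardAuthenticator:
    """Hypothetical second-factor check layered on top of a password login.

    Cell values are stored as keyed hashes so a leaked database does not
    reveal the grid, and every login gets a fresh random challenge so a
    single captured answer cannot simply be replayed.
    """

    def __init__(self, card_number: str, grid: list[list[str]], pepper: bytes):
        self.pepper = pepper
        self.card_number = card_number
        self.rows = len(grid)
        self.cols = len(grid[0])
        # Keep an HMAC of each cell, bound to its position, not the value itself.
        self.cell_hashes = {
            (r, c): self._hash(f"{r},{c}:{grid[r][c]}")
            for r in range(self.rows)
            for c in range(self.cols)
        }
        self.failed_attempts = 0
        self.locked = False

    def _hash(self, value: str) -> bytes:
        return hmac.new(self.pepper, value.encode(), hashlib.sha256).digest()

    def new_challenge(self) -> dict:
        """Pick a random card-digit position (0-based) and a random grid cell."""
        return {
            "digit_index": secrets.randbelow(len(self.card_number)),
            "row": secrets.randbelow(self.rows),
            "col": secrets.randbelow(self.cols),
        }

    def verify(self, challenge: dict, digit: str, cell_value: str) -> bool:
        """Return True only if both answers match the challenge that was issued."""
        if self.locked:
            return False
        i = challenge["digit_index"]
        r, c = challenge["row"], challenge["col"]
        # Constant-time comparisons so timing does not leak which part was wrong.
        digit_ok = hmac.compare_digest(self.card_number[i].encode(), digit.encode())
        cell_ok = hmac.compare_digest(
            self.cell_hashes[(r, c)], self._hash(f"{r},{c}:{cell_value}")
        )
        if digit_ok and cell_ok:
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_ATTEMPTS:
            self.locked = True
        return False


def legitimate_login(auth: GridCardAuthenticator, challenge: dict) -> bool:
    """The real cardholder reads both answers off the physical card."""
    digit = SAMPLE_CARD_NUMBER[challenge["digit_index"]]
    cell = SAMPLE_GRID[challenge["row"]][challenge["col"]]
    return auth.verify(challenge, digit, cell)


if __name__ == "__main__":
    auth = GridCardAuthenticator(SAMPLE_CARD_NUMBER, SAMPLE_GRID, b"example-pepper")
    challenge = auth.new_challenge()
    print("cardholder:", legitimate_login(auth, challenge))
    # Someone holding only a previously captured answer pair gets a new challenge.
    print("replayed answers:", auth.verify(auth.new_challenge(), "0", "24"))
```

Because the challenge is drawn afresh each time, a cloned login page that harvests one answer pair gets data that is useless against the next challenge; the lockout turns the remaining guessing space into a handful of tries rather than an unbounded search.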
Citibank was the first to introduce the Online Virtual Keyboard login screen in India, says Pradeep Sekar, vice-president and Head, Information Security, Citigroup India. “By allowing customers to use the mouse instead of the keyboard to enter their password information, the virtual keyboard protects against malicious ‘Spy Ware’ and ‘Trojan Programs’ designed to capture keystrokes and thus reveal secret passwords. Our recent introduction of the Online Authentication Code (OAC) for third-party transactions also protects the customer from malicious elements. By verifying ownership of something more than the Internet banking account, it ensures that phishers can’t misuse an account even if they obtain the password by malicious means.”
“As a matter of policy we don’t seek personal information from customers through e-mails. We have advised our customers not to respond to such mails. Compromising username and passwords can cause financial loss as the phisher will use the genuine user’s rights to effect a transaction. It is like keeping signed blank cheques in open drawers, without a lock,” sums up V.K. Ramani, President, IT, UTI Bank.
It takes just a little bait, sorry… bit of caution to net a virtual shark. And there are thousands of them lurking on the World Wide Web.
(with inputs from Abhishek Bhalla)