Slightly hassled and with worry in his voice, my Dad nearly gave me a heart attack the other day when he asked me whether he should go to his banks and cancel his ATM/debit cards. He had recently read in the newspaper and heard on TV news of so many bank cards being compromised that his trust in these modern banking technologies waned very fast. While I was able to convince him not to take any drastic action, I could not help worrying about what may be going on in the minds of millions of customers who have trusted the digital medium for their banking needs. Is this really a serious matter of concern? How do we safeguard customers’ interests? How do we brace ourselves for the future?
Let us look at some incidents recently reported in India:
- SBI blocked nearly 6 lakh cards after it found that customers had used these cards at certain malware-affected ATMs
- According to NPCI, fraudulent transactions worth INR 1.3 crore were reported across 19 Indian banks
- Axis Bank recently reported a security breach in its servers to RBI. While financial loss is not yet evident, the breach poses a significant risk to customer security, depending on the kind of breach and the kind of data theft that may have taken place
- Multiple phishing scams have been reported by individual customers whose accounts have been swindled of nearly a lakh of rupees
The situation is much more alarming if we look at the rise in cyber fraud in financial systems across the globe:
- Bangladesh’s central bank recently reported a massive fraud in which its account was swindled of more than $100 million. It seems that the heist was planned for a larger amount (in the billion-dollar range), but early detection helped stop it midway.
- Sri Lanka’s CID reported last year that nearly 40 million SL rupees (1 SL Re ~= 0.5 INR) were fraudulently withdrawn from accounts of a commercial bank by altering computer data, which prima facie is a hacking attack
- JP Morgan reportedly conceded in 2014 that unknown attackers stole the contact information of about 76 million customers
- UK FFA (Financial Fraud Action) reported a financial fraud loss of GBP 755 million in 2015, spread across payment cards, remote banking (primarily digital) and cheques
- The ABA (American Banking Association) Deposit Account survey report 2015 reported $1.9 billion in losses in FY14. Of this, debit card fraud (signature, PIN and ATM combined) accounted for 66% of the losses
- The Kaspersky Lab 2015 Q2 security trend report shows that more than 65% of phishing attacks on banks are distributed among 18 banks worldwide.
However much we may like to, we may not be able to wish these away. The proliferation of digital channels has simplified banking for customers to a large extent and has helped banks optimize their ‘cost to serve’ as well. But on the flip side, it has opened a new channel for fraud. Cyber fraud is increasingly becoming a pandemic globally.
A KPMG 2015 India survey on cyber fraud/crime throws up some interesting statistics:
- The BFSI sector, at 74%, is the top target for cybercrime
- 63% of cybercrime incidents have led to some kind of financial loss
- Profiling of cybercriminals indicates that 56% of incidents had both internal and external perpetrators
A similar 2016 survey done by PwC globally throws up a similar set of interesting data points:
- The financial sector leads the industry sectors at highest risk of economic crime
- Cybercrime is the 2nd most reported economic crime, up from 4th place the year before
Other statistics indicate that, as of August 2015, the average annual cost caused by cybercrime in the United States in FY15 is a little more than $28 million, the highest among all industry sectors.
However, is it all gloom and doom? Thankfully, no! To cheer you up, let’s look at some other interesting statistics:
- As per UK FFA, prevented fraud totaled GBP 1.76 billion in 2015. This was equivalent to GBP 7 in every GBP 10 of attempted fraud being stopped
- ABA survey estimates showed that prevention measures by US banks stopped $11 billion in fraudulent transactions, which is more than 85% by value of all attempted fraudulent transactions
Now, how do we safeguard against this? The challenge is that there is no permanent cure, and the best we can do is follow the age-old adage ‘Prevention is better than cure!’ The nature of prevention depends on the complexity of the fraud. Cyber fraud attacks in the financial services sector broadly fall into the following categories:
- Social engineering (including phishing attacks): This is where a customer is made to believe that he is interacting with an authorized/trusted bank agent or channel (e.g. a website). The data thus obtained from customers can then be used for cloning cards and using those cloned cards for fraudulent transactions. There are many examples of this:
  - A customer gets a call from a so-called ‘bank agent’ and is coaxed into sharing card details (e.g. PIN/CVV), which are then used to withdraw money fraudulently
  - A customer receives an email purportedly from his/her bank providing a link where he is asked to change his password etc. The link takes the customer to a fraudulent website which has a similar look and feel to the original bank website but instead captures the customer’s data to be used for fraudulent transactions
  - Manual interactions where the customer is tricked into sharing his data/information, e.g. offering to help a senior citizen operate his bank card but actually tricking him into sharing his PIN and replacing his card with a fake lookalike
- Malware: This is software developed to infect a computer system/network with the specific purpose of retrieving confidential data, disrupting normal processing, etc. There are various Trojans that are targeted either at common individuals or specifically at senior directors etc. of an organization to trick them into downloading them. Once downloaded, the malware spreads within the system and relays data back either in batches or in real time, depending on its capability, the security mechanisms in place, etc. There can be similar malware for gaining access to your mobile as well, especially on the Android operating system
- Hacking: A hacker is someone with advanced knowledge of computer systems who exploits security vulnerabilities in existing systems to gain unauthorized entry and thus gets access to the data residing in those systems
- POS/ATM: Recently a lot of incidents have been highlighted where malware has been planted in POS/ATM machines. There are also cases of skimmers installed in ATMs by fraudsters. The skimmers record the keyed PINs, which are then used for cloning cards for fraudulent usage.
The above is by no means an exhaustive list, as there are many variants, and new ways are identified every time such an incident is reported.
Now coming to addressing such cyber attacks: there are multiple ways, especially some key do’s and don’ts for any customer/individual.
- Never share confidential data (PIN/CVV etc.) with anyone over any channel except for the purpose it is to be used for (e.g. transacting at an ATM or on an e-commerce site)
- Always transact ‘in person’ rather than sharing data with someone else to transact on your behalf (e.g. giving your PIN to a hotel waiter for billing purposes)
- Avoid using ATMs in unmanned, distant or poorly secured places
- Avoid using cards for transacting on untrusted e-commerce websites etc.
- Don’t open unsolicited mails, especially attachments
For financial services organizations/banks, this is an area which will need a lot more attention. In a distributed system, fraudsters will attack and gain access through the most vulnerable link in the entire chain. So this would mean having proper security systems/software in place, governance in place for such incidents, and more focused investment to secure the network and establish protocols to handle such situations much more judiciously.
To summarize, digital is going to be the key driver of transformation in the financial services space, but as we adopt digital more closely, sufficient time and money will also need to be invested in securing our systems and improving the awareness of individuals/stakeholders within the system, and of the customer as well.
Sources:
- http://www.livemint.com/Opinion/EaKnumhLsdPMBz4j3M7N7K/Why-is-bank-fraud-rising.
- http://timesofindia.indiatimes.com/city/pune/Bank-of-Maha-blocks-34-thousand-cards-over-security-scare/articleshow/55054368.cms
- https://www.statista.com/statistics/193436/average-annual-costs-caused-by-cyber-crime-in-the-us/
- Kaspersky Lab Trend Report Financial Threats Q2_2016
- KPMG Cyber crime survey 2015 (India)
- PwC Global economic crime survey 2016
- UK Fraud Facts (FFA)
- ABA (American Banking Association) website