Study: Banks See Surge in Cyber Fraud
Fraudsters Take Advantage of New Tech, Poor Awareness
As more Indians take to online transactions leveraging the National Electronic Fund Transfer and real-time gross settlement platforms, and move to mobile banking, the number of cyber fraud incidents is surging substantially, according to a new study by the Associated Chambers of Commerce of India and PricewaterhouseCoopers.
The study, Current Fraud Trends in the Financial Sector, says whether it's financial transactions, customer experience, marketing of new products or channel distribution, technology has become the biggest driver of change in the financial services sector.
The study accounts for $12.6 million worth of cyber fraud cases reported to the Reserve Bank of India during 2014/2015 - an amount that is said to be higher than in previous years.
According to RBI, out of 589 million total bank account holders, about 22 million use mobile banking applications. The volume of mobile transactions has jumped from $286.8 million in 2011/2012 to $1.6 billion in 2014/2015. Incidents of mobile fraud, meanwhile, jumped from less than $1.5 million in 2011/2012 to about $11 million in 2014/2015.
One of the reasons cited for the spike: the new technologies adopted by financial institutions, making them increasingly vulnerable to various risks such as phishing, identity theft, card skimming, vishing, SMSishing, malware, social engineering, website cloning and cyberstalking.
Another reason cited is the rise of the technology-savvy younger generation that is taking to mobile and online transactions, as financial institutions become eager to tap into this new market by offering services and products tailored to their requirements.
However, security leaders say the increase in reported cyber fraud incidents is due to a lack of awareness among users about adhering to the security guidelines prescribed by banks and other financial institutions.
Mumbai-based Dinesh Pillai, CEO of Mahindra Special Services Group and a member of the government's Cyber Security Task Force, says, "While lack of awareness among customers in understanding the nuances of online transactions is a primary reason, there exists a security gap spread across the spectrum of people, process and technology. Every component here has several stand-alone and interconnected vulnerabilities."
Fraud, Security Landscape
The report notes that some of the major forms of fraud in the banking sector include documentation frauds, diversion of funds, identity theft and cyber-related theft directly targeting customers.
The associated risks are money laundering, increases in black money and loan loss due to lack of an appropriate monitoring process. The major challenge has been the exposure of customers to the risk of bank spoofing, hijacking of mobile phones and SIM card cloning.
Commenting on the trends, Mumbai-based Sameer Ratolikar, CISO of HDFC Bank, sees a big rise in card skimming, vishing and cloning activities.
"I see approximately a 5 to 10 percent growth in skimming and phishing-related activity on a quarterly basis," Ratolikar says. "Despite having security controls and authentication tools in place to enable customers to conduct secured transactions, discrepancies exist at the user level."
The challenge, Pillai explains, is that there are two types of fraudsters: those who try to make a quick buck, and those who are more focused on sustained benefits. "The first group mainly targets customers and manipulates them to get vital information and then use it to gain access and commit the fraud," Pillai says. "However, the second group, which scouts to manipulate people, targets the IT weakness to break in and commit [crimes] that affect multiple people and result in a bigger fraud."
According to Pillai, fraudsters do not necessarily exploit any technology vulnerability in the systems; they target lack of awareness among people.
While there have been several regulatory guidelines by the RBI and other bodies in fraud prevention and detection, security leaders believe that it is important to enhance internal processes, controls and fraud risk management frameworks to minimize opportunities for fraud, as well as reduce detection time.
The study recommends three lines of defence:
- Governance, involving key stakeholders, including the boards and senior management, in building awareness culture, training and security hygiene;
- Operations to deploy core process components, and monitoring systems to prevent frauds;
- New monitoring and testing standards.
In addition to those three layers of defence, Ratolikar calls for a risk-based authentication mechanism, as well as sensitizing employees and users to the ill-effects of not adhering to security guidelines.
Experts also recommend mapping mobile applications to the device, which they say would prove beneficial in preventing fraudulent transactions.
Given that, at any point in time, the perpetrators of fraud will be ahead of defenders, Pillai argues that banks should take a multi-pronged approach to enhance security by creating a robust reporting mechanism and risk monitoring systems to detect abnormal transactions.
"One way is to deploy a real-time, analytics-based security infrastructure, besides expediting trials from the legal side to establish accountability based on the facts of the case," Pillai says.
Ratolikar notes: "Banks need to ensure their back-end platform is robust and secure and tested against major vulnerabilities before launching any service."