Friday, February 27, 2015

Cyber Risks

Hyderabad City Police commissioner in a press conference recently revealed that the city police registered 21,035 cyber crime cases in 2014 as against 19,011 in 2013 and 18,744 in 2012. A near ten per cent rise in just two years is a cause for alarm. The rise is attributed to the large scale use of technology and mobile phones.

Social media contributed significantly with the uploading of fake woman profiles, online payment frauds, blackmailing, hacking, skimming, identity theft and data theft etc. The police are trying to use technology again to track and trace the criminals. Global trends are no different although it cannot be a solace.

According to Internetlivstats, 2014 of the UN Population Division, around 40% of the population in the world today has internet facility compared to just one percent in 1995. The number of internet users has increased tenfold from 1999 to 2013.

The first billion was reached in 2005: the second billion in 2010, the third billion in 2014.
In 2014, nearly 75% (2.1 billion) of all internet users in the world (2.8 billion) live in the top 20 countries. The remaining 25% (0.7 billion) is distributed among the other 178 countries, each representing less than 1% of total users. With 17.5% of share of world’s population, India has internet penetration of near 20% compared to 46% in China and 86% in the US with their share in world’s population at 19.19% and 4.45% respectively. This would mean that the impact of any cyber attack would be felt more in India and China than the rest of the world though the volume of resources affected could be large in the countries like the US, Germany, Japan and the USSR in the immediate future.

Javelin’s “2014 Identity Fraud Report” provides a comprehensive analysis of fraud trends in the context of a changing technological and regulatory environment in order to inform consumers, financial institutions and businesses on the most effective means of fraud prevention, detection and resolution. Although the Survey covers only the US, the findings are of consequence to Europe and Asia and in particular India where population using internet and mobile technologies for finance are exponentially increasing.

In 2013, 13.1 million consumers suffered identity fraud – the second highest level on record. Existing card fraud (ECF) became increasingly popular with criminals, contributing to the near record number of identity fraud victims. Password habits, mobile device usage, and social networking on identity fraud reflect the highest incidences with data collection on a longitudinal updates from 2005 to 2013.

Identity frauds were found to be on the increase (Nancy Ozawa, 2014) and these frauds occurred mostly on the transactions through eBay, PayPal and Amazon with the stolen information to make purchases, which are more than just credit card fraud.

“Identity fraud is defined as the unauthorized use of another person’s personal information to achieve illicit financial gain. Identity fraud can range from simply using a stolen payment card account, to making a fraudulent purchase, to taking control of existing accounts or opening new accounts, including mobile phone or utility services.”[1]   The study found that the number of identity fraud incidents increased by 0.5mn consumers over the year 2012 while the dollar amount stolen decreased to $18bn indicating more alertness on the part of the financial institutions. Account takeover frauds accounted for 28% of all identity fraud. Data breaches are noticed to be the biggest risk factor here.

American Bankers’ Association in a recent report quoted Kaspersky Lab, a computer security firm mentioning that a hacker group has stolen as much as $1 billion from banks and other financial companies worldwide since 2013 in an "unprecedented cyber-robbery." The gang targeted as many as 100 banks, e-payment systems, cash dispensers like the ATMs and other financial institutions in 30 countries including the U.S, China and European nations, stealing as much as $10 million in each raid. The criminals detected by Kaspersky infected bank employees' computers with Carbanak malware, which then spread to internal networks and enabled video surveillance of staff. That let fraudsters mimic employee activity to transfer and steal money, according to Kaspersky, which said it has been working with Interpol, Europol and other authorities to uncover the plot.
While many American banks quickly denied the impact on their institutions, even spokesperson for the U.S. Federal Bureau of Investigation in Washington, Paul Bresson, declined to comment on the revelations in the Report. Dough Johnson, senior Vice President of payments and cyber security policy at the ABA said that he has high degree of confidence that the US Banks aren’t somehow denying the Report.

The ABA caution is worth taking note of, for the Indian banks because of the increasing penetration of internet banking through different instruments and routes on one side and penetration with Aadhar card ID for the more vulnerable groups in the Jandhan products and wholly networked payments and settlement solutions:
“U.S. banks ought to take a close look at three things, he said: the way the attackers break into companies (using spear phishing and Carbanak malware); the surveillance and spying they did once they got inside the bank, as well as privilege escalation and the ability to take over legitimate accounts; and their ability to manipulate balances in e-payment and online banking systems.”[2]

Preventive measures should also include: keeping personal data private, opt-in-two-factor authentication wherever it is offered, and saying ‘no’ to Social Security Number (SSN) authentication. Detection measures required that consumers should work in partnership with institutions on identity theft prevention. Aadhar is moving into the social security number status and that worried me.

Resolution involves taking any data breach seriously and to report the problems immediately. Banks should also shed the hypocrisy of always holding defense to whatever they did and take an objective view of breaches to data. Regulatory oversight is also highly critical. The mute question is; does the regulator view these global developments in coordination with the cyber investigation teams of Government of India? If data and files in physical form were stolen, and computer data in defense department also had no exception are banks in India away from them? Public should be made aware of the precautions in a more penetrative manner.

[1] Javelin Strategy & Research, Pleasanton,  a department of Greenwich Associates CA, USA, February 2014.