How Not To Be Hacked

Samir Rakshit · Published in Rakshit’s · Feb 10, 2020

[This blog will be moved to https://storysangam.com/how-not-to-be-hacked/]

It’s becoming very common to get a call that some fraudster has compromised a person’s card online: “My money is gone!” With online shopping and the Government of India’s Digital India push, people across the board now commonly use credit/debit cards and netbanking along with UPI, and install all kinds of software on their mobiles. So let’s be aware of how easily our credit/debit card can be compromised and money siphoned off by creating a PANIC/HURRIED situation, what we can do to protect ourselves, and how to respond to reduce our liability.

How Are We Hacked?

Phishing emails, calls and SMS [creating a PANIC/HURRIED/attractive-offer situation] are the main ways common people are deceived into being hacked.

Before clicking on unknown links in an email/SMS, look for the symptoms (example marked in the red box) shown in Figure 1, a phishing email:

  1. Did you receive the email from the correct source? In this example, the From address should be at norton.com or another domain belonging to Norton or Symantec.
  2. Without clicking the button, hover your mouse over the button/link (or right-click and Copy Link Address) and see where it points. In this example you can see it does not point to any Norton/Symantec domain but to some random domain.
Figure-1: Phishing email
Figure-2: Phishing SMS
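The two checks above as a small script, added here as an example (not part of the original post): it parses a constructed sample email, compares the From domain against the domains the email claims to come from (the post’s Norton/Symantec example is assumed as the trusted set), and lists every link whose target domain is not one of them, which is exactly what hovering over the button reveals.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the message claims to come from (assumption: the post's Norton/Symantec example).
TRUSTED_DOMAINS = {"norton.com", "symantec.com"}

# Constructed sample message mimicking the post's phishing example; not a real email.
SAMPLE_EMAIL = """\
From: Norton Support <billing@norton-secure-renewal.example>
Subject: Your subscription expires in 10 minutes!
Content-Type: text/html

<html><body>
<p>Renew now or lose protection.</p>
<a href="http://renew-now.example/login">Renew Subscription</a>
<a href="https://www.norton.com/help">Help</a>
</body></html>
"""


def domain_is_trusted(host, trusted=TRUSTED_DOMAINS):
    """True if host is a trusted domain or a subdomain of one (norton.com.evil.example is not)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_email(raw, trusted=TRUSTED_DOMAINS):
    """Check 1: is the sender domain trusted? Check 2: which links point elsewhere?"""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2]
    findings = {
        "sender_domain": sender_domain,
        "sender_trusted": domain_is_trusted(sender_domain, trusted),
        "suspicious_links": [],
    }
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    # Same as hovering over the button: look at the real href target, not the button text.
    for href in re.findall(r'href=["\']([^"\']+)["\']', body, flags=re.I):
        host = urlparse(href).hostname or ""
        if not domain_is_trusted(host, trusted):
            findings["suspicious_links"].append(href)
    return findings


if __name__ == "__main__":
    print(check_email(SAMPLE_EMAIL))
```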

People sometimes receive an SMS (sent in bulk to many people) saying their bank a/c or card will be blocked in a few minutes if they don’t update some KYC details like PAN etc. The SMS has a link to a fake site imitating the bank; if someone uses it, the scammers collect the customer ID, netbanking password etc. In the next step the scammer uses those credentials to log in to the banking site and start a fund transfer. As they need an OTP for the fund transfer, they use social engineering techniques to collect the OTP from the user. That’s how the money gets transferred to the scammer’s a/c.

3. Further to the above, before clicking on any link in an email/SMS, check online whether the link is malicious at https://www.virustotal.com/, as shown in the figure below:

Figure-3: Check any link to find if it’s malicious or not

Card security, Mobile security, Fraud in Online transactions:

Most of us have a big misconception that any online transaction would require you to enter an OTP! No, the OTP for online transactions is a guideline given by the RBI (Reserve Bank of India) for India. An OTP is not required when the online transaction is done on an overseas/foreign website!

Now you would still ask me: what about the CVV number? Yes, when you hand over your card so casually to so many vendors, have you ever noticed how easy it is for anyone to copy your card number, CVV, even your PIN? Don’t believe me?

Try it yourself. We have CCTV cameras everywhere, so how many seconds does it take for a person to hold the card within view of a CCTV camera? And a majority of card users don’t even try to hide the PIN while entering it at an ATM/PoS! Isn’t it?

Now, if the card reader has a card skimmer, you have lost everything and are in for bigger trouble!

Mainly it is gangs that carry out this kind of fraudulent activity, but any other person you hand your card to can also do so!

Now, the person concerned would use your card on an online website outside India, which does not require an OTP. And in the skimming-machine case, it’s more dangerous than you think!

The other modus operandi is to create a PANIC/HURRIED situation, an ATTRACTIVE OFFER, or an EASY/EXTREMELY HELPFUL scenario, using social engineering techniques to make you do some transaction or install some software to “resolve” an issue: say, removing a virus from your computer because it is generating malicious requests, helping a customer pay utility bills or school fees, a (fake) police call asking you to install software, a job offer, a marriage proposal etc. In all these scenarios a PANIC, HURRIED, UNBELIEVABLY ATTRACTIVE offer/proposal/business/job/relationship/scenario etc. is created, as if you don’t take these actions within a few minutes then YOU WILL BE IN TROUBLE or the OFFER IS CLOSED!

How Not To Be Hacked?

Are there simple steps everyone can follow to be safe? My answer is a big “Yes”:

Don’t call an unknown personal number or click on an unknown link to avail any government or private facility! Clarify with the official call center only! Just remember: creating a PANIC/HURRIED situation is the common tactic used in most fraud!

  1. First things first, enable the bank’s SMS notification service. Please don’t have so many cards that you can’t track them! It’s good to use only one card, with a limited usage limit, for PoS (Point of Sale machines where you swipe your card) transactions!
  2. Once you have the card, memorize the CVV number and scratch out one or more digits of the CVV from the card!
  3. Now, log in to netbanking and change the International/Domestic usage limit, and disable NFC transactions (this disallows use of your card without swiping it on a PoS machine).
Figure-4: The lowest card usage limit ensures the least damage in the case of any breach

4. Next time you enter the PIN for your card at an ATM, PoS terminal or in your UPI app, please make sure you hide it from others. Are you really doing that religiously? :)

5. Don’t do online transactions on any website that is not reputed or doesn’t have https.

6. For financial websites (like netbanking), use an email address that you don’t share with anyone and keep a strong password that you have never used on another website. One easy technique to create a strong password is to build it from a song, place and day you have in mind. Say, IHaveADream#Delhi2

7. Don’t do online transactions or netbanking from a device that is used by many people and does not have good anti-virus s/w installed and regularly updated.

8. Make sure you update the device with recent s/w updates, browser updates etc.

9. If you are downloading an app, always do it from the AppStore/Google Play Store/Microsoft Store etc., not from any link/.apk file etc. Even when downloading from the AppStore/Google Play Store/Microsoft Store, please read the description, user reviews, number of downloads etc. to make sure you are safe. A major way people get defrauded is through fake apps imitating reputed brands!

10. Avoid doing anything online (payment, installing software, logging in to netbanking etc.) in a panic or hurried scenario where, if you don’t act within a few minutes, you would be in SERIOUS TROUBLE! Remember, even if you don’t pay your credit card bill or electricity bill on the last day/after the due date NOTHING SERIOUS IS GOING TO HAPPEN (maybe a little late fee) but such malicious people make you feel the whole world will turn upside down!

Now, say someone was unaware of all the above points and their money was siphoned off. What do we do? :(

How can a victim reduce liability in case of Cyber fraud?

Look at the back of your card for the bank’s 24/7 call center number and immediately report the breach, block the card and ask for a refund as per the RBI guideline. Do take the reference number/acknowledgement number for tracking. Your complaint has to be resolved within 90 days.

Figure-5: RBI guidelines for fraudulent transactions, customer liability and how to limit your loss

Report the incident here: https://cybervolunteer.mha.gov.in/Default.aspx

Helpline number 155260 has been changed to 1930. In case of cyber fraud, please register a complaint at http://cybercrime.gov.in and take assistance on helpline no. 1930.

And also report to local cyber police station if possible!

Twitter: https://twitter.com/rakshitmca

References:

  1. How credit card data is stolen by websites: https://www.darkreading.com/attacks-breaches/criminals-use-one-line-of-code-to-steal-card-data-from-e-commerce-sites/d/d-id/1334173
  2. Customer Liability in Unauthorised Electronic Banking Transactions: https://m.rbi.org.in/commonperson/English/Scripts/SMSLimitedliability.aspx
  3. Customer Protection — Limiting Liability of Customers in Unauthorised Electronic Payment Transactions: https://www.rbi.org.in/Scripts/NotificationUser.aspx?Id=11446
