Mounds of financial sector data calls for cyber security ‘enlightenment’
Notwithstanding the recent headwinds from Covid-19, India’s largely consistent economic growth for more than a decade has precipitated an unprecedented expansion of financial services in the country. With rising disposable incomes, more and more Indians are accessing banking, insurance and mutual funds, among others.
The advent and penetration of the internet has further simplified these daily financial tasks. However, in an era of inter-connected world of devices with cyber technology at its core, lack of awareness as well as the prevalence of ill-designed or inadequate security systems is always a challenge.
With 160 crore bank account holders, 32.8 crore life insurance and 47.2 crore health insurance policyholders, 2.78 crore registered investors with stock exchanges and 9.26 crore mutual fund accounts, India has a mammoth financial sector.
The sheer scale generating gigantic volumes of data on a continuous basis renders the sector vulnerable to frauds. As such, a large scale cyber security enlightenment drive is the need of the hour.
Recent data breaches illustrate the risks
Although banks are considered as one of the world's most secure and sophisticated enterprises, banks are becoming a popular target for new-age hackers. Only last year, the RBI had to direct the banks to secure their customer data after reports of 1.3 million credit and debit card data of Indians found to be on sale on the dark net came out.
In another instance back in 2016, 32 lakh debit cards had to be recalled by several banks including State-run SBI on account of data breach. According to the latest RBI report, card and internet frauds, more than doubled to Rs 195 crore in 2019-20 from the previous year. Then last year, Aegon had to investigate a data breach involving 10,000 customers. Then this year, Religare is reported to have faced data leakage of 5 million customers and employees.
The modus operandi of a hacker
In recent times, unscrupulous hackers have evolved ingenious ways using unique and complex arrays of cyber-attacks to get past the ordinary security systems. The hackers are attempting to get hold of sensitive financial information of individuals, either from banking servers or an individual’s personal devices.
Infiltration of smartphones
One of the ways of extracting a person’s financial information is by infiltrating his smartphone with malicious applications. When a user wishes to use an app requiring access credentials, a data-theft overlay mimicking the desired app user interface gets displayed tricking the user to think that he is clicking on the genuine app.
The unsuspecting user goes on to record the details of his access credentials which now get transferred to the hacker who now also has the app under his control.
Deploying banking Trojans
Going a step further, hackers also embed these fake applications with banking Trojans, such as bank bots’ cabarets pink slips intending to attack banks and stock brokerage firms with an eye on making hacking operations easier. These malware lock users using an Active Directory attack further bolting it up with many login attempts. These bots and Trojans are focused on stealing money from the bank accounts.
Phishing is another type of attack which involves the hacker sending an email to the victim claiming to be a trusted sender (like a bank or online shop), or by way of setting up fake websites claiming to be genuine.
A banking Trojan is attached to this email. Once the victim downloads it and opens it, the Trojan activates and steals information.
Retargeting real information from dark web using fake pages
Another method entails hackers first buying real account information in bulk quantities from the dark web and then retargeting those accounts using phishing emails. In such a phishing email, disguised hackers request victim to follow some simple procedures on a web page, which has been deliberately set up by hackers for stealing login information and other important credentials.
Hackers also employ what is known as macro malware which is developed using programs like VB Script programming language used for MS-Word and MS-Excel. Legitimate-looking files are usually sent via phishing email which comprises of malware-infected attachments such as CV by job seekers and cover letter reports in the form of MS Word files.
Even as several advanced antivirus programs claim to detect macro viruses, hackers are trying to stay ahead of the game. Now, malware can comfortably hide within a system for a long time that gives hackers ample time to infect the system of users.
What is the way out?
First, financial institutions must identify micro malware during the initial phase itself with a view to pre-emptively block it. And for individuals, to protect your information and make India’s financial sector secure, some tips are as follows: never open or download any attachments on your device without knowing the context, Invest in a genuine and licensed antivirus software on all your devices, never click suspicious links within an email that claims to contain genuine intimation and abstain from sharing your personal details on social media.
Therefore, in order to mitigate financial risks and to rule out any breach, concerted steps are needed at both macro and micro levels. Banks and financial institutions must invest strategically towards improving cyber security with a view to protect customers as well secure the larger financial architecture of the country. More importantly, ordinary users need to be made aware of these risks.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)