SIM Swapping: Phishing for OTP

Cyber crime for illicit profit is one of the major areas of concern as far as citizen safety is concerned. Cyber criminals apply all sorts of means and measures to get at the hard-earned money of unsuspecting victims. They target large databases to get vital personal information about the intended victim or victims. Take the example of the servers of large banks. Such servers hold vast amounts of information on numerous customers. Highly trained and dedicated hackers start this crime. They hack their way into such large data stores; the security measures adopted and firewalls installed often prove inadequate to prevent these hackers from gaining access.

Once inside, they copy all the available data and exit the domain. This is vital data on future targets. Imagine that a hacker hacks your bank's server and steals your information stored there: what type of information will he possess? He will have your name, age, address, email ID, mobile number, account details, debit card details and many more such details. Once the hackers have this, they proceed to sell this cache of personal information on a huge number of account holders to lower-level cyber thugs. In fact, a few months ago the Delhi Police busted a racket of fraudsters who were selling account holders' personal information at a throwaway price of 10 Paisa per individual detail! It was eventually found that a gang of ruthless hackers had hacked many private bank servers in India and stolen the details of over 1 Crore account holders!

When this information reaches the lower-level cyber thugs, they have all the data about the concerned individual, his account and his debit/ATM card, but lack one vital piece of information: the PASSWORD. To defraud the victim they ultimately need this vital piece of information, and they can get it only from the concerned person himself/herself. They therefore target the concerned person with a Phishing attack.

If they need to withdraw or transfer money from the person's online banking account, they need the password. So they make a call to the victim and, being already armed with a large amount of data, they coax and trap the concerned person and eventually get him/her to divulge the password. However, if they just want to transfer the money from the individual's account to a mobile wallet, or want to do online shopping with the victim's money, they need the One Time Password (OTP). This they can obtain either by a Phishing call to the victim as described above, or by resorting to a tactic called SIM swapping. In this case they get the OTP directly on their device. How this works is described below.

The OTP is generated for a particular fund transfer or purchase and sent to the registered mobile of the customer. The technological fact is that there can be no two active SIM cards bearing the same number. So to obtain the OTP on their device the cyber criminals deploy an easy but devious scheme. They approach a police station with a written complaint about a missing mobile phone, reported as either lost or stolen. On this they display the name and mobile number of the victim. From the police station they merely get a receipt for their complaint, duly signed and stamped by the Police. This they take to the concerned service provider's SIM dealer. Producing the signed and stamped complaint, they get a fresh SIM card activated bearing the same number as that of the victim. This is generally done in the late evening hours. As there cannot be two SIMs with the same number, once the fraudsters' SIM is activated the original SIM with the victim shuts down. A message which reads "SIM card registration failed" flashes on the victim's screen. As it is late evening or night by then, the victim feels that there is a problem in the network and leaves the issue unattended till the morning.

When the same problem persists the next day, he inquires at or visits the service provider's outlet. There his temporarily shut down SIM is reactivated. That is when he gets a series of messages about the money transferred from his account to various online shopping sites or mobile wallets. The cyber criminals have cleverly got his number activated on their device, received the OTP on it and proceeded to commit the online shopping or online wallet fraud.

The best way to deal with this crime is to regularly check the network connection on one's mobile. If there is a message which says anything regarding SIM card registration or the like, it must be taken seriously by the concerned person. The service provider must be contacted from an alternate phone to sort out the problem. In the meantime the bank may also be instructed to block the card and payments and transfers from it immediately. For these actions to be taken, it is imperative that all citizens have the helpline numbers of the Bank and Service Providers conveniently stored for easy retrieval and use at all times. Other than this precaution there is precious little that an individual customer can do to save himself/herself from such an attack. The onus for the safety of users lies squarely with the police (not to give a receipt on such complaints without verification) and with the service providers (not to issue a duplicate SIM at the drop of a hat).


