Nibbling away into your bank account, salami attackers cart away a fortune
A ‘salami’ might sound an innocuous term in the culinary sense. When it comes to cybercrime, a ‘salami’ is a dreaded attack which even the victims are hardly aware of. Like a salami slice, a hacker slices away small sums of money from multiple accounts on a daily basis. By the time the victims realise that they are being ‘sliced’, too little can be done or it’s already too late.
The article by Kiran Parashar KM and Akram Mohammed was published in New Indian Express on October 25, 2017.
This is among the various strategies allegedly used by some bank employees, working in cahoots with persons in telecom companies, to defraud customers of their savings. Cyber crime police, who have arrested several bank employees in the past in similar cases, warn that throwing caution to the wind while banking online or responding to calls claiming to be from banks could land you in serious financial trouble.
What’s shocking is law enforcement agencies have failed to nab the culprits in a majority of such crimes.
Speaking to Express, Shubhamangala Sunil, head, Global Cyber Security Response Team, said that of all the techniques used by bank insiders to siphon off funds, ‘salami attack’ is probably the stealthiest. “Imagine you have Rs 2,75,233 in your account. If someone steals say Rs 3 or 4 from your account every day, would you get an alert? If you did, would you go and complain to the bank that such a small amount is being stolen?” she questioned.
Due to lack of awareness about such threats, a complaint to the bank about such an issue is unlikely to bring any relief to the victim, she said. With time, many new techniques will be discovered by fraudsters and security might not be adequate to thwart all of them, she added.
Pranesh Prakash, Policy Director at the Centre for Internet and Society said the extent of fraud in the financial sector can be decreased “by improving security of financial processes, auditing software for vulnerabilities and fixing them and improving consumer protection laws.” Processes used by banks, both offline and while engaging with customers online and through systems such as Unified Payments Interface, should be improved, he said.
Bad practices
Prakash said that bad practices by different banks, such as preventing right click in password boxes (which curbs positive security practices such as usage of password managers), limiting password lengths, and not supporting software-based OTPs and stronger security like “Universal 2nd Factor”, were also putting customers at risk. Stressing the need for consumer awareness, he said that even if everything works fine on the side of the bank or financial institution, customers commit mistakes, leaving them vulnerable. Therefore, spreading awareness about security best practices and hassle-free insurance to minimise harm to customers is essential, he said. “Bank fraud or any other online fraud is inevitable. We have to ensure that the harms from such fraud are as minimal as possible,” he added.
Insider frauds
While bank fraud cases, both online and offline, are increasing, police are finding the involvement of insiders who exploit loopholes in the banking systems. Sources in the CID-Cyber Crime Cell say there have been multiple cases where there is involvement of at least one bank employee. Digital banking has increased post demonetisation and yet the security features are not enhanced. Two days after police caught two employees of JP Morgan bank who had swindled Rs 12 crore of a US-based client, police express concern over the security and background checks in the banking system as one of the accused had been working for four years with fake documents and on a fake name. An investigating official said the insider shares details of debit/credit cards with the conmen who clone cards for commission.
Banking security
Joint Commissioner of Police (Crime), Satish Kumar N said there is a co-ordination committee of police and Reserve Bank of India. “We share notes about cases of bank fraud and also recommend some security features to be adopted in the banking sector. The meeting is held on a regular basis,” he said. To a question on ‘salami attack’, he said that police have not come across any such complaints yet. “We have been vigilant about cyber related issues,” he added.
WHODUNNIT?
Case 1: June 2017
Vinod Kumar Pacchiyappan, manager of SBI Cards and Payment Services Pvt Ltd, located in Embassy Heights on Magrath Road, filed a complaint with police that Know Your Customer (KYC) data of customers was compromised. Apart from this, fake credit cards were created, resulting in a loss of Rs 38.39 lakh. The investigating officials suspect the involvement of insiders in the case.
Status: No arrests yet
Case 2: May 2016
A US couple living in Bengaluru was cheated of Rs 6 lakh in just 2 hours. Cyber criminals, using their bank data credentials, had shopped online. The police, almost a year and a half after the incident, are yet to know how their credit card details were extracted, but suspect that a bank employee was involved in the case.
Status: No arrests yet
Case 3: January 2016
Police lodged a complaint of hacking against unknown persons, who cheated customers of several lakhs in Karnataka and Telangana. Police learnt that the fraud was committed by hacking into Axis Bank’s mobile wallet app LIME and SBI’s Buddy app. Bank account details of the victims, mobile phone numbers, etc., were stolen by the accused.
Status: Seven people, including G Gopalakrishna, deputy manager of Axis Bank’s Peddapalli branch in Karimnagar district of Telangana, and others involved in the crime were arrested.

