How will you benefit from investing early in mutual funds?

Cyber fraudsters are lurking all over the online payment ecosystem. Banks, financial institutions and payment gateways have reported a surge in cyber frauds during the pandemic, and warned customers not to fall prey to them.

While banks continue to educate customers about the novel methods of duping adopted by tricksters, the latter are devising fresh ways to defraud the hapless people, already reeling under the impact of the Covid-19 pandemic. Banks have now strictly asked customers not to share any personal details/one-time passwords, and avoid downloading mobile applications that are not verified.

“Two types of frauds are common these days. One is by asking people to download mobile apps (which are malwares) to facilitate their vaccination. Using this, the fraudsters source personal data of victims. Some use it to take out money from banks by initiating a fake refund offer. Some others, try and change the mobile number linked to the bank account, and then, wipe out the victim’s bank account clean. Some others, use an email suggesting a quick vaccine and seek personal data. Here again, some use the façade of a refund and make people use the UPI ‘approve to pay’ option. People will remain under the assumption that they have been paid money, without knowing that they have in fact allowed the fraudster to take money out of their own account,” said a Mumbai-based cyber security expert.

Money Mules

He said in most cases, ‘Money Mules’ are used, and it makes tracking the fraudster extremely difficult. Mules are innocent victims who are duped by fraudsters into laundering stolen/illegal money via their bank accounts, by offering a small amount for every transaction in the account.

Before making any payment online, it is recommended to check the phone number, UPI id and the bank account on public websites such as the Covid Scam Directory.

A banker said one of the latest methods is to claim your credit card reward points that are just about expiring. “Most banks have told their customers to be wary of fake messages. Please do not click on any suspicious links or share your confidential details with anyone,” said a private banker.

SMS-based OTPs

Ventaka Guttula, Director- Security at Rediff.com India, believes that SMS-based OTP is old-fashioned, and the system needs an overhaul. This is a major source of fraud, according to him.

“It is now a de-facto two-factor authentication method for online banking activities, credit card payments. It is used in the registration or to log in to services, reset a forgotten password, reserve a restaurant table, and even register to the COWIN portal to schedule Covid-19 vaccination. It is time for businesses to stop using SMS-based OTPs and start using other software-based or hardware-based token authentication, which are in their control for two-factor or multi-factor authentication,” he said.

A standard hardware token is a small hardware device generally in the size of a credit or keychain. A simple hardware token looks identical to a USB flash drive and contain a smaller amount of storage holding a certificate or unique identifier and are often called dongles. Since credentials are stored on a dedicated hardware device, they can’t be duplicated.

On the flipside, a software token (called soft token) is a piece of a two-factor authentication security device that may be used to authorize the use of computer services. These tokens are stored on a general-purpose electronic device such as a desktop computer, laptop, mobile phone and can be duplicated.