The Telegraph
| Sunday, January 18, 2015 |


We know your password

Indians are besieged by callers seeking to sell them a product or a service. And that is done mostly through stolen personal information, say Prasun Chaudhuri and Avijit Chatterjee

The call to Ashok Apte came when he was in office. "We'd like to drop in and see you," the man at the other end of the line said. "I work for a wealth management advisory service and want to manage your money."

Apte was taken aback. How did the wealth management advisory service get his mobile number? And how did it know that he had wealth that needed managing?

The questions deserve an answer - for across the metros, Indians are being besieged by callers seeking to sell them a product or a service. And that is done mostly through stolen personal information.

"Customers' data are stolen by staff, vendors, information technology service people and a whole lot of others involved in banks," says Saradaprasad Mukhopadhyay, former chief information security officer, State Bank of India.

They sometimes even have access to sensitive information such as your password, data related to secret questions (such as a mother's maiden name or your pet name), information gleaned from magnetic strips on credit or debit cards, and Aadhar, debit or credit card numbers.

It's not difficult to steal data. When switching jobs, personnel in a bank or financial firm can simply carry all the files of customer data in a flash drive. Many don't even think it's wrong to do so.

"Most employees feel the data in their computer systems are their own property," says Prashant Mali, a Mumbai-based advocate and data theft expert. "Many don't know that they are committing data theft."

But if convicted under The Information Technology Act, 2000, they can be jailed for three years and/or fined up to Rs 5 lakh, Mali points out.

The experts say that there is a well-oiled system that deals with stolen data. There is even an online market for such highly prized information. People working in companies that handle the outsourced information technology (IT) operations of banks are sometimes involved in this, says R. Kumar, a forensic data expert who has helped unearth several data breaches in banks in association with the Central Bureau of Investigation. There are cases of people creating new outsourcing firms just to steal data and money from unsuspecting bank customers in India and abroad.

Indeed, data theft is rife in India. A few months ago, former IIT, Kanpur, director Sanjay Dande's bank details and passwords were accessed by fraudsters who siphoned off Rs 12 lakh from his accounts. Criminals procured the net banking login and password of Ashish Goradia, the owner of a computer firm in Mumbai, from the know your customer (KYC) database in his bank. They then transferred Rs 17 lakh to six different accounts across India.

In a landmark ruling last week, a cybercrime court in Mumbai ordered six banks, a telecom services company and a credit card company to pay Rs 1.06 crore in compensation to customers - including Dande and Goradia - who had been victims of serious data breaches in the past two years.

"Banks are trustees of customers' data and have to be judged on tougher standards," Rajesh Aggarwal, Maharshatra's IT secretary and the adjudicating officer in these cases, said while passing the verdict.

A recent survey by KPMG India, the audit and business advisory firm, reveals that banks and the financial services sector are most prone to data theft attacks in India. "Following rapid digitisation in the banking industry, banks have turned into rich information storehouses of personally identifiable information," says Sandeep Gupta, partner, forensic services, KPMG India.

Data breaches or small compromises with data happen on a daily basis in almost all sectors including the banks, says Pankaj Sharma, former advisor, ministry of finance, Government of India. About 15 per cent of all data get compromised on a daily basis, while "extreme data thefts" affect 3-5 per cent of data, he says.

Internal data breaches are seldom reported and many companies hardly bother about data protection, he says. "Banks in India are still low in adopting e-banking and they lack the rigour, technology and methodology to secure data."

However, with more and more people opting for mobile banking, data can become more vulnerable. "In the mad rush, many banks don't test their mobile banking applications for data or identity security," Gupta of KPMG India says. "This lapse is exploited by attackers."

This was revealed in the course of an investigation into a massive data theft at a leading financial institution and a private bank, says Gupta, who led the forensic team.

The use of top-end equipment by customers to facilitate banking and other services is also leading to theft. "Handheld devices, such as smartphones and tablet PCs, used for banking, are further exposing the banks and customers to data thieves," warns Ajay Dubey, Manager (India), Websense, a US-based IT security firm.

Automatic login apps, for instance, make it easier for a customer to access bank details - but also make it easy for hackers to steal data and money.

Siddhartha Chakraborty, in charge of cyber police station at Lalbazar, Calcutta, advises customers to use websites which have an "https" (hypertext transfer protocol secure) - instead of the simple "http" - in the web address while e-banking or shopping online. "The extra 's' means your connection is secure, and it's much harder for anyone else to see what you're doing," he says.

People should also use different passwords for different accounts. Chakraborty warns against opening suspicious email attachments or messages. "These attachments are loaded with viruses or malware despatched by hackers to steal sensitive financial data while you are working online."

In the last couple of years, there's been a huge spurt of data theft in Indian banks, stresses Ratan Jyoti, chief manager (information security), Vijaya Bank, Bangalore. "It is estimated that Indian banks are losing a few hundred crores of rupees annually owing to this," he says.

Many financial institutions (FIs) are investing in robust IT security and stronger firewalls to ward off such thefts, says Ketan Kale, head, practice and political risk, JLT Independent, a financial firm in Mumbai. "Apart from strengthening their risk management framework, several FIs are seeking our help by structuring insurance programmes to tackle the risks," Kale says.

Vijaya Bank's Jyoti stresses banks must introduce adequate risk management systems and stay alert to rising security threats. "It is a wake-up call for all the banks in India," he says.