“Go cashless, go for online transactions,” is the advice doled out by the Union government even as citizens are patiently facing the impact of last month’s demonetisation. With government aggressively promoting cashless transaction, the concept figures in the speech of every ruling party leader, from Prime Minister Narendra Modi to finance minister, Arun Jaitely.

The moot question remains whether it is easy or even feasible for a huge population to switch overnight. Certainly not, declare most economists. Let’s consider what data says: The Reserve Bank of India has issued 25.9 million credit cards, 697.2  million debit card (till July) and the number of online banking is not very significant. However, post demonetisation, a significant number of people are shifting to online mode of payment every day. For instance, Paytm registered 7 million transactions worth Rs.1.20 crore per day. Similar reports are coming from other websites like Mobikwik, Payumoney and others.

While this news is welcomed by government, it also brings cheer to another group – hackers or cyber criminals. Looking at the way people are getting comfortable with mobile wallets and banking through apps, smart phones and Wi-Fi networks, it is feared this would open the doors to these unethical hackers. India’s weak cyber laws is only adding to the woes.

 There was a surge of 350 per cent in cybercrime cases during 2011-14. This was the scenario when very few people opted for online banking or card payment. Now imagine what would happen if a good chunk of the population shifted to this mode of transaction? In India, barring a handful, the major part of the population is not even technology-savvy. In rural India, the situation is even worse. Even though most of them have a mobile phone or use Internet, they are still novices when it comes to using applications. Aren’t they then in danger of giving a free hand to hackers?

A criminal mind

What exactly is hacking? In simple words it is an unauthorised access to or control of a private network for some illicit purpose. To deal with any incident of cyber crime or hacking, government has brought in the Information Techology Act (2000). However, the law appears to be ineffective to check the cyber crime and incidents of hacking have grown manifold. Open any newspaper or news channel and one is sure to come across reports of duping or fraudulent activity with the help of computer or mobile phone.

 On 5 June, the Cyber Crime Cell of the Mumbai Police arrested four men for allegedly cheating a businessman of Rs.2.2 lakh. The victim received  an email on 19 April for change of his password and security settings. After a few days, he found that his cell phone number had been blocked and he was unable to receive any email. After recovering his email, he found a mail from his bank, informing him about electronic transfer of money from his account.

 Take another case: A 23 May report spoke of a case of Pune cyber scam, where cops busted an illegal call centre in Delhi. A resident of Pune, Satish More was duped under the pretext of a bank loan. His troubles began when he received a call offering a loan. In the following weeks, he received several calls asking for his bank details and personal information and he was asked to make payments to certain account numbers. The case led to the busting of an illegal call centre in Delhi and arrest two persons who had cheated as many as 60 persons across India to the tune of Rs 65 lakh by luring them in the same manner.

 Hackers, it has been noticed, target single persons too. In a classic case, a young man had registered on a well-known job portal. He soon received a call from a person claiming to represent a company looking for people. The victim was told he need to pay a fee before he could be called in for an interview. This is how he ended up paying around Rs.94,000.

 These are some cases where people were duped. Here the modus operandi is quite simple: They got trapped because of their naivite or greed. “Instances of fraudulent activities are not technical but tricking. These hackers mostly attack altruistic impulses of people, greed and gullibility. Therefore, one has to follow certain dos and don’t,” said an expert.

 Hackers, who went technical, managed to hack 3.2 million debit cards of several banks (HDFC, Axis, Yes Bank and ICICI). At times, cyber criminals don’t go for just financial gains but can also cause major damage to businesses in particular. As per an Assocham-PWC study, an intruder can even gain control of vital systems like nuclear plants, hospitals, railways and transportation. Needless to say, this can lead to dire consequences – power failures, floods, water pollution, disruption of transportation systems and loss of life.

Growing numbers

Users of mobile phones and computers are expanding very rapidly. As per Assocham around 600 million Indian populations would be using Internet by 2020. But the bad news is that cyber crime is growing at the same speed. As  already mentioned, that is a surge of approximately 350 per cent of cybercrime cases registered in the country. The attacks have been mostly initiated from countries like the US, Turkey, China, Brazil, Pakistan, Algeria, Turkey, Europe and the UAE. The report also spoke of growing adoption of Internet and smartphones made India a primary target of hackers. Therefore, as per National Crime Records Bureau, in 2015, around 11,592 cases of cyber crime were reported in India ~ around 26 times more than a decade ago in 2006 (453 cases). These are the cases which were reported. There are many cases which remain unreported. Many a time people hardly get to know how they were duped or framed.

Lacklustre law

It was in 2000 that India came up with a legal provision – Information Technology Act, 2000 – to check cyber crime. The law involves criminal activities that are traditional in nature, such as theft, fraud, forgery, defamation and mischief, all of which are subject to the Indian Penal Code. The abuse of computers has also given birth to a gamut of new age crimes that are addressed by the Information Technology Act, 2000.

But the crux of the whole Act, expert ssay, is that India lacks laws to protect consumers if they lose money during digital transactions. “We don’t have any dedicated law on digital payments. That’s very important to grant complete legality and remove and doubts and clarifications pertaining to legal efficacies and legal validity of digital payments,” said Pavan Duggal, an advocate in the Supreme Court and expert on cyber law, in a report.

 Apart from this, there are many other loopholes in the IT Act, which needs to be checked or amended. There is feeling among legal experts the law does not adequately cover certain aspects of cyber security, mobile crimes and issues around abuse and misuse of the social media.

At the same time, the poor action of Cyber Police is another loophole in the Act. In 2015, around 11,592 cases were registered, in which around 8,121 people were arrested. Over 36,000 cases were registered between 2006 and 2015 while 24,140 persons were arrested during this period. “As usage becomes more widespread, cyber security demands will skyrocket. This is the time, when government should take the security issue seriously. Adequate measures are put in place so that each transaction undergoes stringent security check so that no breach or information leakage can happen at any stage whatsoever,” said Nilesh Jain, Country Manager (India and SAARC), Trend Micro.

Potential danger

Most of the cases in Internet fraud are debit and credit card cloning. Next big contributor to cyber crime is greed and financial gain. Then come insult of women, sexual exploitation, defacement of website and causing disrepute.

Following the government’s urging to use mobile wallets, the number of users is growing rapidly. But the mobile-friendly transaction can prove very risky in India. “It is an incredible opportunity for online payment gateways, e-commerce, digital wallets and currencies. It is also an equally incredible opportunity for cyber criminals to wreak havoc,” informed Nilesh Jain.

“Mobile payments in India are still not governed by any legal provisions. These payments are mostly contractual obligations. With lax cyber security, the weakest link in this chain is the bank customer,” said Pavan Duggal.

Many banks appoint a third party to develop and manage mobile banking applications. This means, the vendor gets access to bank account information of the customer, which could be misused by rogue employees. Moreover, the threats of sim card swaps and malware affecting mobile phones still remains a grim reality. It was in news that Bengaluru police busted a network that stole money from the mobile wallets of Axis Bank and State Bank of India (SBI). Now what would happen if everyone starts opting for mobile wallets? Aren’t mobile wallets highly vulnerable to such attacks putting people’s hard-earned money at risk? “Post demonetisation, the use of online payment platforms has gone up. Along with it has grown the fraudulent misuse of payment networks and data theft,” informed Amit Nath, Head of AsiaPacific (Corporate Business) F-Secure.

The threats are at two levels, said Rajat Mohanty, CEO of Paladion Network. The attackers target the online platform to gain access and carry out fraudulent transactions. Another fear is growth of advanced malware and persistent threats. This scenario is becoming more common in our region. In a country like India, millions of users, who have poor security awareness and low levels of security protection of their devices, hackers easily target them.

Steps to take

Apart from having a good antivirus, experts also advise that one should not accept requests from unknown people. One should create separate email accounts for different purposes – a separate account for bank and other financial accounts, another for shopping and one for social networks is a good idea. If a hacker succeeds in cracking the password for a common email, he will have access to a user’s personal data, including banking, passport details and date of birth. Another trap to lure a user is pop-ups. Many a time, these online pop-ups abet people with malicious software, which can trick users. The best way to deal with them is to ignore them.

Another challenge these days is the growth of payment companies. Majority of them are putting in efforts to encrypt, tokenise and authenticate user credentials before letting transactions to proceed on their platforms. As the technology is comparatively new and lacks a concrete history and legacy to boast of, it is prone to many undiscovered attack vectors that we are currently unaware of.

Therefore, to ward off any fraud in cards, consumers are advised to change their passwords quite often. At the same time, users should also check that the company they are transacting through have a security authenticity certificate in place. And last but not the least, while making online payment, one should not store card details on the websites – this could be very dangerous. Taking a few extra seconds to feed in card details, when paying online, is a small price to pay for the entire security process.