This article has been written by Abhay Pujari pursuing a Privacy Technologist Training Program from SkillArbitrage.

This article has been edited and published by Shashwat Kaushik.

Introduction

Rapid development in science and technology has moved almost every human activity into an electronic or digital mode. The early 1990s saw the introduction of banking sector reforms. Until the 1980s, banks offered customers a single channel for transactions: in person at the branch. Because of the reforms, customers can now conduct financial transactions through a variety of channels, which is much quicker than the manual banking process; a financial transaction is possible with a single click. E-banking means providing banking services via electronic channels. Initially, banks were not fully computerised. Full computerisation took hold once the new private sector and foreign banks entered the market, since their services were fully computerised from inception.


When the internet is used to perform financial transactions and banking activities (paying bills, transferring funds, etc.) using a web browser without physically visiting a bank, it is called online or internet banking.

In India, the demonetisation move saw a huge spike in the usage of mobile banking. Even though cash is still the most preferred medium for any transaction, mobile banking has managed to leave its mark in the market, and people depend on it to transfer money, pay utility bills, etc. However, just like every boon has a curse, mobile and online banking have their flaws too. They offer convenience and accessibility to users worldwide, but the increasing dependence on digital financial services has also given rise to numerous cyber threats and crimes. Money is the most common motive behind all crimes. Financial crimes include hacking into the online banking accounts of an individual or a corporation, or into the bank's servers themselves, computer manipulation, etc.

Mobile and online banking crimes refer to illegal activities that target individuals or institutions and exploit vulnerabilities in the digital financial system. With the increasing popularity of mobile and online banking services, crimes have also become more prevalent, and there has been a corresponding rise in cyber threats and criminal activities targeting users’ financial information.

Common types of mobile banking and online banking crimes

Mobile banking crimes

E-banking or electronic banking, where financial transactions are handled by computer systems, can be broadly divided into two parts – Mobile banking and online banking. When a smartphone or other mobile device is used to perform financial transactions and banking activities (paying bills, transferring funds, etc.) using an application or mobile site, this is called mobile banking.

Mobile banking crimes are increasing day by day and pose a significant threat due to the increasing use of smartphones for financial transactions. Here are some common types of mobile banking crimes:

Phishing attacks

Phishing is the most common type of attack, where an attacker attempts to trick users into taking an unsafe action. An attacker sends fraudulent text messages, distributes bank look-alike websites via SMS, email and other channels, and asks users to share sensitive information such as passwords, PINs, OTPs, etc.

Malware and mobile banking trojans

According to the RBI, attackers circulate app links, masked to appear like the existing apps of authorised entities, through SMS, email, social media, instant messengers, etc. Attackers trick users into clicking such links, which results in the download of unverified apps containing malware or banking Trojans that can give the attacker complete access to the user's device. An attacker can then capture sensitive information such as login credentials and transfer or withdraw money.

SIM card swapping

SIM cards are an essential part of a mobile phone, as they provide the ability to make and receive calls, send and receive text messages, and access the internet. A SIM swap simply means changing SIM cards. In this type of crime, an attacker gains control of your mobile SIM account and transfers the number to another SIM card that is under their control. Your phone no longer connects to your mobile operator, and you can no longer use it for calls and texts. A victim of a SIM swap attack is commonly subjected to financial fraud involving bank and credit card accounts, email, social media, bitcoin transactions, etc. With control of the number, an attacker can intercept two-factor authentication (2FA) codes, one-time passwords (OTPs), and the other alerts required to carry out financial transactions through your bank account.

Man-in-the-middle attacks

A man-in-the-middle (MiTM) attack is a type of cyber-attack in which an attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. This kind of attack is a type of eavesdropping attack, where attackers interrupt an existing conversation or data transfer and gain the ability to capture and manipulate sensitive personal information, such as login credentials, account details, or credit card numbers, in real time.

ATM skimming via mobile banking

ATM skimming is a type of payment card fraud in which an attacker uses a device fitted to an ATM to steal debit or credit card information from ATM users. It allows an attacker to electronically copy the data from an ATM card and clone it, thus making unauthorised transactions from the victim's account. An attacker may use this information in conjunction with mobile banking apps to conduct unauthorised transactions.

Credential stuffing

Credential stuffing is a cyber attack in which credentials obtained from a data breach on one service are used to attempt to log in to another, unrelated service. It is a subset of the brute force attack category. Where plain brute forcing tries many guessed passwords against one or more accounts, credential stuffing tries known username/password pairs and relies on the fact that users often reuse passwords across multiple platforms.

Social engineering

Social engineering is the psychological manipulation used to trick people into making security mistakes or giving away sensitive information. An attacker uses various social engineering techniques, such as posing as bank representatives, to manipulate users into disclosing sensitive information or performing unauthorised transactions.

Malicious QR codes

A malicious QR code scan may lead you to a spoofed website designed to drop different malware types or steal your sensitive data, like your login credentials, credit card information, or money.

Online banking crimes

Online banking crimes refer to the criminal activities conducted through digital channels exploiting vulnerabilities in the online banking system with the aim of obtaining unauthorised access to financial information or committing other financial crimes. This type of criminal activity can have severe consequences for individuals, businesses, and financial institutions. 

Preventive measures

It is a well-known fact, and we often say, that "prevention is better than cure." The same is true for mobile banking and online banking crimes. Preventing them is not a single-click solution, considering ever-evolving technologies and attack surfaces. It requires a combination of technological measures, user education, and proactive security practices. Below are some of the preventive measures:

Use strong authentication

Always use multi-factor authentication (MFA) whenever possible. This typically involves combining your password with a one-time mobile code.

Secure devices

Keep your mobile device and computer operating systems, browsers, and security software up to date. Regularly update antivirus software, avoid downloading from untrusted sources, and back up data to mitigate the impact of ransomware attacks. Set up a strong password or PIN to unlock your mobile device.

Secure Wi-Fi connections

Always use encrypted Wi-Fi connections. Avoid accessing online banking services over public Wi-Fi. Consider using a virtual private network (VPN) for an extra layer of security.

Be cautious with emails and messages

Avoid clicking on links or downloading attachments from unknown or suspicious emails and messages. Always verify the authenticity of communications with your bank.

Password management

Use strong passwords (follow the strong password guidelines mentioned here) and a unique password for each online account. Never reuse the same password across accounts; a breach of one service should not expose the others.

Secure banking apps

Download mobile banking apps from the official app stores only. Never use an unverified source to download the app. Always keep your banking apps updated to benefit from security patches and improvements.

Biometric authentication

Utilise biometric authentication methods such as fingerprint or facial recognition for an added layer of security.

Educate yourself

Stay informed about social engineering tactics, common online scams, and phishing techniques. Educate yourself about safe online banking practices through reputable sources or financial literacy programmes. Be sceptical of unsolicited communications, even if they appear to be from your bank.

Secure development practices

Banks and financial institutions should follow secure coding practices to develop and maintain their mobile and online banking applications.

Mobile banking and online banking laws

Mobile banking and online banking have become increasingly popular in India, offering convenience, accessibility, and a wide range of financial services to customers. However, these digital banking channels also come with inherent risks, such as cyber fraud, data breaches, and identity theft. To address these concerns and ensure the safety and security of customers, the Reserve Bank of India (RBI) has implemented various laws and regulations.

Banking Regulation Act, 1949:

  • This Act provides the legal framework for banking operations in India, including online and mobile banking.
  • It empowers the RBI to regulate and supervise banks and their activities, including digital banking channels.
  • The Act also includes provisions related to customer protection, such as the requirement for banks to maintain adequate security measures and to compensate customers for any losses incurred due to unauthorised electronic transactions.

Payment and Settlement Systems Act, 2007:

  • This Act provides the legal framework for payment and settlement systems in India, including electronic and mobile payments.
  • It establishes the National Payments Corporation of India (NPCI) as the central infrastructure for retail payments in the country.
  • The Act also includes provisions related to customer protection, such as the requirement for payment service providers to obtain customer consent for electronic debits and to provide secure payment mechanisms.

Information Technology Act, 2000:

  • This Act provides the legal framework for electronic transactions and cyber security in India.
  • It includes provisions related to digital signatures, electronic records, and cyber crimes.
  • The Act also includes provisions related to customer protection, such as the requirement for businesses to protect the privacy of customer data and to provide customers with access to their personal information.

Master Directions on Digital Banking – Security and Controls:

  • This RBI directive provides specific guidelines and requirements for banks offering digital banking services.
  • It includes measures to enhance customer authentication, secure data transmission, and prevent unauthorised access to customer accounts.
  • The directive also requires banks to establish robust risk management frameworks and to regularly review and update their security measures.

Other RBI Guidelines and Circulars:

  • The RBI has issued various other guidelines and circulars related to mobile banking and online banking, such as the guidelines on mobile banking security, guidelines on electronic banking, and circulars on customer protection in digital banking.
  • These guidelines and circulars provide additional guidance and clarifications to banks on various aspects of digital banking operations, including customer authentication, fraud prevention, and grievance redressal.

These laws and regulations provide a comprehensive framework for mobile banking and online banking in India, ensuring the safety and security of customers while promoting innovation and digital financial inclusion. By adhering to these laws and regulations, banks can offer digital banking services that are both convenient and secure for customers.

How to prevent fraud in mobile apps

Preventing fraud in mobile apps is crucial for safeguarding user data, protecting businesses, and maintaining trust in the app. Here are some strategies to prevent fraud effectively:

  1. Strong user authentication:
    • Implement multi-factor authentication (MFA) for user login, such as a combination of password and OTP or biometric authentication.
    • Regularly monitor user login patterns and flag suspicious activities, such as multiple failed login attempts or unusual login locations.
    • Encourage users to use strong passwords and regularly change them.
  2. Data encryption:
    • Encrypt sensitive user data, such as personal information, financial details, and transactions, both at rest and in transit.
    • Use industry-standard encryption algorithms and protocols, such as AES-256 and SSL/TLS.
  3. Secure payments:
    • Partner with reputable payment gateways and adhere to PCI DSS compliance standards to ensure secure payment processing.
    • Implement fraud detection mechanisms, such as address verification and CVV checks, during the payment process.
    • Monitor transaction patterns and investigate suspicious activities, such as large or frequent purchases from new users.
  4. Machine learning and AI:
    • Utilise machine learning algorithms and artificial intelligence to analyse large volumes of data and identify fraudulent patterns.
    • Train models to detect anomalies or suspicious activities in real-time, enabling prompt fraud detection and prevention.
  5. User education:
    • Educate users about common fraud schemes and provide tips for protecting their accounts and data.
    • Encourage users to report any suspicious activities or concerns to the app’s support team.
  6. Regular security audits:
    • Conduct regular security audits to assess the effectiveness of fraud prevention measures and identify areas for improvement.
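The login monitoring described in item 1 above (multiple failed attempts, unusual login locations), together with the credential stuffing pattern described earlier, can be expressed as a few simple rules over an authentication log. The following is an added example, not code from the original article; the log format and the threshold values are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log: "<timestamp> <user> <source ip> <country> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice 203.0.113.5 IN success
2024-03-01T09:10:00 bob 198.51.100.7 IN fail
2024-03-01T09:10:05 bob 198.51.100.7 IN fail
2024-03-01T09:10:09 bob 198.51.100.7 IN fail
2024-03-01T09:10:30 carol 198.51.100.7 IN fail
2024-03-01T09:10:35 dave 198.51.100.7 IN fail
2024-03-01T12:00:00 alice 192.0.2.44 RU success
"""

def parse_line(line):
    ts, user, ip, country, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
            "country": country, "ok": result == "success"}

def detect(log_text, max_fail=3, window=timedelta(minutes=5), stuffing_accounts=3):
    """Return (rule, subject, detail) alerts in log order, one per threshold crossing."""
    alerts = []
    fails = defaultdict(deque)       # user -> timestamps of recent failed logins
    seen_country = defaultdict(set)  # user -> countries of earlier successful logins
    ip_targets = defaultdict(set)    # source ip -> distinct accounts it has tried
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev["ok"]:
            # Rule 1: burst of failures on one account inside the sliding window
            q = fails[ev["user"]]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) == max_fail:
                alerts.append(("failed_login_burst", ev["user"], len(q)))
        else:
            # Rule 2: successful login from a country never seen for this account
            known = seen_country[ev["user"]]
            if known and ev["country"] not in known:
                alerts.append(("new_country", ev["user"], ev["country"]))
            known.add(ev["country"])
        # Rule 3: one source IP probing many distinct accounts (credential stuffing)
        tried = ip_targets[ev["ip"]]
        tried.add(ev["user"])
        if len(tried) == stuffing_accounts:
            alerts.append(("many_accounts_from_ip", ev["ip"], len(tried)))
    return alerts
```

Calling `detect(SAMPLE_LOG)` on the constructed log yields three alerts: a failed-login burst for bob, the shared source IP probing three accounts, and alice's first login from a new country.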

By implementing these strategies and continuously adapting to evolving fraud threats, mobile app developers can create a more secure and trustworthy environment for their users.

Conclusion

By combining these measures, individuals can significantly reduce the risk of falling victim to mobile banking and online banking crimes. To protect against mobile banking crimes, users should follow security best practices such as using strong and unique passwords, enabling two-factor authentication, keeping devices and apps up to date, being cautious of phishing attempts, and using reputable security software. Financial institutions also play a crucial role in implementing robust security measures to safeguard their users’ accounts and data.

In conclusion, preventing online banking crimes requires a combination of user awareness, robust security measures, and continuous adaptation to emerging threats. Financial institutions, regulators, and users all play crucial roles in mitigating the risks associated with online banking. Regular education, updates to security protocols, and collaboration between stakeholders are essential components of a comprehensive strategy to combat online banking crimes.
