Rediff.com« Back to articlePrint this article

Beware! Mobile wallet frauds on the rise

January 25, 2016 11:51 IST

This can happen due to a malicious app, a weak password or loopholes in the system.

 

Recently, the Bengaluru police arrested a gang of seven for hacking bank accounts and mobile wallets, having stolen lakhs from gullible account holders.

The gang had hacked Axis Bank's mobile wallet app, LIME, and State Bank of India's Buddy app. A deputy manager at the former was among those arrested, being charged with having passed on customer information.

By presenting fake documents of bank customers, the accused obtained duplicate SIM cards of mobile numbers registered with the bank.

Once they had access to the number, the money was transferred using mobile banking to different mobile wallets and then withdrawn from ATMs.

Srinivas Nidugondi, head of mobile financial solutions at Mahindra Comviva, says hackers and fraudsters are targeting wallets as there's minimum Know Your Customer compliance if the user holds up to Rs 10,000 in these.

In such a case, the mobile wallet company only needs to know the mobile number and e-mail address of the customer.

Also, if hackers have stolen credit card information, they transfer the money to a wallet at one go and later use it for multiple transactions.

This saves them from procuring a one-time password (OTP) for each transaction.

Responding to all this, wallet companies have started putting more security to curtail misuse.

Sunil Kulkarni, deputy managing director of Oxigen Services, says cyber crimes can happen because of a malicious app or a weak password or loopholes in the system.

It's not possible for any digital company to avoid hackers completely anywhere in the world. Serious players in this space have to catch up with criminals and introduce new security to avoid such instances.

When wallets lack security

When a person is doing the transaction, the mobile phone interacts with servers of the wallet company and data is exchanged.

Nidugondi says he has come across a few wallet apps that don't follow basic rules like encrypting the data when a transaction is taking place.

Sidharth Bhansali, a tech blogger and e-marketing consultant, lost the money kept in his wallet because of a security glitch.

A user in a different city could access Bhansali's wallet and transact on it and vice versa. The person used the money from Bhansali's wallet to order pizzas.

Bhansali saved the screenshots and took the matter up with the wallet company. After fighting with it for a few months, the wallet company relented, apologised and offered compensation.

Action: If you can capture the security issue, preserve the proof; there are chances of recourse.

However, if it's something you cannot identify, like a wallet's data which is not encrypted during transactions, there's little you can do.

That's because if the transaction happens using all the correct credentials, the wallet company will not assume any responsibility.

However, do approach the cyber crime cell in your city and file a complaint.

Precaution: It's difficult to know the security measures a wallet is using.

So, there's little precaution you can take to avoid falling prey to attackers.

The only option is to research on your own and opt for one that you find more reliable.

When hackers attack

This can be as complex as in the Bengaluru cyber crime and as simple as someone stealing your credentials by using malware.

Rishi Ranjan Sharma, technology lead, corporate business (India & Saarc) at F-Secure, says the most common attack is termed social engineering.

In this, cyber criminals make the person reveal confidential information by interacting with them.

Say, someone pretending to be from your wallet company calls and says they're upgrading all systems and would like to cross-check your credentials.

Then, there's brute-force attack. In this, hackers systematically check all possible keys and passwords until they find the correct one.

Those with weak or common passwords fall prey. There are also instances when hackers can control a public Wi-Fi. Any data that passes through the Wi-Fi, such as password or card number, can be captured and misused.

The most common way a person's credential is compromised is malware. This can get into your mobile through an e-mail attachment or when you download an unauthorised app.

In rare cases, even apps from Google Play Store get installed in your mobile.

According to mobile security firm Lookout, in October 2015 it found a malware called Brain Test in 13 apps, written by the same developers on Google Play Store.

They contacted Google, which promptly removed those. The app transmits all your data to the attacker, including keystrokes.

Action: If your account is compromised, immediately call the wallet company and bank to block services.

If you lose your phone, Sharma says one should erase all the information using the Device Manager in Play Store.

For a phone affected by malware, Lookout says a simple factory reset is not enough. The best option for most users would be to re-flash a ROM supplied by the device's manufacturer.

Precaution: Don't reveal any information to strangers. Keep passwords that are strong with letters, numbers and characters.

Avoid using public Wi-Fi. Keep a security app in your phone.

Don't download an unauthorised app or open attachments from strangers. Also, keep your phone protected, using a PIN or pattern. 

Many cyber criminals also steal card details, sign up on a wallet service instantly and transfer money to it.

Wallet companies have started putting security against such frauds.

FreeCharge, for example, does not allow transfer of money to a bank for 72 hours after a person puts the money in their wallet, says Govind Rajan, its head if operations.

He says 99 per cent of card users complain within 24 hours in case of fraud. Oxigen has the same feature.

Virender Gupta, head of PayUmoney Checkout & Wallet, says they do device fingerprinting.

When a person changes a SIM card but retains the same phone, the technology checks whether the device is the same as was used for earlier transactions.

FreeCharge also uses the technology. Both the companies also have velocity checks, wherein they track a person's usage pattern and in case of anything suspicious, they block the transaction.

Wallet companies are also looking for newer and more secure technologies.

Somit Somani, deputy general manager at Paytm, says the company is evaluating features such as face and sound recognition.

Someone used my wallet to order pizzas
Sidharth Bhansali
E-marketing consultant 

One of the wallets I was using started redirecting me to someone else's account.

And instead of showing my wallet details, it showed details of another user - even exposed few digits of his credit card. This went on for weeks.

At that time my wallet had Rs 1,000 or so. Finally, I called up the company and explained the issue. I was told my phone number was linked to two accounts.

So, they blocked the account of the user, whose details were visible to me. Thereafter, I was able to smoothly use my wallet.

But soon after, I received an SMS, which said that pizzas were ordered using my wallet.

When I checked, Rs 914 was deducted from my wallet. I went to the company's Twitter page and complained.

And, noticed there were many like me, complaining their accounts were hacked. The reply from the company said that because all correct credentials were used they cannot do anything about the transaction.

It was after I posted my experience on a few websites with screenshots of the glitch, the company changed its stance and offered a refund.

DON’T FALL PREY

Tinesh Bhasin in Mumbai
Source: source image