Late last year, Balaji Vijayaraghavan, a criminology student from Chennai, downloaded Snapit, a money-lending app. A few days later, he lost close to a lakh from his bank account.
Balaji immediately froze his bank accounts and launched an investigation along with Save Them India Foundation, an NGO working on the cybersecurity front, into how the data breach occurred.
“When we began to probe the issue, I learnt that there were 59 malware in the digital lending app that I installed,” says Balaji. “Although I did not log in on the app or give permission to access details of other apps such as gallery and contacts, my mobile was hacked and data was compromised,” Balaji, TN president of Save Them India Foundation, adds.
The scammer, in fact, had taken control of his device to send SMS without his knowledge or consent. Because the scammer was able to read the OTP, they could unblock Balaji’s bank account and siphon off funds.
Balaji noted that there were multiple transactions in just 27 days and his account was credited and debited with close to Rs 8 lakhs. The hackers used his bank account for money laundering. In the process, they siphoned off close to a lakh that Balaji already had in his account.
“I think it was done to convert the dark web transactions via cryptocurrency, black money into white, and use it for local operational activities in India,” he says.
How does the black money get converted into white money?
Cryptocurrency is a non-traceable form of transaction digitally circulated on the dark web. The most popular cryptocurrency is bitcoin, and the transaction fee is negligible. The hackers use bitcoin to ensure the government does not suspect the activity. The entire process appears legitimate, so the government cannot take notice, as the transactions may appear like native transactions.
Balaji’s experience is just the tip of the iceberg. There has been a considerable spike in the number of cyber crimes happening in India during the lockdown as can be seen from the statistics below:
- Pune recorded 14,759 cyber crime cases
- Delhi saw 29,847 complaints
- Cyberabad witnessed 1119* cases in 2020
- In Hyderabad 1,200 cyber crime cases were registered till June 2020
- 1,755 FIRs were filed in Ghaziabad till August 2020.
In light of the above, Save Them India Foundation has filed a petition in the Supreme Court urging it to take measures to pass the Data Protection Bill, 2019.
We spoke to Pravin Kalaiselvan, founder of Save Them India Foundation, and Balaji Vijayaraghavan to understand the trend of rising cyber crimes in India and what we can do to stay safe. Excerpts from the interview:
What does the rise in cybercrimes in India indicate?
Pravin: We began to investigate the loopholes when the cybercrimes were peaking during the lockdown. Our team found out that the entire exercise was hatched by Chinese nationals. India is not ready for a cyberwar as there have been security breaches detected and reported in the Aadhaar card and PAN card databases in the past.
Another dangerous weapon used by hackers is the selfie camera. While we think it is just a camera application, hackers access the data for stealing facial recognition using Artificial Intelligence (AI) technology. Similarly, the latest smartphones are equipped with fingerprint sensors that get stored in the server. If a data war erupts, our economy will be damaged as they have access to the Aadhaar and PAN details which can be cracked with facial recognition, fingerprint sensor tools and other data.
How do digital lending apps and shell companies work?
Pravin: Digital lending applications are most commonly available on Google Play Store. When users install such applications, their first step is to copy all the data. From contacts to photographs, everything is compromised and is stored on their web servers. The server where data is stored is crucial to ensure a data breach does not happen. Most of the malicious apps store data on Alibaba servers that operate from China. We found out that about 92% of the companies who use the server give Alibaba access to user information.
When a user avails a loan from such applications, the app developers threaten the users with the data. This is called digital/data mortgage where users pawn their data in exchange for money.
The main reason for the rise in digital lending applications in the Play Store is the lack of monitoring by the Centre.
Balaji: The hackers have set up a number of shell companies pan-India where they train people on several verticals of cyber crime. While one group targets high-profile people and tries to invade their device through different hacking methodologies, the other targets commoners through gaming, microlending and dating apps. The kingpin behind all these carefully planned cybercrimes is in China and operates in India through shell companies here. Recently, the Chennai police nabbed two Chinese nationals and two Indians in Bengaluru as they were illegally operating instant loan apps.
What should one do if their mobile is hacked?
Balaji: A factory reset of the device is enough to wipe out the malware. I formatted my Android device and switched to an iOS platform. It is not easy to hack iPhones as in the case of Android mobiles.
For Android users, I suggest being extra cautious and not clicking random web links from spam mails or messages, and refraining from downloading forwarded images/GIFs that are received on WhatsApp or any other messaging platform. The user should not make a copy of the data if s/he gets to know that their device is hacked, as the malware may also get copied.
What can be the consequences for a user who installs a malicious app?
Pravin: There are several kinds of fraudulent activities that can happen to an individual. Our recent probe revealed that several applications can read the user’s text messages and tap into his list of contacts. In Balaji’s case, the hackers reached out to many people in his contact list.
As they can read the messages, it implies that they have access to the One Time Password (OTP) that gets generated while making a transaction. The hackers usually indulge in siphoning off activities at midnight while everyone is sound asleep. None of us really know immediately when a notification pops up.
Balaji: Identity theft is another type of cybercrime. In my case, a new Director Identification Number (DIN) was created even without my knowledge. DIN is similar to PAN and is assigned to people who would want to start and run a company. It is a crime to have more than one PAN/DIN. I found out that there were a number of DINs created in my name. It is very easy to create a DIN number as it requires some basic details, a KYC video, which I had done long back for my company, and can be created online. While that was resolved, what is noteworthy is that the fraudsters used every media file found on my device.
What is the status of cybercrime rules and regulations in India?
Pravin: Our petition at the Supreme Court is to ban Indian companies from using Chinese servers for storing data, banning digital lending apps and passing the Data Security Bill, 2019. Passing the bill is the need of the hour, as it has the potential to shut down international companies, who operate from India illegally to steal data.
What can the Reserve Bank of India (RBI) do when a financial fraud case gets registered?
Pravin: As per the rules, digital lending apps should be approved by the RBI and Non-bank financial institution (NBFC). However, we found out that 90% of the money-lending apps are not approved by the RBI.
Two weeks ago, the RBI flagged Google about the digital loan lending applications following which 30 apps were taken down from Play Store. The government has just begun acting against cyber crimes.
How can users know whether their identity has been stolen? What should they do if they find out it is being used for illegal activities?
Pravin: One should keep checking Zauba Corp from time to time to ensure their identity is not misused. Zauba Corp is a web directory that has information about the companies in India. It lists basic details like the name of the company, directors, registered location, names of shareholders, address of the company, annual financial data and competitors. The authenticity of a company can be assessed by cross-checking on the Zauba Corp website.
If the identity is misused, file an FIR immediately. If the local police do not launch an immediate investigation, people should reach out to the nearest Superintendent Office.
Save Them India Foundation has been receiving a lot of distress calls. What kind of requests do you get?
Pravin: From March till date, we have helped around 49,000 persons who have been victims of various kinds of cyber threats. Many people have even committed suicide due to their private data being hacked illegally; this is certainly a wake-up call and the time is ripe to have strong data protection rules. We are closely working with police departments in Tamil Nadu, Andhra Pradesh, Telangana, Karnataka and Maharashtra for nabbing cybercriminals.
What should users watch out for?
- Do not install unauthorised, unnecessary and third-party applications.
- Use legit photo-editing applications to ensure the pictures are safe and secure.
- Limit permissions given to applications.
- Do not click on web links and attachments if the message or e-mail is spam.
- Do not download commonly circulated/forwarded ‘greetings’ images. Such images come with payloads and would inject a bot into your device.
- Check if the data collected by an application is stored in protected Indian servers like AWS
- Do not have private photographs on mobile phones
- Do not have digital copies of Aadhaar, PAN Card and other confidential details
- Two-way authentication sign-in for emails
- Turn off data/Wi-Fi when not in use, especially in the night.
With the world going digital, there are only two kinds of people now: people who know that they are hacked and people who do not know that they have been hacked. One should always be wary of data breaches and file a complaint immediately.
*Errata: The cybercrime figures reported by Cyberabad police were wrongly cited in the first published version, and have since been corrected. The error is regretted.