As summer came to a close, a team of 11 men was planning a scheme that would end up stealing Rs 19.31 lakh (US$31,000) from the account of a business executive working in India. The gang was comprised of Indian and Nigerian men who banded together to hack bank accounts using phishing techniques and proxy servers located in the United States. The Indian members of the gang were responsible for opening bank accounts using false paperwork and using the social media accounts of their victims to gather personal information. The hackers would then use the details they’d ascertained via social media to get new SIM cards issued to them.
But what do SIM cards have to do with it?
Well, mobile phones are how banks in India communicate with their customers. If a person’s SIM card is blocked, then they don’t get alerts from their bank notifying them of a potential problem, which is exactly what happened to the business executive mentioned.
“There were three holidays happening back to back, so they (the hackers) were successful at deactivating the victim’s phone, and he didn’t bother because there were holidays,” said Ritesh Sarvaiya, Founder and CEO of Defencely, a manual pentesting company based out of India. “This kind of hack, which happens in India, is more prone to phishing emails being sent out to victims. The biggest thing is that one should know how to read every single email coming in to them asking them about their banking username, passwords, secret questions and answers.”
Sarvaiya said that currently, the biggest banks in India do not have digital security in place, and that for each and every transaction, passwords are being sent directly to phones. Once that password is entered (by whoever happens to be using your SIM), the transaction goes through.
“So for example, if the transaction is higher than $500, it requires a digital password to go through,” Sarvaiya said. “But Indian banks are not undertaking those measures at this time. Their entire websites are vulnerable. Because of that, this particular kind of problem is happening and hopefully eyes are opening.”
If a mobile phone falls into the wrong hands in India, the problems are endless.
Emerging Hacker Talent
While mobile banking security (or lack thereof) in India certainly needs to be reexamined, a new problem facing India’s cybersecurity landscape is that of emerging hacker talent. Local Indian media recently reported that India is now becoming a hotspot for global cybercriminals due to a lack of jobs in the country and very few legal ramifications as a result of hacking activity.
“To give you some insight, India has immense talent in regards to a value addition to anyone’s web security, or hacking a website ethically,” Sarvaiya said. “The talent that India has doesn’t get a proper break in India, so their skills are not being valued at that level, and when you have talent and you’re not respected, it’s very obvious that you’re going to find some very easy ways to make money in the black hat world and that is what the Indian hackers are doing.”
Age, lack of funding and a low level of experience are also operating against hackers in India, according to Sarvaiya.
“These people have an ample amount of talent, yes, but the big enterprises aren’t able to pay them. The Indian employment scenario is completely driven by experience. These people don’t have experience so they’re getting rejected,” Sarvaiya said. “At the max, they get about $500 to $600 a job. On the black hat market, they make $3,000 to $4,000 sitting in any corner of India.”
Changing the Tide
So, what then can be done in order to stop these hackers in their tracks before it all gets out of control? And what does the future hold for cybersecurity in India? Sarvaiya believes that the biggest problem facing cybersecurity in India is corruption at the government level and a lack of knowledge, which is allowing cybersecurity in the country to fall into the wrong hands.
“People in power, who are heading things up, they don’t have the knowledge,” Sarvaiya said. “At the government level, there are no active steps being taken. Of 150 websites in India, 90% are vulnerable. So there is no rule, set by the government, stating that you have to maintain a certain level of security. Things are not in the right hands, and those that are in the hands of someone are in the hands of someone who doesn’t know how to drive this subject.”
Sarvaiya believes that the web security scenario in India is still in need of a lot of education and that people – far beyond just Indian banks – need to be trained on the vulnerabilities of their websites.
“We are seeing change, but it’s extremely slow. You need to have a lot of patience and you need to go ahead and give it your best shot to take it to the next level.”