Cybercrimes: Smarter and smarter
Officials explain how card users can protect themselves from racketeers' schemes
The Indian nationals were thought to be running a jewellery shop. Yet, when Criminal Investigation Department (CID) detectives raided the establishment at the ground floor of the Gold Centre building in Pettah last week, not a trace of gold was found; only a few empty cupboards. The jewellery shop was a front, the detectives found. The five-member gang was, in fact, carrying out an elaborate credit card fraud.
A CID source said they acted after a private bank official made a complaint that the suspects were involved in a fraud using a Point of Sale (POS) terminal provided by the bank and credit cards containing fake data. The POS terminal is a device retail outlets use to scan credit or debit cards to process payments. The suspects had obtained this device from the bank saying they wanted to conduct “business transactions” at the jewellery shop which they claimed wasbeing set up with a local partner. The CID source said the device had been used to carry out 97 illegal transactions on September 29 and 30. Four of these had been successful, resulting in USD 1,100 (Rs. 188,700) being transferred to an account in the shop’s name. The suspects had attempted to obtain USD 266,771 (Rs 45, 351, 070) in total through the transactions. Among the items found in the suspects’ possession were an encoder device, 20 credit cards encrypted with false data, a laptop and six mobile phones containing data used for the scam.
The suspects themselves are a curious mix. According to investigators, one is a registered doctor in Tamil Nadu. Another is a lawyer while a journalist was also among the arrested. The CID source said the suspects had bought customer data stolen from banks in seven countries by hackers to carry out the scam. The gang had bought the data using the digital cryptocurrency bitcoin.
Financial crimes of this nature have become all too common in the digital age, and lack of awareness among the general public of such scams is the major reason why the crooks succeed, officials told the Sunday Times. In recent years, ATM “card skimming” scams have targeted debit card users in many parts of the country, with both locals and foreigners involved in the crimes. In most cases, thieves have stolen customers’ card information by attaching card skimming devices to ATM machines. Other types of financial crimes are also on the rise.
In the most recent example, the CID, this week, arrested four women who were allegedly defrauding money from elderly men and women by duping them into divulging their bank details. The women had been involved with various non-governmental organisations conducting social welfare programmes, through which they came into contact with their victims. The elderly victims, most of whom were pensioners, had little or no knowledge of conducting financial transactions through the internet. The women had allegedly perusaded their victims not only to divulge their banking details, but also to download mobile apps that most banks have now developed to make online banking easier. “Armed with all the relevant details given by the victims, the suspects had then used the same mobile apps to transfer funds from the victims’ bank accounts into their own,” a senior CID officer explained.
Among foreigners involved in digital financial frauds, Nigerians have been the most prominent. Police have arrested 114 Nigerians in recent years. The CID said some suspects contact victims over the internet and build a relationship. They then claim to have sent a gift to their victims, and subsequently ask them to debit some money to a bank account as taxes to get the item released from the Customs. Some who have been caught in the scam have lost more than Rs 6 million, detectives said. On other occasions, some Nigerian nationals here have asked locals to give them access to their bank accounts on various pretexts, only to use the accounts to transfer stolen funds out of the country. This has disastrous consequences for the locals as they, too, are liable to be arrested for aiding and abetting financial fraud.
Dileepa Dharmapriya, a member of the experts’ panel set up under the Payments and Settlements Systems Act, said customers had a responsibility to “immediately” notify their banks if their credit and debit card details had been compromised. He said banks would not accept responsibility for any transactions which occurred prior to the customer reporting the matter.
Mr Dharmapriya said retailers using POS terminals had a responsibility to verify customer details on the card receipts if the purchase was substantial and aroused suspicion.
Private companies and small businesses, too, have become victims in financial crimes conducted over the internet, said
Roshan Chandraguptha, Principal Information Security Engineer at the Sri Lanka Computer Emergency Readiness Team (CERT).
He said there had been incidents where hackers, after hacking email accounts, had managed to route the funds to overseas bank accounts. “They mostly hack accounts by tricking people into divulging their user names and passwords,” Mr Chandraguptha pointed out. For example, victims may receive an email claiming that their inbox had nearly reached its capacity and they needed to click on the link in the email to verify their account details. Once the user does this, the hacker gains access to the account.
In one case, a company had been expecting money from a client for a shipment of goods, but believed payment was being delayed due to the New Year holidays. When the money failed to arrive even after the holidays, they had contacted the overseas based client, only to be told that the funds had been deposited with the company’s “other bank account” before the New Year as per their email. The company, however, had only one bank account and had sent no such mail. It was then that they realised that they had been scammed, Mr Chandraguptha revealed. “Small businesses have gone bankrupt after being caught up in such scams,” he also said.
If you are engaged in a business, you should ensure that any changes to the bank account of the person you are supposed to send the funds to are correctly verified, he said. “Make sure to verify the change of account through multiple channels. If you are changing your own bank account, also inform the partner through multiple channels of communication, rather than just via email.”
Even banks and financial institutions in Sri Lanka are under constant threat. “There are attacks coming every day. Some (hackers) are just checking security measures and gathering information. Others actually try to gain access,” said Loshan Wickramasekara, Manager Information Security at the Financial Sector Computer Security Incident Response Team (FINCSIRT). Initiated in 2014, FINCSIRT is a specialised unit responsible for receiving, reviewing, processing and responding to computer security alerts and incidents affecting the banks and other licensed financial institutions in the country. It is a joint initiative of the Central Bank, CERT and Sri Lankan Bankers Association.
FINCSIRT has 43 members, which includes all local banks and most of Sri Lanka’s financial institutions. Mr Wickramasekara said the unit conducted monitoring 24/7 to identify security threats to the country’s financial sector.
At present, the only way people in Sri Lanka can transfer funds overseas is by using the SWIFT messaging network, which links more than 11,000 financial institutions in some 200 countries and territories around the world. Mr Wickramasekara said the network’s security had been greatly enhanced since the2016 Bangladesh Central Bank cyber heist. In this case, hackers issued instructions via the SWIFT network to successfully withdraw USD 101 million belonging to the Bangladesh Central Bank and transfer the funds to accounts in Sri Lanka and the Philippines.
Though ever more stringent security measures are taken, one cannot guarantee 100 percent security due to two reasons, Mr Wickramasekara said. One was the human factor. “There is always room for human error, and that cannot be factored out,” he said. The second reason is what are known as “Zero-Day Attacks.” A zero-day is a computer software vulnerability that is unknown to those who would be interested in mitigating the vulnerability. Hackers who identify the vulnerability can exploit it maliciously to their advantage. “As such, no one can be super secure from hackers. But, what we can do by having more security is to make their lives harder,” he said.
Among foreigners involved in digital financial frauds, Nigerians have been the most prominent. Police have arrested 114 Nigerians in recent years. The CID said some suspects contact victims over the internet and build a relationship. They then claim to have sent a gift to their victims, and subsequently ask them to debit some money to a bank account as taxes to get the item released from the Customs.