Internet banking is getting more popular in India, and with this
the threat of expected losses due to phishing is increasing. The most targeted
industry sector for phishing attacks continues to be financial services.
According to the Anti-Phishing Working Group (APWG), this sector averaged 81% of
all hijacked brands in March, with 9 out of 12 new brands falling in this
category. According to CyberSource Corp, which processes financial
transactions, Internet frauds, in general, cost merchants $2.6 bn in 2004, $700
mn more than in 2003.
Unlike Phishing, in the case of Pharming, most victims, even the
clever ones, might have no idea that they are being scammed, until it's too
late. Though DNS attack tactics used by pharmers have been around for a while,
the rise in internet banking, online shopping and electronic bill payment has
created a wide potential profit zone for criminals eager to get hold of login
information and credit card and bank account numbers.
Especially after Citibank became phishers' favorite brand,
customers have become more aware of possible cyber swindling. In late 2004,
pharmers attempted to exploit a known vulnerability in firewalls, redirecting
Google, eBay and Amazon visitors to sham sites.
Most private and international banks have already set up elaborate
Internet banking infrastructure, and nationalized banks are also moving fast to
keep pace with changing times. India till date has been relatively safe from
unruly Internet movements due to relatively low levels of PC penetration and
skeptical users. It is over time that the security drive for banks has started.
- In a position where you have given out your debit,
According to CN Ram, Head-IT, HDFC "The use of digital
certificates puts a safety check on transactions. Though using private digital
certificates is cumbersome and expensive for individual customers, they are
used for corporate customer accounts, operating on both the client and the
bank's site. HDFC's corporate customers are also protected with SAP safeguards
that use server-to-server authentication for any transaction to take place
Punjab National Bank, which according to the 2005 DQ-IDC Mega
Spenders survey had taken the top slot in IT spending, has appropriate safeguards
built in. According to KS Bajwa, GM-IT "We have to constantly review our
products and ensure that adequate security measures are in place. We get
Information Security audit (including penetration testing) done from external
auditors at periodic intervals.
Phishing is derived from “fishing”-a social engineering
E-mails masquerading as official messages from banks are
A computer with a compromised host file will go to the
Trends: Web site
A new variation of the scam is wi-fishing, where crooks
PNB's web servers are provided with Digital Certificates and are
SSL enabled. Customers are forced to change the passwords at periodic intervals
and a virtual keyboard feature has been provided for Internet Banking login,
whereby the customer uses mouse clicks instead of typing using the keyboard.
This minimizes the risk of keyboard grabbing.
Some financial services companies, whose users are the prime
targets of phishing and pharming scams, are experimenting with
"multi-factor authentication" logins, including methods such as single-use
passwords and automatic telephone callbacks confirming that a transaction is
about to take place. PNB too is contemplating the possibility of providing
2-factor authentication mechanisms, which would use smart cards, I Keys and
As per RBI guidelines on Internet banking, security issues include
questions of adopting internationally accepted state-of-the-art minimum
technology standards for access control, encryption/decryption (minimum key
length), firewalls, verification of digital signature, and Public Key
The ifs and buts
According to an SBI spokesperson, India is still relatively
safe from such attacks because identity thefts are dreaded in countries like
the US, because of the widespread use of Social Security Numbers. Moreover,
since most of the sites are hosted, pharmers are more interested in dollars
rather than Indian rupees.
Once the Multi-Purpose Identity Card (MNIC) Project of the Indian
government is rolled out nationally, it may not be long before India goes the
US way, in terms of higher phishing and pharming risks. Cyber Laws in India
also have a long way to go before they become stringent enough to tackle such
Companies like Trend Micro, Symantec and McAfee are the global
players offering e-safety solutions to individuals and corporates.
Niraj Kaushik, Country Manager, India and SAARC, Trend Micro says,
"Though Pharming is more lucrative for pharmers, it is all the more
difficult to attempt. Safety solutions are implemented at Gateways, which keep
a track of the email and browsing exchange. According to IDC, 67% of desktops
are infected by spyware."
Invariably, all the banks that Dataquest contacted expressed the
utmost need for consumer education on Internet banking. Most banks advise
clients to be alert and not to divulge their user IDs and passwords in pop-ups.
Security is indeed the last word. According to Neeraj B Bhai, CTO,
IDBI, "Internet banking is not a one-time activity. The bank has to persuade its
customers to use the service to achieve cost advantage. In this case, data
security needs to be very thorough." The SBI spokesperson sums it all up,
"Banks that cannot provide such security should not be in the