The absolute numbers don’t seem big. With 3 per cent of all phishing sites across the globe coming from India, the country’s “market share” is way below the United States’ 50 per cent and Germany’s 15 per cent.
Yet there is cause for alarm. Consider this: just 12 months ago, India’s share of hosting such dubious sites was next to nothing. And the first phishing attacks that directly targeted Indian brands happened only some six months ago, when the websites of two major banks in the country were replicated and messages were shot off to their customers from the fakes.
Today, the country has clearly established a footprint on the international cyber map for being in the list of top 10 hosts of phishing sites globally, says a report by RSA, a leading information-centric security services provider.
Worse, phishing — the “art” of coercing unsuspecting victims into parting with critical personal financial information — is no longer limited to the Internet. Srikishna Raghavan, regional head of RSA, cites cases of phishing attacks through feedback forms in upmarket restaurants and phone calls from fraudulent call centres asking for personal information to be updated.
“Feedback forms in some restaurants are known to ask for patrons’ names, addresses and date of birth. Armed with these two details and the patron’s credit card number, a restaurant employee with bad intentions could easily withdraw money from the former’s account even if he doesn’t have the customer’s personal identification number,” explains Raghavan.
As in the West, Indian phishers have been known to target not just banks and financial institutions, but retail establishments, airlines and other service providers as well. One of the most glaring attacks was the recent purchase of more than 15,000 online tickets on Kingfisher Airlines by fraudsters who somehow got hold of the credit card information of several cardholders, many of them foreign nationals. While it is not clear where the fraud originated, some estimates peg the loss to the carrier at Rs 17 crore.
Unlike in the West, India’s lack of security systems has seen attacks even on the bigger guys, says Raghavan. In the US, strong security systems have limited the exposure of national banks to 12 per cent, the collective share of smaller regional banks and credit unions being at 88 per cent.
Raghavan recommends the integration of three kinds of security mechanisms to combat the phishing menace. The first category consists of two-factor authentication devices like the small token he carries with him everywhere. Its LCD display throws up a random number every 60 seconds, which the user must feed in for every transaction.
At the next level, there can be a personalised watermark — like a family photograph — that appears on the computer screen each time a person logs on to their account using their user ID and password. “If you don’t see the watermark, don’t transact,” he says.
“At the third level, it is the establishment – bank, retail outlet, airline – that will get back to you (on your cellphone, for instance) if it finds something strange about the transaction, like an unusually large purchase or a transaction executed from an unknown computer,” says Raghavan.
Asked how many establishments in the country have gone in for such integration, Raghavan said: “None at present.”
So what does the average customer do in the meantime? “Make use of a very rare resource. It’s called common sense,” said Raghavan.