Inside India’s Cybercrime Boom

Posted August 8, 2017

India’s digital transformation may be the closest thing to an overnight success the world has ever seen—unless a boom in cybercrime turns it into a living nightmare.

Thanks to the government’s massive digital empowerment programs during the past decade, a country where home phones and television sets were seen as luxury items as recently as 1990 has been transformed into a nation where nearly everyone juggles a mobile phone with multiple SIM cards.

Indeed, despite persistently high levels of poverty, the pace of technological adoption has been breathtaking.

Every month, India adds 5 million new Internet users—up 40 percent in just the past year. The country has overtaken the U.S. to become the second-largest smartphone market in the world. And, emerging IoT devices are expected to drive $511 billion in value through new services and opportunities within India during the next decade.

At the heart of all this transformation is a national digital infrastructure designed to expand and extend online and mobile services to all citizens—including the half who live in poverty and lack access to traditional banking.

Today, each citizen is assigned a 12-digit unique identification number (UID) to use for digital banking and commerce, which is backed by the world’s largest and most sophisticated biometric identification system, known as Aadhaar.

Yet this kind of progress is not without dangers. With each new day, millions go from being underbanked at best to doing virtually everything online, exposing them to new security risks they may not yet understand.

The result is a nation that’s quickly becoming a microcosm for the kind of cybercriminal threats that have fueled $3 trillion in losses worldwide.

For me, it’s a problem that strikes very close to home.

Fast-Track to a Cashless Society

Beginning last fall, India also began a massive de-monetization initiative with the goal of creating a largely cashless, digital society.

As of June, UIDs are required to open bank accounts or to make transactions over 50,000 rupees (roughly $774).

Already, 68 percent of the nation’s hard currency has been taken out of circulation—driving a dramatic shift toward mobile and online payments, which have suddenly surged 250 percent.

As you can imagine, mobile is a key driver of a cashless society, especially where traditional forms of banking have long been inaccessible. Transactions made through mobile devices already make up nearly half of all digital payments in India, and are expected to top $4.4 billion as early as 2022—a compound annual growth rate of more than 148 percent.

It’s enough to lead some to suggest India could one day become the world leader in digital payments. But there’s just one problem.

As a nation’s online transaction volume grows, so does cybercrime.

In the Bihar province of India where my parents grew up, there’s an old proverb that also holds true: “Poverty makes thieves like love makes poets.”

Together, these maxims spell big trouble ahead.

1 Billion Fresh Targets

First, there’s the pace of digitization. While mobile and online access are advancing rapidly, the country’s computers and IT systems can be quite antiquated. As a result, India was hit especially hard by this summer’s WannaCry malware attack and the latest variant of the Petya virus.

Then there’s that surge in new Internet users, which could swell to nearly 1 billion freshly-minted netizens whose lack of digital savvy could make them easy prey. Many aren’t yet familiar with safe digital practices, or how to be wary of social engineering schemes and email- or text-based phishing attacks.

In just the past year, more than 50,300 cybersecurity incidents have been reported to Indian authorities—including denial of service attacks, website infiltrations and, especially, phishing. That’s up from 11,592 the year before.

So far, 2017 looks to be even worse. According to the new Q2 2017 Cybercrime Report from ThreatMetrix, more than one in every 10 transactions is now rejected on suspicion of fraud. IP spoofing features prominently in attacks, driven by easy access to complete customer credentials on the dark web.

One area of particular concern is low-cost, mobile-enabled, person-to-person remittances and payment transfers. India has already emerged as one of the top 10 destination countries for remittances flowing from countries such as Britain and the U.S.

While international banks harden defenses against fraud, lower-cost services can fall prey to cybercriminals, both foreign and domestic, who use stolen customer credentials to take over accounts, or to launder money from a mule account to an account in another region.

In fact, India’s own home-grown cybercrime industry is booming so much, ThreatMetrix ranks the nation as one of the world’s top 10 points of origin for cyberattacks.

And this is where that old Indian proverb comes in.

Slumdog Cyberthieves

If poverty does indeed produce thieves like love begets poets, digital technology is accelerating that process in my family’s native Bihar and in Jharkhand, states where literacy rates trail the national average by 10 percent.

Perceived by many as lowbrow backwaters, these remote regions have emerged as home to 80 percent of India’s high-tech cyberattacks. It is here, ironically, that sophisticated phishing rings have formed to help perpetrators—mostly impoverished young men—earn up to $1,500 in a matter of hours by duping educated elites in major cities.

Some of these rings purchase banking customer phone numbers on the dark web, and then pose as bank representatives calling to “help” their targets reset passwords after a “security breach”—before draining the associated accounts.

Others engage in SIM card swapping, pirating cell phone numbers and taking over victims’ mobile banking apps—with stolen funds transferred to accounts in Bihar and elsewhere.

But how can it be stopped?

A Matter of Identity

India’s government and banking institutions are racing to roll out UIDs, which use biometric authentication to help prevent fraud.

But if they’re anything like their counterparts in more developed nations, they may discover digital identity-based verification is required for these defenses to be truly successful.

Instead of relying solely on login credentials and biometrically generated passcodes that can be stolen or hijacked, digital identity systems analyze users and their devices, locations, activities and hundreds of other dynamic data elements to instantly block fraudsters—even if they’re using legitimate credentials phished from victims.
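To make the idea concrete, here is an added sketch (not ThreatMetrix code and not part of the original post) of context-based scoring applied to a payment whose credentials have already been accepted. The signal names, weights, threshold, SIM-change feed and all sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Illustrative weights and threshold (assumptions, not vendor values).
WEIGHTS = {"new_device": 35, "recent_sim_change": 30, "geo_jump": 20, "new_payee": 15}
REJECT_AT = 60

@dataclass
class Profile:
    """What the service has learned about an account from past sessions."""
    known_devices: set
    usual_region: str
    known_payees: set
    last_sim_change: datetime  # assumed to come from a mobile-operator feed

@dataclass
class Event:
    """One payment attempt; the password or OTP has already been accepted."""
    device_id: str
    region: str
    payee: str
    when: datetime

def risk_signals(profile, event):
    """Return the names of the context signals that fire for this event."""
    fired = []
    if event.device_id not in profile.known_devices:
        fired.append("new_device")
    if timedelta(0) <= event.when - profile.last_sim_change <= timedelta(hours=48):
        fired.append("recent_sim_change")
    if event.region != profile.usual_region:
        fired.append("geo_jump")
    if event.payee not in profile.known_payees:
        fired.append("new_payee")
    return fired

def decide(profile, event):
    """Score the event and return (decision, score, fired signals)."""
    fired = risk_signals(profile, event)
    score = sum(WEIGHTS[s] for s in fired)
    return ("reject" if score >= REJECT_AT else "allow"), score, fired

# Constructed sample data: one account before and after a SIM change.
NOW = datetime(2017, 8, 1, 12, 0)
PROFILE = Profile({"dev-a1"}, "region-1", {"payee-rent"}, NOW - timedelta(days=400))
SWAPPED = Profile({"dev-a1"}, "region-1", {"payee-rent"}, NOW - timedelta(hours=3))
USUAL = Event("dev-a1", "region-1", "payee-rent", NOW)
TRAVEL = Event("dev-a1", "region-2", "payee-rent", NOW)
TAKEOVER = Event("dev-z9", "region-2", "payee-new", NOW)
```

A single unusual signal (the travelling customer) stays below the threshold, while the combination seen after a SIM swap is rejected even though the credentials are valid.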

According to organizations that have deployed such solutions, trusted transaction levels can soar as much as 180 percent. Most important of all, they reflect a customer-first mindset by using advanced technology and digital identity intelligence to help protect consumers.

Will it be enough to put an end to India’s cybercrime boom anytime soon? It’s hard to tell.

But to quote another famous Indian proverb, “Any water in a desert will do.”

ThreatMetrix Team
