It’s estimated that cybercrime will result in global business losses to the tune of $2 trillion in the next two years. It has already hit India as it compromises credit cards and empties wallets
By Ramesh Menon
When it comes to ingenuity in scams, one has to hand it to some Indian brains. Who else would have thought of starting a call center in Mumbai to frighten American citizens of impending tax raids and then siphoning off their money?
Last fortnight, the police questioned over 600 call center employees in Mumbai and Ahmedabad and arrested more than 70 of them, charging them with extortion, impersonation and cybercrimes under the Indian law. Mimicking and posing as tax collectors from the US Internal Revenue Service (IRS), they made hundreds of calls every day to US citizens threatening that the police would soon knock on their doors because they had filed fraudulent tax returns or defaulted on tax payments. They asked them to immediately make a payment to avoid arrest. The Americans would see the IRS number flashing on their caller IDs as the call center had spoofed the toll number. Paranoid, they would immediately agree to pay up, fearing that their previous tax and financial statements would be opened up.
The police stumbled on one case where the victim shelled out $60,000 within minutes of the call. The callers would ask their victims to transfer funds to specific individuals or accounts. About 30 percent of the money thus collected was reportedly shared by American collaborators in a well-oiled operation that went undetected for a year. Around $55 million was siphoned off from nearly 6,500 US tax-payers.
As the police swooped down on the call center, its masterminds, Sagar Thakkar, and his sister, Reema, flew off to Dubai. Sagar had picked up the dynamics of how call centers operated since he was 16 from one Jagdish Kanani who had learnt it while working abroad. Though Sagar escaped, the crime branch seized his Audi R8 which he had bought from cricketer Virat Kohli for a whopping Rs 2.5 crore. He had handed it over to a friend in Delhi, who in turn hid it at a relative’s place in Rohtak, Haryana. Param Bir Singh, Thane’s police commissioner, suspects that this scam may just be the tip of the iceberg. According to one estimate, as much as $1,50,000 daily could have been extracted from the victims.
Nearly 70 percent of call centers in India are involved in fake, illegal and extortion activities. It is safe to operate as it is such a low-risk activity. The chances of detection or being punished are rare. The police do not know how to trace or investigate cybercrime or collect digital evidence that can make it admissible in a court. No wonder above 80 percent cases are acquitted.—Neeraj Aarora, cyber lawyer and forensic expert
This scam has shown that cybercrime will be a new challenge for our security agencies. Unfortunately, the police even in urban India is too ill-equipped and technologically-challenged to understand the nuances of automated crime. Kochi-based cyber law consultant Prem Kamath said: “Though call centers handle personal data, India does not have a dedicated data protection law like the US and many other countries. The only legislation in this regard is the Information Technology Act 2000 which was basically brought in to facilitate e-commerce. It just has a few provisions for combating cybercrime. Even those got diluted with amendments in 2008.”
In future, modern crime will be directed from sophisticated technological gizmos in AC confines where hackers steal data and information. Juniper, a global research agency, estimates that cybercrime will result in business losses to the tune of $2 trillion in the next two years. Gartner, a global technological consultancy, said that by 2017, businesses will have to invest nearly $100 billion on cyber security.
Ransomware is one of the new threats that beats police all over the world. It is a malicious software which steals entire data from a computer system and it is not restored until a sum of money is paid. In the US, two police stations which were attacked with Ransomware paid up to get their data back as the criminals operated from the Dark Web. In India, over 5,000 corporate entities were victims of Ransomware but just five cases have been registered.
Kamath said: “Technology changes rapidly but laws do not. Most of the laws in the Information Technology Act 2000 are bailable. A criminal targeting computers knows that the law is lax as far as punishment goes. When cyber laws are framed, it must have a strong deterrent that will discourage the criminal. Cybercrime laws should be constantly revisited, evaluated and changed.”
What should worry all of us is that more and more devices like TVs, mobiles, computers, fridges, cars and even pacemakers are being connected to the internet, exposing us to the danger of cyber thieves tearing our lives apart. CISCO, a technology company, estimates that by 2020, nearly 50 billion of our devices will be connected to the internet. Most of these will be insecure connections. Think about it.
There is also this new concept called the Internet of Things, where any device can be connected to the internet with an on and off switch. This will be a huge network of people connected to things, people to people and things to things. It could, for instance, set your alarm clock to go off at 7 am, then alert your coffee machine to start brewing coffee and switch on the bathroom geyser. Later, it could switch on the toaster while your car looks at the calendar and figures out which route is least crowded. An exciting automated life, no doubt, but someone could hack into these to steal data! Gartner says that by 2020, there will be over 26 billion connected devices while others estimate that it could be much higher.
In another eight years, the Internet of Things will generate up to $11 trillion to the global economy, according to McKinsey Global Institute. Why should this worry India? Cyber criminals can easily shoot off malware to infect devices and take control of data within. Last year, over a billion Android phones were exposed to a malware called Stagefright which allowed criminals to hack the devices by just sending an infected text message. Like the duped US citizens, you might know how you were shortchanged only months or years later.
So how would a Bhatinda cop who has been trained to tackle local crime track a transnational thief who is using servers in various countries? It is not easy even with modern tools. Training, therefore, is imperative. In a study, IBM found that 95 percent of all data-security breaches were caused by human error. If India has to brace up to cybercrime, it has to ensure excellent training and education so that more people are alert to the dangers of cybercrime. And the cyber criminals could be anyone. Records of the National Crime Records Bureau last year showed that these criminals could be those whom you least suspect such as neighbors, friends, relatives, business rivals, disgruntled employees, hackers, sexual freaks, mentally deranged people and even religious leaders.
Prof Madhava Menon who is seen as the father of law education in India told India Legal: “The real challenge is putting in place an enforcement apparatus that can smartly use technology to investigate sophisticated cybercrime both in the police force and the judiciary. Constables today cannot handle it. We need technical experts in the police force who can constantly update themselves on criminals who are every day acquiring new technology to outwit the police and the judiciary. No more can the conventional standards of proof work in cyber crime as it has its tentacles across international borders.”
Last month, numerous banks such as HDFC, ICICI and Axis found that they had been hit by cyber attacks. They and several other banks like the State Bank of India blocked over 3.2 million debit cards as a precautionary measure as they noticed fraudulent transactions of their cards in countries like China and the US. Around 640 customers were found to have lost about Rs 1.3 crore in these fraudulent transactions.
Some banks asked customers to immediately change their PIN (Personal Identification Number). An investigation by the National Payments Corporation of India found a malware-induced security breach in the systems of Hitachi Payment Services. It provides point-of-sale to numerous ATMs in India. It was one of the biggest data breaches in India.
Union Home Minister Rajnath Singh said that growing cybercrimes have magnified the country’s challenges and the cybercrime prevention strategy needs to be strengthened. Cybercrime figures for 2013-14 indicate that it is increasing at the rate of 50 percent annually. Maharashtra, UP and Andhra Pradesh are the most affected states, while the North-Eastern states are the least affected.
A joint study of Assocham-PwC—“Protecting Interconnected Systems in the Cyber Era”—showed that between 2011 and 2014, cybercrimes increased by 300 percent. It said that these attacks were happening with greater frequency and intensity. Most of it was from the US, Turkey, China, Brazil, Pakistan, Algeria, Turkey, Europe and the UAE. As India is one of the major users of the internet and smartphones, it is emerging as one of the primary targets for cyber criminals, it said.
The study said there was a possibility of attackers gaining control of vital systems such as nuclear plants, railways, transportation and hospitals, disrupting and endangering life. In the US, between 2012 and 2015, there has been an increase of nearly 50 percent in reported cyber incidents against critical infrastructure. In India, the Indian Computer Emergency Response Team reported that as many as 50,000 security incidents took place in 2015. The only way to combat this threat is to ensure regular sharing of cyber security intelligence and improving the resiliency of these systems and processes.
Neeraj Aarora, cyber lawyer and forensic expert who has been training judges, police officers and other security personnel on cybercrime and law, told India Legal: “We have so many challenges as far as cybercrime goes but we have no solutions. Nearly 70 percent of call centers are rackets in India and are involved in fake, illegal and extortion activities. It is safe to operate as it is such a low-risk activity. The chances of detection are almost nil. The chances of being punished are rare. The police do not know how to trace or investigate cybercrime as they do not know how to collect digital evidence to make it admissible in a court of law. That is why more than 80 percent of cases are acquitted. The legal community is also not aware of the intricacies of cybercrime. It is a frightening and dangerous situation.”
Lead pictures: Bhavana Gaur