How Fraudsters can Gather OTP without Sharing 2020


Cyber crimes in India are rising exponentially, with CAGR in double digits. With the rise in such crimes and increasing awareness, people have become reluctant to share their OTP, UPI PIN etc.


However, some citizens have the false notion that fraudsters must have the OTP for an unauthorized transaction to take place. Cyber criminals have started exploiting this notion to commit fraud. They ask for credit card details, suggesting that since an OTP is a must for online transactions, sharing card details is not unsafe.

Many gullible citizens fall into their trap and become victims. Hence, this write-up covers the OTP requirement for online transactions and the various modus operandi that cyber criminals employ to learn your OTP without you telling it to them.

In essence, we shall understand whether it is possible for a fraudster to commit fraud even when you have not shared your OTP. Remedial measures are discussed towards the end, to help you avoid becoming a victim of such frauds.

Why is OTP Needed for Bank Transactions in India?
The Reserve Bank of India introduced a new guideline for Tele Shopping / Mobile / Interactive Voice Response transactions done using a credit card. As per the guideline, all such transactions required an additional password validation, starting from January 1, 2011.

The idea was to prevent credit card abuse and frauds, and to secure all such transactions done over the Mobile or Interactive Voice Response system. Before this guideline, a credit card transaction over an IVR system required the following:

  • Credit card number
  • Card Expiry date
  • CVV Number 

So, with stolen credit cards, fraudsters were able to make fraudulent transactions, as all the details were present on the card itself. However, after this guideline, two additional things were needed to perform an online transaction. 

  • Mobile Number
  • IVR 3D Secure OTP (One Time Password) 

So, even if you lost your credit card, the fraudsters were unable to generate the OTP for fraudulent transactions. 

RBI Dec 6, 2016 Guidelines: 
RBI had been receiving requests from several stakeholders to review and relax the 2FA requirements, at least for low value transactions. In light of demonetization and to promote cashless payments, RBI relaxed the OTP rules for online transactions (or Card Not Present transactions) under the value of Rs 2,000 on December 6, 2016. 

As per the new rule, customers need to opt in to this facility and complete a one-time registration to avail its benefits. The registration process includes entering card details and a password authenticated by the card network.

Once the registration is complete, users don’t need to re-enter the card details for every transaction on the merchant website or app. The card details act as the first factor of authentication, and the credentials used to log in to the solution act as the second factor of authentication.

Result: “A fraudster can acquire your login credentials through phishing, then transact up to Rs 2,000 without an OTP being required”.

Ways for Fraudsters to Gather OTP without You Sharing It
Fraudsters deploy certain methods to learn your OTP without you revealing it. These methods include:

Method 1: Screen Recording Apps:

Step 1: Fraudsters impersonate a representative of a bank or another institution such as the RBI, a telecom service provider etc. To make the call sound legitimate, they proceed with verification questions like name, DoB, mobile number etc.

Step 2: Fraudsters then ask you to download an app which gives them remote access to your mobile phone, so that they can carry out fraudulent transactions via UPI. Examples of such apps include AnyDesk, TeamViewer, Screen Share or any other third-party app.

Step 3: After you install the app, the fraudsters ask you to share the code, following which they get complete access to your device, without you even knowing it. 

Step 4: Now the fraudsters can steal your passwords and transact with your UPI account. They no longer need to ask you for the OTP to make unauthorized transactions from your account.

Method 2: Spy Apps like Free Tracker Mobile:
Many citizens don’t understand the dangers of the virtual world and hand over their phone to strangers. Similarly, when a phone requires repairs, we hand it over casually and don’t check it afterwards for possible bugs.

You may be surprised to know that installing a spy app on your phone takes hardly 100 seconds. Once the spy app is installed on your device, it starts relaying data to the cloud. Using the login credentials, the fraudster can then see all the data being stored in the cloud, e.g., the cloud of Free Tracker Mobile.

In a nutshell, sharing your smartphone with untrustworthy people can compromise your device and thus your OTP too. The fraudster can read your OTP remotely to perform unauthorized bank transactions.

How to Know if you have been Bugged?

Step 1: Install a free Android app named “Net Capture”. Search for Net Capture in the Google Play Store and follow the on-screen instructions to download and install it.

Step 2: Start packet capture and run it for some time. Then, analyze all the outgoing packets.

Step 3: If you find any suspicious outgoing packet, inspect the related app and its permissions.

Step 4: If you did not install the suspicious app yourself, uninstall it.

Note: The Free Tracker Mobile app disguises itself as Wi-Fi. Similarly, other spy apps assume unsuspecting names to avoid being uninstalled by the victim.
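The permission check in Step 3 can also be done from a computer. The following is an added example, not part of the original article: it parses output in the layout of `adb shell dumpsys package` and lists apps that hold an SMS-read grant (and can therefore see OTPs) but are either not recognised by the owner or were not installed from the Play Store. The sample dump, its package names and the `recognised` set are constructed for illustration.

```python
import re

# Permissions that let an app read incoming SMS, and therefore OTPs.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
PLAY_STORE = "com.android.vending"
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"^\s*installerPackageName=(\S+)")
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=true")
# Constructed sample laid out like `adb shell dumpsys package`; package names are made up.
SAMPLE_DUMP = """\
  Package [com.example.bank] (a1b2c3d):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.wifi.service] (d4e5f6a):
    installerPackageName=null
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.RECEIVE_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (0f9e8d7):
    installerPackageName=com.android.vending
    runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_SET ]
"""

def parse_dumpsys(text):
    """Map each package to its installer and the set of permissions actually granted."""
    apps, current = {}, None
    for line in text.splitlines():
        if m := PKG_RE.match(line):
            current = apps.setdefault(m.group(1), {"installer": None, "granted": set()})
        elif current is not None and (m := INSTALLER_RE.match(line)):
            current["installer"] = None if m.group(1) == "null" else m.group(1)
        elif current is not None and (m := GRANT_RE.match(line)):
            current["granted"].add(m.group(1))
    return apps

def otp_readers(apps, recognised):
    """Apps holding an SMS-read grant that the owner does not recognise or that were sideloaded."""
    findings = []
    for pkg, info in sorted(apps.items()):
        sms = sorted(info["granted"] & SMS_PERMS)
        unknown = pkg not in recognised
        sideloaded = info["installer"] != PLAY_STORE
        if sms and (unknown or sideloaded):
            findings.append({"package": pkg, "sms": sms, "unknown": unknown, "sideloaded": sideloaded})
    return findings

if __name__ == "__main__":
    print(otp_readers(parse_dumpsys(SAMPLE_DUMP), {"com.example.bank", "com.example.notes"}))
```

An app flagged here under a harmless-looking name matches the disguise described in the note above and is the one to inspect before uninstalling.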

How to Protect Yourself?

  • Don’t share your card details: Refrain from sharing credit card details with any stranger, irrespective of the deal. Always remember that banks and other financial institutions will never call you to ask for sensitive personal information. Further, to check the authenticity of unknown numbers, you may use free apps like Eyecon, Truecaller etc.
  • Be cautious of malicious apps: Fraudsters create fake mobile apps that resemble original bank apps and upload them to the Google Play Store. When a person accidentally installs the fake app and grants the necessary permissions, it starts sending sensitive data to the fraudster. E.g., Modi BHIM, BHIM Modi, Modi ka BHIM apps etc.
  • Do not download and install third-party apps: Avoid apps such as Screen Share, AnyDesk, TeamViewer etc. Always use apps downloaded from the official Google Play Store (for Android) or App Store (for iPhones). This applies to bank apps as well.
  • Don’t share your phone with strangers: As discussed, it hardly takes a couple of minutes to bug a phone. Similarly, don’t place the SIM linked with the bank account in a smartphone. Rather, keep it in a basic mobile phone, as it can’t be hacked.

Other Suggestions:

  • If you receive a suspicious text message, or a message with a link from an unknown number, it is better to ignore it or visit the nearest bank branch to confirm it.
  • Do not search for your app’s customer support numbers on Google or any social media. Visit the official website of your app or bank to find the customer-care number.
  • Be skeptical of someone calling you and offering freebies like cash-backs.
  • Do not post the phone number linked with your bank account on social media sites.

In the digital world, a single mistake can compromise your phone, leading to fraudulent transactions. You should always be vigilant and cautious.

Still, if you become a victim of online fraud, lodge an FIR with the nearest police station / cyber cell. Otherwise, you can use the online government portal – National Cyber Crime Reporting Portal – to report such fraudulent transactions.
