Cyber crimes in Indi are rising exponentially, the CAGR growth being in double digits. With the rise in such crimes and increasing awareness, people have become reluctant to share OTP, UPI PIN etc.
Learn the most common types of online frauds in India, here: https://cyber-cops.com/cyber-victim/5-most-common-types-of-online-frauds-in-india
However, some citizens have false notion that for unauthorized transactions to take place, fraudsters mandatorily require OTP. Cyber criminals have started reaping benefits of this notion, to commit frauds. They ask for credit card details, suggesting that for online transactions, OTP is must, thus sharing card details is not unsafe.
Many gullible citizens fall to their trap, leading to their victimization. Hence, this write up is about, requirement of OTP for online transactions and various Modus Operandi that cyber criminals employ, to know your OTP without you telling it.
In essence, we shall understand, whether it’s possible for a fraudster to commit fraud, even without sharing OTP details. Also, remedial measures shall be discussed towards the end, to prevent being victims of such frauds.
Why OTP is Needed for Bank Transactions in India?
Reserve Bank of India had introduced a new guideline for Tele Shopping / Mobile / Interactive Voice Response Transaction, done using credit card. As per the guideline, all such transactions required an additional password validation, starting from January 1, 2011.
The idea was to prevent credit card abuse and frauds, and to secure all such transactions done over the Mobile or Interactive Voice Response system. Before this guideline, a credit card transaction over an IVR system required the following:
So, with stolen credit cards, fraudsters were able to make fraudulent transactions, as all the details were present on the card itself. However, after this guideline, two additional things were needed to perform an online transaction.
So, even if you lost your credit card, the fraudsters were unable to generate the OTP for fraudulent transactions.
RBI Dec 6, 2016 Guidelines:
RBI had been receiving requests from several stakeholders to review and relax the 2FA requirements, at least for low value transactions. In light of demonetization and to promote cashless payments, RBI relaxed the OTP rules for online transactions (or Card Not Present transactions) under the value of Rs 2,000 on December 6, 2016.
As per the new rule, customers need to opt-in for this facility and complete one time registration to avail its benefits. The registration process includes entering card details and a password authenticated by the card network.
One the registration is complete, users don’t need to re-enter the card details for every transaction at merchant website or app. The card details act as first factor of authentication and the credentials used to login into the solution act as second factor of authentication.
Result: “A fraudster can acquire your login credentials through phishing, then transact up-to Rs 2,000 without requirement of OTP”.
Ways for Fraudster to Gather OTP without you Sharing it?
Fraudsters deploy certain methods to know your OTP, without you revealing it. These methods include:
Method 1: Screen Recording Apps:
Step 1: Fraudster impersonate as representative of a bank or any other financial institution like RBI, telecom service provider etc. To make the call sound legitimate, they proceed with verification questions like name, DoB, mobile number etc.
Step 2: Fraudsters then ask you to download an app, which gives remote access to your mobile phone to carry out fraudulent transactions via UPI. Examples of such apps include Any Desk, Team Viewer, Screen Share or any other third party app.
Step 3: After you install the app, the fraudsters ask you to share the code, following which they get complete access to your device, without you even knowing it.
Step 4: Now fraudsters can steal your passwords and transact with your UPI account. They need not ask OTP from you any longer, for making unauthorized transactions from your account.
Method 2: Spy Apps like Free Tracker Mobile:
Many citizens don’t understand virtual world dangers and hand over phone to strangers. Similarly, when phone requires repairs, we give our phone casually, and don’t check back again for possible bugs.
You may be surprised to know, that to install spy app in your phone, it hardly requires 100 seconds. Once the spy app is installed into your device, it starts relaying data to the cloud. Using the login credentials, the fraudster can then see all the data being stored in the cloud. E.g., cloud of Free Tracker Mobile.
In nutshell, sharing your smart phone with untrustworthy people, can compromise your device and thus, OTP too. The fraudster can read your OTP remotely, to perform unauthorized financial bank transactions.
How to Know if you have been Bugged?
Step 1: Install a free Android app named “Net Capture”. Search for Net Capture in Google Play Store and follow on the screen instructions, to download and install it.
Step 2: Start Packet capture and run it for some-time. Then, analyze all the outgoing packers.
Step 3: If you find any suspicious outgoing packet, inspect the related apps and its permissions.
Step 4: If you have not installed the suspicious app, uninstall it.
Note: Free Tracker Mobile app, disguises itself as Wi-Fi. Similarly, other spy apps, assume unsuspecting names, to prevent being un-installed by the victim.
How to Protect Yourself?
In digital world, one single mistake can compromise your phone, leading to fraudulent transactions. You should always vigilant and cautious.
Still, if you become victim of online fraud, then you lodge an FIR with the nearest police station/ cyber cell. Otherwise, you can use the online government portal – National Cyber Crime Reporting Portal – cybercrime.gov.in to report such fraudulent transactions.
Here is the complete procedure to get money back in online fraud cases: https://cyber-cops.com/blog/sop-for-money-refund-in-online-fraud-cases