News
Cybercrimes: Financial fraudsters are becoming increasingly innovative
The Indian nationals were thought to be running a jewellery shop. Yet, when Criminal Investigation Department (CID) detectives raided the establishment at the ground floor of the Gold Centre building in Pettah last week, not a trace of gold was found; only a few empty cupboards. The jewellery shop was a front, the detectives found. The five-member gang was, in fact, carrying out an elaborate credit card fraud.
A CID source said they acted after a private bank official made a complaint that the suspects were involved in a fraud using a Point of Sale (POS) terminal provided by the bank and credit cards containing fake data. The POS terminal is a device retail outlets use to scan credit or debit cards to process payments. The suspects had obtained this device from the bank saying they wanted to conduct “business transactions” at the jewellery shop which they claimed wasbeing set up with a local partner.
The CID source said the device had been used to carry out 97 illegal transactions on September 29 and 30. Four of these had been successful, resulting in USD 1,100 (Rs. 188,700) being transferred to an account in the shop’s name. The suspects had attempted to obtain USD 266,771 (Rs 45, 351, 070) in total through the transactions.
Among the items found in the suspects’ possession were an encoder device, 20 credit cards encrypted with false data, a laptop and six mobile phones containing data used for the scam.
The suspects themselves are a curious mix. According to investigators, one is a registered doctor in Tamil Nadu. Another is a lawyer while a journalist was also among the arrested. The CID source said the suspects had bought customer data stolen from banks in seven countries by hackers to carry out the scam. The gang had bought the data using the digital cryptocurrency bitcoin.
Financial crimes of this nature have become all too common in the digital age, and lack of awareness among the general public of such scams is the major reason why the crooks succeed, officials told the Sunday Times. In recent years, ATM “card skimming” scams have targeted debit card users in many parts of the country, with both locals and foreigners involved in the crimes. In most cases, thieves have stolen customers’ card information by attaching card skimming devices to ATM machines. Other types of financial crimes are also on the rise.
In the most recent example, the CID, this week, arrested four women who were allegedly defrauding money from elderly men and women by duping them into divulging their bank details. The women had been involved with various non-governmental organisations conducting social welfare programmes, through which they came into contact with their victims. The elderly victims, most of whom were pensioners, had little or no knowledge of conducting financial transactions through the internet. The women had allegedly perusaded their victims not only to divulge their banking details, but also to download mobile apps that most banks have now developed to make online banking easier. “Armed with all the relevant details given by the victims, the suspects had then used the same mobile apps to transfer funds from the victims’ bank accounts into their own,” a senior CID officer explained.
Among foreigners involved in digital financial frauds, Nigerians have been the most prominent. Police have arrested 114 Nigerians in recent years. The CID said some suspects contact victims over the internet and build a relationship. They then claim to have sent a gift to their victims, and subsequently ask them to debit some money to a bank account as taxes to get the item released from the Customs. Some who have been caught in the scam have lost more than Rs 6 million, detectives said. On other occasions, some Nigerian nationals here have asked locals to give them access to their bank accounts on various pretexts, only to use the accounts to transfer stolen funds out of the country. This has disastrous consequences for the locals as they, too, are liable to be arrested for aiding and abetting financial fraud.
Dileepa Dharmapriya, a member of the experts’ panel set up under the Payments and Settlements Systems Act, said customers had a responsibility to “immediately” notify their banks if their credit and debit card details had been compromised. He said banks would not accept responsibility for any transactions which occurred prior to the customer reporting the matter.
Mr Dharmapriya said retailers using POS terminals had a responsibility to verify customer details on the card receipts if the purchase was substantial and aroused suspicion.
Private companies and small businesses, too, have become victims in financial crimes conducted over the internet, said Roshan Chandraguptha, Principal Information Security Engineer at the Sri Lanka Computer Emergency Readiness Team (CERT).
He said there had been incidents where hackers, after hacking email accounts, had managed to route the funds to overseas bank accounts. “They mostly hack accounts by tricking people into divulging their user names and passwords,” Mr Chandraguptha pointed out. For example, victims may receive an email claiming that their inbox had nearly reached its capacity and they needed to click on the link in the email to verify their account details. Once the user does this, the hacker gains access to the account.
In one case, a company had been expecting money from a client for a shipment of goods, but believed payment was being delayed due to the New Year holidays. When the money failed to arrive even after the holidays, they had contacted the overseas based client, only to be told that the funds had been deposited with the company’s “other bank account” before the New Year as per their email. The company, however, had only one bank account and had sent no such mail. It was then that they realised that they had been scammed, Mr Chandraguptha revealed. “Small businesses have gone bankrupt after being caught up in such scams,” he also said.
If you are engaged in a business, you should ensure that any changes to the bank account of the person you are supposed to send the funds to are correctly verified, he said. “Make sure to verify the change of account through multiple channels. If you are changing your own bank account, also inform the partner through multiple channels of communication, rather than just via email.”
Even banks and financial institutions in Sri Lanka are under constant threat. “There are attacks coming every day. Some (hackers) are just checking security measures and gathering information. Others actually try to gain access,” said Loshan Wickramasekara, Manager Information Security at the Financial Sector Computer Security Incident Response Team (FINCSIRT). Initiated in 2014, FINCSIRT is a specialised unit responsible for receiving, reviewing, processing and responding to computer security alerts and incidents affecting the banks and other licensed financial institutions in the country. It is a joint initiative of the Central Bank, CERT and Sri Lankan Bankers Association.
FINCSIRT has 43 members, which includes all local banks and most of Sri Lanka’s financial institutions. Mr Wickramasekara said the unit conducted monitoring 24/7 to identify security threats to the country’s financial sector.
At present, the only way people in Sri Lanka can transfer funds overseas is by using the SWIFT messaging network, which links more than 11,000 financial institutions in some 200 countries and territories around the world. Mr Wickramasekara said the network’s security had been greatly enhanced since the2016 Bangladesh Central Bank cyber heist. In this case, hackers issued instructions via the SWIFT network to successfully withdraw USD 101 million belonging to the Bangladesh Central Bank and transfer the funds to accounts in Sri Lanka and the Philippines.
Though ever more stringent security measures are taken, one cannot guarantee 100 percent security due to two reasons, Mr Wickramasekara said. One was the human factor. “There is always room for human error, and that cannot be factored out,” he said. The second reason is what are known as “Zero-Day Attacks.” A zero-day is a computer software vulnerability that is unknown to those who would be interested in mitigating the vulnerability. Hackers who identify the vulnerability can exploit it maliciously to their advantage. “As such, no one can be super secure from hackers. But, what we can do by having more security is to make their lives harder,” he said.
Think before you reveal personal details | |
Most Sri Lankans who fall victim to cybercriminals do so due to lack of awareness, said Loshan Wickramasekara, Manager Information Security at the Financial Sector Computer Security Incident Response Team (FINCSIRT). Even in rural areas, people are increasingly using ATM cards and smartphones, but many people do not have a proper idea of how to use them, he pointed out. There are also so many competitions where people can win various prizes that sometimes, verifying the authenticity of competitions is a challenge, he said. “If you are told you have won Rs 5,000 and need to give out some of your personal details to claim the prize, many will divulge the information without thinking, unless they have been educated on what information to give and what not to give.” Since the younger generation is the more well-versed in digital technology, Mr Wickramasekara opined that cyber-security awareness programmes should begin at school-level. |
Cyber-attacks come in four ways | |
Cyber-attacks directed against Sri Lanka’s financial sector are grouped into four categories, namely phishing, ransomware, malware and information leakage, according to FINCSIRT. Phishing is a type of cybercrime where criminals try to trick individuals into revealing sensitive information such as user names, passwords and credit card details. It is typically carried out through email or instant messaging. Malware, or malicious software, is any programme or file that is harmful to a computer user. These include computer viruses, worms, Trojan horses and spyware. Ransomware is a type of malware that prevents users from accessing their system or personal files unless a ransom is paid in order to regain access. Information leakage is where sensitive data are revealed, either willingly or unwillingly, enabling hackers to exploit weaknesses in the system. |
Sri Lankan lawyer re-elected to cybercrime treaty bureau | |
At the recently concluded sessions of the Cybercrime Convention Committee (T-CY) of the Council of Europe in Strasbourg, Sri Lankan Attorney, Jayantha Fernando, was re-elected to the Bureau of T-CY. The Council of Europe Convention on Cybercrime (ETS 185), also referred to as the “Budapest Cybercrime Convention”, is the only global treaty on Internet and computer related crime and improves investigative techniques based on international standards and enhances criminal justice cooperation among nation states to effectively combat the threat from cybercrime. The Bureau of the Budapest Cybercrime Convention Committee, consisting of a Chair, Vice Chair and 9 elected experts from across the world, is tasked with the effective implementation of this important International treaty at a global level. The convention entered into force in Sri Lanka on September 1, 2015. Sri Lanka became the first country in South Asia to become a state party to this convention. The ICT Agency of Sri Lanka (ICTA) and Sri Lanka CERT, which functions under the Ministry of Telecommunications & Digital Infrastructure, took the lead initiative to facilitate Sri Lanka’s entry into the Convention, along with the Ministries of Justice and Foreign Affairs. Jayantha Fernando serves as Legal Advisor of ICTA and Acting Chair of Sri Lanka CERT. Mr. Fernando’s nomination was proposed by Australia, Estonia and Portugal and he was elected unanimously, with other state parties supporting the nomination. He is the first from a South East Asian country to be elected to the Bureau of the Budapest Cybercrime Convention. |