Tue, Nov 05, 2024 | Jumada al-Awwal 3, 1446 | DXB ktweather icon0°C

To chase a crooked shadow

Top Stories

Alamy Image

Alamy Image

Personal data breaches, thanks to compromised online security protocols, are leading to a spike in identity thefts in India’s consumer economy. What does it mean to be impersonated by a cybercriminal?

Published: Sat 24 Jul 2021, 10:07 PM

  • By
  • Anil Padmanabhan

In the first week of April, Delhi-based Rishi Kapoor approached Electronica Finance Ltd, a non-bank finance company, to jointly avail a commercial loan for expanding the family business headed by his father. During routine queries, the loan officer, after reviewing his credit history, informed him that there were outstanding loans in his name. Kapoor presumed the reference was to the loan he had taken out previously to purchase a car and replied it had been repaid. The matter rested there as both sides said they would revert. Two weeks later, India was in the throes of a ferocious second wave of Covid; Delhi, along with most of India, went into lockdown. The Kapoors decided to drop their business expansion plan — and, by extension, the loan proposal.

However, the loan officer’s claim of outstanding dues against his name continued to bother Kapoor.


A month later, he casually mentioned this to a friend, who, in turn, cautioned Kapoor he may have been a victim of identity theft — among the fastest-growing cybercrimes in India, and across the world.

Kapoor, like most victims, was initially pretty sure this could not happen to him as he was always careful about his online transactions. But then fear got the better of him and, in early June, he checked his credit scores tracked by Transunion Cibil, the credit information company.

Imagine his shock when he found he had not one, but three outstanding loans: two loans from Bajaj Finance to purchase consumer goods and one from HDFC Ltd for purchase of a used car. Together, they added up to Rs389,588 (approx. Dh19,000), a tidy sum for the 36-year old salaried professional. “I alerted HDFC and Bajaj Finance and copied the Reserve Bank of India [on the complaint] on 4 June,” Kapoor says. While Bajaj Finance is yet to respond, HDFC got back claiming it was an internal error of the bank which led to the linking of Kapoor’s account with someone who had “similar demographic details”. A new update provided by Cibil shows that the HDFC loan is no longer an outstanding against Kapoor, who is still unsure whether or not he will file a police case.

The good news, he points out, is there is no forensic record of this money either being received by him or paid by him as EMI (equal monthly instalments) repayments. Further, neither lender had approached him for defaulting on the EMI payments from March: whoever had taken out the loan in his name was paying the EMIs.

But the bad news is that Kapoor’s online identity may have been compromised. In other words, his personal specs, including his unique Income Tax Permanent Account Number (PAN), is out on the dark web. He remains vulnerable to fresh hacks.

Kapoor’s is not an isolated case. Data suggests that there has been a spike in the last one year as most people were forced to work from home (WFH) with domestic Internet access unable to ensure required security protocols. The fear is that, if left unchecked, these rapidly growing cybercrimes — largely homegrown at the moment — have the potential to undermine India’s rapidly growing online commerce space. While the big headlines are being grabbed by Amazon and Flipkart, the social commerce sector, led by the likes of Meesho, is now taking business beyond the metros to smaller towns and villages too.

Whack a mole

Norton Cyber Safety Insights, a cybersecurity firm, in its 2021 report released in April found that 120 million Indian consumers were victims of some kind of cybercrime in the last 12 months, when most people were confined to their homes and transacted online. Of this, a record 27 million adults, like Kapoor, were victims of first-time identity theft. “In a year of lockdowns and restrictions, cybercriminals have not been deterred,” says Ritesh Chopra, Director Sales and Field Marketing, India & SAARC Countries, NortonLifeLock. “More Indian adults fell victim to identity theft in the past 12 months and most are concerned about data privacy.” The survey reports identity theft was the “stand out trend” last year. The growth in the number of people reporting an identity theft for the first time was 14 per cent in 2020 compared to 10 per cent in 2019. “And almost one in two people were actual victims of ID theft,” he adds.

What is true for individuals is worse for companies. According to the Experian’s Global Insights Report (January/February 2021) released recently, 46 per cent businesses in India witnessed an increase in fraud in the last one year.

One reason for this surge in Internet users in India is the low tariffs on data — a trend that got a big fillip after Jio launched its services, forcing other telcos to match their low tariffs. According to the ‘ICUBE 2020’ report compiled by The Internet and Mobile Association of India (IAMAI) and Kantar, the global data, insights and consulting company, India reported 622 million Active Internet Users (AIU) in 2020; it was 384 million in 2017. This is projected to grow to 900 million by 2025, by which time Internet users in rural India will outnumber their urban counterparts.

The data also reveals that, in urban India, Internet users are evenly divided. The cluster of top nine metros account for 33 per cent, while small towns account for 40 per cent. The same study indicates that nearly one in two AIUs have engaged in some kind of online e-commerce: shopping, banking, booking train or plane tickets etc. This usage pattern has only accelerated in the post-Covid era when people have been forced to stay indoors. “There has been an accelerated digital adoption, especially after the adoption of #WFH. We are ordering online groceries, medicine, classes… Entertainment consumption has shifted online too,” says Chopra.

With so much personal information out there, cyber criminals are acquiring the edge which makes it easier for them to evade scrutiny of security protocols and rewrite existing white collar crime modus operandi. As Sanjay Bahl, Director General, Indian Computer Emergency Response Team (CERT-in), the nodal government agency in India dealing with cyber security threats, explains: “Everything is evolving, including crime. Earlier identity theft was restricted to stealing credit card details and hacking passwords. Today, personal data is shared on so many platforms (social media, hotels, hospitals and restaurants etc): if any of these platforms is hacked, your personal data is compromised.”

WFH has meant that security protocols of companies have been diluted with employees accessing the Internet on their home WiFi, which are, at times, unsecured or protected by a weak password. “While Internet access is growing, the vulnerability of users is growing proportionately since the attack surface is increasing,” Bahl points out.

Brijesh Singh, Inspector General of Maharashtra, who was earlier headed the anti-cybercrime cell for the state, says cybercrimes are assuming a financial form: “Mass cyber-attacks are happening primarily because of data breaches. A data breach is not as simple as it looks. It utilises the personal information so gained to stage further attacks.”

The last one year has seen a big spurt in data breaches across the world. CERT-in recently informed the Indian Parliament that over 26,100 websites were hacked during 2020 compared to 17,560 two years ago. The recent high-profile breaches include Air India (which compromised the details of 4.5 million passengers) and Domino’s India (details of 180 million orders were stolen).

The trend is similar, if not worse, in the United States. According to the Identity Theft Resource Center (ITRC), a US-based non-profit, the first half of 2021 has seen a surge in data breaches. There were 846 compromises in the period ended June 2021; if this trend endures for the rest of the year, ITRC feels breaches this year will top the record of 1,632 — logged in 2017.

Offence vs defence

The nub is to deal with the difficult trade-off between convenience (for users) and security. Most consumers are willing to compromise on security to enable ease of use — typically allowing the browser to memorise the password — leaving them vulnerable. “There is no one-size-fits-all approach to curb the menace of identity theft,” says Rajesh Thareja, Vice President – IT, Pine Labs, a fintech engaged in consumer credit. One way of minimising the risk is to ensure personal data is kept encrypted and stored only for the required duration: in short, it should not lying around permanently on computer servers of consumer-facing companies.

Nitin Gupta, founder and CEO at UNI, a new fintech looking to disrupt the business of consumer credit, admits that identity theft will worsen. “When you are combating identity theft, you are trying to research the customer without increasing the pain point of verifying too many details of the customer. It is a continuous balancing act,” he said in response to a question posed by Khaleej Times during a recent chat on Clubhouse on how identity theft could upend online commerce.

An added worry is whether these hacks are now beginning to acquire a cross-country, or cross-regional, hue — something like criminals without borders. Sanjay Pandey, Director General of Police (DGP) Maharashtra and someone who has worked extensively in cybersecurity, believes there is no evidence as yet. “If a person is committing cyber fraud, it is certainly indicative of an organised network, especially if they are engaging in identity theft. As yet, we are not aware of a linkage to international syndicates with respect to identity theft.”

There seems to be a consensus among experts that the solution lies in addressing both the cause and effect of cybercrime. This is easier said than done given the prevailing mindset and the fact that law is still playing catch up. Cybercrimes are listed under the Information Technology Act, conceived in 2000 and amended in 2008. The problem is that these laws were put in place in a different era and with the intent of facilitating e-commerce; the maximum sentence for a cybercrime is a fine and a three-year prison sentence. The notion of cybercrime is pretty recent to India’s online space and there is no separate law addressing it.

As Pandey explains, “The existing IT Act in India came into being to place guardrails to facilitate the growth of e-commerce. Unlike in the US which had ‘The Computer Fraud and Abuse Act’ enacted way back in 1986 to address cybercrime. In fact, all developed countries have a separate law to deal with cybercrime which have protection of data privacy at the centre of it.” Arguing his case for a separate law on cybercrime, Pandey maintains that at the moment the cause of the breach is not investigated. Instead, the emphasis is on examining the consequences. The ability to deal with both the cause and effect of identity theft, as Pandey points out, can only be achieved by legally securing the data privacy of an individual.

The law protecting personal data is still doing the rounds of Parliament. It is not clear whether it will be tabled and approved in the upcoming Monsoon session of Parliament. While there is talk about evolving a national cyber strategy, there is no buzz on a separate law to deal with cybercrime.

For the time being, mitigation may be the best bet, both for consumers and companies. Unfortunately, there’s a prevailing “careless” mindset vis-à-vis Internet security, Bahl points out. Especially among companies “which need to be on top of their game when they secure data... this is not the case and most will be willing to invest only after a breach. By then it is too late.” Singh concurs. “Most (companies) will dismiss investment in cybersecurity as unnecessary costs as defence is disproportionately more expensive than offence. After all, defence has to succeed all the time while offence just needs to break-in once.”

As one expert pointed out, in most companies, the Chief Information Officer, who oversees the information technology networks, rarely reports to the Chief Executive Officer. Most often it is an indirect reporting line, which inevitably blindsides the management to the threats and consequences of cybercrime.

Interestingly, Kapoor, though chastened for his bad experience, is pragmatic. “Look, I can’t avoid buying online. It is a way of life for most of us now. But, yes, I will be careful about the sites I access. Further, I am planning to extinguish all my credit card accounts except one and will use a masked Aadhaar from now on (for online verification of identity).”

(Anil is a journalist based in New Delhi, India. He tweets @capitalcalculus)



Next Story