The investigations by the Mulund Police into the Rs 1 crore phishing fraud that occurred in Mumbai have brought the modus operandi of the fraudsters to public attention.
The police have arrested two brothers in Delhi who have revealed the following during investigations.
Mr Fajroor Rehman Khan, the elder of the brothers, is a 26-year-old college dropout who is an expert in software. He learnt the “art of e-fraud” and formed a gang in 2008. He improved upon the old Nigerian tactic of sending an e-mail and asking the recipients to visit the bank’s website. He considered this method “outdated” and took the “Trojan route”.
He did some research, chose a “Trojan virus” and sent mails to around 5000 persons asking if they needed “expert help” to update their systems. The moment the recipient clicked on the e-mail, the Trojan got activated and enabled Fajroor to monitor the activities of the victim. Using this technique he stole the credentials of the current account of Mr Ankur Korani, a director of a cosmetic company, and using the password and user name he accessed the account and transferred Rs 1 crore to 12 accounts in 45 minutes.
It is to be noted that with this “Trojan approach”, banks cannot, as they used to do with the older technique, accuse customers of being negligent in passing on their credentials to a fraudster.
Secondly, the usual security message which banks provide on their websites stating “We do not ask your password” is of no consequence, since a “Trojan” is dropped with a spam mail of any subject line or content.
Banks should therefore harden their systems so that an analysis of the pattern of past transactions reveals such suspicious transactions. In the instant case, the transfer of Rs 1 crore within 45 minutes to 12 different unknown persons across the country is a giveaway.
The fact that PNB did not have a system of risk analysis based on the transaction pattern is a matter to be taken note of.
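The kind of transaction-pattern check described above can be sketched as follows. This is an added example, not any bank's actual system: the function names, the 60-minute window, both thresholds and all sample data are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

def first_alert(history, transfers, window=timedelta(minutes=60),
                max_new_payees=3, max_new_total=2_000_000):
    """Return (index, reason) for the first transfer to hold, else None.

    history   -- payee ids this account has paid before (its past pattern)
    transfers -- time-ordered (timestamp, payee_id, amount_rs) tuples
    The window and both thresholds are assumed values for illustration.
    """
    known = set(history)
    recent = deque()  # transfers to first-time payees inside the window
    for i, (ts, payee, amount) in enumerate(transfers):
        if payee in known:
            continue  # consistent with past transactions, not counted
        recent.append((ts, payee, amount))
        while ts - recent[0][0] > window:
            recent.popleft()  # drop entries that fell out of the window
        payees = {p for _, p, _ in recent}
        total = sum(a for _, _, a in recent)
        if len(payees) > max_new_payees:
            return i, f"{len(payees)} first-time payees in window"
        if total > max_new_total:
            return i, f"Rs {total} to first-time payees in window"
    return None

def constructed_case():
    """Constructed data shaped like the reported fraud: Rs 1 crore sent to
    12 previously unseen payees, one transfer every 4 minutes."""
    start = datetime(2000, 1, 1, 10, 0)  # arbitrary constructed timestamp
    amounts = [833_333] * 11 + [833_337]  # sums to 10,000,000 (Rs 1 crore)
    return [(start + timedelta(minutes=4 * n), f"new-payee-{n}", amt)
            for n, amt in enumerate(amounts)]

if __name__ == "__main__":
    history = ["supplier-a", "supplier-b", "payroll"]  # constructed
    print(first_alert(history, constructed_case()))
```

With these assumed thresholds the check fires on the third transfer, so the remaining nine could be held for confirmation instead of being completed.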
It must also be noted that there is an inherent risk in browser-based log-in with password authentication, which has no legal or regulatory support, and the sooner the banks recognize the truth, the better it is for bank customers.