Thursday, January 15, 2015

Mobile Phone SIM Swap or SIM Exchange fraud and how to protect your selves?

By Prashant Mali


I have clients who have lost anywhere from Rs. 30,000/- up to Rs. 1.25 crores in SIM Exchange/Swap fraud, and mind you, none of them was computer illiterate. As the name suggests, someone obtains a new SIM for your number from the same network provider and then operates all your banking transactions. The bank cannot differentiate between you and the fraudster, because the account is being operated from the same registered number. Even mobile operators are unable to track such frauds, and sometimes they abet the crime through faulty KYC checking.

SIM Swap Fraud
Let us see each step one by one.
1) Fraudsters gather your information - The first step is to gather your personal information. Usually they obtain it by phishing, vishing, smishing or through Trojans/malware, with the aim of collecting your banking details.
2) Fraudsters visit the mobile operator to block your SIM - They approach the mobile operator with a fake ID proof in the genuine customer's name and request that the SIM be blocked, citing loss of the handset or damage to the SIM.
3) Issuance of a new SIM to the fraudster - After its due verification, the mobile operator issues a new SIM with the same number to the fraudster, because even for the operator it is hard to tell the genuine customer from the impostor. Once this duplicate SIM is issued, the genuine customer's phone loses network, and the genuine customer therefore stops receiving SMS alerts.
4) Fraudster accesses your bank account with the new SIM - The fraudster then initiates financial transactions using the banking details already stolen, which triggers a one-time password (OTP). The OTP is delivered to the fraudster's new SIM and not to the genuine customer, who is kept in the dark.
How do the fraudsters get bank details?
SIM swapping/exchange is usually phase two of a fraud attack. Initially, they send a phishing email (or make a similar phishing attempt) to obtain your banking details; these details can also be stolen using Trojans/malware. They also work towards obtaining the victim's personal information and may go as far as stealing the identity and creating fraudulent ID documents. In order to use all of this gathered information, they need access to the victim's mobile messages, hence the SIM swap. In some countries, notably India and Nigeria, the fraudster has to convince the victim to approve the SIM swap by pressing some keys.
Once this happens, the victim's phone loses connection to the network and the fraudster receives all the SMS and voice calls intended for the victim. This allows the fraudster to intercept any one-time passwords sent via SMS or telephone call, and thus to circumvent any security features of accounts (bank accounts, social media accounts etc.) that rely on SMS or telephone calls.

How to protect yourself from such frauds?

If your phone is out of network continuously for a few hours, especially on weekends, take it seriously, stay alert and report it to your mobile operator.
Never switch off your mobile for long periods to avoid unwanted calls. Instead, simply do not answer them, or activate the DND (Do Not Disturb) facility for your SIM.
Regularly check your bank account statement.
Register for both email and SMS alerts.
Do not share the 20-digit SIM number printed on the back of your SIM with anyone.
Do not display your mobile number on social media websites.
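The post explains that the bank cannot tell the genuine customer from the fraudster once the OTP goes to the duplicate SIM. The check below is an added example, not code from the original post or from any bank: it shows the bank-side control that follows from the four steps above, assuming (hypothetically) that the operator notifies the bank whenever the SIM card (ICCID) behind a registered number changes. Transactions requested within a cooldown window after such a change are stepped up to out-of-band verification, high-value ones are held, and alerts during the window go to e-mail only, since an SMS would reach the fraudster's SIM. All records, numbers, thresholds and the 72-hour window are constructed sample values.

```python
"""SIM-swap-aware gating of SMS-OTP transactions (added example, not from the post).

Hypothetical feed: the mobile operator sends the bank a SimChange record whenever
the ICCID behind a registered number changes. Every OTP-based transaction carries
the customer's registered number and amount. All values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

SIM_CHANGE_COOLDOWN = timedelta(hours=72)   # hypothetical policy window after a SIM change
HIGH_VALUE_THRESHOLD = 50_000               # hypothetical INR limit for holding a transaction


@dataclass(frozen=True)
class SimChange:
    msisdn: str        # registered mobile number
    old_iccid: str     # 20-digit SIM card number before the change
    new_iccid: str     # 20-digit SIM card number after the change
    changed_at: datetime


@dataclass(frozen=True)
class Transaction:
    msisdn: str
    amount: int
    requested_at: datetime


def latest_sim_change(msisdn, changes):
    """Most recent SIM change recorded for this number, or None."""
    relevant = [c for c in changes if c.msisdn == msisdn]
    return max(relevant, key=lambda c: c.changed_at, default=None)


def assess(txn, changes):
    """Decision for the SMS-OTP step of a transaction.

    'allow'   : no SIM change inside the cooldown window, SMS OTP is acceptable
    'step_up' : SIM changed recently, require verification over a channel not tied to the SIM
    'block'   : SIM changed recently AND the amount is high, hold until the customer is reached
    """
    change = latest_sim_change(txn.msisdn, changes)
    if change is None or change.changed_at > txn.requested_at:
        return "allow"
    if txn.requested_at - change.changed_at > SIM_CHANGE_COOLDOWN:
        return "allow"
    return "block" if txn.amount >= HIGH_VALUE_THRESHOLD else "step_up"


def alert_channels(txn, changes):
    """Channels for the transaction alert: never SMS while the SIM is in its cooldown window."""
    if assess(txn, changes) == "allow":
        return ["email", "sms"]
    return ["email"]


# Constructed sample data: a SIM change late on Saturday night, then three requests.
SAMPLE_CHANGES = [
    SimChange("919900000001", "89910000000000000001", "89910000000000000002",
              datetime(2015, 1, 10, 23, 30)),
]
SAMPLE_TXNS = [
    Transaction("919900000001", 30_000, datetime(2015, 1, 11, 2, 15)),      # ~3 h after the swap
    Transaction("919900000001", 12_500_000, datetime(2015, 1, 11, 2, 40)),  # high value, same night
    Transaction("919900000001", 30_000, datetime(2015, 1, 20, 10, 0)),      # nine days later
    Transaction("919900000002", 30_000, datetime(2015, 1, 11, 2, 15)),      # number with no SIM change
]


def run_demo():
    """Evaluate the sample transactions; returns (decision, channels) per transaction."""
    return [(assess(t, SAMPLE_CHANGES), alert_channels(t, SAMPLE_CHANGES)) for t in SAMPLE_TXNS]


if __name__ == "__main__":
    for txn, (decision, channels) in zip(SAMPLE_TXNS, run_demo()):
        print(f"{txn.msisdn} {txn.amount:>10} {txn.requested_at:%a %H:%M} -> {decision:8} alerts via {channels}")
```

The window length and the threshold are policy choices; the point of the design is that the decision keys on an operator-supplied signal (the SIM card changed) rather than on anything the fraudster controls, and that the alert for a flagged transaction deliberately avoids the SMS channel the fraudster has just taken over.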

Advocate Prashant Mali handles these kinds of cases and has been instrumental in winning many cases against banks and telecom operators.

Thursday, December 11, 2014

Cyber Security: Build a Culture of Prevention in Your Organisation


Prashant Mali, 
Cyber Security Policy & Law Expert - India

“You cannot buy the revolution. You cannot make the revolution. You can only be the revolution. It is in your spirit, or it is nowhere.” 
― Ursula K. Le Guin, The Dispossessed

Today all organisations need a “Cyber Security Revolution”, i.e. they need to bring a culture of cyber security into their organisation. A strong cyber security culture is both a mindset and a mode of operation. One that is integrated into day-to-day thinking and decision-making can make for a near-impenetrable operation. Conversely, an absent security culture breeds uncertainty and ultimately leads to security incidents that you likely cannot afford. This also brings us to making cyber insurance part of the organisation's culture.

What is an organisation's cyber security culture?
An organisation's cyber security culture is the styles, approaches and values that it wishes to adopt towards cyber security.

The lack of robust security protocols and standards for data exchange between enterprise systems, devices and personal/home devices puts organisations at increased risk and exposure. However, by employing a comprehensive threat intelligence strategy, organisations can defend against adversaries more effectively, proactively and sustainably. Developing policies, procedures and training can further prevent attacks and raise user awareness about clicking links, executing files or sharing account information. “When building cyber security capabilities, a Chief Security Officer must be able to identify data in an organisational environment, know the systems, devices and networks on which they are located, and build a security profile around them that addresses potential vulnerabilities.”
A strong cyber defence strategy should address how to prepare for and monitor attacks, respond to them and ultimately recover from breaches. At a minimum, the security architecture should be able to stall adversarial efforts, thwart attacks at each phase and facilitate a rapid response. Today there are several cyber security frameworks that organisations may use as guidelines, such as ISO, COBIT and NIST, to develop a security architecture. By overlaying these with counter-responses to the tactics, techniques and procedures that a threat adversary may employ, CISOs can develop a robust defensive infrastructure.
Many of these defensive strategies can be broadly characterised into the following three classifications:
1. Mitigate threats before they enter the network by having the basic controls in place, such as ensuring that operating systems and the anti-malware, web filtering and antivirus software on servers and endpoints are updated and patched to reduce the risk of vulnerabilities and infections. At a primary level, preventive measures can be employed by implementing layers of firewall technology to stop known attacks. At a secondary level, the potential damage of a breach can be mitigated through automated alerts and notifications that quickly activate the appropriate response measures according to security protocols. By training employees and building a culture of cyber security from top management to workers on the ground, many breaches can be prevented upstream through user awareness of potentially malicious links, emails, websites, advertisements and files. As Kevin Mitnick notes in his book The Art of Deception: Controlling the Human Element of Security, these technological methods of protecting information may be effective in their respective ways; however, many losses are caused not by a lack of technology or faulty technology but by the users of technology and faulty human behaviour. It stands to reason, then, that people are not only part of the problem but can and should be part of the solution.
2. Discover threats that have entered or tried to enter the systems. No organisation can prevent every cyber attack, but it is important to build a response system that can alert your security staff, rapidly identify a breach and its scope, and notify other enforcement points so that the breach can be contained without extensive collateral damage. Depending on the adversary, an organisation may be better served by disrupting and throttling an attack rather than responding with a knee-jerk reaction that tips off the adversary to engage in additional attacks.
3. Respond to threats that have breached the network. In addition to deploying sandbox appliances that can test and detect novel threats, some organisations may be advised to deploy internal network firewalls to mitigate an attack once the network has already been breached. Depending on the extent to which data is stored on internal or external servers, organisations may need to develop coordinated responses to a breach with other entities.
The risk of cyber attacks is no longer limited to the IT desk; it is a key business issue that must be addressed by the Board. No organisation can be completely immune from cyber attacks and adversaries. However, it can take appropriate measures to erect defences and integrate cyber security into the business environment and culture. Management buy-in, establishing policies and updating them regularly, identifying and communicating the security awareness goals and message clearly and often, and performing assessments are crucial to a successful cyber security awareness programme. By implementing some of these changes, organisations can achieve higher levels of cyber security awareness maturity and benefit from a stronger cyber security culture.




Tuesday, December 2, 2014

Definitions for Cyber World


Cyberspace
Cyberspace is the total landscape of technology-mediated communication. This includes not only the internet and the World Wide Web but also mobile and fixed phone networks, satellite and cable television, radio, the Global Positioning System (GPS), air traffic control systems, military rocket guidance systems, sensor networks, etc. As more devices become interlinked through the processes of digital convergence, cyberspace is rapidly covering more of our physical world and channels of communication and expression. Importantly, cyberspace also includes the people that use these devices and networks.

The Internet
A subset of cyberspace, the internet is a system of interconnected computer networks. The internet is comprised of both hardware and software that facilitate data transfer across a network of networks, ranging from local to global in scale, and encompassing private, public, corporate, government and academic networks. Functioning primarily as a global data exchange system, it carries a wide range of resources such as email, instant messaging, file transfer, virtual worlds, peer-to-peer file sharing, and the World Wide Web (WWW).

The Web
The World Wide Web (or, simply, web) is a more recent development than the internet, with its origins in the European academic community of the late 1980s. The web is one of the many services reliant on the internet. It consists of an assemblage of files (audio, video, text, and multimedia), each assigned an address, which are connected to one another through the formation of hyperlinks (more commonly, links). The contents of the web are (usually) accessed via the internet using software known as browsers.

User-generated Content
User-generated content (also user-created content) is an umbrella term referring to a wide range of online materials that are created by internet users themselves. User-generated content has blurred the distinction between the ‘producers’ and ‘consumers’ of information. It is thought to be behind the massive expansion of the internet in recent years, which now encompasses a wide variety of blogs, discussion and review sites, social networking sites, and video and photo sharing sites.

Radicalisation
Most of the definitions currently in circulation describe radicalisation as the process (or processes) whereby individuals or groups come to approve of and (ultimately) participate in the use of violence for political aims. Some authors refer to ‘violent radicalisation’ in order to emphasise the violent outcome and distinguish the process from non-violent forms of ‘radical’ thinking.

Extremism
Extremism can be used to refer to political ideologies that oppose a society’s core values and principles. In the context of liberal democracies this could be applied to any ideology that advocates racial or religious supremacy and/or opposes the core principles of democracy and universal human rights. The term can also be used to describe the methods through which political actors attempt to realise their aims, that is, by using means that ‘show disregard for the life, liberty, and human rights of others’.

Monday, November 17, 2014

Cyber Pornography in India – Sprouting of a Hydra’s head

By Adv. Prashant Mali, Cyber Law & Cyber Security Expert, Author, Speaker
Email : prashant.mali@cyberlawconsulting.com | Mobile : +919821763157

The etymology of pornography can be traced to graphos (writing or description) and porneia (prostitutes), and hence it means the description of the life, manners, etc. of prostitutes and their patrons. The first known use of the word to describe something similar to pornography as understood today was in the eighteenth century, when the city of Pompeii was discovered. The entire city was full of erotic art and frescoes, symbols, inscriptions and artefacts that were regarded by its excavators as ‘pornographic’. One of the commonly accepted definitions of “pornography” in modern times defines it as sexually explicit material that is primarily designed to produce sexual arousal in viewers. In India, pornography is seen as an aggravated form of obscenity.
In India, amateur pornography production, with or without the consent of the women involved, is higher than the consumption of industry-produced porn.
There needs to be an amalgamation of education, law, technology and governance for effective control of pornography over the Internet. The law alone will be toothless if it is not enforceable.

Now, if it is rightly said that two-thirds of India’s population is below 35 years, that also signifies a sexually active population in the timid culture of India, where anything related to sex is itself a taboo. Watching cyber pornography is the way out for these sexually repressed minds to exercise their Right to Privacy and feed their information-hungry minds.

If digression is synonymous with excursion, then yes, the age group we are discussing has every right to do so. Distortion, if you regard cyber pornography as an “act committed by real humans”, is the wrong word in this context. If distress is synonymous with pain and suffering, then it signifies only the petitioner’s feelings, because the audience of cyber pornography never feels the distress unless physically incapacitated. Seeing cyber pornography as manoranjan is itself a half-cooked thought. I feel cyber pornography is viewed for pleasure (i.e. for prasannata, khushi, anand). To argue further, I would refer to Freudian psychology: the pleasure principle is the instinctual seeking of pleasure and avoiding of pain in order to satisfy biological and psychological needs. Specifically, the pleasure principle is the driving force guiding the id. Epicurus in the ancient world and Jeremy Bentham in the modern laid stress upon the role of pleasure in directing human life, the latter stating: “Nature has placed mankind under the governance of two sovereign masters, pain and pleasure.” Cyber pornography has grown so much because it is associated with pleasure and not with manoranjan (entertainment) as claimed by the petitioner.
Manobhanjan (destruction of the mind): some gurus have said that to attain Samadhi, manobhanjan, that is destroying the mind, is also another path, so this theory and idea becomes debatable.

The statistics used in the petition under discussion are based on newspaper reports, never credible evidence in any court of law; it states that 70% of online traffic is connected to pornography. A 2010 survey by the company ExtremeTech reveals exactly the opposite: only 30% of internet traffic relates to pornography. India now has over 20 crore Internet users in a population of around 121 crore, and labelling 14 crore people as cyber pornography watchers is more than ambitious.

The concerns raised by the petitioner with regard to child pornography are justified, but I think around 120 countries, including India, have strong laws related to child pornography owing to ratification of the Optional Protocol on Child Pornography. Section 67B of the IT Act, 2000 deals with child pornography: not only watching or transmitting child pornography is a crime, but even searching for child pornography related material on Google is a non-bailable and cognizable offence. So it is clear that when it comes to child pornography India already has the law; the question is one of equal enforcement throughout the country and effective pre-emptive measures. The Indian ISP association, along with the police, should hold a monthly review meeting to ban certain branded websites spreading child pornography and some types of extreme porn. Even though I sympathise with the Government’s view that not all porn sites can be banned due to technological issues, I strongly suggest that there be concerted efforts by the stakeholders to show some action that can serve as a deterrent to the child porn industry operating or exhibiting within the cyber boundaries of India. Action speaks louder than a thousand words, and that is what is missing when it comes to banning a few known websites, even if websites sprout like the Hydra’s heads.

With an almost non-existent or minuscule amount of sexual education across the country, limited pornography also serves as a tool of sexual education for information seekers. If pornography is a threat to women, then I feel they should be protected by better implementation of legal reforms and stronger rights against invasion of their privacy, including exploitation of a woman’s body by taking an image or video without her consent. Sexually explicit material has been around in India in the form of temple statues, the Kamasutra etc., but that was what we call soft porn (and should not be confused with violent porn). Even print porn has only been around in India for the last two decades or so and is strictly censored, again to soft porn levels. What India is being exposed to right now, all of a sudden, is violent porn from the West.

Law as it stands:
Pornography or obscenity is a very sensitive issue all over the world, yet there is no settled definition of the word under any law. Whether a given pornographic ‘work’ may be termed obscene is determined by applying what is known as the Miller test (the three-prong obscenity test), which was developed by the US Supreme Court in the landmark case of Miller v. California. This test poses three fundamental questions about the work under scrutiny:
§  Whether the average person, applying ‘contemporary community standards’, would find that the work, taken as a whole, appeals to the prurient interest
§  Whether the work depicts or describes, in a patently offensive way, sexual conduct specifically defined by applicable state law
§  Whether the work, taken as a whole, lacks serious literary, artistic, political, or scientific value
Section 292 of the Indian Penal Code (IPC) defines obscenity as that which is ‘lascivious or appeals to the prurient interest or tends to deprave or corrupt persons’. In the recent Supreme Court judgment on obscenity, Aveek Sarkar & Anr versus State of West Bengal & Ors, it was held that a nude picture of a woman is not obscene per se. This judgment overruled the Hicklin test, which had been used by courts till then to interpret obscenity when deciding such cases.

Besides shunning the temptation to share salacious videos, the mobile user should be wary of misusing his mobile to invade somebody's privacy. Section 66E, one of the amendments made to the IT Act, 2000, introduced punishment of up to three years for whoever "intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person".

Under S.354C of the Indian Penal Code on voyeurism, the offences included are capturing the image of a woman in a private or sexual act with a hidden camera or device, without the consent of the woman. If the woman consents to the capture of the images but not to their dissemination, it is still an offence under the same section, and the imprisonment is from three to seven years. Forcibly showing pornography to a woman is also included under sexual harassment under S.354A of the Indian Penal Code.
Summing up, Sections 66E, 67, 67A and 67B of the IT Act, 2000 address the issues of pornography and child pornography along the lines of POCSO.


Cyber Pornography and Right to Privacy
Canadians have the right to be anonymous on the internet, and police must obtain a warrant to uncover their identities, Canada's top court has ruled in R. v. Spencer, 2014 SCC 43. The landmark decision from the Supreme Court bars internet service providers from voluntarily disclosing the names, addresses and phone numbers of their customers to law enforcement officials in response to a simple request.
In India, our Constitution does not contain a specific provision as to privacy, but the right to privacy has been spelt out by our Supreme Court from the provisions of Art. 19(1)(a) dealing with freedom of speech and expression, Art. 19(1)(d) dealing with the right to freedom of movement, and Art. 21, which deals with the right to life and liberty. In Govind v. State of MP, Mathew J. developed the law of privacy. The learned Judge held that privacy claims deserve to be denied only when an important countervailing interest is shown to be superior, or where a compelling state interest is shown. If the court then finds that a claimed right is entitled to protection as a fundamental privacy right, a law infringing it must satisfy the compelling state interest test; the question would then be whether the state interest is of such paramount importance as would justify an infringement of the right. In Naz Foundation v. Government of NCT of Delhi, the Delhi High Court took the right of privacy to a new level. The Court held that privacy recognises a right to a sphere of private intimacy and autonomy which allows us to establish and nurture human relationships without interference from the outside community. The way in which one gives expression to one’s sexuality is at the core of this area of private intimacy. If, in expressing one’s sexuality, one acts consensually and without harming the other, invasion of that precinct will be a breach of privacy. Now, since the manufacturing and viewing of pornography are a medium of expression of one’s sexuality, it must fall within the ambit of the right to privacy, provided it is manufactured and viewed privately by consenting adults and thereby does not cause any harm to others.
Conclusion
The line demarcating the ‘decent’ from the ‘obscene’ is still vague, and the distinction is purely ambiguous as it is based on individual interpretation. The concept of ‘Violent Pornography’ (which includes rape, fetish, kinky and sadomasochistic material) needs to be adequately defined in the existing law, to enable the insertion of new sections competent to deal with it, or the modification of existing provisions, so as to tackle the problem effectively. Restricting ‘Violent Pornography’ by using “Intelligent Filters” linked to globally available databases, or self-created updatable databases, at ISP level can prove an efficacious remedy to arrest it in some proportion, as completely eradicating cyber pornography would be like plucking out the Hydra’s sprouted heads, which are known to regenerate.


Tuesday, July 22, 2014

How Phishing is Done via Malicious Code

For hackers, phishing out your personal data is as easy as sitting in a canoe on a still pond, casting the bait and waiting for the fish to bite.
So many people fail to learn about phishing scams, a favourite and extremely prevalent scam among cybercriminals.
One type of phishing scam lures the user onto a malicious website. ZeuS (Zbot) is such an example, planted on websites: visit that site and it will download a virus to your device that steals your online banking information and forwards it to a remote server, where the thief will obtain it. Very clever.
But that ingenuity is contingent on someone being gullible enough to open a phishing e-mail, and then taking that gullibility one step further by clicking on the link to the malicious site.
10 Phishing Alerts
  • An unfamiliar e-mail or sender. If it’s earth-shaking news, you’ll probably be notified in person or via a voice phone call.
  • An e-mail that requests personal information, particularly financial. If the message carries the name and logo of your bank, phone the bank and inquire about the e-mail.
  • An e-mail requesting credit card information, a password, username, etc.
  • A subject line of an urgent nature, particularly if it concludes with an exclamation point.
Additional Tips
  • Keep the computer’s browser up to date.
  • If a form inside an e-mail requests personal information, hit Delete to discard the e-mail.
  • The most up-to-date versions of Chrome, IE and Firefox offer optional anti-phishing protection.
  • Check out the special toolbars that can be installed in a web browser to help guard the user from malicious sites; such a toolbar gives a fast alert when it detects a fraudulent site.
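The four phishing alerts above (unfamiliar sender, request for financial information, request for credentials, urgent subject line ending in an exclamation point) are exactly the kind of signals a mail gateway can score before a user ever sees the message. The triage function below is an added example, not code from the original post or from any product: it parses a raw RFC 822 message with Python's standard `email` library, scores each signal, and adds one point when a link in the body accompanies a data request, which is the "click the link to the malicious site" step the post describes. The allow-list of known sender domains, the keyword lists, the weights and both sample messages are constructed assumptions.

```python
"""Heuristic phishing triage for inbound e-mail (added example, not from the post).

Scores the alert signals listed in the post. The sender allow-list, keyword lists,
weights and sample messages are constructed for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical allow-list: domains the organisation already corresponds with.
KNOWN_SENDER_DOMAINS = {"examplebank.test", "colleague.test"}

CREDENTIAL_WORDS = re.compile(r"\b(password|username|user id|login|pin|otp)\b", re.I)
FINANCIAL_WORDS = re.compile(r"\b(credit card|card number|account number|cvv|bank account)\b", re.I)
URGENT_WORDS = re.compile(r"\b(urgent|immediately|suspended|verify now|act now|within 24 hours)\b", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'>]+", re.I)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if unparseable)."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def body_text(msg):
    """Plain-text body; joins text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return {'score', 'reasons', 'verdict'} for one raw e-mail message."""
    msg = message_from_string(raw_message)
    subject = msg.get("Subject", "")
    body = body_text(msg)
    score, reasons = 0, []

    if sender_domain(msg) not in KNOWN_SENDER_DOMAINS:
        score += 1
        reasons.append("unfamiliar sender")
    asks_financial = bool(FINANCIAL_WORDS.search(body))
    asks_credentials = bool(CREDENTIAL_WORDS.search(body))
    if asks_financial:
        score += 2
        reasons.append("requests financial information")
    if asks_credentials:
        score += 2
        reasons.append("requests credentials")
    if URGENT_WORDS.search(subject):
        score += 1
        reasons.append("urgent subject")
    if subject.rstrip().endswith("!"):
        score += 1
        reasons.append("subject ends with '!'")
    if LINK_RE.search(body) and (asks_financial or asks_credentials):
        score += 1
        reasons.append("link combined with data request")

    verdict = "quarantine" if score >= 4 else "flag" if score >= 2 else "deliver"
    return {"score": score, "reasons": reasons, "verdict": verdict}


# Constructed sample messages (hypothetical addresses and hosts under .test).
PHISHING_SAMPLE = """\
From: "ExampleBank Security" <alerts@examp1ebank-secure.test>
To: customer@example.test
Subject: URGENT: Your account has been suspended!

Dear customer,
We detected unusual activity. Verify your username and password and confirm your
credit card number within 24 hours at http://examp1ebank-secure.test/verify
"""

LEGIT_SAMPLE = """\
From: "Office Admin" <hr@colleague.test>
To: staff@colleague.test
Subject: Team lunch on Friday

Hi all, please reply with your dietary preferences by Thursday.
"""

if __name__ == "__main__":
    for name, raw in (("phishing", PHISHING_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(name, triage(raw))
```

Keyword rules like these are cheap and explainable but noisy: a genuine bank notice that says "we never ask for your password" trips the credential rule, so in practice the allow-list and the weights are tuned against real traffic, and a high score routes the message to quarantine for review rather than silently dropping it.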

FIR : All you want to know about in a criminal case

FIR - What is?  The first information report is a report giving information of the commission of a cognizable crime,  which may be made by t...