In April this year, Chief Minister Mukul Sangma’s Twitter account was hacked and a message saying “If I win elections, I will legalise weed (marijuana) in Shillong” was posted.
Last month, BJP leader Safiur Rahman’s Facebook account was allegedly hacked and derogatory messages about the Garo community were posted.
On July 24, South Garo Hills Deputy Commissioner CVD Diengdoh lost around Rs 90,000 to cyber fraud. His HDFC credit card was compromised to make transactions and he did not even get a one-time password from the bank.
In the same month, Amandeep Sharma, a common man, lost around Rs 55,000 to cyber thieves.
Meghalaya is among the states which are leveraging their digital platform to fulfil Prime Minister Narendra Modi’s dream of a virtual India. However, the rising number of cyber crimes in the State does not give an encouraging picture and raises the obvious question — are we ready for it?
A senior police officer in the State says the cyber assistance cell (CAC), which was set up in February this year, is yet to equip itself to fight the faceless criminals.
There are several stumbling blocks, “the major being poor infrastructure”. “We are lagging behind many states in infrastructure and cannot handle critical cases,” says the officer.
The Government’s lack of funds and little help from the Centre are making the going even tougher.
Though several cases of cyber fraud come to the fore every month, CAC takes up cases where the stolen amount is not less than Rs 10 lakh. “For small amounts we ask the respective district police departments to investigate and the nodal office gives them technical support,” says the senior officer.
With no infrastructure at the district level, chances that the criminals will be apprehended are less.
Another hurdle that the officer points out is Section 78 of the Information Technology Act that mandates a police officer not below the rank of inspector to investigate any cognizable offence under the law.
The senior officers in the department are not thoroughly conversant with the evolving technology as their junior colleagues are. “There is a generation gap. Today’s youngsters know more about the virtual world than us. But the law prohibits them from handling cyber crime cases,” says the officer.
There are frequent training sessions, both at State and national levels, but barring a few crucial sessions by the CBI, NIA or NEPA, “most of them focus on awareness and skip the technological part”.
Cyber crime has many faces. Hacking and cracking, Trojan attack, email spoofing and spamming are some of the common forms of crimes. Sourav Dutta, a Hyderabad-based computer engineer, says the common belief is that malwares and viruses are related to computers. “But in today’s world everything is connected to some network, mostly the internet, or has smart chips that can be infected. Every last bit of infrastructure, from power plants, airports to home security systems, is connected to networks,” he says while explaining the spectre of a possible cyber attack on the State machinery.
The situation in Meghalaya might not be so threatening but the danger lurks. Most of the cyber crimes that have been reported so far in the State concern ATM frauds, shaming on social media and hackings.
For ATM frauds, the modus operandi is more or less similar. An unknown caller identifies himself as a bank employee and asks for ATM card details.
A gullible victim in most cases end up giving the details only to be shocked moments later.
A young woman from the city says she got a call from SBI a day after she registered her new mobile number with the bank. “It was so convincing and initially I did not even think about not giving him my ATM card number. Before I could realise mistake my money was gone,” says the victim who learnt a lesson at a price of Rs 2,000.
Most of the ATM fraud cases in the State have its origin in the Jharkhand’s Jamtara district. In fact, Jamtara and Giridih are notorious for cyber frauds and police of several states, the recent being Karnataka, had travelled to the remote districts in search of smart school dropout hackers.
Jamtara SP Jaya Roy says 50 cases of fraud were unearthed between January and June this year and 180 accused were forwarded to court. At the same time she says once a victim loses money, it is difficult to get it back.
Supreme Court lawyer Madan Mohan Priya rebuts the claim. “Cyber frauds are committed by a team and if one is arrested, police can easily find out where the stolen money is stacked. It cannot just vanish,” he says.
Priya also points out that the Reserve Bank of India rulebook says if a cyber fraud victim reports the theft to the bank within five days, the bank is bound to return the amount.
“But this rule is never implemented and none of the banks promote this,” says the lawyer but adds that customers too should be aware of the warnings sound out by banks on unknown callers asking for ATM card details.
The State CAC officers too feel the same way. They say most of these frauds are happening because of lack of awareness among people and late reporting of incidents.
“We organise frequent awareness programmes and warn people against sharing ATM card or any personal details with strangers. Also, we ask them to report social media and email hackings at the earliest so that we can control the damage,” says a senior officer.
The situation in the State has not gone out of control and an advisory still discourages many youngsters to be adventurous on social media, she assures.
Such advisories, however, do not stop cyber fraudsters who are operating from outside the State. A victim of hacking in the city says his Yahoo account was hacked from Nigeria but CAC could not trace the culprit.
The cyber cell justifies its failure by saying Yahoo never replied to their email. “This is another problem that we face. These companies in most cases do not get back to us. Such non-communication slows down our investigation,” says a cyber cell officer.
Another impediment for the cell is lack of a well-equipped forensic laboratory in the State. For important cases police have to depend on laboratories in Kolkata or Hyderabad and in the process, investigation is affected.
But Priya says it will be wrong to single out states or the police machinery. “The Centre is talking big about digitisation and hushing up the thousands of cyber breaches that are taking place in the country to conceal the cracks in the security system.”
In 2016, 32 lakh debit cards of various banks were compromised. In the same year, the Prime Minister’s mobile app was hacked by a 22-year-old whose intention was to point out the loophole in the system.
The pace at which cyber crime is increasing in the country, it won’t be wrong to be apprehensive about the security of one’s identity the details of which are stored under the unique identification number.
~ NM
(The contact details of the cyber assistance cell are 0364- 2504001, 9615191002 and email is
[email protected]. The cell functions from 10am to 6 pm on all working days)
Is your data safe?
By Varun Vohra
Organisational risk continues to increase with the rise in data breaches. Despite huge investments by organisations in the area of cyber and information security, bad actors are still able to get ahead of the curve and are successful in getting their hands on sensitive data with high value in cyber black markets.
Once networks and systems are breached, sensitive data seems to be pilfered at will. It is important to understand the criticality of data, location, data flow and current protection measures.
A data-centric security approach is needed to provide greater level of protection. It emphasises on the security of the data itself rather than the security of infrastructure like networks, servers or applications.
This approach also allows organisations to connect IT security and business priorities by relating security directly to the data, which is the key parameter. Data-centric security framework includes key processes like Discover: Ability to locate sensitive or critical data; Manage: Ability to define access to sensitive or critical data; Protect: Ability to protect sensitive or critical data against data loss or unauthorised access; and Monitor: Ability to continuously monitor data usage to identify abnormal behaviour.
The key question then becomes, how do you achieve the above. From a technical point of view it can be done in a number of ways. A robust risk assessment process needs to be in place which is able to classify and capture all data sitting in different parts of the systems, which in turn should govern the access policies around it, i.e. more critical the data, more stricter the access.
Logging and encryption should be implemented to prevent any data loss or unauthorised access, which can also be supplemented by stronger change management controls.
Finally, appropriate security tools should be deployed to continuously monitor the data flows for detecting any abnormal behaviour and preventing it. As the volume of data is becoming bigger, it is getting much harder for organisations to put appropriate controls to protect it while much easier for bad actors to steal it.
(The author is an audit
and compliance expert)
Cyber crime hub
By B.K Mishra
They go phishing. That’s what most “panchvi fail”, or school dropouts, allegedly do in Jharkhand’s Jamtara district to earn a living.
This is the Indian equivalent of the Romanian town of Râmnicu Vâlcea, dubbed Scamville, which is the global capital for cyber criminals.
In the first six months of this year, police arrested about 100 cybercriminals from the district and many more are on the run. Cyber fraud is said to be a household business at Jhiluwa village in Narayanpur, about 24 km from the district headquarters, which has two schools but more than 30 shops selling mobile phones for a population of 2,000. “Almost every teenager in this village has a cell phone,” said Mahendra Rajak, a shop owner.
And most of the teenagers with phones are dropouts. “We arrested one youth every day for online fraud during my posting in Jamtara. It’s amazing how these panchvi fails were conning tech-savvy people in the metros,” said Manoj Kumar Singh, a former SP in the district.
The majority of the frauds are related to phishing, wherein the caller or mailer purporting to be from a bank or a finance company seeks personal details for online transactions. The money is often used to recharge e-wallets, phone service packs and go big-time shopping.
Most of the district’s people used to be reliant on farming, government jobs, small-time trade and budget tourism. Then around a five years ago, for no apparent reason other than the spark of twisted human genius, bored young men, mostly semi-literate, with more than a passing interest in getting rich quick realised that the unpoliced internet offered a quick route up and out of the drudgery that lay in store of them.
A 14-year-old boy of Dumaria, whose name is withheld since he is a juvenile, boasted he committed his first fraud when he was 10. He asked the customers to follow his instructions and they ended up recharging other phones from their mobile talk-time balance.
Isn’t he ashamed of this work? Praveen replied hesitantly: “We are at least not killing people. Education is in a shambles. What else do we do?”
Mukesh Mandal, a 23-year-old out on bail after his arrest last year, said his elder siblings taught him online fraud tricks when he was 18 and his first crime was to transfer phone talk-time balance through easy recharge. The man admitted he knows no other work.
Data compiled by Uttar Pradesh police say more than 2,000 SIM cards issued in different part of India were used to commit online frauds in Jamtara in 2015. “How do we discourage the youth when they manage to earn lakhs through cybercrime? Even their parents are actively supporting them, which is a major concern,” Jamtara SP Jaya Roy said.
Social activists like Manoranjan Kunwar have run awareness campaigns but in vain.
Most villagers deny that the boys are engaged in cybercrime. But there’s an unofficial bar for outsiders taking pictures of these villages.
(The author is a Meghalaya
Police officer)