How is cyber crime enabled through misuse of data?
Cyber crime and misuse of data have been on the rise for the past two decades. While our dependence on technology increases the number of targets for perpetrators, our own laxity in caring for our data, its security, and its availability also plays a major role. Ask yourself: when was the last time you thoroughly checked your privacy settings on Facebook? How many strangers have you talked to on the internet? How many friend requests from unknown people have you accepted? How much information have you shared on the internet throughout your digital existence? This article is a reminder that we need to keep a strict vigil on our data outflow and restrict the information about us that we choose to share in public, for our own good. It is time we took responsibility for our information to prevent misuse of data.
This article was co-authored with Adv. Rohit Ranjan Praveer.
BUT, WHAT IS DATA?
Data is information in digital form. Useful data is knowledge. It is also a fact, or some concept, or some instruction for a computer system. Where do we store information a.k.a data? Different forms of storage media: hard disk drives, CD drives, magnetic tapes (the ones on older ATM cards), etc. For legal purposes, the Information Technology Act defines data.
DATA LEAKAGE
Any data you wish to keep close to your chest but which finds its way outside of your controls is a leakage. The data that you willingly share in the public domain, or the data that leaks out of your personal devices or commercial organization (which could be due to many reasons) can be misused by cyber criminals.
BUT HOW?
Misuse of data is an easy exercise. Let’s take a short and simple example. In Uttar Pradesh, cybercriminals scour Facebook pages of people. Once they get to know their ‘friends list’, they send them a friend request and monitor their activities. Then they would create a duplicate account impersonating one of their close friends, who perhaps is visiting a foreign country. Now they would text the person saying, “I am stuck in an emergency here. Can you transfer Rs. 50,000 to me immediately.” (Perhaps not as simple a message as this one, but you get the idea) And that’s how keeping your friends list public cost you Rs. 50,000.
Let’s take another example. You go to a restaurant and share your phone number. The waiter at the restaurant notes that down. He has your phone number, so he can easily find you on Facebook. He sends you a friend request and identifies a good friend of yours. He simply clones your SIM card and texts that friend that he is in need of a few thousand rupees. That’s it!
Similarly, there are tons of data lying out there on Facebook, Instagram and Twitter, which have billions of users. Criminals just have to find new ways to deceive people. So, in order to ensure that you and your finances stay safe, steps need to be taken from individual to organizational levels.
BUT THE THING THAT WE ARE TALKING ABOUT, IS IT EVEN REAL?
Ex-Chief Justice of India, R.M. Lodha received an email from another Supreme Court judge for some emergency funds. And that’s how he lost Rs. 1 lakh.
India stands 3rd in victims of crime according to the Internet Crime Report for 2019 published by USA’s Internet Crime Complaint Centre (IC3) of the FBI. [1] In 2019 alone, cyber crime cost Rs. 1.25 lakh crore in India. [2] Losses have been increasing year after year. Hence, it becomes vital to learn about data leakage and know the means of preventing misuse of data.
WHAT DATA COULD BE MISUSED FOR?
In order to commit a crime, criminal intent is important. The reason ‘why’ a crime is committed is as important as how it is committed. A cybercriminal commits a crime for three main reasons, namely, hacktivism, stealing money, or spying.
Hacktivism is the amalgamation of the words Hacking and Activism. It is done by intruders who want to hack in order to prove a political agenda or a social cause. A common example of Hacktivism is ‘Anonymous’, a group that has hacked into several websites and networks around the world in the name of activism. E.g., Panama Papers. Also, in 2015, Anonymous had declared war against ISIS after the Paris attacks, which resulted in the deletion and taking down of thousands of social media accounts and websites.
Another type of hacking is done to steal money or data from the other party. Hackers employ techniques like phishing, using known credible information, to attack. Usually, the purpose of this is to exploit the other party for financial gain. There are many examples of hacking in order to steal money or data around the world.
A cybercriminal usually sends a message on WhatsApp asking “This photo looks like you. Is that you?” The text makes people click the link out of curiosity. The link takes the person to a malicious website, which is bait to capture the person's ID and password. Once the ID and password are taken, the scammers can use various spamming and phishing techniques to make money from the person or their family and friends.
Spying, on the other hand, refers to spying either by a state or by an organisation. The purpose of spying is to find information against rival organisations or enemy countries. It is another source of misuse of data, which can be used to damage individuals’ reputations or brand image, or even create domestic security issues.
SOME OTHER EXAMPLES
Credit and Debit Card users from Indian Banks– Data of 1.3 million Credit and Debit card users from Indian banks was being sold for $100 apiece. The breach data was collected by a Singapore-based cybersecurity firm, which reported that the information was stolen via skimming devices installed in ATMs and PoS systems. The total database was valued at over $130 million. The effect of this on the Indian banking system could be tremendous. This data could be misused to either scam such users or steal the money they have in their accounts.
Prime Minister’s Website– A USA-based cybersecurity firm had reported that there had been a data breach on the Prime Minister’s website. According to them, data of over 5,70,000 users was available on the dark web, including names and contact details collected from databases of funds such as the PM Relief Fund. This makes us question: if the Prime Minister’s website is vulnerable to such breaches, how safe are we?
True Caller Scam– Cybercriminals search for the names of merchants on Truecaller and, once they find someone, they call the owner and pose as customers who left some money unpaid the last time they bought a product. Once the owner is convinced, they send a PhonePe link, which is a phishing link used by the criminals. Once the owner types in their password, instead of paying money, the scammers take money out of the owner’s account. [3]
PREVENTING DATA MISUSE
Once leaked, it is difficult to control where the data reaches and how it can be used. Misuse of data can cause massive losses to individuals as well as organisations. A common phrase in cybersecurity is that “a cybercriminal needs to be correct only one time but the cybersecurity needs to be correct all the time in order to stop such crimes.” Therefore, cybersecurity mechanisms must incorporate certain policies in order to ensure that such misuse does not happen. They are:
- Use Strong Passwords– Strong passwords should be used by individuals as well as organisations. In the Facebook messenger scam, the scammers had identified those whose passwords were similar to numbers or were easy passwords such as “12345678” in order to hack their Facebook accounts. Therefore, a strong password might reduce the chance of a cybercriminal guessing your password;
- Encrypting sensitive information– Encryption is a process by which information is encoded in a way that makes it unreadable to unauthorised users. Encrypting such information keeps it safe even if it is leaked, as the cyber criminals will not be able to decrypt the information;
- Monitoring vulnerabilities in networks– Data can get leaked through any of the network channels which a particular organisation uses. An organisation needs to ensure that the data is not leaked through any of these networks. To do that, it has to monitor the traffic across its networks; only then can the organisation look for vulnerabilities inside its networks;
- Verify Facts– In case of scams against you, verify facts with your banks, relatives or friends before sending money.
God forbid, but if you ever face a cyber fraud, here’s what you should do.
Footnotes:
[1] FBI (2020). 2019 Internet Crime Report. Available at: https://pdf.ic3.gov/2019_IC3Report.pdf
[2] Cyber crimes in India caused Rs 1.25 lakh crore loss in 2019: Official. The Financial Express
[3] Sunil Maurya (2020). Cyber crime gang itself explained: how they commit fraud through OLX, QR Code and Facebook, and also explained how to avoid it; know the full details.