Friday, February 26, 2021

UPI and Wallet Scams

PART I

I received an interesting call today, from number +91 9832708846. The person at the other end claimed to be calling on behalf of PhonePe. Now I'm usually very skeptical of such unsolicited calls, but this one happened just 15 minutes after I had made a PhonePe payment. So it took me a few moments to understand the real motive.

Scamster: Sir mai PhonePe se baat kar raha hu. Aap Anshul bol rahe hain?
Me: Bataiye
Scamster: Sir aapko cashback mila hai
Me: (thinking I will check the app for any coupons) ok, mai dekh lunga 
Scamster: Aapko cashback chahiye ki nahi?
Me: (Confused - what is this guy talking?) Matlab?
Scamster: (loudly) Hain? Aapko cashback chahiye ki nahi 5000 rupaye ka?
Me: (Finally realising this is a scam call) Aap PhonePe se bol rahe ho?
Scamster: Haan
Me: Arey re re re, mujhe to TrueCaller pe kuch aur dikh raha hai
<Call disconnected by scamster>

I don't have TrueCaller installed, but just the mention of it was enough for the scamster to block my number from calling him back.

While I, and many other tech savvy people may safeguard themselves, it made me realise how simple scamming has become in an increasingly connected world. It got me thinking, how is such a scamster operates.

PART II

Modus operandi of the scamster:
  1. Get a list of active phone numbers from darknet
    1. Can be a curated list of numbers within a circle, or  which have active bank account 
  2. Buy set of SIM cards, Android mobile or SIM box
    1. SIM card can be bought against any legal document, no Aadhar required, courtesy our honorable supreme  court which struck down said provision of Aadhar act as
      1. privacy > other considerations
    2. The other legal documents have no biometrics, so you can fake one if resourceful
    3. prepaid SIM doesn't need physical verification of address
  3. Cold call numbers from the list in step 1
  4. Sweet talk into making the target click on a link
    1. When link is clicked
      1. Create a request to UPI/wallet for charging payment
      2. Gaslight target into accepting the information in the guise of it helping the target
  5. If victim realises s/he has been defrauded 
    1. Gaslight again and repeat step 4
  6. Block the number from calling back through Android feature
  7. Keep the amounts scammed low so that 
    1. neither the victim makes a complaint - money lost is lesser than fear of harassment
    2. nor police go through the effort of investigating - When there are scams of crores to be cracked, why go after small ticket scams? 
  8. Form a network of scamsters and keep milking the list of step 1
    1. Many fake call call centers have mushroomed all over as per news reports
Profile of the victim:
  1. Doesn't have a deep understanding of newer payment models
    1. Financially uneducated, Digitally illiterate, informationally uninformed 
  2. Gullible and can be easily manipulated into believing the stranger
  3. Has 1 number and Has a UPI / wallet linked to the primary number
Probable Solutions:
  1. Legal Institutional
    1. Make Aadhar seeding mandatory for mobile phones
      1. Was tried but failed legal challenges
      2. Needs to be brought in on security and criminal grounds
    2. Take issue seriously
      1. This hurts the credibility of digital transactions
      2. Can lead to people going for cash over blackboxes they see as unreliable
    3. Registry for reporting such incidences and effective investigation
      1. Tried to find helpline numbers where to report this call but none seemed handy
        1. The DOT website doesn't help - the grievance redressal option is against the officers, not against the internet provider
          1. The citizen's charter corresponds to 2017-18 and is directed towards ISPs and telecom operators.
        2. The TRAI website didn't help either - it has complaints sections targetted towards the telecom operator, its Value added services
        3. Same is true of the NPCI website
      2. Hence need cross agency system to tackle issues on confluence of multiple Regulator
  2. Retail consumer apps
    1. Most wallets etc simply say we do not send unsolicited mails
    2. Introduce a challenge to identify a communication was from you or not
      1. Similar to an OTP - send an SMS / app notification and make it SOP to have this challenge in all communication to establish 2-way trust
    3. Create industry body to lobby for better tracking mechanisms
      1. Customers should only need to notify their apps that someone tried to (ab)use their name for a scam
Part III

But the question remains, how do these telecallers and scamsters curate your number in their list?
Few options come to mind:
  1. Cold call a list number to check if its active - disconnect before its picked up - this dead weight on the telecom networks allows the check for free, one only needs SIM multiplexers to do this call in automated manner
  2. Somehow get hold of excels from another telecom shop / business concerns - many a times the staff can extract files with limited list of subscribers for internal marketing purpose, which can get leaked in hands of scamsters
  3. Get hold of data from a contact - while you may install only relevant apps on your device, one of your contacts may've installed a shady app on their device, which (the app) in turn used the contacts permissions to harvest all numbers
  4. Send one-off SMSes with unique URLs, which if clicked, means that the number is active.
So, let's look deeper into this option 4. A recent SMS that I received from an unknown number comes to mind. 

Now, I neither have an account ending in those last few digits, nor am I expecting a sum in that range to be transferred. But someone who is in a hurry and didn't realise the reality of the number can definitely be taken for a ride. In this case, the scamster have used only an actual number instead of a 6-character alphanumeric registered senderid, which makes things easier to identify.  

1 comment: