In April alone, the police of various states unearthed a string of pan-India cyber fraud operations. In Delhi, one Nasim Malitya was arrested with 22,000 SIM cards. He was allegedly the main supplier of SIMs to cyber criminals across India. His interrogation led to a further five arrests — of people from Jamtara in Jharkhand, which has acquired global notoriety for being a hub of cybercrime. The arrested criminals were running a sophisticated racket by impersonating customer care executives of private banks and e-commerce websites. They used hacked customer details to drain the bank accounts of their victims. In Tamil Nadu, the Department of Telecommunications with the help of state intelligence wings blocked 19,654 mobile numbers that were allegedly linked to various types of cybercrime.
On April 23, the Centre of Excellence for Cyber Safety of the Telangana Police unearthed a Know Your Customer (KYC) fraud in which they found 11,000 SIM cards had been issued on a single Aadhaar number in Meerut district in Uttar Pradesh. The Telangana Police stumbled upon this fraud while investigating a case in which a Hyderabad resident’s bank account was drained of several lakh rupees after fraudsters obtained bank details under the pretext of updating the person’s KYC. Some of the other mobile numbers linked to the same Aadhaar identity were used to pull off similar crimes in Telangana.
A working paper published by the International Monetary Fund (IMF) in April titled “Stacking Up The Benefits: Lessons from India’s Digital Journey” states that despite taking rapid strides in developing a robust digital public infrastructure (DPI), the lack of data protection and digital privacy laws raises cybersecurity issues. “Comprehensive data protection legislation is still missing in India. A robust data protection framework is essential to protect citizens’ privacy, prevent companies and governments from indiscriminately collecting data, and holding companies and governments accountable for data breaches to incentivise appropriate data handling and adequate investments in cybersecurity.” Now, the government push to give non-government entities access to Aadhaar data, without data protection and privacy laws in place, has been flagged by cybersecurity experts as a highly risky venture.
In the absence of adequate laws, private and government entities have been collecting enormous amounts of citizens’ personal data, leading to the creation of metadata profiles. This metadata can be used to track even the minutest of habits, choices, and activities of the people profiled. In the hands of fraudsters and criminals, it can pose a major security hazard.
People are already spammed with SMS messages containing phishing links. These are disguised as instant loan approvals, overdue electricity and phone bills, fake links of banks, and so on. In October 2022, the Telecom Regulatory Authority of India (TRAI) proposed a unified-KYC within the ambit of the Telecom Bill to prevent spamming and fraud. However, the Telecom Bill, 2022, released for public comment earlier this year, is rife with sweeping clauses that intend to extract even more data from users of WhatsApp, other messaging apps, and social media platforms.
Inadequate legal framework
According to Reserve Bank of India (RBI) data, in 2021-22 alone, Indians lost ₹258 crore in 65,893 reported cases of online and digital fraud. It is clear that law enforcement agencies, telecom service providers and regulators are helpless in controlling the rising graph of cyber and telecom fraud. The only option they seem to exercise is educating consumers about the potential of such fraud, instead of controlling cybercrime.
“The legal framework is currently very unequipped,” says Pavan Duggal, India’s foremost cyberlaw expert. He specialises in cybercrime and the cybersecurity laws of India. “We don’t have adequate legal frameworks for effectively countering cyber fraud and don’t have any dedicated laws to check cybercrime. Cybercrime at present is covered in the Information Technology Act, 2000, and subsequent amendments. These are inadequate to cover the entire gamut of cybercrime that is continuously evolving with the emergence of new technologies.”
As Jamtara’s notoriety spread far and wide, it spawned a Netflix series and many imitators. Last year, the Haryana Police busted a gang of cyber criminals in Mewat district that was operating 500,000 mobile numbers. “Earlier, there used to be one Jamtara, but now the Jamtara model of cybercrime has spread across the country,” says Duggal. “Mewat has emerged as a new hub of cyber fraud, which is 10 times larger in scale of operation compared to Jamtara. It’s extensively getting replicated in almost all urban areas, and rural areas. It has virtually become an industry now.”
Police investigators say that during the Covid-induced lockdown, when a larger number of people resorted to digital transactions, a sharp upsurge in cyber fraud was observed. According to National Payments Corporation of India (NPCI) data, a total of 2,552 lakh crore UPI transactions were recorded between August 2016 and August 2020, out of which approximately 793.40 (31%) were carried out between March and August 2020. In value terms, the six-month period accounted for ₹14.26 lakh crore out of the total of ₹43.45 lakh crore worth of transactions since UPI’s launch in August 2016.
As UPI adoption rose, so did UPI-based fraud. Though data regarding such fraud during the initial years of UPI is unreliable, the available data since 2020 shows an upward trend. According to parliamentary data, a total of 256,975 UPI-based fraud cases have been recorded between 2020 and February 2023. The government claimed that, given the total volume of UPI transactions every year, the number of fraud cases represents a minuscule percentage. Data on the money lost in such UPI-based fraud is unavailable or at best sketchy, but a 23.4% increase in the number of cases recorded in three years points towards systematic targeting of the digital payments ecosystem by fraudsters. The NPCI claims that its security protocol is unbreachable, and that most of the fraud cases are a result of users’ carelessness regarding KYC details, which the fraudsters are able to prise out of unsuspecting users of digital payment interfaces.
Other types of online or digital fraud are also rising. The scale of some of these operations is extensive and highly sophisticated. In April, the Intelligence Fusion and Strategic Operations Unit (IFSO), a special cell of Delhi Police that deals with cyber fraud, busted a network of cyber criminals involved in selling fake insurance policies. IFSO arrested six people from Begusarai in Bihar who were operating the network. It seized 1,091 ATM cards and 56 fake blank passbooks while 20 bank accounts that the gang was operating were frozen.
“The biggest challenge with cybercrime is that everything happens very fast,” says Prashant Gautam, DCP, IFSO. “The biggest issue is we don’t get data in real time from the banks. There are times when we get the data and it’s not relevant for solving the crime or we get data we didn’t even ask for. Also, getting user data from ISPs and telecom service providers is a time-consuming process. We don’t have any institutional mechanism to address this problem.”
Protecting cyber infrastructure
The Computer Emergency Response Team (CERT-In) is a national nodal agency responsible for protecting the country’s cyber infrastructure and responding to cybersecurity breaches. To this end, it periodically issues alerts and advisories regarding the latest cyber threats, vulnerabilities, and countermeasures to protect computers and networks; tracks and disables phishing websites; facilitates the investigation of fraudulent activities in coordination with service providers, regulators, and law enforcement agencies; and carries out cyber security awareness campaigns with the RBI through the Digital India Platform.
According to parliamentary data, CERT-In reported 243,855 cyber incidents between 2016 and 2021. On April 1, 2022, the Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, admitted in the Rajya Sabha that there had been a manifold rise in cyberattacks on the country’s digital infrastructure. “There are attempts from time to time to launch cyberattacks on Indian cyber space. It is observed that attackers compromise computer systems located in different parts of the world and use masquerading techniques and hidden servers to hide the identity of actual systems from which the attacks are launched,” he said. In 2019, the administrative systems of the Kudankulam Nuclear Plant came under a malware attack suspected to have been carried out by state-sponsored North Korean hackers, which has not been officially acknowledged either by the Ministry of Electronics and Information Technology (MeitY) or any other arm of the government.
On April 28, 2022, CERT-In issued a set of directions under Section 70B of the Information Technology Act, 2000, which it claimed were steps to enhance the cybersecurity ecosystem in the country. But a scrutiny revealed that the directions were more focussed on collecting user data than ensuring user data protection. The directions copped a lot of criticism from cybersecurity experts and digital rights activists.
According to the Internet Freedom Forum (IFF), these directions suffered from several drawbacks. They were drawn up without consultation of technical experts, which resulted in “multiple unwarranted directions such as mandating the retention of Know Your Customer (KYC) authentication information for virtual asset service providers”, said the IFF in its critique. Other flaws include lack of compliance with existing cyber security provisions, “ambiguity of definitions” such as “mandatorily enable logs of all their ICT systems” which is not only sweeping in definition but will also lead to data collection of individuals. Additionally, service providers are required to maintain these logs for five years in case they withdraw from India. There is also no clarity on how this data will be secured from being accessed by hackers and cyber fraudsters. It has also been directed that companies offering any kind of cyber service need to “synchronise their system clocks with the Network Time Protocol (NTP) of the National information Centre”. The IFF says there are reliability issues with NTP servers.
But the most problematic direction is to do with Virtual Private Network (VPN) services, which are intended to protect user information, including IP address, from hackers and cyber fraudsters. VPN service providers need to provide all details to CERT-In. The IFF points out that VPNs offer protection to digital rights under the Indian Constitution and this goes against the landmark Right to Privacy judgment of the Supreme Court.
Even the draft of the Data Protection Bill, 2022, is weak in providing security to individual users. The two points include:
- A data principal shall have the right to readily available means of registering a grievance with a data fiduciary.
- A data principal who is not satisfied with the response of a data fiduciary to a grievance or receives no response within seven days or such shorter period as may be prescribed, may register a complaint with the board in such manner as may be prescribed.
It is clear that existing Indian laws are not only grossly inadequate to control cyber fraud, they are also against the conventional wisdom of data protection regimes that exist in other parts of the world, especially Europe. The new laws that are in the pipeline are geared for more personal data collection rather than less.
“Agencies are pretty much behind the curve,” feels Duggal. “Capacity building, effectively enforcing legislation, creating better hygiene for cyber security are immediate necessities. Now things are getting even more complicated. The increasingly powerful tools that are being developed, powered by AI, will also pose serious challenges in the hands of cyber criminals.”