Mobile Wallets – Vulnerabilities & Reducing the Transactional Risk

There are endless apps in the market with cash back and discounts, coupon codes, and vouchers. The money wallet industry rules most of the offers.

According to the Capgemini’s World Payment Report, mobile wallets will witness a compound annual growth rate (CAGR) of 148 percent over the next five years and will be $4.4 billion by 2022. The digital wallets are also supposed to outshine UPI”.

Some of the mobile wallets are mobikwik, PayU, PhonePe, Freecharge, Google Pay Paypal and many others. The most famous digital wallet in India is Paytm. These can be used either in offline such as petrol pumps, a vegetable vendor, and mobile recharge) or online stores such as bookmyshow, Ola, Swiggy and other tied up vendors.

Mobile Wallets- Growth

Mobile wallet has become one of the important payment modes in India. Let’s have a look at few of the surveys conducted.

  • Global Data’s survey shows that the share of cash or cheque (cash on delivery) in total e-commerce transaction value declined from 31% in 2013 to 16% in 2017, whereas the mobile wallet share jumped from just 7% to 29% during the same period. The usage of payment cards dropped from 38% to 32% during this period.
  • eMarketer statistics suggest that this year, 73.9 million people in India — that account to be 7.6% of the whole population of the region — will use mobile payments. That is a dramatic increase of 39.7% compared to last year.
  • The ease of using mobile payment in daily lives like for cab, mobile recharge, groceries is slowly pushing the country towards a cashless space.
  • The number of transactions also increased by around 5% to 325.28 million in July, which brings it very close to the all-time high of 325.41 million in May. Around 309.62 million transactions were recorded in June.

What happens if someone gets access to your mobile wallet?

  • Siphoning off money: This is obvious. But it is not necessary that it will be a simple wallet transfer to a different number. Most of the times, in order to avoid being traced, instead of transferring money to their numbers, attackers purchase online services like mobile/DTH recharges. They later monetise the purchase from the recharge dealers who are complicit in the hack. Never store a large amount of money in your mobile wallet.
  • Access to debit/credit card details: The next thing an attacker can do is to access the credit/debit details that are stored in your wallet. All the popular mobile wallets have options to save the card number and other details for the user’s convenience. If a hacker gets hold of your mobile wallet, he can access those details and sell them in the underground market on the Dark Web. Even if your wallet doesn’t store the CVV or the expiry date, the stolen information can be used to carry out targeted phishing attacks on you. A cyber-criminal with your card information can contact you posing as a bank executive. As he would have enough information about your activities to fool you into believing him and sharing critical information.
  • Access to your transaction history and spending pattern: Your mobile wallet stores complete details of how much, how often and what you spend on. Once your wallet is compromised, the attacker can steal all this information and either sell it to advertisement networks or use it to carry out a targeted scam.
  • Routing stolen/black money through your account: what hackers do—and which is the most dangerous scenario in the case of your mobile wallet being hacked is—they steal your money and send it to other hacked digital wallets including yours to monetise the digital money into real currency.

Vulnerabilities in digital wallets:

  • A weak user identity verification which leads to an attacker impersonating a user.
  • The possibility to login as another user from a mobile device not belonging to the real user.
  • The possibility to replicate or guess tokens assigned to different users and transactions.
  • Insecurities in wallet replenishing and money transfers.
  • Refilling the wallet with more than the Net banking or Credit/Debit card transaction by using parameter or response manipulation.
  • Transferring money fraudulently from another user’s wallet account (swapping to and from the account numbers, or using negative amounts while transferring money).
  • For any product related transactions (movie ticket buying, gift card, bill payments, etc.) tampering with parameters to perform transactions with lesser amounts than the original product cost.
  • Checking local storage for sensitive data such as PIN, stored payment tokens, encryption/decryption keys, etc.
  • Transacting using NFC.
  • Checking if the tokens stored offline for wallet payments can be replayed—using them more than once.
  • Checking to see if the tokens stored in the local database are not encrypted and using them for direct transactions.
  • Checking for flaws in other methods of transactions using NFC.

How the fraud takes place?

The Reserve Bank of India (RBI) has warned banks regarding digital banking fraud that could wipe out a customer’s bank balance by using the Unified Payment Interface (UPI) route. In an alert dated February 14, the cybersecurity and IT examination cell of the central bank said that a mobile application called ‘AnyDesk’ was majorly being used by fraudsters to access data on mobile devices.

What is ‘AnyDesk’?

‘Anydesk’ is a remote-control application. It works to connect one device to another.

How can the fraud wipe out a customer’s bank balance?

The method is simple.

  • First, fraudsters get bank customers to download the app (AnyDesk).
  • Through a nine-digit code generated on the customers’ device, hackers get remote access to their mobile.
  • After inserting the app code on the device, the hacker asks customers to grant certain permissions, which are similar to what is required while using other apps.
  • Once they gain access to the mobile phone, hackers can carry out transactions fraudulently through any mobile banking app or payment-related apps, including UPI or wallets.

Some facts and statistics related to the cyber frauds of mobile wallets:

  • According to a report by the Reserve Bank of India, a total of 2,059 cases of cyber fraud were reported in 2017-18 amounting to Rs 109.6 crore. The number of cyber fraud cases in 2016-17 was 1,372 amounting to Rs 42.3 crore.
  • A total of 5,917 bank frauds were reported in 2017-18 and nearly a third of these were cyber frauds.

Some noticeable frauds:

  1. Radhika Parekh dialled a number listed for Star Wine shop which she found on Google for alcohol stores in Powai. She was requested by the store staff over the phone to make the payment of Rs 420 on Google Pay. The person on the phone also asked her to share her UPI ID.

UPI Fraud details: Once Parekh shared her ID, she received a payment request on Google Pay. The moment she accepted the request, Rs 29,001 were debited from her account. When she called the shop and inquired, the staff apologized and said that amount was debited owing to a mistake. After she disconnected the call, another transaction of Rs 58,000 was made from her account. The store owner told Parekh that the number she called did not belong to them when she went to inquire.

  1. In the month of July, a man from Indore lost Rs 2.2 lakh, while he ordered food from a popular food ordering app. Allegedly, he searched for a customer care number, and when he called, he was tricked into revealing OTP, which led to the digital robbery.
  2. A woman from Bengaluru lost Rs 95,000, when she contacted a fake customer care number from Swiggy, and the fraudsters tricked her into revealing sensitive information about her bank accounts.
  3. Robbery Via Google Pay: Modus Operandi

When the man tried to search for customer care number of Google Pay on Google.com, he found a fake number, and called that number. The fraudsters informed that the error which he received was a common thing, and sent the man a link to be clicked on his phone. As soon as he clicked on the link, the man found Rs 96,000 transferred from this bank account, which was linked with Google Pay.

How to keep your wallet safe?

  • Do not entertain calls from unknown people, who represent themselves bank’s customer care executive.
  • Install only from the official app stores: don’t trust random apps. Never install/download apps from unknown sources like third-party app stores, website pop-ups or links in messages/emails. These apps can contain malware that can give the attacker complete access to your device which can be used to hack into your e-wallets and bank accounts. Download only reputed apps. Anything having less than 50,000 downloads can be risky.
  • Check app permission before installing: Always check the permissions that are being asked before installing any kind of app. Most people have a misconception that if the app is available on the official store of Google or Apple, then it has to be secure. However, that’s not the case. Recently there have been lots of incidents where applications on Google Play were found to contain malware and were stealing user data. If you feel that an application is asking for permission that it doesn’t need, then don’t install the app or disable those permissions. For example, if a calculator or flashlight app is asking permission to read your SMS or record audio it is not appropriate.
  • Don’t allow any app to read your SMS’s: Pay special attention the apps asking permission to read your SMS’s. If you give an app this permission, there are chances that it can also read your OTP message which is being sent via SMS. If your phone allows it by default, disable this permission manually from the settings for the apps that you feel don’t need the permissions.
  • Never share your OTP with anyone: Never share your OTP with anyone on call, via message or even verbally. There have been various cases in which users have fallen into social engineering scams and have provided the OTP that was sent to their phone. Attackers can make an attempt to login to your account by tricking you into giving out the OTP that was sent to your mobile phone and compromise all your wallets.
  • It is advisable to only contact the customer care numbers mentioned in the app, and not use Google search engine to find them. Most probably, the numbers are fake.
  • Don’t use public Wi-Fi to access sensitive data: Avoid making transactions or accessing your sensitive data while you are connected to public Wi-Fi. Many cafes provide their customers with free Wi-Fi access, which may seem convenient but can be used by attackers to steal your confidential data as they are not properly equipped with security measures.
  • Fraudsters will ask you to share your bank details and will ask you to create a new Virtual Payment Address (VPA) ID for your account and set MPIN to do transactions. Never do this at any cost