By Stas Alforov and Christopher Thomas
- India, with the world’s second largest population and rising internet penetration, presents a significant attack surface to cybercriminal threat actors. A combination of lucrative targets and insufficient defense measures makes many Indian institutions attractive to hackers.
- Over 3.2 million Indian payment card records have been compromised and posted for sale in 2018, which has elevated India to third in the world in the total amount of stolen payment cards. Gemini identified a 219% spike in Indian payment cards added that year due to a significant rise in stolen Card Not Present (CNP) and Card Present (CP) data. The increasing demand was supported by a 150% surge in the sale price, from a median price of $6.90 USD (approx. 478.02 Indian Rupees) in 2017 to $17 USD (approx. 1,177.73 Indian Rupees) in 2018.
- The Reserve Bank of India (RBI) has recently mandated that all ATMs and point-of-sale (POS) devices become EMV-compatible by January 1, 2019. This extra security will make it far more difficult to cash out CP cards, as the magnetic stripe is significantly easier to copy than an EMV chip. For this reason, the amount of fraudulent CP transactions in India in the future is likely to decrease.
- Due to the upward trajectory of Indian cybercrime and the modest results of mitigation efforts, Gemini Advisory assesses with high confidence that fraud levels in India, particularly CNP fraud, will likely surpass those of the United Kingdom in 2019, making Indian-issued payment cards the second-most targeted cards in the world.
India, with the world’s second largest population, rising internet penetration, and rapidly increasing middle class, presents a significant attack surface to cybercriminal threat actors. A combination of lucrative targets and insufficient defense measures makes many Indian institutions attractive to hackers, as quantified by data security solutions provider Thales eSecurity in its Thales Data Threat Report 2018. According to the report, 52% of surveyed Indian companies reported a data breach in 2018, compared to the global average of 36%. Indian companies are also a full eight percentage points above the global average of companies that have ever reported data breaches, 67%. The most commonly cited obstacles to effective cybersecurity were “lack of perceived need” and “lack of organizational buy-in.”
Fortunately, there are a number of measures underway to improve Indian cybersecurity. The Unique Identification Authority of India (UIDAI)’s Aadhaar ID system, responsible for issuing residents a verifiable 12-digit identification number linked to biometric data to reduce banking and government benefits fraud, has reportedly been advocating for increased emphasis on security measures. Correspondingly, 93% of surveyed Indian companies are increasing their security spending, which is the highest percentage that Thales found anywhere in the world.
However, the Aadhaar database itself was among the government and financial institutions that have suffered severe breaches in the past year. The database contains the personally identifiable information (PII) of more than 1 billion Indian residents. A report by The Tribune revealed that for only 500 Indian Rupees ($7.29 USD), a threat actor can access any of the more than 1 billion records available in the database. This reported bribery scheme has invited widespread criticism of Aadhaar and the nation’s security standards, and the UIDAI has since launched an investigation.
In the event of a breach, who pays? Cybercrime liability in India, according to the Reserve Bank of India (RBI)’s guidelines, is roughly divided into three categories. If customers are not at fault, they must report the incident within three working days to avoid liability. If they are at fault, and their physical payment card or payment card information was compromised due to negligence, they must bear the full costs of the fraud. Finally, if neither the customers nor the bank is at fault, the customers also have three working days to report the incident or risk maximum liability ranging from 5,000 Indian Rupees ($72.63 USD) to 25,000 Indian Rupees ($363.13 USD). If the customers do not report the incident within seven working days, the bank’s liability regulations take precedence. The RBI also mandates a system to file complaints with ombudsman offices, although this system may be under-resourced, as it only mediated 31 cases in 2018. This is similar to the United States’ system for debit card fraud liability, in which notification in two days caps customer liability at $50 USD, and notification within 60 days of receiving the bank statement caps at $500 USD. However, US credit card liability is capped at $50 USD for a stolen physical card (although many banks waive this fee) and there is no liability for a stolen credit card number.
Major Indian Cybercrime Incidents
Indian financial institutions have suffered major security incidents in the past year. Among the most notable of these was the August 11, 2018 hack of Cosmos Bank in which 94.4 crore Indian Rupees (then worth $13.5 million USD) were stolen. The cybercriminals allegedly placed simultaneous withdrawals across 28 countries as well as three unauthorized payments through the SWIFT global payments network.
While the Cosmos Bank SWIFT breach was one of the largest single incidents of recent Indian cyberfraud, compromised payment cards comprise a significant portion of overall financial cybercrime. According to the Economic Times, India’s banking sector suffered from 2,059 cases of cyberfraud, totaling 109.6 crore Indian Rupees ($13.7 million USD) in the financial year 2017-2018. It should be noted that the Indian financial year runs from April 1 to March 31, so this value does not include the 2018 Cosmos Bank incident, which alone would nearly double the yearly losses. The journal did not specify whether or not this figure includes losses borne by the cardholders, or just financial institutions’ losses. However, in either case, this marks a massive increase from the 1,372 cases reported in the financial year 2016-2017 amounting to 42.3 crore Indian Rupees ($6 million USD).
According to Symantec’s 2017 Internet Security Threat Report, India is the fourth largest global source of malicious activity, and the second largest in the Asia Pacific region. It also ranks second for both spam and bot threats, up from eighteenth and seventeenth, respectively, in the previous year. These statistics indicate that India is both increasingly home to cybercriminals and is increasingly targeted by them.
Symantec’s 2019 Internet Security Threat Report ranks India as second in the world for ransomware by country at 14.3% of recorded instances, behind China and just ahead of the United States. It also comprised 23.6% of mobile malware incidents, narrowly behind the United States. The next highest country rate was Germany at 3.9%. Finally, India ranked second in the world for countries affected by targeted attack groups from 2016 to 2018, again behind the United States.
Supply and Demand
Based on the proprietary Gemini Advisory telemetry data collected from various dark web sources, analysts have determined that in 2018, over 3.2 million Indian payment card records have been compromised and posted for sale, which has elevated India to third in the world in the total amount of stolen payment cards.
During the years 2017 and 2018, over 4 million Indian payment card records have been compromised and posted for sale. Gemini identified a 219% spike in Indian payment cards added in 2018, primarily due to a significant rise in stolen CNP and CP data. While the CNP data was most prevalent, CP data also experienced a major increase despite the fact that over 86% of the compromised CP cards were EMV-enabled.
Furthermore, the spike in cards added was met with a growing demand for India-based payment records. The increasing demand was supported by a 150% surge in the sale price, from a median price of $6.90 USD (approx. 478.02 Indian Rupees) in 2017 to $17 USD (approx. 1,177.73 Indian Rupees) in 2018, with over $16.7 million USD (approx. 120 crore Indian Rupees) spent on Indian payment cards from 2017 and 2018 combined. Criminals continuously search for payment cards from specific banks that provide the highest return on investment, and largely spend money only when confident that they stand to make a profit.
There are no official statistics about the average losses per each defrauded Indian payment card. However, if analysts use the very conservative estimate that cybercriminals earn twice as much as they spend on compromised payment cards, then Indian losses in the Indian financial year of 2018 to 2019 would be around $28 million USD (approx. 190 crore Indian Rupees). For reference, the country currently with the second-most targeted payment cards, the United Kingdom, sees cybercriminals earning 25 times as much as they spend on compromised cards. Were that ratio applied to India, losses from 2018 to 2019 would be around $350 million USD (approx. 2,420 crore Indian Rupees). The true number likely lies between these two estimates, making the 2018 to 2019 fraud far higher than the Economic Times’ previously reported $13.7 million USD (109.6 crore Indian Rupees) from financial year 2017 to 2018.
The most prominent underground marketplaces specializing in the sale of stolen payment cards are operated by Russian-speaking threat actors. While it is possible that international cybercriminals are increasingly pursuing compromised Indian payment cards, this is less likely than a rise in internal demand, since it is easiest to cash out these cards from within India. This suggests a strong and ever-growing connection between Eastern European cybercriminals and Indian cybercriminals.
It should also be noted that the RBI has recently mandated that all ATMs and point-of-sale (POS) devices become EMV-compatible by January 1, 2019. This extra security will make it far more difficult to cash out CP cards, as the magnetic stripe is significantly easier to copy than an EMV chip. For this reason, the amount of fraudulent CP transactions in India is likely to decrease. Threat actors in the dark web have previously recommended India as an ideal location for using ATMs to cash out of various compromised European cards with PIN data, but, as financial institutions and merchants increasingly implement EMV technology, cashing out in this way will become an increasingly impractical option.
Gemini analysis indicated that nearly 50% of the compromised CNP records also include additional PII, primarily the email and phone number associated with the stolen payment card data. This information is recorded and stolen during payment and checkout on a breached e-commerce site. In parallel to the security measures of email and SMS notifications during online transactions implemented by Indian financial institutions, the compromised records purchased with the associated email and phone number can be used to bypass such security with the use of additional dark web resources.
These resources may include lists or databases of stolen PII. For example, in January 2019, over 2.2 billion stolen usernames and passwords surfaced in the dark web. Lists of email credentials have spread across the dark web for years, although never before on this scale. With access to such lists, cybercriminals can search for matches between an email they acquire from purchasing a payment card record and associated passwords from the list.
With access to a cardholder’s email and phone, a threat actor could potentially bypass multi-factor authentication (MFA) relying on sending verification messages to an account holder. However, targeted attacks compromising emails and phones require higher technical expertise than simply buying compromised payment records from the dark web, and while such techniques can threaten account holders irrespective of EMV adoption, they are unlikely to be as widespread as current techniques to compromise payment cards. Because of these new EMV and MFA security measures, Gemini Advisory assesses with moderate confidence that the amount of CP payment card fraud is likely to decrease overall, but that the instances of fraud that do continue will likely be more extensive and ultimately more damaging. This pattern lies in accordance with the fraud trends in countries that have previously adopted EMV technology with merchant compliance.
Gemini analysts have determined the top ten Indian cities most affected by payment card fraud. While in most Western countries, the cities with the highest populations directly correlate to those with the highest CNP fraud, this does not appear to be the case in India, as is more common in developing countries. The cities are depicted below.
However, it should be noted that India has some of the world’s strictest data localization laws, comparable to those of China or Russia. This means that international companies must store information on Indian customers in data sites located in India. Companies such as Mastercard, while communicating their intent to comply, have expressed concern that this would isolate their Indian customer data from global data and make it more difficult to identify international fraud trends. This may be particularly troublesome for cybercrime involving compromising payment card records in one country and cashing out those records in another country. Further insight into specific compromised Indian records will thus encounter obstacles not present in most countries around the world.
Because of this, the Indian banks’ implementation of additional security measures relying on email and SMS notification for online purchases may potentially fall short of mitigating the increase in payment card fraud. As of March 1, 2019, Gemini data indicates that payment card fraud in India has not been sufficiently addressed and is on track to rise to even greater levels than in 2018. Fraudsters that can obtain both payment card data and the associated phone number and email address may have the necessary tools to bypass banks’ additional layers of security to successfully conduct fraudulent transactions. In addition, they can leverage the same PII to carry out even more targeted financial attacks against the victim cardholder.
India’s 219% spike in compromised payment records from the calendar year 2017 to 2018 was nearly as high as the United Kingdom’s 305% spike, and the Q1 2019 data from both countries indicates that India’s growth is increasing faster than that of the United Kingdom. Indian financial institutions, while embracing a more proactive defensive strategy, have yet to reverse this trend. Due to the upward trajectory of Indian cybercrime and the modest results of mitigation efforts, Gemini Advisory assesses with high confidence that fraud levels in India, particularly CNP fraud, will likely surpass those of the United Kingdom in 2019, making Indian-issued payment cards the second-most targeted cards in the world.
Gemini Advisory Mission Statement
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.