RBI has recently issued Advisory (Alert 1/2019) dated 14th Feb’19 pertaining to new modus operandi to commit fraud in Digital Payment Ecosystem using Remote screen access apps. NPCI is committed to consumer safety and reiterates its commitment to support the cause stated by RBI in letter and spirit. Recently, this new type of fraud has been identified by NPCI only and proactively informed to the regulator and other authorities.
Modus Operandi (Remote Screen Access)
· Fraudster would lure the victim on some pretext to download an app called ‘AnyDesk’ from Playstore or Appstore.
· The app code (9-digit number) would be generated on victim’s device which the fraudster would ask the victim to share.
· Once fraudster inserts this app code (9-digit number) on his device, he would ask the victim to grant certain permissions which are similar to what are required while using other apps.
· Post this, fraudster will gain access to victim’s device.
· Further the mobile app credential is vished from the customer and the fraudster then can carry out transactions through the mobile app already installed on the customer’s device.
Notably the threat of this modus operandi applies to all applications (Payment/Banking/Wallets/Social Media) installed on the victim’s mobile device. Once access is granted by the victim, fraudster can not only initiate financial transactions but can also place online shopping orders or book rail/air tickets, etc. using the apps available on the victim’s phone or even steal any information stored in the mobile phone. While number of such fraud cases are few (5 cases reported so far), we are vigilant and urge consumers to be careful.
Bharat Panchal, Head of Risk Management, NPCI says, “While NPCI is continuously working towards enhancing security of its products & services from such attacks, this type of frauds can be better prevented by consumer education. The entire ecosystem including Banks & Fintech companies have to work collectively towards creating awareness & educating customers to refrain from sharing their account/card credentials, OTP/PIN and/or giving access to their mobile handsets to unscrupulous persons through such remote screen access apps. UPI platform is fully secure and is also 2FA enabled. NPCI in its endeavour to safeguard the UPI ecosystem will continue to proactively monitor the fraud space and help implement control measures wherever required.”
Taking this ahead, NPCI started with the Consumer Safety & Awareness program leveraging the mass media vehicles like newspapers and radio. Last week, NPCI started a consumer content sourcing initiative STOP. THINK. ACT on twitter to gather creative ideas from consumers to educate them. This is one of the kind initiative to co create content along with consumers, in true sense “for the consumers, by the consumers.”