Salami thefts are aimed mostly at two types of targets, individuals and organisations, and the choice of target defines the course of the attack. Where individuals are targeted, their money is stolen in negligible proportions at every transaction so that the theft initially goes undetected. When noticed later, the cumulative amount could be significantly large, warns Reetwika, a cybersecurity expert, in the weekly column. A Different Truths exclusive.
‘Salami theft’ is a very old mind-game scam, first exploited by Germany’s Nazi Party during the 1940s, even before the evolution of computers and the internet. However, with the advent of technology, it has become increasingly easy for fraudsters to continue with salami techniques without making much noise.
Salami Theft Targets
Salami thefts are aimed mostly at two types of targets, individuals and organisations, and the choice of target defines the course of the attack. Where individuals are targeted, their money is stolen in negligible proportions at every transaction so that the theft initially goes undetected. When noticed later, the cumulative amount could be significantly large.
For organisations, the strategy is just the reverse. Large transactions often catch the eye of the vigilance department, so to avoid that, a large transaction is broken down into insignificantly small transactions so that the deals go unnoticed.
In either case, the attacker makes a huge sum of money behind the screen. Since small proportions of cash are stolen to form a massive chunk, this type of cybercrime is termed Salami theft.
How to Identify Salami Thefts
Now that we have understood how a Salami attack can be executed, the most important question for an individual is how to identify such an attack. To check your alertness level as a user of cyber technology, try answering the following questions as a first step.
During your last online banking transaction (net banking, cards, e-wallets etc.), did you notice any trivial additional deduction (maybe a few extra rupees) beyond the calculated amount?
Yesterday, while filling petrol at the fuel station, did you calculate the exact payable amount or just approximate it to the tenth unit?
Did you check your balance after receiving a blank call on your phone the other day? Was there any silent deduction?
If you are a post-paid telecom user, how diligently do you verify the call or SMS charges at the end of the month?
Even if you noticed a negligible additional cost, did you call the vendor for a justification, or did you think how foolish that would be, since the call charges would be more than the deduction?
Did these questions ring a bell? If yes, you must read a few of the real-life case studies available online where individuals have incurred huge losses due to Salami thefts. While organisations have their own gears to identify Salami frauds, as individual consumers of technology we must be more cautious to outsmart the clever cybercriminals. Here are my simple tips to prevent Salami attacks:
Don’t Save Card Details Online, Punch Them In
Do not save your card details for faster payment at online portals. As a user, you won’t know the backend security standard of the database where your card information is saved; a ‘safe payment gateway’ disclaimer does not necessarily assure a ‘safe database server’. However time-consuming it is, key in the card details every time you buy a deal online.
Verify Extra Benefits Promised by Mobile Banks
If you are using any non-financial institution’s banking solutions (e.g. your mobile network service provider’s banking app, e-wallet banks, e-malls, e-cards, e-savings accounts etc.), be careful to verify the statements at regular intervals. Are you really earning the promised higher interest, returns and benefits, or are you losing insignificant amounts on a regular basis? You might have been charged for secret monthly investments with negligible premiums without your knowledge, and at the end of the year suddenly receive a huge bill for the remaining amount.
It might not be the intent of the service provider; it could have been caused by their weak cybersecurity infrastructure. For example, if the service provider is not using standard encryption software to protect their transactions, a disgruntled insider can inject a logic bomb (a piece of code) into the core server that deducts petty amounts (e.g. Rs. 2 per transaction) from all the users on a monthly basis and deposits the same into his personal account.
Imagine if the service provider has millions of users: how much does this insider make every month? If he has an annual fraud plan, at the end of the year you may get a shocking outcome, or your wallet may be washed out totally. It’s all automated; no one can catch hold of the attacker. He might be miles away, slurping your money from a different country altogether.
Beware of Online Astrologers
Do not blindly trust any unknown virtual astrologer or tarot reader just because he has nailed a few predictions. It’s such an easy way to trick the human mind. IPL season is in the air; just imagine that tomorrow you receive an unsolicited email from someone claiming to be a virtual astrologer, saying, “I will predict the winner for tomorrow. It’s Bangalore.” And the team really wins. You don’t believe him.
A day after the match you get his second email, which says, “Well, that was no fluke. I can bet on predicting even today’s result: the match will be abandoned due to rain.” Surprisingly, he hits the bull’s eye again. You are startled, and slowly a sense of trust creeps into your mind. This gets repeated for the next ten consecutive matches and all his predictions are 100% correct, be it win, loss or no result. With each recurrent success you are bound to grow faith in his magical prophecy skills.
Now that he has earned your full confidence, he plays his trump card: “If you wish to win cash prizes of up to Rs. 10 lakhs, you too can predict the next match result. Your Astro Buddy is here to forecast the future. You can claim your total cash after the final match. To enter the online game, register here with your name, phone number and email ID” (a hyperlink opens an online form where you can choose your predicted match result). “There is a negligible one-time registration fee of Rs. 100. All major cards and net banking accepted.”
Finding the amount as trivial as Rs. 100, you register for the game without a second thought. And your Astro Buddy’s prediction wins you the first round. You are elated to have won thousands against just a tiny investment of Rs. 100. This charges you up for the next match. And so it continues till the end of the IPL season: after every match you keep paying Rs. 100 and in return e-cash accumulates in your e-wallet.
The final match is over. Your predicted team has lifted the trophy. Wow, what a moment to celebrate! Now it’s time to claim your cash bonanza. A couple of days go by. Your Astro Buddy is silent; no emails yet. A little impatiently, you try opening the e-wallet to check the closing balance and suddenly discover that the hyperlink you had been using to log in to your profile no longer exists. All your emails to the Astro Buddy’s ID bounce now. Congrats! You have been successfully tricked. You still thank God that you lost only a few thousand rupees.
Was that the only impact? Let us look from the other side of the table now. The first question that should have struck you is how he predicted all the matches so accurately, without a single miss. Was the entire IPL season a fake show? Was it really compromised, fixed so bitterly? Not at all. There is no betting involved here, and the franchises did not even know about this man. Remember, I said it’s entirely a mind game? And it really is. Let me prove it.
Apply simple probability theory. For every match, each of the outcomes, win, lose or no result, is equally likely for either team. The con man creates three sets of recipients (target victims) and sends the same email or SMS with a different outcome to each set, in silos. After the match is over, he knows which set of users received the correct forecast. He dumps the other two sets and repeats the same trick with this batch of target victims. Again, out of three subsets, one set gets the result correct. He further dumps the other two and continues only with the respective winning set. This pattern recurs till the end of the IPL season. Bingo. You were one of those (un)lucky winners!
Let us now focus a little on the magnitude of the impact. If there are 60 matches in an entire IPL season, of which he sacrifices the first 10 to win confidence, then for the remaining 50 matches he makes Rs. 100 per user. That is Rs. 100 for 50 matches, equivalent to Rs. 5000 per user. Now, if he could trick just 10,000 users till the end, the total amount he made was as gigantic as Rs. 10 million. It would be even more if we include the intermediate collections.
If you are wondering how the attacker would get our contact IDs, it is not a big deal at all to collect email IDs or phone numbers of foolish people nowadays; we ourselves keep sharing them publicly here and there. All he had to do was create a fake website and set up a payment gateway to accept money. No rocket science, no betting, no gambling. It was simply mind hacking.
Do Not Download Free Apps from Unknown Authors
Do you check the author (or owner) before downloading amazing free apps from the app store? As a safe practice, you should always verify the identity of the app creator who owns or uploaded the app, even if it is offered for free. You never know what code the app is injecting into your device. It can carry a silent killer in the backend that keeps stealing your wallet balance every day, entirely outside your knowledge.
With the boom in smartphones, they have become the easiest targets for Salami invaders, as we hardly use any encryption, anti-virus, anti-spyware, firewalls etc. on our phones, yet keep using them to access a huge number of online banking sites, social media profiles, e-commerce portals, mobile banks, cab payments, cinema shows, match tickets, company emails, spreadsheets, cloud storage etc. With every online operation, we invite fraudsters to rob us.
Be a Responsible Consumer
Whenever you are paying a bill or earning financial benefits (banking, phone, fuel, investments, restaurants, ticket counters, where rounding change up to a higher ceiling value after taxes and deductions is common practice), whether online or offline, be diligent enough to calculate the exact amount to two decimal places. That way you will be aware of even the slightest deviation, and if the trend repeats over the next few successive transactions with the same vendor, you can take a conscious call on how to report the incident. Remember, Salami theft is a punishable offence under criminal law, liable to imprisonment and/or a monetary fine depending on the magnitude of the reported scam.
Explorations are on; very soon a new feature will be added to every high-end smartphone, with an inbuilt Salami theft alert programmed into the handset. Performance accuracy may vary by brand. So, next time you buy a new phone, ask your dealer about the Salami theft feature.
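The advice above, to compute the exact amount and watch for a deviation that repeats with the same vendor, is the same check that would expose the Rs. 2-per-transaction logic bomb described under mobile banking. The following Python reconciliation is an added example, not code from the column: the ledger rows are constructed, the vendor names are illustrative, and the thresholds (three repeats, at most Rs. 5 over) are my assumptions. Amounts are handled as Decimal, not float, so that a two-paise difference is never lost to rounding.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample ledger: (vendor, amount the customer computed, amount debited),
# all in rupees. The vendor names are made up for illustration.
LEDGER = [
    ("FuelStation",  "1234.50", "1236.00"),
    ("FuelStation",   "987.30",  "989.00"),
    ("FuelStation",  "1500.00", "1501.50"),
    ("Grocer",        "450.00",  "450.00"),
    ("Grocer",        "320.75",  "320.75"),
    ("MobileWallet",  "100.00",  "102.00"),
    ("MobileWallet",  "100.00",  "102.00"),
    ("MobileWallet",  "250.00",  "252.00"),
    ("MobileWallet",   "75.00",   "77.00"),
    ("Cinema",        "600.00",  "600.00"),
]

PAISE = Decimal("0.01")   # two decimal places, as the column recommends


def deviation(expected, charged):
    """Charged minus expected, as an exact two-decimal Decimal (never float)."""
    return (Decimal(charged) - Decimal(expected)).quantize(PAISE, rounding=ROUND_HALF_UP)


def suspicious_vendors(ledger, min_repeats=3, max_overcharge=Decimal("5.00")):
    """Return {vendor: [deviations]} for vendors that overcharged by a small
    positive amount on at least `min_repeats` transactions. Small and repeated
    is the salami signature; a single large mismatch is more likely a billing
    error and is deliberately not flagged here."""
    by_vendor = defaultdict(list)
    for vendor, expected, charged in ledger:
        by_vendor[vendor].append(deviation(expected, charged))
    flagged = {}
    for vendor, devs in by_vendor.items():
        small_over = [d for d in devs if Decimal("0") < d <= max_overcharge]
        if len(small_over) >= min_repeats:
            flagged[vendor] = small_over
    return flagged


def total_leak(flagged):
    """Sum of all flagged overcharges: the 'slices' that make up the salami."""
    return sum((sum(devs, Decimal("0")) for devs in flagged.values()), Decimal("0"))


if __name__ == "__main__":
    flagged = suspicious_vendors(LEDGER)
    for vendor, devs in flagged.items():
        print(f"{vendor}: {len(devs)} small overcharges, total Rs. {sum(devs, Decimal('0'))}")
    print("total leaked across flagged vendors: Rs.", total_leak(flagged))
```

Run against the constructed ledger, the check flags the fuel station (three overcharges of Rs. 1.50 to 1.70) and the wallet (four overcharges of exactly Rs. 2.00) while leaving the grocer and the cinema alone; the individual slices are too small to be worth a phone call, which is exactly why the totals have to be reconciled rather than eyeballed.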