Saturday, April 11, 2015

Cyber scams that target senior citizens in India

A senior citizen’s primary gadget is a mobile phone, which in earlier years was used only to make and receive calls and SMSes. With rising Internet penetration, children living in different cities and countries, video calls and rising costs, senior citizens have begun to use alternate communication channels like WhatsApp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding of how voice and data services work. Cybercriminals and spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the billing rates are significantly higher, as a third party service charge for these services is added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that once a call back is received, the caller is kept on the line for several minutes. The longer the duration, the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected, or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call ran out. Many senior citizens become anxious and literally rush to their telecommunication service provider, only to receive a stoic response that the provider is not responsible for any calls made or received. To resolve their excess charge they are advised to take up the matter with the third party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit would make it an unviable option with no guarantee of refunds.

Senior citizens can protect themselves by:

1.    Restricting outbound international calling, if there is no necessity to make overseas calls

2.    Ignoring short duration missed calls from international destinations

3.    Checking the international dial code for missed numbers before returning the call. If the number originates from a country from which they do not expect a call, then it would be best not to return it
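A family member setting up a phone for a senior citizen could encode steps 2 and 3 as a simple check over the missed-call log. The sketch below is an added example, not part of the original post; the home country, the list of expected dial codes, the five-second cut-off and the sample numbers are all assumptions made for illustration.

```python
import re

# Assumptions for this sketch: the user lives in India (+91) and expects
# overseas calls only from the UK (+44) and the UAE (+971).
HOME_DIAL_CODE = "91"
EXPECTED_DIAL_CODES = {"44": "United Kingdom", "971": "United Arab Emirates"}
SHORT_RING_SECONDS = 5  # assumed cut-off for a "one ring" missed call


def international_digits(number):
    """Digits after the '+' or '00' prefix, or None for a local number."""
    cleaned = re.sub(r"[^\d+]", "", number)
    if cleaned.startswith("+"):
        return cleaned[1:]
    if cleaned.startswith("00"):
        return cleaned[2:]
    return None


def advise(number, ring_seconds):
    """Apply steps 2 and 3 to one missed call and return a verdict."""
    digits = international_digits(number)
    if digits is None or digits.startswith(HOME_DIAL_CODE):
        return "domestic"
    # Step 3: dial codes are prefix-free, so a simple prefix test is enough.
    if not any(digits.startswith(code) for code in EXPECTED_DIAL_CODES):
        return "do not call back"
    # Step 2: even from an expected country, a one-ring call is ignored.
    if ring_seconds <= SHORT_RING_SECONDS:
        return "ignore"
    return "expected country"


# Constructed call log: (number, seconds the phone rang). "+999" is a
# placeholder dial code standing in for an unexpected country.
MISSED_CALLS = [
    ("+999 555 0100", 2),
    ("+44 20 7946 0000", 2),
    ("0044 20 7946 0000", 25),
    ("+91 98765 43210", 1),
]

if __name__ == "__main__":
    for number, rang in MISSED_CALLS:
        print(f"{number:<20} rang {rang:>2}s -> {advise(number, rang)}")
```

An allow-list of expected countries is used rather than a list of "bad" dial codes, because the premium rate destinations change while the set of countries a family actually calls does not.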

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or WhatsApp messages congratulating them on having won a “big lottery” and asking them to quickly claim their money. One senior citizen thought this was a valid claim because “it was not classified as spam” by the service provider. 40% of spam is not blocked by spam filters; spam filters only help and do not guarantee that a communication is legitimate. Once a request for redeeming the claim is made, these scams always ask for either personal information or the payment of an advance fee, which when paid is followed either by a further request for money or by the eventual disappearance of the scamster.

Senior citizens must not share personal data online and must always avoid requests for money to process a lottery win, to release a parcel, or to send a free gift, as these are sure signs of fraudulent behavior. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information which can later be sold or used to access online bank accounts is another type of scam. Scammers pose as officials in positions of authority (banks, police, and income tax) or as sellers of credit cards or personal loans, using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that, however convincing the callers are, information like bank accounts, financial records and passwords is never sought by authorities or banks.

Sunday, October 12, 2014

Do Indian matrimonial sites guarantee the privacy of your most sensitive information?

I personally believe users of some of the Indian matrimonial sites face the risk of unconsented use of their sensitive personal information. When I read the privacy policies of these sites, it felt quite apparent that there was a genuine lack of understanding as to what was needed to protect the privacy of the sites' users. I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and to ensure the deletion of personal data when the matchmaking process is finished.

Users of matrimonial sites fully disclose sensitive personal information to make a match. Initially in the matching process their profiles remain anonymous, but as the selection narrows down, the level of disclosure increases as the parties interact on the site. Personal information includes a person’s name, email address, sex, age, mailing address, credit card or debit card details, medical records and history, photograph, sexual orientation, biometric information, interests, information tracked while navigating, horoscope and occupation. If other services linked to the sites such as chats are used, the contents of these chats may also be recorded. Interestingly, some sites also allow users to submit public and private information on behalf of others, such as a child, relative or friend, without their explicit consent.

Information stored on these sites is used for advertising and shared with partner companies. None of these sites stated what data was shared (I presume all of it) and for what purpose. Sites have to be transparent and obtain the explicit consent of users on the way in which personal data is used. Under data protection laws, blanket permissions are not allowed.

Most of the sites were nonspecific about their process for deletion of personal information, in full or part, when requested by the user. One site stated that the deletion of information would take a long time because of residual copies on servers and could not guarantee their removal from backup systems.

What was left ambiguous was information on the sites' mechanisms to ensure anonymity of personal information at all times, except when the user consented to selectively disclose information to a selected match. While this is an implicit assumption, it was never explicitly confirmed. The two questions that came to mind were a) how the employees of these matrimonial sites were authorized to access the data and b) whether the data was secured using encryption. Reading through the disclosures made by sites on their security mechanisms, my conclusion was that most of the sensitive data lies unencrypted (except for credit card information). Some sites openly disclaimed their inability to secure the data.

In the event of a data breach, matrimonial sites would be liable to pay compensation or a penalty under Section 43A of the Indian IT Act. To avoid a penalty they need to prove that their security systems were adequate to secure sensitive private data. Without encryption, the ability to fully delete information and restrictions on sharing copies of personal data with advertising partners, it would be difficult to convince a court that reasonable practices were in place.

To reemphasize:
I would advise all users to first read the Privacy Policies of these sites to select a suitable one to use and ensure the deletion of personal data when the matchmaking process is finished.