Hackers from Bihar reportedly copied thumb impressions from a Haryana Government website and used Aadhaar-enabled payment system (AEPS) machines to withdraw money.
According to the Faridabad police, the fraudsters accessed jamabandi.nic.in (the official website for obtaining Haryana land record documents) and downloaded sale deeds. They made silicone thumbs by copying the thumb impressions of the parties who had executed the deeds. They then used these thumb impressions, together with other information from the deeds, to withdraw money.
Nitish Aggarwal, deputy commissioner of police, has informed the Director of Land Records of the situation. Because the data is readily available, Aggarwal recommended that only the first page of a sale deed be made available to the general public. He also suggested an audit of the website to close any gaps.
Regarding this issue, News18 spoke to Venkatesh Sundar, Co-founder and CMO at Indusface, a leading Tata Growth Capital Funded SaaS company.
He said: “The core of the issue here is a hacker got visibility into an ‘application loophole’ of access to fingerprint data of a user in a Sale deed form, before the application owners were aware of this risk or had time to fix it (in case they were aware of it).”
“In this case, an ‘application loophole’ was exploited to get access to fingerprint data of other users, and it was used to create payment fraud. In another application, it can be the same fundamental; for example, to get access to the past three transactions from a credit card or a bank statement, which can be used for verifying on behalf of a client to create other types of fraud. The focus should not be on what type of fraud was committed, but on what caused it to be enabled and how one can mitigate it,” he added.
Additionally, Sundar said: “With everything going digital, applications are powering that digitisation, and businesses and institutions should take an application-centric view to build their security programme. If you secure your applications, one is more or less securing their business and mitigating security risk to a large extent.”
According to him, there are three steps which can be followed in order to avoid such incidents. These are:
• Businesses can stay one step ahead of the hackers, as they have to worry only about their own application risks, whereas hackers have to phish for those risks by spreading the net. It means businesses can do risk assessment more frequently and more deeply, to at least be one step ahead of the hackers in being aware of those risks. A regular automated security scan assessment, along with periodic business logic testing and manual PT whenever the application goes through a major update, is must-have hygiene to at least solve the problem of being aware of the risk before the hacker identifies those risks as an opportunity for them.
• Businesses need to be very agile in addressing those risks once identified, but there are practical challenges, and hence a web application firewall with managed expertise to keep them updated is must-have hygiene for any serious application.
• Businesses need to partner with an OEM who, besides providing tools for risk visibility and protection, also manages them on an ongoing basis against new threat vectors and new updates, gathers insights based on actual probes and attacks that are blocked, and builds more dynamic defences against them as part of the policy.