Rushi Mehta: It is time to make apps smarter and build fraud risk management features into them rather than putting the onus on customers for awareness. Some of the common ways criminals use social engineering to conduct cyber financial frauds such as Account Takeover, Impersonation, etc. are:
- OTP theft using call conferencing / Android Trojan
- Fake Calls / Impersonation
- Remote Access — Refund fraud
- Fake SMS / Phishing Links over SMS
A small piece of code inside the Android app may help to identify and defuse such fraudulent attempts and protect customers' hard-earned money, which is being drained on a massive scale by cyber criminals. Here are some ways to implement this by warning customers in real time when fraud activity is detected at the endpoint (the customer's phone).
1. Phishing Impersonation SMS Detection Code
- Android Permission: Read SMS, Notification
- Team: Fraud template collating team (Indicators of Frauds repository built from social media, victims and honeypot phones)
- Infrastructure: Repository of fraud SMS templates, fraud links, numbers and headers at a centralized server; automated real-time detection in the app's background process, with real-time notification to the centralized server.
- Problem Solved: All phishing SMS-related attack attempts by notifying customers in real-time.
This feature will solve most of the issues pertaining to fraudulent impersonation SMS. Instead of relying on customers for awareness, it will be an automatic detection and flagging mechanism.
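The matching step described in item 1, as an added example that is not code from the original article: an incoming SMS is checked against a repository of fraud headers, numbers, links and templates. The repository entries, function names and the 0.6 similarity threshold are assumptions constructed for illustration, and the logic is written in Python only to show the matching; the app would receive the same inputs from its SMS permission.

```python
import re
from urllib.parse import urlsplit

# Constructed Indicators of Fraud (IOF) repository; a real app would sync
# this from the centralized server. All entries below are made-up samples.
IOF = {
    "domains": {"kyc-update.example", "bill-pay.example"},
    "numbers": {"9000000001"},
    "headers": {"VK-KYCUPD"},
    "templates": [
        "dear customer your account will be blocked today update kyc at <url>",
        "your electricity will be disconnected tonight call <num> immediately",
    ],
}
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.I)
# Indian mobile number, optional +91 / 91 prefix; group 1 is the 10 digits.
NUM_RE = re.compile(r"(?<!\d)(?:\+?91[\s-]?)?([6-9]\d{9})(?!\d)")

def normalize(body):
    """Lower-case, swap URLs and numbers for placeholders, drop punctuation."""
    text = URL_RE.sub(" <url> ", body.lower())
    text = NUM_RE.sub(" <num> ", text)
    return re.sub(r"[^a-z0-9<> ]+", " ", text).split()

def jaccard(a, b):
    """Token-set similarity in [0, 1]."""
    a, b = set(a), set(b)
    return len(a & b) / len(a | b) if a | b else 0.0

def score_sms(sender, body, iof=IOF, threshold=0.6):
    """Return (is_fraud, reasons) for one incoming SMS."""
    reasons = []
    if sender.upper() in iof["headers"] or sender[-10:] in iof["numbers"]:
        reasons.append("sender")
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)!")
        try:
            host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
        except ValueError:  # malformed URL: nothing to match on
            continue
        # Match a listed domain itself or any subdomain of it.
        if any(host == d or host.endswith("." + d) for d in iof["domains"]):
            reasons.append("url:" + host)
    if any(n in iof["numbers"] for n in NUM_RE.findall(body)):
        reasons.append("callback-number")
    tokens = normalize(body)
    # Fuzzy template match catches reworded copies sent from new links.
    if any(jaccard(tokens, t.split()) >= threshold for t in iof["templates"]):
        reasons.append("template")
    return bool(reasons), reasons
```

The template check is what lets a reworded message from an unlisted sender and domain still be flagged, which is why the repository stores templates and not only links and numbers.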
2. Remote Access App Detection Code
- Code: Screen Overlay, Query All Packages (needs extra effort on Android 11). Many apps like PayTM and Axis Bank have done the same.
- Problem Solved: Remote access-based tech support/refund scam
3. SIM Card Binding
- Code Needed: Detect the presence of registered mobile number / SIM before running an App
- Problem Solved: Account Takeover using duplicate SIM
4. Ponzi Scheme / Fraud Campaign URL detection
- Team Needed: A team monitoring new frauds executed at mass scale, such as gaming, phishing, instant loan or ponzi scheme fraud, KYC expiry, electricity disconnection scams, etc., to feed into a centralized database.
- Problem Solved: Customers losing their money due to digital illiteracy
5. Drastic Geographic Location / Fraud IP detection
- Repository: Fraud IP addresses, locations, etc. A service from IP Info or similar providers can be used for VPN and proxy detection.
6. Push Notification / Banner-based real-time fraud advisory
- Code Needed: Push Notification & Trend Research Team
- Problem Solved: Customer Awareness Issue
7. Active call state detection
- Code Needed: App operation detection during an active call (may result in false positives)
- Problem Solved: OTP-based call theft, social engineering frauds.
8. Customer profiling-based awareness campaign
- Code Needed: Installed App List (Profiles cyber literacy of customer), Contact List (Demographic Profiling), Timings etc.
- Backend Data: Customer Age, Education, Income etc.
Once a customer profile is established, a targeted awareness campaign may be executed, especially for homemakers, senior citizens, students, and labourers, who often seem to be less cyber literate.
A consortium/collection of such Indicators of Frauds (IOFs) may be developed and consumed for better information sharing amongst app providers. Technology is always used to grow business; some investment in safeguarding customers will yield good faith and long-term trust in the platform.
The writer, Rushi Mehta, is a Trekker, Hacker, Meditator and Enjoyer of Life! The story first appeared in his Medium blog.