India is yet to recover from the shock of the alleged leak of personal details from CoWIN, an Indian government web portal for COVID-19 vaccination registration. How would the leak of personal information affect an individual? What precautionary measures should be adopted to ensure data security? This report is based on a discussion Malayala Manorama had with two experts in data security.

It is often asked what would hackers do with my data? Shouldn't only the rich fear the leak? Google already has all the information. What else is there to be leaked? These three are the frequently asked questions on data security. While some raise these questions out of ignorance, a few others ask them for the sake of argument.

The answers to these questions lie in the fake-loan scam carried out through the Indiabulls-owned Dhani app in February 2022. Several prominent personalities, including actor Sunny Leone, fell prey to the scam.

Many victims found unaccounted loans in their credit history. Several people received notices from recovery agents for defaulting on loans they had not taken. Their credit scores, too, dipped. Leone's credit score crashed for not repaying a fake loan of Rs 2,000.

Panic spread as the people could not identify the person or persons who had availed of loans using their details. Dhani later gave an explanation: "Fraudsters availed of loans using your PAN card and identification details.

There is no better answer to those who ask what would happen if PAN and personal other details are leaked. Data security is of utmost importance these days since even textile showrooms seek the customers' names and phone numbers.

CBIC issues warning

The Central Board of Indirect Taxes and Customs (CBIC) recently cautioned the public against sharing Aadhaar and PAN details. Fraudsters take the poor to Aadhaar Seva Kendras, collect fingerprints, and create fake entities with a different number, the CBIC said in an official media statement.

Once the Aadhaar-linked phone number is changed, the card's control will be on the other person. Meanwhile, the real owner won't realise the danger since the card is still with him/her. They won't even know that Aadhaar could be controlled using a mobile phone number.

Since the Aadhaar authentication SMSes go to the new phone number, the real owner would be in the dark about the activities carried out using the card.

In situations where OTP or biometric authentications are not required (for instance, checking into a hotel room) a fraudster could forge a fake entity using your name and number in identification documents such as Aadhaar.

The Union government recently said several shell companies used a single photograph to create multiple fake Aadhaar cards with different names to get fake GST registration. If any official agencies probe tax evasions, the unsuspecting owner will be in trouble.

Sharma's challenge

When data provided to CoWIN was shared over Telegram, several people searched for the Aadhaar number of RS Sharma, UIDAI's founding boss and now the Chief Executive Officer of the National Health Authority. Interestingly, a person from Meghalaya had used Sharma's number to register on CoWIN.

There is a story behind Sharma's Aadhaar number landing in the public domain. Sharma tweeted his Aadhaar number on July 28, 2018.

"My Aadhaar number is **** **** ****. Now I give this challenge to you: Show me one concrete example where you can do any harm to me," he dared.

The response was quick. Several people responded to Sharma's tweet after finding his mobile phone numbers, G-Mail address, Yahoo! address, residential address, date of birth, frequent flyer number, bank account numbers, and WhatsApp profile picture. Cyber security experts, who found that Sharma was using an iPhone, even sent money to his UPI ID.

Another person ordered a OnePlus-6 mobile phone to his residential address, in cash-on-delivery mode.

Sharma still stood his ground, asking if any harm had come to him. Realising that Sharma's act was snowballing into a controversy, the UIDAI stepped in and warned against publishing the Aadhaar number on social media.

If fraudsters get some personal details of an individual, they could dig into the internet for that person's complete information. With the details, they could blackmail or even impersonate for gains.

How your social media account could put you at risk

The social media account of a person is the best medium to understand a person’s family, assets, financial status, food habits, vehicle, shopping style, politics, religion, and travels.

The date of birth which a person usually hides on Facebook to guard their privacy can be easily gauged. For example, if a person posts that ‘I turn 40 this month’, even if nothing is given on that person’s DOB, a swindler may be able to spot his/her DOB by surfing through various dates in the month. In online dealings, the DOB is crucial data.

A fraudster can easily approach a person who posts his family pictures regularly as someone who knows him personally. Who won’t believe when someone comes out with posers like, “Hey, did your son Stephen left the job?” “I met your elder son’s family when they came from the US,” etc. Who won’t believe when someone reels out his/her PAN, AADHAR, bank account, and credit card numbers as if he has got it from the bank?

Data even in waste bin

The waste bin that we scoff at too is a treasure trove of data. Already there are gangs involved in collecting data from the waste bin of big institutions.

Hence, several organizations have made paper shredder machines mandatory. All papers after use should be thrown into such machines and turned into smithereens.

Earlier, the printout that comes out from the ATM machine after one has withdrawn money had the full account number and balance of money of the holder. It was because of the misuse possibility that it was hidden partially.

Mule account that gains currency

In the data trade sector, the most in demand these days are bank accounts. Those who engage in cyber fraud are fond of mule accounts in the name of others so that they can safely accept money and keep them temporarily. They will get dummy mobile numbers to operate the accounts. Such accounts are started after collecting documents and information from various people and making use of them.

What should be done and what not

  • Never post on social media photos of documents like the Aadhar, driving license, debit/credit card, passport, and boarding pass
  • Allow to swipe/tap the debit/credit card only in front of you. Don’t ever give personal information on unauthorized sites.
  • Photostat copies that contain personal information, bills, and the address portion in the e-commerce delivery box should be destroyed without a trace.
  • Use the two-factor authentication on whichever site that offers the same. In such cases, even if the password is stolen, the account will be safe.
  • Please hide in social media, your DOB, phone number, and email id.

Experts react

“The health data of an entrepreneur is vital for his competitors. What all diseases is he suffering from, and how long will he be active, etc can be figured out. There are accounts of certain spy organizations even collecting the biological samples of international leaders from washrooms to assess their health conditions. Even if leaders avail treatment with the tax money of the public, they need not publicly share all the details of their illnesses,” Sanuj Suseelan (Data Analyst, McAfee Cyber Security Lab).

“Some people post images of new credit cards as soon as they receive the same. Then another lot hands over their cards to waiters at hotels to stripe or tap. All these acts involve the possibility of misuse of the cards. Only seconds are needed to copy the image of the cards. One should note down the CVV number given on the backside of the card somewhere else and then rub it off the card. Similarly, it’s not advisable to keep PIN numbers along with debit cards,” Rahul Sasi, CEO of CloudSEK Cyber Security Company.

Onmanorama had published a series on online fraud.

Read part 1 here: Don't take the bait, ignore that missed call please!

Read part 2 here: How Sim cards, bank accounts of poor are misused for cyber crimes

Read part 3 here: Bank accounts for sale, a US trooper, and the 'terror' parcel