Loose data privacy laws open door to hackers

Aanchal Sudhakar, director of FiscalNote India, has yet to figure out how a scammer got her phone number.

A few weeks ago, she received a call from a person impersonating a supplier at her husband’s office.

He asked Sudhakar send to him Rs 15,000 through PayTm, a payment app. According to ZoomInZ0D, a Mumbai-based “ethical hacker,” scammers mine information from various sources.

“The real name of the user can be identified from email IDs. A legitimatelooking fake WhatsApp message asking for phone numbers, email IDs or even addresses can do the trick. Information can also be mined from Google forms,” warned Zoom-INZ0D.

India still doesn’t have a comprehensive data privacy law to protect people’s personal data. The Personal Data Protection Bill — the first attempt at securing people’s data — is currently being debated in the Lok Sabha (lower house of parliament). The bill will regulate how personal data of Indian citizens is used by the government, law enforcement and companies, said Shruti Agarwal, an advocate-on-record with the Supreme Court.

In 2019, the Indian government approved an ordinance, allowing people to voluntarily use their official government-issued IDs as proof of identity for certain essential services such as opening a bank account.

However, this ordinance also allowed digital payment companies such as PayTm and Amazon Pay to ask for official identification details.

Some users were notified that they would lose access to certain services if they didn’t share data.

According to Harshil Mathur, CEO of Razorpay, one of India’s leading full-stack financial solutions companies, businesses have safeguards in place to tackle all kinds of fraud. “As a payment gateway, our key responsibility is to protect the merchants from any kind of online payment fraud,” Mathur told DW, adding that a “risk engine” keeps track of IP addresses, card issuer locations and blocks suspicious payments.

“Throughout this process, we take appropriate measures to ensure that no data is ever shared with any third party,” Mathur said.

According to Rahul De, a professor at the Indian Institute of Management (IIM), information is mainly stolen to commit financial fraud. “If you compare the number of instances of fraud, it’s mostly theft of money. Banks are getting ripped off more than individuals,” he told DW.

“A common kind of theft is where the scammers try to get your onetime password (OTP) during a transaction. This scam is rampant all over the country, driven by some gangs in Jharkhand. A person’s

mobile number can be easily procured from mobile shops. On many instances, a shop selling SIM cards also has a tie up with these criminals,” he added.

As the COVID-19 lockdown is set to continue in India, the digital payments sector will be expected to record more growth, as more people are currently buying online. Digital payments constituted a whopping 72.5% of the total 2.2 billion transactions in India during the first two weeks of the coronavirus lockdown. This will increase instances of data piracy as scammers will find new ways to con people. Some people have been receiving notifications resembling official communications from banks, offering a loan moratorium.