So, we can take up the questions now.

V.H. Gerthi College. One person who is living in Canada is trying to use a server which is available in the US, and using that server, if he commits any crime in India, then can any case be filed, and if it can be filed, against whom can it be filed?

So, your question is: if a phisher sitting in Canada is hosting a website on a server in the US and he is targeting a bank in India, how do you take action? This is more or less the classic case, you know, the way it happens. Before we come to the legal aspect, the first thing is that phishers normally operate from outside India, the guy who puts up the website. Now, when multiple countries are involved, it becomes very difficult for even the bank to get the logs of those websites. For example, as you said, if the phishing website is hosted in the US, the first thing that the bank wants, if I have to take any action, is to be able to say that this page was put up at this time from this IP address, which is probably the IP address of the phisher, from where he connected from his home to the server in the US. Now, all this is getting very difficult. So, if you want to take legal action, it is very difficult, but it falls under the category of cyber crime in India. So, the bank, if they want, can take it up with the cyber crime cell, who will then take it up with the concerned authorities in our country as well as internationally to pursue the matter. Of course, I am no legal expert. I am telling you this from my experience of working with banks. It is very difficult to pursue it legally.

Techno India? My question is regarding feeding dummy data into the phishing website. So, what is the use of feeding the dummy data? If we feed some wrong data or correct data, what is the impact?

So, if you are the phisher, what have you done?
You have set up the phishing site, and whatever user IDs and passwords are getting collected, you are taking them and using them to commit fraud. You, the phisher, are making an assumption that most of these user IDs and passwords will be correct. Now, what I am doing as a bank is that I have detected the phishing website, and using automated scripts, I will just keep pumping in user IDs and passwords that are fake but which follow the standard pattern which the bank accepts. For example, if the bank accepts only alphabets as a user ID, I will start pumping in IDs which are only alphabets, and if the passwords have always been alphanumeric with 8 characters, I will always put an alphanumeric 8-character string as the dummy ID and password. Now, the phisher, instead of getting a collection of, let us say, 100 user IDs and passwords which are probably the original ones, gets 100,000. 99,000 were pumped in by the bank and 1000 were pumped in by the customers. Now, it becomes a little difficult for the phisher to find out which of these 1000 out of the 100,000 are the correct ones. It is just making it a little more difficult for the phisher to identify the correct user ID and password from a larger collection. That is all we are doing.

So, once we know that it is a phishing website, right? So, why should we enter details like credentials?

Please differentiate. One is that the phishing website is up and the customer is getting fooled. If you are the customer of the bank, you should not enter. That is the first thing. But as a bank, I have no control. The website is up and running and many of my customers are sure to give it away. So, as a bank, I am trying to make it difficult not for my customers, but for the phisher to identify the right one. That is why I am feeding dummy data. The bank is feeding dummy data, not the customer.

Sir, can you tell us something about SIM cloning also? SIM card.
SIM card cloning with respect to the one-time password which we get over the mobile.

It is a good question because, yeah, SIM cloning, there have been a few incidents even in the last 12 months in Bombay, targeting a couple of banks, where SIM cloning happened. Of course, the objective of cloning the SIM was to receive the one-time password SMS that the bank is sending out, whether it is for logging in or for doing a transaction. But in this case, in a specific incident, I think which was targeting ICICI, the attacker was the driver of an elderly person. The elderly person was travelling outside India, to the US, for a long time. So, what he did, he had a copy of the, you know, the address proof and the licence, etc. So, he submitted it to one of the mobile providers, I think it was Vodafone or Airtel, and told them that the SIM card had been lost and he would like to have a duplicate. And Airtel or Vodafone itself issued a new SIM card. So, it was, I mean, not really, I mean, you can call it cloning from the impact. But the original mobile provider only gave the duplicate of the SIM card, and the guy did the transaction, the one-time password came on the mobile and it was completed, yeah.

Sir, it is with regard to Kendra Bank services, sir. Once somebody else has stolen my user ID, my Kendra Bank user ID, and they have tried three times, so the fourth time it gets blocked automatically. So, though I am the right person to do the transaction, my account was blocked. So, how do we overcome this particular problem?

Yeah, this, somebody trying to randomly guess your password, was done before phishing attacks started. The phisher normally gets the right password. So, he will not have to try more than one time. He will get it right the first time only.

What happened? Three or four times, it's all happened.

Yeah, sir.
So, the account is getting blocked by Kendra Bank.

Yeah. So, sir, if you look at the way Kendra Bank is thinking, this specific question is not directly related to phishing. The way Kendra Bank is thinking is, security is more important than user convenience. Now, normally, when we are typing in a password, we might make one or two errors. So, if you see most of the banks today, they don't lock out your password even if you try it some eight, nine times. Let us not take the case of Kendra Bank. Let us just take the case of the Gmail login. If you enter your password three times wrongly, they don't lock you out. The fourth time, they will put up an image, which we technically call a CAPTCHA. They will tell you, you try once more, but enter whatever is displayed in the image. This is basically done to ensure that nobody can run an automated program and guess your password by trying 100,000 attempts. So, Kendra Bank has done this as a good measure to reduce the chances of somebody guessing your password. But that is at the cost of your convenience. Now, I, sitting at my home, can lock out your account in Kendra Bank as long as I know your ID. But Kendra Bank has done it for your own good. It is better security. So, you will tell the bank that "I didn't do it", and of course whoever tried it was not able to crack your password and steal any money. So, as I said, it is a balance between convenience and security. It's not really a complaint. And it is not really something bad which Kendra Bank has done. They have just put their customers' security ahead of the customers' convenience.

Hello, sir. I have a question related to the virtual keyboard. Actually, when the user is entering the user ID and password on the virtual keyboard, at that time another computer program may record the mouse tracking information and may send a video to the hacker. Is it possible?

Yes, it is technically possible.
So, that is why I mentioned in one of the things that in addition to keyloggers, they have also started using screen grabber software which will track the mouse movements on the virtual keyboard. So, it is effectively like having a keylogger. So, those kinds of malware are also available nowadays.

I want to know, suppose I am accessing net banking and in parallel I am accessing another website, and that contains malicious code and is stealing session IDs and cookies. So, is there any possibility, by getting session IDs and cookies, of someone getting into my account?

Yeah, okay. So, if you are accessing net banking from one browser window and on the same browser you are accessing some malware sites. Yeah, several attacks are possible. But in general, you need to remember that your session ID and your cookies are bound to the original site. The browser has controls to submit the session ID of onlinesbi.com only to onlinesbi.com. There are several attacks like cross-site scripting, CSRF, etcetera, where the scenario you mentioned can be exploited. But directly, no. There is no harm. You can be perfectly on a hacker website and access your OnlineSBI. But you need to remember that even if there is no hacker website, there is enough danger. So, why put your net banking account in even more danger by trying this? That's the only thing.

Good morning, sir. Yes. I want to discuss a real-time problem that appears due to the security measures on a website like OnlineSBI. When we do an online transaction, it asks for an OTP sent to our mobile number. But most of the time, we don't receive the message on time and the session ends on the website.

Yeah, as I said, I mean, that's a good question. As I said, that's the balance that the bank has to strike between security and user convenience. So, I am a user of SBI, you know, for paying a lot of bills and IRCTC booking. I have never had a problem, but of course, I am living in Mumbai.
So, I am not very sure which location you are in, and there could be some locations where the... Sometimes SBI may not be at fault, but maybe your mobile service provider is probably not able to reach it to you. So, I am saying it's a balance. It's a balance. That is why probably SBI has not put SMS for the login, whereas many other banks have done it. So, at least you can see your account balance and do a transaction to already registered beneficiaries. It is just that the third-party transactions have been secured using SMS OTP. So, it's definitely an infrastructure-related problem, not a problem related to security. But as I said, SBI or any bank takes these calls on how secure they should be, looking at the profile of their net banking customers. If SBI has a lot of net banking customers coming from remote locations where internet is fine but mobile is not so widespread, SBI would probably take a decision not to have this. So, of course, I cannot speak on behalf of SBI. I am just saying this is what SBI must be thinking.

Dronacharya College. Sir, I want to ask two questions. First question is, as per your experience, which bank has the best and most secure login policy? If you want, you can avoid this question. Second part of this question is, basically, is there any guideline from RBI to have a similar kind of login policy, like asking the users to change their password at a certain interval? And the second point on this: something for verifying the IP address of the machine from where you are trying to log in to the bank site. This is my first question.

There is no RBI policy which says that a second factor of authentication has to be there for the login. It is not there. So, the banks can choose to have, you know, security measures as the bank thinks relevant, which is also related to the profile of the bank's customers.
What I mean to say is there are several banks who have issued hardware tokens only to their corporate net banking customers but not to their retail net banking customers, because the amounts which are getting transacted are much higher. So, it is not just about what the bank does. Even SBI may have a different login security for retail customers vis-à-vis corporate customers. Which bank has the best login security? As I said, yeah, it is just my opinion. It is not based on any security standards. I feel banks which have put SMS as part of the login procedure, and not just as part of transactions, are a little more secure than the others. That is what I feel.

And is there a way to find out the IP address from where the user has logged in?

Yes, of course, there is a way. The IP address of the user who logged in is visible in the logs of the net banking server. But if your question is more directed towards, in that case, can I find out the IP of the phisher from where he did a fraudulent transaction? That may not be that easy, because at the end of the day this is an HTTP, a web-based transaction. So, the attacker sitting in Bombay can access OnlineSBI's website through a proxy server probably sitting in Nigeria or in the US. So, the IP address that will come in OnlineSBI's logs of the phisher or the attacker will not be his Bombay home IP but that of the proxy server in Nigeria or the US. So, an IP address will come; whether the phisher's IP will get revealed depends on how smart the phisher is.

My second question is, is there any tool or portal or website from where we can find out the registered domain owners, their details, etc.?

Sorry, is your question how do I find the registered domains of a specific bank?

No, it is in general. It could be any of the domain names registered on the registry. For example, we are using whois.com to find out the details.
Is there any better tool than this from where we can find out the registered owner details, the contact details, even the address, even the house address?

No, there are different... I mean, yeah, Google is so advanced today that if you just do a Google search for who owns the domain, you will get it. There used to be similar sites called allwhois.com and many others which used to provide this. Since this information has become useful for many banks, this has become a paid service by many providers. MarkMonitor is one of the providers which does that. So, if you pay them, they will give you all kinds of information, not just when you ask, but as a bank, if you register for their service they will proactively inform you if any domain gets registered with the name SBI in it. But that has more become a paid service today. The basic information you can get just by Googling. Off the top of my head, I cannot remember any other websites other than whois which provide this.

Sir, Ramegi Institute. If at all I have entered my user ID and password, what immediate corrective measure should I take? And the second one is, why can't email service providers stop phishing messages?

Okay. The first question, yeah, is an excellent question. So as a user, the first thing you can do is to call up the bank and tell the bank that I have lost my user ID and password and my account has to be immediately disabled. That's the first thing that you can do. Some banks have put up this facility called the dead man switch, wherein you yourself can log in and click on "disable the account", so that from that moment onwards nobody, including yourself, can log in to that account unless the bank issues you a new password and you start using it again. So the first thing is call up the bank and inform them that you have lost your password and you want the account disabled. If your bank gives you the option to disable it yourself, log in and disable it immediately.
That's the first thing. For email service providers, it is very difficult to identify a phishing mail because phishing is a very targeted attack. So ISPs and even the large mail providers like Google have probably perfected the detection and blocking of spam mail. But mostly phishing mail may not come under the category of spam. Phishers are really smart. They don't put unnecessary images, nothing. They just tell you this is a link, and, you know, many of the phishing mails will not fall on the radar of the spam filter. That is why it is becoming more difficult for mail providers to stop it.

Sir, good morning. What are the possible ways to get the OTP, from the phisher's point of view?

Okay. What are the ways to get the OTP from a phisher's point of view? Yeah. One, of course, is what one of our participants said: SIM cloning. It's not easy and cannot be done in a widespread manner. The method by which phishers are getting it now is through voice phishing, which we call vishing. So the phisher, what he will normally do in the login page, is ask you to give the user ID, password and the mobile number. So you will give the mobile number, and he knows the bank is going to send the SMS to that mobile number. So he will call you or he will SMS you from his number saying that I am SMSing you from the bank's number; as part of testing we have sent you a test SMS, kindly forward it back to this number. So he can get that. So either through cloning or through a vishing attack, the attacker, the phisher, can lure you to share the OTP with him.

Sir, I have one other question. As we know, the user ID and password are stored on the bank's server. So...

OK, so that's right, that's a good question. It puts some things in perspective. Your OnlineSBI password is stored in two places. One is on the OnlineSBI server and the other is in your mind. So it is very difficult to break into the data center and get a copy from there. That is why the attacker breaks into you instead.

Good morning.
This is Dinesh Jain Dev from Departition, Baramati. Sir, my question is, what is the effectiveness of the web beacon method, because the phisher who can easily download the source code can easily change the JavaScript also?

Yes, so it again is a matter of efficiency for the phisher: how easily and quickly can you replicate the website. Look at some websites today; even if you look at OnlineSBI and some of the other websites, the login page is fairly complicated, it is not very simple in many cases. They have got virtual keyboards, they have got links to their other services, they have got multiple options: you want to log in to the website completely or you want to log in directly to the transaction page. So the phisher does not want to really waste time understanding how SBI or why SBI has the page like this. The simplest would be to copy-paste. But as you said, if the phisher is alert, he will probably examine the code. But at the same time, if the bank is also very, you know, this piece of code has to be hidden somewhere. Some places the bank will keep it in a very obvious place; there are many banks who keep this code within their virtual keyboard layout logic, which itself is complicated. So what the attacker will do with the virtual keyboard logic: the way the virtual keyboard of Citibank looks is very different from SBI, for different reasons. So what I am saying is, if you put the JavaScript inside the virtual keyboard code, maybe the attacker will decide that "I do not want to tamper, otherwise the virtual keyboard colour will look different or the shift key will appear on the left-hand side whereas it is not", so he will not tamper with it. So even though the attacker can detect it, a bank person who is smart also will have ways to hide it really well. But having said that, from my experience I can tell you that many of the phishing websites do not look very similar to the original; even then users end up giving their passwords quite freely.
So nowadays mobile apps are provided for mobile banking. So if a phisher can generate their own app to get the passwords, how do we differentiate the original app and the phishing app? Thank you, sir.

It is a very good question. In fact, a new service and an offering is coming up, or the banks are very much aware of this threat. In fact, right now, if you go to the Google Play Store and search for some of the prominent banks, you will already see fake mobile applications. It is a reality today. But at this point of time, as we speak, we have examined many of those mobile applications belonging to our customers; they are not really interested in phishing, they are probably just trying to offer some service. But if you are not an alert user, you might end up installing the wrong mobile application for your bank. So it is a real threat. Just like a fake website, a fake mobile application on the iStore or on the Play Store is a real threat. The banks are trying to... there is nothing the bank can do, there is nothing the bank can do. The only thing you can do is detect and disable as fast as you can and inform your users that this is the authentic one. It is a difficult game, but that is what we are doing, and many banks... so there are several measures which will come up for protection. I am not aware of what the bank has done, but what you said as a threat exists even today and it is real.

Is an incognito tab in a browser safer than an ordinary tab in a browser?

From the point of view of phishing, no. Incognito normally is a mode that is given to you if you are accessing a website from a public computer and you want to ensure that you leave no traces. Incognito is good and probably better than normal, but it is by no means a defence against phishing.

Good morning, sir. Myself Sandeep, K.I.T. Umbrat. My question is, which logs should we analyze when we are under a phishing attack?
So that is what we discussed in one of our slides earlier. One of the logs that is most useful for you to analyze when you are under a phishing attack is the web server logs, or sometimes we call them the W3C logs of the web server. I mean, your net banking site will be hosted on an Apache or a Tomcat or a Microsoft IIS; you need to examine the logs of that. The logs can help you to detect if a phishing attack is in progress. As I said earlier, if the phisher is redirecting the customer, the bank's customer, after the phish has happened, if he is redirecting it to the original site, that URL will come in the referrer field. Also, going forward, you know, sometimes the net banking application logs are also required to be analyzed, because that will tell you from which IP address a transaction happened. Sometimes the bank uses this to validate that normally a user, Ramesh, comes from his home, and you know this source IP, and now a fraud has happened and it came from another IP, so possibly it is a hacker. So the web server and the application logs of your net banking are what is relevant and useful.

Sir, my question is that in the response stage, how can we apply the IT Act? Being a common person, how can we apply the IT Act? Because we have a limited area, limited scope: we can block the IP, we can feed some data to the phishing site, but how can we apply the IT Act?

Yeah, this is again related to the legal aspect which another participant has asked. I am by no means a legal expert, but the immediate priority of the bank is to bring the site down and not to take legal action. So that is why, you know, many banks do not pursue legal action, because if you look at the number of phishing sites that are targeting, you know, a top bank in India like an SBI or ICICI, it will run into hundreds per month. So it may not be feasible, even if the bank wants to pursue legal action, against each and every phisher who put up a website which was alive for maybe 4 hours, after which it went down and a new phishing site is started. So as you said, yeah, there will be certain laws and the IT Act which may be applicable, but the bank's primary goal will be to minimize the lifetime of a phishing site and to put measures in place that will ensure that even if hundreds of sites come up, transaction fraud cannot happen. Those are the two priorities for the bank.

Yes, Annamacharya Institute.

This is Vinit from Annamacharya Institute of Technology and Science, Rajampet, and sir, I want to put two questions to you. One is regarding key loggers, like how can we trace that key loggers are installed in our system? And the second question is regarding fake mailers. Like, using fake mailers we can get a mail with the domain name of the bank, like customer.care@sbi.co.in. So how will we differentiate whether this mail is from the legitimate user or it's a fake mail?

Okay, so first question, key loggers. Yeah, there is no specific tool. The only thing, if you are asking me from the point of view of, you know, a home user who does net banking, the best defence is to have antivirus software, a good leading antivirus software, paid software. Most of the good antiviruses, like Kaspersky or Symantec, will detect key loggers today unless they are very, very sophisticated. Is it possible to differentiate that the mail has come from a fake contactus@onlinesbi.com from the original contactus at OnlineSBI? It is not possible unless the bank puts some measures in place like digital signing of the message, where you are using certificates to authenticate it. There is no way that we can differentiate. So digital certificates and all, it is not that the bank is not aware of it, but it will make it much more inconvenient for you. So that is why, when an SBI sends a mail from contactus, probably SBI will put some details about you, your name and your account number, so that you are able to know that yes, it has come from my bank, not by looking at the from address but from the contents of the mail. That is an easier mechanism. Technically, a from address can be spoofed and the original owner of the from address can do nothing about it.

I have two questions basically. First question is, for safe internet banking, can you suggest to me which one is the better browser, that is Mozilla, Internet Explorer or Chrome? This is the first question. And the second one is, on some net banking sites, even when Java is enabled, the message comes as Java runtime error, and when we close that, the site is running normally. So can you suggest to me what this is? Thank you.

Which brand of browser, which version, is better, more secure, is a very wide question. Of course, each browser has its own advantages. The only thing you need to keep in mind is the banks normally test most of their new functionalities, and the testing happens, not security testing, functionality testing happens on IE, because IE is the most popular browser. So, and as far as phishing is concerned, which brand of browser you use is going to make very little difference to whether you get phished or not. It does not at all depend on the brand of the browser. So regarding that specific Java question, maybe I am not the best person to answer that.

So we have two questions. First question, can we escape a key log attack with the backspace button frequently used while typing the password? And the second question is, normally when we are downloading free software, malware is also attached with it, so how can we trust free software?

Okay, the first question is, yeah, can we avoid key loggers by pressing backspace in between? Okay, yeah, it depends on who is smarter, you or the person who wrote the key logger. So I would not recommend that you do net banking login from a machine where you suspect some malware. So I do not think we should trust our own methods of backspace and all that. For that, it is better to use a virtual keyboard. If you are on a public computer, especially in a cyber cafe, it is the best advice that you use the virtual keyboard facility which most banks are giving today. And can you trust free software? I mean, that is not a question for me, I guess. Yeah, in general, what I would say is have a proper antivirus, whether you use free software or not.

Actually, this is about finding a simple and effective way to educate users. In your slide you have specified some simple and effective ways for users. Normally all the websites have the login form like username and password. The username is actually used to type as a mail ID, so all the users first will give their mail ID as password. So what kind of awareness should be taken by the websites to avoid this?

Yeah, normally, of course, if we are talking about net banking login, the bank already takes some of the measures like your login ID cannot be your password, or the entire login ID cannot be part of your password, etc. So that, to some extent, is ensured by most of the banks. And as one of the participants mentioned, some banks have even gone to the extent of saying that if you try a wrong password 3 times, you know, you are locked out, or you have to change your password once in 45 days or 90 days. Some of the banks have implemented those things. So as you said, there is a tendency, you know, not just in email sites but also in banking passwords, that we try to choose a password which is very easy for us to remember, which may be very related to the ID itself. But the trick is, you have to choose a password which is easy for you to remember but difficult for somebody to guess. That is the trick. It is not that it has to be very difficult for you only to remember; it can be something that is very personal for you, which you may find easy to remember but a phisher can never guess. That is the smart way of choosing a password, not only for net banking but for any of the online services that you use.

OK, thank you very much.
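The answer above on which logs to analyze names two checks a bank can run: look in the web server access log for login-page hits whose referrer is a site the bank does not own (the trace left when a phishing page redirects the victim to the real site afterwards), and look in the application log for a successful login by a user from an IP address that user has never been seen from. The Python script below is an added example that puts both checks into code; it is not code from the lecture or from any bank. The log lines are constructed in Apache combined format, and the bank hostnames, the user name and the IP baseline are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hostnames the bank itself owns (hypothetical). A login-page hit whose
# Referer points anywhere else deserves a look.
OWN_HOSTS = {"www.bank.example", "netbanking.bank.example"}

# Apache/IIS-style "combined" access log line:
# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one normal login, two hits arriving from a look-alike
# site, and one login by the same user from an IP not in his baseline.
SAMPLE_LOG = """\
203.0.113.7 - ramesh [10/Mar/2014:09:01:12 +0530] "GET /login HTTP/1.1" 200 5120 "https://www.bank.example/" "Mozilla/5.0"
203.0.113.7 - ramesh [10/Mar/2014:09:01:40 +0530] "POST /login HTTP/1.1" 302 0 "https://www.bank.example/login" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:09:05:03 +0530] "GET /login HTTP/1.1" 200 5120 "http://secure-bank-verify.example.net/confirm.php" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2014:09:05:09 +0530] "GET /login HTTP/1.1" 200 5120 "http://secure-bank-verify.example.net/confirm.php" "Mozilla/5.0"
192.0.2.99 - ramesh [10/Mar/2014:11:47:51 +0530] "POST /login HTTP/1.1" 302 0 "https://www.bank.example/login" "Mozilla/5.0"
192.0.2.99 - ramesh [10/Mar/2014:11:48:30 +0530] "POST /transfer HTTP/1.1" 200 812 "https://netbanking.bank.example/accounts" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            entries.append(entry)
    return entries


def foreign_referers(entries):
    """Count hits on the login page whose Referer host is not one the bank owns.

    A phishing kit that bounces the victim to the genuine site after capturing
    the credentials leaves exactly this trace in the web server log.
    """
    counts = defaultdict(int)
    for e in entries:
        if e["path"].startswith("/login") and e["referer"] not in ("", "-"):
            host = urlparse(e["referer"]).hostname
            if host and host not in OWN_HOSTS:
                counts[host] += 1
    return dict(counts)


def unusual_login_ips(entries, known_ips):
    """Successful logins (POST /login answered with a redirect) from an IP the
    user has not been seen from before. known_ips maps user -> set of IPs."""
    flagged = []
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/login" and e["status"] == 302:
            if e["user"] != "-" and e["ip"] not in known_ips.get(e["user"], set()):
                flagged.append((e["user"], e["ip"], e["ts"]))
    return flagged


def analyse(text=SAMPLE_LOG, known_ips=None):
    """Run both checks over a log and return the findings."""
    if known_ips is None:
        # Constructed baseline: Ramesh is normally seen from his home IP only.
        known_ips = {"ramesh": {"203.0.113.7"}}
    entries = parse_log(text)
    return {
        "phishing_referers": foreign_referers(entries),
        "unusual_logins": unusual_login_ips(entries, known_ips),
    }


if __name__ == "__main__":
    for name, finding in analyse().items():
        print(name, finding)
```

On the sample log the script reports two login-page hits referred by secure-bank-verify.example.net, which would be the cue to start the take-down process, and one login by ramesh from 192.0.2.99, the kind of deviation from a user's usual source IP that the lecture describes as a reason to treat the following transaction as suspect. In a real deployment the baseline would be built from weeks of application-log history rather than a hard-coded dictionary, and the referrer check would be run continuously so that a new phishing site shows up within minutes of its first victim.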