RBI Warns of Fraud That Leverages 'AnyDesk' AppThe App Opens the Door to Remote Access to Mobile Banking Apps
The Reserve Bank of India has warned banks that fraudsters are using the "AnyDesk" remote access application to pave the way to potentially wiping out a customer's bank account.
RBI's cybersecurity and IT examination cell issued the warning in a confidential circular to banks. ISMG obtained a copy of the circular from a banker who received it.
The cautionary notice was issued in the wake of a rising number of fraudulent transactions using the Unified Payments Interface real-time payment system platform.
There have been reports of customers losing lakhs of rupees from their bank accounts through the UPI app, some security experts say. "The problem is not on the application side. It is a clear case of users being duped by fraudsters through vishing attacks," says Prakash Kumar Ranjan, who was previously with Canara Bank as a security researcher.
The National Payments Corporation of India, an umbrella organization for all retail payments in India, too confirmed this and said a few cases have of AnyDesk fraud have been reported so far. Those attacks begin with vishing.
Fraudsters are using the AnyDesk app to carry out fraudulent transactions through any mobile banking app or payment-related apps, including UPI or wallets.
Emerging Fraud Trends
ReBIT, the IT and security arm of the Reserve Bank of India, in its latest monthly newsletter has highlighted the growing menace of vishing, phishing, card-cloning, e-wallet fraud, financial swindling via social sites.
"As digital banking technologies gain more acceptance, there is a corresponding increase in the risk of sensitive information being socially engineered off unsuspecting customers," says Nandkumar Sarvade, CEO at ReBIT. "Periodic and effective customer awareness programs and multilingual communique will go a long way in mitigating such frauds. Prompt reporting of incidents to RBI will enable timely issuance of advisories which would eventually enhance the resilience of Indian banking landscape to such frauds," he says.
How AnyDesk Scheme Works
The RBI's notification describes how the fraud scheme that leverages AnyDesk works.
First, fraudsters lure victims on some pretext to download AnyDesk app from Playstore. For instance, fraudsters, using a vishing approach, pose as bank employees and call customers saying there is a problem with their bank balance or bank account. The fraudster then asks these customers to install the AnyDesk app.
Once the app is downloaded, it generates a nine digit number, which, when shared with attackers, gives them control and access to the phone. The attackers then ask customers to download the mobile banking app. Because the attackers already have access to the phone, they can see one-time passwords for the banking app. (See: Should India's Banks Drop User-Based OTPs?)
"Once a fraudster inserts this app code on his device, he will ask the victim to grant certain permissions, which are similar to what are required while using other apps," RBI said in an advisory. The fraudster then can carry out transactions without the victim's knowledge.
Fraudsters increasingly are resorting to new techniques to trick customers.
According to the Union finance ministry, the State Bank of India's customers were reportedly robbed of Rs 50.29 crore from their accounts during 2017 and 2018. The bank registered 574 complaints, the most of any of the 53 banks operating in India. The City Union Bank was at the second followed by the American Express Banking Corporation.
All these banks were affected by vishing, phishing and financial swindling via social media, according to a report from ReBIT.
Banks Liable for Fraud
When financial fraud occurs, banks must reverse the unauthorized electronic transaction to the customer's account within 10 working days even if the fault lies with the customer, such as sharing PIN or password, RBI said in a circular last year.
But customers need to report to banks such transactions within seven working days. "This puts all the more onus on banks to create customer awareness with more vigor," Ranjan says.
Vishing attacks are successful because victims are unaware of scammers' tactics, security experts say.
"While NPCI is continuously working towards enhancing security of its products and services from such attacks, this type of frauds can be better prevented by consumer education," says Bharat Panchal, NPCI's head of risk management.
"The entire ecosystem, including banks and fintech companies, has to work collectively toward creating awareness and educating customers to refrain from sharing their account/card credentials, OTP/PIN and/or giving access to their mobile handsets to unscrupulous persons through such remote screen access apps," he adds. "The UPI platform is fully secure and is also 2FA enabled."
In addition, banks should closely monitor mobile applications by following the process of "application wrapping," security experts advise. App wrapping involves associating extra security and management features to an app and re-deploying it as a single containerized program in an enterprise app store.
"App wrapping leverages artificial intelligence and machine learning to monitor unusual activities in an app," says Ranjan. "For instance, if there is a transaction which is unusual from the normal pattern - like new device being used to carry out a financial transaction at an odd time - an alert can be generated by the bank," he says.