Fraud Alert: Password Remains Weakest Link in Govt Depts; Honey Trap and Investment Scams Continue To Loot People
Yogesh Sapkale | 03 February 2023
Share
0
Across the world, governments tend to play 'big brother', especially in cyberspace, so it is no wonder that we receive frequent sermons from government agencies about maintaining online hygiene. A few years ago, the Indian government asked its employees to refrain from using private email IDs like Gmail for official use, but a few government officials continue to use such private email IDs. However, this is not the issue I want to discuss. My bigger concern is about weak passwords used in government offices. One regulator in the US built its own password-cracking rig to test the robustness of passwords used in its offices. Within the first 90 minutes, the watchdog recovered nearly 14,000 employee passwords or about 16% of all department accounts. One can only imagine what would happen in India.
 
Later in this column, I will also write about a call centre busted by the Mumbai police that was set up to lure foreigners into parting with their money on the offer of higher returns. Another example of fraud to watch out for is criminals extorting money from people by impersonating a government investigation agency official. I will write more about it later.
 
Password, the Weakest Link!
 
The office of the inspector general of the United States Department of the Interior (USDOI) spent less than US$15,000 on building a password-cracking rig—a setup of a high-performance computer working together—and, within 90 minutes, 'cracked' the passwords of 14,000 or 16% of its employees. The department of the interior is an executive agency that manages federal land, national parks and a budget of billions of dollars in the US.
 
The inspector general's office, which has oversight and watchdog functions, launched its investigation after a previous test of the agency's cybersecurity defences found lax password policies and requirements across the department of the interior's dozen-plus agencies and bureaus.
 
"The watchdog found that close to 5% of all active user account passwords were based on some variation of the word "password" and that the department did not "timely" wind down inactive or unused user accounts, leaving at least 6,000 user accounts vulnerable to compromise," says a report from TechCrunch (https://techcrunch.com/2023/01/10/interior-department-watchdog-passwords/).
 
More than a fifth of the passwords protecting network accounts at the USDOI —included Password1234, Password1234!, and ChangeItN0w! There were weak enough to be cracked using standard methods.
 
According to the report, the watchdog was also able to recover hundreds of accounts belonging to senior government employees and other accounts with elevated security privileges for accessing sensitive data and systems.
 
If this is the state of affairs in the US, the most advanced and cyber-savvy nation, one can only imagine the status in India. I have no doubt if there is any security audit for passwords in any government office, most employees, from top to bottom, would be found using the most common or simple passwords of few letters and digits.
 
According to a report from NordPass (https://nordpass.com/most-common-passwords-list/), in India, 'password' is the most commonly used password combination. More than 1.7 lakh people use the same password followed by the numerals 123456 or less. Nearly 1.14 lakh people in India use 12345678. Other most used passwords are bigbasket, 123456789, pass@123, 1234567890, anmol123, abcd1234 and google dummy.
 
 
NordPass says, despite growing cybersecurity awareness, old habits die hard and its research shows that people still use weak passwords to protect their accounts.
 
Passwords are the first line of defence mechanism in securing almost all electronic information, networks, servers, devices, accounts, databases, files, and more. This also means if your password/s are weak and poorly managed, it would lead to incidents like unauthorised access, credential leaks and data breaches. (Read: Fraud Alert: Password Management )
 
Call Center Offering Huge Returns on Investment
 
Mumbai police busted a fake call centre from where a gang duped Indian and foreign nationals claiming to invest their money in shares, commodities and forex trading and guaranteeing high-value returns. Police told mid-day that people working in the call centre used to lure victims into investing US$200 initially, and then increase the amount to US$1,000 and US$2,000.
 
"They would send their victims a web link to log in and monitor the profit, which they would manipulate. When the victim wanted to withdraw the 'profit' from their account, the gang would ask them to pay additional money as processing fee and taxes and then vanish," police told the newspaper.
 
Police detained the manager and four employees working in the call centre and seized eight computer systems, hard discs and pen drives.
 
As regulators and experts keep warning, one does not need to invest money in products or schemes that you do not understand. And never invest money based on a phone call or emails. To invest your hard-earned money, use a trusted financial institute, registered with a regulator.
 
Honey Trap Cost Rs2.62 Crore
 
Last month, the Ahmedabad cyber crime cell arrested a 22-year-old youth from Rajasthan on charges of laying a honey trap, impersonating an officer from CBI and extorting Rs2.69 crore from a businessman.
 
According to a report from IANS, the youth befriended the Ahmedabad-based businessman as 'Riya' on WhatsApp. "One day, in the name of virtual sex, he filmed the businessman nude, which he used to blackmail and extort money. A few days later, he called up the businessman impersonating as a CBI inspector. He informed the businessman that Riya with whom he had virtual sex, had committed suicide because of the nude video clip, and her family had lodged a complaint so that he may be arrested. To evade arrest, he forced the businessman to transfer Rs2.69 crore in various bank accounts," the report says.
 
This is the typical modus operandi of the honey-trap gangs operating from the Mewat region in the tri-junction of Haryana, Rajasthan and Uttar Pradesh. Mewat has fast emerged as the 'New Jamtara' of sextortion or honey-trap rackets. The youth arrested by Ahmedabad police is just an 11th-pass.
 
In all honey-trap or sextortion cases, criminals use the fear factor to extort money from the victim. However, instead of fear, the victim needs guidance from someone who knows and understands these issues and should file a police complaint to ensure that proper action is taken against the criminals.
 
How To Report Cyberfraud?
 
Do report cybercrimes to the national cybercrime reporting portal http://cybercrime.gov.in or call the toll-free national helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c).
 
 
Stay Safe, Stay Secure!