17% citizens surveyed admit to storing sensitive financial passwords in their mobile contact list or notes, leaving them highly vulnerable to financial fraud

April 13, 2023, New Delhi: The Reserve Bank of India report for April – September 2022 reported 5406 instances of financial frauds vis-à-vis 4069 in the same period, a year ago. In terms of frauds, the modus operandi shifted to card or internet-based transactions, the RBI says. Though, the number is likely to be significantly higher than the RBI reported number as most victims of online identity thefts or other banking and financial frauds don’t report or are not taken seriously enough by police to register and take action as in case of laptop or mobile phone thefts, which can pose major risks to the owners due to the habit of storing passwords on these devices. Despite some efforts by the Reserve Bank of India (RBI) to promote risk awareness among people through digital financial literacy, a large majority lacks the knowledge of how to store sensitive financial data safely.

There are many ways in which identity thefts occur. Some of the most common are when credit card or debit card skimming happens when criminals replace card readers with a counterfeit device at cash counters or other point-of-sale systems, such as in grocery stores, gas stations, or ATMs. This device captures data contained in the magnetic strip of credit cards and debit cards and passes it to the skimmer. Sometimes, a small camera is set up to capture entries like ZIP codes and ATM PINs. Various other avenues including WhatsApp and other social media platforms, SMS, Phone calls, etc., are also known to be vulnerable to scams. For instance, redeeming expiring reward points or cashback offers many shared credentials or OTP codes, making them targets of scams. Once the hackers get the login credentials, they are able to use them on other websites. The situation becomes worse if you are in the habit of using the same credentials/ passwords across multiple websites.

Some people use easy-to-remember passwords, while others have one complex password for all their accounts. Neither option is recommended since it becomes easy for identity thieves and other criminals to steal your credentials. Some service providers recommend using a password manager software that helps users create strong passwords, store them in a digital vault protected by a single master password, and then retrieve them as needed when logging into accounts. This option may not be feasible or attractive for a large majority as it involves payment of monthly fees.

LocalCircles, through another national survey, has strived to find out what has changed on the financial data safety front since 2021 when online financial transactions witnessed a big leap during the second wave of Covid. The new survey received over 32,000 responses from citizens located in 337 districts of India, 65%of which were men and 35% women. 43% of respondents were from tier1, 36% from tier 2 and 27% were from tier 3, 4, and rural districts.

17% citizens store important (bank, ATM/ debit/credit card) passwords in their mobile contact list or mobile notes

One of the devices that is commonly with every individual these days is the mobile phone and hence by default people tend to store their sensitive financial information like pins and passwords on their phone. To the first question in the survey “Where do you store your important passwords (ATM, Debit Card, Credit Card, bank account, App/ Play stores, others)?”, 24% of the respondents shared that mobile phone has been their preferred choice whether as notes, in the contact list, in password app or another place in the device. Out of 11,236 respondents to the survey question, 8% indicated mobile phone notes; 9% in the mobile contact list; 2% in the password app on the phone; and 5% on other apps or places in the mobile phone. Of the remainder, only 14% stated that they “have them memorized” while 18% have such details stored “on my computer/laptop” and 39% have such important personal data stored in “another place/ way”. In addition, 2% of respondents keep such information in their wallet/ purse and another 3% gave no clear response. The response shows that nearly 4 out of 10 individuals are not taking any risk by storing banking/ debit or credit card details on devices that can be stolen and hacked. Overall, 17% of those surveyed like to store sensitive financial information in the mobile contact list or mobile notes. This is extremely concerning because many apps these days seek access to contact lists. The mobile notes are also not secure and do not have a password on them to secure them making users vulnerable.

Percentage of consumers storing sensitive financial passwords in an unsafe way on mobile phones rises from 11% to 17% in last 2 years

In comparison, the LocalCircles survey in 2021 had revealed that 11% of citizens store their credentials or sensitive financial passwords and other information in mobile contact list or notes. Despite rising data theft and financial frauds, the new survey reveals that there has been a rise in people who use their mobile phones to store sensitive financial information with 17% of those surveyed admitting to doing so.

30% of respondents trust close family members and staff with important details to enable them to withdraw money using debit or credit card

To the question “Who all have access to your ATM, Debit card(s), Credit card(s) numbers and pin other than you”24% out of 10,962 respondents indicated one or more “of my close family members”; 6% indicated one or more “of my domestic or office staff”. Of the remaining, 67% revealed that they have not shared such details with anyone while 3% respondents gave no clear response. The responses show that despite the risk, 30% people still trust close family members and staff with important details to enable them to withdraw money from their bank or use it with a debit or credit card. Despite all efforts to raise awareness among people, the new survey reveals that those sharing such vital details with others – family members, staff or friends is not reducing. This is of importance because anytime one shares their sensitive financial details with others, they have added risk based on how their contact stores this information.

Proof of identity shared in various places: 88% respondents indicated Aadhar card, 58% PAN card, 47% driving license, 42% passport, 35% voter ID card

Though there is much talk about protecting data security and less paperwork and more governance, the fact is that for most Government services like vehicle registration or private services like a hotel check in, one has to share a copy of their identity with the officer or customer service agent. This adds a new dependency as many times such information is shared on personal whatsapp or email address of employees or in paper format making it vulnerable to misuse and theft. Focusing on this issue, the LocalCircles survey sought to know “what are all the identities that you have submitted a photocopy/printout/digital version of for various applications, proofs, hotels, other bookings, etc., in the last 5 years” to which most of 10,650 respondents selected more than one options. The largest chunk of 88% respondents indicated Aadhar card, 58% PAN card, 47% driving license, 42% passport, 35% voter ID card, and 9% other ID. In effect, as the survey reveals citizens are expected to give digital and/ or paper proof of their ID at several places. In some cases, more than one ID is expected to be given. With such a trail of ID proofs, the vulnerability of citizens is a serious issue particularly in the event of data theft.

The LocalCircles survey to gauge magnitude of financial fraud conducted in June 2022 found that 42% citizens surveyed had faced some type of financial fraud in the three year period of June 2019 - June 2022. The survey also found that 74% of them failed to get their money back. Recently, the Cyberabad police arrested a man in Haryana for selling identities and personal data of 66.9 crore Indians which included data from major e-platforms, edtech apps and even data of defence personnel. When such information is combined with sensitive financial passwords easily available in mobile contact lists and mobile notes, it is only a matter of time before one is subject to financial fraud. Many apps including payment and social media apps require such mobile contact lists be shared with them and several of them have reported data breaches in the last 3 years. With the survey finding that 17% Indians are currently storing sensitive financial information in contact lists or notes on their mobile, 30% of them sharing them with their family members, staff, others and people having to commonly give copies of their Aadhaar and Pan Card to Government and private entities and individuals, it is only a matter of time before such fraud impacts each one of us. The need of the hour here is for regulators and Ministries like Consumer Affairs, Information Technology and Finance to take this issue up in Mission Mode. The data protection bill, which has already taken 7 years in drafts is yet to be approved by the Parliament and the best value add it may provide over say a 5-year period is holding private and Government entities accountable in case of personal data breach. With all the vulnerabilities outlined above and new AI models with the hackers being able to crack simpler passwords in a heartbeat, it is time for action now.

LocalCircles will share the findings of this report with various Government Ministries and the Reserve Bank of India for their awareness and action.