Phishing: what is it and what can we do if we are victims?

By : ujikiu / On : 06/09/2022

By Col·lectiu Ronda, Barcelona

The word "phishing" covers a wide catalogue of fraudulent practices, often sophisticated, whose common denominator is "fishing" for our personal data (hence the English verb used to name it) in order to operate in our name through online banking services and help themselves to our assets.

The techniques cybercriminals use to obtain this valuable information are almost endless, but they usually share one feature: the attackers contact us pretending to be, for example, our bank, and ask us to visit "its" website and enter security information (secret keys, PIN numbers, passwords...) on the pretext of solving some problem with our account, our credit cards, and so on. The problem is that the request does not come from the bank and the page we are sent to is not the bank's, even though it may look absolutely identical; what we are really doing is handing the criminals the information they need to make purchases online, order transfers or take out loans in our name.

On other occasions the attackers do not ask us for anything directly. Instead, through an email attachment or link, for example, they install malicious programs on our mobile phones and computers, from which they can track our activity and record data and passwords without our being aware of it.

The two variants just described are, without doubt, the most common forms of phishing today, but they are not the only ones. Below we briefly explain other techniques cybercriminals use to capture our personal data illicitly:

DNS-based phishing: one of the most sophisticated forms. The attackers tamper with the name resolution (DNS) for the company's domain, so that when we visit its website, typing the correct address of the page we want to reach, we are redirected to a different server under their control. That page looks identical to the one we wanted to visit, so at no point can we tell that we are on a different website and that the information we enter is going to third parties.

Phishing through search engines: sometimes the criminals' tactic is to set up online shops offering non-existent products or services at attractive prices. Here the problem is that the data we enter to buy those products is not handled by a bank's payment gateway but by a system, fraudulent in this case, built by the criminals themselves to capture information. In some cases these fraudulent pages even manage to advertise through search-engine advertising services such as Google Ads, reinforcing the false impression of a website with nothing criminal about it.

Manipulation of legitimate web pages: another very sophisticated form of data theft is one in which the attackers manage to modify or replace just one part of a legitimate website (the payment or login form, typically) so as to capture the data entered there, exploiting some weakness or flaw in the site's own security. For users this is almost undetectable: the website really is the one we wanted to visit, and nothing on the outside tells us that it is acting as a genuine "zombie" under the criminals' control.

Fraudulent Wi-Fi networks: with this technique the attackers set up Wi-Fi networks within reach of public spaces (coffee shops, for example) that carry the name of the establishment. People who connect believe they are using a service offered by the place they are in, when in fact they are joining a network on which everything that is not encrypted end to end, and anything typed into the network's own "login" page, can easily be read by the criminals.


Phishing through companies' customer service: a variant halfway between a classic "analogue" scam, so to speak, and a cyber one. The attackers collect the contact details of people who have posted complaints or criticism of certain companies on social networks. They then contact them posing as representatives of the company itself and end up asking for the information they need on the pretext, for example, of refunding the money for a service that was not satisfactory.

SIM card duplication: one of the phishing variants gaining most relevance because of the large number of people affected is the one involving a duplicate of our mobile phone's SIM card. Using personal data they have already obtained, the criminals persuade the mobile operator to issue a duplicate SIM, so that our phone number, and with it the text messages sent to it, passes to them. When they then order a fraudulent online operation, for example a transfer from our bank account to their own, they are able to enter the code the bank sends us to validate the operation.

These variants, and the others we have described briefly, keep growing in number, but they all come down to the same thing: a message or a page that sends us to a fraudulent website or installs malware so as to reach the sensitive information we transmit at a given moment.

Whatever the criminals' strategy, the objective is the same: to take our money and to profit from the enormous amount of information that circulates online every day.

Reinforced protection

Aware of the scale of the security problem that cybercriminal activity represents, the European Union approved a directive on payment services in the internal market (known as PSD2) that obliges Member States to introduce into their legal systems a whole series of mandatory measures for companies and financial institutions aimed at strengthening controls and user protection. In the case of Spain, the measures imposed by the EU were adopted through the Payment Services Law which, among other things, established a new regulation of payment services and stressed the need to reinforce cybersecurity, creating an extensive framework of liability for entities when it comes to guaranteeing a safe digital environment for their customers.

On the one hand, there is a commitment to strong customer authentication, which we have become familiar with over recent years and which basically means that every payment order is subject to a double validation process. That is, to complete an operation it is not enough to enter our password or PIN code; we must additionally use some other mechanism that only the user can provide, either something we possess, such as a validation app installed on our mobile phone, or something inherent to the person, such as biometric data like a fingerprint.
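To make the "double validation" concrete, here is an added example (written for this page, not code from Col·lectiu Ronda or from any bank) of how a payment authorisation can require both a knowledge factor (a password) and a possession factor (a six-digit time-based code generated by an authenticator app on the user's phone, per RFC 6238). The account data, the password and the authenticator secret are all constructed for the example; `authorize_payment` is a hypothetical name. It also shows why a code that was phished or intercepted is of limited use: it expires after 30 seconds and cannot be replayed once accepted.

```python
"""Two-factor payment authorisation: password (knowledge) + TOTP code (possession).

Constructed example for this article; not real banking code.
"""
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 30   # validity window of one TOTP code
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time."""
    return hotp(secret, at // step)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Hypothetical bank account record holding both authentication factors."""

    def __init__(self, password: str, totp_secret: bytes):
        # Fixed salt so the example is deterministic; use os.urandom(16) in practice.
        self.salt = b"constructed-salt"
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret          # shared with the user's authenticator app
        self.last_used_counter = -1             # blocks replay of an already-accepted code


def authorize_payment(acct: Account, password: str, otp: str, now: int) -> str:
    """Return a verdict string; 'authorized' only when BOTH factors check out."""
    # Factor 1: knowledge. A phished password alone gets no further than this line.
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return "rejected: wrong password"

    # Factor 2: possession. Accept the current and the previous time step (clock
    # drift), but never a step that has already been consumed.
    counter = now // STEP_SECONDS
    for c in (counter, counter - 1):
        expected = hotp(acct.totp_secret, c)
        if c > acct.last_used_counter and hmac.compare_digest(expected, otp):
            acct.last_used_counter = c
            return "authorized"
    return "rejected: second factor missing, wrong or already used"


if __name__ == "__main__":
    # Constructed demo: RFC 4226 test secret, deterministic timestamps.
    secret = b"12345678901234567890"
    acct = Account("correct horse battery", secret)
    t = 59                                      # time step 1 -> code 287082
    print(authorize_payment(acct, "hunter2", totp(secret, t), t))          # wrong password
    print(authorize_payment(acct, "correct horse battery", "000000", t))   # no valid code
    print(authorize_payment(acct, "correct horse battery", totp(secret, t), t))   # authorized
    print(authorize_payment(acct, "correct horse battery", totp(secret, t), t + 11))  # replay
```

Note what this does and does not protect against. A password captured on a fake banking page is useless without the code from the user's device, and a code that is captured is only valid for the current 30-second window and for a single use. It does not, on its own, stop a "real-time" phishing page that relays the password and the code to the bank within that window, and an SMS code instead of an app-generated one inherits the SIM-duplication problem described above, because possession is then tied to the phone number rather than to the device.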

Responsibility of entities

The European rules and their transposition into Spanish law do not only introduce significant measures to strengthen user safety. They also increase the responsibility of the entities themselves to supervise their customers' operations in order to detect fraudulent practices that may pose a risk, or that may indicate, even if only as a sign, that the security of an operation could have been compromised. The entities (that is, the providers of online payment services) must therefore be able to detect whether the authentication elements used to validate an operation have been stolen, or whether malicious software (malware) is involved in a transaction.

Likewise, the entities are obliged to analyse the operations carried out through the means they make available to their customers in order to identify potentially fraudulent ones, to the point of being able to block them and not allow them to go through until they have reliably verified that it is really the user who is authorising them, and not someone who has impersonated them for criminal purposes.

In this regard, it is very important to remember that the Payment Services Law clearly establishes that the only valid operations are those made with the consent of the person ordering them. Therefore, when a user denies having given that consent, the entity is obliged to refund the amount of the operation immediately.

Duty of diligence

It is common, however, that in these cases where the data has been obtained illicitly by a third party for criminal purposes, the affected customer first runs into the entity's refusal to return the money. On what basis? Essentially, the entities try to shelter behind an alleged lack of diligence on the part of the customer in keeping and protecting their personal data.

Lack of diligence does indeed exonerate the entities from liability, as provided for in article 46 of the Payment Services Law. However, under current legislation that negligence has to be gross and attributable exclusively to the customer, and in this regard the Spanish courts do not usually find negligence on the part of users except in the most serious and obvious cases, stating again and again in numerous judgments that it is the banks that are responsible for maintaining the security of the system. In any case, and this should be kept in mind, to be exempt from liability it is the bank itself that must prove reliably that its customer acted negligently and that the damage suffered is attributable exclusively to the customer.

What should we do if we have been victims of phishing?

First and foremost, if we detect operations we have not ordered, we must immediately contact our entity to cancel the means of payment the criminals have intervened and to generate new security credentials as quickly as possible.

Once that is done, we must go to the police to report the facts. When doing so, we should provide as much documentation and information as possible about the means the criminals used to obtain our data and how the fraud we have suffered was committed. This information is vital not only to help clarify the facts but also to show the entity that there has been no negligence on our part.

After filing the report, we must contact our entity's customer service to claim the refund of the amounts corresponding to the operations carried out fraudulently by the criminals, informing them of the facts and of the report filed. As explained above, it is the entity's responsibility to restore those amounts. If it refuses, or merely states that the authentication processes required by current regulations were followed and that the facts are not attributable to it, there will probably be no alternative but to take the appropriate legal action to force the entity to assume its responsibilities. We recall once again that this responsibility is provided for in current legislation and that the burden of proving any negligence lies with the entity which, when it cannot do so, as is usual, incurs legal and contractual liability for the damage we have suffered.

The original article can be read here