Identity theft is the act of unlawfully obtaining and using someone else's personal information such as their name, address, bank details, Aadhaar number, or online credentials, without their knowledge or consent, typically for fraudulent or criminal purposes. It can occur through various means, including phishing scams, data breaches, ATM skimming, or social engineering tactics, etc. Once the information is stolen, it may be used to open bank accounts, make unauthorized transactions, apply for loans, or commit other forms of fraud.

Identity theft in the banking sector is committed through various deceptive and illegal methods aimed at accessing a person’s financial information or funds. Here are some common ways it happens:

1. Phishing: Fraudsters send fake emails, SMS (smishing), or make calls (vishing) pretending to be from a bank to trick customers into revealing sensitive details like account numbers, passwords, or OTPs.

2. ATM Skimming: Devices are illegally installed on ATMs to capture card details and PINs when a customer uses the machine. The stolen data is then used to clone cards and withdraw money.

3. Data Breaches: Hackers infiltrate banks or third-party financial service providers to steal large amounts of customer data, which can be sold or misused. Example: In 2022, a data breach at the Employees’ Provident Fund Organisation (EPFO) exposed sensitive details like Aadhaar numbers, bank accounts, and salary records. This information could be misused to impersonate individuals and fraudulently access financial services or government benefits.

4. Fake Banking Apps or Websites: Fraudsters create lookalike banking apps or websites to steal login credentials when users unknowingly enter their information. like sbi-online-login.com or icicibank.verifyaccount.in. These counterfeit sites are designed to trick users into entering their login credentials and OTPs, which are then stolen through phishing scams. Similarly, fake versions of popular payment apps like Google Pay, PhonePe, Paytm, and BHIM are circulated through unofficial app stores or shared via malicious links, putting users at risk of identity theft and financial fraud. In 2021, authorities identified numerous fake apps mimicking Google Pay, featuring logos and interfaces that closely resembled the original, making it difficult for users to distinguish them from the legitimate app. Even fake loan Apps are created with an intention to defraud the debtor.

5. SIM Card Cloning or Swapping: Criminals duplicate a victim's SIM card or convince the telecom provider to issue a new SIM with the victim’s number, allowing them to intercept OTPs and banking alerts. Example: Since 2018, Mumbai and Delhi have witnessed a series of SIM swap fraud cases in which victims lost lakhs of rupees from their bank accounts. In these incidents, fraudsters obtained personal details of individuals and used forged documents to convince telecom operators to issue duplicate SIM cards linked to the victims’ phone numbers. Once they gained control over the mobile number, they were able to intercept One-Time Passwords (OTPs) used for banking authentication. This allowed them to carry out unauthorized transactions, often draining entire bank accounts within minutes. The cases exposed critical vulnerabilities in mobile-based verification systems and underscored the urgent need for stronger telecom and banking safeguards.

6. Social Engineering: Criminals gather personal information through social media or public sources and use it to answer security questions or impersonate the victim.

7. Malware and Spyware: Viruses or software installed on a device without the user’s knowledge can record keystrokes or capture login credentials used for online banking.

8. Man-in-the-Middle Attacks: These occur when an attacker secretly intercepts and possibly alters the communication between two trusted parties, such as a user and a bank’s server without either party realizing it. This allows the attacker to steal sensitive information like login credentials, account numbers, or authentication tokens.

9. Security Flow Vulnerabilities: These include weaknesses in the design or implementation of a banking application’s security mechanisms. For example, the use of hardcoded encryption keys or API tokens within the app's code makes it easier for attackers to reverse-engineer the app and exploit these static credentials to gain unauthorized access.

10. Non-Compliance with OWASP Guidelines: Many banking apps fail to follow the best practices and security protocols outlined by the Open Web Application Security Project (OWASP), which are designed to prevent common vulnerabilities like SQL injection, insecure authentication, and improper session management. This negligence significantly increases the risk of exploitation.

11. Insufficient Runtime Application Self-Protection (RASP): RASP is a security technology that runs within an application and monitors it in real-time to detect and block threats. When banks do not implement adequate RASP mechanisms, their applications remain vulnerable during execution, making it easier for malicious actors to tamper with app behavior or inject malicious code at runtime.

Methods For Impersonation

1. Lax KYC (Know Your Customer) Procedures: Weak or poorly enforced KYC processes allow fraudsters to create bank accounts or access financial services using fake or stolen identities. When financial institutions fail to thoroughly verify customer information, such as identity proof, address, or facial match, it opens the door to identity theft and fraudulent transactions.

   • Example: In 2022, Dhani app, operated by Indiabulls, became the center of a major identity theft controversy when several individuals discovered that bank accounts and loans had been fraudulently opened in their names, despite never having used the app. This was made possible due to flawed Know Your Customer (KYC) procedures, which allowed fraudsters to use fake or stolen documents to bypass verification and access financial services. As a result, victims suffered significant consequences, including damaged credit scores and receiving recovery notices for loans they had no knowledge of or involvement in. This incident highlighted serious gaps in digital onboarding and identity verification systems.

2. Fake Documentation on Officially Valid Documents (OVDs): Fraudsters can manipulate or forge identity documents, like Aadhaar cards, PAN cards, or driving licenses using easily accessible online tools. These fake IDs often contain photos of other individuals or synthetic faces, making it difficult for automated systems to detect fraud.

3. Compromised Devices (Lost or Stolen): Mobile phones and laptops, which often store sensitive banking apps and OTP enabled authentication, become high-risk if lost or stolen. If not protected by strong passwords or biometric locks, these devices can provide easy access to personal banking information and accounts.

4. Exposure of First-Party Information: Personal data such as phone numbers, addresses, Aadhaar numbers, or PAN cards is often shared or sold on underground forums and messaging platforms like Telegram. Once obtained, this data can be used to impersonate individuals and access their financial services or apply for loans and credit cards in their name.

5. Biometric Fraud via Synthetic Identities: With the rise of AI-generated images and deepfake technology, fraudsters are now able to create entirely synthetic identities. Some Platforms generate hyper-realistic faces that do not belong to real individuals, which can be used to trick facial recognition systems during eKYC or biometric authentication.

Offence of Identity Theft

In India, identity theft is recognized as an offence under a combination of laws, primarily focusing on cybercrime, fraud, and misuse of personal data. The key legal provisions include:

1. Information Technology Act, 2000

1. Section 66C: Punishes identity theft , the dishonest or fraudulent use of someone else's electronic signature, password, or other unique identification features.

   • Punishment: Up to 3 years imprisonment and/or fine up to ₹1 lakh.

2. Section 66D: Covers cheating by personation using computer resources, such as pretending to be someone else online for fraud.

   • Punishment: Up to 3 years imprisonment and/or fine up to ₹1 lakh.

2. Indian Penal Code (IPC), 1860 (Now Bhartiya Nyay Sanhita)

1. Section 420/ 318(4): Cheating and dishonestly inducing delivery of property.

   • Often used in identity theft cases involving financial fraud.

   • Punishment: Up to 7 years imprisonment and fine.

2. Section 468: Forgery for the purpose of cheating.

   • Used when fake documents or forged IDs are involved.

   • Punishment: Up to 7 years imprisonment and fine.

3. Section 471: Using a forged document as a genuine one.

   • Often invoked when fake Aadhaar or PAN cards are used.

   • Punishment: Same as for forgery (up to 7 years and fine).

4. Section 465: General provision on forgery.

   • Punishment: Up to 2 years imprisonment, or fine, or both.

Legal Remedies

1. Filing a Police Complaint / FIR: Victims of identity theft should immediately file a First Information Report (FIR) at the nearest cybercrime police station or through the online portal, www.cybercrime.gov.in. The FIR can be filed under the aforesaid sections of IT Act and IPC/BNS 2023.

2. Reporting to Financial Institutions: Victims should promptly notify their bank or financial service provider to take necessary actions, such as:

   • Freezing or securing affected accounts.

   • Reversing unauthorized transactions, as per RBI's Limited Liability Policy.

   • Strengthening account security (e.g., changing passwords, updating KYC details).

3. Complaint to UIDAI (for Aadhaar misuse): If Aadhaar details are misused, victims should file a complaint with the UIDAI at uidai.gov.in or call their toll-free number: 1947. For added security, individuals can also lock their Aadhaar to prevent unauthorized use.

4. Reserve Bank of India (RBI) Grievance Redressal: In cases where the bank fails to address the issue properly, victims can escalate the matter by filing a complaint with the Banking Ombudsman under RBI. Complaints can be submitted through the RBI CMS portal: cms.rbi.org.in.

5. Civil Remedies: Victims of identity theft can pursue civil remedies by filing a suit for damages or compensation in cases where the fraud leads to monetary loss or reputational harm. Legal action can be taken under tort law (for privacy violations or defamation) or consumer protection law (if a service provider was negligent in safeguarding personal data).

6. Other Forums: If identity theft results from a data breach or misuse by a company, victims can file a data protection complaint with CERT-In (Indian Computer Emergency Response Team) or the relevant sectoral regulator, depending on the nature of the breach.

Avoiding Identity Theft

To prevent identity theft in the banking sector, both individuals and financial institutions must take proactive steps to protect sensitive personal and financial data. Here are some essential preventive measures:

1. Use Strong and Unique Passwords: Ensure your online banking passwords are strong, combining uppercase and lowercase letters, numbers, and symbols. Avoid using easily guessable passwords; Regularly update passwords for your online banking accounts to enhance security.

2. Enable Two-Factor Authentication (2FA): Enable two-factor authentication (2FA) for your online banking accounts. This adds an additional layer of security by requiring a second form of verification (e.g., OTP sent to your phone or email) in addition to your password; Consider using dedicated authentication apps (e.g., Google Authenticator or Authy) rather than relying on SMS-based OTPs, which can be intercepted.

3. Monitor Your Bank Statements and Transactions Regularly: Regularly check your bank statements and transaction history for any unauthorized or suspicious activity; Enable transaction alerts for all your banking activities so that you are instantly notified of any withdrawals or transfers.

4. Avoid Phishing and Fraudulent Emails/SMS: Avoid clicking on links in emails, SMS, or social media messages that seem suspicious or are from unfamiliar senders. Banks never ask for sensitive information (e.g., passwords or PINs) via email; If you receive a message claiming to be from your bank, contact the bank directly using their official contact details to verify the request.

5. Be Cautious of Public Wi-Fi and Shared Devices: Do not access your online banking accounts when connected to public Wi-Fi, as these networks are often insecure and can be targeted by cybercriminals; If you must access banking services on public Wi-Fi, always use a VPN (Virtual Private Network) to encrypt your data.

6. Use Trusted Devices and Software: Only use trusted devices (computers, smartphones, tablets) for online banking and ensure they are protected with a password or biometric authentication; Protect your devices from malware and spyware with up-to-date antivirus software, and ensure your operating system and apps are regularly updated.

7. Shred Documents Containing Personal and Banking Information: Shred physical documents that contain banking information, such as bank statements or credit card offers, to prevent them from being accessed by fraudsters.

8. Update and Secure Your KYC Information: Ensure that your Know Your Customer (KYC) details with your bank are up to date and accurate. Update your personal information and address details as needed; Never share KYC documents with unauthorized or unverified third parties.

9. Secure Your ATM/PIN Details: Be cautious when using ATMs. Always check for skimming devices before entering your PIN, and cover your hand when typing your PIN; Change your ATM PIN periodically and avoid using easily guessable numbers (e.g., birthdates).

10. Use a Credit Freeze or Fraud Alert: Consider placing a credit freeze on your account with credit bureaus to prevent fraudsters from opening new credit accounts in your name. You can also set up a fraud alert with your bank or credit reporting agency to notify them if any suspicious activity is detected.

11. Report Suspicious Activity Immediately: If you notice any suspicious activity in your bank account, report it immediately to your bank’s fraud department; Request the bank to temporarily freeze your account to prevent further unauthorized transactions.