Massive rise in digital frauds: How safe are your passwords?

17 percent of Indians store credentials for their accounts, such as ATM PINs, debit or credit card details and PINs, and bank account details, on their mobile phones.

The Siasat Daily

Social media platforms always advocate using dynamic, strong passwords to protect user data. Remember, they recommend long passwords, 12 to 16 characters, made up of a mix of uppercase and lowercase letters, numbers (1-9) and special characters (@, #, $, %, &).

These platforms also suggest avoiding guessable information such as birthdays, common words, pet names and passwords like 123456, and using a unique password for each account, so that an individual’s account is harder to hack.

They also provide an icon to reveal the typed characters for error-free entry, or otherwise show only a mask (such as xxxx) in place of whatever is being typed, so that the password is not visible to anyone, even someone sitting next to the individual.

Importance of character strings

Masking the typed characters makes it harder for an onlooker to pick up patterns and reduces the risk. Social media platforms and many apps (applications) also limit the number of login attempts, typically allowing three to five tries to access an account. If the wrong data is entered on every allowed attempt, the account is locked for the next 24 hours to 15 days, depending on the platform.
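The two controls described above, a composition check on new passwords and a lockout after repeated failed logins, are shown below as an added example written for this article; it is not code from any of the platforms mentioned. The minimum length, the character-class rules and the specimen blocklist follow the article’s recommendations, while the lockout threshold (5 attempts) and lock period (24 hours) are assumptions chosen from within the ranges the article states.

```python
"""Password-policy check and login-attempt lockout (added example, not a
platform's real implementation). Thresholds and the blocklist are
assumptions chosen to mirror the article's recommendations."""
from datetime import datetime, timedelta

MIN_LENGTH = 12                   # article: 12-16 characters or longer
SPECIALS = set("@#$%&")           # the article's examples of special characters
# Constructed blocklist of guessable values; a real deployment would use a much larger one.
GUESSABLE = {"123456", "password", "qwerty", "letmein"}


def check_password(password: str, personal_info=()) -> list:
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character (@ # $ % &)")
    lowered = password.lower()
    if lowered in GUESSABLE:
        problems.append("commonly used password")
    # Birthdays, pet names and similar details supplied by the caller
    # must not appear anywhere inside the password.
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


class LoginGuard:
    """Count consecutive failed logins per account and lock the account
    once the threshold is reached."""

    def __init__(self, max_attempts=5, lock_period=timedelta(hours=24)):
        self.max_attempts = max_attempts
        self.lock_period = lock_period
        self.failures = {}       # account -> consecutive failed attempts
        self.locked_until = {}   # account -> datetime when the lock expires

    def is_locked(self, account: str, now: datetime) -> bool:
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_attempt(self, account: str, success: bool, now: datetime) -> bool:
        """Return True if the login is accepted, False if it is rejected
        (wrong credentials, or the account is currently locked)."""
        if self.is_locked(account, now):
            return False          # even a correct password is refused while locked
        if success:
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked_until[account] = now + self.lock_period
            self.failures.pop(account, None)
        return False


if __name__ == "__main__":
    print(check_password("Siasat#Daily2024x"))            # []
    print(check_password("123456"))                       # several problems
    guard = LoginGuard(max_attempts=3)
    t = datetime(2024, 6, 1, 12, 0)
    for _ in range(3):
        guard.record_attempt("asha", False, t)
    print(guard.is_locked("asha", t))                     # True
```

Note that `record_attempt` takes the outcome of the credential check as an argument; the caller verifies the password first and the guard only decides whether the account may log in at all.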

What is more tedious is remembering the complex password one chooses for each account. Yet even after following all these stringent measures, individuals continue to lose their data and money to cybercrime.

Are passwords safe?

Are passwords safe? Time and again on this portal, we have been arguing that nothing is safe in cyberspace and people must be cautious and eagle-eyed with social media platforms and individual accounts.

Digital frauds on the rise

An RBI report says that digital frauds are up by 708 percent in the last two years. The report also points out that during 2023-2024, the number of frauds increased to 36,075 from 13,564 in the preceding year. All these cases were reported from both private and public sector banks. “Frauds have occurred predominantly in the category of digital payments (card/internet), in terms of number. In terms of value, frauds have been reported primarily in the loan portfolio (advances category),” the report said.

Another survey, by LocalCircles, has brought to light significant weaknesses in financial data security, highlighting unsafe practices adopted by citizens in India.

The survey said that 17 percent of Indians store credentials for their accounts, such as ATM PINs, debit or credit card details and PINs, and bank account details, on their mobile phones. Ironically, they keep this data and the PINs in easily accessible places like notes apps, phone contact lists and WhatsApp, making them highly susceptible to data theft and financial fraud.

Meta caught storing passwords

People’s most preferred and popular platforms, Facebook, Instagram, Threads and WhatsApp, owned by Mark Zuckerberg’s company Meta, were caught storing individuals’ passwords in plain text. The company had been storing more than 60 crore users’ passwords in plain text, some of them readable for more than a decade. In April 2019 the company admitted a major security lapse: crores of Instagram accounts were affected by passwords stored unencrypted on internal servers.

How did it come to light?

An anonymous Meta employee leaked the information. It was found that the practice dated as far back as 2012, and that nearly two thousand engineers had made nine crore queries against that data. Facebook nevertheless issued a note: “Our investigation has determined that these stored passwords were not internally abused or improperly accessed”. In other words, it tried to convince users that there had been no actual risk.

This is not an isolated case. On an earlier occasion, Facebook confirmed that it had “unintentionally uploaded” the email contacts of one crore fifty lakh people without their consent.

Why did they do it?

The social media platform has been under intense scrutiny ever since the Cambridge Analytica scandal over privacy violations and data breaches came to light. Subsequently, in 2019, Facebook (now Meta) was fined 500 crores (5 billion US dollars) by the United States Federal Trade Commission (FTC).

What is a data breach?

Does this pertain only to Meta, or are others involved in such malpractices? And how does one define a data breach? The US National Association of Attorneys General defines it as “… the unlawful and unauthorized acquisition of personal information that compromises the security, confidentiality, or integrity of personal information.”

Other big names penalised over data breaches, apart from Meta, include Google (YouTube), fined under the Children’s Online Privacy Protection Act (COPPA) in 2019 and by France in 2020; TikTok, fined by the United Kingdom (2023), the Netherlands (2021) and Italy (2021), and banned outright in India (2020); Twitter, fined by the FTC (2022) and Ireland (2021); WhatsApp, fined by Ireland (2021); Snapchat, fined by the FTC (2014); LinkedIn, fined by Ireland (2021) and France (2020); and Clubhouse, fined by Germany (2021).

Laws across the world require the organisations responsible to notify individuals when a data breach involves certain personal identifying information. In India, under Section 72A of the IT Act, the disclosure of personal information relating to another person in violation of the law is punishable with up to 3 years’ imprisonment, a fine of up to 5 lakh rupees, or both. Despite stringent national laws, the storm of data breaches shows no sign of ending. Facebook owner Meta has now been hit with another privacy penalty in Europe.

Data breaches, hefty fines

The company has been fined nearly a hundred crore rupees (€91m or £75m at current exchange rates) by the Irish Data Protection Commission (DPC) at the conclusion of a multi-layered investigation into a 2019 security breach involving the storage of passwords. The General Data Protection Regulation (GDPR) requires that users’ personal data be appropriately secured; for “… severe violations, listed in Art. 83(5) GDPR, the fine framework can be up to 20 million Euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.” The inquiry dates back to April 2019, when Meta notified the DPC that it had inadvertently stored certain passwords of social media users on its internal systems without encryption.

The fine was imposed on Meta, the parent company of Facebook, after the Irish Data Protection Commission submitted a draft decision to the European Union in June 2024. The draft said Meta had exposed its users to risk, as third parties could potentially access ‘sensitive information stored in their social media accounts,’ and found Meta in breach of the General Data Protection Regulation (GDPR) on four counts.

Issuing a statement, deputy commissioner Graham Doyle wrote: “It is widely accepted that user passwords should not be stored in plaintext, considering the risks of abuse that arise from persons accessing such data. It must be borne in mind that the passwords, the subject of consideration in this case, are particularly sensitive, as they would enable access to users’ social media accounts.”
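The statement above turns on one technical point: a stored password should never be recoverable from what the service keeps on disk. The following is an added illustration, written for this article and not Meta’s or any platform’s actual code, contrasting the plaintext storage the article describes with the accepted practice of keeping only a per-user random salt and a slow hash. The user records and the scrypt cost parameters are constructed for the example.

```python
"""Plaintext versus salted-hash password storage (added example, not any
platform's real system). The user records are constructed for illustration."""
import hashlib
import hmac
import os

# 'Before': the practice the article describes. Anyone who can read this
# table, whether an insider running queries or an attacker with a leaked
# copy, obtains every password directly.
plaintext_store = {"asha": "Mumbai@2019", "ravi": "Ravi#Secure12"}


def verify_plaintext(store: dict, user: str, password: str) -> bool:
    return store.get(user) == password


# 'After': keep only a random salt and a deliberately slow hash per user.
# Cost parameters are assumptions; n=2**14 with r=8 uses about 16 MiB of
# memory per hash, which is what makes bulk guessing expensive.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def make_record(password: str) -> dict:
    """Create the stored record for a new or changed password."""
    salt = os.urandom(16)  # unique per user, so identical passwords hash differently
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_hashed(record: dict, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    # compare_digest avoids leaking, through timing, how many bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


# Migrating the constructed plaintext table: after this, the original
# passwords exist nowhere in the store.
hashed_store = {user: make_record(pw) for user, pw in plaintext_store.items()}


def store_contains_password(store: dict, password: str) -> bool:
    """True if the password itself appears as a stored value (it should not)."""
    return any(password in rec.values() for rec in store.values())


if __name__ == "__main__":
    print(verify_plaintext(plaintext_store, "asha", "Mumbai@2019"))   # True
    print(verify_hashed(hashed_store["asha"], "Mumbai@2019"))         # True
    print(verify_hashed(hashed_store["asha"], "mumbai@2019"))         # False
    print(store_contains_password(hashed_store, "Mumbai@2019"))       # False
```

The salt is what makes two users with the same password produce different records, and the slow hash is what keeps a leaked table from being reversed quickly; neither protects a user who reuses the same password elsewhere, which is why the article’s advice on unique passwords still applies.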

Motive behind data breaches

The question is how popular social media platforms can be so callous in their privacy practices while claiming to adhere to the laws of the nations they operate in. Does it happen inadvertently, or is there a method behind it? These actions stem from a combination of factors: negligence in handling user information, and profit-driven data monetisation, as seen in the Cambridge Analytica affair of 2015, where the firm built voter profiles of 71 million Americans and a smaller number of people overseas without users’ consent.

This sends a clear message to users to be alert and careful about sharing their genuine data on social media platforms. And why should you be? Social media platforms have perfected the art of data collection through algorithmic processing and have branched out into several business models. As a result, mergers and acquisitions pose acute risks to user privacy.

It’s not that the platforms are unaware of the laws of the land. Yet they intentionally push the boundaries of what is legal or ethical to maximise profits. Their size may let them treat fines or settlements as just another cost of doing business, but when caught they lose their credibility, which is their biggest asset. This exploitation must change, and subscribers must be careful in dealing with their favourite websites and adopt best practices.

Passwords and precautions

Always use a strong, unique password for every account; never reuse the same password across accounts. If a password must be written down, record it in a code that only you understand. Almost all websites offer multi-factor authentication; do not dismiss it as cumbersome, enable it for the safety of your account and data.

Never share your passwords with anybody, and change them regularly to limit the damage from any data breach. Use a password manager to keep track of complex passwords, since recovering a lost account is often long and costly. Remember to log out of the sites you have visited.