These days we are hearing a lot about different online wallets where we can add money to the wallet and can be used for online purchases or it can be for a taxi ride later. We are getting lot of advertisements and offers to add money to the wallet. Yes, I too agree that this is a good technology advancement. However, in case if they deduct One Rupee from this wallet without our knowledge, would you mind in contacting them to check about the details? If we contact them, for sure the telephone charges will be more than One Rupee if they do not have a toll free facility. Most of us wont mind loosing that One Rupee. How about the provider deducts One Rupee from One million customers a day without their knowledge.
I had given an example of a wallet, but it can be for your online bank account as well. We won’t think about these One Rupee incidents that seriously, but at one point if they deduct more than 10000 Rs, then it would be worse. This is what we call Salami attack or Salami slicing in Information Security. This is only one aspect of Salami attack. Most of the online wallets are trustable and won’t deduct any money like that, but things would go worse when an attacker get access to these databases. This is where Salami attack comes.
Rather than taking huge money at a time, they will deduct small amounts for a period of time and at one point it will result in taking a massive amount. It can be also an insider who can be involved in incidents like this. When we go in bus, the conductor won’t give back any amount if it is less than One Rupee and these days even more than that. He would accumulate all these small amounts and if he had done this for more than 100 passengers, the he would be getting a good amount at the end of the day. These things are not something new, but most of the people already know about it. One time I forgot to collect the balance of 490 Rs from the bus. This has nothing to do with Information Security as it is our carelessness, but I was giving a background how the Salami attack works.
If we look back about the history of Salami incidents, it got reported first in 1993. In January 1993, four executives of a rental-car franchise in Florida were charged with defrauding at least 47,000 customers using a salami technique. In Los Angeles, in October 1998, district attorneys charged four men with fraud for allegedly installing computer chips in gasoline pumps that cheated consumers by overstating the amounts pumped. In 2008, a man was arrested for fraudulently creating 58,000 accounts which he used to collect money through verification deposits from online brokerage firms a few cents at a time.
How to avoid the Salami attack?
The main resolution for this attack is educating the user. Only through user awareness, we can avoid this. Users should report back to the bank or the concerned authority if they notice any deductions without their knowledge even if it is a small amount. I won’t recommend storing any personal bank information like credit card, debit card number in any of the online websites, these days we are getting an option of saving our card details in different websites. Yes, it can save your time but it is very risky even though I am aware about the encryption standards they are using.
Another important thing is to track your money, most people don’t know their remaining balance in the account, they are not aware how money comes and goes from their account and the attackers are taking the advantage of it. For financial institutions, sharp background checks are important when they go for recruitment and most important is monitoring the employees who has access to sensitive databases.
Authored by Aju Nair