Digital Impersonation Scam

Introduction

MGM Resorts, which is an international company, has suffered an ongoing cyberattack which led to the shutdown of a number of its computer systems, including its website, in response to a cybersecurity issue. MGM Resorts International is in touch with external cybersecurity experts to resolve the issue since it has affected its entire Computer systems. MGM is a larger entity and operates thousands of hotel rooms across Las Vegas and the United States. MGM Resorts shared about the incident and posted that MGM recently identified a cybersecurity issue affecting some of the Company's systems. Promptly after detecting the issue, they quickly began an investigation with assistance from leading external cybersecurity experts. MGM has notified law enforcement and took prompt action to protect systems and data, including putting down certain systems. MGM further stated that the investigation is ongoing. 

‍The issue 

Basic operations such as the online reservation and booking system MGM have been affected and shut down due to the cybersecurity issue faced by a lot of visitors. Since earlier times, casino security has been the state of the art as they were very vulnerable to attacks by robbers and con artists. This is what we have also seen in a lot of movies. In today's time, con artists and robbers are now strengthened by cyber tactics. This is exactly what was seen in the case of the MGM attack. 

MGM Resorts is home to best-in-class amenities and facilities for guests, but with the increase in tourist traction, the vulnerabilities and the scope of cyber attacks have also increased. This is also because of open wifis in the establishments and the transition of casinos to e-casinos, thus causing a major shift towards digital and technology-based intervention for better customer experience and streamlining a lot of operations. 

How real is the threat? 

As reported by MGM Resorts, the following systems were impacted in the cyber security attack: 

• Slots Machines: The slot machines placed in the casino suddenly went offline and displayed an error message for the players. Some players who were already using the slot machines lost their bets and were unable to withdraw their winnings. 
• Room Keys: Some of the guests reported that the room keys became unresponsive, and in some cases, the replacement keys were also inactive for some time, causing massive chaos at the reception.  
• Booking Status: All the bookings in today's time are made online; this was one of the worst-hit segments of the cyber attacks. Most of the bookings made automatically were put on hold, and the confirmations could be made only from the hotel reception, thus causing massive cancelling of the bookings and both the hotel and customers losing out on money.
• MGM App: The official app of MGM Resorts was completely down, thus causing a situation of confusion and panic among the guests. The users also received notifications to speak to different customer care executives, but some of the numbers were unattentive and seemed to be operated by bad actors. 
• Data breach: The main focus of the cyber attack was dedicated to committing a data breach. The attack led to the breach of personal data of most of the users registered on the app or on the system of MGM Resorts. 

‍

Conclusion 

The cyber attack on the tourism industry is a major and growing concern for the industry and its customers. Seeing the volatility of the data and the regular inflow of personal information this makes the hotel's cyber security system a vulnerable choice for bad actors. The cyber attack was no less than a fire sale, where in all the segments of the services offered were impacted. Similar attacks were reported by MGM in 2019 and 2020, and subsequently, the safety measures were also deployed, but the bad actors have hit the resorts chain owners again, in such cases the most paramount defence is having a safe and regularly updated firewall, upskilling of staff for IT issues and attacks, active reporting and investigation mechanisms for assisting the LEAs. In the times of rising cyberattacks, one needs to be critical of their data management and digital footprints. The sooner we adopt safe, secure and resilient cyber hygiene practices, the safer our future will be.  

‍

References:

https://www.bleepingcomputer.com/news/security/mgm-resorts-shuts-down-it-systems-after-cyberattack/

https://www.usatoday.com/story/tech/news/2023/09/11/mgm-cyber-attack-impact-resorts-hotels-us/70828503007/

https://www.cnbc.com/2023/09/12/mgm-resorts-cybersecurity-incident-forces-system-outage.html

‍

Introduction

The Ministry of Electronics and Information Technology ( MeitY) through its Information Security Education & Awareness ( ISEA ) came up with an advisory regarding the growing cases of e-challan fraud. Cybercriminals are exploiting the beliefs of individuals by attracting them into clicking malicious links under the impression of paying traffic fines. Cybercriminals employ sending phishing messages and impersonating official e-challan notifications as a primary method. These messages are crafted in such a way that portrays a sense of urgency, provoking individuals to click on a link for spontaneous payment. For building trust, the messages are deviously created by scammers depicting official communication, which in actuality are fake messages targeting individuals for committing online financial fraud.

Unveiling the E-Challan Scam

Scammers send a text message to your phones that closely resembles e-challan alerts. The text appears from the traffic police, informing the netizens of a traffic violation that requires a fine payment. These messages contain a link and a text message urging the recipient to settle the fine by clicking on the links to make the payment.  Scammers have started trapping innocent individuals through such fake messages. These scammers are creating and sending fake messages that look like traffic challan alert messages. However, it is a completely deceptive and fake message. Such messages contain malicious links to fake website, leading users to visit the fake website and enter their bank account details, or make the payment which ultimately leads to financial loss to victims. Cyber scammers have meticulously copied the format used by the traffic authorities however a close examination can help us spot the trap. The modus operandi of such type of scam is to get the targeted individuals to click on a malicious link for payment of traffic e-challan. Once you click on such malicious payment link to pay for the e-challan the individuals unknowingly will end up paying the cyber criminals instead of the police in a bid to discharge the traffic e-challan.

How to spot a fake E-Challan?

• Verify the Vehicle Number: Make sure that the vehicle number mentioned in the message matches your vehicle’s number. Cross-check this information with your vehicle’s number plate or the smart card ( blue book) issued by the Regional Transport Office ( RTO).
• Verify the E-challan Number: Verify the validity of the e-challan number by logging into the official traffic police website or app. Legitimate e-challans will have a corresponding record that can be cross-checked for authenticity. The challan number can be verified by logging in to the official e-challan website. It is always advisable to Visit the official government website to check if you have actually been fined.
• Inspect the Message Content: Give attention to the language inculcated in the message. Hackers' messages may contain grammatical errors or unusual phrases. For example, cybercriminals might encourage victims to visit the RTO office in person. Trying to build up confidence among the victims. Also, it is important that you do not make such payments in haste. Vehicle owners must check such messages carefully before clicking on any link.

Best Practices to Stay Safe

• Be aware of unbidden messages: Be cautious when you receive unsolicited e- challan notifications. Abstain yourself by clicking on links or downloading attachments from unknown sources. 
• Always stick to legitimate or official websites: The scammers use links which look similar to the official link, and a casual glance can miss the difference. Hence it is strictly advisable to visit the official websites only. Also do note that government websites will always have the domain '.gov.in'.  The official website of Traffic Challan is https://echallan.parivahan.gov.in/ 
• Get it cross-checked through official channels: Always cross-check the authenticity of an e-challan by directly accessing official channels, such as the official traffic police website or application. 
• Connect with the RTO directly: If in doubt, independently connect with the Regional Transport Office ( RTO) using official contact details to verify the authenticity of the e-challan.  It is best not to solely rely on information received from suspicious messages. 
• Software update: Make sure that your device’s security software is up to date to protect against malware and phishing scams.

Conclusion:

Cybercriminals are exploiting the fear of traffic fines to trick individuals into clicking on malicious links and revealing their personal and financial information. These scams can lead to significant financial losses for the victims. To stay safe, it is important to be cautious of unsolicited messages, verify the authenticity of e-challans through official channels, and avoid clicking on links or downloading attachments from unknown sources. Awareness is the first line of defence in the evolving landscape of online threats. 

References:

• https://economictimes.indiatimes.com/news/new-updates/ahmedabad-residents-duped-out-of-lakhs-in-e-challan-scam-cops-arrest-jharkhand-man/articleshow/103528317.cms
• https://economictimes.indiatimes.com/wealth/save/new-traffic-e-challan-fraud-heres-how-to-identify-scam-messages-and-avoid-getting-duped/articleshow/104960817.cms
• https://www.ndtv.com/india-news/explained-the-new-e-challan-scam-how-we-can-escape-it-4342129

‍

Introduction

The Senate bill introduced on 19 March 2024 in the United States would require online platforms to obtain consumer consent before using their data for Artificial Intelligence (AI) model training. If a company fails to obtain this consent, it would be considered a deceptive or unfair practice and result in enforcement action from the Federal Trade Commission (FTC) under the AI consumer opt-in, notification standards, and ethical norms for training (AI Consent) bill. The legislation aims to strengthen consumer protection and give Americans the power to determine how their data is used by online platforms. 

The proposed bill also seeks to create standards for disclosures, including requiring platforms to provide instructions to consumers on how they can affirm or rescind their consent. The option to grant or revoke consent should be made available at any time through an accessible and easily navigable mechanism, and the selection to withhold or reverse consent must be at least as prominent as the option to accept while taking the same number of steps or fewer as the option to accept.

The AI Consent bill directs the FTC to implement regulations to improve transparency by requiring companies to disclose when the data of individuals will be used to train AI and receive consumer opt-in to this use. 
The bill also commissions an FTC report on the technical feasibility of de-identifying data, given the rapid advancements in AI technologies, evaluating potential measures companies could take to effectively de-identify user data.

The definition of ‘Artificial Intelligence System’ under the proposed bill

ARTIFICIALINTELLIGENCE SYSTEM- The term artificial intelligence system“ means a machine-based system that—

1. Is capable of influencing the environment by producing an output, including predictions, recommendations or decisions, for a given set of objectives; and
2. 2. Uses machine or human-based data and inputs to

(i) Perceive real or virtual environments;

(ii) Abstract these perceptions into models through analysis in an automated manner (such as by using machine learning) or manually; and

(iii) Use model inference to formulate options for outcomes.

Importance of the proposed AI Consent Bill USA

1. Consumer Data Protection: The AI Consent bill primarily upholds the privacy rights of an individual. Consent is necessitated from the consumer before data is used for AI Training; the bill aims to empower individuals with unhinged autonomy over the use of personal information. The scope of the bill aligns with the greater objective of data protection laws globally, stressing the criticality of privacy rights and autonomy.

2. Prohibition Measures: The proposed bill intends to prohibit covered entities from exploiting the data of consumers for training purposes without their consent. This prohibition extends to the sale of data, transfer to third parties and usage. Such measures aim to prevent data misuse and exploitation of personal information. The bill aims to ensure companies are leveraged by consumer information for the development of AI without a transparent process of consent.

3. Transparent Consent Procedures: The bill calls for clear and conspicuous disclosures to be provided by the companies for the intended use of consumer data for AI training. The entities must provide a comprehensive explanation of data processing and its implications for consumers. The transparency fostered by the proposed bill allows consumers to make sound decisions about their data and its management, hence nurturing a sense of accountability and trust in data-driven practices.

4. Regulatory Compliance: The bill's guidelines call for strict requirements for procuring the consent of an individual. The entities must follow a prescribed mechanism for content solicitation, making the process streamlined and accessible for consumers. Moreover, the acquisition of content must be independent, i.e. without terms of service and other contractual obligations. These provisions underscore the importance of active and informed consent in data processing activities, reinforcing the principles of data protection and privacy.

5. Enforcement and Oversight: To enforce compliance with the provisions of the bill, robust mechanisms for oversight and enforcement are established. Violations of the prescribed regulations are treated as unfair or deceptive acts under its provisions. Empowering regulatory bodies like the FTC to ensure adherence to data privacy standards. By holding covered entities accountable for compliance, the bill fosters a culture of accountability and responsibility in data handling practices, thereby enhancing consumer trust and confidence in the digital ecosystem.

Importance of Data Anonymization

Data Anonymization is the process of concealing or removing personal or private information from the data set to safeguard the privacy of the individual associated with it. Anonymised data is a sort of information sanitisation in which data anonymisation techniques encrypt or delete personally identifying information from datasets to protect data privacy of the subject. This reduces the danger of unintentional exposure during information transfer across borders and allows for easier assessment and analytics after anonymisation. When personal information is compromised, the organisation suffers not just a security breach but also a breach of confidence from the client or consumer. Such assaults can result in a wide range of privacy infractions, including breach of contract, discrimination, and identity theft.

The AI consent bill asks the FTC to study data de-identification methods. Data anonymisation is critical to improving privacy protection since it reduces the danger of re-identification and unauthorised access to personal information. Regulatory bodies can increase privacy safeguards and reduce privacy risks connected with data processing operations by investigating and perhaps implementing anonymisation procedures.

The AI consent bill emphasises de-identification methods, as well as the DPDP Act 2023 in India, while not specifically talking about data de-identification, but it emphasises the data minimisation principles, which highlights the potential future focus on data anonymisation processes or techniques in India.

Conclusion

The proposed AI Consent bill in the US represents a significant step towards enhancing consumer privacy rights and data protection in the context of AI development. Through its stringent prohibitions, transparent consent procedures, regulatory compliance measures, and robust enforcement mechanisms, the bill strives to strike a balance between fostering innovation in AI technologies while safeguarding the privacy and autonomy of individuals.

References:

• https://fedscoop.com/consumer-data-consent-training-ai-models-senate-bill/#:~:text=%E2%80%9CThe%20AI%20CONSENT%20Act%20gives,Welch%20said%20in%20a%20statement
• https://www.dataguidance.com/news/usa-bill-ai-consent-act-introduced-house#:~:text=USA%3A%20Bill%20for%20the%20AI%20Consent%20Act%20introduced%20to%20House%20of%20Representatives,-ConsentPrivacy%20Law&text=On%20March%2019%2C%202024%2C%20US,the%20U.S.%20House%20of%20Representatives
• https://datenrecht.ch/en/usa-ai-consent-act-vorgeschlagen/
• https://www.lujan.senate.gov/newsroom/press-releases/lujan-welch-introduce-billto-require-online-platforms-receive-consumers-consent-before-using-their-personal-data-to-train-ai-models/

‍