iOS Lockdown Mode Feature: The Cyber Bouncer for Your iPhone!

Introduction

The Chairman of Vardhman Group, Mr SP Oswal, an India-based textile manufacturer, fell victim to a cyber fraud scheme that cost him ₹7 crore. The scam unfolded on August 28 and 29, conning Mr Oswal into transferring Rs 7 crore into multiple bank accounts. As per the recent reports, the Police have managed to freeze these accounts and recover over Rs 5 crore as of now. The fraudsters convinced Mr SP Oswal that he was a suspect in a money laundering investigation and held on a “Digital Arrest”. These are sophisticated cyber frauds where cyber-criminals impersonate law enforcement officials or other authorities and target innocent individuals with manipulative tactics. The scam targets are often contacted out of the blue, on Instant messaging apps like WhatsApp and informed that their bank accounts, digital identities, or other online assets have been compromised. Criminals play into the victims' fear by threatening them with imminent arrest, legal consequences, or public humiliation if they don't cooperate with a series of urgent demands.

Posing as Officials, Fraudsters Orchestrate ₹7 Crore Scam

The investigation revealed that the fraudsters posed as members of the Central Bureau of Investigation (CBI). They had contacted Mr Oswal and claimed that his Aadhaar had been misused in a case involving fake passports and financial fraud. The imposter conducted a video call in a police uniform using a background with the CBI logo. The fraud escalated further, Mr Oswal got a fake "arrest warrant" on  WhatsApp allegedly authorised by the Supreme Court. Fraudsters convinced Mr Oswal to transfer ₹7 crores to facilitate bail proceedings, claiming he was under "digital arrest". The meticulously planned scam involved fake documents, a virtual courtroom, and relentless intimidation tactics leaving Mr Oswal effectively under "digital arrest" for two days. While the police have successfully recovered over Rs 5 crore so far, this case highlights the alarming threat of digital impersonation of law enforcement authorities.

Legal Outlook on the Validity of Digital Arrests

In India, the main laws governing cyber crimes are the Information Technology Act, of 2000 and the rules made under therein, and the newly enacted Bhartiya Nyaya Sanhita, 2023. Recently enacted new criminal laws do not provide for any provision for law enforcement agencies conducting a digital arrest.  The law only provides for service of the summons and the proceedings in an electronic mode. Hence, there are no provisions for conducting 'digital arrests' as per the laws of the country. 

Further, It should be noted that the Indian Cyber Crime Coordination Centre (I4C), under the Ministry of Home Affairs, coordinates the activities related to combating cybercrime in the country. MHA works closely with other ministries to counter these frauds. The I4C also provides technical support to the police authorities of states/UTs for the identification and investigation of these cases. 

Best Practices to Avoid Digital Arrest Scams 

• To protect yourself from scams, it is crucial to verify the identity of individuals claiming to be law enforcement or government officials and use official contact channels to confirm their credentials. 
• Be cautious of pressure tactics used by fraudsters, especially demands for quick payment over unverified communication platforms like WhatsApp. 
• Cross-check official documents with legal advisors or relevant authorities. 
• Never share sensitive personal information, such as your Aadhaar number, over phone calls, emails, or messages without verifying the request's authenticity. 
• Avoid untraceable payments, such as cryptocurrency or prepaid cards, without validating the transaction's legitimacy, especially under duress. 
• Stay informed on scam techniques, particularly those involving impersonation and digital threats. 
• Enable Two-Factor Authentication (2FA) for sensitive online accounts to prevent misuse. 
• Consult advice from legal professionals if you receive threatening communication involving digital arrest or legal actions and do not take any action on the asks of persons posing as legitimate authorities. 
• In case of any cybercrime, you can file a complaint at cybercrime.gov.in or helpline number 1930. You can also seek assistance from the CyberPeace helpline at +91 9570000066.

Conclusion

The digital arrest of Vardhman Group's CEO underscores the increasing sophistication of cyber fraud schemes, which exploit fear and urgency, leading to severe financial and reputational harm. No one is immune from cybercrime, vigilance is essential at all leadership levels. While laws like the IT Act and initiatives taken by the I4C help combat cybercrime, rapidly evolving threats demand proactive safety measures. Beyond the possibility of financial loss, incidents like this jeopardise brand reputation, investor confidence, and operational stability. Be cautious of such threats and exercise due care and caution while navigating the digital landscape. Be aware of such kinds of scams and the manipulative tactics used by fraudsters to avoid them. By staying vigilant and aware we can avoid the growing scam of digital arrests. 

References

• https://www.business-standard.com/companies/news/digital-arrest-and-rs-7-crore-heist-how-vardhman-group-head-was-tricked-124100100832_1.html
• https://www.hindustantimes.com/business/vardhman-group-chairman-sp-oswal-duped-of-rs-7-crore-fraudsters-posed-as-cbi-101727666912738.html 
• https://www.msspalert.com/native/digital-arrests-the-new-frontier-of-cybercrime

‍

Modern international trade heavily relies on data transfers for the exchange of digital goods and services. User data travels across multiple jurisdictions and legal regimes, each with different rules for processing it. Since international treaties and standards for data protection are inadequate, states, in an effort to protect their citizens' data, have begun extending their domestic privacy laws beyond their borders. However, this opens a Pandora's box of legal and administrative complexities for both, the data protection authorities and data processors. The former must balance the harmonization of domestic data protection laws with their extraterritorial enforcement, without overreaching into the sovereignty of other states. The latter must comply with the data privacy laws in all states where it collects, stores, and processes data. While the international legal community continues to grapple with these challenges, India can draw valuable lessons to refine the Digital Personal Data Protection Act, 2023 (DPDP) in a way that effectively addresses these complexities.

Why Extraterritorial Application? 

Since data moves freely across borders and entities collecting such data from users in multiple states can misuse it or use it to gain an unfair competitive advantage in local markets, data privacy laws carry a clause on their extraterritorial application. Thus, this principle is utilized by states to frame laws that can ensure comprehensive data protection for their citizens, irrespective of the data’s location.  The foremost example of this is the European Union’s (EU) General Data Protection Regulation (GDPR), 2016,  which applies to any entity that processes the personal data of its citizens, regardless of its location. Recently, India has enacted the DPDP Act of 2023, which includes a clause on extraterritorial application.

The Extraterritorial Approach: GDPR and DPDP Act

The GDPR is considered the toughest data privacy law in the world and sets a global standard in data protection. According to Article 3, its provisions apply not only to data processors within the EU but also to those established outside its territory, if they offer goods and services to and conduct behavioural monitoring of data subjects within the EU. The enforcement of this regulation relies on heavy penalties for non-compliance in the form of fines up to €20 million or 4% of the company’s global turnover, whichever is higher, in case of severe violations. As a result, corporations based in the USA, like Meta and Clearview AI, have been fined over  €1.5 billion and €5.5 million respectively, under the GDPR. 

Like the GDPR, the DPDP Act extends its jurisdiction to foreign companies dealing with personal data of data principles within Indian territory under section 3(b). It has a similar extraterritorial reach and prescribes a penalty of up to Rs 250 crores in case of breaches. However, the Act or DPDP Rules, 2025, which are currently under deliberation, do not elaborate on an enforcement mechanism through which foreign companies can be held accountable. 

Lessons for India’s DPDP on Managing Extraterritorial Application 

1. Clarity in Definitions: GDPR clearly defines ‘personal data’, covering direct information such as name and identification number,  indirect identifiers like location data, and, online identifiers that can be used to identify the physical, physiological, genetic, mental, economic, cultural, or social identity of a natural person. It also prohibits revealing special categories of personal data like religious beliefs and biometric data to protect the fundamental rights and freedoms of the subjects. On the other hand, the DPDP Act/ Rules define ‘personal data’ vaguely, leaving a broad scope for Big Tech and ad-tech firms to bypass obligations. 
2. International Cooperation: Compliance is complex for companies due to varying data protection laws in different countries. The success of regulatory measures in such a scenario depends on international cooperation for governing cross-border data flows and enforcement. For DPDP to be effective, India will have to foster cooperation frameworks with other nations. 
3. Adequate Safeguards for Data Transfers: The GDPR regulates data transfers outside the EU via pre-approved legal mechanisms such as standard contractual clauses or binding corporate rules to ensure that the same level of protection applies to EU citizens’ data even when it is processed outside the EU. The DPDP should adopt similar safeguards to ensure that Indian citizens’ data is protected when processed abroad.
4. Revised Penalty Structure: The GDPR mandates a penalty structure that must be effective, proportionate, and dissuasive. The supervisory authority in each member state has the power to impose administrative fines as per these principles, up to an upper limit set by the GDPR. On the other hand, the DPDP’s penalty structure is simplistic and will disproportionately impact smaller businesses. It must take into regard factors such as nature, gravity, and duration of the infringement, its consequences, compliance measures taken, etc.
5. Governance Structure: The GDPR envisages a multi-tiered governance structure comprising of   

• National-level Data Protection Authorities (DPAs) for enforcing national data protection laws and the GDPR, 
• European Data Protection Supervisor (EDPS) for monitoring the processing of personal data by EU institutions and bodies,  
• European Commission (EC) for developing GDPR legislation
• European Data Protection Board (EDPB) for enabling coordination between the EC, EDPS, and DPAs

In contrast, the Data Protection Board (DPB) under DPDP will be a single, centralized body overseeing compliance and enforcement. Since its members are to be appointed by the Central Government, it raises questions about the Board’s autonomy and ability to apply regulations consistently. Further, its investigative and enforcement capabilities are not well defined.

Conclusion 

The protection of the human right to privacy ( under the International Covenant on Civil and Political Rights and the Universal Declaration of Human Rights) in today’s increasingly interconnected digital economy warrants international standard-setting on cross-border data protection. In the meantime, States relying on the extraterritorial application of domestic laws is unavoidable. While India’s DPDP takes measures towards this, they must be refined to ensure clarity regarding implementation mechanisms. They should push for alignment with data protection laws of other States, and account for the complexity of enforcement in cases involving extraterritorial jurisdiction. As India sets out to position itself as a global digital leader, a well-crafted extraterritorial framework under the DPDP Act will be essential to promote international trust in India’s data governance regime.

Sources

• https://gdpr-info.eu/art-83-gdpr/ 
• https://gdpr-info.eu/recitals/no-150/ 
• https://gdpr-info.eu/recitals/no-51/ 
• https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf 
• https://www.eqs.com/compliance-blog/biggest-gdpr-fines/#:~:text=ease%20the%20burden.-,At%20a%20glance,In%20summary 
• https://gdpr-info.eu/art-3-gdpr/ 
• https://www.legal500.com/developments/thought-leadership/gdpr-v-indias-dpdpa-key-differences-and-compliance-implications/#:~:text=Both%20laws%20cover%20'personal%20data,of%20personal%20data%20as%20sensitive. 

‍

Introduction

Web applications are essential in various sectors, including online shopping, social networks, banking, and healthcare systems. However, they also pose numerous security threats, including Cross-Site Scripting (XSS), a client-side code injection vulnerability. XSS attacks exploit the trust relationship between users and websites, allowing them to change web content, steal private information, hijack sessions, and gain full control of user accounts without breaking into the core server. This vulnerability is part of the OWASP Top 10 Web Application Security Risks.

‍

What is Cross-Site Scripting (XSS)?

An XSS attack occurs when an attacker injects client-side scripts into web pages viewed by other users. When users visit the affected pages, their browsers naively execute the inserted scripts. The exploit takes advantage of web applications that allow users to submit content without properly sanitising inputs or encoding outputs. These scripts can cause a wide range of damage, including but not limited to stealing session cookies for session hijacking, redirecting users to malicious sites, logging keystrokes to capture credentials, and altering the DOM to display fake or phishing content.

‍

How Does XSS Work?

1. Injection: A malicious user submits code through a website input, like a comment or form.
2. Execution: The submitted code runs automatically in the browsers of other users who view the page.
3. Exploitation:The attacker can steal session information, capture credentials, redirect users, or modify the page content.

The fundamental cause behind the XSS vulnerabilities is the application of:

• Accepting trusted input from the users.  
• After users' input, web pages have the strings embedded without any sanitisation.  
• Not abiding by security policies like Content Security Policy (CSP).  

With such vulnerabilities, attackers can generate malicious payloads like:  <script>alert('XSS');</script>  

‍

This code might seem simple, but its execution provides the attacker with the possibility to do the following:  

• Copy session tokens through hidden HTTP requests.  
• From attacker-controlled domains, load attacker scripts.  
• Change the DOM structure to show fake login forms for phishing.

‍

Types of XSS Attacks: XSS (Cross-Site Scripting) attacks can occur in three main variations: 

1. Stored XSS: This type of attack occurs when an attacker injects an administered payload into the database or a message board. The script then runs whenever a user visits the affected board.
2. Reflected XSS: In this attack, the danger lies in a parameter of the URL. Its social engineering techniques are attacks, in which it requires tricking people to click on a specially designed link. For example:
3. DOM-Based XSS: This technique injects anything harmful without the need for server-side scripts, in contrast to other approaches. It targets JavaScript client-side scripts such as `document.write` and `innerHTML`. Without carrying out any safety checks, these scripts will alter the page's look (DOM stands for Document Object Model). If the hash is given a malicious string, it is run directly within the browser.

‍

What Makes XSS a Threat?  

‍

A Cross-Site Scripting attack is only a primary attack vector, and can lead to significant damage that includes the following: 

• Statement Hijacking. This uses scripts to steal cookies, which are then used to pose as authorized users.  
• Theft of Credentials. Users’ passwords and usernames are wrenched from keystroke trackers.  
• Phishing. Users are prompted with deceitful login forms that are used to capture sensitive details.  
• Website Vandalism. Modified website material lowers the esteem of the brand.  
• Monetary and Legal Consequences. There are compounding effects to GDPR and DPDP Act compliance in case of Data breaches, which incur penalties and fines.  ‍

‍

Incidents in the Real World  

In 2021, an XSS Stored attack occurred on a famous e-commerce platform eBay, through their product review system. The malicious JavaScript code was set to trigger every time an infected product page was accessed by customers. This caused a lot of problems, including account takeovers, unauthorised purchases, and damage to the company’s reputation. This example further worsens the fact that even reputed platforms can be targeted by XSS attacks.

‍‍

How to Prevent XSS?

Addressing XSS vulnerabilities demands attention to detail and coordinated efforts across functions, as illustrated in the steps below:

 Input Validation and Output Encoding:

• Ensure input validation is in place on the client and server.
• Perform output encoding relative to context: HTML: <, >, &.
• JavaScript: Escape quotes and slashes

Content Security Policy (CSP): CSP allows scripts to be executed only from the verified sources, which helps diminish the odds of harmful scripts running on your website. For example, the Header in the code could look to some degree like this: Content-Security-Policy: script-src 'self';

Unsafe APIs should be dodged: Avoid the use of document.write(), innerHTML, and eval(), and make sure to use:

• TextContent for inserting text.
• CreateElement() and other DOM creation methods for structured content.

Secure Cookies: Apply the HttpOnly and Secure cookie flags to block JavaScript access. 

Framework Protections: Use the protective features in frameworks such as:

• React, which escapes data embedded in JSX automatically.
• Angular, which uses context-aware sanitisation.

Periodic Security Assessment:

• Use DAST tools to test the security posture of an application.
• Perform thorough penetration testing and security-oriented code reviews.

‍

‍Best Practices for Developers: Assume a Secure Development Lifecycle (SDLC) integrating XSS stoppage at each point.

• Educate developers on OWASP secure coding guidelines.
• Automate scanning for vulnerabilities in CI/CD pipelines.

‍

‍Conclusion:

To reduce the potential danger of XSS, both developers and companies must be diligent in their safety initiatives, ranging from using Content Security Policies (CSP) to verifying user input. Web applications can shield consumers and the company from the subtle but long-lasting threat of Cross-Site Scripting if security controls are implemented during the web application development stage and regular vulnerability scans are conducted.

‍

References

• https://owasp.org/www-community/attacks/xss/
• https://www.paloaltonetworks.com/cyberpedia/xss-cross-site-scripting
• https://developer.mozilla.org/en-US/docs/Glossary/Cross-site_scripting
• https://www.cloudflare.com/learning/security/threats/cross-site-scripting/

‍

‍