Cyber Crimes and other Economic Offences

The phenomenon of

Cyber Crimes and other Economic Offences

in relation to Online Banking

Rupak Ghosh . Enrollment Number: PGDBL/ON/11-12/008

Number of words . Introduction: 285, Objective: 139, Methodology:64, Main body 7350, Conclusion: 99

Total: 7937

A

-- PH

Acknowl

It aANR

I J

R

-----------------HENOMENON OF C

ledgeme

t would not ssistance o

Assistant PrNational UniRainmaker f

I am extremuridical Sci

Rupak Ghos

----------------CYBER CRIMES AN

ents

t have beenof Rainmarofessor aniversity of Jfor their kin

mely gratefiences for d

sh

----------------ND OTHER ECONOM

.

n possible faker. I owend Mr ShJuridical Scd assistanc

for me to ce a large mouvik Kr.

ciences. I amce and guid

carry out thmeasure oGuha, Re

m thankful dance.

his study wiof gratitudeesearch Asto Aparna

ithout the e to Profes

ssociate, ofDas and S

encouragemsor Shamef the Wes

Sankalp Sh

ment and eek Sen, t Bengal harma of

ful to everydesigning th

yone from Rhis nice cou

Rainmaker urse.

and West Bengal Naational Univ

-----------------MIC OFFENCES IN

----------------RELATION TO ONL

-----------------LINE BANKING

-----------------

versity of

------------------- i

--------------------------------------------------------------------------------------------------------------------------------- PHENOMENON OF CYBER CRIMES AND OTHER ECONOMIC OFFENCES IN RELATION TO ONLINE BANKING ii

Preface .

The revolutionary progresses in information technology have a deep rooted impact in global communication and that’s also having a great impact in the national as well as the global business environment.

Online Banking is gaining importance day by day as its easy, quick and cost effective. Along with all benefits, it has also brought about a new orientation to risks and even new forms of risks, the risk of Cyber Crime.

Crime in cyber space is multidimensional. So the ways to prevention have various aspects like legal, administrative, technological and awareness. Proper implementation of preventive strategies will make online banking more secure in future.

--------------------------------------------------------------------------------------------------------------------------------- PHENOMENON OF CYBER CRIMES AND OTHER ECONOMIC OFFENCES IN RELATION TO ONLINE BANKING iii

Content . Page number Acknowledgements i Preface ii Content iii Details of Word Count iii

Page number Introduction 1 Objective 1 Methodology 1 Main body 2 - 21 General Idea on Cyber Crime 2

Types of Cyber Crime Hacking Cyber Stalking, Child Pornography, Denial of Service Online Fraud Software Piracy,Spoofing, Usenet Newsgroup, Credit Card, Debit Card, ATM Fraud , Virus Dissemination Cyber Crime for Financial Gain Cyber Crime for Revenge Recreational Cyber Crime

2 - 6 3 4

4-5 5

5 5-6 6

Cyber crimes, Economic offences and Online banking Distinctive features of i-banking/ Online Banking Various Issues Set of risks Cyber Crime Related to Automated Teller Machine Credit Card fraud Money laundering and cybercrime Online Frauds

6 – 16 8

8 - 9 9 - 10 10 - 12 12 - 14

14 15 - 16

Preventive Measures Awareness initiatives among users Legal Issues involved Administrative Measures Technological Measures

16 – 20 16

17 - 19 19

19 -20

Recommendations 20 - 21 Conclusion 21

‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐ PHENOMENON OF CYBER CRIMES AND OTHER ECONOMIC OFFENCES IN RELATION TO ONLINE BANKING 1

Introduction: Now we’re in the age of information technology, it connected the whole world. The revolutionary progresses in information technology have a deep rooted impact in global communication and that’s also having a great impact in the business environment. Business communities are providing various information technologies enables services to their customers. This way of business is getting stronger day by day. Banks have traditionally been in the forefront of harnessing technology to improve their products, services and efficiency. Internet banking; both as a medium of delivery of banking services and as a strategic tool for business development, has gained wide acceptance internationally and is fast catching up in India with more and more banks entering the fray. India can be said to be on the threshold of a major banking revolution with net banking having already been unveiled. Along with all benefits, it has also brought about a new orientation to risks and even new forms of risks. Money is the most common motive behind all crime. So this medium attracts criminal activities i.e. Cyber Crime. This medium is based on logical computer languages so some of those criminal activities are high-tech in nature. Sometime those activities are done by making the user fool. Preventive measures are required in order to make the platform sustainable. Due to the complexity and specialty nature of such crimes it requires special legislations, administrative measures in dealing with such crime. India enacted its first law on Information Technology namely, the Information Technology Act, 2000. Later Information Technology (Amendment) Act, 2008 was made effective from 27 October 2009. Technological progress, Users awareness, effective legal and administrative measures will make the dimension secure and effective tools for progress of our civilization. Objective: The revolutionary progresses in information technology have a deep rooted impact in global communication and that’s also having a great impact in the national as well as the global business environment. Online banking is one of the most important aspects of it. It is becoming popular day by day as it is easier, cheaper faster than traditional banking. However it also has some risk due to crimes in cyber space. Cyber crimes are some time very complicated from technical point of view, some time they are simple tricks. Prevention of those crimes is essential in order to make online banking safe and secure. This research will enlighten me regarding various types of Cyber Crime especially economic offences in relation to online banking and their prevention. Involvements of various technological, legal, social aspects make this topic interesting for me. Research Methodology: The study has been conducted mainly through secondary data analysis. Sources are mainly legal documents like judgments of some cases, legislations and various other literatures. The analyses of various websites give an idea regarding the processes of Cyber crime especially in online banking, and prevention of such crimes. The analysis of legislations and some cases are the main backbone of this research.


Main Body

General Idea on Cyber Crime What is cyber-crime? Law enforcement experts and legal commentators are divided. Some experts believe that computer crime is nothing more than ordinary crime committed by high-tech computers and that current criminal laws on the books should be applied to the various laws broken, such as trespass, larceny, and conspiracy. Others view cybercrime as a new category of crime requiring a comprehensive new legal framework to address the unique set of challenges that traditional crime does not deal with; such as jurisdiction, international cooperation, intent, and the difficulty of identifying the perpetrator. The term ‘cyber crime’ has not been defined in any Statute or Act. The Oxford Reference Online defines cyber crime as crime committed over the Internet. The Encyclopedia Britannica defines cyber crime as any crime that is committed by means of special knowledge or expert use of computer technology. So what exactly is Cyber Crime? Cyber crime could reasonably include a wide variety of criminal offences and activities. The Internet – or Cyber Space as it’s sometimes called, is a borderless environment unlike a brick and mortar world. Even though it is indispensable as a knowledge bank, it is an ideal tool for someone with a criminal bent of mind, who can use this environment to his/ her maximum advantage. It is not a surprise that Cyber Crimes like money cyber stalking, denial of service, e-mail abuse, chat abuse and other crimes are on the rise. Cyber Terrorist and cyber mafia are emerging with great force, whose activities are going to threaten the sovereignty of nations and world order. CBI Manual defines cyber crime as: (i) Crimes committed by using computers as a means, including conventional crimes. (ii)Crimes in which computers are targets.1 A generalized definition of cyber crime may be “unlawful acts where in the computer is either a tool or target or both”.2 In India, The Information Technology act, 2000 is the mother legislation that deals with issues related to use of computer, computer systems, computer networks and the internet, but the act does not define the term cyber crime. Cyber crime can generally be defined as a criminal activity in which information technology systems are the means used for the commission of the crime. Types of Cyber Crime The revolutionary progress in information technology made the cyber space wide. The cyberspace is basically a Virtual Reality developed by logic based computer software and hardware languages. Technical developments are making it easier, faster and smarter. That’s why it’s becoming more and more popular. Firstly increasing number people are becoming dependent on it for their economic, social and personal life. Like all segment of society cyber space couldn’t be independent from crime. Due to its complex architecture, criminal activities by utilizing it are also multi dimensional. From technical perspective some important types of cyber crimes are as follows: 1 Cyber crimes, CBI (crime) manual 2005, chapter 18, 2 Nagpal R. – What is Cyber Crime?


(A) Hacking: Hacking in simple terms means an illegal intrusion into a computer system and/or network. There is an equivalent term to hacking i.e. cracking, but from Indian Laws perspective there is no difference between the term hacking and cracking. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destruct and they get the kick out of such destruction. Some hackers hack for personal monetary gains, such as to stealing the credit card information, transferring money from various bank accounts to their own account followed by withdrawal of money. They extort money from some corporate giant threatening him to publish the stolen information which is critical in nature. Government websites are the hot targets of the hackers due to the press coverage, it receives. Hackers enjoy the media coverage. A total of 112 government websites in India were hacked from December to February, a federal minister said on March 13th, reflecting India's continuing problem with online security.

CBI website hacked by 'Pak Cyber Army'3

IMD-Kolkata's webpage, which has been hacked4

3 http://ibnlive.in.com (Dec 04, 2010) 4 The Hindu (October 27, 2011)


(B) Cyber Stalking: Cyber Stalking can be defined as the repeated acts harassment or threatening behavior of the cyber criminal towards the victim by using internet services. Stalking in General terms can be referred to as the repeated acts of harassment targeting the victim such as following the victim, making harassing phone calls, killing the victims pet, vandalizing victims property, leaving written messages or objects. Both kind of Stalkers, Online & Offline – have desire to control the victims life. Majority of the stalkers are the dejected lovers or ex-lovers, who then want to harass the victim because they failed to satisfy their secret desires. Most of the stalkers are men and victim female. (C) Child Pornography: The Internet is being highly used by its abusers to reach and abuse children sexually, worldwide. The internet is very fast becoming a household commodity in India. Its explosion has made the children a viable victim to the cyber crime. As more homes have access to internet, more children would be using the internet and more are the chances of falling victim to the aggression of pedophiles. (D) Denial of Service: This is an act by a criminal, who floods the bandwidth of the victim’s network or fills his e-mail box with spam mail depriving him of the services he is entitled to access or provide. This act is committed by a technique called spoofing and buffer overflow. The criminal spoofs the IP address and flood the network of the victim with repeated requests. Since the IP address is fake, the victim machine keeps waiting for response from the criminal’s machine for each request. This consumes the bandwidth of the network which then fails to serve the legitimate requests and ultimately breaks down (E) Online Fraud: The net is a boon for people to conduct business effectively, very quickly. It saves businesses a lot of time, money and resources. Unfortunately, the net is also an open invitation to scams and fraudsters and online frauds are becoming increasingly rampant Spoof websites and email security alerts: Fraudsters create authentic looking websites that are actually nothing but a spoof. The purpose of these websites is to make the user enter personal information. This information is then used to access business and bank accounts. Fraudsters are increasingly turning to email to generate traffic to these websites. A lot of customers of financial institutions recently received such emails. Such emails usually contain a link to a spoof website and mislead users to enter User ids and passwords on the pretence that security details can be updated, or passwords changed. Virus hoax emails: It is a sad fact of life that there are those who enjoy exploiting the concerns of others. Many emailed warnings about viruses are hoaxes, designed purely to cause concern and disrupt businesses. Lottery Frauds: These are letters or emails, which inform the recipient that he/ she has won a prize in a lottery. To get the money, the recipient has to reply. After which another mail is received asking for bank details so that the money can be directly transferred. The email also asks for a processing fee/ handling fee. Of course, the money is never transferred in this case, the processing fee is swindled and the banking details are used for other frauds and scams.


Spoofing: Spoofing means illegal intrusion, posing as a genuine user. A hacker logs-in to a computer illegally, using a different identity than his own. He is able to do this by having previously obtained actual password. He creates a new identity by fooling the computer into thinking he is the genuine system operator. The hacker then takes control of the system. He can commit innumerable number of frauds using this false identity. (F) Software Piracy: Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original is termed as termed as software piracy. (G) Spoofing: Spoofing means a hacker logs-in to a computer illegally using a different identity than his own. (H) Usenet Newsgroup: Usenet is a popular means of sharing and distributing information on the web with respect to specific topic or subjects (I) Credit Card, Debit Card, ATM Fraud: The unauthorized and illegal use of a credit card, Debit Card to purchase property. This type of cyber crime is done by utilizing technological competency and by social engineering. Social engineering is simply making the people fool. (J) Virus Dissemination: A computer virus is a program that can ‘infect’ other legitimate programs by modifying them to include a possibly ‘evolved’ copy of it. Viruses can spread themselves, without the knowledge or permission of the users, to potentially large numbers of programs on many machines. A computer virus passes from computer to computer like a biological virus passes from person to person. Cyber Crime can be divided into three different categories on the basis of reason behind it. They are: (A) Cyber Crime for Financial Gain: Money is the most common motive behind all crime. The same is also true for cyber crime. Globally it is being observed that more and more cyber crimes are being committed for financial motives rather than for "revenge" or for "fun". With the tremendous increase in the use of internet and mobile banking, online share trading, dematerialization of shares and securities, this trend is likely to increase unabated. Financial crimes include cyber cheating, credit card frauds, money laundering, hacking, accounting scams etc., into bank servers, computer manipulation5. Illegal activities like shelling of illegal material like prohibited drugs, pornographic contend, sex rackets are some time operated by using web space, social networks. (B) Cyber Crime for Revenge: Revenge is an important motivator behind cyber crime. The crime can be done against Person, Company or Country. Victims generally face losses in term of financial or public image.

5 cyberlawconsulting.com


Hactivists launch politically motivated attacks on public web pages or e-mail servers. The hacking groups and individuals, or Hacktivists, overload e-mail servers by sending massive amounts of e-mail to one address and hack into web sites to send a political message. Employees that steal confidential information and trade secrets account for thirty-five percent of the theft of proprietary information.6 In fact, data suggests that serious economic losses linked to computer abuse have been and continue to be attributed to current and former employees of the victimized organization rather than to outside hackers with modems.7 (C) Recreational Cyber Crime: “Recreational hackers” break into computer networks for the thrill of the challenge or for bragging rights in the hacking community.8 While hacking once required a fair amount of skill or computer knowledge, the recreational hacker today can now download attack scripts and protocols from the Internet and launch them against victim sites with little knowledge of the systems they are attacking.9 There are countless web sites on the Internet that provide “newbies” (inexperienced hackers, or “wannabes”) with detailed instructions on hacking techniques and downloadable, do-it-yourself hacking tools.10 Cyber crimes, Economic offences and Online banking Money is the most common motive behind all crime. The same is also true for cyber crime. In terms of financial value it is as big as illegal drugs trade. In 2011 USD $388 Billion lost due to Cyber Crime. For India Cash Costs of it is $4 bn and Time Costs, $3.6 bn11

In 2011 USD $388

Billion12 Lost

Victims Valued

the Time they lost to Cyber Crime

$274 bn

AS BIG A CRIME AS...

$288bn

The illegal trade in Marijuana, Cocaine & Heroin

BETTER WAYS TO SPEND $388BN…

100

TIMES MORE CARE FOR KIDS - The 2011 bill for cybercrime is more than 100 times the global annual expenditure of UNICEF ($3.65bn)14

90 YEARS FIGHTING MALARIA would plug the annual funding gap to fight malaria for the next 90

6 David Noack, Employees, Not Hackers, Greatest Computer Threat 7 Richard C. Hollinger & Lonn Lanza-Kaduce, The Process of Criminalizaton: The Case of Computer Crime Laws 8 See Cyberattack Investigation, supra note 26. 9 See Internet Security Systems, <http://www.iss.net/customer_care/resource_center/whitepapers> 10 Hackers learn hacking techniques from a variety of sources, hacking web sites such as <http://www.flashback.se> and <http://www.lopht.com/>; as well as hacking search engines, such as <http://astalavista.box.sk/>. 11 Norton cybercrime report 2011 12 Norton cybercrime report 2011


The direct cash costs of cyber

crime – (money stolen)

$114bn

$411bn The entire illegal drugs trade13

years15

38 YEARS DOUBLING EDUCATION - $10bn a year would be enough to double university education in sub-Saharan Africa16

Major parts of Cyber Crime motivated by Financial Gain are related to internet banking. Banks have traditionally been in the forefront of harnessing technology to improve their products, services and efficiency. They have, over a long time, been using electronic and telecommunication networks for delivering a wide range of value added products and services. The delivery channels include direct dial - up connections, private networks; public networks etc and the devices include telephone, Personal Computers including the Automated Teller Machines, etc. With the popularity of PCs, easy access to Internet and World Wide Web (WWW), Internet is increasingly used by banks as a channel for receiving instructions and delivering their products and services to their customers. This form of banking is generally referred to as Internet Banking, although the range of products and services offered by different banks vary widely both in their content and sophistication. Broadly, the levels of banking services offered through INTERNET can be categorized in to three types: (i) The Basic Level Service is the banks' websites which disseminate information on different products and services offered to customers and members of public in general. It may receive and reply to customers' queries through e-mail, (ii) In the next level are Simple Transactional Websites which allow customers to submit their instructions, applications for different services, queries on their account balances, etc, but do not permit any fund-based transactions on their accounts, (iii) The third level of Internet banking services are offered by Fully Transactional Websites which allow the customers to operate on their accounts for transfer of funds, payment of different bills, subscribing to other products of the bank and to transact purchase and sale of securities, etc. The above forms of Internet banking services are offered by traditional banks, as an additional method of serving the customer or by new banks, who deliver banking services primarily through Internet or other electronic delivery channels as the value added services. Some of these banks are known as `virtual' banks or `Internet only' banks and may not have any physical presence in a country despite offering different banking services. From the perspective of banking products and services being offered through Internet, Internet banking is nothing more than traditional banking services delivered through an electronic communication backbone, viz, Internet. But, in the process it has thrown open issues which

14 http://www.unicef.org Annual report of the Executive Director, Apr 2011 13 Source: www.havocscope.com 15 http://www.rollbackmalaria.org/keyfacts.html 16 http://www.arp.harvard.edu/AfricaHigherEducation/Economics2.html


have ramifications beyond what a new delivery channel would normally envisage and, hence, has compelled regulators world over to take note of this emerging channel. Some of the distinctive features of i-banking/ online banking are: (i) It removes the traditional geographical barriers as it could reach out to customers of different countries / legal jurisdiction. This has raised the question of jurisdiction of law / supervisory system to which such transactions should be subjected, (ii) It has added a new dimension to different kinds of risks traditionally associated with banking, heightening some of them and throwing new risk control challenges, (iii) Security of banking transactions, validity of electronic contract, customers' privacy, etc., which have all along been concerns of both bankers and supervisors have assumed different dimensions given that Internet is a public domain, not subject to control by any single authority or group of users, (iv) It poses a strategic risk of loss of business to those banks who do not respond in time, to this new technology, being the efficient and cost effective delivery mechanism of banking services, (v) A new form of competition has emerged both from the existing players and new players of the market who are not strictly banks. The Regulatory and Supervisory concerns in i-banking arise mainly out of the distinctive features outlined above. These concerns can be broadly addressed under three broad categories, viz, (i) Legal and regulatory issues: Legal issues cover those relating to the jurisdiction of law, validity of electronic contract including the question of repudiation, gaps in the legal / regulatory environment for electronic commerce. On the question of jurisdiction the issue is whether to apply the law of the area where access to Internet has been made or where the transaction has finally taken place. Allied to this is the question where the income has been generated and who should tax such income. There are still no definite answers to these issues. (ii) Security and technology issues: Security of i-banking transactions is one of the most important areas of concerns to the regulators. Security issues include questions of adopting internationally accepted state of-the art minimum technology standards for access control, encryption / decryption (minimum key length etc), firewalls, verification of digital signature, Public Key Infrastructure (PKI) etc. The regulator is equally concerned about the security policy for the banking industry, security awareness and education. (iii) Supervisory and operational issues: The supervisory and operational issues include risk control measures, advance warning system, Information technology audit and re-engineering of operational procedures. The regulator would also be concerned with whether the nature of products and services offered are within the regulatory framework and whether the transactions do not camouflage money-laundering operations. A major driving force behind the rapid spread of i-banking all over the world is its acceptance as an extremely cost effective delivery channel of banking services as compared to other existing


channels. However, Internet is not an unmixed blessing to the banking sector. However, Internet is not an unmixed blessing to the banking sector. Along with reduction in cost of transactions, it has also brought about a new orientation to risks and even new forms of risks to which banks conducting i-banking expose themselves. In the following paragraphs a generic set of risks are discussed. (i) Operational risk: Operational risk, also referred to as transactional risk is the most common form of risk associated with i-banking. It takes the form of inaccurate processing of transactions, non enforceability of contracts, compromises in data integrity, data privacy and confidentiality, unauthorized access / intrusion to bank's systems and transactions etc. Such risks can arise out of weaknesses in design, implementation and monitoring of banks' information system. Besides inadequacies in technology, human factors like negligence by customers and employees, fraudulent activity of employees and crackers / hackers etc. can become potential source of operational risk. (ii) Security risk: Security risk arises on account of unauthorized access to a bank's critical information stores like accounting system, risk management system, portfolio management system, etc. A breach of security could result in direct financial loss to the bank. For example, hackers operating via the Internet could access, retrieve and use confidential customer information and also can implant virus. This may result in loss of data, theft of or tampering with customer information, disabling of a significant portion of bank's internal computer system thus denying service, cost of repairing these etc. Other related risks are loss of reputation, infringing customers' privacy and its legal implications etc. (iii) Reputational risk: Reputational risk is the risk of getting significant negative public opinion, which may result in a critical loss of funding or customers. Such risks arise from actions which cause major loss of the public confidence in the banks' ability to perform critical functions or impair bank-customer relationship. The main reasons for this risk may be system or product not working to the expectations of the customers, significant system deficiencies, significant security breach (both due to internal and external attack), inadequate information to customers about product use and problem resolution procedures, significant problems with communication networks that impair customers' access to their funds or account information especially if there are no alternative means of account access. Such situation may cause customer-discontinuing use of product or the service. (iv) Legal risk: Legal risk arises from violation of, or non-conformance with laws, rules, regulations, or prescribed practices, or when the legal rights and obligations of parties to a transaction are not well established. Given the relatively new nature of Internet banking, rights and obligations in some cases are uncertain and applicability of laws and rules is uncertain or ambiguous, thus causing legal risk. (v) Money laundering risk: As Internet banking transactions are conducted remotely banks may find it difficult to apply traditional method for detecting and preventing undesirable criminal activities. Application of money laundering rules may also be inappropriate for some forms of electronic payments. Thus banks expose themselves to the money laundering risk. This may result in legal sanctions for non-compliance with "know your customer" laws.


(vi) Cross border risks: Internet banking is based on technology that, by its very nature, is designed to extend the geographic reach of banks and customers. Such market expansion can extend beyond national borders. This causes various risks. It includes legal and regulatory risks, as there may be uncertainty about legal requirements in some countries and jurisdiction ambiguities with respect to the responsibilities of different national authorities. (vii) Strategic Risk: This risk is associated with the introduction of a new product or service. Degree of this risk depends upon how well the institution has addressed the various issues related to development of a business plan, availability of sufficient resources to support this plan, credibility of the vendor (if outsourced) and level of the technology used in comparison to the available technology etc. (viii) Other risks: Traditional banking risks such as credit risk, liquidity risk, interest rate risk and market risk are also present in Internet banking.

a) Credit risk is the risk that a counter party will not settle an obligation for full value, either when due or at any time thereafter. Banks may not be able to properly evaluate the credit worthiness of the customer while extending credit through remote banking procedures, which could enhance the credit risk. b) Liquidity Risk arises out of a bank's inability to meet its obligations when they become due without incurring unacceptable losses, even though the bank may ultimately be able to meet its obligations.

Some Common types of cyber crime discussed below:

Cyber Crime Related to Automated Teller Machine: An automated teller machine or automatic teller machine (ATM), also known as an automated banking machine (ABM) in Canada, and a Cash point (which is a trademark of Lloyds TSB), cash machine or sometimes a hole in the wall in British English, is a computerized telecommunications device that provides the clients of a financial institution with access to financial transactions in a public space without the need for a cashier, human clerk or bank teller. ATMs are known by various other names including ATM machine, automated banking machine, and various regional variants derived from trademarks on ATM systems held by particular banks. The total number of ATMs under the National Financial Switch (NFS) now stands at 75,178. SBI and associate banks own the largest number of ATMs at 25,060 followed by Axis Bank (6,270), ICICI Bank (6,104), HDFC Bank (5,471) and Punjab National Bank (5,050).Nearly 19,000 ATMs were added last fiscal to the National Financial Switch.17 Due to rapid increase in number and use Cyber Crime related to it also increased. Some of the popular techniques used to carry out ATM crime are: I. The Lebanese Loop: Many thieves are using external devices to confiscate your card. In this scam, a blocking device (which can be as simple as some film glued to trap ATM cards), is

17 Economic Times (Apr 8, 2011)


inserted into the card slot of the ATM machine. Unwittingly, you place your card into the machine and enter your PIN. All the while, someone nearby may be watching you enter your PIN number. II. Card Skimming: Skimmers are devices added to ATM machines to capture your card's information, including your account number, balance, and PIN number. These devices often mounted alongside a machine and labeled 'card cleaners,' are difficult to notice unless you're looking for them. III. Shoulder Surfing, Fake PIN Pads, and Even Fake Machines: Another way to glean your ATM PIN number is for thieves to mount a wireless video camera inside the ATM area. It can look as harmless as a brochure holder. Once the scammers have your number, magnetic strips are easy to make and thieves are able to easily reproduce ATM cards. IV. Cash Trapping: Similar to the Lebanese Loop where a thin sleeve traps your card, this time your cash is trapped by a sleeve or device slipped inside the cash dispenser. Your transaction will operate normally, but you won't receive the cash you've withdrawn. V. Phishing: We mentioned above how easy it is for thieves to replicate ATM cards. All they need is a magnetic strip and a plastic card. Armed with an ATM card, all a would-be thief needs is a PIN number. Some email phishing scams have been designed to find out just that. Representing your bank, a scammer can send you an email with a notice on it saying something about incomplete account information or that you need to update your account information. You click on the link and follow the directions but you're not at your bank, you're at a site designed to look like your bank by thieves. They collect your information and are free to replicate your ATM card or simply withdraw your money from your account via online banking.

Three persons were arrested today for allegedly conning people and stealing money from their bank accounts through an ATM kiosk. Police said the trio used to stand in the ATM queue and target customers who looked old and not accustomed to using debit cards. Though their modus operandi is not clear yet, police suspect the three used to shout and make new ATM card users nervous and then trick them into leaving the ATM kiosk hurriedly without cancelling their transaction. In the old ATM machines, it generally takes at least 30 seconds for a transaction to end. “The failure of the card user to press the ‘cancel’ button before leaving the ATM kiosk acted as a boon for the fraudsters. Interrogations are on to find out exactly how the three took out the money from others’ accounts,” superintendent of police (SP) Kim said.

The trio were arrested outside an ATM kiosk of State Bank of India at the Sichai Bhawan building on Bailey Road under Sachivalaya police station. 18

18 The Telegraph (January 8 , 2012)


Another instance of fraudulent withdrawal of money from an ATM was reported on Sunday when Dr Sangeeta Arora, a professor in the Department of Statistics at Panjab University learnt in the morning that Rs 80,000 has been withdrawn from her bank account without her knowledge.19

Credit Card Fraud: Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, that crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row.

In yet another case of international bank cards fraud, customers at a petrol pump in the city of Leicester last week found that their card details were used to withdraw money from various places across the world, including India. 20

19 THE INDIAN EXPRESS (Mon Aug 23 2010) 20 The Indian Express (London, Thu May 14 2009)


There are several ways of this type of cyber crime, like: I. Stolen cards: When a credit card is lost or stolen, it remains usable until the holder notifies the issuer that the card is lost. II. Compromised accounts: Card account information is stored in a number of formats. Account numbers – formally the Primary Account Number (PAN) – are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine readable format. Fields can vary, but the most common include: Name of card holder, Account number, Expiration date, Verification/CVV code III. Card not present transaction: The mail and the Internet are major routes for fraud against merchants who sell and ship products, and affects legitimate mail-order and Internet merchants. If the card is not physically present (called CNP, card not present) the merchant must rely on the holder (or someone purporting to be so) presenting the information indirectly, whether by mail, telephone or over the Internet. While there are safeguards to this,21 it is still more risky than presenting in person, and indeed card issuers tend to charge a greater transaction rate for CNP, because of the greater risk.

i. Identity theft: Identity theft can be divided into two broad categories: Application fraud and account takeover. Application fraud: Application fraud happens when a criminal uses stolen or fake

documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Or they may create counterfeit documents. Account takeover: Account takeover happens when a criminal tries to take over another

person's account, first by gathering information about the intended victim, and then contacting their card issuer while impersonating the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent.

ii. Skimming: Skimming is the theft of credit card information used in an otherwise legitimate transaction. The thief can procure a victim's credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view.22 The thief may also use a small keypad to unobtrusively transcribe the 3 or 4 digits Card Security Code which is not present on the magnetic strip. Call centers are another area where skimming can easily occur.23 Skimming can also occur at merchants such as gas stations when a third-party card-reading device is installed either out-side or inside a fuel dispenser or other card-swiping terminal. This device allows a

21 Adsit, Dennis (February 21, 2011). "Error-proofing strategies for managing call center fraud" 22 Inside Job/Restaurant card skimming. Journal Register 23 "Overseas credit card scam exposed". bbc.co.uk.com. March 19, 2009


thief to capture a customer’s cred-it and debit card information, including their PIN, with each card swipe.24

iii. Carding: Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing.

iv. BIN attack: Credit cards are produced in BIN ranges. Where an issuer does not use random generation of the card number, it is possible for an attacker to obtain one good card number and generate valid card numbers by changing the last four numbers using a generator. The expiry date of these cards would most likely be the same as the good card.

Money laundering and cyber crime:

Money laundering is going to be another future thrust area. The impact of this illegal activity on the economy of the country is profound. If the economy of the country is to move to a higher growth path, strong curbs on hawala operations and money laundering will become essential.25 The emergence of electronic money and global systems of electronic payments formed a parallel banking system. It has the entire network of semi-legal financial institutions. The unique opportunities of quickly shaped infrastructure drew attention of criminal groups at once. It allowed anyone to rapidly transfer monetary fund’s to any country, anonymously, through tangled routes. Heretofore, electronic transfers interested criminals as the efficient tool to conceal sources of money intakes, to launder illegally earned money and to conceal their incomes to evade taxes. Here's one of the criminal schemes of payment operations. There operations can be hardly tracked by law enforcement: upon receipt of merchandise, let's say drugs, the buyer electronically transfers money to the credit card of the supplier. The last at one stroke transfers this money through the system of electronic payments to his bank account in the country with Strong bank secrecy laws. Then the supplier can simply transfer his money to the card account in parts and can easily use this money. In Russia, one of the registered forms of computer crimes purposing to evade taxes is the use of computers to interfere with pool memory of electronic cashier registers installed at shops. As a result of such interference, the registry of payments is modified or deleted. It allows hiding real incomes from tax administrations.26 Money laundering is normally accomplished by using a three-stage process. The three steps involved are Placement, Layering and Integration. E-money and cyber payment systems come in handy in all the three stages of the process.

24 NACS Magazine | Skimmming 25 Cyber crimes, CBI (crime) manual 2005 26 http://www.crime-research.org


Online Frauds:

It includes Phishing attacks, Lottery Scams, Tax Rebate Scam etc. Basic aim of such attack is to make victims fool so that they discloses their vital information including passwords, or to compel them to pay some amount by showing false greater opportunity.

Tax Rebate Scam

“CLICK HERE” opened the Phishing web page of sbi online: the attached link on that page directs to a phishing site http://forum-numismatica.com/develop/sbi/login.php27 which has an interface same to https://www.onlinesbi.com/. Simple Awareness can prevent it

27 Currently the link has been removed


Email Scam.

Online

Preventive Measures:

In order to make the modernist way of business stable, secure and sustainable prevention of Cybercrime is essential. Awareness among users, necessary continues development in security systems, Legal and administrative measures are important in order to prevent Cyber Crime.

Awareness initiatives among users: A large number of cybercrime happens due to ignorance or lack of awareness of users. Attackers make their victim fool and get password and other necessary details. Those things can easily be prevented by making the user aware, like: • Following appropriate security steps when using ATM, like entering personal identity number (PIN) in private, pressing clear buttons when leaving ATM, don’t taking help from any strangers. • Remain aware about payment gateway address or web addresses when doing online transactions or entering important personal information. • Using updated antivirus in PC or laptop. etc Government, financial organizations or companies using online system should take responsibility to make their user aware regarding cyber crime and its preventive measures.


Legal Issues involved

Government of India has enacted The Information Technology Act, 2000, in order to provide legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as 'electronic commerce'...The Act, which has also drawn upon the Model Law, came into force with effect from October 17, 2000. The Act has also amended certain provisions of the Indian Penal Code, the Indian Evidence Act, 1872, The Bankers Book of Evidence Act, 1891 and Reserve Bank of India Act 1934 in order to facilitate e- commerce in India. Some important Provisions of Information technology Act 2000 • Section 44 - Penalty for failure to furnish information, return, etc. - If any person who is required under the Act or any rules or regulations made there under. • Section 45 (Residuary penalty) further covers all other offences that may possibly arise under the act. • Section 46 (Power to adjudicate - Adjudicating Officer) • Section 47 prescribes the factors to be taken into account by the adjudicating officer while adjudging the quantum of compensation • Section 65 - Tampering with computer source documents - Tampering with computer source documents was discussed in Syed Asifuddin and Ors. v. The State of Andhra Pradesh and Anr., 2005 Cri L J 4314, Jigar Mayurbhai Shah v. State of Gujarat, (2008)2GLR1134, Pootholi Damodaran Nair v. Babu, 2005(2)KLT707, and Ravi Shankar Srivastava v. State of Rajasthan, 2005(2)WLC612.28 • Section 66 (Computer related offences)- This Section deals with hacking the Computer The case of Nirav Navinbhai Shah v. State of Gujarat and Anr., MANU/GI/8458/2006 involved Section 66. • Section 67 - Punishment for publishing or transmitting obscene material in electronic form : This Section was in question in Dr. Prakash v. State of Tamil Nadu and Ors., AIR 2002 SC 3533, Fatima Riswana v. State Rep. by A.C.P., Chennai and Ors., (2005) 1 SCC 582, Assistant Commissioner of Police, Crime Record Bureau, Inspector of Police v. Saravanan and others, MANU/TN/1776/2003, Avnish Bajaj v. State (N.C.T.) of Delhi, (2005) 3 Comp L J 364(Del), M.Saravanan v. State of Tamilnadu, MANU/TN/8296/2006, and Maqbool Fida Husain v. Raj Kumar Pandey, MANU/DE/0757/2008 • Sections 76, 68(2), 69 and 70 have been amended by the Information Technology Amendment Act 2008, Also See Firos v. State of Kerala, AIR 2006 Ker 279. • Section 71 (Penalty for misrepresentation) This Section prescribes a penalty for any misrepresentation or suppression of any material fact • Section 72 (Penalty for breach of confidentiality and privacy) • Section 73 (Penalty for publishing (Electronic Signature) Certificate false in certain particulars) Section 74 (Publication for fraudulent purpose). Such unlawful purpose shall be punished with imprisonment for a term which may extend to two years, or with fine which may extend to one lakh rupees, or with both. • Section 75 (Act to apply for offences or contravention committed outside India). • Section 77 (Compensation, penalties or confiscation not to interfere with other punishment). Section 79 (Exemption from liability of intermediary in certain cases)- This issue

28 http://www.indiankanoon.org


was also discussed in the case of Sanjay Kumar Kedia v. Narcotics Control Bureau and Anr., (2008)2 SCC 294. • The Amendments brought about by the Information technology Act in the Indian Penal Code, 1860 and the Indian Evidence Act, 1872 came up for consideration in State of Punjab and Ors. v. Amritsar Beverages Ltd. and Ors, (2006) (7) SCC 7, In Re: Sr. Abaya 2006 Cri.L.J. 3843, SICOM Ltd v. Harjindersingh and Ors., AIR 2004 Bom 337, Vishal Paper Tech India Ltd. and Ors. v. State of A.P. and Anr., 2005Cri L J 1838, Sri. P. Padmanabh v. Syndicate Bank Limited, AIR 2008 Kant 42, Steel Tubes of India v. Steel Authority of India, 2006 Cri L J 1988, V.K. Soman Achari v.: Sabu Jacob and Anr., 2007 Cri L J 1042, Indira Priyadarshini Forum v. State of Kerala, 2001 Cri L J 2652, etc.29 Some important sections of information Technology Amendment Act 2008 and Indian Penal Code dealing with Cyber Crime are given in a table.

Cyber Crime ITAA2008 Act Section's IPC Section's

Email spoofing 66D 416,417,463,465,419

Hacking 66 ,43 378,379,405,406

Web-jacking 65 383

Online sale of narcotics - NDPS Act

Virus attacks 43, 66 -

Logic bombs 43, 66 -

Salami attacks 66 -

Denial of Service attacks 43 -

Email bombing 66 -

Pornography & Child Pornography

67 , 67B 292,293,294

Online sale of weapons - Arms Act

Bogus websites, cyber frauds

- 420

Forgery of electronic records

- 463, 465, 470, 471

Sending defamatory messages by email

66A 499, 500

29 Detection of Cyber Crime and Investigation by Justice K.N.BASHA, Judge, Madras High Court


Sending threatening messages by email

66A 503, 506

Financial Crime - 415,384,506,511

Cyber Terrorism 66F 153A, UAPA 15-22

Identity Theft 66C 417A, 419A

Website Defacement 65 463,464,468,469

Data Diddling 65, 43 -

Administrative Measures:

Law is enforced by administration, so proper administrative instruments are essential in order to prevent Cyber Crimes, online banking crimes. Police departments, investigation agencies should have proper infrastructures and Cyber Crime Investigation Cell to deal with cyber crime. Cyber Crime Investigation Cell should be well equipped by technology and human resource. Some important Cyber Crime Investigation Cells are Cyber Crime Investigation Cell of CBI30, Cyber Crime Police Station, Bangalore31, Cyber Crime Investigation Cell, Mumbai32, Cyber Crime Cell, CID, West Bengal33 etc.

Technological Measures:

Cyber crime is highly technological in neature so technological measures are very essential. Some Technological measures are:

a) Physical security: Physical security is most sensitive component, as prevention from cyber crime Computer network should be protected from the access of unauthorized persons.

b) Access Control34: Access Control system is generally implemented using firewalls,

which provide a centralized point from which to permit or allow access. Firewalls allow only authorized communications between the internal and external network.

c) Password: Proof of identity is an essential component to identify intruder.

d) Finding the hole in Network: System managers should track down the holes before the

intruders do.

e) Using Network Scanning Programs: There is a security administration’s tool called UNIX, which is freely available on Internet.

30 cbi.nic.in/ 31 http://www.cyberpolicebangalore.nic.in/ 32 http://cybercellmumbai.gov.in 33 http://cidwestbengal.gov.in/special-units-cyber-crime-cell.php 34 http://norton.com


f) Using Intrusion Alert Programs: As it is important to identify and close existing security holes, you also need to put some watchdogs into service.

g) Using Encryption35: Encryption is able to transform data into a form that makes it almost impossible to read it without the right key. This key is used to allow controlled access to the information to selected people.

Recommendations Keeping in view the terms of reference, the Group has made a number of recommendations in preceding chapters. A summary of these recommendations is given below. Technology and Security Standards: The role of the network and database administrator is pivotal in securing the information system of any organization. Some of the important functions of the administrator via-a-vis system security are to ensure that only the latest versions of the licensed software with latest patches are installed in the system. Several steps like, Access Control, Firewalls, Isolation of Dial Up Services, Security Infrastructure Development, Isolation of Application Servers, Security Log (audit Trail), Penetration Testing, Physical Access Controls, Back up & Recovery, Monitoring against threats, Education & Review, Log of Messages, Certified Products, Maintenance of Infrastructure, should be taken to make the system secure. Legal Issues Section 40A(3) of the Income Tax Act, 1961 recognizes only payments through a crossed cheque or crossed bank draft, where such payment exceeds Rs. 20000/-, such transfers through internet banking should also be recognized under the above provision. The Income Tax Act, 1961 should be amended suitably. In Internet banking scenario there is very little scope for the banks to act on stop- payment instructions from the customers. Hence, banks should clearly notify to the customers the timeframe and the circumstances in which any stop-payment instructions could be accepted. Even though, The Information Technology Act, 2000 has provided for penalty for denial of access to a computer system (Section-43) and hacking (Section - 66), the liability of banks in such situations is not clear. The banks providing Internet banking may assess the risk and insure themselves against such risks. The Information Technology Act, 2000, in Section 72 has provided for penalty for breach of privacy and confidentiality. Further, Section 79 of the Act has also provided for exclusion of liability of a network service provider for data traveling through their network subject to certain conditions. Thus, the liability of banks for breach of privacy when data is traveling through network is not clear. This aspect needs detailed legal examination. Consumer Awareness Initiatives: Most of the cases of Cyber Crime happen due to ignorance or lack of awareness. In most of the cases the victim become fool and discloses their details, like Phishing attacks, ATM Frauds can

35 http://norton.com


easily prevented if the user become aware. Banking organizations should take awareness initiatives to make their consumer aware regarding cyber crime.

Conclusion:

Capacity of human mind is unfathomable. It is not possible to eliminate cyber crime from the cyber space. It is quite possible to check them. Online Banking is gaining importance day by day as its easy, quick and cost effective. Involvement of monetary transactions attracts criminal activity, i.e. Cyber Crime. Special preventive measures are required in order to check those crimes by legislative measure, administrative measures, technological development and awareness among its users. Proper preventive measures will make the platform of modern business safe and secure and it will have a great impact in development of our civilization.

Date post:	15-Jul-2015
Category:	Law
Upload:	rupak-ghosh
View:	84 times
Download:	1 times