BANKS
S
UNIVERSITY OF MUMBAI
PROJECT ON:
CYBER CRIME IN BANKING SECTOR
CYBER SUBMITTED BY
CRIMES
PRAJNA VASU POOJARY
PROJECT GUIDE
Prof. Ms. RINKY
SEMESTER V
(2010-11)
KALYAN (WEST)
Declaration
I student of B&I Semester V (2010-11) hereby declare that I have
completed this project on
knowledge.
Stud
ent’s Signature
Name of
Student
CERTIFICATE
This is to certify that Ms.________________________ Of TYB&I has
successfully completed the project on
__________________________
___________
Project Guide
Principal
Course Co-ordinator
External Examiner
ACKNOWLEDGEMENT
This is to express my earnest gratitude and extreme joy at being bestowed with an
opportunity to get an opportunity to get an interesting and informative project on
“CYBER CRIME IN BANKING SECTOR”. I would like to thank all the people
who have helped me in completion of project, I would avail this opportunity to express
my profound gratitude and indebtness to all those people.
I am extremely grateful to my project guide Prof. Ms. RINKY who has given
an opportunity to work on such an interesting project. She proved to be a constant source
of inspiration to me and provided constructive comments on how to make this report
better. Credit also goes to my friends whose constant encouragement kept me in good
stead.
Lastly without fail I would thank all my faculties for providing all
explicit and implicit support to me during the course of my project
EXCECUTIVE SUMMARY
Cyber crimes are any illegal activities committed using computer target of
the criminal activity can be either a computer, network operations. Cyber crimes
are genus of crimes, which use computers and networks for criminal activities.
The difference between traditional crimes and cyber crimes is the cyber crimes
can be transnational in nature. Cyber crime is a crime that is committed online in
many areas using e-commerce. A computer can be the target of an offence when
unauthorized access of computer network occurs and on other hand it affects E-
COMMERCE. Cyber crimes can be of various types such as
Telecommunications Piracy, Electronic Money Laundering and Tax Evasion,
Sales and Investment Fraud, Electronic Funds Transfer Fraud and so on…
Internet commerce has grown exponentially during the past few years and
is still growing. But unfortunately the growth is not on the expected lines because
the credit card fraud which has become common has retarded the e-commerce
growth. Credit card fraud has become regular on internet which not only affects
card holders but also online merchants. Credit card fraud can be done by taking
over the account, skimming or if the card is stolen. Certain preventive measures
can be taken to becoming a credit card victim.
The term "Internet fraud" refers generally to any type of fraud scheme that
uses one or more components of the Internet - such as chat rooms, e-mail,
message boards, or Web sites - to present fraudulent solicitations to prospective
victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to
financial institutions or to other connected with the scheme.
INTRODUCTION
The usage of internet services in India is growing rapidly. It has
given rise to new opportunities in every field we can think of – be it
entertainment, business, sports or education.
There are many pros and cons of some new types of technology
which are been invented or discovered. Similarly the new & profound technology
i.e. using of INTERNET Service, has also got some pros & cons. These cons are
named CYBER CRIME, the major disadvantages, illegal activity committed on
the internet by certain individuals because of certain loop-holes. The internet,
along with its advantages, has also exposed us to security risks that come with
connecting to a large network. Computers today are being misused for illegal
activities like e- mail espionage, credit card fraud, spams, and software piracy
and so on, which invade our privacy and offend our senses. Criminal activities in
the cyberspace are on the rise.
CYBER
CRIMES
AGAINST
AGAINST AGAINST
ORGANISATIO
INDIVIDUAL GOVERNMENT
N
AGAINST INDIVIDUALS
VIRUS
ATTACK
CYBER
STALKING HARASSMENT
AGAINST
INDIVIDUAL
DEFAMATION
THEFT
EMAIL
SPOOFING
AGAINST ORGANISATION
UNAUTHORISED
CONTROL ON
SYSTEM
UNAUTHORISED
PIRATED
INFORMATION AGAINST SOFWARE
POSSESED ORGANISATION
DISTRIBUTION
CYBER
TERRORISM
AGAINST SOCIETY
PORNOGRAPHY
TRAFIKKING FINANCIAL
CRIMES
AGAINST
SOCIETY
SALE OF
FORGERY ILLEGAL
ARTICLES
ONLINE
GAMBLING
CYBERCRIMES IN INDIA
As India become the fourth highest number of Internet users
in the world, cyber crimes in India has also increased 50 percent in 2007 over the
previous year. According to the Information Technology (IT) Act, the majority of
offenders were under 30 years of age.
CREDIT
MONEY
ATM CARD
LAUNDE SKIMMING PHISHING
FRAUDS FRAUD
RING
INDIAN SCENARIO
In India, where total number of installed ATM’s base is far less than many
developed countries. ATM-related frauds are very less. But they could increase
as more and more ATM’s will penetrate in the country, the bank should create
awareness among customers about the card- related frauds to reduce the
number of frauds in future. In India, Indian Banks Association (IBA) can take lead
to kick started.
The ATM fraud is not the sole problem of banks alone. It is a big threat
and it requires a coordinated and cooperative action on the part of the bank,
customers and the law enforcement machinery. The ATM frauds not only cause
financial loss to banks but they also undermine customers’ confidence in the use
of ATMs. This would deter a greater use of ATM for monetary transactions. It is
therefore in the interest of banks to prevent ATM frauds. There is thus a need to
take precautionary and insurance measures that give greater “protection” to the
ATMs, particularly those located in less secure areas. The nature and the extent
of precautionary measures to be adopted will, however, depend upon the
requirements of the respective banks.
WAYS TO CARD FRAUDS
Some of the popular techniques used to carry out ATM crime are:
1.Through Card Jamming ATM’s card reader is tampered with in order to trap a
customer’s card. Later on the criminal removes the card.
2.Card Skimming, is the illegal way of stealing the card’s security information
from the card’s magnetic stripe.
3.Card Swapping, through this customer’s card is swapped for another card
without the knowledge of cardholder.
4.Website Spoofing, here a new fictitious site is made which looks authentic to
the user and customers are asked to give their card number. PIN and other
information, which are used to reproduce the card for use at an ATM.
5.Physical Attack. ATM machine is physical attacked for removing the cash.
.
STEPS TO USE A CASH MACHINE
1. Give other
users space to
enter their
personal identity
number (PIN) in
private.
3. Do not accept help from "well meaning" strangers and never allow yourself to
be distracted.
4. Stand close to the cash machine and always shield the keypad to avoid
anyone seeing you enter your PIN
People make life very easy for pickpockets if they write down their PIN
and keep it in their purse or wallet. Do not write down your PIN. If you have been
given a number that you find difficult to remember, take your card along to a cash
machine and change the number to one that you will be able to remember
without writing it down.
PREVENTION FOR ATM CARDS
Most ATM frauds happen due to the negligence of customers in using,
and more importantly, negligence of banks in educating their customers about
the matters that should be taken care of while at an ATM. The number of ATM
frauds in India is more in regard to negligence of the Personal Identification
Number (PIN), than by sophisticated crimes like skimming. Banks need to
develop a fraud policy – the policy should be written and distributed to all
employees, borrowers and depositors.
3.Make smart deposits. Some ATMs allow you to directly deposit checks
and cash into your accounts without stuffing envelopes. As for the envelope-
based deposits, make sure they go through – if it gets jammed and it doesn‘t fully
go into the machine, the next person can walk up and take it out. After having
made the ATM deposit, compare your records with the account statements or
online banking records.
ATM Insecurity
Aug 09:
ATM users in India are exposed to a kind of PIN theft risk that has been
brought to focus with an arrest in Kolkata. The risk arises because the machine
(only one type of machines where the users insert the card and withdraw is said
to have this vulnerability) reads the PIN, stores in its cache memory and goes
blank under certain circumstances. The machine can then be released by
inserting a screwdriver but at that time the PIN remains in memory and can be
used to withdraw money from the account of the user whose PIN remained stuck.
This is clearly a vulnerability of the machine and the liability on account of this
vulnerability should fall on the Bank. The Bank in turn should get indemnified by
the supplier of the embedded software that runs the system with this bug.
During the past two decades, IT and Internet technologies have reached
every nook and corner of the world. E-commerce has come into existence due to
the attributes of Internet like ease of use, speed, anonymity and its International
nature. Internet has converted the world into a boundary less market place that
never sleeps. Drug peddlers and organized criminals found a natural and much
sought after ally in Internet. Computer networks and Internet, in particular, permit
transfer of funds electronically between trading partners, businesses and
consumers. This transfer can be done in many ways. They include use of credit
cards, Internet banking, e-cash, e- wallet etc. for example, smart cards like Visa
Cash, Mondex card, whose use is growing can store billions of dollars. At
present, there is an upper limit imposed by the card issuers but technically there
is no limit. In some other forms of computer-based e-money, there is no upper
limit. Mobile banking and mobile commerce are growing and these technologies
have the capability to transfer any amount of money at the touch of a bottom or
click of a mouse. They can be effective tools in the hands of money launderers.
First and foremost, the anonymity offered by internet and cyber payment systems
is being exploited to the hilt by the criminal elements.
As cyber payment systems eliminate the need for face to face interactions,
transfer of funds can be done between two trading partners directly. Two
individuals also can transfer funds directly using e- wallets. This problem is
further compounded by the fact that, in many countries, non-financial institutions
are also permitted to issue e-money. Monitoring the activities of these institutions
in a traditional manner is not possible. Earlier, cross-border transactions were
controlled by the central banks of respective countries. With the entry of Internet
commerce, the jurisdictional technicalities come into play and it is another area
that is being exploited by the money launderers. The capacity to transfer
unlimited amounts of money without having to go through strict checks makes
cyber money laundering an attractive proposition. From the point of view of law
enforcing agencies, all the above advantages cyber payments provide to
consumers and trading partners, turn out to be great disadvantages while
investigating the crimes
1. PLACEMENT
3. INTEGRATION
Integration is the third sub process. This is the stage in which the ‘cleaned’
money is ploughed back. This is achieved by making it appear as legally earned.
This is normally accomplished by the launderers by establishing anonymous
companies in countries where secrecy is guaranteed. Anyone with access to
Internet can start an e-business. This can look and function like any other e-
business as far as the outside world is concerned. This anonymity is what makes
Internet very attractive for the launderers. They can then take loans from these
companies and bring back the money. This way they not only convert their
money this way but also can take advantages associated with loan servicing in
terms of tax relief. Another way can be by placing false export import invoices
and over valuing goods.
The entire process can be explained with the help of an example . The
money launderers first activity is to set up an online commerce company which is
legal. Normally, the launderer sets up the website for his company and accepts
online payments using credit cards for the purchases made from his company’s
website. As a part of the whole scheme, launderers obtain credit cards from
some banks or financial institutions located in countries with lax rules, which are
known as safe havens. The launderer sitting at home, then, ‘makes purchases’
using this credit card from his own website. As in normal transactions, the Web-
based system then sends an invoice to the customer’s (who happens to the
launderer himself) bank, in the safe haven. The bank then pays the money into
the account of the company. Cyber space provides a secure and anonymous
opportunity to the criminals in money laundering operations. It has come to light
that many gangs are opening up the front companies and hiring information
technology specialists for nefarious activities. Incidents have also come to light
where the criminals are using cryptography for hiding their transaction.
EFFECTS ON BANKS
Almost all the banks trade in foreign exchange Money laundering in any
country or economy affects the foreign exchange market directly. The money
laundering reduces the legal volume of the banks business. It also causes
fluctuations in the exchange rate. Further, money laundering can undermine the
credibility of the banking system. Facilitating the activities of launderers even
inadvertently can push the banks into problems with law enforcement agencies
and also governments. In some reported cases, the banks survival has come
under threat. It is not difficult to see what effect it has on the profitability of banks.
OTHER EFFECTS
In one incident, an Indian national in one year handled US 81.5 bn illegal
transactions, before his arrest during 1993. This incident also shows how the
national economy gets affected. A few years before that, the Indian Government
was so short of foreign exchange that it had to pledge gold in the London bank.
One needs not be an economist understand the impact of money laundering on
economies of developing countries. The low regulation by central banks will
become difficult and consequently, there will be rise in inflation. Further, overall
income distribution in an economy is likely to get affected. Money laundering can
help in spread of parallel economy, which will result in loss to national income
due to reduced tax collections and lost jobs. On the social plane, this can result
in increased crime rate, violence in society. There may be attempts to gain
political power either directly or indirectly like Coli Cocoine Cartel’s attempt in
supporting Columbian President, Samper in 1996 elections. Because cyber
money laundering can be done from anywhere in the world without any
jurisdiction, the effects are much severe.
PREVENTION
Because of the nature of Cyber money laundering, no country can
effectively deal with it in isolation. Cyber money laundering has to be dealt with at
organizational [Bank or Financial Institution], national and international levels.
INTERNATIONAL
LEVEL
NATIONAL
LEVEL
ORGANISATIONAL
LEVEL
AT INTERNATIONAL LEVEL
The UN has taken the lead and during 1995 international community
meeting signed a convention known as ‘UN Convention Against Illict Traffic in
Narcotic Drugs and Psychotropic Substances’. Further, this convention made
money laundering a crime and provided a model. During 2000, the UN also
organized another convention against transnational organized crime. As a result
of UN the efforts, the group of seven industrialized nations established ‘Financial
Action Task Force’ (FATF). The biggest source of money laundering funds
comes from drug trade and the volume of money is large. In order to cover this
vast amount of money they need financial services industry. They eye financial
institutions that are in the business of accepting deposits from customers. After
studying this phenomenon, Financial Action Task Force (FATF) had noticed
some critical points in the modus operandi of criminals which are difficult for the
launderers to avoid. They are points of entry of cash into financial system,
transfers to and from financial system and cross-border flows of cash. Paying
attention to these issues can help in controlling cyber laundering to a
considerable extent. According to financial crimes enforcement network of US,
less than 1% money laundered in cyber space is ever detected or criminals
prosecuted. Prevention of money laundering in cyber space is proving to be
really a daunting task. Some of the suggested measures are putting an upper
limit on the amount of payment and frequency of using e-money in peer to peer
transfers. The second is making it mandatory for e- money organization to
identify their clients and also to keep a track of money movement. The third is
ensuring that Internet service providers keep a log of files involving finances for a
number of years. The fourth is making audit compulsory for all electronic
merchants and ensuring that they keep transaction records for a certain period of
time. The fifth is training law enforcement agencies in dealing effectively with this
crime. Last but not the least, is international co-operation and harmonizing the
national cyber and terrestrial laws with international can help in dealing with this
crime effectively.
AT NATIONAL LEVEL
Some countries liken UK have taken proactive steps to control this crime,
which could be cumulated by others. In UK, deposit taking institutions (including
banks) are expected to report suspicious transactions to the law enforcement
authorities. The legal provisions regarding ‘knowing the customer’ brought down
the crime to a great extent. They empowered their customs officials to seize cash
consignments of 10,000 pounds or more. Courts also permit confiscation of cash,
if the investigating authorities have strong evidence that the money has come
from illegal activities of drug trafficking. Issue of electronic money by private
parties is another factor, as in some countries regulation of these people is not
effective. Slowly, different countries are realizing the importance of this issue and
enacting suitable rules aimed at providing transparency in transactions carried
out by these institutions. The most important issues at national level are
establishing legal framework and training law enforcing officials. The major
weapon to combat this crime is controlling financial transactions including e-
transactions, through legislation. Many countries have enacted some stringent
laws to control this crime. UK, US have stringent laws in dealing with Cyber
money laundering. Many other countries are following suit. The Council of
Europe has passed Criminal Justice Act. Hong Kong has passed similar laws.
The single most important issue is harmonizing the terrestrial laws with cyber
laws.
From the 18th century until the early part of the 20th, tallymen sold clothes
in return for small weekly payments. They were called "tallymen" because they
kept a record or tally of what people had bought on a wooden stick. One side of
the stick was marked with notches to represent the amount of debt and the other
side was a record of payments. In the 1920s, a shopper's plate - a "buy now, pay
later" system - was introduced in the USA. It could only be used in the shops
which issued it.
In 1950, Diners Club and American Express launched their charge cards
in the USA, the first "plastic money". In 1951, Diners Club issued the first
credit card to 200 customers who could use it at 27 restaurants in New York.
But it was only until the establishment of standards for the magnetic strip in 1970
that the credit card became part of the information age. The first use of magnetic
stripes on cards was in the early 1960's, when the London Transit Authority
installed a magnetic stripe system. San Francisco Bay Area Rapid Transit
installed a paper based ticket the same size as the credit cards in the late 1960's.
The word credit comes from Latin, meaning “TRUST”
MEANING
Credit card fraud is a wide-ranging term for theft and fraud committed
using a credit card or any similar payment mechanism as a fraudulent source of
funds in a transaction. The purpose may be to obtain goods without paying, or to
obtain unauthorized funds from an account. Credit card fraud is also an adjunct
to identity theft. According to the Federal Trade Commission, while identity theft
had been holding steady for the last few years, it saw a 21 percent increase in
2008. However, credit card fraud, that crime which most people associate with ID
theft, decreased as a percentage of all ID theft complaints for the sixth year in a
row.
The cost of credit card fraud reaches into billions of dollars annually. In
2006, fraud in the United Kingdom alone was estimated at £535 million, or
US$750-830 million at prevailing 2006 exchange rates.
The fraud begins with either the theft of the physical card or the
compromise of data associated with the account, including the card account
number or other information that would routinely and necessarily be available to
a merchant during a legitimate transaction. The compromise can occur by many
common routes and can usually be conducted without tipping off the card holder,
the merchant or the bank, at least until the account is ultimately used for fraud. A
simple example is that of a store clerk copying sales receipts for later use. The
rapid growth of credit card use on the Internet has made database security
lapses particularly costly; in some cases, millions of accounts have been
compromised.
IF CARD IS STOLEN
When a credit card is lost or stolen, it remains usable until the holder notifies
the bank that the card is lost; most banks have toll-free telephone numbers
with 24-hour support to encourage prompt reporting. Still, it is possible for a
thief to make unauthorized purchases on that card up until the card is
cancelled. In the absence of other security measures, a thief could potentially
purchase thousands of dollars in merchandise or services before the card
holder or the bank realize that the card is in the wrong hands.
In the United States, federal law limits the liability of card holders to $50 in
the event of theft, regardless of the amount charged on the card; in practice,
many banks will waive even this small payment and simply remove the fraudulent
charges from the customer's account if the customer signs an affidavit confirming
that the charges are indeed fraudulent. Other countries generally have similar
laws aimed at protecting consumers from physical theft of the card.
Compromised Accounts
• Account number
• Expiration date
• Verification
Many Web sites have been compromised in the past and theft of credit
card data is a major concern for banks. Data obtained in a theft, like addresses
or phone numbers, can be highly useful to a thief as additional card holder
verification.
The mail and the Internet are major routes for fraud against merchants
who sell and ship products, as well Internet merchants who provide online
services. The industry term for catalog order and similar transactions is "Card Not
Present" (CNP), meaning that the card is not physically available for the
merchant to inspect. The merchant must rely on the holder (or someone
purporting to be the holder) to present the information on the card by indirect
means, whether by mail, telephone or over the Internet when the cardholder is
not present at the point of sale.
It is difficult for a merchant to verify that the actual card holder is indeed
authorizing the purchase. Shipping companies can guarantee delivery to a
location, but they are not required to check identification and they are usually are
not involved in processing payments for the merchandise. A common preventive
measure for merchants is to allow shipment only to an address approved by the
cardholder, and merchant banking systems offer simple methods of verifying this
information.
Account Takeover
There are two types of fraud within the identity theft category:
APPLICATION
FRAUD ACCOUNT
TAKEOVER
1. Application Fraud
Application fraud occurs when criminals use stolen or fake documents to
open an account in someone else's name. Criminals may try to steal documents
such as utility bills and bank statements to build up useful personal information.
Alternatively, they may create counterfeit documents.
2. Account Takeover
Customers credit card details were misused through online means for
booking air-tickets. These culprits were caught by the city Cyber Crime
Investigation Cell in pune. It is found that details misused were belonging to 100
people.
The tickets were book through online means. Police requested for the
log details and got the information of the Private Institution. Investigation
revealed that the details were obtained from State Bank of India . Shaikh was
working in the credit card department; due to this he had access to credit card
details of some customers. He gave that information to Kale. Kale in return
passed this information to his friend Lukkad. Using the information obtained from
Kale Lukkad booked tickets. He used to sell these tickets to customers and get
money for the same. He had given few tickets to various other institutions.
Cyber Cell head DCP Sunil Pulhari and PI Mohan Mohadikar A.P.I
Kate were involved in eight days of investigation and finally caught the culprits.
In this regards various Banks have been contacted; also four air-line industries
be contacted DCP Sunil Pulhari has requested customers who have fallen in to
this trap to inform police authorities on 2612-4452 or 2612-3346 if they have any
problems
SKIMMING
Skimming is the theft of credit card information used in an otherwise
legitimate transaction. It is typically an "inside job" by a dishonest employee of a
legitimate merchant, and can be as simple as photocopying of receipts. Common
scenarios for skimming are restaurants or bars where the skimmer has
possession of the victim's credit card out of their immediate view. The skimmer
will typically use a small keypad to unobtrusively transcribe the 3 or 4 digits Card
Security Code which is not present on the magnetic strip.
Instances of skimming have been reported where the perpetrator has put
a device over the card slot of a public cash machine (Automated Teller Machine),
which reads the magnetic strip as the user unknowingly passes their card
through it. These devices are often used in conjunction with a pinhole camera to
read the user's PIN at the same time.
Skimming is difficult for the typical card holder to detect, but given a large
enough sample, it is fairly easy for the bank to detect. The bank collects a list of
all the card holders who have complained about fraudulent transactions, and
then uses data mining to discover relationships among the card holders and the
merchants they use. For example, if many of the customers used one particular
merchant, that merchant's terminals (devices used to authorize transactions) can
be directly investigated.
SKIMMER
CARDING
Carding is a term used for a process to verify the validity of stolen card
data. The thief presents the card information on a website that has real-time
transaction processing. If the card is processed successfully, the thief knows that
the card is still good. The specific item purchased is immaterial, and the thief
does not need to purchase an actual product; a Web site subscription or
charitable donation would be sufficient. The purchase is usually for a small
monetary amount, both to avoid using the card's credit limit, and also to avoid
attracting the bank's attention. A website known to be susceptible to carding is
known as a cardable website
Credit card fraud prevention when dealing with credit card customers face-
to-face
1. Ask for and check other identification, such as a driver’s license or other photo
ID. Check to see if the ID has been altered in any way as a person trying to use a
stolen credit card may also have stolen or fake ID.
2. Examine the signature on the card. If the signature on the credit card is
smeared, it could be that the credit card is stolen and the person has changed
the signature to his or her own .
3.Compare signatures. Besides comparing the signature on the credit card with
the person’s signature on the credit card slip, compare the signatures as well to
those on any other ID presented.
ii. Check the credit card’s embossing. “Ghost images” of other numbers
behind the embossing are a tip-off that the card has been re-embossed. The
hologram may be damaged. (The holograms on credit cards that have not been
tampered with will show clear, three- dimensional images that appear to move
when the card is tilted.)
5. Check the presented card with recent lists of stolen and invalid credit card
numbers.
6. Call for authorization of the credit card – remembering to take both the credit
card and the sales draft with you. That way if the customer runs away while
you’re making the call, you still have the credit card. Ask for a “Code 10” if you
have reason to suspect a possible credit card fraud, such as a possible
counterfeit or stolen card.
7. Destroy all carbon copies of the credit card transaction, to ensure that no one
can steal the credit card information and help prevent future credit card fraud.
It’s also very important to be sure that your staff is educated about credit
card fraud. You can use the points above as a “to do” list for dealing with credit
card transactions. For information on the suspicious behavior that may indicate
someone trying to commit credit card fraud, see Suspicious Behaviors That May
Indicate Credit Card Fraud
When dealing with credit card customers over the phone or through
the Internet, credit card fraud prevention strategies such as scrutinizing the
credit card aren’t going to work. You can, however, be alert to suspicious
behaviors and shape your credit policies to nip credit card fraud in the bud.
2. Don’t process credit card orders that originate from free e-mail addresses or
from e-mail forwarding addresses. In such a case, ask the customer for an ISP
(Internet Service Provider) or domain-based e-mail address that can be traced
back.
3. If the shipping address and the billing address on the order are different, call
the customer to confirm the order. You may even want to make it a policy to ship
only to the billing address on the credit card.
7. Be wary of orders you’re asked to ship express, rush or overnight. This is the
shipping of choice for many credit card fraudsters. Call the customer to confirm
the order first.
9. The first is Mod10 algorithm testing. Mod10 is an algorithm that will show
whether the card number being presented is valid card number and is within the
range of numbers issued by credit card companies. It cannot give any other
details like no. issued by any other company. This test should be first to be that it
is applied to any credit card number one process. If the card fails Mod10 one can
safely assume fraud.
Phishing
Phishing is a new form of identity theft that frequently occurs on the
web. The term refers to baiting techniques implemented by a criminal to fish
personal information out of an unsuspecting user. The purpose is to use this
information to commit identity theft and other types of fraud.
Criminals who distribute phishing emails rely on the hope that some of
their recipients may actually have a relationship with the legitimate business they
are portraying. However, a recipient is much more likely to respond if the email
appears to come from a trusted source, whether there is a relationship or not.
1. Recognize it: The popularity of phishing has made this scheme easier to
detect. A user should never respond to or click on any links in an email from a
sender requesting sensitive information.
2. Report it: If you have taken the bait of a phishing scam, it is very important to
contact your credit card company or financial institution right away. You should
also report this crime to your local police department. This will provide you with
documentation that may need to be displayed to an institution to help prove your
case.
3. Prevent it: Phishing can be prevented by learning the routine practice of your
credit card company or financial institution. In most instances, they will never ask
you to confirm such sensitive information via email. By understanding how these
companies operate, you can stop schemers in their tracks and save yourself from
identity theft.
Phishing email \
email
From: :*****Bank [ mailto:support t@**** Bank.com ]
]
Sent: :08 June 2004 03:25
08 June 2004 03:25
To: :India
India
Subject: Official information from***** Bank
Official information from***** Bank
Dear valued***** Bank Customer!
Dear valued***** Bank Customer!
For security purposes your account thas been
has been
randomly chosen for verification. To verify
randomly chosen for verification. To verify
your account information we are asking you to
your account information we are asking you to
provide us with all the data we are requesting.
provide us with all the data we are requesting.
Otherwise we will not be able to verify your identity
Otherwise we will not be able to verify your identity
and access to your account will be denied. Please
and access to your account will be denied.
Pleaseclick
click
on the link below to get to the bank secure
on the link below to get to the bank secure
page and verify your account details. Thank you.
page and verify your account details. Thank you.
https://infinity.*****bank.co.in/Verify.jsp
https://infinity.*****bank.co.in/Verify.jsp
****** Bank Limited
14 February 2007
Fraudsters of cyberspace have reared its ugly head, the first of its
kind this year, by launching a phishing attack on the website of Ahmedabad-
based UTI Bank, a leading private bank promoted by India' s largest financial
institution, Unit Trust of India (UTI).
Top officials at UTI Bank said that they have reported the case to the
Economic Office Wing, Delhi Police. The bank has also engaged the services of
Melbourne-based FraudWatch International, a leading anti-phishing company
that offers phishing monitoring and take-down solutions. "We are now in the
process of closing the site. Some of these initiatives take time, but customers
have been kept in the loop about these initiatives, " said V K Ramani, President -
IT, UTI Bank.
Now there is no way for banks to know if the person logging-in with
accurate user information is a fraud," said Ramani. However, reliable sources
within the bank and security agencies confirmed that the losses due to this
particular attack were zilch.
The bank has sent alerts to all its customers informing about such
malicious websites, besides beefing up their alert and fraud response system.
"Engaging professional companies like FraudWatch help in reducing time to
respond to attacks," said Sanjay Haswar, Assistant Vice President, Network and
Security, UTI Bank.
Cyber Criminals
The cyber criminals constitute of various groups/ category. This division may be
justified on the basis of the object that they have in their mind. The following are
the category of cyber criminals-
The most straightforward is to buy the ‘finished product’. In this case we’ll
use the example of an online bank account. The product takes the form of
information necessary to gain authorized control over a bank account with a six-
figure balance. The cost to obtain this information is $400 (cyber criminals always
deal in dollars). It seems like a small figure, but for the work involved and the risk
incurred it’s very easy money for the criminal who can provide it. Also remember
that this is an international trade; many cyber-criminals of this ilk are from poor
countries in Eastern Europe, South America or South-East Asia.
Kids – so-called because of their tender age: most are under 18. They
buy, trade and resell the elementary building blocks of effective cyber-scams
such as spam lists, php mailers, proxies, credit card numbers, hacked hosts,
scam pages etc. ‘Kids’ will make less than $100 a month, largely because of the
frequency of being ‘ripped off’ by one another.
1. The browser is the weak point. Trojans and other malware like man-in-the-
browser attacks that are difficult to detect hijack the transaction inside of a
browser session, and subsequently attack the application and database on the
server. According to FinServ Strategies, most of the top 100 banks have
experienced similar incidents. Man-in-the-browser attacks are becoming
mainstream, RSA reports in its whitepaper, “Business Success in a Dark Market:
An Inside Look at How the Fraud Underground Operates,” especially in the U.S.
and Europe where two-factor authentication is already densely deployed.
But new approaches are emerging to tackle 21st century online banking
problems. Among them are the secure browser and integrated single sign on.
Banks are taking three positive steps in the right direction:
THREE WAYS TO DETER CYBER CRIMES
Using integrated, single sign on. Independent integrated SSO solutions are
appearing to fill the security gaps of online business banking and cash
management solutions, which were never intended as portal or SSO solutions.
The new integrated SSO combines user credential management for entity
Websites with browser validation with a multi-layered security approach including
strong authentication, software based keyboards to thwart keyloggers, one-time
perishable passcode generation and utilization, and strong authentication of
destination Websites to prevent DNS poisoning and pharming.
The global economic costs of cyber crime are estimated at more than one trillion
dollars and costs to the U.S. at about $8 billion. The banking industry is moving
to shared fraud analytics to detect cyber crime in flight, but it should also be
prevented at the outset. Financial products with built-in security are absolutely
essential. Industry groups, banks and technology companies are emerging to fill
the gaps and build the online experience with the proper foundation to mitigate
threats that have moved beyond network perimeters to applications and data.
Organized crime is making a big business out of stealing bank account and credit
card records, says an authoritative study released this morning. The Verizon
Business Data Breach Investigations Report found that 94 percent of all records
compromised by cybercrime in 2009 were from financial services companies.
Perhaps that’s not a surprise. “Stealing digital money from information
systems rather than vaults is basically just a less primitive form of bank robbery,”
the report said. “It represents the nearest approximation to actual cash for the
criminal.”
The full report is fascinating to read. It looked at more than 900 corporate
data breaches involving more than 900 million compromised records, and reveals
that high levels of cybercrime are carried out by insiders such as dishonest bank
employees. And it verifies what you probably already suspect: That some
breaches never even get reported.
All of that spells troubles for consumers, because there’s little you can do
to prevent your financial data from being stolen from your bank’s servers. You
can, however, limit how badly such a theft could hurt you. Here are some tips.
• Check your bank’s security policies and its policies for covering
losses due to fraud. At a minimum, a bank should have a policy of
double-checking you if you ever try to access your account from a different
computer than the one you ordinarily use. That could just mean you’re
using the computer at your parents’ house, or it could mean that a criminal
has your password. Look up your bank on the data breach list at the
Privacy Rights Clearinghouse to see if it’s had serious problems in the
past.
• Change your passwords often. And use different passwords for every
bank and brokerage account.
• Take all of the usual steps to protect your credit report, but realize
that freezes and alerts just stop thieves from opening new accounts in
your name; they don’t stop anyone from using the accounts you already
have to clean you out.
• Don’t use a debit card. I admit, that’s just me talking — some people
love them. But if someone steals your credit card number, you can usually
maintain your financial life while you get it straightened out. If someone
steals your debit card number, however, they can empty your checking
account before you know it’s gone. And then your checks will bounce and
your bills won’t get paid. Banks say they’ll make good on debit card
losses, but the stress of dealing with bounced payments and a
compromised checking account while you wait is more than I’d want to
sign up for. Carry a minimal amount of cash and use a credit card for
everyday expenses. Pay it off every month, of course, but that’s a post for
another day.
PREVENTION OF CYBER CRIME:
Prevention is always better than cure. It is always better to take certain
precaution while operating the net. The 5P mantra for online security is
Precaution, Prevention, Protection, Preservation and Perseverance.
The following things should always be kept in mind:
As an Enterprise
Employ defense-in-depth strategies, which emphasize multiple, overlapping,
and mutually supportive defensive systems to guard against single-point
failures in any specific technology or protection method. This should include
the deployment of regularly updated antivirus, firewalls, intrusion detection,
and intrusion protection systems on client systems.
Turn off and remove services that are not needed.
If malicious code or some other threat exploits one or more network
services, disable or block access to those services until a patch is applied.
Consider implementing network compliance solutions that will help keep
infected mobile users out of the network.
Enforce an effective password policy.
Configure mail servers to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .VBS,
.BAT, .EXE, .PI F, and .SCR files.
Isolate infected computers quickly to prevent the risk of further infection
within the organization.
Perform a forensic analysis and restore the computers using trusted
media.
Train employees to not open attachments unless they are expected and
come from a known and trusted source, and to not execute software that
is downloaded from the Internet unless it has been scanned for viruses.
Ensure that emergency response procedures are in place. This includes
having a backup-and-restore solution in place in order to restore lost or
compromised data in the event of successful attack or catastrophic data
loss.
Educate management on security budgeting needs.
Test security to ensure that adequate controls are in place.
Be aware that security risks may be automatically installed on computers
with the installation of file sharing programs, free downloads, and freeware
and shareware versions of software. Clicking on links and/or attachments
in email messages may also expose computers to unnecessary risks.
Ensure that only applications approved by the organization are deployed
on desktop computers.
As a Consumer
Consumers should use an Internet security solution that combines
antivirus, firewall, intrusion detection, and vulnerability management for
maximum protection against malicious code and other threats.
Consumers should ensure that security patches are up to date and that
they are applied to all vulnerable applications in a timely manner.
Consumers should ensure that passwords are a mix of letters and
numbers, and should change them often. Passwords should not consist of
words from the dictionary.
Consumers should never view, open, or execute any email attachment
unless the attachment is expected and the purpose of the attachment is
known.
Consumers should keep virus definitions updated regularly. By deploying
the latest virus definitions, consumers can protect their computers against
the latest viruses known to be spreading in the wild.
CONCLUSION
Lastly I conclude by saying that
The ATM fraud is not the sole problem of banks alone. It is a big threat
and it requires a coordinated and cooperative action on the part of the bank,
customers and the law enforcement machinery. The ATM frauds not only cause
financial loss to banks but they also undermine customers' confidence in the use
of ATMs. This would deter a greater use of ATM for monetary transactions. It is
therefore in the interest of banks to prevent ATM frauds. There is thus a need to
take precautionary and insurance measures that give greater "protection" to the
ATMs, particularly those located in less secure areas. The nature and extent of
precautionary measures to be adopted will, however, depend upon the
requirements of the respective banks. Internet Banking Fraud is a fraud or theft
committed using online technology to illegally remove money from a bank
account and/or transfer money to an account in a different bank. Internet Banking
Fraud is a form of identity theft and is usually made possible through techniques
such as phishing.
Credit card fraud can be committed using a credit card or any similar
payment mechanism as a fraudulent source of funds in a transaction. The
purpose may be to obtain goods without paying, or to obtain unauthorized funds
from an account. Cyber space and cyberpayment methods are being abused by
money launderers for converting their dirty money into legal money. For carrying
out their activities launderers need banking system. Internet, online banking
facilitates speedy financial transactions in relative anonymity and this is being
exploited by the cyber money launderers. Traditional systems like credit cards
had some security features built into them to prevent such crime but issue of e-
money by unregulated institutions may have none. Preventing cyber money
laundering is an uphill task which needs to be tackled at different levels. This has
to be fought on three planes, first by banks/ financial institutions, second by
nation states and finally through international efforts. The regulatory framework
must also take into account all the related issues like development of e-money,
right to privacy of individual. International law and international co-operation will
go a long way in this regard.
That company has millions of subscribers. The fake site offered the
visitors to return $11.75 per head which, the site promoters said, had been
collected in excess by mistake from them. Believing that it was a genuine offer
from the telecom company in question, several lakh subscribers logged on to the
site to get back that little money, but in the process parted with their PINs.
Armed with all requisite data to hack the bank ATMs, the gang started its
systematic looting. Apparently, Manwani and many others of his ilk entered into a
deal with the gang behind the site and could purchase any amount of data, of
course on certain terms, or simply enter into a deal on a booty-sharing basis.
He was so enterprising that he was able to sell away a few such cards to
his contacts in Mumbai. The police are on the lookout for those persons too.
On receipt of large-scale complaints from the billed credit card users and
banks in the United States, the FBI started an investigation into the affair and
also alerted the CBI in New Delhi that the international gang had developed
some links in India too.
Manwani has since been enlarged on bail after interrogation by the CBI.
But the city police believe that this is the beginning of the end of a major cyber
crime.