Cyber-crimes national/international

Mphasis Citibank scam case

It is a noteworthy case in the sense that it was dubbed as the first BPO scam case in India. The case is
about how five employees of MsourceE – the BPO arm of MphasiS got access to confidential information
of Citi customers. The employee identified loopholes in the system and the modus operandi was to siphon
off funds from Citi customers to their bank accounts which they manged to open with the help of their
friends. The victims of this scam were Citibank customers in USA. In all they were to siphon out almost
half a million dollars over a period of four months. They interesting thing about this case was the offenders
did not breach any data walls but just had access to the confidential information of the customers which
they misused.

The offenders with the help of accomplices diverted money through electronic transaction to the newly
created bank accounts and also created fictitious email accounts of the unsuspecting customers the USA
so that they are notified of the withdrawal from their account.

The first illegal transfer happened in the November of 2004. A few months later a Citi customer
complained to the bank which alerted the Citi investigative services (CIS). CIS with the help of the cyber
police in Pune laid a trap for the culprits. On 1ST April 2005 the two prime accused came to a Bank branch
for money transfer and were apprehended by the police. This was the first cyber crime to have originated
in India with victims being outside of the country.

The interesting aspect of this case was that no computer geeks or hackers were involved in this fraud.
They were not breaking through firewalls or decoding encrypted software. Instead, they are said to have
identified glaring loopholes in the system. The offenders had access to information of the customers and
used this to contact them. They coaxed them to pass on their PINs which they used for the crime.

The accused were charged under section 67 of the IT Act,2000 and IPC 420,465,467 and 671.

http://timesofindia.indiatimes.com/articleshow/1086438.cms?utm_source=contentofinterest&utm_me
dium=text&utm_campaign=cppst
Credit card data fraud

The accused Nadeem Kashmiri was an employee of the HSBC bank call centre in Bangalore. He stole the
credit card details of around 120 customers in UK. The incident was reported after the complaints from a
few customers in the UK. By the time the accused was nabbed around UK£ 2,33,000 had been siphoned.
In this case the complaint was filed against the accused by the employers themselves. The modus operandi
in this case was that the accused passed on the confidential information of the customers to a person in
UK. This person would then withdraw money from the accounts of the victims. The accused in Bangalore,
Kashmiri would get a cut for each transaction. In all he was paid INR 80,000 which he kept in the account
of his friend.

Like the Mphasis case, sufficient background checks were not done on the accused. Many of people like
him were able to secure jobs in the BPO industry because of their English proficiency. The fallout of the
case was that it brought bad name to the Indian BPO industry in the west. Security was a major reason for
slowdown in the BPO industry. The case also brought a lot of negative media attention to the BPO industry
in India. It was also one of the few cases where the accused was investigated for his links terror outfits.
There was a possibility that the accused was trying to fund terror activities in the country. It was because
of these cases that NASSCOM decide to launch a national registry of IT workers in India

O'Reilly.com/business ethics case studies

Bazee.com case

CEO of Bazee.com was arrested in December 2004 because a CD with objectionable material was being
sold on the website. The CD was also being sold in the markets in Delhi. The Mumbai city police and the
Delhi Police got into action. The MD was later released on bail. This opened up the question as to what
kind of distinction do we draw between Internet Service Provider and Content Provider. In this case the
accused was only acting as an intermediary and was not actually the creator of the content.

In this case the appellant, who was the senior manager(intermediary) of the company was accused of
selling material that was objectionable. The High court had granted him relief under section 67 of the IT
act but said that he could be still be charged under the section 292 IPC as it also dealt with obscenity.

Criminal proceeding against the MD of the company had already been quashed by the Supreme court.
The verdict given by the judge was that section 67 was a special provision and that It could override section
292 of the IPC. The counsel for the appellant said that since he was not charged under section 67 of the
IT act which overrides the section 292 of the IPC, he could also not be charged under section 292 IPC

https://www.livelaw.in/sc-quashes-charges-baazee-com-manager-mms-scam/

NASSCOM v/s Ajay Sood and others

This case is remarkable in that it dealt with case of phishing, for which there is no specific legislation.

The court clarified the concept of phishing in this case. The court stated that it is a form of internet fraud
where a person pretends to be a legitimate association, such as a bank or an insurance company in order
to extract personal data from a customer such as access codes, passwords, etc. Personal data so collected
by misrepresenting the identity of the legitimate party is commonly used for the collecting party’s
advantage. Court also stated, by way of an example, that typical phishing scams involve persons who
pretend to represent online banks and siphon cash from e-banking accounts after conning consumers into
handing over confidential banking details.

The plaintiff in this case was the National Association of Software and Service Companies (Nasscom),
India’s premier software association. The defendants were operating a placement agency involved in
head-hunting and recruitment. In order to obtain personal data, which they could use for purposes of
headhunting, the defendants composed and sent e-mails to third parties in the name of Nasscom.

The high court recognised the trademark rights of the plaintiff restrained the defendants from using the
trade name or any other name deceptively similar to Nasscom. A search of the defendant’s premises was
ordered by the court and the hardware was recovered.

Subsequently, the defendants admitted their illegal acts and the parties settled the matter through the
recording of a compromise in the suit proceedings. According to the terms of compromise, the defendants
agreed to pay a sum of Rs1.6 million to the plaintiff as damages for violation of the plaintiff’s trademark
rights. It brings the act of “phishing” into the ambit of Indian laws even in the absence of specific
legislation. It clears the misconception that there is no “damages culture” in India for violation of IP rights.
This case reaffirms IP owners’ faith in the Indian judicial system’s ability and willingness to protect
intangible property rights and send a strong message to IP owners that they can do business in India
without sacrificing their IP rights.

cyber-law-web.blogspot.com/2009/07/case-study-cyber-law-nasscom-vs-ajay.html

Fake online profile of the president of India

A very common crime these days is of creating fake online profile of people, where a person pretends to
be someone in order to malign them or to spread mischief. A very famous case came to light when a
person created a fake profile of the president of India. A complaint was made from Additional Controller,
President Household, President Secretariat regarding the four fake profiles created in the name of Hon’ble
President on social networking website, Facebook. The said complaint stated that president house has
nothing to do with Facebook and the fake profile is misleading the general public. The First Information
Report Under Sections 469 IPC and 66A Information Technology Act, 2000 was registered based on the
said complaint at the police station, Economic Offences Wing, the elite wing of Delhi Police which
specializes in investigating economic crimes including cyber offences.

http://www.legalserviceindia.com/lawforum/index.php?topic=2240.0

Some arguments against the IT act

The Supreme Court ruled that the Section 66A of the Information Technology Act was
unconstitutional in its entirety and was struck down as a “draconian” provision that had led to the
arrests of many people for posting content deemed to be “allegedly objectionable” on the Internet.
The act gained a lot of limelight because of its misuse. Many activists thought that it was restrictive
of free speech and hence there was a need to strike it down. Several cases occurred where the
validity of this act was questioned. One such famous case was when two women shared their
thoughts against the bandh called after the death of Mr. Bal Thackeray in Mumbai. PIL was filed
against this act by a law student and the act was declared unconstitutional by the Supreme court.

https://www.news18.com/news/india/flashback-list-of-cases-where-section-66a-of-it-act-
was-misused-977016.html
Another section under the IT act that is misused in India is the section 67. This act deals with
obscenity and is analogous to section 292 of the IPC. There have been many cases where this
section has been misused by authorities. It is understandable that this section is misused
because the definition of depraved or obscene in very subjective. Obscene is something that
‘reasonable men’ would find immoral and hence the cases under this section have been ever
increasing

https://thewire.in/gender/victorian-censorship-research-finds-section-67-act-grossly-
misused