
University of Mumbai CYBER CRIMES IN BANKING SECTOR

Bachelor of Commerce (Banking & Insurance)

Semester-V (2011-2012)

Submitted by: Nisha R Acharya Roll no. 01

Project Guide Prof. Pravin Akolkar

Shri Chinai College of Commerce & Economics Andheri (East), Mumbai: 400 069


CERTIFICATE
This is to certify that Miss. NISHA R ACHARYA of B.Com. [Banking & Insurance] Semester v (2011-2012) has successfully completed the project on CYBER CRIMES IN BANK under the guidance of Prof. Pravin Akolkar.

Principal Course Coordinator

Project Guide/ Internal Examiner

External Examiner

DECLARATION
I, Miss. Nisha R Acharya, the student of B.Com. Banking & Insurance Semester-V (2011-2012), hereby declare that I have completed project on E-BANKING. The information submitted is true & best to my knowledge.

Signature of the student

(Nisha R Acharya) Roll No. 01

1. CYBER CRIME
2. TYPES OF CYBER CRIME
3. CLASSIFICATION OF CYBER CRIME
4. REASONS FOR CYBER CRIME
5. MODE AND MANNER OF COMMITTING CYBER
6. BANKING SECTOR
7. CYBER CRIME IN BANKING SECTOR
8. CASE STUDY
9. GENERAL TIPS ON AVOIDING INTERNET FRAUD SCHEMES
10. POSSIBLE
11. RECENT CASES
12. CONCLUSION
13. BIBLIOGRAPHY

ACKNOWLEDGEMENT

I would firstly like to thank my Institution & give sincere thanks to Principal Dr. (Ms) Malini Johri for providing me support and giving me an opportunity for doing the B&I course and completing this project. I also take this opportunity to highlight the invaluable contribution of our B&I Co-ordinator Prof. Pravin Akolkar, who has always supported and encouraged me. I would also like to extend my profound and sincere gratitude to my project guide Prof. Pravin Akolkar, who has guided my research project with his vast fund of knowledge, advice and constant encouragement. I kindly appreciate his implicit and valuable contribution in drawing up this project. I also thank my parents and all my colleagues, without whom this project would not have been complete. Thank you all for your contribution toward the project, whether big or small; I will forever be indebted to each and every one of you. I also thank all those whom I have forgotten to mention in this space.

EXECUTIVE SUMMARY
Cyber crimes are any illegal activities committed using a computer; the target of the criminal activity can be either a computer or network operations. Cyber crimes are a genus of crimes which use computers and networks for criminal activities. The difference between traditional crimes and cyber crimes is that cyber crimes can be transnational in nature. Cyber crime is a crime that is committed online in many areas using e-commerce. A computer can be the target of an offence when unauthorized access to a computer network occurs, and on the other hand it affects e-commerce. Cyber crimes can be of various types, such as telecommunications piracy, electronic money laundering and tax evasion, sales and investment fraud, electronic funds transfer fraud and so on.

The modern contemporary era has replaced traditional monetary instruments, moving from paper and metal based currency to plastic money in the form of credit cards, debit cards, etc. This has resulted in the increasing use of ATMs all over the world. The use of ATMs is not only safe but also convenient. This safety and convenience, unfortunately, has an evil side as well, which does not originate from the use of plastic money but rather from its misuse. This evil side is reflected in the form of ATM fraud, which is a global problem.

Internet commerce has grown exponentially during the past few years and is still growing. But unfortunately the growth is not on the expected lines, because credit card fraud, which has become common, has retarded the growth of e-commerce. Credit card fraud has become regular on the internet, and it affects not only card holders but also online merchants. Credit card fraud can be done by taking over the account, by skimming, or if the card is stolen.
The term "Internet fraud" refers generally to any type of fraud scheme that uses one or more components of the Internet, such as chat rooms, e-mail, message boards, or Web sites, to present fraudulent solicitations to prospective victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to financial institutions or to others connected with the scheme. Some forms of internet fraud include: spam, scams, spyware, identity theft, phishing, and internet banking fraud.

"The modern thief can steal more with a computer than with a gun. Tomorrow's terrorist may be able to do more damage with a keyboard than with a bomb." (National Research Council, Computers at Risk, 1991)

INTRODUCTION
The usage of internet services in India is growing rapidly. It has given rise to new opportunities in every field we can think of, be it entertainment, business, sports or education. Every new technology that is invented or discovered has its pros and cons, and the new and profound technology of the Internet is no exception. The major disadvantage is CYBER CRIME: illegal activity committed on the internet by certain individuals because of certain loopholes. The internet, along with its advantages, has also exposed us to the security risks that come with connecting to a large network. Computers today are being misused for illegal activities like email espionage, credit card fraud, spam, software piracy and so on, which invade our privacy and offend our senses. Criminal activities in cyberspace are on the rise.

Computer crimes are criminal activities which involve the use of information technology to gain illegal or unauthorized access to a computer system with the intent of damaging, deleting or altering computer data. Computer crimes also include activities such as electronic fraud, misuse of devices, identity theft, and data as well as system interference. Computer crimes may not necessarily involve damage to physical property. They rather include the manipulation of confidential data and critical information. Computer crimes involve activities of software theft, wherein the privacy of the users is hampered. These criminal activities involve the breach of human and information privacy, as also the theft and illegal alteration of system critical information. The different types of computer crimes have necessitated the introduction and use of newer and more effective security measures. In recent years, the growth and penetration of the internet across Asia Pacific has been phenomenal.
Today, a large number of rural areas in India and a couple of other nations in the region have increasing access to the internet, particularly broadband. The challenges of information security have also grown manifold. The widespread nature of cyber crime is beginning to show a negative impact on the economic growth opportunities in each of these countries. It is becoming imperative for organizations to take both preventive and corrective actions if their systems are to be protected from any kind of compromise by external malicious elements. According to the latest statistics, more than a fifth of the malicious activities in the world originate from the Asia Pacific region. The malicious attacks included denial-of-service attacks, spam, phishing and bot attacks. Overall, spam made up 69% of all monitored e-mail traffic in the Asia Pacific region. As per the National Crime Records Bureau statistics, there has been a 255% increase in cyber crime in India alone. And mind you, these are just the reported cases. In view of this, various governmental and non-governmental agencies are working towards reducing cyber crime activities.

Computer crime, cybercrime, e-crime, hi-tech crime or electronic crime generally refers to criminal activity where a computer or network is the source, tool, target, or place of a crime. These categories are not exclusive, and many activities can be characterized as falling in one or more categories. Additionally, although the terms computer crime and cybercrime are more properly restricted to describing criminal activity in which the computer or network is a necessary part of the crime, these terms are also sometimes used to include traditional crimes, such as fraud, theft, blackmail, forgery, and embezzlement, in which computers or networks are used.

HISTORY
The first recorded cyber crime took place in the year 1820! That is not surprising considering the fact that the abacus, which is thought to be the earliest form of a computer, has been around since 3500 B.C. in India, Japan and China. The era of modern computers, however, began with the analytical engine of Charles Babbage. In 1820, Joseph-Marie Jacquard, a textile manufacturer in France, produced the loom. This device allowed the repetition of a series of steps in the weaving of special fabrics. This resulted in a fear amongst Jacquard's employees that their traditional employment and livelihood were being threatened. They committed acts of sabotage to discourage Jacquard from further use of the new technology. This is the first recorded cyber crime!

Today computers have come a long way, with neural networks and nano-computing promising to turn every atom in a glass of water into a computer capable of performing a billion operations per second. Cyber crime is an evil having its origin in the growing dependence on computers in modern life. In a day and age when everything from microwave ovens and refrigerators to nuclear power plants is being run on computers, cyber crime has assumed rather sinister implications.

Major cyber crimes in the recent past include the Citibank rip-off. US $10 million were fraudulently transferred out of the bank and into a bank account in Switzerland. A Russian hacker group led by Vladimir Levin, a renowned hacker, perpetrated the attack. The group compromised the bank's security systems. Vladimir was allegedly using his office computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into Citibank computers. He was finally arrested at Heathrow airport on his way to Switzerland.

CYBER CRIMES IN INDIA


As India has come to have the fourth highest number of Internet users in the world, cyber crimes in India have also increased, by 50 percent in 2007 over the previous year. According to the Information Technology (IT) Act, the majority of offenders were under 30 years of age. Around 46 percent of cyber crimes were related to incidents of cyber pornography, followed by hacking. According to the recently published 'Crime in 2007' report of the National Crime Record Bureau (NCRB), in over 60 percent of these cases, offenders were between 18 and 30. These cyber crimes are punishable under two categories: the IT Act 2000 and the Indian Penal Code (IPC). According to the report, 217 cases of cyber crime were registered under the IT Act in 2007, which is an increase of 50 percent from the previous year. Under the IPC section, 339 cases were recorded in 2007 compared to 311 cases in 2006. Out of 35 mega cities, 17 cities have reported around 300 cases of cyber crime under both categories, which is an increase of 32.6 percent in a year. The report also shows that cyber crime is not limited to metro cities but has also moved to small cities like Bhopal. According to the report, Bhopal, the capital of Madhya Pradesh, has reported the highest incidence of cyber crimes in the country.

In order to tackle cyber crime, Delhi Police have trained 100 of their officers in handling cyber crime and placed them in the Economic Offences Wing. These officers were trained for six weeks in computer hardware and software, computer networks comprising data communication networks, network protocols, wireless networks and network security. Faculty at Guru Gobind Singh Indraprastha University (GGSIPU) were the trainers.

CHANGING FACE OF CRIME


The last year has seen a quantum jump not only in the quantity and quality but also in the very nature of cyber crime activities. According to Naavi, a perceptible trend being observed is that cyber crimes are moving from 'Personal Victimization' to 'Economic Offences'. SD Mishra, ACP, IPR and Cyber Cell, Economic Offences Wing, Delhi Police, concurs that the cases now coming up are more related to financial frauds. As opposed to the obscenity, pornography and malicious emails that were more prevalent in the past, credit card frauds, phishing attacks, online share trading frauds, etc. are now becoming more widespread. As Seth points out, initially, when the Internet boom began, certain crimes were noticeable and cyber stalking was one of the first ones. "However, with the little offences came the larger ones involving huge money and one has seen this sudden jump from smaller crimes to financial crimes in the last one year," she adds.

BANKING SECTOR
The Banking Industry was once a simple and reliable business that took deposits from investors at a lower interest rate and loaned them out to borrowers at a higher rate. However, deregulation and technology led to a revolution in the Banking Industry that saw it transformed. Banks have become global industrial powerhouses that have created ever more complex products that use risk. Through technology development, banking services have become available 24 hours a day, 365 days a year, through ATMs, online banking, and electronically enabled exchanges where everything from stocks to currency futures contracts can be traded.

The Banking Industry at its core provides access to credit. In the lender's case, this includes access to their own savings and investments, and interest payments on those amounts. In the case of borrowers, it includes access to loans for the creditworthy, at a competitive interest rate. Banking services include transactional services, such as verification of account details, account balance details and the transfer of funds, as well as advisory services that help individuals and institutions to properly plan and manage their finances. Online banking channels have become key in the last 10 years. The collapse of the Banking Industry in the Financial Crisis, however, means that some of the more extreme risk-taking and complex securitization activities that banks increasingly engaged in since 2000 will be limited and carefully watched, to ensure that there is not another banking system meltdown in the future.

Banking in India originated in the last decades of the 18th century. The oldest bank in existence in India is the State Bank of India, a government-owned bank that traces its origins back to June 1806 and that is the largest commercial bank in the country.
Central banking is the responsibility of the Reserve Bank of India, which in 1935 formally took over these responsibilities from the then Imperial Bank of India, relegating it to commercial banking functions. After India's independence in 1947, the Reserve Bank was nationalized and given broader powers. In 1969 the government nationalized the 14 largest commercial banks; the government nationalized the six next largest in 1980.

CRIME STATISTICS
As per the National Crime Records Bureau statistics, during the year 2005, 179 cases were registered under the IT Act as compared to 68 cases during the previous year, thereby reporting a significant increase of 163.2% in 2005 over 2004. During 2005, a total of 302 cases were registered under IPC sections as compared to 279 such cases during 2004, thereby reporting an increase of 8.2% in 2005 over 2004. NCRB is yet to release the statistics for 2006. In 2006, 206 complaints were received in comparison with only 58 in 2005, a 255% increase in the total number of complaints received in the Cyber Cell/EOW over the last year. In terms of cases registered and investigated in 2006 (up to 22.12.06), a total of 17 cases, where the computer was the victim, a tool or a repository of evidence, have been registered in the Cyber Cell/EOW as compared to 12 cases registered in 2005. And mind you, these are just the reported cases.

While the number of cyber crime instances has been constantly growing over the last few years, the past year and a half, in particular, has seen a rapid spurt in the pace of cyber crime activities. Cyber lawyers Pavan Duggal, advocate with the Supreme Court of India, and Karnika Seth, partner, Seth Associates, Advocates and Legal Consultants, testify to this, pointing out that they have seen a jump in the number of cyber crime cases that they've been handling in the last one year. One should also remember that the term 'Cyber Crime' should be applied to all offences committed with the use of 'Electronic Documents'. Hence, cyber crimes must grow at the same rate as the use of the Internet, mobile phones, ATMs and credit cards, or perhaps even faster.
"With the little offences came the larger ones involving huge money and one has seen this sudden jump from smaller crimes to financial crimes in the last one year."

According to Captain Raghu Raman, CEO, Mahindra Special Services Group (SSG), the contributing factors are the high volume of data processing, rapid growth and major migration into the online space, especially of financial institutions and their customer transactions. However, actual numbers continue to elude, considering the fact that a majority of the cases go unreported. Most victims, especially corporates, continue to downplay incidents on account of the fear of negative publicity, thereby failing to give a correct picture of the cyber crime scene in the country. According to cyber law expert Na. Vijayashankar (popularly known as Naavi), it is difficult to measure the growth of cyber crimes by any statistics, the reason being that a majority of cyber crimes don't get reported. "If we, therefore, focus on the number of cases registered or number of convictions achieved, we only get diverted from real facts," he adds.

Duggal points to the results of a survey he conducted in early 2006 on the extent of under-reporting. For every 500 instances of cyber crime that take place in India, only fifty are reported, and out of that fifty, only one is registered as an FIR or criminal case. So the ratio effectively is 1:500, and these, he points out, are conservative estimates. Giving an insight into the reasons for low reporting, Nandkumar Sarvade, director, Cyber Security and Compliance at Nasscom, points out that very often people are not aware whether an incident is a cyber crime; there is also a lack of awareness on where to lodge a complaint or whether the police will be able to understand. "Added to this is the fear of losing business and hence, many cases don't come to light," he adds.

Defining Cyber Crime


Information Technology Act, 2000. Defining cyber crimes, as "acts that are punishable by the Information Technology Act" would be unsuitable as the Indian Penal Code also covers many cyber crimes, such as email spoofing and cyber defamation, sending threatening emails etc. Computer crime has been defined as unauthorized use of a computer for personal gain, as in the illegal transfer of funds or to alter the data or property of others (Computer Crime, 2007).

TYPES OF CYBER CRIME


1. Theft of Telecommunications Services
The "phone phreakers" of three decades ago set a precedent for what has become a major criminal industry. By gaining access to an organization's telephone switchboard (PBX), individuals or criminal organizations can obtain access to dial-in/dial-out circuits and then make their own calls or sell call time to third parties (Gold 1999). Offenders may gain access to the switchboard by impersonating a technician, by fraudulently obtaining an employee's access code, or by using software available on the internet. Some sophisticated offenders loop between PBX systems to evade detection. Additional forms of service theft include capturing "calling card" details and on-selling calls charged to the calling card account, and counterfeiting or illicit reprogramming of stored value telephone cards. It has been suggested that as long ago as 1990, security failures at one major telecommunications carrier cost approximately 290 million, and that more recently, up to 5% of total industry turnover has been lost to fraud (Schieck 1995: 2-5). Costs to individual subscribers can also be significant; in one case, computer hackers in the United States illegally obtained access to Scotland Yard's telephone network and made 620,000 worth of international calls for which Scotland Yard was responsible (Tendler and Nuttall 1996).

2. Communications in Furtherance of Criminal Conspiracies
Just as legitimate organizations in the private and public sectors rely upon information systems for communications and record keeping, so too are the activities of criminal organizations enhanced by technology. There is evidence of telecommunications equipment being used to facilitate organized drug trafficking, gambling, prostitution, money laundering, child pornography and trade in weapons (in those jurisdictions where such activities are illegal). The use of encryption technology may place criminal communications beyond the reach of law enforcement.
The use of computer networks to produce and distribute child pornography has become the subject of increasing attention. Today, these materials can be imported across national borders at the speed of light.

The more overt manifestations of internet child pornography entail a modest degree of organization, as required by the infrastructure of IRC and WWW, but the activity appears largely confined to individuals. By contrast, some of the less publicly visible traffic in child pornography appears to entail a greater degree of organization. Although knowledge is confined to that conduct which has been the target of successful police investigation, there appear to have been a number of networks which extend cross-nationally, use sophisticated technologies of concealment, and entail a significant degree of coordination. Illustrative of such activity was the Wonderland Club, an international network with members in at least 14 nations ranging from Europe, to North America, to Australia. Access to the group was password protected, and content was encrypted. Police investigation of the activity, codenamed "Operation Cathedral", resulted in approximately 100 arrests around the world, and the seizure of over 100,000 images in September 1998.

One former university student in California used email to harass 5 female students in 1998. He bought information on the Internet about the women using a professor's credit card and then sent 100 messages including death threats, graphic sexual descriptions and references to their daily activities. He apparently made the threats in response to perceived teasing about his appearance (Associated Press 1999a).

Computer networks may also be used in furtherance of extortion. The Sunday Times (London) reported in 1996 that over 40 financial institutions in Britain and the United States had been attacked electronically over the previous three years. In England, financial institutions were reported to have paid significant amounts to sophisticated computer criminals who threatened to wipe out computer systems (The Sunday Times, June 2, 1996).
The article cited four incidents between 1993 and 1995 in which a total of 42.5 million Pounds Sterling were paid by senior executives of the organizations concerned, who were convinced of the extortionists' capacity to crash their computer systems (Denning 1999, 233-4).

3. Telecommunications Piracy
Digital technology permits perfect reproduction and easy dissemination of print, graphics, sound, and multimedia combinations. The temptation to reproduce copyrighted material for personal use, for sale at a lower price, or indeed, for free distribution, has proven irresistible to many. This has caused considerable concern to owners of copyrighted material. Each year, it has been estimated that losses of between US$15 and US$17 billion are sustained by industry by reason of copyright infringement (United States, Information Infrastructure Task Force 1995, 131). The Software Publishers Association has estimated that $7.4 billion worth of software was lost to piracy in 1993, with $2 billion of that being stolen from the Internet (Meyer and Underwood 1994).

Ryan (1998) puts the cost of foreign piracy to American industry at more than $10 billion in 1996, including $1.8 billion in the film industry, $1.2 billion in music, $3.8 billion in business application software, and $690 million in book publishing.

4. Dissemination of Offensive Materials
Content considered by some to be objectionable exists in abundance in cyberspace. This includes, among much else, sexually explicit materials, racist propaganda, and instructions for the fabrication of incendiary and explosive devices. Telecommunications systems can also be used for harassing, threatening or intrusive communications, from the traditional obscene telephone call to its contemporary manifestation in "cyber-stalking", in which persistent messages are sent to an unwilling recipient.

One man allegedly stole nude photographs of his former girlfriend and her new boyfriend and posted them on the Internet, along with her name, address and telephone number. The unfortunate couple, residents of Kenosha, Wisconsin, received phone calls and e-mails from strangers as far away as Denmark who said they had seen the photos on the Internet. Investigations also revealed that the suspect was maintaining records about the woman's movements and compiling information about her family (Spice and Sink 1999).

In another case a rejected suitor posted invitations on the Internet under the name of a 28-year-old woman, the would-be object of his affections, that said that she had fantasies of rape and gang rape. He then communicated via email with men who replied to the solicitations and gave out personal information about the woman, including her address, phone number, details of her physical appearance and how to bypass her home security system. Strange men turned up at her home on six different occasions and she received many obscene phone calls.
While the woman was not physically assaulted, she would not answer the phone, was afraid to leave her home, and lost her job (Miller 1999; Miller and Maharaj 1999).

5. Electronic Money Laundering and Tax Evasion
For some time now, electronic funds transfers have assisted in concealing and in moving the proceeds of crime. Emerging technologies will greatly assist in concealing the origin of ill-gotten gains. Legitimately derived income may also be more easily concealed from taxation authorities. Large financial institutions will no longer be the only ones with the ability to achieve electronic funds transfers transiting numerous jurisdictions at the speed of light. The development of informal banking institutions and parallel banking systems may permit central bank supervision to be bypassed, but can also facilitate the evasion of cash transaction reporting requirements in those nations which have them. Traditional underground banks, which have flourished in Asian countries for centuries, will enjoy even greater capacity through the use of telecommunications.

With the emergence and proliferation of various technologies of electronic commerce, one can easily envisage how traditional countermeasures against money laundering and tax evasion may soon be of limited value. I may soon be able to sell you a quantity of heroin, in return for an untraceable transfer of stored value to my "smart-card", which I then download anonymously to my account in a financial institution situated in an overseas jurisdiction which protects the privacy of banking clients. I can discreetly draw upon these funds as and when I may require, downloading them back to my stored value card (Wahlert 1996).

6. Sales and Investment Fraud
As electronic commerce becomes more prevalent, the application of digital technology to fraudulent endeavors will be that much greater. The use of fraudulent sales pitches, deceptive charitable solicitations, or bogus investment overtures is increasingly common. Cyberspace now abounds with a wide variety of investment opportunities, from traditional securities such as stocks and bonds, to more exotic opportunities such as coconut farming, the sale and leaseback of automatic teller machines, and worldwide telephone lotteries (Cella and Stark 1997, 837-844). Indeed, the digital age has been accompanied by unprecedented opportunities for misinformation. Fraudsters now enjoy direct access to millions of prospective victims around the world, instantaneously and at minimal cost. Classic pyramid schemes and "Exciting, Low-Risk Investment Opportunities" are not uncommon. The technology of the World Wide Web is ideally suited to investment solicitations. In the words of two SEC staff, "At very little cost, and from the privacy of a basement office or living room, the fraudster can produce a home page that looks better and more sophisticated than that of a Fortune 500 company" (Cella and Stark 1997, 822).

7. Illegal Interception of Telecommunications
Developments in telecommunications provide new opportunities for electronic eavesdropping. From activities as time-honored as surveillance of an unfaithful spouse, to the newest forms of political and industrial espionage, telecommunications interception has increasing applications. Here again, technological developments create new vulnerabilities. The electromagnetic signals emitted by a computer may themselves be intercepted. Cables may act as broadcast antennas. Existing law does not prevent the remote monitoring of computer radiation.
It has been reported that the notorious American hacker Kevin Poulsen was able to gain access to law enforcement and national security wiretap data prior to his arrest in 1991 (Littman 1997). In 1995, hackers employed by a criminal organization attacked the communications system of the Amsterdam Police. The hackers succeeded in gaining police operational intelligence, and in disrupting police communications (Rathmell 1997).

8. Electronic Funds Transfer Fraud
Electronic funds transfer systems have begun to proliferate, and so has the risk that such transactions may be intercepted and diverted. Valid credit card numbers can be intercepted electronically, as well as physically; the digital information stored on a card can be counterfeited. Of course, we don't need Willie Sutton to remind us that banks are where they keep the money. In 1994, a Russian hacker, Vladimir Levin, operating from St Petersburg, accessed the computers of Citibank's central wire transfer department, and transferred funds from large corporate accounts to other accounts which had been opened by his accomplices in the United States, the Netherlands, Finland, Germany, and Israel. Officials from one of the corporate victims, located in Argentina, notified the bank, and the suspect accounts, located in San Francisco, were frozen. The accomplice was arrested. Another accomplice was caught attempting to withdraw funds from an account in Rotterdam. Although Russian law precluded Levin's extradition, he was arrested during a visit to the United States and subsequently imprisoned (Denning 1999, 55).

The above forms of computer-related crime are not necessarily mutually exclusive, and need not occur in isolation. Just as an armed robber might steal an automobile to facilitate a quick getaway, so too can one steal telecommunications services and use them for purposes of vandalism, fraud, or in furtherance of a criminal conspiracy. Computer-related crime may be compound in nature, combining two or more of the generic forms outlined above.

OTHER TYPES OF CYBER CRIME


1. HACKING
Hacking in simple terms means an illegal intrusion into a computer system and/or network. There is an equivalent term to hacking, i.e. cracking, but from the perspective of Indian law there is no difference between the terms hacking and cracking. Every act committed towards breaking into a computer and/or network is hacking. Hackers write or use ready-made computer programs to attack the target computer. They possess the desire to destroy and they get a kick out of such destruction. Some hackers hack for personal monetary gain, such as stealing credit card information or transferring money from various bank accounts to their own account, followed by withdrawal of the money. They extort money from a corporate giant by threatening to publish stolen information which is critical in nature. Government websites are hot targets for hackers because of the press coverage they receive. Hackers enjoy the media coverage.

Motive Behind The Crime


a. Greed
b. Power
c. Publicity
d. Revenge
e. Adventure
f. Desire to access forbidden information
g. Destructive mindset
h. Wants to sell network security services

2. Child Pornography
The Internet is being heavily used by its abusers to reach and abuse children sexually, worldwide. The internet is very fast becoming a household commodity in India. Its explosion has made children viable victims of cyber crime. As more homes have access to the internet, more children will be using the internet and the greater are the chances of their falling victim to the aggression of pedophiles. The easy access to pornographic content readily and freely available over the internet lowers the inhibitions of children. Pedophiles lure children by distributing pornographic material, and then they try to meet them for sex or to take their nude photographs, including their engagement in sexual positions. Sometimes pedophiles contact children in chat rooms posing as teenagers or a child of similar age, and then they become friendlier with them and win their confidence. Then slowly pedophiles start sexual chat to help children shed their inhibitions about sex and then call them out for personal interaction. Then starts the actual exploitation of the children by offering them some money or falsely promising them good opportunities in life. The pedophiles then sexually exploit the children either by using them as sexual objects or by taking their pornographic pictures in order to sell those over the internet. In the physical world, parents know the face of dangers and they know how to avoid and face the problems by following simple rules, and accordingly they advise their children to keep away from dangerous things and ways. But in the case of the cyber world, most parents do not themselves know the basics of the internet and the dangers posed by various services offered over the internet. Hence children are left unprotected in the cyber world. Pedophiles take advantage of this situation and lure children who are not advised by their parents or by their teachers about what is wrong and what is right for them while browsing the internet.

How Do They Operate


Pedophiles use a false identity to trap children/teenagers. Pedophiles contact children/teens in various chat rooms which are used by children/teens to interact with other children/teens. They befriend the child/teen. They extract personal information from the child/teen by winning his confidence. They get the e-mail address of the child/teen and start making contact on the victim's e-mail address as well. They start sending pornographic images/text to the victim, including child pornographic images, in order to help the child/teen shed his inhibitions, so that a feeling is created in the mind of the victim that what is being fed to him is normal and that everybody does it. They extract personal information from the child/teen. At the end of it, the pedophiles set up a meeting with the child/teen out of the house and then drag him into the net to further sexually assault him or to use him as a sex object. In order to prevent your child/teen from falling into the trap of a pedophile, read the tips under the Tips & Tricks heading.

3. Cyber Stalking
Cyber stalking can be defined as the repeated acts of harassment or threatening behavior of the cyber criminal towards the victim by using internet services. Stalking in general terms can be referred to as the repeated acts of harassment targeting the victim, such as following the victim, making harassing phone calls, killing the victim's pet, vandalizing the victim's property, or leaving written messages or objects. Stalking may be followed by serious violent acts such as physical harm to the victim, and the same has to be treated and viewed seriously. It all depends on the course of conduct of the stalker. Both kinds of stalkers, online and offline, have a desire to control the victim's life. The majority of stalkers are dejected lovers or ex-lovers, who then want to harass the victim because they failed to satisfy their secret desires. Most of the stalkers are men and the victims female.

How Do They Operate


The stalker collects all personal information about the victim, such as name, family background, telephone numbers of residence and workplace, daily routine of the victim, address of residence and place of work, date of birth etc. If the stalker is one of the acquaintances of the victim, he can easily get this information. If the stalker is a stranger to the victim, he collects the information from internet resources such as the various profiles the victim may have filled in while opening a chat or e-mail account or while signing up for an account with some website. The stalker may post this information on any website related to sex services or dating services, posing as if the victim is posting this information, and invite people to call the victim on her telephone numbers to have sexual services. The stalker even uses very filthy and obscene language to invite the interested persons. People of all kinds from every nook and corner of the world who come across this information start calling the victim at her residence and/or workplace, asking for sexual services or relationships. Some stalkers subscribe the e-mail account of the victim to innumerable pornographic and sex sites, because of which the victim starts receiving such unsolicited e-mails. Some stalkers keep on sending repeated e-mails asking for various kinds of favors or threaten the victim.

NATURE AND EXTENT OF CYBER STALKING
An existing problem aggravated by new technology. Although online harassment and threats can take many forms, cyber stalking shares important characteristics with offline stalking. Many stalkers, online or offline, are motivated by a desire to exert control over their victim and engage in similar types of behavior to accomplish this end. As with offline stalking, the available evidence (which is largely anecdotal) suggests that the majority of cyber stalkers are men and the majority of their victims are women, although there have been reported cases of women cyber stalking men and of same-sex cyber stalking. In many cases, the cyber stalker and the victim had a prior relationship, and the cyber stalking begins when the victim attempts to break off the relationship. However, there also have been many instances of cyber stalking by strangers. Given the enormous amount of personal information available through the Internet, a cyber stalker can easily locate private information about a potential victim with a few mouse clicks or key strokes. The fact that cyber stalking does not involve physical contact may create the misperception that it is more benign than physical stalking. This is not necessarily true. As the Internet becomes an ever more integral part of our personal and professional lives, stalkers can take advantage of the ease of communications as well as increased access to personal information. In addition, the ease of use and the non-confrontational, impersonal, and sometimes anonymous nature of Internet communications may remove disincentives to cyber stalking. Put another way, whereas a potential stalker may be unwilling or unable to confront a victim in person or on the telephone, he or she may have little hesitation sending harassing or threatening electronic communications to a victim. Finally, as with physical stalking, online harassment and threats may be a prelude to more serious behavior, including physical violence.

Phishing
In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website. Phishing is an example of the social engineering techniques used to fool users, and it exploits the poor usability of current web security technologies. Attempts to deal with the growing number of reported phishing incidents include legislation, user training, public awareness, and technical security measures. Phishing, also referred to as brand spoofing or carding, is a variation on "fishing," the idea being that bait is thrown out with the hope that while most will ignore the bait, some will be tempted into biting. A phishing technique was described in detail in 1987, and the first recorded use of the term "phishing" was made in 1996.

Phishing email
From: *****Bank [mailto:support@****Bank.com]
Sent: 08 June 2004 03:25
To: India
Subject: Official information from ***** Bank

Dear valued ***** Bank Customer!

For security purposes your account has been randomly chosen for verification. To verify your account information we are asking you to provide us with all the data we are requesting. Otherwise we will not be able to verify your identity and access to your account will be denied. Please click on the link below to get to the bank secure page and verify your account details. Thank you.

https://infinity.*****bank.co.in/Verify.j

Spam
Spam is a generic term used to describe electronic junk mail or unwanted messages sent to your email account or mobile phone. These messages vary, but are essentially commercial and often annoying in their sheer volume. They may try to persuade you to buy a product or service, or visit a website where you can make purchases; or they may attempt to trick you into divulging your bank account or credit card details. More information about spam is available from the Australian Communications and Media Authority (ACMA) website.

Scams
The power of the Internet and email communication has made it all too easy for email scams to flourish. These schemes often arrive uninvited by email. Many are related to the well-documented Nigerian Scam or Lotto Scams and use similar tactics in one form or another. More information about scams is available from the Australian Competition and Consumer Commission (ACCC) SCAMwatch website and the Australian Securities and Investments Commission FIDO website.

Spyware
Spyware is generally considered to be software that is secretly installed on a computer and takes things from it without the permission or knowledge of the user. Spyware may take personal information, business information, bandwidth, or processing capacity and secretly give it to someone else. It is recognized as a growing problem. More information about taking care of spyware is available from the Department of Broadband, Communications and the Digital Economy (DBCDE) website.

Denial Of Service Attack


This is an act by the criminal, who floods the bandwidth of the victim's network or fills his e-mail box with spam mail, depriving him of the services he is entitled to access or provide.

Virus Dissemination
Malicious software that attaches itself to other software. (Virus, worm, Trojan horse, time bomb, logic bomb, rabbit and bacterium are kinds of malicious software.)

Software Piracy
Theft of software through the illegal copying of genuine programs or the counterfeiting and distribution of products intended to pass for the original. Retail revenue losses worldwide are ever increasing due to this crime. It can be done in various ways: end user copying, hard disk loading, counterfeiting, illegal downloads from the internet, etc.

Spoofing
Getting one computer on a network to pretend to have the identity of another computer, usually one with special access privileges, so as to obtain access to the other computers on the network.

Net Extortion
Copying the company's confidential data in order to extort said company for a huge amount.

Salami attack
In such a crime the criminal makes insignificant changes in such a manner that the changes go unnoticed. The criminal writes a program that deducts a small amount, like Rs. 2.50 per month, from the accounts of all the customers of the bank and deposits the same in his own account. In this case no account holder will approach the bank over such a small amount, but the criminal gains a huge amount.
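The pattern described above can be looked for from the bank's side. The following is an added example, not part of the original project: it scans a ledger for one beneficiary collecting the same small debit from many distinct accounts in a month, and excludes the bank's own fee accounts. The ledger rows, account numbers, field names and thresholds are constructed assumptions.

```python
from collections import defaultdict
from decimal import Decimal
from typing import NamedTuple


class Txn(NamedTuple):
    month: str            # posting month, "YYYY-MM"
    debit_account: str    # account the money left
    credit_account: str   # account the money reached
    amount: Decimal       # rupees
    narration: str


class Finding(NamedTuple):
    beneficiary: str
    amount: Decimal
    month: str
    victim_count: int     # distinct debited accounts
    total: Decimal        # total collected in that month


def find_salami_candidates(ledger, max_amount=Decimal("5.00"), min_victims=4,
                           allow_list=frozenset()):
    """Flag (beneficiary, amount, month) groups where many distinct accounts
    were each debited the same small amount in favour of one account.

    allow_list holds accounts that legitimately collect small charges from
    many customers (the bank's own fee-income accounts)."""
    groups = defaultdict(list)
    for t in ledger:
        if not (Decimal("0") < t.amount <= max_amount):
            continue                      # only small debits are of interest
        if t.credit_account in allow_list:
            continue                      # approved fee collection
        groups[(t.credit_account, t.amount, t.month)].append(t.debit_account)

    findings = []
    for (beneficiary, amount, month), debited in groups.items():
        victims = set(debited)
        if len(victims) >= min_victims:
            findings.append(Finding(beneficiary, amount, month,
                                    len(victims), amount * len(debited)))
    # Largest monthly take first, then a stable order for reporting.
    return sorted(findings, key=lambda f: (-f.total, f.beneficiary, f.month))


def recurring_beneficiaries(findings, min_months=2):
    """Beneficiaries flagged in several months: the 'per month' deduction."""
    months = defaultdict(set)
    for f in findings:
        months[f.beneficiary].add(f.month)
    return {b: sorted(m) for b, m in months.items() if len(m) >= min_months}


def build_sample_ledger():
    """Constructed sample data: six customers, two months."""
    customers = [f"SB-{n:04d}" for n in range(1, 7)]
    ledger = []
    for month in ("2011-07", "2011-08"):
        for acct in customers:
            # The Rs. 2.50 skim to one savings account (constructed).
            ledger.append(Txn(month, acct, "SB-9001", Decimal("2.50"), "SERVICE ADJ"))
            # A legitimate small fee to the bank's income account (constructed).
            ledger.append(Txn(month, acct, "GL-FEE-INCOME", Decimal("3.00"), "SMS ALERT FEE"))
    # Ordinary traffic that must not be flagged.
    ledger.append(Txn("2011-07", "SB-0001", "SB-0002", Decimal("4.00"), "SPLIT BILL"))
    ledger.append(Txn("2011-08", "SB-0003", "SB-9001", Decimal("15000.00"), "RENT"))
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    hits = find_salami_candidates(sample, allow_list=frozenset({"GL-FEE-INCOME"}))
    for h in hits:
        print(f"{h.month} {h.beneficiary}: Rs. {h.amount} from "
              f"{h.victim_count} accounts, total Rs. {h.total}")
    print("recurring:", recurring_beneficiaries(hits))
```

Without the allow list the bank's own fee account is flagged as well, which is why the approved fee accounts have to be maintained as carefully as the rule itself.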

Sale of narcotics
Sale and purchase through the net. There are web sites which offer sale and shipment of contraband drugs. They may use the techniques of steganography for hiding the messages.

CLASSIFICATION OF CYBER CRIMES


Mr. Pavan Duggal, who is the President of cyberlaws.net and a consultant, has in a report clearly defined the various categories and types of cybercrimes.

1. Cybercrimes against Persons
Cybercrimes committed against persons include various crimes like transmission of child pornography and harassment of anyone with the use of a computer, such as by e-mail. The trafficking, distribution, posting, and dissemination of obscene material, including pornography and indecent exposure, constitutes one of the most important cybercrimes known today. The potential harm of such a crime to humanity can hardly be amplified. This is one cybercrime which threatens to undermine the growth of the younger generation and also to leave irreparable scars and injury on the younger generation, if not controlled.

A minor girl in Ahmedabad was lured to a private place through cyber chat by a man who, along with his friends, attempted to gang-rape her. As some passersby heard her cry, she was rescued. Another example, wherein the damage was done not to a person but to the masses, is the case of the Melissa virus. The Melissa virus first appeared on the internet in March of 1999. It spread rapidly throughout computer systems in the United States and Europe. It is estimated that the virus caused 80 million dollars in damages to computers worldwide.

2. Cyber crimes against government
The third category of cybercrimes relates to cybercrimes against government. Cyber terrorism is one distinct kind of crime in this category. The growth of the internet has shown that the medium of cyberspace is being used by individuals and groups to threaten international governments and also to terrorize the citizens of a country. This crime manifests itself as terrorism when an individual "cracks" into a government or military maintained website.

The Parliament of India passed its first cyber law, the Information Technology Act, in 2000. It not only provides the legal infrastructure for e-commerce in India but at the same time gives draconian powers to the police to enter and search, without any warrant, any public place for the purpose of nabbing cybercriminals and preventing cybercrime. Also, the Indian cyber law talks of the arrest of any person who is about to commit a cybercrime. The Act defines five cybercrimes: damage to computer source code, hacking, publishing electronic information which is lascivious or prurient, breach of confidentiality and publishing false digital signatures. The Act also specifies that cybercrimes can only be investigated by an official holding no less a rank than that of Dy. Superintendent of Police (Dy.SP).

It is common that many systems operators do not share information when they are victimized by crackers. They don't contact law enforcement officers when their computer systems are invaded, preferring instead to fix the damage and take action to keep crackers from gaining access again with as little public attention as possible. According to Sundari Nanda, SP, CBI, "most of the times the victims do not complain, may be because they are aware of the extent of the crime committed against them, or as in the case of business houses, they don't want to confess their system is not secure". As the research shows, computer crime poses a real threat. Those who believe otherwise simply have not been awakened by the massive losses and setbacks experienced by companies worldwide. Money and intellectual property have been stolen, corporate operations impeded, and jobs lost as a result of computer crime. Similarly, information systems in government and business alike have been compromised. The economic impact of computer crime is staggering (great difficulty).

REASONS FOR CYBER CRIME


Hart, in his work The Concept of Law, has said that human beings are vulnerable, so the rule of law is required to protect them. Applying this to cyberspace, we may say that computers are vulnerable (capable of attack), so the rule of law is required to protect and safeguard them against cyber crime. The reasons for the vulnerability of computers may be said to be:

1. Capacity To Store Data In Comparatively Small Space
The computer has the unique characteristic of storing data in a very small space. This makes it much easier to remove or derive information through either a physical or a virtual medium.

2. Easy To Access
The problem encountered in guarding a computer system from unauthorized access is that there is every possibility of breach, not due to human error but due to the complex technology. Secretly implanted logic bombs, key loggers that can steal access codes, advanced voice recorders, retina imagers etc. that can fool biometric systems and bypass firewalls can be utilized to get past many a security system.

3. Complex
Computers work on operating systems, and these operating systems in turn are composed of millions of lines of code. The human mind is fallible, and it is not possible that there might not be a lapse at any stage. The cyber criminals take advantage of these lacunas and penetrate into the computer system.

4. Negligence
Negligence is very closely connected with human conduct. It is therefore very probable that while protecting the computer system there might be some negligence, which in turn provides a cybercriminal the opportunity to gain access to and control over the computer system.

5. Loss Of Evidence
Loss of evidence is a very common and obvious problem, as all the data are routinely destroyed. Further, collection of data outside the territorial extent also paralyses this system of crime investigation.

TYPES OF CYBER CRIMES


Automated Teller Machine
Traditional and ancient society was devoid of any monetary instruments, and the entire exchange of goods and merchandise was managed by the barter system. The use of monetary instruments as a unit of exchange replaced the barter system, and money in various denominations was used as the sole purchasing power. The modern era has replaced these traditional monetary instruments, moving from a paper and metal based currency to plastic money in the form of credit cards, debit cards, etc. This has resulted in the increasing use of ATMs all over the world. The use of an ATM is not only safe but also convenient. This safety and convenience, unfortunately, has an evil side as well, one that does not originate from the use of plastic money but rather from its misuse. This evil side is reflected in the form of ATM frauds, which are a global problem. The use of plastic money is increasing day by day for payment of shopping bills, electricity bills, school fees, phone bills, insurance premiums, travelling bills and even petrol bills. The convenience and safety that credit cards carry have been instrumental in increasing both credit card volumes and usage. This growth is not only in the positive use of cards but also in their negative use.

INDIAN SCENARIO
In India, the total number of installed ATMs is far less than in many developed countries, and ATM-related frauds are very few. But they could increase as more and more ATMs penetrate the country, so banks should create awareness among customers about card-related frauds to reduce the number of frauds in future. In India, the Indian Banks' Association (IBA) can take the lead to kick-start this. ATM fraud is not the problem of banks alone. It is a big threat and it requires coordinated and cooperative action on the part of the banks, customers and the law enforcement machinery. ATM frauds not only cause financial loss to banks but also undermine customers' confidence in the use of ATMs. This would deter a greater use of ATMs for monetary transactions. It is therefore in the interest of banks to prevent ATM frauds. There is thus a need to take precautionary and insurance measures that give greater protection to ATMs, particularly those located in less secure areas. The nature and the extent of precautionary measures to be adopted will, however, depend upon the requirements of the respective banks.

WAYS TO CARD FRAUDS


Some of the popular techniques used to carry out ATM crime are:
1. Card Jamming: the ATM's card reader is tampered with in order to trap a customer's card. Later on the criminal removes the card.
2. Card Skimming: the illegal way of stealing the card's security information from the card's magnetic stripe.
3. Card Swapping: the customer's card is swapped for another card without the knowledge of the cardholder.
4. Website Spoofing: a new fictitious site is made which looks authentic to the user, and customers are asked to give their card number, PIN and other information, which are used to reproduce the card for use at an ATM.
5. Physical Attack: the ATM machine is physically attacked to remove the cash.

WAY TO USE CASH MACHINE


Be aware of others around you. If someone close by the cash machine is behaving suspiciously or makes you feel uncomfortable, choose another. Make sure you check the machine for any signs of tampering before you use it. Examine the machine for stick-on boxes, stick-on card entry slots etc. If you find it difficult to get your card into the slot, do not use it; go to another machine. If there is anything unusual about the cash machine, report it to the bank and police or the owner of the premises immediately. Under no circumstances should members of the public attempt to remove a device, as it's possible the offender may be nearby.

STEPS TO USE A CASH MACHINE


1. Give other users space to enter their personal identity number (PIN) in private.
2. Be aware of your surroundings. If someone is crowding or watching you, cancel the transaction and go to another machine. Take your card with you.
3. Do not accept help from "well meaning" strangers and never allow yourself to be distracted. Stand close to the cash machine and always shield the keypad to avoid anyone seeing you enter your PIN.

Precaution To Be Taken While Leaving Cash Machine


Once you have completed a transaction, discreetly put your money and card away before leaving the cash machine. If you lose your card in a cash machine, cancel the card immediately with the card issuer's 24-hour emergency line, which can be found on your last bank statement. Do not assume that your bank automatically knows that the machine has withheld your card. Again, beware of help offered by "well meaning" strangers. Dispose of your cash machine receipt, mini-statement or balance enquiry slip with care. Tear up or preferably shred these items before discarding them.

Card Fraud Also Happens In The Home:


Cardholders should also be warned of the risks of verifying bank details at home in unsolicited telephone conversations. Always call the person back using the advertised customer telephone number, not the telephone number they may give you.

1. Do Not Click On Hyperlinks Sent To You By Email Asking You To Confirm Your Bank Details Online:
Hyperlinks are links to web pages that have been sent to you by email and may open a dummy website designed to steal your personal details. Phone your bank instead on their main customer number or access your account. Use good antivirus and firewall protection.

2. Never Write Down Your Pin:


People make life very easy for pickpockets if they write down their PIN and keep it in their purse or wallet. Do not write down your PIN. If you have been given a number that you find difficult to remember, take your card along to a cash machine and change the number to one that you will be able to remember without writing it down.

PREVENTION FOR ATM CARDS


Most ATM frauds happen due to the negligence of customers in using ATMs and, more importantly, the negligence of banks in educating their customers about the matters that should be taken care of while at an ATM. ATM frauds in India arise more from negligence with the Personal Identification Number (PIN) than from sophisticated crimes like skimming. Banks need to develop a fraud policy; the policy should be written and distributed to all employees, borrowers and depositors. The most important aspect of reducing ATM-related fraud is to educate the customer. Here is a compiled list of guidelines to help keep your customer from becoming an ATM fraud victim:

1. Look for suspicious attachments.


Criminals often capture information through ATM skimming, using devices that steal magnetic stripe information. At a glance, the skimmer looks just like a regular ATM slot, but it's an attachment that captures ATM card numbers. To spot one, look for an attachment that slightly protrudes from the machine and may not be parallel with the inherent grooves. Sometimes, the equipment will even cut off the printed labels on the ATM. The skimmer will not obtain PIN numbers, however. To get those, fraudsters place hidden cameras facing the ATM screen. There's also the helpful bystander (the criminal) who may be standing by to kindly inform you the machine has had problems and offer to help. If you do not feel safe at any time, press the ATM cancel button, remove your card and leave the area immediately.

2. Minimize your time at the ATM.


The more time you spend at the ATM, the more vulnerable you are. If you need to update your records after a transaction, you are advised to do it at home or at the office, not while at the ATM. Even when depositing a cheque at the ATM, one should not make out or sign the cheque at the ATM. After the transaction, if you think you are being followed, go to an area with a lot of people and call the police.

3. Make smart deposits.

Some ATMs allow you to directly deposit checks and cash into your accounts without stuffing envelopes. As for envelope-based deposits, make sure they go through: if the envelope gets jammed and doesn't fully go into the machine, the next person can walk up and take it out. After having made the ATM deposit, compare your records with the account statements or online banking records.

4. EXAMPLE OF ATM FRAUD


ATM insecurity Aug 09:

ATM users in India are exposed to a kind of PIN theft risk that has been brought into focus by an arrest in Kolkata. The risk arises because the machine (only one type of machine, where the users insert the card and withdraw, is said to have this vulnerability) reads the PIN, stores it in its cache memory and goes blank under certain circumstances. The machine can then be released by inserting a screwdriver, but at that time the PIN remains in memory and can be used to withdraw money from the account of the user whose PIN remained stuck. This is clearly a vulnerability of the machine, and the liability on account of this vulnerability should fall on the bank. The bank in turn should be indemnified by the supplier of the embedded software that runs the system with this bug.

CYBER MONEY LAUNDERING


During the past two decades, IT and Internet technologies have reached every nook and corner of the world. E-commerce has come into existence due to attributes of the Internet like ease of use, speed, anonymity and its international nature. The Internet has converted the world into a boundaryless marketplace that never sleeps. Drug peddlers and organized criminals found a natural and much sought after ally in the Internet. Computer networks, and the Internet in particular, permit transfer of funds electronically between trading partners, businesses and consumers. This transfer can be done in many ways. They include use of credit cards, Internet banking, e-cash, e-wallets etc. For example, smart cards like Visa Cash and the Mondex card, whose use is growing, can store billions of dollars. At present, there is an upper limit imposed by the card issuers, but technically there is no limit. In some other forms of computer-based e-money, there is no upper limit. Mobile banking and mobile commerce are growing, and these technologies have the capability to transfer any amount of money at the touch of a button or click of a mouse. They can be effective tools in the hands of money launderers.

As cyber payment systems eliminate the need for face-to-face interactions, transfer of funds can be done between two trading partners directly. Two individuals can also transfer funds directly using e-wallets. This problem is further compounded by the fact that, in many countries, non-financial institutions are also permitted to issue e-money. Monitoring the activities of these institutions in a traditional manner is not possible. Earlier, cross-border transactions were controlled by the central banks of the respective countries. With the entry of Internet commerce, jurisdictional technicalities come into play, and this is another area that is being exploited by the money launderers. The capacity to transfer unlimited amounts of money without having to go through strict checks makes cyber money laundering an attractive proposition. From the point of view of law enforcement agencies, all the above advantages that cyber payments provide to consumers and trading partners turn out to be great disadvantages while investigating the crimes.

AIM OF MONEY LAUNDERING


The most important aim of money laundering is to conceal the origin of the money, which, in almost all cases, is illegal activity. Criminals resort to this practice to avoid detection of the money by law enforcement, which would lead to its confiscation and might also provide leads to the illegal activity. By laundering the money the criminals are trying to cover their tracks. Further, their aims could be to increase the profits by resorting to illegal money transfer etc. and also, of course, to support new criminal ventures. Money laundering, from the point of view of the criminal, increases the profits and, at the same time, reduces the risk. While indulging in the money laundering process, the launderers also attempt to safeguard their interests. They conceal the origin and ownership of the proceeds, maintain control over the proceeds and change the form of the proceeds.

MONEY LAUNDERING PROCESS


Money laundering is normally accomplished by using a three-stage process. The three steps involved are Placement, Layering and Integration. E-money and cyber payment systems come in handy in all the three stages of the process.

1. PLACEMENT
The first activity is placement. Illegal activities like drug trafficking and extortion generate very large volumes of money. People involved in these activities cannot explain the origin and source of these funds to the authorities. There is a constant fear of getting caught. So the immediate requirement is to send this money to a different location using all available means. This stage is characterized by facilitating the process of inducting the criminal money into the legal financial system. Normally, this is done by opening up bank accounts in the names of nonexistent people or commercial organizations and depositing the money. Online banking and Internet banking make it very easy for a launderer to open and operate a bank account. Placement in cyberspace occurs by depositing the illegal money with some legitimate financial institutions or businesses. This is done by breaking up the huge cash into smaller chunks. Launderers are very careful at this stage because the chances of getting caught are considerable here. Cyber payment systems can come in handy during this process.

2. LAYERING
Layering is the second sub process. In this, complex layers of financial transactions are created to disguise the audit trail and provide anonymity. This is used to distance the money from its sources. It is achieved by moving the money from and to offshore bank accounts in the names of shell companies or front companies by using Electronic Funds Transfer (EFT) or other electronic means. Every day trillions of dollars are transferred all over the world by other legitimate businesses, and thus it is almost impossible to ascertain whether some money is legal or illegal. Launderers normally make use of commodity brokers and stock brokers in the layering process. Launderers were also found to purchase high value commodities like diamonds etc. and export them to a different jurisdiction. During this process, they make use of the banks wherever possible, as in legal commercial activity.

3. INTEGRATION
Integration is the third sub process. This is the stage in which the cleaned money is ploughed back. This is achieved by making it appear as legally earned. This is normally accomplished by the launderers by establishing anonymous companies in countries where secrecy is guaranteed. Anyone with access to the Internet can start an e-business. This can look and function like any other e-business as far as the outside world is concerned. This anonymity is what makes the Internet very attractive for the launderers. They can then take loans from these companies and bring back the money. This way they not only convert their money but can also take the advantages associated with loan servicing in terms of tax relief. Another way can be by placing false export-import invoices and overvaluing goods.

The entire process can be explained with the help of an example. The money launderer's first activity is to set up an online commerce company which is legal. Normally, the launderer sets up the website for his company and accepts online payments using credit cards for the purchases made from his company's website. As a part of the whole scheme, launderers obtain credit cards from some banks or financial institutions located in countries with lax rules, which are known as safe havens. The launderer, sitting at home, then makes purchases using this credit card from his own website. As in normal transactions, the Web-based system then sends an invoice to the customer's bank (the customer happens to be the launderer himself) in the safe haven. The bank then pays the money into the account of the company. Cyber space provides a secure and anonymous opportunity to the criminals in money laundering operations. It has come to light that many gangs are opening front companies and hiring information technology specialists for nefarious activities. Incidents have also come to light where the criminals are using cryptography for hiding their transactions.

BUSINESS AREAS THAT SUPPORT OR ARE PRONE TO MONEY LAUNDERING
The banks and other financial institutions are the most important intermediaries in the money laundering chain. As far as the banks are concerned, the countries that are considered safe for launderers are Cayman Islands, Cyprus, Luxembourg, and Switzerland. The offshore accounts of these banks are popular because they offer anonymity and also help in tax evasion. Other financial institutions, like fund managers and those facilitating Electronic Fund Transfer, are also being manipulated by the launderers. Banking obviously is the sector most affected by money laundering operations. In fact, Bertolt Brecht said, "If you want to steal, then buy a bank." Multinational banks are more vulnerable to money laundering operations. When BCCI bank was investigated it came to light that there were 3,000 criminal customers and they were involved in offenses ranging from financing nuclear weapon programs to narcotics.

The second area is underground banking or parallel banking. This is practiced in different countries under different names. China follows a system called Fei Ch'ien. Under this system, money is deposited in one country and the depositor is handed a chit or chop. The money is paid back in another place on production of the chit. Similar systems known as Hundi and Hawala are practiced in India. It is much easier to launder the money using these methods as there is no physical movement of money. These practices mostly work on trust and are mostly controlled by the mafia in many countries.

Futures and commodity markets are another area which is found to be facilitating money laundering. The other areas include professional advisers, financing housing schemes, casinos, antique dealers and jewelers. Casinos are another business area that is actively involved in the money laundering process. In all the cases the underlying factor is paperless transactions. It was also found that launderers do take advantage of privatization in various countries by investing in them. This was observed in the UK, India and Colombia. In Colombia, when the banks were privatized, the Cali Cartel was reported to have invested heavily, and the Italian mafia reportedly purchased shares in Italian banks. This only shows the extent of the problem and also that the banks and financial institutions are the primary target of the launderers. In some countries, even political party organizations are known to be using laundered money for their campaigns.

EFFECTS ON BANKS
Almost all the banks trade in foreign exchange. Money laundering in any country or economy affects the foreign exchange market directly. Money laundering reduces the legal volume of the banks' business. It also causes fluctuations in the exchange rate. Further, money laundering can undermine the credibility of the banking system. Facilitating the activities of launderers, even inadvertently, can push the banks into problems with law enforcement agencies and also governments. In some reported cases, the bank's survival has come under threat. It is not difficult to see what effect it has on the profitability of banks.

OTHER EFFECTS
In one incident, an Indian national in one year handled US 81.5 bn illegal transactions, before his arrest during 1993. This incident also shows how the national economy gets affected. A few years before that, the Indian Government was so short of foreign exchange that it had to pledge gold in the London bank. One need not be an economist to understand the impact of money laundering on the economies of developing countries. The low regulation by central banks will become difficult and consequently, there will be a rise in inflation. Further, overall income distribution in an economy is likely to get affected. Money laundering can help in the spread of a parallel economy, which will result in loss to national income due to reduced tax collections and lost jobs. On the social plane, this can result in an increased crime rate and violence in society. There may be attempts to gain political power either directly or indirectly, like the Cali Cocaine Cartel's attempt in supporting the Colombian President, Samper, in the 1996 elections. Because cyber money laundering can be done from anywhere in the world without any jurisdiction, the effects are much more severe.

PREVENTION
Because of the nature of cyber money laundering, no country can effectively deal with it in isolation. Cyber money laundering has to be dealt with at organizational [Bank or Financial Institution], national and international levels.

AT INTERNATIONAL LEVEL
The UN has taken the lead, and during a 1995 meeting the international community signed a convention known as the UN Convention Against Illicit Traffic in Narcotic Drugs and Psychotropic Substances. Further, this convention made money laundering a crime and provided a model. During 2000, the UN also organized another convention against transnational organized crime. As a result of the UN's efforts, the group of seven industrialized nations established the Financial Action Task Force (FATF). The biggest source of money laundering funds is the drug trade, and the volume of money is large. In order to cover this vast amount of money, launderers need the financial services industry. They eye financial institutions that are in the business of accepting deposits from customers. After studying this phenomenon, the FATF noticed some critical points in the modus operandi of criminals which are difficult for the launderers to avoid. They are the points of entry of cash into the financial system, transfers to and from the financial system, and cross-border flows of cash. Paying attention to these issues can help in controlling cyber laundering to a considerable extent. According to the Financial Crimes Enforcement Network of the US, less than 1% of the money laundered in cyber space is ever detected or the criminals prosecuted. Prevention of money laundering in cyber space is proving to be a really daunting task.

Some of the suggested measures are as follows. The first is putting an upper limit on the amount of payment and the frequency of using e-money in peer to peer transfers. The second is making it mandatory for e-money organizations to identify their clients and also to keep track of money movement. The third is ensuring that Internet service providers keep a log of files involving finances for a number of years. The fourth is making audit compulsory for all electronic merchants and ensuring that they keep transaction records for a certain period of time. The fifth is training law enforcement agencies in dealing effectively with this crime. Last but not least is international co-operation: harmonizing the national cyber and terrestrial laws with international ones can help in dealing with this crime effectively.

AT NATIONAL LEVEL
Some countries like the UK have taken proactive steps to control this crime, which could be emulated by others. In the UK, deposit taking institutions (including banks) are expected to report suspicious transactions to the law enforcement authorities. The legal provisions regarding knowing the customer brought down the crime to a great extent. They empowered their customs officials to seize cash consignments of 10,000 pounds or more. Courts also permit confiscation of cash, if the investigating authorities have strong evidence that the money has come from illegal activities of drug trafficking. Issue of electronic money by private parties is another factor, as in some countries regulation of these people is not effective. Slowly, different countries are realizing the importance of this issue and enacting suitable rules aimed at providing transparency in transactions carried out by these institutions. The most important issues at national level are establishing a legal framework and training law enforcement officials. The major weapon to combat this crime is controlling financial transactions, including e-transactions, through legislation. Many countries have enacted stringent laws to control this crime. The UK and US have stringent laws for dealing with cyber money laundering. Many other countries are following suit. The Council of Europe has passed Criminal Justice Act. Hong Kong has passed similar laws. The single most important issue is harmonizing the terrestrial laws with cyber laws.

AT ORGANIZATIONAL [BANK] LEVEL


The banking and other financial organizations can reduce the quantum of money laundering by following the guidelines issued by the central banks of their respective countries in letter and spirit. The old principle of "knowing the customer well" will help a great deal. It is very important to keep the records of the customer for a sufficient time, at least for 8 to 10 years. Having an eye on suspicious deals can give early warnings of impending trouble. Any suspicious activities must be reported to law enforcement authorities. Developing internal control mechanisms is essential in this regard. Further, working in close association with other banks and exchanging information and intelligence will definitely be helpful. Law enforcement agencies have details of criminal elements and their transactions. By working in close conjunction with them, banks can have early warning of such activities. However, banks must keep in mind the legal provisions regarding privacy of individuals.
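One way a bank could keep "an eye on suspicious deals", as an added example that is not part of the original report: it flags accounts whose cash deposits each stay below a reporting threshold but add up to more than that threshold inside a short window, which is the "smaller chunks" pattern described under placement. The threshold, window, minimum count and sample deposits are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for illustration; a real bank takes them from its regulator's rules.
REPORT_THRESHOLD = 10_000       # a single deposit at or above this is reported anyway
WINDOW = timedelta(days=7)      # look-back window for adding deposits together
MIN_DEPOSITS = 3                # how many sub-threshold deposits make a pattern

# Constructed sample data: (account, ISO timestamp, cash amount deposited)
SAMPLE_DEPOSITS = [
    ("ACC-1", "2011-09-01T10:00", 9_500),
    ("ACC-1", "2011-09-02T11:30", 9_200),
    ("ACC-1", "2011-09-04T09:15", 9_800),
    ("ACC-2", "2011-09-01T12:00", 2_000),
    ("ACC-2", "2011-09-20T12:00", 2_500),
    ("ACC-3", "2011-09-03T14:00", 15_000),   # above the threshold: reported directly
    ("ACC-4", "2011-09-01T08:00", 6_000),
    ("ACC-4", "2011-09-15T08:00", 6_000),    # two weeks apart: never in one window
    ("ACC-4", "2011-09-29T08:00", 6_000),
]


def find_structuring(deposits, threshold=REPORT_THRESHOLD,
                     window=WINDOW, min_deposits=MIN_DEPOSITS):
    """Return {account: details} for accounts that split cash into small deposits."""
    by_account = defaultdict(list)
    for account, stamp, amount in deposits:
        if amount < threshold:                # only deposits that avoid the report
            by_account[account].append((datetime.fromisoformat(stamp), amount))

    alerts = {}
    for account, rows in by_account.items():
        rows.sort()                           # oldest first
        start, total = 0, 0
        for end, (stamp, amount) in enumerate(rows):
            total += amount
            # Slide the window forward: drop deposits older than `window`.
            while stamp - rows[start][0] > window:
                total -= rows[start][1]
                start += 1
            count = end - start + 1
            if count >= min_deposits and total >= threshold:
                best = alerts.get(account)
                if best is None or total > best["total"]:
                    alerts[account] = {
                        "total": total,
                        "count": count,
                        "first": rows[start][0],
                        "last": stamp,
                    }
    return alerts


if __name__ == "__main__":
    for account, hit in find_structuring(SAMPLE_DEPOSITS).items():
        print(account, hit["count"], "deposits totalling", hit["total"],
              "between", hit["first"].date(), "and", hit["last"].date())
```

An alert of this kind is a reason to review the account and, where warranted, report it; it is not proof of laundering.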

CREDIT CARDS FRAUDS


INTRODUCTION TO CREDIT CARDS
Credit was first used in Assyria, Babylon and Egypt 3000 years ago. The bill of exchange - the forerunner of banknotes - was established in the 14th century. Debts were settled by one-third cash and two-thirds bill of exchange. Paper money followed only in the 17th century. The first advertisement for credit was placed in 1730 by Christopher Thornton, who offered furniture that could be paid off weekly. From the 18th century until the early part of the 20th, tallymen sold clothes in return for small weekly payments. They were called "tallymen" because they kept a record or tally of what people had bought on a wooden stick. One side of the stick was marked with notches to represent the amount of debt and the other side was a record of payments. In the 1920s, a shopper's plate - a "buy now, pay later" system - was introduced in the USA. It could only be used in the shops which issued it. In 1950, Diners Club and American Express launched their charge cards in the USA, the first "plastic money". In 1951, Diners Club issued the first credit card to 200 customers who could use it at 27 restaurants in New York. But it was not until the establishment of standards for the magnetic strip in 1970 that the credit card became part of the information age. The first use of magnetic stripes on cards was in the early 1960's, when the London Transit Authority installed a magnetic stripe system. San Francisco Bay Area Rapid Transit installed a paper based ticket the same size as the credit cards in the late 1960's. The word credit comes from Latin, meaning "trust".

MEANING
Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. According to the Federal Trade Commission, while identity theft had been holding steady for the last few years, it saw a 21 percent increase in 2008. However, credit card fraud, the crime which most people associate with ID theft, decreased as a percentage of all ID theft complaints for the sixth year in a row. The cost of credit card fraud reaches into billions of dollars annually. In 2006, fraud in the United Kingdom alone was estimated at £535 million, or US$750-830 million at prevailing 2006 exchange rates.

The fraud begins with either the theft of the physical card or the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the card holder, the merchant or the bank, at least until the account is ultimately used for fraud. A simple example is that of a store clerk copying sales receipts for later use. The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised.

IF CARD IS STOLEN
When a credit card is lost or stolen, it remains usable until the holder notifies the bank that the card is lost; most banks have toll-free telephone numbers with 24-hour support to encourage prompt reporting. Still, it is possible for a thief to make unauthorized purchases on that card up until the card is cancelled. In the absence of other security measures, a thief could potentially purchase thousands of dollars in merchandise or services before the card holder or the bank realizes that the card is in the wrong hands. In the United States, federal law limits the liability of card holders to $50 in the event of theft, regardless of the amount charged on the card; in practice, many banks will waive even this small payment and simply remove the fraudulent charges from the customer's account if the customer signs an affidavit confirming that the charges are indeed fraudulent. Other countries generally have similar laws aimed at protecting consumers from physical theft of the card.

The only common security measure on all cards is a signature panel, but signatures are relatively easy to forge. Many merchants will demand to see a picture ID, such as a driver's license, to verify the identity of the purchaser, and some credit cards include the holder's picture on the card itself. However, the card holder has a right to refuse to show additional verification, and asking for such verification may be a violation of the merchant's agreement with the credit card companies. Self-serve payment systems (gas stations, kiosks, etc.) are common targets for stolen cards, as there is no way to verify the card holder's identity. A common countermeasure is to require the user to key in some identifying information, such as the user's ZIP or postal code. This method may deter casual theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial for the thief to deduce the information by looking at other items in the wallet. For instance, a U.S. driver license commonly has the holder's home address and ZIP code printed on it.

Banks have a number of countermeasures at the network level, including sophisticated real-time analysis that can estimate the probability of fraud based on a number of factors. For example, a large transaction occurring a great distance from the card holder's home might be flagged as suspicious. The merchant may be instructed to call the bank for verification, to decline the transaction, or even to hold the card and refuse to return it to the customer.

Stolen cards can be reported quickly by card holders, but a compromised account can be hoarded by a thief for weeks or months before any fraudulent use, making it difficult to identify the source of the compromise. The card holder may not discover fraudulent use until receiving a billing statement, which may be delivered infrequently.

Compromised Accounts
Card account information is stored in a number of formats. Account numbers are often embossed or imprinted on the card, and a magnetic stripe on the back contains the data in machine readable format. Fields can vary, but the most common include: name of card holder, account number, expiration date, verification.

Many Web sites have been compromised in the past and theft of credit card data is a major concern for banks. Data obtained in a theft, like addresses or phone numbers, can be highly useful to a thief as additional card holder verification.

Mail/Internet Order Fraud


The mail and the Internet are major routes for fraud against merchants who sell and ship products, as well as Internet merchants who provide online services. The industry term for catalog order and similar transactions is "Card Not Present" (CNP), meaning that the card is not physically available for the merchant to inspect. The merchant must rely on the holder (or someone purporting to be the holder) to present the information on the card by indirect means, whether by mail, telephone or over the Internet, when the cardholder is not present at the point of sale. It is difficult for a merchant to verify that the actual card holder is indeed authorizing the purchase. Shipping companies can guarantee delivery to a location, but they are not required to check identification and they are usually not involved in processing payments for the merchandise. A common preventive measure for merchants is to allow shipment only to an address approved by the cardholder, and merchant banking systems offer simple methods of verifying this information. Additionally, smaller transactions generally undergo less scrutiny, and are less likely to be investigated by either the bank or the merchant, since the cost of research and prosecution usually far outweighs the loss due to fraud. CNP merchants must take extra precaution against fraud exposure and associated losses, and they pay higher rates to merchant banks for the privilege of accepting cards. Anonymous scam artists bet on the fact that many fraud prevention features do not apply in this environment. Merchant associations have developed some prevention measures, such as single use card numbers, but these have not met with much success. Customers expect to be able to use their credit card without any hassles, and have little incentive to pursue additional security due to laws limiting customer liability in the event of fraud. Merchants can implement these prevention measures but risk losing business if the customer chooses not to use the measures.

Account Takeover
There are two types of fraud within the identity theft category:

1. Application Fraud
Application fraud occurs when criminals use stolen or fake documents to open an account in someone else's name. Criminals may try to steal documents such as utility bills and bank statements to build up useful personal information. Alternatively, they may create counterfeit documents.

2. Account Takeover
Account takeover involves a criminal trying to take over another person's account, first by gathering information about the intended victim, then contacting their bank or credit issuer, masquerading as the genuine cardholder, and asking for mail to be redirected to a new address. The criminal then reports the card lost and asks for a replacement to be sent. The replacement card is then used fraudulently.

Some merchants have added a new practice to protect consumers and their own reputation, where they ask the buyer to send a copy of the physical card and statement to ensure the legitimate usage of a card.

Three people held guilty in online credit card scam


Customers' credit card details were misused online for booking air tickets. The culprits were caught by the city Cyber Crime Investigation Cell in Pune. It was found that the misused details belonged to 100 people. Mr. Parvesh Chauhan, an ICICI Prudential Life Insurance officer, had complained on behalf of one of his customers. In this regard Mr. Sanjeet Mahavir Singh Lukkad, Dharmendra Bhika Kale and Ahmad Sikandar Shaikh were arrested. Lukkad was employed at a private institution, and Kale was his friend. Shaikh was employed in one of the branches of State Bank of India. According to the information provided by the police, one of the customers received an SMS alert for the purchase of a ticket even though the credit card was in his possession. The customer was alert and realized something was fishy; he enquired and came to know about the misuse. He contacted the bank in this regard. Police observed the involvement of many banks in this matter. The tickets were booked online. Police requested the log details and got the information of the private institution. Investigation revealed that the details were obtained from State Bank of India. Shaikh was working in the credit card department; due to this he had access to the credit card details of some customers. He gave that information to Kale. Kale in turn passed this information to his friend Lukkad. Using the information obtained from Kale, Lukkad booked tickets. He used to sell these tickets to customers and get money for the same. He had given a few tickets to various other institutions.

Cyber Cell head DCP Sunil Pulhari, PI Mohan Mohadikar and A.P.I Kate were involved in eight days of investigation and finally caught the culprits. In this regard various banks have been contacted; four airline companies have also been contacted. DCP Sunil Pulhari has requested customers who have fallen into this trap to inform police authorities on 2612-4452 or 2612-3346 if they have any problems.

SKIMMING
Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is typically an "inside job" by a dishonest employee of a legitimate merchant, and can be as simple as photocopying of receipts. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim's credit card out of their immediate view. The skimmer will typically use a small keypad to unobtrusively transcribe the 3- or 4-digit Card Security Code, which is not present on the magnetic strip. Instances of skimming have been reported where the perpetrator has put a device over the card slot of a public cash machine (Automated Teller Machine), which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a pinhole camera to read the user's PIN at the same time. Skimming is difficult for the typical card holder to detect, but given a large enough sample, it is fairly easy for the bank to detect. The bank collects a list of all the card holders who have complained about fraudulent transactions, and then uses data mining to discover relationships among the card holders and the merchants they use. For example, if many of the customers used one particular merchant, that merchant's terminals (devices used to authorize transactions) can be directly investigated.

SKIMMER

Sophisticated algorithms can also search for known patterns of fraud. Merchants must ensure the physical security of their terminals, and penalties for merchants can be severe in cases of compromise, ranging from large fines to complete exclusion from the merchant banking system, which can be a death blow to businesses such as restaurants which rely on credit card processing.
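The merchant analysis described above, as an added example that is not part of the original report: given the cards whose holders complained about fraud and each card's earlier purchase history, it ranks merchants by how much more often the complaining cards used them than cards in general did. The card ids, merchant names and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: card id -> merchants the card was used at before fraud appeared.
HISTORY = {
    "card-01": {"Cafe Aroma", "City Fuel", "BookBarn"},
    "card-02": {"Cafe Aroma", "GroceryMart"},
    "card-03": {"Cafe Aroma", "City Fuel"},
    "card-04": {"Cafe Aroma", "GroceryMart", "BookBarn"},
    "card-05": {"GroceryMart", "City Fuel"},
    "card-06": {"GroceryMart"},
    "card-07": {"GroceryMart", "BookBarn"},
    "card-08": {"City Fuel", "GroceryMart"},
    "card-09": {"GroceryMart", "Cafe Aroma"},
    "card-10": {"BookBarn"},
}

# Constructed sample: cards whose holders reported fraudulent transactions.
COMPLAINTS = {"card-01", "card-02", "card-03", "card-04"}


def common_points_of_purchase(history, complaints, min_cards=3, min_lift=1.5):
    """Rank merchants that complaining cards have in common.

    lift = (share of complaining cards seen at the merchant)
           / (share of all cards seen at the merchant)
    A busy merchant that everybody uses gets a lift near 1.0 and is not flagged;
    a merchant used mostly by the complaining cards gets a high lift.
    """
    fraud_cards = [card for card in complaints if card in history]
    if not fraud_cards:
        return []

    seen_all = defaultdict(int)      # merchant -> number of cards overall
    seen_fraud = defaultdict(int)    # merchant -> number of complaining cards
    for card, merchants in history.items():
        for merchant in merchants:
            seen_all[merchant] += 1
            if card in complaints:
                seen_fraud[merchant] += 1

    results = []
    for merchant, hits in seen_fraud.items():
        share_fraud = hits / len(fraud_cards)
        share_all = seen_all[merchant] / len(history)
        lift = share_fraud / share_all
        if hits >= min_cards and lift >= min_lift:
            results.append((merchant, hits, round(lift, 2)))

    # Highest lift first; merchant name breaks ties so the order is stable.
    return sorted(results, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for merchant, hits, lift in common_points_of_purchase(HISTORY, COMPLAINTS):
        print(f"{merchant}: used by {hits} complaining cards, lift {lift}")
```

A merchant at the top of this list is where the terminals and staff access would be examined first; the ranking by itself does not show who copied the cards.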

CARDING
Carding is a term used for a process to verify the validity of stolen card data. The thief presents the card information on a website that has real-time transaction processing. If the card is processed successfully, the thief knows that the card is still good. The specific item purchased is immaterial, and the thief does not need to purchase an actual product; a Web site subscription or charitable donation would be sufficient. The purchase is usually for a small monetary amount, both to avoid using the card's credit limit, and also to avoid attracting the bank's attention. A website known to be susceptible to carding is known as a "cardable" website.

In the past, carders used computer programs called "generators" to produce a sequence of credit card numbers, and then test them to see which were valid accounts. Another variation would be to take false card numbers to a location that does not immediately process card numbers, such as a trade show or special event. However, this process is no longer viable due to the widespread requirement by internet credit card processing systems for additional data such as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiry date, as well as the more prevalent use of wireless card scanners that can process transactions right away. Nowadays, carding is more typically used to verify credit card data obtained directly from the victims by skimming or phishing. A set of credit card details that has been verified in this way is known in fraud circles as a "phish". A carder will typically sell data files of phish to other individuals who will carry out the actual fraud. Market price for a phish ranges from US$1.00 to US$50.00 depending on the type of card, freshness of the data and credit status of the victim.

PREVENTION FOR CREDIT CARD FRAUD
Credit card fraud is bad business. In 2004, credit card fraud cost US merchants 2,664.9 million dollars (Celent Communications). Credit card fraud is a significant problem in Canada, too. The credit card loss total for 2007 was $304,255,215, according to the RCMP. And while 'no-card' fraud is growing, most credit card frauds are still being committed using lost, stolen or counterfeit cards. Whether you have a brick-and-mortar business or an online one, credit card fraud is costing you money.

Credit card fraud prevention when dealing with credit card customers face-to-face
1. Ask for and check other identification, such as a driver's license or other photo ID. Check to see if the ID has been altered in any way, as a person trying to use a stolen credit card may also have stolen or fake ID.
2. Examine the signature on the card. If the signature on the credit card is smeared, it could be that the credit card is stolen and the person has changed the signature to his or her own.
3. Compare signatures. Besides comparing the signature on the credit card with the person's signature on the credit card slip, compare the signatures as well to those on any other ID presented.
4. Have another look at the card's signature panel. It should show a repetitive colour design of the MasterCard or Visa name. Altered signature panels (those that are discolored, glued, painted, erased, or covered with white tape) are an indication of credit card fraud.
5. Check the credit card's embossing. "Ghost images" of other numbers behind the embossing are a tip-off that the card has been re-embossed. The hologram may be damaged. (The holograms on credit cards that have not been tampered with will show clear, three-dimensional images that appear to move when the card is tilted.)
6. Check the presented card against recent lists of stolen and invalid credit card numbers. Call for authorization of the credit card, remembering to take both the credit card and the sales draft with you. That way, if the customer runs away while you're making the call, you still have the credit card. Ask for a "Code 10" if you have reason to suspect a possible credit card fraud, such as a possible counterfeit or stolen card.
7. Destroy all carbon copies of the credit card transaction, to ensure that no one can steal the credit card information and to help prevent future credit card fraud.
8. It's also very important to be sure that your staff is educated about credit card fraud.

You can use the points above as a "to do" list for dealing with credit card transactions. For information on the suspicious behavior that may indicate someone trying to commit credit card fraud, see "Suspicious Behaviors That May Indicate Credit Card Fraud".

When dealing with credit card customers over the phone or through the Internet, credit card fraud prevention strategies such as scrutinizing the credit card aren't going to work. You can, however, be alert to suspicious behaviors and shape your credit policies to nip credit card fraud in the bud.
1. Don't process credit card orders unless the information is complete.
2. Don't process credit card orders that originate from free e-mail addresses or from e-mail forwarding addresses. In such a case, ask the customer for an ISP (Internet Service Provider) or domain-based e-mail address that can be traced back.
3. If the shipping address and the billing address on the order are different, call the customer to confirm the order. You may even want to make it a policy to ship only to the billing address on the credit card.
4. Be wary of unusually draft orders.
5. Be wary of orders shipped to a single address but purchased with multiple cards.
6. Be wary of multiple transactions made with similar card numbers in a sequence.
7. Be wary of orders you're asked to ship express, rush or overnight. This is the shipping of choice for many credit card fraudsters. Call the customer to confirm the order first.
8. Be wary of overseas orders, especially if the order exhibits any of the characteristics noted above.
9. The first is Mod10 algorithm testing. Mod10 is an algorithm that will show whether the card number being presented is a valid card number and is within the range of numbers issued by credit card companies. It cannot give any other details, like the number issued by any other company. This test should be the first one applied to any credit card number one processes. If the card fails Mod10, one can safely assume fraud.

Credit card fraud may not be entirely preventable, but by establishing and following procedures to check every credit card transaction, you can cut down your credit card fraud losses.
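An added example, not part of the original report, that applies the phone/Internet checklist and the Mod10 test above to a batch of orders. Mod10 (the Luhn checksum) only confirms that the digits are internally consistent, so a pass does not show that the account exists or that the buyer is its holder. The field names, free-mail list, home country and sample orders are constructed assumptions, and the card numbers are published test numbers or constructed variants of them.

```python
from collections import defaultdict

FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com"}   # assumed sample list
RUSH = {"express", "rush", "overnight"}
HOME_COUNTRY = "IN"                                      # assumed merchant country
REQUIRED = ("card", "expiry", "email", "billing", "shipping", "country", "speed")


def mod10_ok(card):
    """Mod10 / Luhn: double every second digit from the right, sum, check % 10."""
    digits = card.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                 # every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def screen_orders(orders):
    """Return {order id: [flags]}; flag names follow the checklist items above
    (item 4 is not modelled)."""
    cards_by_address = defaultdict(set)  # item 5: one address, several cards
    cards_by_prefix = defaultdict(set)   # item 6: numbers differing in last 4 digits
    for o in orders:
        card = o.get("card", "")
        cards_by_address[o.get("shipping", "").strip().lower()].add(card)
        cards_by_prefix[card[:-4]].add(card)

    report = {}
    for o in orders:
        flags = []
        card = o.get("card", "")
        ship = o.get("shipping", "").strip().lower()
        if any(not o.get(field) for field in REQUIRED):
            flags.append("incomplete")                       # item 1
        if o.get("email", "").rpartition("@")[2].lower() in FREE_MAIL:
            flags.append("free_email")                       # item 2
        if ship != o.get("billing", "").strip().lower():
            flags.append("address_mismatch")                 # item 3
        if ship and len(cards_by_address[ship]) > 1:
            flags.append("many_cards_one_address")           # item 5
        if len(cards_by_prefix[card[:-4]]) > 1:
            flags.append("sequential_cards")                 # item 6
        if o.get("speed") in RUSH:
            flags.append("rush_shipping")                    # item 7
        if o.get("country") and o["country"] != HOME_COUNTRY:
            flags.append("overseas")                         # item 8
        if not mod10_ok(card):
            flags.append("mod10_fail")                       # item 9
        report[o["id"]] = flags
    return report


# Constructed sample orders.
ORDERS = [
    {"id": "O1", "card": "5555555555554444", "expiry": "12/13",
     "email": "asha@corp.example", "billing": "12 MG Road, Pune",
     "shipping": "12 MG Road, Pune", "country": "IN", "speed": "standard"},
    {"id": "O2", "card": "4111111111111111", "expiry": "01/13",
     "email": "buyer1@gmail.com", "billing": "5 Park St, Mumbai",
     "shipping": "Warehouse 9, Thane", "country": "IN", "speed": "overnight"},
    {"id": "O3", "card": "4111111111111129", "expiry": "03/13",
     "email": "ops@shop.example", "billing": "Warehouse 9, Thane",
     "shipping": "Warehouse 9, Thane", "country": "IN", "speed": "standard"},
    {"id": "O4", "card": "4012888888881882", "expiry": "06/13",
     "email": "", "billing": "1 Main St, Austin",
     "shipping": "1 Main St, Austin", "country": "US", "speed": "standard"},
]

if __name__ == "__main__":
    for order_id, flags in screen_orders(ORDERS).items():
        print(order_id, "OK" if not flags else ", ".join(flags))
```

Flagged orders are candidates for the confirmation call the checklist recommends rather than automatic rejection, since legitimate customers also use free e-mail addresses and express shipping.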

Phishing

Phishing is a new form of identity theft that frequently occurs on the web. The term refers to baiting techniques implemented by a criminal to fish personal information out of an unsuspecting user. The purpose is to use this information to commit identity theft and other types of fraud.

Phishing typically originates via email or a fraudulent website. More often than not, the design will resemble well-known, trusted companies, financial institutions or government services. This makes it much easier for a criminal to persuade a user to give up sensitive information, such as bank account information or usernames and passwords.

In most cases, a phishing scam originating from an email will contain false statements intended to alarm the recipient. The sender may give the impression that the recipient is at immediate risk of having their bank, credit card or financial accounts compromised. Other phishing attempts may falsely state that the recipient's credit card was declined or is being used by another individual.

One live example of phishing revolved around a mass email campaign that occurred in the summer of 2004. The messages advised consumers of a prominent Canadian institution to provide their personal information because of technical difficulties. Of course, these emails were neither distributed nor authorized by that particular financial institution.

A phishing email can also promise a gift or other incentives to recipients. While the message may appear rewarding, the purpose remains the same: to persuade the unknowing into disclosing personal and financial data to aid in the act of identity theft.

Criminals who distribute phishing emails rely on the hope that some of their recipients may actually have a relationship with the legitimate business they are portraying. However, a recipient is much more likely to respond if the email appears to come from a trusted source, whether there is a relationship or not.

Unfortunately, individuals who respond to these emails are putting their assets and financial information at risk. An identity thief can use this data to access active accounts to withdraw funds or buy expensive items and services. They can also use the information to open up new accounts in the victim's name and remain under the radar by supplying a different address. Worst of all, recipients may not realize for some time that they have just become a victim of identity theft.

How to Combat Phishing Schemes

Because this crime has evolved so rapidly, Canada's Department of Public Safety has teamed up with the United States Department of Justice to warn internet users about phishing. Here are three steps they recommend when being approached with this scam:

1. Recognize it: The popularity of phishing has made this scheme easier to detect. A user should never respond to or click on any links in an email from a sender requesting sensitive information.
2. Report it: If you have taken the bait of a phishing scam, it is very important to contact your credit card company or financial institution right away. You should also report this crime to your local police department. This will provide you with documentation that may need to be displayed to an institution to help prove your case.
3. Prevent it: Phishing can be prevented by learning the routine practice of your credit card company or financial institution. In most instances, they will never ask you to confirm such sensitive information via email. By understanding how these companies operate, you can stop schemers in their tracks and save yourself from identity theft.

Phishing email
From: *****Bank [mailto:support@****Bank.com]
Sent: 08 June 2004 03:25
To: India
Subject: Official information from ***** Bank

Dear valued ***** Bank Customer!

For security purposes your account has been randomly chosen for verification. To verify your account information we are asking you to provide us with all the data we are requesting. Otherwise we will not be able to verify your identity and access to your account will be denied. Please click on the link below to get to the bank secure page and verify your account details. Thank you.

https://infinity.*****bank.co.in/Verify.jsp

Bank Limited

UTI Bank hooked in a phishing attack


14 February 2007

Fraudsters of cyberspace have reared their ugly head, the first of its kind this year, by launching a phishing attack on the website of Ahmadabad-based UTI Bank, a leading private bank promoted by India's largest financial institution, Unit Trust of India (UTI).

A URL on Geocities that is almost a facsimile version of the UTI Bank's home page is reported to be circulating amongst email users. The web page not only asks for the account holder's information such as user and transaction login and passwords, it has also beguilingly put up disclaimer and security hazard statements.

"In case you have received any e-mail from an address appearing to be sent by UTIBANK, advising you of any changes made in your personal information, account details or information on your user id and password of your net banking facility, please do not respond. It is UTI Bank's policy not to seek or send such information through email. If you have already disclosed your password please change it immediately," the warning says.

The tricky link is available on http://br.geocities/ If any unsuspecting account holder enters his login id, password, transaction id and password in order to change his details as 'advised' by the bank, the same info is sent vide mailform.cz (the phisher's database). After investigation, we found that Mailform is a service of PC Svet, which is a part of the Czech company PES Consulting. The Webmaster of the site is a person named Petr Stastny whose e-mail can be found on the web page.

Top officials at UTI Bank said that they have reported the case to the Economic Office Wing, Delhi Police. The bank has also engaged the services of Melbourne-based FraudWatch International, a leading anti-phishing company that offers phishing monitoring and take-down solutions.

"We are now in the process of closing the site. Some of these initiatives take time, but customers have been kept in the loop about these initiatives," said V K Ramani, President - IT, UTI Bank.

As per the findings of UTI Bank's security department, the phishers have sent more than 1,00,000 emails to account holders of UTI Bank as well as other banks. Though the company has kicked off damage control initiatives, none of the initiatives are cent percent foolproof. "Now there is no way for banks to know if the person logging-in with accurate user information is a fraud," said Ramani.

However, reliable sources within the bank and security agencies confirmed that the losses due to this particular attack were zilch. The bank has sent alerts to all its customers informing about such malicious websites, besides beefing up their alert and fraud response system. "Engaging professional companies like FraudWatch help in reducing time to respond to attacks," said Sanjay Haswar, Assistant Vice President, Network and Security, UTI Bank.

Cyber Criminals

Cyber criminals fall into various groups or categories. This division may be justified on the basis of the object that they have in mind. The following are the categories of cyber criminals:

1. Children and adolescents between the age group of 6-18 years

The simple reason for this type of delinquent behaviour pattern in children is seen mostly due to the inquisitiveness to know and explore things. Another cognate reason may be to prove themselves to be outstanding amongst other children in their group. Further, the reasons may even be psychological. E.g. the Bal Bharati (Delhi) case was the outcome of harassment of the delinquent by his friends.

2. Organized hackers

These kinds of hackers are mostly organized together to fulfill a certain objective. The reason may be to fulfill their political bias, fundamentalism, etc. Pakistani hackers are said to be among the best quality hackers in the world. They mainly target Indian government sites with the purpose of fulfilling their political objectives. Further, the NASA as well as the Microsoft sites are always under attack by hackers.

3. Professional hackers / crackers

Their work is motivated by the colour of money. These kinds of hackers are mostly employed to hack the site of rivals and get credible, reliable and valuable information. Further, they are even employed to crack the system of the employer, basically as a measure to make it safer by detecting the loopholes.

4. Discontented employees

This group includes those people who have been either sacked by their employer or are dissatisfied with their employer. To avenge themselves, they normally hack the system of their employer.

Working of Cyber Criminals


Cyber crime has become a profession and the demographic of your typical cyber criminal is changing rapidly, from bedroom-bound geek to the type of organized gangster more traditionally associated with drug-trafficking, extortion and money laundering.

It has become possible for people with comparatively low technical skills to steal thousands of pounds a day without leaving their homes. In fact, to make more money than can be made selling heroin (and with far less risk), the only time the criminal need leave his PC is to collect his cash. Sometimes they don't even need to do that.

In all industries, efficient business models depend upon horizontal separation of production processes, professional services, sales channels etc. (each requiring specialized skills and resources), as well as a good deal of trade at prices set by the market forces of supply and demand. Cyber crime is no different: it boasts a buoyant international market for skills, tools and finished product. It even has its own currency.

The rise of cyber crime is inextricably linked to the ubiquity of credit card transactions and online bank accounts. Get hold of this financial data and not only can you steal silently, but also through a process of virus-driven automation with ruthlessly efficient and hypothetically infinite frequency.

The question of how to obtain credit card/bank account data can be answered by a selection of methods, each involving its own relative combination of risk, expense and skill. The most straightforward is to buy the 'finished product'. In this case we'll use the example of an online bank account. The product takes the form of information necessary to gain authorized control over a bank account with a six-figure balance. The cost to obtain this information is $400 (cyber criminals always deal in dollars). It seems like a small figure, but for the work involved and the risk incurred it's very easy money for the criminal who can provide it. Also remember that this is an international trade; many cyber-criminals of this ilk are from poor countries in Eastern Europe, South America or South-East Asia.

The probable marketplace for this transaction will be a hidden IRC (Internet Relay Chat) chatroom. The $400 fee will most likely be exchanged in some form of virtual currency such as e-gold.

Not all cyber-criminals operate at the coalface, and they certainly don't work exclusively of one another; different protagonists in the crime community perform a range of important, specialized functions. These broadly encompass:

Coders: comparative veterans of the hacking community. With a few years' experience at the art and a list of established contacts, coders produce ready-to-use tools (i.e. Trojans, mailers, custom bots) or services (such as making a binary code undetectable to AV engines) for the cyber crime labour force, the 'kids'. Coders can make a few hundred dollars for every criminal activity they engage in.

Kids: so-called because of their tender age; most are under 18. They buy, trade and resell the elementary building blocks of effective cyber-scams such as spam lists, php mailers, proxies, credit card numbers, hacked hosts, scam pages etc. Kids will make less than $100 a month, largely because of the frequency of being 'ripped off' by one another.

Drops: the individuals who convert the 'virtual money' obtained in cyber crime into real cash. Usually located in countries with lax e-crime laws (Bolivia, Indonesia and Malaysia are currently very popular), they represent 'safe' addresses for goods purchased with stolen financial details to be sent, or else 'safe' legitimate bank accounts for money to be transferred into illegally, and paid out of legitimately.

Mobs: professionally operating criminal organizations combining or utilizing all of the functions covered by the above. Organized crime makes particularly good use of safe drops, as well as recruiting accomplished coders onto their payrolls.

Gaining control of a bank account is increasingly accomplished through phishing. There are other cyber crime techniques, but space does not allow their full explanation. All of the following phishing tools can be acquired very cheaply: a scam letter and scam page in your chosen language, a fresh spam list, a selection of php mailers to spam-out 100,000 mails for six hours, a hacked website for hosting the scam page for a few days, and finally a stolen but valid credit card with which to register a domain name. With all this taken care of, the total costs for sending out 100,000 phishing emails can be as little as $60. This kind of phishing trip will uncover at least 20 bank accounts of varying cash balances, giving a market value of $200-$2,000 in e-gold if the details were simply sold to another cybercriminal. The worst-case scenario is a 300% return on the investment, but it could be ten times that.

Better returns can be accomplished by using drops to cash the money. The risks are high, though: drops may take as much as 50% of the value of the account as commission, and instances of 'ripping off' or 'grassing up' to the police are not uncommon. Cautious phishers often separate themselves from the physical cashing of their spoils via a series of drops that do not know one another. However, even taking into account the 50% commission, and a 50% rip-off rate, if we assume a single stolen balance of $10,000-$100,000, then the phisher is still looking at a return of between 40 and 400 times the meagre outlay of his/her phishing trip.

In large operations, offshore accounts are invariably used to accumulate the criminal spoils. This is more complicated and far more expensive, but ultimately safer.

The alarming efficiency of cybercrime can be illustrated starkly by comparing it to the illegal narcotics business. One is faster, less detectable, more profitable (generating a return around 400 times higher than the outlay) and primarily non-violent. The other takes months or years to set up or realise an investment, is cracked down upon by almost all governments internationally, is fraught with expensive overheads, and is extremely dangerous.

Add phishing to the other cyber-criminal activities driven by hacking and virus technologies, such as carding, adware/spyware planting, online extortion, industrial spying and mobile phone dialers, and you'll find a healthy community of cottage industries and international organizations working together productively and trading for impressive profits. Of course these people are threatening businesses and individuals with devastating loss, financial hardship and troubling uncertainty, and must be stopped.

On top of viruses, worms, bots and Trojan attacks, organizations in particular are contending with social engineering deception and traffic masquerading as legitimate applications on the network. In a reactive approach to this onslaught, companies have been layering their networks with stand-alone firewalls, intrusion prevention devices, anti-virus and anti-spyware solutions in a desperate attempt to plug holes in the armoury. They're beginning to recognize it's a failed strategy. After all, billions of pounds are being spent on security technology, and yet security breaches continue to rise.

To fight cyber crime there needs to be a tightening of international digital legislation and of cross-border law enforcement co-ordination. But there also needs to be a more creative and inventive response from the organizations under threat. Piecemeal, reactive security solutions are giving way to strategically deployed multi-threat security systems. Instead of having to install, manage and maintain disparate devices, organizations can consolidate their security capabilities into a commonly managed appliance. These measures combined, in addition to greater user education, are the best safeguard against the deviousness and pure innovation of cyber-criminal activities.

Three Ways to Deter Cyber Crime


Ironically, as businesses move from risky paper check payments to a safer means of electronic B2B payments, the online banking systems through which payments are originated have become an attractive fraud target. Although businesses are using payment fraud control devices such as ACH Positive Pay and ACH Debit Filter, they only mitigate fraud after it occurs. There are at least five fresh reasons to step up the security investment.

1. The browser is the weak point. Trojans and other malware, like man-in-the-browser attacks that are difficult to detect, hijack the transaction inside of a browser session and subsequently attack the application and database on the server. According to Fiserv Strategies, most of the top 100 banks have experienced similar incidents. Man-in-the-browser attacks are becoming mainstream, RSA reports in its whitepaper, Business Success in a Dark Market: An Inside Look at How the Fraud Underground Operates, especially in the U.S. and Europe where two-factor authentication is already densely deployed.
2. The customer is the endpoint. Banks deliver services to business customers through the browser; however, they aren't in control of the business's computing environment. Businesses are legally responsible for their transaction banking environment, but 20 million U.S. small businesses are particularly vulnerable to cyber fraud as they don't have the experience or resources to combat fraud, yet they initiate high risk payments transactions (e.g., ACH, wires). Many banks provision online services to small businesses on consumer systems with inadequate security for business activity.
3. Tweet this: multichannel banking is here. The cyber threat environment is growing more complex, especially as Web banking expands from Web and file transfer to mobile/smart phone and social channels and as the workforce grows younger. An integrated multichannel approach to information, transactions and fraud is necessary to lower costs and increase effectiveness.
4. Single sign on lags business banking. Banks are seeking new corporate/business portal solutions or independent SSO applications to solve the security usability problem. If the bank looks for an SSO solution in an existing packaged online banking offering, it may not get the integrated authentication and entitlements it needs. "Most solutions secure the session," says Nick Owen of WIKID systems. As malware is now attacking at the application level, transaction authentication needs to be cryptographically distinct from the session.
5. Fuhgettaboudit: cyber crime is organized crime. According to RSA, Internet fraudsters have created an end-to-end supply chain to advance malware attacks and the online vector used to efficiently deploy them. While the security technology market is creating security-as-a-service solutions, criminals are creating fraud-as-a-service, and fraud has moved from the consumer to businesses that initiate payments and bank online.

But new approaches are emerging to tackle 21st century online banking problems. Among them are the secure browser and integrated single sign on. Banks are taking three positive steps in the right direction:

Organizing to combat fraud.


Business fraud incidents are significant (albeit underreported), as related by major security companies and members of industry entities such as the Financial Services-Information Sharing and Analysis Center. Formed by presidential directive in 1999, FS-ISAC now has 4,100 members from institution, brokerage and insurance sectors. Members successfully share threat vulnerabilities through a network of trust that guarantees anonymity, while reporting important threat information to financial industry, government and other industry sectors, says FS-ISAC president William B. Nelson.

Implementing secure browsers


The secure browser solves the openness problem of the Internet without plunging the world back into private networks. Much like a dedicated business to bank connection, the secure browser uses only the rendering portion of the browser and restricts URL destinations with a bank and company controlled list through entitlements and self-tests for changes indicating malware such as Trojans. This creates a secure connection akin to a virtual private network, but without the technical requirements and cost overhead. Like a regular browser, the secure browser performs site authentication, but it shuts the user down if a site is not authenticated, rather than asking the normal user to decide whether it is okay to continue during an abnormal event.

Using integrated, single sign on.


Independent integrated SSO solutions are appearing to fill the security gaps of online business banking and cash management solutions, which were never intended as portal or SSO solutions. The new integrated SSO combines user credential management for entity Websites with browser validation with a multi-layered security approach including strong authentication, software based keyboards to thwart key loggers, one-time perishable pass code generation and utilization, and strong authentication of destination Websites to prevent DNS poisoning and pharming.

The global economic costs of cyber crime are estimated at more than one trillion dollars and costs to the U.S. at about $8 billion. The banking industry is moving to shared fraud analytics to detect cyber crime in flight, but it should also be prevented at the outset. Financial products with built-in security are absolutely essential. Industry groups, banks and technology companies are emerging to fill the gaps and build the online experience with the proper foundation to mitigate threats that have moved beyond network perimeters to applications and data.
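Reason 4 above says transaction authentication needs to be cryptographically distinct from the session. The following Python sketch is an added example, not code from any bank or vendor named on this page: it assumes a per-customer key held on a separate signing device, and the class, field and account names are constructed.

```python
import hashlib
import hmac
import json
import secrets


def canonical(tx: dict) -> bytes:
    """Unambiguous byte encoding of the fields the customer actually approves."""
    fields = {k: tx[k] for k in ("payee_account", "amount_minor", "currency", "nonce")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(device_key: bytes, tx: dict) -> str:
    """Runs on the customer's signing device, which shows payee and amount itself
    (assumption: the key never enters the browser)."""
    return hmac.new(device_key, canonical(tx), hashlib.sha256).hexdigest()


class Bank:
    """Hypothetical server side: the session says who is logged in,
    the signature says what was approved."""

    def __init__(self):
        self.device_keys = {}   # customer -> key provisioned to the signing device
        self.sessions = {}      # session id -> customer
        self.open_nonces = {}   # nonce -> customer, removed on first use

    def enroll(self, customer: str) -> bytes:
        key = secrets.token_bytes(32)
        self.device_keys[customer] = key
        return key

    def login(self, customer: str) -> str:
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = customer
        return session_id

    def new_nonce(self, session_id: str) -> str:
        nonce = secrets.token_hex(8)
        self.open_nonces[nonce] = self.sessions[session_id]
        return nonce

    def submit(self, session_id: str, tx: dict, signature: str):
        customer = self.sessions.get(session_id)
        if customer is None:
            return (False, "no session")
        # A nonce is valid once, so a captured request cannot be replayed.
        if self.open_nonces.pop(tx.get("nonce"), None) != customer:
            return (False, "unknown or used nonce")
        # Verify over the transaction the server RECEIVED, not what the page displayed.
        expected = sign_transaction(self.device_keys[customer], tx)
        if not hmac.compare_digest(expected, signature):
            return (False, "signature mismatch")
        return (True, "accepted")


def demo() -> dict:
    bank = Bank()
    key = bank.enroll("acme-ltd")
    session_id = bank.login("acme-ltd")
    results = {}

    tx = {"payee_account": "ACC-1001", "amount_minor": 5000000,
          "currency": "INR", "nonce": bank.new_nonce(session_id)}
    sig = sign_transaction(key, tx)
    results["honest"] = bank.submit(session_id, tx, sig)
    results["replay"] = bank.submit(session_id, tx, sig)

    # Same valid session, but the payee was changed after the customer signed.
    tx2 = dict(tx, nonce=bank.new_nonce(session_id))
    sig2 = sign_transaction(key, tx2)
    altered = dict(tx2, payee_account="ACC-9999")
    results["altered"] = bank.submit(session_id, altered, sig2)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(case, outcome)
```

The altered payment is rejected even though the session is still valid, which is the property a session-only control cannot provide.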

GENERAL TIPS FOR AVOIDING POSSIBLE INTERNET FRAUD SCHEMES


Organized crime is making a big business out of stealing bank account and credit card records, says an authoritative study released this morning. The Verizon Business Data Breach Investigations Report found that 94 percent of all records compromised by cybercrime in 2009 were from financial services companies. Perhaps that's not a surprise. "Stealing digital money from information systems rather than vaults is basically just a less primitive form of bank robbery," the report said. "It represents the nearest approximation to actual cash for the criminal."

The full report is fascinating to read. It looked at more than 900 corporate data breaches involving more than 900 million compromised records, and reveals that high levels of cybercrime are carried out by insiders such as dishonest bank employees. And it verifies what you probably already suspect: that some breaches never even get reported.

All of that spells trouble for consumers, because there's little you can do to prevent your financial data from being stolen from your bank's servers. You can, however, limit how badly such a theft could hurt you. Here are some tips.

Check your bank's security policies and its policies for covering losses due to fraud.
At a minimum, a bank should have a policy of double-checking you if you ever try to access your account from a different computer than the one you ordinarily use. That could just mean you're using the computer at your parents' house, or it could mean that a criminal has your password. Look up your bank on the data breach list at the Privacy Rights Clearinghouse to see if it's had serious problems in the past.

Change your passwords often.
And use different passwords for every bank and brokerage account.

Read all of your statements like a hawk.
As soon as anything shows up on your bank statement or credit card bill that seems wrong, contact your financial institution and keep a record of your complaint.

Keep your business accounts and your personal accounts separate and protected by different passwords.
Commercial accounts don't always receive the protection that personal accounts do. If you have a business account with a big line of credit and a criminal cleans it out, your bank might not make you whole, as Forbes details in a recent troubling story.

Take all of the usual steps to protect your credit report.
But realize that freezes and alerts just stop thieves from opening new accounts in your name; they don't stop anyone from using the accounts you already have to clean you out.

Don't use a debit card.
I admit, that's just me talking; some people love them. But if someone steals your credit card number, you can usually maintain your financial life while you get it straightened out. If someone steals your debit card number, however, they can empty your checking account before you know it's gone. And then your checks will bounce and your bills won't get paid. Banks say they'll make good on debit card losses, but the stress of dealing with bounced payments and a compromised checking account while you wait is more than I'd want to sign up for. Carry a minimal amount of cash and use a credit card for everyday expenses. Pay it off every month, of course, but that's a post for another day.

PREVENTION OF CYBER CRIME:


Prevention is always better than cure. It is always better to take certain precaution while operating the net. The 5P mantra for online security is Precaution, Prevention, Protection, Preservation and Perseverance. The following things should always be kept in mind:

As an Enterprise

Employ defense-in-depth strategies, which emphasize multiple, overlapping, and mutually supportive defensive systems to guard against single-point failures in any specific technology or protection method. This should include the deployment of regularly updated antivirus, firewalls, intrusion detection, and intrusion protection systems on client systems.

1. Turn off and remove services that are not needed.
2. If malicious code or some other threat exploits one or more network services, disable or block access to those services until a patch is applied.
3. Consider implementing network compliance solutions that will help keep infected mobile users out of the network.
4. Enforce an effective password policy.
5. Configure mail servers to block or remove email that contains file attachments that are commonly used to spread viruses, such as .VBS, .BAT, .EXE, .PIF, and .SCR files.
6. Isolate infected computers quickly to prevent the risk of further infection within the organization.
7. Perform a forensic analysis and restore the computers using trusted media.
8. Train employees to not open attachments unless they are expected and come from a known and trusted source, and to not execute software that is downloaded from the Internet unless it has been scanned for viruses.
9. Ensure that emergency response procedures are in place. This includes having a backup-and-restore solution in place in order to restore lost or compromised data in the event of successful attack or catastrophic data loss.
10. Educate management on security budgeting needs.
11. Test security to ensure that adequate controls are in place.
12. Be aware that security risks may be automatically installed on computers with the installation of file sharing programs, free downloads, and freeware and shareware versions of software. Clicking on links and/or attachments in email messages may also expose computers to unnecessary risks. Ensure that only applications approved by the organization are deployed on desktop computers.

As a Consumer

Consumers should use an Internet security solution that combines antivirus, firewall, intrusion detection, and vulnerability management for maximum protection against malicious code and other threats.

Consumers should ensure that security patches are up to date and that they are applied to all vulnerable applications in a timely manner.

Consumers should ensure that passwords are a mix of letters and numbers, and should change them often. Passwords should not consist of words from the dictionary.

Consumers should never view, open, or execute any email attachment unless the attachment is expected and the purpose of the attachment is known.

Consumers should keep virus definitions updated regularly. By deploying the latest virus definitions, consumers can protect their computers against the latest viruses known to be spreading in the wild.
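Item 5 of the enterprise list (blocking mail that carries .VBS, .BAT, .EXE, .PIF or .SCR attachments) fails in practice when the check is a plain suffix match on the raw header value. The following Python sketch is an added example, not part of the original project; the function names and sample messages are constructed, and only the standard library email package is used.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# The extensions named in item 5 of the enterprise list.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}


def effective_extension(filename: str) -> str:
    """Extension the receiving desktop would act on.

    Handles the usual evasions: upper case, a harmless-looking inner
    extension ("invoice.pdf.exe"), path prefixes, and trailing dots or
    spaces, which Windows drops when the file is saved.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    name = name.strip().rstrip(". ").lower()
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[1]


def blocked_attachments(raw: bytes) -> list:
    """Return the filenames in a raw message that match the block list."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # walk() visits every MIME part, including parts nested in multipart containers.
    for part in msg.walk():
        # get_filename() decodes the Content-Disposition filename and falls
        # back to the Content-Type "name" parameter.
        filename = part.get_filename()
        if filename and effective_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def verdict(raw: bytes):
    """Gateway decision for one message: ("deliver" | "quarantine", offending names)."""
    hits = blocked_attachments(raw)
    return ("quarantine" if hits else "deliver", hits)


def build_sample(filenames: list) -> bytes:
    """Constructed test message with dummy attachment bodies."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    for name in filenames:
        msg.add_attachment(b"constructed sample bytes", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(verdict(build_sample(["report.pdf"])))
    print(verdict(build_sample(["invoice.pdf.exe", "notes.txt", "PHOTO.SCR"])))
```

An extension block list is only one layer: it does not look inside archives or at file content, which is why the list above pairs it with antivirus scanning and user training.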

CONCLUSION
Lastly I conclude by saying that

Thieves are not born, but made out of opportunities.


This quote exactly reflects the present environment related to technology, where it is changing very fast. By the time regulators come up with preventive measures to protect customers from innovative frauds, either the environment itself changes or new technology emerges. This helps criminals to find new areas to commit the fraud. Computer forensics has developed as an indispensable tool for law enforcement. But in the digital world, as in the physical world the goals of law enforcement are balanced with the goals of maintaining personal liberty and privacy. Jurisdiction over cyber crimes should be standardized around the globe to make swift action possible against terrorist whose activities are endearing security worldwide. The National institute of justice, technical working group digital evidence are some of the key organization involved in research. The ATM fraud is not the sole problem of banks alone. It is a big threat and it requires a coordinated and cooperative action on the part of the bank, customers and the law enforcement machinery. The ATM frauds not only cause financial loss to banks but they also undermine customers' confidence in the use of ATMs. This would deter a greater use of ATM for monetary transactions. It is therefore in the interest of banks to prevent ATM frauds. There is thus a need to take precautionary and insurance measures that give greater "protection" to the ATMs, particularly those located in less secure areas. The nature and extent of precautionary measures to be adopted will, however, depend upon the requirements of the respective banks. Internet Banking Fraud is a fraud or theft committed using online technology to illegally remove money from a bank account and/or transfer money to an account in a different bank. Internet Banking Fraud is a form of identity theft and is usually made possible through techniques such as phishing. 
Credit card fraud can be committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Cyber space and cyberpayment methods are being abused by money launderers for converting their dirty money into legal money. For carrying out their activities launderers need banking system. Internet, online banking facilitates speedy financial transactions in relative anonymity and this is being exploited by the cyber money launderers. Traditional systems like credit cards had some security features built into them to prevent such crime but issue of e-money by unregulated institutions may have none. Preventing cyber money laundering is an uphill task which needs to be tackled at different levels. This has to be fought on three planes, first by banks/ financial institutions, second by nation states and finally through international efforts. The regulatory framework must also take into account all the related issues like development of e-money, right to privacy of individual. International law and international co-operation will go a long way in this regard.

The capacity of the human mind is unfathomable. It is not possible to eliminate cyber crime from cyberspace, but it is quite possible to check it. History is witness that no legislation has succeeded in totally eliminating crime from the globe. The only possible step is to make people aware of their rights and duties (to report crime as a collective duty towards society) and further to make the application of the laws more stringent to check crime. Undoubtedly the Act is a historic step in the cyber world. Further, I do not at all deny that there is a need to bring changes in the Information Technology Act to make it more effective in combating cyber crime.

CASE STUDY
INDIA'S FIRST ATM CARD FRAUD

The Chennai City Police have busted an international gang involved in cyber crime, with the arrest of Deepak Prem Manwani (22), who was caught red-handed while breaking into an ATM in the city in June last, it is reliably learnt. The dimensions of the city cops' achievement can be gauged from the fact that they have netted a man who is on the wanted list of the formidable FBI of the United States. At the time of his detention, he had with him Rs 7.5 lakh knocked off from two ATMs in T Nagar and Abiramipuram in the city. Prior to that, he had walked away with Rs 50,000 from an ATM in Mumbai.

While investigating Manwani's case, the police stumbled upon a cyber crime involving scores of persons across the globe. Manwani is an MBA drop-out from a Pune college and served as a marketing executive in a Chennai-based firm for some time. Interestingly, his audacious crime career started in an Internet cafe. While browsing the Net one day, he got attracted to a site which offered him assistance in breaking into ATMs. His contacts, sitting somewhere in Europe, were ready to give him credit card numbers of a few American banks for $5 per card. The site also offered the magnetic codes of those cards, but charged $200 per code.

The operators of the site had devised a fascinating idea to get the personal identification numbers (PINs) of the card users. They floated a new site which resembled that of a reputed telecom company. That company has millions of subscribers. The fake site offered visitors a refund of $11.75 per head which, the site promoters said, had been collected in excess by mistake from them. Believing that it was a genuine offer from the telecom company in question, several lakh subscribers logged on to the site to get back that little money, but in the process parted with their PINs. Armed with all the requisite data to hack the bank ATMs, the gang started its systematic looting.
Apparently, Manwani and many others of his ilk entered into a deal with the gang behind the site and could purchase any amount of data, of course on certain terms, or simply enter into a deal on a booty-sharing basis. Meanwhile, Manwani also managed to generate 30 plastic cards that contained the necessary data to enable him to break into ATMs. He was so enterprising that he was able to sell a few such cards to his contacts in Mumbai. The police
