IN

BANKS
S

UNIVERSITY OF MUMBAI

PROJECT ON:
CYBER CRIME IN BANKING SECTOR

CYBER SUBMITTED BY
CRIMES
PRAJNA VASU POOJARY

PROJECT GUIDE
 Prof. Ms. RINKY

BANKING AND INSURANCE

SEMESTER V

(2010-11)

BIRLA COLLEGE OF ARTS, SCIENCE & COMMERCE,

KALYAN (WEST)

Declaration
I student of B&I Semester V (2010-11) hereby declare that I have
completed this project on

The information submitted is true & original to the best of my

knowledge.
 Stud
ent’s Signature

Name of
Student

CERTIFICATE
This is to certify that Ms.________________________ Of TYB&I has
successfully completed the project on

__________________________

_____________________ under the guidance of_________________

___________

Project Guide

Principal
 Course Co-ordinator

External Examiner

ACKNOWLEDGEMENT

This is to express my earnest gratitude and extreme joy at being bestowed with an
opportunity to get an opportunity to get an interesting and informative project on
“CYBER CRIME IN BANKING SECTOR”. I would like to thank all the people
who have helped me in completion of project, I would avail this opportunity to express
my profound gratitude and indebtness to all those people.

I am extremely grateful to my project guide Prof. Ms. RINKY who has given
an opportunity to work on such an interesting project. She proved to be a constant source
of inspiration to me and provided constructive comments on how to make this report
better. Credit also goes to my friends whose constant encouragement kept me in good
stead.

Lastly without fail I would thank all my faculties for providing all
explicit and implicit support to me during the course of my project

EXCECUTIVE SUMMARY

Cyber crimes are any illegal activities committed using computer target of
the criminal activity can be either a computer, network operations. Cyber crimes
are genus of crimes, which use computers and networks for criminal activities.
The difference between traditional crimes and cyber crimes is the cyber crimes
can be transnational in nature. Cyber crime is a crime that is committed online in
many areas using e-commerce. A computer can be the target of an offence when
unauthorized access of computer network occurs and on other hand it affects E-
COMMERCE. Cyber crimes can be of various types such as
Telecommunications Piracy, Electronic Money Laundering and Tax Evasion,
Sales and Investment Fraud, Electronic Funds Transfer Fraud and so on…

The modern contemporary era has replaced these traditional monetary

instruments from a paper and metal based currency to “plastic money” in the
form of credit cards, debit cards, etc. This has resulted in the increasing use of
ATM all over the world. The use of ATM is not only safe but is also convenient.
This safety and convenience, unfortunately, has an evil side as well that do not
originate from the use of plastic money rather by the misuse of the same. This
evil side is reflected in the form of “ATM frauds” that is a global problem.

Internet commerce has grown exponentially during the past few years and
is still growing. But unfortunately the growth is not on the expected lines because
the credit card fraud which has become common has retarded the e-commerce
growth. Credit card fraud has become regular on internet which not only affects
card holders but also online merchants. Credit card fraud can be done by taking
over the account, skimming or if the card is stolen. Certain preventive measures
can be taken to becoming a credit card victim.

The term "Internet fraud" refers generally to any type of fraud scheme that
uses one or more components of the Internet - such as chat rooms, e-mail,
message boards, or Web sites - to present fraudulent solicitations to prospective
victims, to conduct fraudulent transactions, or to transmit the proceeds of fraud to
financial institutions or to other connected with the scheme.

Some form of internet frauds include:- spam’s , scams spy ware,

identity theft, phishing ,internet banking fraud.
 “The modern thief can steal more with a
computer than with a gun. Tomorrows terrorist may
be able to do more damage with a keyboard than
with a bomb.”
-National research council, “computer at risk “ 1991
 INDEX PAGE
SR. NO
NO
CYBER CRIME

INTRODUCTION
The usage of internet services in India is growing rapidly. It has
given rise to new opportunities in every field we can think of – be it
entertainment, business, sports or education.

There are many pros and cons of some new types of technology
which are been invented or discovered. Similarly the new & profound technology
i.e. using of INTERNET Service, has also got some pros & cons. These cons are
named CYBER CRIME, the major disadvantages, illegal activity committed on
the internet by certain individuals because of certain loop-holes. The internet,
along with its advantages, has also exposed us to security risks that come with
connecting to a large network. Computers today are being misused for illegal
activities like e- mail espionage, credit card fraud, spams, and software piracy
and so on, which invade our privacy and offend our senses. Criminal activities in
the cyberspace are on the rise.

Computer crimes are criminal activities, which involve the use

of information technology to gain an illegal or an unauthorized access to a
computer system with intent of damaging, deleting or altering computer data.
Computer crimes also include the activities such as electronic frauds, misuse of
devices, identity theft and data as well as system interference. Computer crimes
may not necessarily involve damage to physical property. They rather include the
manipulation of confidential data and critical information. Computer crimes
involve activities of software theft, wherein the privacy of the users is hampered.
These criminal activities involve the breach of human and information privacy, as
also the theft and illegal alteration of system critical information. The different
types of computer crimes have necessitated the introduction and use of newer
and more effective security measures.

In recent years, the growth and penetration of internet across

Asia Pacific has been phenomenal. Today, a large number of rural areas in India
and a couple of other nations in the region have increasing access to the internet
—particularly broadband. The challenges of information security have also grown
manifold. This widespread nature of cyber crime is beginning to show negative
impact on the economic growth opportunities in each of the countries.

It is becoming imperative for organizations to take both

preventive and corrective actions if their systems are to be protected from any
kind of compromise by external malicious elements. According to the latest
statistics, more than a fifth of the malicious activities in the world originate from
the Asia Pacific region. The malicious attacks included denial-of-service attacks,
spam, and phishing and bot attacks. Overall, spam made up 69% of all
monitored e-mail traffic in the Asia Pacific region. As per the National Crime
Records Bureau statistics, there has been a 255% increase in cyber crime in
India alone. And mind you, these are just the reported cases. In view of this,
various governmental and non-governmental agencies are working towards
reducing cyber crime activities.

Computer crime, cybercrime, e-crime, hi-tech crime or

electronic crime generally refers to criminal activity where a computer or
network is the source, tool, target, or place of a crime. These categories are
not exclusive and many activities can be characterized as falling in one or more
category. Additionally, although the terms computer crime and cybercrime are
more properly restricted to describing criminal activity in which the computer or
network is a necessary part of the crime, these terms are also sometimes used to
include traditional crimes, such as fraud, theft, blackmail, forgery, and
embezzlement, in which computers or networks are used. As the use of
computers has grown, computer crime has become more important.

Defining Cyber Crime

Information Technology Act, 2000.

Defining cyber crimes, as "acts that are punishable by the Information

Technology Act" would be unsuitable as the Indian Penal Code also covers many
cyber crimes ,such as email spoofing and cyber defamation, sending threatening
emails etc.
Computer crime has been defined as “unauthorized use of a computer for
personal gain, as in the illegal transfer of funds or to alter the data or property of
others” (“Computer Crime”, 2007).

CLASSIFICATION OF CYBER CRIMES

CYBER
CRIMES

AGAINST
AGAINST AGAINST
ORGANISATIO
INDIVIDUAL GOVERNMENT
N
 AGAINST INDIVIDUALS

VIRUS
ATTACK

CYBER
STALKING HARASSMENT

AGAINST
INDIVIDUAL

DEFAMATION
THEFT

EMAIL
SPOOFING
AGAINST ORGANISATION
 UNAUTHORISED
CONTROL ON
SYSTEM

UNAUTHORISED
PIRATED
INFORMATION AGAINST SOFWARE
POSSESED ORGANISATION
DISTRIBUTION

CYBER
TERRORISM

AGAINST SOCIETY
 PORNOGRAPHY

TRAFIKKING FINANCIAL
CRIMES

AGAINST
SOCIETY

SALE OF
FORGERY ILLEGAL
ARTICLES

ONLINE
GAMBLING

The history of cyber crime

. The first recorded cyber crime took place in the year 1820! That is
not surprising considering the fact that the abacus, which is thought to be the
earliest form of a computer, has been around since 3500 B.C. in India, Japan
and China. The era of modern computers, however, began with the analytical
engine of Charles Babbage.
In 1820, Joseph-Marie Jacquard, a textile manufacturer in
France, produced the loom. This device allowed the repetition of a series of steps
in the weaving of special fabrics. This resulted in a fear amongst Jacquard's
employees that their traditional employment and livelihood were being
threatened. They committed acts of sabotage to discourage Jacquard from
further use of the new technology. This is the first recorded cyber crime!
Today computers have come a long way, with neural networks and
nano-computing promising to turn every atom in a glass of water into a computer
capable of performing a Billion operations per second.
Cyber crime is an evil having its origin in the growing dependence
on computers in modern life. In a day and age when everything from microwave
ovens and refrigerators to nuclear power plants is being run on computers, cyber
crime has assumed rather sinister implications. Major cyber crimes in the recent
past include the Citibank rip off. US $ 10 million were fraudulently transferred out
of the bank and into a bank account in Switzerland. A Russian hacker group led
by Vladimir Kevin, a renowned hacker, perpetrated the attack. The group
compromised the bank's security systems. Vladimir was allegedly using his office
computer at AO Saturn, a computer firm in St. Petersburg, Russia, to break into
Citibank computers. He was finally arrested on Heathrow airport on his way to
Switzerland.

CYBERCRIMES IN INDIA
 As India become the fourth highest number of Internet users
in the world, cyber crimes in India has also increased 50 percent in 2007 over the
previous year. According to the Information Technology (IT) Act, the majority of
offenders were under 30 years of age.

Around 46 percent of cyber crimes were related to incidents

of cyber pornography, followed by hacking. According to recent published 'Crime
in 2007 report', published by the National Crime Record Bureau (NCRB), in over
60 percent of these cases, offenders were between 18 and 30. These cyber-
crimes are punishable under two categories; the IT Act 2000 and the Indian
Penal Code (IPC). According to the report, 217 cases of cyber-crime were
registered under the IT Act in 2007, which is an increase of 50 percent from the
previous year. Under the IPC section, 339 cases were recorded in 2007
compared to 311 cases in 2006. Out of 35 mega cities, 17 cities have reported
around 300 cases of cyber-crimes under both categories that is an increase of
32.6 percent in a year. The report also shows that cyber crime is not only limited
to metro cities but it also moved to small cities like Bhopal. According to the
report, Bhopal, the capital of Madhya Pradesh has reported the highest incidence
of cyber crimes in the country.
In order to tackle with cyber crime, Delhi Police have trained 100 of
its officers in handling cyber crime and placed them in its Economic Offences
Wing. These officers were trained for six weeks in computer hardware and
software, computer networks comprising data communication networks, network
protocols, wireless networks and network security. Faculty at Guru Gobind Singh
Indraprastha University (GGSIPU) was the trainers. cases go unreported. Most
victims, especially the corporate, continue to downplay on account of the fear of
negative publicity thereby failing to give a correct picture of the cyber crime
scene in the country. According to Cyber law expert Na Vijayashankar (popularly
known as Naavi); it is difficult to measure the growth of Cyber Crimes by any
statistics, the reason being that a majority of cyber crimes don't get reported. "If
we, therefore, focus on the number of cases registered or number of convictions
achieved, we only get diverted from real facts," he adds. Duggal points out to the
results of a survey he conducted in early 2006 on the extent of under- reporting.
For every 500 instances of cyber crimes that take place in India, only fifty are
reported and out of that fifty, only one is registered as an FIR or criminal case.
So, the ratio effectively is 1:500 and this, he points out, are conservative
estimates. Giving an insight into the reasons for low reporting, Nandkumar
Sarvade, director, Cyber Security and Compliance at Nasscom, points out that
very often, people are not aware whether an incident is a cyber crime; there is
also lack of awareness on where to lodge a complaint or whether the police will
be able to understand. "Added to this is the fear of losing business and hence,
many cases don't come to light," he adds.
CHANGING FACE OF CRIME
The last year has seen a quantum jump not only in the quantity and quality
but also the very nature of cyber crime activities. According to Naavi, a
perceptible trend being observed is that cyber crimes are moving from 'Personal
Victimization' to 'Economic Offences'. SD Mishra, ACP, IPR and Cyber Cell,
Economic Offences Wing, Delhi Police concurs that the cases that are now
coming up are more related to financial frauds. As opposed to obscenity,
pornography, malicious emails that were more prevalent in the past, now credit
card frauds, phishing attacks, online share trading, etc. are becoming more
widespread. As Seth points out, initially, when the Internet boom began, certain
crimes were noticeable and cyber stalking was one of the first ones. "However,
with the little offences came the larger ones involving huge money and one has
seen this sudden jump from smaller crimes to financial crimes in the last one
year," she adds
 BANKING SECTOR
The Banking Industry was once a simple and reliable business that took
deposits from investors at a lower interest rate and loaned it out to borrowers at a
higher rate.

However deregulation and technology led to a revolution in the Banking

Industry that saw it transformed. Banks have become global industrial
powerhouses that have created ever more complex products that use risk.
Through technology development, banking services have become available 24
hours a day, 365 days a week, through ATMs, at online banking, and in
electronically enabled exchanges where everything from stocks to currency
futures contracts can be traded.
 The Banking Industry at its core provides access to credit. In the
lenders case, this includes access to their own savings and investments, and
interest payments on those amounts. In the case of borrowers, it includes access
to loans for the creditworthy, at a competitive interest rate.

Banking services include transactional services, such as verification of

account details, account balance details and the transfer of funds, as well as
advisory services that help individuals and institutions to properly plan and
manage their finances. Online banking channels have become a key in the last
10 years

The collapse of the Banking Industry in the Financial Crisis, however,

means that some of the more extreme risk-taking and complex securitization
activities that banks increasingly engaged in since 2000 will be limited and
carefully watched, to ensure that there is not another banking system meltdown
in the future.
 Banking in India originated in the last decades of the 18th century. The
oldest bank in existence in India is the State Bank of India, a government-owned
bank that traces its origins back to June 1806 and that is the largest commercial
bank in the country. Central banking is the responsibility of the Reserve Bank of
India, which in 1935 formally took over these responsibilities from the then
Imperial Bank of India, relegating it to commercial banking functions. After India's
independence in 1947, the Reserve Bank was nationalized and given broader
powers. In 1969 the government nationalized the 14 largest commercial banks;
the government nationalized the six next largest in 1980.

Currently, India has 88 scheduled commercial banks (SCBs) - 27 public

sector banks (that is with the Government of India holding a stake), 31 private
banks (these do not have government stake; they may be publicly listed and
traded on stock exchanges) and 38 foreign banks. They have a combined
network of over 53,000 branches and 17,000 ATMs. According to a report by
ICRA Limited, a rating agency, the public sector banks hold over 75 percent of
total assets of the banking industry, with the private and foreign banks holding
18.2% and 6.5% respectively.
TYPES OF CYBER CRIMES
 CYBER
CRIME IN
BANKIN
G
SECTOR

CREDIT
MONEY
ATM CARD
LAUNDE SKIMMING PHISHING
FRAUDS FRAUD
RING

AUTOMATED TELLER MACHINE

 The traditional and ancient society was devoid of any monetary
instruments and the entire exchange of goods and merchandise was managed
by the “barter system”. The use of monetary instruments as a unit of exchange
replaced the barter system and money in various denominations was used as the
sole purchasing power. The modern contemporary era has replaced these
traditional monetary instruments from a paper and metal based currency to
“plastic money” in the form of credit cards, debit cards, etc. This has resulted in
the increasing use of ATM all over the world. The use of ATM is not only safe but
is also convenient. This safety and convenience, unfortunately, has an evil side
as well that do not originate from the use of plastic money rather by the misuse of
the same. This evil side is reflected in the form of “ATM FRAUDS” that is a
global problem. The use of plastic money is increasing day by day for payment of
shopping bills, electricity bills, school fees, phone bills, insurance premium,
travelling bills and even petrol bills. The convenience and safety that credit cards
carry with its use has been instrumental in increasing both credit card volumes
and usage. This growth is not only in positive use of the same but as well as the
negative use of the same. The world at large is struggling to increase the
convenience and safety on the one hand and to reduce it misuse on the other.

INDIAN SCENARIO
In India, where total number of installed ATM’s base is far less than many
developed countries. ATM-related frauds are very less. But they could increase
as more and more ATM’s will penetrate in the country, the bank should create
awareness among customers about the card- related frauds to reduce the
number of frauds in future. In India, Indian Banks Association (IBA) can take lead
to kick started.

The ATM fraud is not the sole problem of banks alone. It is a big threat
and it requires a coordinated and cooperative action on the part of the bank,
customers and the law enforcement machinery. The ATM frauds not only cause
financial loss to banks but they also undermine customers’ confidence in the use
of ATMs. This would deter a greater use of ATM for monetary transactions. It is
therefore in the interest of banks to prevent ATM frauds. There is thus a need to
take precautionary and insurance measures that give greater “protection” to the
ATMs, particularly those located in less secure areas. The nature and the extent
of precautionary measures to be adopted will, however, depend upon the
requirements of the respective banks.
 WAYS TO CARD FRAUDS

Some of the popular techniques used to carry out ATM crime are:

1.Through Card Jamming ATM’s card reader is tampered with in order to trap a
customer’s card. Later on the criminal removes the card.

2.Card Skimming, is the illegal way of stealing the card’s security information
from the card’s magnetic stripe.

3.Card Swapping, through this customer’s card is swapped for another card
without the knowledge of cardholder.

4.Website Spoofing, here a new fictitious site is made which looks authentic to
the user and customers are asked to give their card number. PIN and other
information, which are used to reproduce the card for use at an ATM.
5.Physical Attack. ATM machine is physical attacked for removing the cash.

WAY TO USE CASH MACHINE

Be aware of others around you. If someone close by the cash machine is

behaving suspiciously or makes you feel uncomfortable, choose another .Make
sure you check the machine before you use it for any signs of tampering.
Examine the machine for stick on boxes, stick on card entry slots etc. If you find it
difficult to get your card into the slot, do not use it, go to another machine
 If there is anything unusual about the cash machine report it to the bank
and police or the owner of the premises immediately. Under no circumstances
should members of the public attempt to remove a device as it’s possible the
offender may be nearby

.
 STEPS TO USE A CASH MACHINE

1. Give other
users space to
enter their
personal identity
number (PIN) in
private.

2. Be aware of your surroundings. If someone is crowding or watching you,

cancel the transaction and go to another machine. Take your card with you.

3. Do not accept help from "well meaning" strangers and never allow yourself to
be distracted.

4. Stand close to the cash machine and always shield the keypad to avoid
anyone seeing you enter your PIN

Precaution To Be Taken While Leaving Cash Machine

 Once you have completed a transaction, discreetly put your money and
card away before leaving the cash machine.

If you lose your card in a cash machine, cancel the card

immediately with the card issuer’s 24-hour emergency line, which can be found
on your last bank statement. Do not assume that your bank automatically knows
that the machine has withheld your card. Again, beware of help offered by "well
meaning strangers".

Dispose of your cash machine receipt, mini-statement or

balance enquiry slip with care. Tear up or preferably shred these items before
discarding them.

Card Fraud Also Happens In The Home:

Cardholders should also be warned of the risks of verifying bank details at

home in unsolicited telephone conversations. Always call the person back using
the advertised customer telephone number, not the telephone number they may
give you.

1.Do Not Click On Hyperlinks Sent To You By Email Asking You To

Confirm Your Bank Details Online:

 Hyperlinks are links to web pages that have been sent to you by email and
may open a dummy website designed to steal your personal details. Phone your
bank instead on their main customer number or access your account using the
bank's main website address.

Use good antivirus and firewall protection.

2.NEVER Write Down Your Pin:

People make life very easy for pickpockets if they write down their PIN
and keep it in their purse or wallet. Do not write down your PIN. If you have been
given a number that you find difficult to remember, take your card along to a cash
machine and change the number to one that you will be able to remember
without writing it down.
PREVENTION FOR ATM CARDS
Most ATM frauds happen due to the negligence of customers in using,
and more importantly, negligence of banks in educating their customers about
the matters that should be taken care of while at an ATM. The number of ATM
frauds in India is more in regard to negligence of the Personal Identification
Number (PIN), than by sophisticated crimes like skimming. Banks need to
develop a fraud policy – the policy should be written and distributed to all
employees, borrowers and depositors.

The most important aspect for reducing ATM related fraud is

to educate the customer.

Here is a compiled list of guidelines to help your customer from being an

ATM fraud victim:

1. Look for suspicious attachments. Criminals often capture information

through ATM skimming – using devices that steal magnetic strip information. At a
glance, the skimmer looks just like a regular ATM slot, but it‘s an attachment that
captures ATM card numbers. To spot one, the attachment slightly protrudes from
the machine and may not be parallel with the inherent grooves. Sometimes, the
equipment will even cut off the printed labels on the ATM. The skimmer will not
obtain PIN numbers, however. To get that, fraudsters place hidden cameras
facing the ATM screen. There‘s also the helpful bystander (the criminal) who may
be standing by to kindly inform you the machine has had problems and offer to
help. If you do not feel safe at any time, press the ATM cancel button, remove
your card and leave the area immediately.
 2.Minimize your time at the ATM. The more time you spend at the ATM,
the more vulnerable you are. If you need to update your records after a
transaction, one is advised do it at home or office, but not while at the ATM. Even
when depositing a cheque at the ATM, on should not make/sign the cheque at
the ATM. After the transaction, if you think you are being followed, go to an area
with a lot of people and call the police.

3.Make smart deposits. Some ATMs allow you to directly deposit checks
and cash into your accounts without stuffing envelopes. As for the envelope-
based deposits, make sure they go through – if it gets jammed and it doesn‘t fully
go into the machine, the next person can walk up and take it out. After having
made the ATM deposit, compare your records with the account statements or
online banking records.

EXAMPLE OF ATM FRAUD

ATM Insecurity

Aug 09:

ATM users in India are exposed to a kind of PIN theft risk that has been
brought to focus with an arrest in Kolkata. The risk arises because the machine
(only one type of machines where the users insert the card and withdraw is said
to have this vulnerability) reads the PIN, stores in its cache memory and goes
blank under certain circumstances. The machine can then be released by
inserting a screwdriver but at that time the PIN remains in memory and can be
used to withdraw money from the account of the user whose PIN remained stuck.
This is clearly a vulnerability of the machine and the liability on account of this
vulnerability should fall on the Bank. The Bank in turn should get indemnified by
the supplier of the embedded software that runs the system with this bug.

CYBER MONEY LAUNDERING

During the past two decades, IT and Internet technologies have reached
every nook and corner of the world. E-commerce has come into existence due to
the attributes of Internet like ease of use, speed, anonymity and its International
nature. Internet has converted the world into a boundary less market place that
never sleeps. Drug peddlers and organized criminals found a natural and much
sought after ally in Internet. Computer networks and Internet, in particular, permit
transfer of funds electronically between trading partners, businesses and
consumers. This transfer can be done in many ways. They include use of credit
cards, Internet banking, e-cash, e- wallet etc. for example, smart cards like Visa
Cash, Mondex card, whose use is growing can store billions of dollars. At
present, there is an upper limit imposed by the card issuers but technically there
is no limit. In some other forms of computer-based e-money, there is no upper
limit. Mobile banking and mobile commerce are growing and these technologies
have the capability to transfer any amount of money at the touch of a bottom or
click of a mouse. They can be effective tools in the hands of money launderers.
First and foremost, the anonymity offered by internet and cyber payment systems
is being exploited to the hilt by the criminal elements.

As cyber payment systems eliminate the need for face to face interactions,
transfer of funds can be done between two trading partners directly. Two
individuals also can transfer funds directly using e- wallets. This problem is
further compounded by the fact that, in many countries, non-financial institutions
are also permitted to issue e-money. Monitoring the activities of these institutions
in a traditional manner is not possible. Earlier, cross-border transactions were
controlled by the central banks of respective countries. With the entry of Internet
commerce, the jurisdictional technicalities come into play and it is another area
that is being exploited by the money launderers. The capacity to transfer
unlimited amounts of money without having to go through strict checks makes
cyber money laundering an attractive proposition. From the point of view of law
enforcing agencies, all the above advantages cyber payments provide to
consumers and trading partners, turn out to be great disadvantages while
investigating the crimes

AIM OF MONEY LAUNDERING

The most important aim of money laundering is to conceal the origin of the
money, which, in almost all cases, is from illegal activity. Criminal resort to this
practice to avoid detection of the money by law enforcement which will lead to its
confiscation and also may provide leads to the illegal activity. By laundering the
money the criminals are trying to close their tracks. Further, their aims could be
to increase the profits by resorting to illegal money transfer etc. and also of
course, to support new criminal ventures. Money laundering from the point of
view of the criminal increases the profits and, at the same time, reduces the risk.
While indulging in money laundering process, the launderers also attempt to
safeguard their interests. They conceal the origin and ownership of the proceeds,
maintain control over proceeds and change the form of proceeds

MONEY LAUNDERING PROCESS

Money laundering is normally accomplished by using a three-stage

process. The three steps involved are Placement, Layering and Integration. E-
money and cyber payment systems come in handy in all the three stages of the
process.
 PROCESS

PLACEMENT LAYERING INTEGRATION

1. PLACEMENT

The first activity is placement. Illegal activities like drug trafficking,

extortion, generate very volumes of money. People involved in these activities
cannot explain the origin and source of these funds to the authorities. There is a
constant fear of getting caught. So the immediate requirement is to send this
money to a different location using all available means. This stage is
characterized by facilitating the process of inducting the criminal money into the
legal financial system. Normally, this is done by opening up bank accounts in the
names of non-existent people or commercial organizations and depositing the
money. Online banking and Internet banking make it very easy for a launderer to
open and operate a bank account. Placement in cyber space occurs by
depositing the illegal money with some legitimate financial institutions or
businesses. This is done by breaking up the huge cash into smaller chunks.
Launderers are very careful at this stage because the chances of getting caught
are considerable here. Cyber payment systems can come in handy during this
process.
2. LAYERING

Layering is the second sub process. In this complex layers of financial

transaction are created to disguise the audit trail and provide anonymity. This is
used to distance the money from the sources. This is achieved by moving the
names from and to offshore bank accounts in the names of shell companies or
front companies by using Electronic Funds Transfer (EFT) or by other electronic
means. Every day trillions of dollars are transferred all over the world by other
legitimate business and thus it is almost impossible ton as certain whether some
money is legal or illegal. Launderers normally make use of commodity brokers,
stock brokers in the layering process. Launderers were also found to purchase
high value commodities like diamonds etc. and exporting them to a different
jurisdiction. During this process, they make use of the banks wherever possible
as in the legal commercial activity

3. INTEGRATION

Integration is the third sub process. This is the stage in which the ‘cleaned’
money is ploughed back. This is achieved by making it appear as legally earned.
This is normally accomplished by the launderers by establishing anonymous
companies in countries where secrecy is guaranteed. Anyone with access to
Internet can start an e-business. This can look and function like any other e-
business as far as the outside world is concerned. This anonymity is what makes
Internet very attractive for the launderers. They can then take loans from these
companies and bring back the money. This way they not only convert their
money this way but also can take advantages associated with loan servicing in
terms of tax relief. Another way can be by placing false export import invoices
and over valuing goods.
 The entire process can be explained with the help of an example . The
money launderers first activity is to set up an online commerce company which is
legal. Normally, the launderer sets up the website for his company and accepts
online payments using credit cards for the purchases made from his company’s
website. As a part of the whole scheme, launderers obtain credit cards from
some banks or financial institutions located in countries with lax rules, which are
known as safe havens. The launderer sitting at home, then, ‘makes purchases’
using this credit card from his own website. As in normal transactions, the Web-
based system then sends an invoice to the customer’s (who happens to the
launderer himself) bank, in the safe haven. The bank then pays the money into
the account of the company. Cyber space provides a secure and anonymous
opportunity to the criminals in money laundering operations. It has come to light
that many gangs are opening up the front companies and hiring information
technology specialists for nefarious activities. Incidents have also come to light
where the criminals are using cryptography for hiding their transaction.

BUSINESS AREAS THAT SUPPORT OR ARE PRONE TO

MONEY LAUNDERING
The banks and other financial institution are the most important
intermediaries in the money laundering chain. As far as the banks are concerned
the countries that are considered safe for launderers are Cayman Islands,
Cyprus, Luxembourg, and Switzerland. The offshore accounts of these banks are
popular because they offer anonymity and also help in tax evasion. Other
financial institution like fund managers and those facilitating Electronic Fund
Transfer are also being manipulated by the launderers. Banking obviously is the
most affected sector by the money laundering operations. In fact, Berltlot Brecht
said, ‘If you want to steal, then buy a bank.’ Multinational banks are more
vulnerable to money laundering operations. When BCCI bank was investigated it
came to light that there were 3,000 criminal customers and they were involved in
offenses ranging from financing nuclear weapon programs to narcotics. The
second area is underground banking or parallel banking. This is practiced by
different countries by different names. China follows a system called ‘Fic Chin’.
Under this system, money is deposited in one country and the depositor is
handed a chit or chop. The money is paid back in another place on production of
the chit. Similar systems known as Hundi, Hawallah are practiced in India. It is
much easier to launder the money using these methods as there is no physical
movement of money. These practices mostly work on trust and mostly controlled
by mafia in many countries.

Futures and commodity markets are another area which is found to be

facilitating the money laundering. The other areas include professional advisers,
financing housing schemes, casinos, antique dealers and jewelers. Casinos are
another business areas that is actively involved in money laundering process. In
all the cases the underlying factor is paperless transactions. It was also found
that launderers do take advantages of privatization in various countries by
investing in them. This was observed in UK, India and Columbia. In Columbia,
when the banks were privatized the ‘Carli Cartel’ was reported to have invested
heavily and Italian mafia reportedly purchased shares in Italian banks. This only
shows the extent of the problem and also that the banks and financial institutions
are the primary target of the launderers. In some countries, even political parties
organizations are known to be using laundered money for their campaigns.

EFFECTS ON BANKS
Almost all the banks trade in foreign exchange Money laundering in any
country or economy affects the foreign exchange market directly. The money
laundering reduces the legal volume of the banks business. It also causes
fluctuations in the exchange rate. Further, money laundering can undermine the
credibility of the banking system. Facilitating the activities of launderers even
inadvertently can push the banks into problems with law enforcement agencies
and also governments. In some reported cases, the banks survival has come
under threat. It is not difficult to see what effect it has on the profitability of banks.

OTHER EFFECTS
In one incident, an Indian national in one year handled US 81.5 bn illegal
transactions, before his arrest during 1993. This incident also shows how the
national economy gets affected. A few years before that, the Indian Government
was so short of foreign exchange that it had to pledge gold in the London bank.
One needs not be an economist understand the impact of money laundering on
economies of developing countries. The low regulation by central banks will
become difficult and consequently, there will be rise in inflation. Further, overall
income distribution in an economy is likely to get affected. Money laundering can
help in spread of parallel economy, which will result in loss to national income
due to reduced tax collections and lost jobs. On the social plane, this can result
in increased crime rate, violence in society. There may be attempts to gain
political power either directly or indirectly like Coli Cocoine Cartel’s attempt in
supporting Columbian President, Samper in 1996 elections. Because cyber
money laundering can be done from anywhere in the world without any
jurisdiction, the effects are much severe.

PREVENTION
Because of the nature of Cyber money laundering, no country can
effectively deal with it in isolation. Cyber money laundering has to be dealt with at
organizational [Bank or Financial Institution], national and international levels.
 INTERNATIONAL
LEVEL

NATIONAL
LEVEL

ORGANISATIONAL
LEVEL

AT INTERNATIONAL LEVEL
The UN has taken the lead and during 1995 international community
meeting signed a convention known as ‘UN Convention Against Illict Traffic in
Narcotic Drugs and Psychotropic Substances’. Further, this convention made
money laundering a crime and provided a model. During 2000, the UN also
organized another convention against transnational organized crime. As a result
of UN the efforts, the group of seven industrialized nations established ‘Financial
Action Task Force’ (FATF). The biggest source of money laundering funds
comes from drug trade and the volume of money is large. In order to cover this
vast amount of money they need financial services industry. They eye financial
institutions that are in the business of accepting deposits from customers. After
studying this phenomenon, Financial Action Task Force (FATF) had noticed
some critical points in the modus operandi of criminals which are difficult for the
launderers to avoid. They are points of entry of cash into financial system,
transfers to and from financial system and cross-border flows of cash. Paying
attention to these issues can help in controlling cyber laundering to a
considerable extent. According to financial crimes enforcement network of US,
less than 1% money laundered in cyber space is ever detected or criminals
prosecuted. Prevention of money laundering in cyber space is proving to be
really a daunting task. Some of the suggested measures are putting an upper
limit on the amount of payment and frequency of using e-money in peer to peer
transfers. The second is making it mandatory for e- money organization to
identify their clients and also to keep a track of money movement. The third is
ensuring that Internet service providers keep a log of files involving finances for a
number of years. The fourth is making audit compulsory for all electronic
merchants and ensuring that they keep transaction records for a certain period of
time. The fifth is training law enforcement agencies in dealing effectively with this
crime. Last but not the least, is international co-operation and harmonizing the
national cyber and terrestrial laws with international can help in dealing with this
crime effectively.

AT NATIONAL LEVEL
Some countries liken UK have taken proactive steps to control this crime,
which could be cumulated by others. In UK, deposit taking institutions (including
banks) are expected to report suspicious transactions to the law enforcement
authorities. The legal provisions regarding ‘knowing the customer’ brought down
the crime to a great extent. They empowered their customs officials to seize cash
consignments of 10,000 pounds or more. Courts also permit confiscation of cash,
if the investigating authorities have strong evidence that the money has come
from illegal activities of drug trafficking. Issue of electronic money by private
parties is another factor, as in some countries regulation of these people is not
effective. Slowly, different countries are realizing the importance of this issue and
enacting suitable rules aimed at providing transparency in transactions carried
out by these institutions. The most important issues at national level are
establishing legal framework and training law enforcing officials. The major
weapon to combat this crime is controlling financial transactions including e-
transactions, through legislation. Many countries have enacted some stringent
laws to control this crime. UK, US have stringent laws in dealing with Cyber
money laundering. Many other countries are following suit. The Council of
Europe has passed Criminal Justice Act. Hong Kong has passed similar laws.
The single most important issue is harmonizing the terrestrial laws with cyber
laws.

AT ORGANIZATIONAL [BANK] LEVEL

The banking and other financial organizations can reduce the quantum of
money laundering by following the guidelines issued by central banks of
respective countries in letter and spirit. The old principle of ‘Knowing the
customer’ well will help a great deal. It is very important to keep the records of
the customer for a sufficient time, at least for 8 to 10 years. Having an eye on
suspicious deals can give early warnings on the impending trouble. Any
suspicious activities must be reported to law enforcement authorities. Developing
internal control mechanisms is very essential in this regard. Further, working in
close association with other banks and exchange of information and intelligence
in this regard will be definitely helpful. Law enforcement agencies have details of
criminal elements and their transactions. By working in close conjunction with
them, bank can have early warning on such activities. However, banks must
keep in mind the legal provisions regarding privacy of individuals.

CREDIT CARDS FRAUDS

INTRODUCTION TO CREDIT CARDS

 Credit was first used in Assyria, Babylon and Egypt 3000 years ago. The
bill of exchange - the forerunner of banknotes - was established in the 14th
century. Debts were settled by one- third cash and two-thirds bill of exchange.
Paper money followed only in the 17th century. The first advertisement for credit
was placed in 1730 by Christopher Thornton, who offered furniture that could be
paid off weekly.

From the 18th century until the early part of the 20th, tallymen sold clothes
in return for small weekly payments. They were called "tallymen" because they
kept a record or tally of what people had bought on a wooden stick. One side of
the stick was marked with notches to represent the amount of debt and the other
side was a record of payments. In the 1920s, a shopper's plate - a "buy now, pay
later" system - was introduced in the USA. It could only be used in the shops
which issued it.

In 1950, Diners Club and American Express launched their charge cards
in the USA, the first "plastic money". In 1951, Diners Club issued the first
credit card to 200 customers who could use it at 27 restaurants in New York.
But it was only until the establishment of standards for the magnetic strip in 1970
that the credit card became part of the information age. The first use of magnetic
stripes on cards was in the early 1960's, when the London Transit Authority
installed a magnetic stripe system. San Francisco Bay Area Rapid Transit
installed a paper based ticket the same size as the credit cards in the late 1960's.
The word credit comes from Latin, meaning “TRUST”

MEANING

Credit card fraud is a wide-ranging term for theft and fraud committed
using a credit card or any similar payment mechanism as a fraudulent source of
funds in a transaction. The purpose may be to obtain goods without paying, or to
obtain unauthorized funds from an account. Credit card fraud is also an adjunct
to identity theft. According to the Federal Trade Commission, while identity theft
had been holding steady for the last few years, it saw a 21 percent increase in
2008. However, credit card fraud, that crime which most people associate with ID
theft, decreased as a percentage of all ID theft complaints for the sixth year in a
row.

The cost of credit card fraud reaches into billions of dollars annually. In
2006, fraud in the United Kingdom alone was estimated at £535 million, or
US$750-830 million at prevailing 2006 exchange rates.
 The fraud begins with either the theft of the physical card or the
compromise of data associated with the account, including the card account
number or other information that would routinely and necessarily be available to
a merchant during a legitimate transaction. The compromise can occur by many
common routes and can usually be conducted without tipping off the card holder,
the merchant or the bank, at least until the account is ultimately used for fraud. A
simple example is that of a store clerk copying sales receipts for later use. The
rapid growth of credit card use on the Internet has made database security
lapses particularly costly; in some cases, millions of accounts have been
compromised.

IF CARD IS STOLEN

When a credit card is lost or stolen, it remains usable until the holder notifies
the bank that the card is lost; most banks have toll-free telephone numbers
with 24-hour support to encourage prompt reporting. Still, it is possible for a
thief to make unauthorized purchases on that card up until the card is
cancelled. In the absence of other security measures, a thief could potentially
purchase thousands of dollars in merchandise or services before the card
holder or the bank realize that the card is in the wrong hands.
 In the United States, federal law limits the liability of card holders to $50 in
the event of theft, regardless of the amount charged on the card; in practice,
many banks will waive even this small payment and simply remove the fraudulent
charges from the customer's account if the customer signs an affidavit confirming
that the charges are indeed fraudulent. Other countries generally have similar
laws aimed at protecting consumers from physical theft of the card.

The only common security measure on all cards is a signature

panel, but signatures are relatively easy to forge. Many merchants will demand to
see a picture ID, such as a driver's license, to verify the identity of the purchaser,
and some credit cards include the holder's picture on the card itself. However,
the card holder has a right to refuse to show additional verification, and asking for
such verification may be a violation of the merchant's agreement with the credit
card companies.

Self-serve payment systems (gas stations, kiosks, etc.) are common

targets for stolen cards, as there is no way to verify the card holder's identity. A
common countermeasure is to require the user to key in some identifying
information, such as the user's ZIP or postal code. This method may deter casual
theft of a card found alone, but if the card holder's wallet is stolen, it may be trivial
for the thief to deduce the information by looking at other items in the wallet. For
instance, a U.S. driver license commonly has the holder's home address and ZIP
code printed on it.

Banks have a number of countermeasures at the network level, including

sophisticated real-time analysis that can estimate the probability of fraud based
on a number of factors. For example, a large transaction occurring a great
distance from the card holder's home might be flagged as suspicious. The
merchant may be instructed to call the bank for verification, to decline the
transaction, or even to hold the card and refuse to return it to the customer.

Stolen cards can be reported quickly by card holders, but a compromised

account can be hoarded by a thief for weeks or months before any fraudulent
use, making it difficult to identify the source of the compromise. The card holder
may not discover fraudulent use until receiving a billing statement, which may be
delivered infrequently.

Compromised Accounts

Card account information is stored in a number of formats. Account

numbers are often embossed or imprinted on the card, and a magnetic stripe on
the back contains the data in machine readable format. Fields can vary, but the
most common include:

• Name of card holder

• Account number

• Expiration date

• Verification
 Many Web sites have been compromised in the past and theft of credit
card data is a major concern for banks. Data obtained in a theft, like addresses
or phone numbers, can be highly useful to a thief as additional card holder
verification.

Mail/Internet Order Fraud

The mail and the Internet are major routes for fraud against merchants
who sell and ship products, as well Internet merchants who provide online
services. The industry term for catalog order and similar transactions is "Card Not
Present" (CNP), meaning that the card is not physically available for the
merchant to inspect. The merchant must rely on the holder (or someone
purporting to be the holder) to present the information on the card by indirect
means, whether by mail, telephone or over the Internet when the cardholder is
not present at the point of sale.

It is difficult for a merchant to verify that the actual card holder is indeed
authorizing the purchase. Shipping companies can guarantee delivery to a
location, but they are not required to check identification and they are usually are
not involved in processing payments for the merchandise. A common preventive
measure for merchants is to allow shipment only to an address approved by the
cardholder, and merchant banking systems offer simple methods of verifying this
information.

Additionally, smaller transactions generally undergo less scrutiny, and are

less likely to be investigated by either the bank or the merchant, since the cost of
research and prosecution usually far outweighs the loss due to fraud. CNP
merchants must take extra precaution against fraud exposure and associated
losses, and they pay higher rates to merchant banks for the privilege of accepting
cards. Anonymous scam artists bet on the fact that many fraud prevention
features do not apply in this environment.
 Merchant associations have developed some prevention measures, such
as single use card numbers, but these have not met with much success.
Customers expect to be able to use their credit card without any hassles, and
have little incentive to pursue additional security due to laws limiting customer
liability in the event of fraud. Merchants can implement these prevention
measures but risk losing business if the customer chooses not to use the
measures.

Account Takeover

There are two types of fraud within the identity theft category:

TYPES OF IDENTITY THEFT FRAUD

APPLICATION
FRAUD ACCOUNT
TAKEOVER

1. Application Fraud
 Application fraud occurs when criminals use stolen or fake documents to
open an account in someone else's name. Criminals may try to steal documents
such as utility bills and bank statements to build up useful personal information.
Alternatively, they may create counterfeit documents.

2. Account Takeover

Account takeover involves a criminal trying to take over another person's

account, first by gathering information about the intended victim, then contacting
their bank or credit issuer — masquerading as the genuine cardholder — asking
for mail to be redirected to a new address. The criminal then reports the card lost
and asks for a replacement to be sent. The replacement card is then used
fraudulently.

Some merchants added a new practice to protect consumers and self

reputation, where they ask the buyer to send a copy of the physical card and
statement to ensure the legitimate usage of a card

Three people held guilty in on line credit card scam

Customers credit card details were misused through online means for
booking air-tickets. These culprits were caught by the city Cyber Crime
Investigation Cell in pune. It is found that details misused were belonging to 100
people.

Mr. Parvesh Chauhan, ICICI Prudential Life Insurance officer had

complained on behalf of one of his customer. In this regard Mr. Sanjeet Mahavir
Singh Lukkad, Dharmendra Bhika Kale and Ahmad Sikandar Shaikh were
arrested. Lukkad being employeed at a private institution, Kale was his friend.
Shaiklh was employed in one of the branches of State Bank of India .

According to the information provided by the police, one of the

customer received a SMS based alert for purchasing of the ticket even when the
credit card was being held by him. Customer was alert and came to know
something was fishy; he enquired and came to know about the misuse. He
contacted the Bank in this regards. Police observed involvement of many Bank's
in this reference.

The tickets were book through online means. Police requested for the
log details and got the information of the Private Institution. Investigation
revealed that the details were obtained from State Bank of India . Shaikh was
working in the credit card department; due to this he had access to credit card
details of some customers. He gave that information to Kale. Kale in return
passed this information to his friend Lukkad. Using the information obtained from
Kale Lukkad booked tickets. He used to sell these tickets to customers and get
money for the same. He had given few tickets to various other institutions.

Cyber Cell head DCP Sunil Pulhari and PI Mohan Mohadikar A.P.I
Kate were involved in eight days of investigation and finally caught the culprits.

In this regards various Banks have been contacted; also four air-line industries
be contacted DCP Sunil Pulhari has requested customers who have fallen in to
this trap to inform police authorities on 2612-4452 or 2612-3346 if they have any
problems
SKIMMING
 Skimming is the theft of credit card information used in an otherwise
legitimate transaction. It is typically an "inside job" by a dishonest employee of a
legitimate merchant, and can be as simple as photocopying of receipts. Common
scenarios for skimming are restaurants or bars where the skimmer has
possession of the victim's credit card out of their immediate view. The skimmer
will typically use a small keypad to unobtrusively transcribe the 3 or 4 digits Card
Security Code which is not present on the magnetic strip.

Instances of skimming have been reported where the perpetrator has put
a device over the card slot of a public cash machine (Automated Teller Machine),
which reads the magnetic strip as the user unknowingly passes their card
through it. These devices are often used in conjunction with a pinhole camera to
read the user's PIN at the same time.

Skimming is difficult for the typical card holder to detect, but given a large
enough sample, it is fairly easy for the bank to detect. The bank collects a list of
all the card holders who have complained about fraudulent transactions, and
then uses data mining to discover relationships among the card holders and the
merchants they use. For example, if many of the customers used one particular
merchant, that merchant's terminals (devices used to authorize transactions) can
be directly investigated.
 SKIMMER

Sophisticated algorithms can also search for known patterns of fraud.

Merchants must ensure the physical security of their terminals, and penalties for
merchants can be severe in cases of compromise, ranging from large fines to
complete exclusion from the merchant banking system, which can be a death
blow to businesses such as restaurants which rely on credit card processing.

CARDING

Carding is a term used for a process to verify the validity of stolen card
data. The thief presents the card information on a website that has real-time
transaction processing. If the card is processed successfully, the thief knows that
the card is still good. The specific item purchased is immaterial, and the thief
does not need to purchase an actual product; a Web site subscription or
charitable donation would be sufficient. The purchase is usually for a small
monetary amount, both to avoid using the card's credit limit, and also to avoid
attracting the bank's attention. A website known to be susceptible to carding is
known as a cardable website

In the past, carders used computer programs called "generators" to

produce a sequence of credit card numbers, and then test them to see which
were valid accounts. Another variation would be to take false card numbers to a
location that does not immediately process card numbers, such as a trade show
or special event. However, this process is no longer viable due to widespread
requirement by internet credit card processing systems for additional data such
as the billing address, the 3 to 4 digit Card Security Code and/or the card's expiry
date, as well as the more prevalent use of wireless card scanners that can
process transactions right away. Nowadays, carding is more typically used to
verify credit card data obtained directly from the victims by skimming or phishing.
 A set of credit card details that has been verified in this way is known in
fraud circles as a phish. A carder will typically sell data files of phish to other
individuals who will carry out the actual fraud. Market price for a phish ranges
from US$1.00 to US$50.00 depending on the type of card, freshness of the data
and credit status of the victim

PREVENTION FOR CREDIT CARD FRAUD

Credit card fraud is bad business. In 2004, credit card fraud cost US
merchants 2,664.9 million dollars (Celent Communications). Credit card fraud is
a significant problem in Canada, too. The credit card loss total for 2007 was
$304,255,215, according to the RCMP. And while 'no-card' fraud is growing,
most credit card frauds are still being committed using lost, stolen or counterfeit
cards. Whether you have a brick-and-mortar business or an online one, credit
card fraud is costing you money.

Credit card fraud prevention when dealing with credit card customers face-
to-face

1. Ask for and check other identification, such as a driver’s license or other photo
ID. Check to see if the ID has been altered in any way as a person trying to use a
stolen credit card may also have stolen or fake ID.

2. Examine the signature on the card. If the signature on the credit card is
smeared, it could be that the credit card is stolen and the person has changed
the signature to his or her own .
3.Compare signatures. Besides comparing the signature on the credit card with
the person’s signature on the credit card slip, compare the signatures as well to
those on any other ID presented.

4. Check the security features of the credit card.

i. Have another look at the card’s signature panel. It should show a

repetitive colour design of the MasterCard or Visa name. Altered signature
panels (those that are discoloured, glued, painted, erased, or covered with white
tape) are an indication of credit card fraud.

ii. Check the credit card’s embossing. “Ghost images” of other numbers
behind the embossing are a tip-off that the card has been re-embossed. The
hologram may be damaged. (The holograms on credit cards that have not been
tampered with will show clear, three- dimensional images that appear to move
when the card is tilted.)

5. Check the presented card with recent lists of stolen and invalid credit card
numbers.

6. Call for authorization of the credit card – remembering to take both the credit
card and the sales draft with you. That way if the customer runs away while
you’re making the call, you still have the credit card. Ask for a “Code 10” if you
have reason to suspect a possible credit card fraud, such as a possible
counterfeit or stolen card.

7. Destroy all carbon copies of the credit card transaction, to ensure that no one
can steal the credit card information and help prevent future credit card fraud.
 It’s also very important to be sure that your staff is educated about credit
card fraud. You can use the points above as a “to do” list for dealing with credit
card transactions. For information on the suspicious behavior that may indicate
someone trying to commit credit card fraud, see Suspicious Behaviors That May
Indicate Credit Card Fraud

When dealing with credit card customers over the phone or through
the Internet, credit card fraud prevention strategies such as scrutinizing the
credit card aren’t going to work. You can, however, be alert to suspicious
behaviors and shape your credit policies to nip credit card fraud in the bud.

1. Don’t process credit card orders unless the information is complete.

2. Don’t process credit card orders that originate from free e-mail addresses or
from e-mail forwarding addresses. In such a case, ask the customer for an ISP
(Internet Service Provider) or domain-based e-mail address that can be traced
back.
3. If the shipping address and the billing address on the order are different, call
the customer to confirm the order. You may even want to make it a policy to ship
only to the billing address on the credit card.

4. Be wary of unusually draft orders

5. Be wary of orders shipped to a single address but purchased with multiple

cards.
6. Be wary of multiple transactions made with similar card numbers in a
sequence.

7. Be wary of orders you’re asked to ship express, rush or overnight. This is the
shipping of choice for many credit card fraudsters. Call the customer to confirm
the order first.

8. Be wary of overseas orders – especially if the order exhibits any of the

characteristics noted above.

9. The first is Mod10 algorithm testing. Mod10 is an algorithm that will show
whether the card number being presented is valid card number and is within the
range of numbers issued by credit card companies. It cannot give any other
details like no. issued by any other company. This test should be first to be that it
is applied to any credit card number one process. If the card fails Mod10 one can
safely assume fraud.

Credit card fraud may not be entirely preventable, but by

establishing and following procedures to check every credit card
transaction, you can cut down your credit card fraud losses.

Phishing
 Phishing is a new form of identity theft that frequently occurs on the
web. The term refers to baiting techniques implemented by a criminal to fish
personal information out of an unsuspecting user. The purpose is to use this
information to commit identity theft and other types of fraud.

Phishing typically originates via email or a fraudulent website. More

often than not, the design will resemble well known, trusted companies, financial
institutions or government services. This makes it much easier for a criminal to
persuade a user out of sensitive information, such as bank account information
or usernames and passwords.

In most cases, a phishing scam originating from an email will contain

false statements intended to alarm the recipient. The sender may give the
impression that the recipient is at the immediate risk of having their bank, credit
card or financial accounts compromised. Other phishing attempts may falsely
state that the recipient's credit card was declined or is being used by another
individual.

One live example of phishing revolved around a mass email campaign

that occurred in the summer of 2004. The messages advised consumers of a
prominent Canadian institution to provide their personal information because of
technical difficulties. Of course, these emails were not distributed nor authorized
by that particular financial institution.

A phishing email can also promise a gift or other incentives to

recipients. While the message may appear rewarding, the purpose remains the
same: to persuade the unknowing into disclosing personal and financial data to
aid in the act of identity theft.

Criminals who distribute phishing emails rely on the hope that some of
their recipients may actually have a relationship with the legitimate business they
are portraying. However, a recipient is much more likely to respond if the email
appears to come from a trusted source, whether there is a relationship or not.

Unfortunately, individuals who respond to these emails are putting

their assets and financial information at risk. An identity thief can use this data to
access active accounts to withdraw funds or buy expensive items and services.
They can also use the information to open up new accounts in the victim's name
and remain under the radar by supplying a different address. The worst part of
all, recipients may not realize for some time that they have just become a victim
of identity theft.
 How to Combat Phishing Schemes

Being that this crime has evolved so rapidly, Canada's Department of

Public Safety has teamed up with the United States Department of Justice to
warn internet users about phishing. Here are three steps they recommend when
being approached with this scam:

1. Recognize it: The popularity of phishing has made this scheme easier to
detect. A user should never respond to or click on any links in an email from a
sender requesting sensitive information.

2. Report it: If you have taken the bait of a phishing scam, it is very important to
contact your credit card company or financial institution right away. You should
also report this crime to your local police department. This will provide you with
documentation that may need to be displayed to an institution to help prove your
case.

3. Prevent it: Phishing can be prevented by learning the routine practice of your
credit card company or financial institution. In most instances, they will never ask
you to confirm such sensitive information via email. By understanding how these
companies operate, you can stop schemers in their tracks and save yourself from
identity theft.

Phishing email \

email
From: :*****Bank [ mailto:support t@**** Bank.com ]
]
Sent: :08 June 2004 03:25
08 June 2004 03:25
To: :India
India
Subject: Official information from***** Bank
Official information from***** Bank
Dear valued***** Bank Customer!
Dear valued***** Bank Customer!
For security purposes your account thas been
has been
randomly chosen for verification. To verify
randomly chosen for verification. To verify
your account information we are asking you to
your account information we are asking you to
provide us with all the data we are requesting.
provide us with all the data we are requesting.
Otherwise we will not be able to verify your identity
Otherwise we will not be able to verify your identity
and access to your account will be denied. Please
and access to your account will be denied.
Pleaseclick
click
on the link below to get to the bank secure
on the link below to get to the bank secure
page and verify your account details. Thank you.
page and verify your account details. Thank you.
https://infinity.*****bank.co.in/Verify.jsp
https://infinity.*****bank.co.in/Verify.jsp
****** Bank Limited

UTI Bank hooked in a phishing attack

14 February 2007

Fraudsters of cyberspace have reared its ugly head, the first of its
kind this year, by launching a phishing attack on the website of Ahmedabad-
based UTI Bank, a leading private bank promoted by India' s largest financial
institution, Unit Trust of India (UTI).

A URL on Geocities that is almost a facsimile version of the UTI Bank's

home page is reported to be circulating amongst email users. The web page not
only asks for the account holder's information such as user and transaction login
and passwords, it has also beguilingly put up disclaimer and security hazard
statements. "

In case you have received any e-mail from an address appearing to

be sent by UTIBANK, advising you of any changes made in your personal
information, account details or information on your user id and password of your
net banking facility, please do not respond. It is UTI Bank's policy not to seek or
send such information through email. If you have already disclosed your
password please change it immediately, " the warning says. The tricky link is
available on http://br.geocities/ If any unsuspecting account holder enters his
login id, password, transaction id and password in order to change his details as
'advised' by the bank, the same info is sent vide mailform.cz (the phisher's
database).

After investigation, we found that Mailform is a service of PC Svet,

which is a part of the Czech company PES Consulting. The Webmaster of the
site is a person named Petr Stastny whose e-mail can be found on the web page.

Top officials at UTI Bank said that they have reported the case to the
Economic Office Wing, Delhi Police. The bank has also engaged the services of
Melbourne-based FraudWatch International, a leading anti-phishing company
that offers phishing monitoring and take-down solutions. "We are now in the
process of closing the site. Some of these initiatives take time, but customers
have been kept in the loop about these initiatives, " said V K Ramani, President -
IT, UTI Bank.

As per the findings of UTI Bank's security department, the phishers

have sent more that 1,00,000 emails to account holders of UTI Bank as well as
other banks. Though the company has kicked off damage control initiatives, none
of the initiatives are cent percent foolproof. "

Now there is no way for banks to know if the person logging-in with
accurate user information is a fraud," said Ramani. However, reliable sources
within the bank and security agencies confirmed that the losses due to this
particular attack were zilch.

The bank has sent alerts to all its customers informing about such
malicious websites, besides beefing up their alert and fraud response system.
"Engaging professional companies like FraudWatch help in reducing time to
respond to attacks," said Sanjay Haswar, Assistant Vice President, Network and
Security, UTI Bank.
Cyber Criminals
The cyber criminals constitute of various groups/ category. This division may be
justified on the basis of the object that they have in their mind. The following are
the category of cyber criminals-

1. Children and adolescents between the age group of 6 – 18 years

The simple reason for this type of delinquent behaviour pattern in children is
seen mostly due to the inquisitiveness to know and explore the things. Other
cognate reason may be to prove themselves to be outstanding amongst other
children in their group. Further the reasons may be psychological even. E.g. the
Bal Bharati (Delhi) case was the outcome of harassment of the delinquent by his
friends.
2. Organized hackers
These kinds of hackers are mostly organized together to fulfill certain objective.
The reason may be to fulfill their political bias, fundamentalism, etc. The
Pakistanis are said to be one of the best quality hackers in the world. They
mainly target the Indian government sites with the purpose to fulfill their political
objectives. Further the NASA as well as the Microsoft sites is always under
attack by the hackers
3. Professional hackers / crackers
Their work is motivated by the colour of money. These kinds of hackers are
mostly employed to hack the site of the rivals and get credible, reliable and
valuable information. Further they are ven employed to crack the system of the
employer basically as a measure to make it safer by detecting the loopholes.
4. Discontented employees
This group includes those people who have been either sacked by their employer
or are dissatisfied with their employer. To avenge they normally hack the system
of their employee.

Working of Cyber Criminals

 Cyber crime has become a profession and the demographic of your
typical cyber criminal is changing rapidly, from bedroom-bound geek to the type
of organized gangster more traditionally associated with drug-trafficking, extortion
and money laundering.

It has become possible for people with comparatively low technical

skills to steal thousands of pounds a day without leaving their homes. In fact, to
make more money than can be made selling heroin (and with far less risk), the
only time the criminal need leave his PC is to collect his cash. Sometimes they
don't even need to do that.

In all industries, efficient business models depend upon horizontal

separation of production processes, professional services, sales channels etc.
(each requiring specialized skills and resources), as well as a good deal of trade
at prices set by the market forces of supply and demand. Cyber crime is no
different: it boasts a buoyant international market for skills, tools and finished
product. It even has its own currency.
 The rise of cyber crime is inextricably linked to the ubiquity of credit
card transactions and online bank accounts. Get hold of this financial data and
not only can you steal silently, but also – through a process of virus-driven
automation – with ruthlessly efficient and hypothetically infinite frequency.

The question of how to obtain credit card/bank account data can be

answered by a selection of methods each involving their own relative
combinations of risk, expense and skill.

The most straightforward is to buy the ‘finished product’. In this case we’ll
use the example of an online bank account. The product takes the form of
information necessary to gain authorized control over a bank account with a six-
figure balance. The cost to obtain this information is $400 (cyber criminals always
deal in dollars). It seems like a small figure, but for the work involved and the risk
incurred it’s very easy money for the criminal who can provide it. Also remember
that this is an international trade; many cyber-criminals of this ilk are from poor
countries in Eastern Europe, South America or South-East Asia.

The probable marketplace for this transaction will be a hidden IRC

(Internet Relay Chat) chatroom. The $400 fee will most likely be exchanged in
some form of virtual currency such as e-gold.

Not all cyber-criminals operate at the coalface, and certainly don’t

work exclusively of one another; different protagonists in the crime community
perform a range of important, specialized functions. These broadly encompass:

Coders – comparative veterans of the hacking community. With a few

years' experience at the art and a list of established contacts, ‘coders’ produce
ready-to-use tools (i.e. Trojans, mailers, custom bots) or services (such as
making a binary code undetectable to AV engines) to the cyber crime labour
force – the ‘kids’. Coders can make a few hundred dollars for every criminal
activity they engage in.

Kids – so-called because of their tender age: most are under 18. They
buy, trade and resell the elementary building blocks of effective cyber-scams
such as spam lists, php mailers, proxies, credit card numbers, hacked hosts,
scam pages etc. ‘Kids’ will make less than $100 a month, largely because of the
frequency of being ‘ripped off’ by one another.

Drops – the individuals who convert the ‘virtual money’ obtained in

cyber crime into real cash. Usually located in countries with lax e-crime laws
(Bolivia, Indonesia and Malaysia are currently very popular), they represent ‘safe’
addresses for goods purchased with stolen financial details to be sent, or else
‘safe’ legitimate bank accounts for money to be transferred into illegally, and paid
out of legitimately.

Mobs – professionally operating criminal organizations combining or

utilizing all of the functions covered by the above. Organized crime makes
particularly good use of safe ‘drops’, as well as recruiting accomplished ‘coders’
onto their payrolls.

Gaining control of a bank account is increasingly accomplished

through phishing. There are other cyber crime techniques, but space does not
allow their full explanation.

All of the following phishing tools can be acquired very cheaply: a

scam letter and scam page in your chosen language, a fresh spam list, a
selection of php mailers to spam-out 100,000 mails for six hours, a hacked
website for hosting the scam page for a few days, and finally a stolen but valid
credit card with which to register a domain name. With all this taken care of, the
total costs for sending out 100,000 phishing emails can be as little as $60. This
kind of ‘phishing trip’ will uncover at least 20 bank accounts of varying cash
balances, giving a ‘market value’ of $200 – $2,000 in e-gold if the details were
simply sold to another cybercriminal. The worst-case scenario is a 300% return
on the investment, but it could be ten times that.

Better returns can be accomplished by using ‘drops’ to cash the

money. The risks are high, though: drops may take as much as 50% of the value
of the account as commission, and instances of ‘ripping off’ or ‘grassing up’ to the
police are not uncommon. Cautious phishers often separate themselves from the
physical cashing of their spoils via a series of ‘drops’ that do not know one
another. However, even taking into account the 50% commission, and a 50%
‘rip-off’ rate, if we assume a single stolen balance of $10,000 – $100,000, then
the phisher is still looking at a return of between 40 and 400 times the meagre
outlay of his/her phishing trip.

In large operations, offshore accounts are invariably used to accumulate the

criminal spoils. This is more complicated and far more expensive, but ultimately
safer.

The alarming efficiency of cybercrime can be illustrated starkly by

comparing it to the illegal narcotics business. One is faster, less detectable, more
profitable (generating a return around 400 times higher than the outlay) and
primarily non-violent. The other takes months or years to set-up or realise an
investment, is cracked down upon by all almost all governments internationally,
fraught with expensive overheads, and extremely dangerous.

Add phishing to the other cyber-criminal activities driven by hacking

and virus technologies – such as carding, adware/spyware planting, online
extortion, industrial spying and mobile phone dialers – and you’ll find a healthy
community of cottage industries and international organizations working together
productively and trading for impressive profits. Of course these people are
threatening businesses and individuals with devastating loss, financial hardship
and troubling uncertainty – and must be stopped.

On top of viruses, worms, bots and Trojan attacks, organizations in

particular are contending with social engineering deception and traffic
masquerading as legitimate applications on the network. In a reactive approach
to this onslaught, companies have been layering their networks with stand alone
firewalls, intrusion prevention devices, anti-virus and anti-spyware solutions in a
desperate attempt to plug holes in the armoury. They're beginning to recognize
it's a failed strategy. After all, billions of pounds are being spent on security
technology, and yet security breaches continue to rise.

To fight cyber crime there needs to be a tightening of international

digital legislation and of cross-border law enforcement co-ordination. But there
also needs to be a more creative and inventive response from the organisations
under threat. Piecemeal, reactive security solutions are giving way to strategically
deployed multi-threat security systems. Instead of having to install, manage and
maintain disparate devices, organizations can consolidate their security
capabilities into a commonly managed appliance. These measures combined, in
addition to greater user education are the best safeguard against the
deviousness and pure innovation of cyber-criminal activities.
Three Ways to Deter Cyber Crime

Ironically, as businesses move from risky paper check payments to a

safer means of electronic B2B payments, the online banking systems through
which payments are originated have become an attractive fraud target. Although
businesses are using payment fraud control devices such as ACH Positive Pay
and ACH Debit Filter, they only mitigate fraud after it occurs. There are at least
five fresh reasons to step up the security investment.

1. The browser is the weak point. Trojans and other malware like man-in-the-
browser attacks that are difficult to detect hijack the transaction inside of a
browser session, and subsequently attack the application and database on the
server. According to FinServ Strategies, most of the top 100 banks have
experienced similar incidents. Man-in-the-browser attacks are becoming
mainstream, RSA reports in its whitepaper, “Business Success in a Dark Market:
An Inside Look at How the Fraud Underground Operates,” especially in the U.S.
and Europe where two-factor authentication is already densely deployed.

2. The customer is the endpoint. Banks deliver services to business customers

through the browser; however, they aren’t in control of the business’s computing
environment. Businesses are legally responsible for their transaction banking
environment, but 20 million U.S. small businesses are particularly vulnerable to
cyber fraud as they don’t have the experience or resources to combat fraud, yet
they initiate high risk payments transactions (e.g., ACH, wires). Many banks
provision online services to small businesses on consumer systems with
inadequate security for business activity.

3. Tweet this - multichannel banking is here. The cyber threat environment is

growing more complex, especially as Web banking expands from Web and file
transfer to mobile/smart phone and social channels and as the workforce grows
younger. An integrated multichannel approach to information, transactions and
fraud is necessary to lower costs and increase effectiveness.

4. Single sign on lags business banking. Banks are seeking new

corporate/business portal solutions or independent SSO applications to solve the
security usability problem. If the bank looks for an SSO solution in an existing
packaged online banking offering, it may not get the integrated authentication
and entitlements it needs. “Most solutions secure the session,” says Nick Owen
of WiKID systems. As malware is now attacking at the application level,
transaction authentication needs to be cryptographically distinct from the session.

5. Fuhgettaboudit - cyber crime is organized crime. According to RSA , Internet

fraudsters have created an end-to-end supply chain to advance malware attacks
and the online vector used to efficiently deploy them. While the security
technology market is creating security-as-a-service solutions, criminals are
creating fraud-as-a-service and fraud has moved from the consumer to
businesses that initiate payments and bank online.

But new approaches are emerging to tackle 21st century online banking
problems. Among them are the secure browser and integrated single sign on.
Banks are taking three positive steps in the right direction:
 THREE WAYS TO DETER CYBER CRIMES

Organizing to combat fraud

Implementing secure browsers

Using integrated, single sign on

Organizing to combat fraud. Business fraud incidents are significant (albeit

under reported) as related by major security companies and members of industry
entities such as the Financial Services-Information Sharing and Analysis Center.
Formed by presidential directive in 1999, FS-ISAC, now has 4,100 members
from institution, brokerage and insurance sectors. “Members successfully share
threat vulnerabilities through a network of trust that guarantees anonymity, while
reporting important threat information to financial industry, government and other
industry sectors,” says FS-ISAC president William B. Nelson.

. Implementing secure browsers The secure browser solves the openness

problem of the Internet without plunging the world back into private networks.
Much like a dedicated business to bank connection, the secure browser uses
only the rendering portion of the browser and restricts URL destinations with a
bank and company controlled list through entitlements and self-tests for changes
indicating malware such as Trojans. This creates a secure connection akin to a
virtual private network, but without the technical requirements and cost overhead.
Like a regular browser, the secure browser performs site authentication, but it
shuts the user down if a site is not authenticated, rather than asking the normal
user to decide whether it is okay to continue during an abnormal event.

Using integrated, single sign on. Independent integrated SSO solutions are
appearing to fill the security gaps of online business banking and cash
management solutions, which were never intended as portal or SSO solutions.
The new integrated SSO combines user credential management for entity
Websites with browser validation with a multi-layered security approach including
strong authentication, software based keyboards to thwart keyloggers, one-time
perishable passcode generation and utilization, and strong authentication of
destination Websites to prevent DNS poisoning and pharming.

The global economic costs of cyber crime are estimated at more than one trillion
dollars and costs to the U.S. at about $8 billion. The banking industry is moving
to shared fraud analytics to detect cyber crime in flight, but it should also be
prevented at the outset. Financial products with built-in security are absolutely
essential. Industry groups, banks and technology companies are emerging to fill
the gaps and build the online experience with the proper foundation to mitigate
threats that have moved beyond network perimeters to applications and data.

GENERAL TIPS FOR AVOIDING POSSIBLE INTERNET FRAUD

SCHEMES

Organized crime is making a big business out of stealing bank account and credit
card records, says an authoritative study released this morning. The Verizon
Business Data Breach Investigations Report found that 94 percent of all records
compromised by cybercrime in 2009 were from financial services companies.
 Perhaps that’s not a surprise. “Stealing digital money from information
systems rather than vaults is basically just a less primitive form of bank robbery,”
the report said. “It represents the nearest approximation to actual cash for the
criminal.”

The full report is fascinating to read. It looked at more than 900 corporate
data breaches involving more than 900 million compromised records, and reveals
that high levels of cybercrime are carried out by insiders such as dishonest bank
employees. And it verifies what you probably already suspect: That some
breaches never even get reported.

All of that spells troubles for consumers, because there’s little you can do
to prevent your financial data from being stolen from your bank’s servers. You
can, however, limit how badly such a theft could hurt you. Here are some tips.

• Check your bank’s security policies and its policies for covering
losses due to fraud. At a minimum, a bank should have a policy of
double-checking you if you ever try to access your account from a different
computer than the one you ordinarily use. That could just mean you’re
using the computer at your parents’ house, or it could mean that a criminal
has your password. Look up your bank on the data breach list at the
Privacy Rights Clearinghouse to see if it’s had serious problems in the
past.

• Change your passwords often. And use different passwords for every
bank and brokerage account.

• Read all of your statements like a hawk. As soon as anything shows up

on your bank statement or credit card bill that seems wrong, contact your
financial institution and keep a record of your complaint.
• Keep your business accounts and your personal accounts separate
and protected by different passwords. Commercial accounts don’t
always receive the protection that personal accounts do. If you have a
business account with a big line of credit and a criminal cleans it out, your
bank might not make you whole, as Forbes details in a recent troubling
story.

• Take all of the usual steps to protect your credit report, but realize
that freezes and alerts just stop thieves from opening new accounts in
your name; they don’t stop anyone from using the accounts you already
have to clean you out.

• Don’t use a debit card. I admit, that’s just me talking — some people
love them. But if someone steals your credit card number, you can usually
maintain your financial life while you get it straightened out. If someone
steals your debit card number, however, they can empty your checking
account before you know it’s gone. And then your checks will bounce and
your bills won’t get paid. Banks say they’ll make good on debit card
losses, but the stress of dealing with bounced payments and a
compromised checking account while you wait is more than I’d want to
sign up for. Carry a minimal amount of cash and use a credit card for
everyday expenses. Pay it off every month, of course, but that’s a post for
another day.
PREVENTION OF CYBER CRIME:
Prevention is always better than cure. It is always better to take certain
precaution while operating the net. The 5P mantra for online security is
Precaution, Prevention, Protection, Preservation and Perseverance.
The following things should always be kept in mind:
As an Enterprise
Employ defense-in-depth strategies, which emphasize multiple, overlapping,
and mutually supportive defensive systems to guard against single-point
failures in any specific technology or protection method. This should include
the deployment of regularly updated antivirus, firewalls, intrusion detection,
and intrusion protection systems on client systems.
 Turn off and remove services that are not needed.
 If malicious code or some other threat exploits one or more network
services, disable or block access to those services until a patch is applied.
 Consider implementing network compliance solutions that will help keep
infected mobile users out of the network.
 Enforce an effective password policy.
 Configure mail servers to block or remove email that contains file
attachments that are commonly used to spread viruses, such as .VBS,
.BAT, .EXE, .PI F, and .SCR files.
 Isolate infected computers quickly to prevent the risk of further infection
within the organization.
 Perform a forensic analysis and restore the computers using trusted
media.
 Train employees to not open attachments unless they are expected and
come from a known and trusted source, and to not execute software that
is downloaded from the Internet unless it has been scanned for viruses.
 Ensure that emergency response procedures are in place. This includes
having a backup-and-restore solution in place in order to restore lost or
compromised data in the event of successful attack or catastrophic data
loss.
 Educate management on security budgeting needs.
 Test security to ensure that adequate controls are in place.
 Be aware that security risks may be automatically installed on computers
with the installation of file sharing programs, free downloads, and freeware
and shareware versions of software. Clicking on links and/or attachments
in email messages may also expose computers to unnecessary risks.
 Ensure that only applications approved by the organization are deployed
on desktop computers.
As a Consumer
 Consumers should use an Internet security solution that combines
antivirus, firewall, intrusion detection, and vulnerability management for
maximum protection against malicious code and other threats.
 Consumers should ensure that security patches are up to date and that
they are applied to all vulnerable applications in a timely manner.
 Consumers should ensure that passwords are a mix of letters and
numbers, and should change them often. Passwords should not consist of
words from the dictionary.
 Consumers should never view, open, or execute any email attachment
unless the attachment is expected and the purpose of the attachment is
known.
 Consumers should keep virus definitions updated regularly. By deploying
the latest virus definitions, consumers can protect their computers against
the latest viruses known to be spreading in the wild.

CONCLUSION
Lastly I conclude by saying that

“Thieves are not born, but made out of opportunities.”

 This quote exactly reflects the present environment related to technology,
where it is changing very fast. By the time regulators come up with preventive
measures to protect customers from innovative frauds, either the environment
itself changes or new technology emerges. This helps criminals to find new areas
to commit the fraud. Computer forensics has developed as an indispensable tool
for law enforcement. But in the digital world, as in the physical world the goals of
law enforcement are balanced with the goals of maintaining personal liberty and
privacy. Jurisdiction over cyber crimes should be standardized around the globe
to make swift action possible against terrorist whose activities are endearing
security worldwide. The National institute of justice, technical working group
digital evidence are some of the key organization involved in research.

The ATM fraud is not the sole problem of banks alone. It is a big threat
and it requires a coordinated and cooperative action on the part of the bank,
customers and the law enforcement machinery. The ATM frauds not only cause
financial loss to banks but they also undermine customers' confidence in the use
of ATMs. This would deter a greater use of ATM for monetary transactions. It is
therefore in the interest of banks to prevent ATM frauds. There is thus a need to
take precautionary and insurance measures that give greater "protection" to the
ATMs, particularly those located in less secure areas. The nature and extent of
precautionary measures to be adopted will, however, depend upon the
requirements of the respective banks. Internet Banking Fraud is a fraud or theft
committed using online technology to illegally remove money from a bank
account and/or transfer money to an account in a different bank. Internet Banking
Fraud is a form of identity theft and is usually made possible through techniques
such as phishing.

Credit card fraud can be committed using a credit card or any similar
payment mechanism as a fraudulent source of funds in a transaction. The
purpose may be to obtain goods without paying, or to obtain unauthorized funds
from an account. Cyber space and cyberpayment methods are being abused by
money launderers for converting their dirty money into legal money. For carrying
out their activities launderers need banking system. Internet, online banking
facilitates speedy financial transactions in relative anonymity and this is being
exploited by the cyber money launderers. Traditional systems like credit cards
had some security features built into them to prevent such crime but issue of e-
money by unregulated institutions may have none. Preventing cyber money
laundering is an uphill task which needs to be tackled at different levels. This has
to be fought on three planes, first by banks/ financial institutions, second by
nation states and finally through international efforts. The regulatory framework
must also take into account all the related issues like development of e-money,
right to privacy of individual. International law and international co-operation will
go a long way in this regard.

Capacity of human mind is unfathomable. It is not possible to eliminate

cyber crime from the cyber space. It is quite possible to check them. History is
the witness that no legislation has succeeded in totally eliminating crime from the
globe. The only possible step is to make people aware of their rights and duties
(to report crime as a collective duty towards the society) and further making the
application of the laws more stringent to check crime. Undoubtedly the Act is a
historical step in the cyber world. Further I all together do not deny that there is a
need to bring changes in the Information Technology Act to make it more
effective to combat cyber crime
CASE STUDY

INDIA'S FIRST ATM CARD FRAUD

The Chennai City Police have busted an international gang involved in

cyber crime, with the arrest of Deepak Prem Manwani (22), who was caught red-
handed while breaking into an ATM in the city in June last, it is reliably learnt.
The dimensions of the city cops' achievement can be gauged from the fact that
they have netted a man who is on the wanted list of the formidable FBI of the
United States. At the time of his detention, he had with him Rs 7.5 lakh knocked
off from two ATMs in T Nagar and Abiramipuram in the city. Prior to that, he had
walked away with Rs 50,000 from an ATM in Mumbai.

While investigating Manwani's case, the police stumbled upon a cyber

crime involving scores of persons across the globe.

Manwani is an MBA drop-out from a Pune college and served as a

marketing executive in a Chennai-based firm for some time.

Interestingly, his audacious crime career started in an Internet cafe. While

browsing the Net one day, he got attracted to a site which offered him assistance
in breaking into the ATMs. His contacts, sitting somewhere in Europe, were
ready to give him credit card numbers of a few American banks for $5 per card.
The site also offered the magnetic codes of those cards, but charged $200 per
code. The operators of the site had devised a fascinating idea to get the personal
identification number (PIN) of the card users. They floated a new site which
resembled that of a reputed telecom companies.

That company has millions of subscribers. The fake site offered the
visitors to return $11.75 per head which, the site promoters said, had been
collected in excess by mistake from them. Believing that it was a genuine offer
from the telecom company in question, several lakh subscribers logged on to the
site to get back that little money, but in the process parted with their PINs.

Armed with all requisite data to hack the bank ATMs, the gang started its
systematic looting. Apparently, Manwani and many others of his ilk entered into a
deal with the gang behind the site and could purchase any amount of data, of
course on certain terms, or simply enter into a deal on a booty-sharing basis.

Meanwhile, Manwani also managed to generate 30 plastic cards that

contained necessary data to enable him to break into ATMS.

He was so enterprising that he was able to sell away a few such cards to
his contacts in Mumbai. The police are on the lookout for those persons too.

On receipt of large-scale complaints from the billed credit card users and
banks in the United States, the FBI started an investigation into the affair and
also alerted the CBI in New Delhi that the international gang had developed
some links in India too.

Manwani has since been enlarged on bail after interrogation by the CBI.
But the city police believe that this is the beginning of the end of a major cyber
crime.