Business Daily from THE HINDU group of publications, Monday, Oct 30, 2006
eWorld - Economic Offences

Bang goes your buck

Paromita Pain

ONE SWIPE is all it takes. (Photo: Bijoy Ghosh)
Every five minutes, somewhere in the world, people fall in love, babies are born - and someone is trying to steal your credit card information. For, as cyberspace expands, so do criminal activities. While identity theft and cyber squatting are predominant, 'Phishing' and increasingly 'innovative ways' to steal financial data and commit monetary frauds are coming into play. eWorld did a status scan of the scene. Here goes:

"Cyber-squatting is a serious issue as it might be used to carry out a phishing attack. In a typical phishing attack, the fraudsters design a Web site that would look just like the site of a legitimate bank. Suppose someone registers www.icicbank.com (notice the missing 'i'), and designs a login and password page that looks just like the legitimate site, then he can collect the login name and password of a genuine customer, if the customer mistypes the URL. The fraudster then uses it at the legitimate Web site and defrauds the customer! Similarly, cyber-squatters also register unused extensions such as .co.in, .net, and .biz, among others. A bank should, as far as possible, register all extensions and then redirect the other extensions to a single Web site. Also, banks ought to report these incidents and get known phishing sites disabled," says Pradeep Akkunoor, co-founder and Director of Indiaforensic Consultancy Services (ICS), a Pune-based Forensic Accounting and Fraud Investigations consulting firm.

Valuable lessons came from the phishing case where the perpetrator of the crime sent out e-mails to a leading bank's customers asking for details such as passwords to Internet Banking accounts. Some customers were taken in since the mail seemed genuine and had a URL that opened on to sites very like the official one. The fraud was exposed when the bank's information security cell received the e-mail forwarded by customers seeking to verify its validity.
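The lookalike-domain scenario Akkunoor describes (www.icicbank.com with the missing 'i', and the bank's own name under extensions such as .co.in, .net or .biz that it never registered) can be turned into a screening check that a bank's information security cell could run over links forwarded by customers. The Python below is an added example written for this page, not code from the article or from Indiaforensic; the legitimate-domain list and the suffix list are constructed assumptions, and it flags hostnames that are one dropped, added, changed or swapped character away from the bank's name, or that reuse the name under an extension the bank does not own.

```python
"""Lookalike-domain screening for the typosquatting/phishing scenario in the article.

Hypothetical example written for this page; not code from the article or from
Indiaforensic. LEGIT_DOMAINS and SUFFIXES are constructed assumptions.
"""
from __future__ import annotations
from urllib.parse import urlparse

# Constructed assumption: the hostnames the bank actually owns. A real deployment
# would load this from the bank's domain inventory.
LEGIT_DOMAINS = {"icicibank.com", "icicibank.co.in"}

# Constructed assumption: the "extensions" we recognise, longest first so that
# "co.in" is preferred over "in". A real deployment would use the Public Suffix List.
SUFFIXES = ("co.in", "com", "net", "biz", "org", "in")


def split_domain(host: str) -> tuple[str, str]:
    """Return (brand label, suffix) for a hostname.

    'www.icicbank.com' -> ('icicbank', 'com'); 'icicibank.co.in' -> ('icicibank', 'co.in').
    """
    host = host.lower().rstrip(".")
    for suffix in SUFFIXES:
        if host.endswith("." + suffix):
            rest = host[: -(len(suffix) + 1)]
            return rest.split(".")[-1], suffix
    parts = host.split(".")
    return (parts[-2] if len(parts) >= 2 else parts[0]), parts[-1]


def one_edit_away(a: str, b: str) -> bool:
    """True if a single dropped, added, changed or swapped character turns a into b."""
    if a == b:
        return False
    if len(a) == len(b):
        diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        if len(diffs) == 1:
            return True  # one substituted character
        return (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and a[diffs[0]] == b[diffs[1]] and a[diffs[1]] == b[diffs[0]])  # adjacent swap
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def classify_host(host: str) -> str:
    """Classify a hostname relative to LEGIT_DOMAINS."""
    label, suffix = split_domain(host)
    if f"{label}.{suffix}" in LEGIT_DOMAINS:
        return "legitimate"
    legit_labels = {split_domain(d)[0] for d in LEGIT_DOMAINS}
    if label in legit_labels:
        return "extension-squat"  # the bank's own name under an extension it did not register
    if any(one_edit_away(label, real) for real in legit_labels):
        return "typosquat"  # e.g. the missing 'i' in icicbank.com
    return "unrelated"


def classify_url(url: str) -> str:
    """Extract the hostname from a URL (scheme optional) and classify it."""
    if "://" not in url:
        url = "http://" + url
    return classify_host(urlparse(url).hostname or "")


def suspicious_links(urls: list[str]) -> list[tuple[str, str]]:
    """Return (url, verdict) for every link that is a typosquat or extension-squat."""
    flagged = []
    for u in urls:
        verdict = classify_url(u)
        if verdict in ("typosquat", "extension-squat"):
            flagged.append((u, verdict))
    return flagged


if __name__ == "__main__":
    # Constructed sample: links as they might appear in customer-forwarded e-mails.
    sample = [
        "https://www.icicibank.com/login",
        "https://www.icicbank.com/login",
        "http://icicibank.biz/verify",
        "https://www.example.com/",
    ]
    for url, verdict in suspicious_links(sample):
        print(f"{verdict:16} {url}")
```

The check only looks at the registrable label, so a bank name buried in a subdomain of some other domain (icicibank.example.net) is reported as unrelated; catching that case needs a substring rule on top, and a production version would also pull the suffix list from the Public Suffix List rather than the short constructed tuple used here.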
Suspect e-mails
Difficult to control, phishing cases only seem to be getting more 'sophisticated.'

"We recently reported one attack directed at a leading bank in India. A customer would receive an e-mail stating that someone has attempted to log in to his/her account and advising a change of password by clicking on the link. On clicking, you are taken to a Web site that looks just like the legitimate Web site. You are likely to enter your login name and password, which will be read by the fraudster and used to defraud you. The basic precaution that customers can take is to call up the bank and check if it has sent such an e-mail. Usually banks do not send such mails. A phone call to customer care would clarify the issue. Also, one should get familiar with the security aspects and directives given by the bank when using the Internet banking facility. Please report anything even remotely suspicious to your bank," cautions Akkunoor.

"The huge expansion in banking transactions consequent to the transition of banks to mass banking and large-scale computerisation has played a major role in the perpetration of the frauds," says Mayur Sharad Joshi, founder and Chairman of Indiaforensic, an anti-fraud community.
SMS alerts - the smart option
We all know we need to take extra care of our credit cards. Consumers often believe ATM cards are difficult to access as they are personal identification number (PIN)-protected. The arrest of Deepak Prem Manwani while breaking into an ATM in Chennai is probably among the earliest ATM-related crimes in India. This MBA drop-out from a Pune college started out when he stumbled upon a site that was defrauding American banks for $5 per card and getting the PIN of the card users by floating a new site resembling that of a reputed telecom company.

Most leading banks have an SMS service to inform customers about transactions. "Please use the SMS alert facility provided, wherein any transaction over a certain amount set by you is reported through an SMS. So if you receive an SMS stating that a certain unauthorised amount has been withdrawn from the ATM or that your credit card has been used to make an unauthorised purchase, you can immediately inform your bank and the police as well, which will help in limiting the damage and assist in tracing the culprit. For credit cards, make sure you memorise the CVV (card verification value) number, and stick a small opaque sticker on it (at the back of the credit card), so if you give it to a waiter at a restaurant, he wouldn't be able to note that number. Use SMS alerts for credit cards too," says Akkunoor.
Data protection
Not just in India: data security is an important issue for most enterprises in the Asia-Pacific. "Companies with consumer data may be concerned about US/EU type regulations regarding public disclosure of data breaches/theft, or theft of intellectual property, or may use security as a way to differentiate themselves if they're working with US/EU clients, such as outsourcing service providers. Also, the Asia-Pacific operations of organisations based in the US/EU may be required to comply with the same regulations (HIPAA, SoX, EU Data Privacy regulation) as their parent companies in the home countries. In countries without regulations mandating specific data privacy/security guidelines, organisations are considering security solutions from the business risk mitigation perspective, especially where there is a potential risk to reputation or a legal/financial risk on losing sensitive information," says Soumitro Agarwal, Marketing Director, Network Appliance Systems (India) Pvt Ltd.

In India, Nasscom (National Association of Software and Service Companies) has been exploring various initiatives to check cyber criminals. Its initiative includes creating the right awareness about security and security issues in the ITES/BPO sector. It also includes setting up and defining guidelines from time to time on security and risk management, creating special training on Information Security, introducing certifications and exploring concepts of shared services wherein the focus will be on "defining a set of services that can be shared across members, which could include background checks, education and employment verification, ethical hacking and intrusion testing of a member's public Web site and communications links and risk monitoring."
Working with police officers, lawyers and industry bodies to ensure that enforcement and constant checks are in place has resulted in the Cybercell in Mumbai, a joint initiative between Nasscom and Mumbai police, with plans for more such programmes in the country. Says Rakesh Goyal, Director, Centre for Research and Prevention of Computer Crimes, "Security has to be planned at the conceptualisation and design stage. Then it can be aligned and made part of the business processes with smooth ease-of-use. The problem is further compounded by half-baked technical solutions implemented by technologists or IT managers. Many people think that by just putting a firewall or antivirus, we are secure, which is wrong. Further, if firewalls are not properly configured, that may itself become a security risk. Most security breaches in banks and other organisations happen due to a lack of comprehensive planning for IT Security; IT risk assessment; absence of or improper IT Security policies and procedures; lack of implementation of these policies and procedures and the lack of regular review and update of IT security strategy. In most cases, the weakest links are human beings. Either they are not trained or not regularly re-trained or not involved in the security process implementation. In many cases, initial exceptions, such as no-access-checking for CEO, are a risk factor as later it might become the rule for everyone gradually."
Common crime devices
Cyber squatting: Webopedia (http://www.webopedia.com/TERM/C/cybersquatting.html) explains it as "the act of registering a popular Internet address usually a company name with the intent of selling it to its rightful owner. The Organisation (WIPO) has also outlined anti-cybersquatting tactics, which have been endorsed by ICANN (Ironically enough, someone recently registered www.wipo.com in order to sell it back to WIPO for several thousand dollars)."

Data diddling: The Niagara Regional Police Service (http://www.nrps.com/community/comprev.asp) describes it as "changing data prior or during input into a computer. This is one of the simplest methods of committing a computer-related crime, because it requires almost no computer skills whatsoever. For example, a person entering accounting may change data to show that their account, or that of a friend or family member, is paid in full. By changing or failing to enter the information, they are able to steal from the company."

Email spoofing: The Carnegie Mellon Software Engineering Institute (http://www.cert.org/tech_tips/email_spoofing.html) illustrates it as "Email spoofing may occur in different forms, but all have a similar result: a user receives e-mail that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords)."

Salami attack: We aren't talking about a giant hamburger here. Its main victims are individuals and financial institutions. It is unique in the sense that the alterations that it creates are so small that they go practically unnoticed but when put together can add up to millions. For example, a bank employee can steal as little as one rupee a day from all the accounts in the bank.

Webjacking: Wikipedia (http://en.wikibooks.org/wiki/The_Computer_Revolution/Internet/Hackers#webjack) says, "Webjacking is when hackers take Web pages that you frequent and then take you to other Web sites that are used to scam people."

Phishing: Wikipedia (http://en.wikibooks.org/wiki/The_Computer_Revolution/Internet/Hackers#webjack) says, "Hackers involved in phishing and 'pharming' are undertaking illegal activities for the purpose of getting personal/confidential information from computer users (i.e., personal, financial or password data). Phishers 'bait their hooks,' 'cast their net' and 'fish' for information in the hope of 'luring' and ultimately 'catching' identity victims 'hook, line and sinker' into a trap that leads the user into divulging their financial and/or password information."

Alerts for banks

Expect fraud: Nowhere in the world can fraud be avoided, hence banks can be no exceptions.

Develop a fraud policy: The policy should be written and distributed to all employees, borrowers and depositors. Maintain a zero tolerance for violations.

Assess risk: Look at the ways fraud can happen in the organisation. Some of the big nationalised banks maintain databases of the fraud cases reported in their banks. But they yield nothing unless they are analysed effectively.

Establish regular fraud-detection procedures: It could be in the form of Internal audit or it could also be in the form of inspections. The Institute of Chartered Accountants of India has issued an Accounting and Assurance standard on internal controls, which is a real guideline to test internal controls.

Segregate duties in critical areas: No single person should have control of the books of accounts and the physical asset.

Conduct pre-employment screening: Know whom you are hiring. More than 20 per cent of resumes contain false statements.

Screen and monitor borrowers: Bad borrowers cause the biggest losses to banks. Look at their ownership, clients, references, and litigation history. In many cases, potential fraudsters have a history of defaulting in some other bank or financial institution.

Courtesy: Mayur S. Joshi CA, CFE Certified Fraud Examiner (US)
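The salami attack described under "Common crime devices" (one rupee a day from every account) and the "Establish regular fraud-detection procedures" item above both point at the same control: an audit pass over the ledger that looks for tiny debits in aggregate rather than one statement at a time. The Python below is an added example written for this page, not code from the article or from Indiaforensic; the ledger it runs over is constructed, and the small-debit threshold, the minimum account count and the minimum number of days are assumptions a bank's internal audit would tune.

```python
"""Detecting a salami pattern in a bank ledger.

Added example written for this page; not code from the article or from
Indiaforensic. The ledger below is constructed, and the thresholds are assumptions.
A one-rupee skim is invisible on any single statement, so the detection groups
tiny debits by who posted them and looks at how many accounts and days they touch.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    day: int
    account: str
    amount: float      # negative = debit from the customer's account
    posted_by: str     # user or system that booked the entry
    memo: str


SMALL_DEBIT = 1.00  # rupees; assumption: debits at or below this are "too small to notice"


def find_salami_patterns(entries, min_accounts=50, min_days=3):
    """Flag (posted_by, memo) groups of tiny debits that touch many accounts on several days.

    Returns a list of findings, largest total first.
    """
    groups = defaultdict(list)
    for e in entries:
        if e.amount < 0 and -e.amount <= SMALL_DEBIT:
            groups[(e.posted_by, e.memo)].append(e)

    findings = []
    for (posted_by, memo), group in groups.items():
        accounts = {e.account for e in group}
        days = {e.day for e in group}
        if len(accounts) >= min_accounts and len(days) >= min_days:
            findings.append({
                "posted_by": posted_by,
                "memo": memo,
                "accounts": len(accounts),
                "days": len(days),
                "total": round(-sum(e.amount for e in group), 2),
            })
    return sorted(findings, key=lambda f: -f["total"])


def constructed_ledger(n_accounts=200, n_days=5):
    """Constructed sample ledger: normal activity plus a one-rupee-a-day skim."""
    entries = []
    for day in range(1, n_days + 1):
        for i in range(n_accounts):
            acct = f"ACC{i:04d}"
            # ordinary activity: one ATM withdrawal per account per day
            entries.append(Entry(day, acct, -500.0 - 100.0 * (i % 7), "ATM", "cash withdrawal"))
            # the salami: a "rounding adjustment" of one rupee, every account, every day
            entries.append(Entry(day, acct, -1.0, "clk042", "rounding adj"))
    # a legitimate small charge: an SMS-alert fee on ten accounts, one day only,
    # which should NOT be flagged because it touches few accounts on a single day
    for i in range(10):
        entries.append(Entry(1, f"ACC{i:04d}", -0.5, "billing", "sms alert fee"))
    return entries


if __name__ == "__main__":
    for f in find_salami_patterns(constructed_ledger()):
        print(f"{f['posted_by']!r} memo={f['memo']!r}: {f['accounts']} accounts over "
              f"{f['days']} days, Rs {f['total']:.2f} in total")
```

Grouping by the posting user is what makes the segregation-of-duties point above testable: a legitimate fee run is booked by a billing system against a defined fee schedule, while a skim shows up as a human user posting the same sub-rupee adjustment across the whole customer base day after day. Grouping only by amount or only by account would miss it.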
Copyright © 2006, The Hindu Business Line.