• Investment World
• eWorld
• Brand Line
• Mentor
• Life
• Brand Quest
• The New Manager

Stocks

• Quotes
• SE Diary
• Scoreboard
• Open-End Mutual Fund

Cross Currency

• Rates
  
  

Shipping

• Ports
  
  

Archives

• Yesterday
• Datewise
• Resources
• In Focus
• In Depth

Group Sites

• The Hindu
• The Hindu ePaper
• Business Line
• Business Line ePaper
• Sportstar
• Frontline
• The Hindu eBooks
• The Hindu Images

R.K.Raghavan

A shot in the arm for cyber crime investigators in the Indian Police? The Corps of Detectives of Karnataka Police, an efficient agency with a good track record of service, recently nabbed a 12-member gang led by Joseph of Tamil Nadu that had hacked into at least 17 bank accounts in four leading banks in the State and stolen considerable sums of money.

The police identified three e-mail accounts of Joseph and found he had in his possession the account numbers and passwords of about 100 customers. The gang had used four cyber cafes in Bangalore and one in Mysore. They obtained the vital information needed for their illegal operations from gullible account holders, by offering to recharge their cell-phone accounts at heavily discounted prices.

With their getting the cell-phone numbers, it was no great feat later that they could lay hands on bank account PINs of several individuals, who had obviously either stored these numbers in their phones or had accessed their online accounts through such phones.

Also, the gang used select cyber cafes during the beginning of a month, when an unusually large number of unwary visitors usually access their bank accounts to check on credits, including their salary amounts. According to the police, freely-available key logging software was employed by the gang to steal information left behind in the computers by visitors to the cyber cafes.

Three aspects of the sensational occurrence are significant. First, the cyber café owner was alert and smart enough to give the initial lead that helped to identify at least some of the miscreants. A mere IP number in the hands of the police was not enough for the purpose, because so many individuals access the machines at a café. We need more and more of the Bangalore kind if we are to outmanoeuvre the likes of Joseph.

A CCTV facility may become mandatory to every cyber café so that images of users are available at least for a few months. If my information is right, the Tamil Nadu Police did think on these lines a few months ago. A CCTV camera also builds a certain amount of deterrence against those with criminal designs.

Second, Joseph, the main brain behind the Karnataka operation, was just a Diploma holder in engineering. This again confirms that no great technical skills are required to carry out such an exercise, a fact that should make many of us more vigilant than ever before.

Of slightly less significance is that inter-State criminals are becoming ubiquitous, a trend that renders local databases increasingly irrelevant. I do not know how long it will take for us to build a national database of cyber criminals. If one already exists, it has not been spoken of in quarters that matter!

The fact that more than others, it is financial institutions and their customers who are at risk from cyberspace predators is again borne by the results of a recent Gartner survey. Victims of Phishing lost nearly $3 billion during 2007, a sizeable increase over losses in the previous year. This is even without taking into account losses resulting from malicious software that enables intruders to steal passwords and usernames.

According to Brian Kerbs, who writes an informative column on the subject for Washington Post, in spite of tall claims made by leading banks the world over, customer education has not been all that effective. There are still those who would give away their PIN and passwords in response to an e-mail enquiry.

A large number of computer owners are blissfully unaware of the keystroke loggers and password-stealing malware carried by them in their machines, which facilitate remote control of machines by the underworld. (There are a few software packages that offer protection against key logging. Zone Lab’s Security Suite and Zone Alarm’s Force Field are mentioned by two Washington Post bloggers. You may, however, have to make further enquiries before you opt for either of them.)

Interestingly, in the US, the FBI recently released a list of seven cases in which ‘Botnets’ (computers captured by outsiders and remotely controlled by them) were used to remove funds from banks. The Bureau’s ‘Operation Bot Roast’ found that about two million independent computers had been infected by 10 individuals, acting either on their own or in concert.

A majority of the offenders were in the age group of 21 to 30. One of them, a student of University of Pennsylvania, hijacked about 50,000 PCs with the assistance of a New Zealander. Another, a youth from Tacoma (Washington State), confessed to the FBI that he had taken over hundreds of thousand computers and hired them out to spammers and those needing them to knock out existing websites. These numbers would make readers understand the dimensions of cyber crime all over the world.

Basic to preventing dishonest cyber intrusions is the need for PC owners to ensure that their computers operate in a secure environment, especially while accessing bank Web sites. This would call for observance of a drill and high computer discipline.

In specific terms, it requires the closing of all other programs before browsing such a site, deleting cookies, eliminating all temporary Internet files, looking out for a lock symbol that confirms a secure session and checking whether the site has a security certificate. Of course, opening of another browser window or tab while on a bank site has to be scrupulously avoided, and the log-off provision used before closing the browser.

Kerbs would also recommend the switching-over from an ‘administrator account’ to a ‘limited user account’ for daily needs. While you are on the former, it must be remembered that your system is vulnerable to attempts by undesirable elements to install viruses and worms. As against this, a ‘limited use’ account wards off all external attacks by denying permission to install programs or in any way change existing settings.

The only point is how many of us have the patience to alternate between the two accounts. We seem to be in a hurry all the time!

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

More Stories on : Security | Security Musings

Article E-Mail :: Comment :: Syndication :: Printer Friendly Page

Stories in this Section
One for the New Year

Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line