Case Studies on Identity Theft - Cert-In

Case Studies on Identity Theft

Rakesh Aggarwal, CBI

Case Study: Theft of Domain Name

The Background

Case registered on the written complaint of the owner of the website www.rozgar.com

The website provided employment-related services to subscribers and had thousands of subscribers

Website was registered with M/s Direct-I using email id careerzone.rediffmail.com

Website was hosted by www.rediffmail.co.in

Complainant used his e-mail address at indiatimes.com to communicate with the Registrar

Allegations

On 14.10.2006, the complainant came to know that his indiatimes.com e-mail account had been hacked

It was alleged that the suspect had stolen the user name and password assigned to him by M/s Direct-I to operate the website www.rozgar.com, transferred the said domain and website out of his control and put up the same for sale.

Investigation

M/s Directi informed that the email id in the admin panel had been changed on 05/10/06 from the complainant's indiatimes.com address to another indiatimes.com address

Scrutiny of the administration panel login details revealed that it was accessed using 2 IP addresses, which were of different service providers to that of the complainant

Login details of the M/s indiatimes e-mail ID also led to these 2 suspicious IP addresses

These 2 IP addresses resolved to the culprit

Modus Operandi

Internet reconnaissance using ‘whois’ regarding the ownership of the website

Found out the complainant's indiatimes e-mail ID password by using the ‘forgot password’ feature and guessing the ‘City of my birthplace’ hint

Logged on to www.website.in (of M/s Directi), filled in the username as the complainant's indiatimes.com e-mail ID and clicked the ‘forgot password’ option

Temporary password was mailed to that indiatimes.com e-mail ID

He subsequently created a fake e-mail ID at yahoo.com and created an account with another registrar, www.godaddy.com

Transferred www.rozgar.com from www.website.in to www.godaddy.com and put up the same for sale

He also changed the password of the complainant's e-mail ID at indiatimes.com and substituted the new indiatimes.com email id in the ‘whois’ details to befool the original owner

After transfer of the domain to www.godaddy.com he chose the ‘Use Default Name Server of www.godaddy.com’ option for hosting of the website

Put up the domain name for sale on the home page

Identity theft by using knowledge of how the system works, vulnerability in the email system and softness of target (easily guessable hint question)

Case Study: Online Share Trading Fraud

Background

Case registered on the written complaint of one V.K. Bhatnagar

Complainant had a share trading account with M/s India Infoline Securities Pvt. Ltd., New Delhi

He was doing online (using a password) as well as offline trading

During September 2004 to March 2005, he did not do any online trading but did offline trading

In February 2005, he asked for a trading password from the company as the earlier one had expired. He was issued the same. It didn’t work

Again requested a trading password, which again didn’t work

He continued offline trading

On 19.02.2005, he was informed by the Delhi office of the company that there was a debit of more than 5 lakh in his account, which he contested.

Investigation

During investigation, it was revealed that on 31.01.2005, 01.02.2005, 08.02.2005 and 14.02.2005, he did not give any instructions over phone to the broker for offline trading

Trading logs and access logs for these 4 dates were obtained from India Infoline, which revealed that 50 trades had taken place on those 4 dates

Trades had taken place mainly in Jai Bharat Maruti and CANBANK F&O shares

Details of counter parties were obtained for the 50 trades from the stock exchanges NSE and BSE

Scrutiny revealed that in 28 instances, counter parties matched, i.e. shares were purchased and later sold to the same parties

Chances of trading with a known counterparty: nearly impossible in high liquidity and high volume shares

Trading pattern abnormal

Out of 28 instances, 10 were found to have happened by sheer chance, due to low liquidity shares

18 instances investigated

4 counter brokers found involved: SKSE Securities, Marwari Shares and Securities, Angel Capital and Motilal Oswal Securities

Subscriber accounts of these 4 brokers were investigated and suspects were zeroed in on
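The counterparty-matching check described above, as an added example that is not part of the original presentation: it pairs each buy with a later sell in the same scrip to the same counter broker, discards matches in thinly traded scrips where a repeat counterparty is plausible by chance, and counts what remains per broker. The trade records, scrip names, broker codes, volume figures and the liquidity threshold are all constructed.

```python
"""Counterparty-matching check over constructed trade records."""
from collections import Counter, defaultdict

# Constructed sample of trades executed in the client's account on the
# disputed dates. Scrip names, broker codes and volumes are placeholders.
TRADES = [
    # (date, scrip, side, qty, counter_broker)
    ("2005-01-31", "SCRIP-A", "BUY", 500, "BRK-1"),
    ("2005-01-31", "SCRIP-A", "SELL", 500, "BRK-1"),  # same party on both legs
    ("2005-02-01", "SCRIP-B", "BUY", 200, "BRK-2"),
    ("2005-02-01", "SCRIP-B", "SELL", 200, "BRK-3"),  # different party: normal
    ("2005-02-08", "SCRIP-C", "BUY", 100, "BRK-4"),
    ("2005-02-08", "SCRIP-C", "SELL", 100, "BRK-4"),  # thin scrip: chance match
    ("2005-02-14", "SCRIP-A", "BUY", 300, "BRK-2"),
    ("2005-02-14", "SCRIP-A", "SELL", 300, "BRK-2"),  # same party again
]
# Average daily volume per scrip (constructed); decides whether a match
# could plausibly be chance.
DAILY_VOLUME = {"SCRIP-A": 2_000_000, "SCRIP-B": 900_000, "SCRIP-C": 15_000}
LOW_LIQUIDITY_THRESHOLD = 50_000


def matched_instances(trades):
    """Pair each BUY with a later SELL in the same scrip to the same counter
    broker. Returns the list of (buy, sell) pairs found."""
    pending = defaultdict(list)  # (scrip, counter_broker) -> unmatched buys
    matches = []
    for trade in sorted(trades):  # tuple order: date first, BUY before SELL
        _, scrip, side, _, broker = trade
        key = (scrip, broker)
        if side == "BUY":
            pending[key].append(trade)
        elif pending[key]:
            matches.append((pending[key].pop(0), trade))
    return matches


def suspicious_instances(trades):
    """Drop matches in thinly traded scrips, where meeting the same
    counterparty on both legs can happen by sheer chance."""
    return [(buy, sell) for buy, sell in matched_instances(trades)
            if DAILY_VOLUME.get(buy[1], 0) >= LOW_LIQUIDITY_THRESHOLD]


def brokers_to_investigate(trades):
    """Count the remaining matches per counter broker; these are the
    accounts whose subscribers would be examined next."""
    return Counter(buy[4] for buy, _ in suspicious_instances(trades))
```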

Modus Operandi

One of the accused was himself a franchisee of M/s India Infoline and had access to ‘wire login’, through which they were able to see the client data and their correspondence with M/s India Infoline

They were also able to access details of other branch offices by making some changes in the URL of the software

They used to collect the details of the clients whose passwords were reset

This way they were able to hack into the trading account of the complainant, and lured other co-accused to act as counter party by opening other accounts

They engaged counter parties for transactions with the hacked account

Bank accounts and mobile phones were opened/procured on fake documents

Identity theft through ‘poor system design’

Case Study: IRCTC Case

IRCTC

Indian Railway Catering and Tourism Corporation (IRCTC) is a wholly owned subsidiary of the Indian Railways

Indian Railways is the largest employer in terms of manpower in India

www.irctc.co.in was the fastest growing website in the Asia Pacific region

Website was offering a range of services for the public

IRCTC Case

Most popular service was booking of railway tickets using the website

For booking tickets, one needs to create a login name

Booking can be made using credit/debit card

At the relevant time, IRCTC was using two payment gateways: Citibank and ICICI Bank

Payment Methodology (diagram showing Customer, IRCTC Website and Payment Gateway)

IRCTC Cases

Indian Railways launched its e-commerce services for providing online purchase of tickets.

Payments by using credit card/debit cards.

The tickets are either couriered (for a nominal fee) or could be collected from a counter (at some places).

They are using two payment gateways:

– ICICI

– Citibank

The suspect was trapped while collecting a ticket at New Delhi Railway station.

IRCTC Cases ... Case 1

Received information that fraudulent credit card transactions were being made on the site from various IDs.

IRCTC received chargebacks in respect of such tickets.

The analysis of the IDs and the card numbers used revealed common links.

All the tickets were collected from the counter.

The identity documents of the person who had collected the tickets were obtained.

The PAN card used had the old address of the suspect.


The accused was working in the Credit Card Section of a Multi-National Bank as a Sales Executive.

Obtained card information by social engineering.

Purchased tickets for self or family.

Had also used the credit card details for other purchases.


IRCTC Cases ... Case 2

Another set of complaints led to identification of a person operating from Mumbai.

The details collected from identity documents revealed that the person was residing at a hostel.

The address was old as he had left the hostel a long time back.

Field verification revealed that the suspect had been working at a restaurant, but had left that work as well.

Further field work led to his identification and arrest at Mumbai.

He used to collect credit card information from the customers visiting the restaurant. Case charge-sheeted; presently under trial.

More such cases with CBI and Mumbai Police.

Case Study: Identity Theft from ISP by Hacking

ISP Hacking Case

FIR was registered for alleged hacking into the billing and authentication software of an ISP and misuse/theft of customer IDs

Company was in the business of providing internet connectivity by way of WAN (cable) and connecting various hubs in different localities

41 user IDs were reported to be misused

Company's payment module is prepaid PINs and subsequent renewal of the same

PINs, on activation, get bonded with user IDs, IP and MAC IDs

Provision exists to make a connection IP- and MAC-free

Setup is managed by the provisioning software called Crestel (JISP), which does authentication, authorization and accounting

Investigation revealed that each of the misused IDs was accessed using a number of IP addresses

Analysis of authentication logs revealed that authentication requests for user ID ‘chris’ had been generated from the IP address and MAC ID combination 10.1.63.91 and 00:E0:4C:90:0A:AF, a combination allotted to user ‘suncroreg1’

It was also revealed that the expiry date of the PIN assigned to user ‘suncroreg1’ had been extended
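The authentication-log analysis described above, as an added example that is not from the presentation or from Crestel: it checks each request's (IP, MAC) pair against the PIN bonding table and flags requests made under a user ID other than the one the pair is bonded to, and separately counts distinct source IPs per user ID. The log line format, the bonding table and every address other than the 10.1.63.91 / 00:E0:4C:90:0A:AF pair named in the case are constructed.

```python
"""Binding-mismatch check over constructed ISP authentication log lines."""
import re
from collections import defaultdict

# Constructed log lines (not Crestel's real format):
# <timestamp> <user id> <source ip> <mac> <result>
LOG_LINES = """\
2007-03-01T08:01:10 suncroreg1 10.1.63.91 00:E0:4C:90:0A:AF ACCEPT
2007-03-01T08:05:42 chris 10.1.63.91 00:E0:4C:90:0A:AF ACCEPT
2007-03-01T09:12:03 chris 10.1.63.91 00:E0:4C:90:0A:AF ACCEPT
2007-03-01T10:30:55 chris 10.1.70.12 00:1B:2C:3D:4E:5F ACCEPT
2007-03-01T11:02:17 alice 10.1.70.12 00:1B:2C:3D:4E:5F ACCEPT
2007-03-01T11:45:00 bob 10.1.80.5 00:AA:BB:CC:DD:EE ACCEPT
""".splitlines()

# PIN bonding table: user id -> (ip, mac) as the provisioning system holds
# it. Constructed, except the 10.1.63.91 / 00:E0:4C:90:0A:AF pair from the case.
BONDING = {
    "suncroreg1": ("10.1.63.91", "00:E0:4C:90:0A:AF"),
    "chris": ("10.1.55.20", "00:11:22:33:44:55"),
    "alice": ("10.1.70.12", "00:1B:2C:3D:4E:5F"),
    "bob": ("10.1.80.5", "00:AA:BB:CC:DD:EE"),
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+\.\d+\.\d+\.\d+) ([0-9A-F:]{17}) (\S+)$")


def parse(lines):
    """Yield (timestamp, user, ip, mac, result) tuples; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def foreign_bindings(lines):
    """Requests whose (ip, mac) pair is bonded to a different user id.
    Returns (requesting_user, bonded_user, ip, mac) for each such request."""
    owner_of = {pair: user for user, pair in BONDING.items()}
    hits = []
    for _, user, ip, mac, _ in parse(lines):
        bonded = owner_of.get((ip, mac))
        if bonded is not None and bonded != user:
            hits.append((user, bonded, ip, mac))
    return hits


def ips_per_user(lines):
    """Number of distinct source IPs per user id; a prepaid id seen from
    several IPs is the pattern reported for the misused ids."""
    seen = defaultdict(set)
    for _, user, ip, _, _ in parse(lines):
        seen[user].add(ip)
    return {user: len(ips) for user, ips in seen.items()}
```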

Generation of authentication requests other than their own led to zeroing in on the suspects

Searches at their residential premises led to seizure of their computers and other documentary evidence

Accused was collecting the user names and passwords by running sniffing software (Cain and Abel) on the network and sharing the same among their friends

The user was further able to hack into the managing software by exploiting its poor authentication design and thereafter changing bandwidth and expiry dates