E Banking - Cyber Frauds in India

8/9/2019 E Banking - Cyber Frauds in India

1/70

@NLS

Naavi

E Banking Frauds

Naavi1


2/70

Agenda

Types of Frauds that affect Bankers

The law regarding Cyber Frauds

Due Diligence Requirements

Naavi2


3/70

Phishing

Naavi3

Case Study


4/70

The Case

An NRI customer having account in Tirunelveli

branch of ICICI Bank

– Receives monthly statement from

[email protected] – One day he received a mail from the same address

Stating that his account is being deactivated for security

reasons unless he logs in immediately and confirm that the

account has to be continued. – A hyperlink is provided in the same mail to the Bank’s website.

Customer logs in and confirms

Naavi4


5/70

The Phone Call

Next day evening, at 6.00 pm IST, he received a

phone call from his Bank informing him and asking

for confirmation about his having withdrawn

withdrawn Rs 6.46 lakhs from his account andhaving transferred to the account of Uday

Enterprises at Fort Bombay branch of ICICI Bank

– Customer denies any such transaction and immediately

follows up with e-mail and fax to the Bank denying the

transaction and restoration of his balance in the account.

Naavi5


6/70

Internal Investigations

Bank conducts an internal investigation whichreveals the following – customer had received a phishing mail in the name of

[email protected] and had responded to the

same – The amount of 6.46 lakhs had been then transferred to the

Fort Branch branch in lots of Rs 1 lakh in four transactionson 6th September and two more transactions and again46000/- on 7th September

– The customer (Uday Enterprises) had drawn Rs 4 lakhs incash across the counter on 7th September, 35000/- wasadjusted to the OD outstanding in the account. Balance waslying in the account.

Naavi6


7/70

Response

Bank writes to the customer that he was a victim of

Phishing and should file a complaint with the Police

and pursue.

– Refuses to re-credit the amount to customer’s account

– Refuses to file a complaint in Mumbai to trace the customer

– Internal investigation reveals that the account was in arrears

of Rs 35000/- for more than 6 months, the proprietor had

changed address 2 years back and was not traceable

Naavi7


8/70

Follow Up

Customer files a complaint with the BankingOmbudsman who after verification concludes that itdoes not come within his jurisdiction as it is a crime

related issue and not a service related issue As suggested by the Bank, a complaint is filed at

Tirunelveli.. Police suggest that it is a cyber crimeand complaint has to be filed in Chennai

– Complaint is filed including the Bank as a co accused – Adjudication proceeding has been completed. Verdict

awaited.

Naavi8


9/70

Additional Information

The Internal investigator had reported that

the CCTV in the Banking hall should have

captured the cash withdrawal transaction andshould be checked.

– Bank never acted on this suggestion made within

a few days of the incident and the service

provider responsible for the maintenance of the

CCTV service is reported to have deleted the

data( after one month)

Naavi9


10/70

Further developments..

Later it was found that the IP address

indicated that all transactions were

conducted from Mumbai – where as the customer was known to be an NRI

in Dubai.

– The current account of uday Enterprises was

owned by one Mohammed Zulfiquar Hasim Khan

Why one Zulfiquar Hasim Khan should open a current

account in the name of Uday Enterprises?..

Naavi10


11/70

Adjudication

Adjudication application was filed in Chennai – Claiming the entire amount lost along with interest and

damages

After the filing, – Bank paid the balance amount of Rs 150071/- which was

lying in the account of Uday enterprises.

After several hearings, Bank offered to pay the entirefraud amount of RS 646000/- provided a suitable

indemnity was provided. No agreement was however reached on the terms of

the indemnity. – Matter awaiting release of the award

Naavi11


12/70

Other Frauds like Phishing

Credit Card frauds, Theft of Debit card/password – All these frauds occur through Electronic Forgery.

– In case of payment of a forged cheque.. Who is liable? Canara Bank Vs Canara Sales Corporation AIR 1987 SC 1603

Citizen Co-opertive Bank Ltd Vs Ritesh Mittal,-2004 CTJ 211 (Jammu and Kashmir High Court)

N. Venkanna Vs Andhra Bank, National Disputes Redressal Commission, 11th January, 2005

Bhagwandas Vs Creet (1903)31, Cal.249 L. Pirbhu Dayal Vs Jwala bank, AIR 1958 All. 374

Dawood Vs Firm Pereinan Chetty, AIR 1924 Rang.264 – All these cases hold the Bank liable even if the customer had shown negligence of some sort.

Banks can escape liability only if the customer has abetted or is estopped for some reason toclaim that the withdrawal was wrong.

Why would it be different in case of Phishing?

– In Germany and Denmark, Banks are held responsible for such technical crimes – India too has no option to follow suit

– Banks should therefore put strategies to protect themselves from the Phishingliabilities.

Naavi12


13/70

Other Frauds involving Banks

Nigerian Mails, Job Frauds, Lottery Frauds

– All involving remittances to foreign countries

where the Bank as an Authorised Dealer is

expected to enquire about the purpose of

remittance and approve

or other accounts in the Bank

Salami frauds, Software bugs

Naavi13


14/70

Other means..

Stolen laptops

– If data is not encrypted …

Shared Desktops – Somebody else’s negligence in allowing a key

logger

Written down in a diary – Common pick pocket?

Naavi14


15/70

Most Dangerous

A virus may execute a “Man in the Browser”attack using an authenticated session to placean unauthorized transaction. –

Customer thinks that he is making a genuinetransaction and therefore completes all authenticationrequirements himself

– But the transaction executed is different from the onecontemplated.

– Bank will swear that the transaction was done only bythe customer See here

Naavi15


16/70

Emerging Threats

Trojans which use “Man in the Browser”

technique

–

Zeus and SpyEye Variants – Modify content after they are entered in the

browser and before it reaches the Bank’s server

– Display modified content on the browser which

may not be in sync with the server information

– Can fool both the customer and the bank

Naavi16


17/70

What can go wrong?

At the Organization..

Naavi17


18/70

Naavi18


19/70

Naavi19


20/70

Naavi20


21/70

List of Trojans.. A gift to visitors to thewebsite of a Bank..

Website compromised on 29th August 2007 – Email-Worm.Win32.Agent.l

Rootkit.Win32.Agent.dwRootkit.Win32.Agent.eyTrojan-Downloader.Win32.Agent.cnhTrojan-Downloader.Win32.Small.ddyTrojan-Proxy.Win32.Agent.nuTrojan-Proxy.Win32.Wopla.agTrojan.Win32.Agent.awzTrojan-Proxy.Win32.Xorpix.FamTrojan-Downloader.Win32.Agent.ceoTrojan-Downloader.Win32.Tibs.mtTrojan-Downloader.Win32.Agent.boyTrojan-Proxy.Win32.Wopla.ah

Trojan-Proxy.Win32.Wopla.agRootkit.Win32.Agent.eaTrojan.PandexTrojan-Proxy.Win32.Cimuz.GTSPY_AGENT.AAVG (Trend Micro)Trojan.Netview Website closed from 30th August to 4th September 2007

Naavi21


22/70

ATM/Credit Card Cloning

Naavi22


23/70

E Banking dispute resolution system

Three Modes

– If the cause of action is

Violation of an RBI Guidelines

– Banking Ombudsman

A deficiency of Service

– Consumer Forum

An offence /contravention of ITA 2000/8

– Adjudication process as per ITA 2000/8

Naavi Cyber Law College23


24/70

Banking Ombudsman Scheme

Effective from January 1 2006

– Banking ombudsman scheme 2005

Amended in May 24, 2007 and Feb 3, 2009 Is essentially a mediation process



25/70

Essence of Banking Ombudsman (BO)Scheme

Powers and Jurisdiction – Territorial: BOs have been set up in 15 different regional

offices of RBI

– BO s shall receive and consider complaints

relating to deficiencies in banking or other services filed on the grounds mentioned in clause 8 and

– facilitate their satisfaction or settlement by agreement or throughconciliation and mediation between the bank concerned and theaggrieved parties or by passing an Award in accordance with theScheme.

– Maximum compensation Rs 10 lakhs (actual loss) – In Credit card related complaints additional compensation of

Rs 1 lakh is payable for harassment, mental anguish etc.



26/70

Grounds of Complaint (Clause 8)

(a) non-payment or inordinate delay in the paymentor collection of cheques, drafts, bills etc.;

(b) non-acceptance, without sufficient cause, of

small denomination notes tendered for any purpose,and for charging of commission in respect thereof;

(c) non-acceptance, without sufficient cause, of coinstendered and for charging of commission in respect

thereof; (d) non-payment or delay in payment of inward

remittances ;



27/70


(e) failure to issue or delay in issue of drafts, pay ordersor bankers' cheques;

(f) non-adherence to prescribed working hours ;

(g) failure to provide or delay in providing a banking

facility (other than loans and advances) promised inwriting by a bank or its direct selling agents;

(h) delays, non-credit of proceeds to parties' accounts,non-payment of deposit or non-observance of theReserve Bank directives, if any, applicable to rate ofinterest on deposits in any savings, current or otheraccount maintained with a bank ;



28/70


(i) complaints from Non-Resident Indians having accounts in India inrelation to their remittances from abroad, deposits and other bankrelated matters;

(j) refusal to open deposit accounts without any valid reason for

refusal; (k) levying of charges without adequate prior notice to the customer;

(l) non-adherence by the bank or its subsidiaries to the instructions ofReserve Bank on ATM/Debit card operations or credit card operations;

(m) non-disbursement or delay in disbursement of pension (to the

extent the grievance can be attributed to the action on the part of thebank concerned, but not with regard to its employees);



29/70


(n) refusal to accept or delay in acceptingpayment towards taxes, as required by ReserveBank/Government;

(o) refusal to issue or delay in issuing, or failureto service or delay in servicing or redemption ofGovernment securities;

(p) forced closure of deposit accounts without

due notice or without sufficient reason; (q) refusal to close or delay in closing the

accounts;



30/70


(r) non-adherence to the fair practices code asadopted by the bank;

(s)non-adherence to the provisionsof the Code of Bank's Commitments to

Customers issued by Banking Codes and StandardsBoard of India and as adopted by the bank ;

(t) non-observance of Reserve Bank guidelines onengagement of recovery agents by banks; and

(u) any other matter relating to the violation of thedirectives issued by the Reserve Bank in relation tobanking or other services.



31/70

Procedure for Filing Complaint

Complaint may be filed by the customer or

his authorized representative (Other than an

advocate)

A complaint made through electronic means

shall also be accepted by the Banking

Ombudsman and a print out of such

complaint shall be taken on the record of the

Banking Ombudsman



32/70

Pre-requisites..

No reply from the Bank for one month or is

not satisfied with the reply given to him by

the bank

Complaint within 13 months after date of

representation to the Bank



33/70

Grounds of Rejection

a) not on the grounds of complaint referred to in clause 8 or otherwise not in accordance with sub clause (3) of clause 9(Ed: notice to Bank); or

(b) beyond the pecuniary jurisdiction of Banking Ombudsmanprescribed under clause 12 (5) and 12 (6) or

(c) requiring consideration of elaborate documentary and oralevidence and the proceedings before the Banking Ombudsmanare not appropriate for adjudication of such complaint; or

(d) without any sufficient cause; or

(e) that it is not pursued by the complainant with reasonablediligence; or

(f) in the opinion of the Banking Ombudsman there is no loss or damage or inconvenience caused to the complainant



34/70

1PPEAL BEFORE THEAPPELLATE AUTHORITY:

Any person aggrieved by an Award under

clause 12 or rejection of a complaint for the

reasons referred to in sub clauses (d) to (f)

of clause 13,may within 30 days of the date

of receipt of communication of Award or

rejection of complaint, prefer an appeal

before the Appellate Authority;

Naavi34


35/70

Under ITA 2000/8


Adjudication Process


36/70

What is Adjudication

Adjudication is the system suggested by ITA 2000

to provide speedy disposal of civil disputes arising

out of contravention of ITA 2000

– Under Sec 46 of ITA 2000

Adjudication is the first step for claiming damages for

contraventions of ITA 2008.

Appeal from Adjudicator lies with Cyber AppellateTribunal (CAT)

Appeal from CAT lies with the High Court



37/70

Notification of 25th March 2003-MIT,GOI

The Secretary of Department ofInformation Technology of each of the States or of Union Territories is hereby appo

inted as Adjudicating Officer for thepurposes of the Information Technology Act,2000.

– shall provide the infrastructure and – maintain the records of the matters handled by

AO functioning in the States/Union Territories



38/70

Powers under Sec 46

(1)For the purpose of adjudging – under this Chapter

– whether any person has committed a contravention of anyof the provisions of this Act or of any rule, regulation,

direction or order made thereunder which renders him liableto pay penalty or compensation,

– the Central Government shall, subject to the provisions ofsub-section(3), appoint any officer not below the rank of a

Director to the Government of India or an equivalent officerof a State Government to be an adjudicating officer forholding an inquiry in the manner prescribed by the CentralGovernment.



39/70

Sec 46-contd

(1A) The adjudicating officer appointed

under sub-section (1) shall exercise

jurisdiction to adjudicate matters in which the

claim for injury or damage does not exceed

rupees five crore

Provided that the jurisdiction in respect of

claim for injury or damage exceeding rupees

five crore shall vest with the competent court



40/70

Sec 46..contd

(2)The adjudicating officer shall, after giving the person referredto in sub-section (1) a reasonable opportunity for makingrepresentation in the matter and if, on such inquiry, he issatisfied that the person has committed the contravention, hemay impose such penalty as he thinks fit in accordance with the

provisions of that section. (3) No person shall be appointed as an adjudicating officer

unless he possesses such experience in the field of InformationTechnology and Legal or Judicial experience as may beprescribed by the Central Government.

(4)Where more than one adjudicating officers are appointed,the Central Government shall specify by order the matters andplaces with respect to which such officers shall exercise their jurisdiction.



41/70

Sec 46..contd

(5) Every adjudicating officer shall have the powers of a civilcourt which are conferred on the Cyber Appellate Tribunalunder sub-section (2) of section 58, and -(a) all proceedings before it shall be deemed to be judicial

proceedings within the meaning of sections 193 and 228 of theIndian Penal Code;

(b)shall be deemed to be a civil court for the purposes ofsections 345 and 346 of the Code of Criminal Procedure,1973.

(c)shall be deemed to be a Civil Court for purposes of order XXIof the Civil Procedure Code, 1908



42/70

Sec 47: Factors to be taken into accountby the adjudicating officer

While adjudging the quantum of compensation underthis Chapter the adjudicating officer shall have dueregard to the following factors, namely -

(a)the amount of gain of unfair advantage, whereverquantifiable, made as a result of the default;

(b)the amount of loss caused to any person as a

result of the default; (c) the repetitive nature of the default



43/70

What are the contraventions?

Only 43 and 43 A (After ITA 2008) are

applicable

– Sec 43

8 contraventions in ITA 2000

2 more added in ITA 2008

– Sec 43A

Not maintaining reasonable security practices by a bodycorporate in posession of sensitive personal information

of an individual



44/70

What is the scope of Sec 43?

Applies where the specified action occurs

– Without the permission of the owner of the

computer

– Liability is

damages payable to the person who has suffered the

loss

Payable by the person who contravened any or the 10contraventions



45/70

Is adjudication subordinate toregistration of a criminal case?

Adjudication is a civil process

– Not dependent on the Police filing an FIR

Notification of 17/03/2003 (MIT)

– Provides suomoto powers to the adjudicator At any time or on receipt of a report of contravention from an

aggrieved person,or by a Government agency or suo-moto,

the Adjudicating Officer, may get the matter or the report

investigated from an officer in the Office of Controller or CERT-

IND or from the concerned Deputy Superintendent of Poli

ce, to ascertain more facts and whether prima facie there is a

case for adjudicating in the matter or not.



46/70

Procedure

Not bound by Civil Proceedure Code – Can be like an enquiry

– Rules to be defined by the adjudicator

– Not mandatory to get a legal counsel

– Can examine documents and witnesses

Victim not bound to give all details of the accused.. – Simple application as per draft will suffice

– Where required investigation can be ordered by theadjudicator

– Evidence that a contravention has occurred is sufficient.



47/70

61. Civil court not to have jurisdiction

No court shall have jurisdiction to entertain any suit

or proceeding in respect of any matter which an

adjudicating officer appointed under this Act or the

Cyber Appellate Tribunal constituted under this Actis empowered by or under this Act to determine and

no injunction shall be granted by any court or other

authority in respect of any action taken or to be

taken in pursuance of any power conferred by orunder this Act.



48/70

Scope

Jurisdiction for Chapter IX in the State in

which posted

Location of Computer s defined in subsection

2 of Section 75



49/70

Application

Complaint in plain paper as per proforma

Together with fees prescribed



50/70

Manner of Holding Enquiry

AO to issue a notice together with all the

documents

– To the necessary parties

– Fixing date and time

– Indicating the time and place of contravention, the

person against whom the contravention was

committed etc



51/70

Time Limit

As far as possible, every application shall be

heard and decided in four months and the

whole matter in six months



52/70

Cases for Reference

S.Umashankar Vs ICICI Bank

– Adjudicator of Tamil Nadu

Gujarat Petrosynthese Ltd Vs Axis Bank

– Adjudicator of Karnataka



53/70

Cyber Evidence



54/70

Law of Digital Evidence in India

Derived from the amendments made to Indian

Evidence Act

– Consequent to the passing of Information Technology Act

2000

Effective from October 17, 2000

– Gave legal recognition to Electronic documents

– Defined “Digital Signature” as a means of authentication of an

electronic document

– Imposed certain presumptory value to digitally signed electronicdocuments

– Defined “Admissibility of Evidence” under Indian Evidence Act



55/70

What Constitutes Evidence?

Indian Evidence Act (Sec 3) amended to include

Electronic documents

– Evidence means and Includes Electronic Records produced

for inspection of the court

Electronic Record" means data, record or data generated,

image or sound stored, received or sent in an electronic form

or micro film or computer generated micro fiche

– (microfiche=small sheet of microfilm on which many pages of

material have been photographed. Equipment is available thataccepts a data stream from a and exposes film to produce

images as if the stream had been sent to a line printer and the

listing had been microfilmed. )



56/70

Admissibility of Electronic Records

65B (IEA). (1) Notwithstanding anything containedin this Act, any information contained in anelectronic record which is printed on a paper,stored, recorded or copied in optical or magnetic

media produced by a computer (hereinafterreferred to as the computer output) – shall be deemed to be also a document, if the conditions

mentioned in this section are satisfied in relation to theinformation and computer in question and

– shall be admissible in any proceedings, without furtherproof or production of the original as evidence of anycontents of the original or of any fact ' stated thereinof which direct evidence would be admissible.



57/70

Admissibility of Evidence..2

(2) The conditions referred to in sub-section (1) inrespect of a computer output shall be the following,

namely

– (a) the computer output containing the information was

produced by the computer during the period over which the

computer was used regularly to store or process

information for the purposes of any activities regularlycarried on over that period by the person having lawful

control over the use of the computer;



58/70


(b) during the said period, information of the

kind contained in the electronic reform or of

the kind from which the information so

contained is derived was regularly fed intothe computer in the ordinary course of the

said activities;



59/70


60/70


(d) the information contained in the electronic

record reproduces or is derived from such

information fed into the computer in the

ordinary course of the said activities.



61/70


(3) Where over any period, the function of storing orprocessing information for the purposes of anyactivities regularly carried on over that period asmentioned in clause (a) of sub-section (2) wasregularly performed by computers, whether – (a) by a combination of computers operating over that period;

or (b) by different computers operating in succession over thatperiod; or (c) by different combinations of computers operating insuccession over that period; or (d) in any other manner involving the successive operationover that period, in whatever order, of one or morecomputers and one or more combinations of computers,



62/70


all the computers used for that purposeduring that period shall be treated for the

purposes of this section as constituting a

single computer; and references in thissection to a computer shall be construed

accordingly.



63/70

Certification of Documents

(4)In any proceedings where it is desired togive a statement in evidence by virtue of this

section, a certificate doing any of the

following things, that is to say -(a) identifying the electronic record

containing the statement and describing the

manner in which it was produced;



64/70

Certification of Documents..2

(b) giving such particulars of any deviceinvolved in the production of that electronic

record as may be appropriate for the purpose

of showing that the electronic record wasproduced by a computer;

(c) dealing with any of the matters to which

the conditions mentioned in sub-section (2)relate,



65/70


and purporting to be signed by a personoccupying a responsible official position in

relation to the operation of the relevant

device or the management of the relevantactivities (whichever is appropriate)

shall be evidence of any matter stated in the

certificate;



66/70


and for the purposes of this sub-section itshall be sufficient for a matter to be stated to

the best of the knowledge and belief of the

person stating it.



67/70


According to amendment made to Section67,(IEA) – Except in the case of a secure digital signature, if the

digital signature of any subscriber is alleged to have

been affixed to an electronic record the fact that suchdigital signature is the digital signature ofthe subscriber must be proved Secured digital signature is defined by a notification in

October 2004 as a digital signature where the

cryptographic key/smart card is used to securely store anduse the private key


www.ceac.in


68/70



69/70

For Further Reference

www.naavi.org – Copy of Internet Banking guidelines

– Copy of GGWG guidelines

– Copy of judgments in respect of Umashankar and

Gujarat Petro synthese Ltd

Etc

– Also visit E Safe Banking page on Face Book



70/70

Thank You..Questions?

Contact – www.naavi.org

– www.cyberlawcollege.com

– www.ceac.in

E-Mail: [email protected]

Naavi70

E Banking - Cyber Frauds in India

Documents

Transcript of E Banking - Cyber Frauds in India