
Cyber Frauds in Banking

The document discusses cyber frauds in the banking sector. It provides an introduction to the rise of technology in banking and corresponding increase in cybercrimes. It then defines e-banking and discusses different types of cyber crimes faced by banks, such as hacking, phishing, vishing, and ATM/POS skimming. The document recommends strengthening legislation and security measures to prevent cyber attacks and mitigate losses to the economy.

Uploaded by

Anwesha Ghosh

NATIONAL UNIVERSITY OF STUDY AND RESEARCH IN LAW

RANCHI

BANKING & INSURANCE

RESEARCH TOPIC: CYBER FRAUDS IN BANKING

SUBMITTED BY: ANWESHA GHOSH
LL.M., 1st Semester
Roll No. LM 33

SUBMITTED TO: DR. RAJESH KUMAR

Introduction:

Until the mid-1990s, the banking sector in most parts of the world was simple and reliable;
however, with the advent of technology, the sector saw a paradigm shift. In order to enhance
their customer base, banks introduced many platforms through which transactions could be
done without much effort. These technologies enabled customers to access their bank
finances 24x7 and all year round through ATMs and online banking procedures.

However, with the enhancement in technology, banking frauds have likewise increased.
Cybercriminals are using different means to steal one's bank information and ultimately their
money as well.

It is, therefore, the collective consensus of banks and regulators to make policies and adopt
measures in order to protect banking platforms from cyber threats. A number of technical
defence and control measures, such as increased real-time supervision of transactions, have
been undertaken by the banks; however, even today the problem persists. The reason is that
the defence measures currently available to banks are often reactive, time consuming and
available in the public domain, where they can be accessed even by the cybercriminal, who in
turn adopts measures to counter these defences. Attackers devote their time to developing
new means of cybercrime while simultaneously working on ways to breach these defence
measures.

One of the ways to mitigate the problem of cybercrime in the banking sector is to identify the
factors related to banks that are generally targets of such cyber-attacks, and why some banks
have never faced such a situation. Banks which are generally targets of cybercrime suffer
from various malware attacks in the form of online phishing, keystroke-logging malware,
identity theft, etc.

Concept of E-Banking:

Electronic banking, or e-banking, refers to a system where banking activities are carried out
using information and computer technology rather than human resources. In comparison to
traditional banking services, in e-banking there is no physical interaction between the bank
and the customers. E-banking is the delivery of a bank's information and services to
customers via different delivery platforms that can be used with different terminal devices,
such as a personal computer or a mobile phone with a browser or desktop software, a
telephone or a digital television.1

The first initiative in the area of bank computerization stemmed from two successive
Committees on Computerization (Rangarajan Committee).2 The first committee was set up in
1984 and drew the blueprint for mechanization and computerization in the banking
industry. The second committee was set up in 1989 and paved the way for the integrated use
of telecommunications and computers so that technological breakthroughs could be fully
applied to banking operations. The focus shifted from the use of Advanced Ledger Posting
Machines (ALPMs) for limited computerization to full computerization at branches and to
integration of the branches.3 Till 1989, banks in India had 4776 ALPMs at the branch level,
over 2000 programmers/systems personnel and over 12000 Data Entry Terminal Operators.4

The RBI constituted a Working Group on Internet Banking. Based on the notion of access to
banking products and services, the group divided internet banking into three systems.5

(a) Informational System: This system requires banks to provide information about interest
rates, loan schemes, branch locations, etc. to the customers. The customer can download
various types of application forms as required. Customers are not required to
reveal their identity, and there is no realistic chance of any unauthorized person getting into
the production system of the bank.6

(b) Communicative System: This system provides information to the customer about his
account balance, transaction details, etc. Customers can seek the information after
authenticating and logging in with their passwords.7

1 Daniel, E. (1999), Provision of electronic banking in the UK and the Republic of Ireland, International Journal of Bank Marketing, Vol. 17, No. 2, pp. 72-82.
2 Committees on Computerization, available at: https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=162 (Last Visited: Nov. 30, 2017, 01:20 PM).
3 Dr. B R Sharma and Dr. R P Nainta, Banking Law & Negotiable Instruments Act, 4th Edn, Allahabad Law Agency, p 183.
4 Talwar S P, (1999), National Seminar on Computer Related Crime, Inaugural address by Shri S P Talwar, Deputy Governor, Reserve Bank of India, February 24, 1999.
5 Reserve Bank of India, Report on Internet Banking, available at: https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=243#ch2 (Last Visited: Dec 1 2017, 10:25 AM).
6 Ibid.
7 Ibid.
(c) Transactional System: In this system a bank allows its customers to undertake transactions
through its system, and they are directly uploaded to the customer's account. A bi-directional
transaction takes place between the bank and the customer and between the
customer and the third party. This system is secured through security mechanisms like HTTP
and HTTPS. E-banking is also known as Cyber Banking, Home Banking and Virtual Banking.
E-banking includes Internet Banking, Mobile Banking, RTGS, ATMs, Credit Cards, Debit
Cards, Smart Cards, etc.8

Cyber Crime in Banking Sector:

Cyber crime can be simply stated as crimes that involve the use of a computer and a network
as a medium, source, instrument, target, or place of a crime.9 With the growth of
e-commerce and e-transactions, economic crime has drifted towards the digital world.
Cyber crimes are increasing globally, and India too has been witnessing a sharp increase in
cyber-crime-related cases in recent years.

In 2016, a study by Juniper Research estimated that the global costs of cybercrime could be
as high as 2.1 trillion by 2019.10 However, such estimates are only indicative, and the actual
cost of cybercrime, including unreported damages, is beyond estimation.

Cyber crimes can be broadly classified into categories such as Cyber Terrorism,
Cyber-bullying, Computer Vandalism, Software Piracy, Identity Theft, Online Thefts and Frauds,
Email Spam and Phishing, and many more.

However, from the aspect of financial cyber crimes committed electronically, the following
categories are predominant:

• Hacking: It is a technique to gain illegal access to a computer or network in order to
steal, corrupt, or illegitimately view data.
• Phishing: It is a technique to obtain confidential information such as usernames,
passwords, and debit/credit card details by impersonating a trustworthy entity in an
electronic communication and replaying the same details for malicious reasons.

8 Dheenadhayalan V., Automation of Banking sector in India, Yojana, February, (2010) p.32.
9 Kharouni, L. (2012). Automating Online Banking Fraud Automatic Transfer System: The Latest Cybercrime Toolkit Feature (Rep.).
10 Liu, J., Hebenton, B., & Jou, S. (n.d.). Handbook of Asian Criminology.
• Vishing: It is the criminal practice of using social engineering over the telephone system
to gain access to private personal and financial information from the public for the
purpose of financial reward.11
• E-mail Spoofing: It is a technique of hiding an e-mail's actual origin by forging the e-mail
header so that it appears to originate from a legitimate source instead of the actual
originating source.
• Spamming: Unwanted and unsolicited e-mails, usually sent in bulk in an attempt to force
the message on people who would not otherwise choose to receive it, are referred to as
spam e-mails.
• Denial of Service: This attack is characterized by an explicit attempt by attackers to
prevent legitimate users of a service from using that service by "flooding" a network to
block legitimate network traffic, disrupting connections between two machines to prohibit
access to a service, or preventing a particular individual from accessing a service.12
• Advanced Persistent Threat: It is characterised as a set of complex, hidden and ongoing
computer hacking processes, often targeting a specific entity, that break into a network
while avoiding detection in order to gather sensitive information over a significant period
of time. The attacker usually uses some type of social engineering to gain access to the
targeted network through legitimate means.
• ATM Skimming and Point of Sale Crimes: It is a technique of compromising the ATM
machine or POS system by installing a skimming device atop the machine keypad to
appear as a genuine keypad, or a device made to be affixed to the card reader to look like a
part of the machine. Additionally, malware that steals credit card data directly can also be
installed on these devices. Successfully installed skimmers cause the ATM
machine to collect card numbers and personal identification number (PIN) codes that are
later replicated to carry out fraudulent transactions.

Recommendations to Prevent Cyber Crime:

The banking sector is the backbone of our economy. The increasing number of cyber-crime
cases has resulted in huge losses to our economy. Cyber-attacks should be prevented by
ensuring suitable legislation which is implemented effectively. Both the banks and the
customer should be made aware of the risks involved and of safeguard measures. There needs
to be cooperation between the various stakeholders to counter cyber-crime. The Indian
Government established an Inter Departmental Information Security Task Force (ISTF) with
the National Security Council as the nodal agency for the coordination of all matters relating
to effective implementation of its cyber security strategy. The Indian Computer Emergency
Response Team (CERT-In) is the national nodal agency which responds to
computer security incidents whenever they occur. A few of the activities undertaken by
CERT-In in implementing cyber security include coordination of responses to security
incidents and other major events; issuance of advisories and time-bound advice regarding
imminent threats; product vulnerability analysis; conducting trainings on specialized topics
of cyber security; and evolution of security guidelines on major technology platforms.13

11 Threats to the Financial Services sector (Rep.). (2014). PricewaterhouseCoopers.
12 Net Losses: Estimating the Global Cost of Cybercrime (Rep.). (2014). Intel Security.

One of the main issues related to cyber-crime is jurisdiction. Cyber-crime can be
committed in any part of the globe and have its impact in any corner. Every citizen should be
able to identify and report cybercrimes from anywhere, regardless of the country they reside
in. The existing system in India for reporting cyber-related offences involves
registering complaints with local police stations or cybercrime cells. Many Indian states
have set up cybercrime cells, which monitor such crimes. In several instances, the
victims of cybercrime may not be able to report it for reasons such as
staying in a remote location, unawareness of where to report, and privacy-related
issues. This tends to result in many cybercrime cases going unreported, since there is no
centralized online cybercrime reporting mechanism. Also, for law enforcement agencies at
the national, state and local levels, there is no centralized referral
mechanism for complaints relating to cybercrime.14 The IT Act should be amended accordingly
to define cybercrime and also to specify the cases where the Act will have extra-territorial
jurisdiction. The scope of the IT Act needs to be broadened to include the legal framework
relating to cyber laws in India. The responsibility of the intermediaries is vague and must be
made clearer and more explicit.

Cyber Fraud Council in Banks:

Whenever a cyber-fraud is committed, the victim should report it to the Cyber Fraud Council,
which must be set up in each and every bank to review, monitor, investigate and report on
cyber-crime. In case such a Council does not perform or refuses to perform its duty, a
provision to file an FIR must be made. The matter brought before such a Council can be
of any value. However, when the value is high, the Council shall act expeditiously. RBI,
in its 2011 Report, stated that when bank frauds are of less than one crore, it may not be
necessary to call for the attention of the Special Committee Board.15

13 Strategic national measures to combat cyber-crime: Perspective and learnings for India, available at: http://www.ey.com/Publication/vwLUAssets/ey-strategic-national-measures-to-combat-cybercrime/$FILE/ey-strategic-national-measures-to-combat-cybercrime.pdf (Last Visited: Dec 1 2017, 10:32 AM).
14 Ibid.

Education to Customer:

The customer should be educated and made aware of the various bank frauds and informed of
safety measures so that they do not fall prey to cyber-crime. If customers are alert and
report cyber-crime at the initial stage, instances of cyber-crime can be reduced. A customer
should be made aware of the 'Dos and Don'ts' of e-banking. This can be done by publishing
them on the bank's website, publishing in newspapers, through advertisements, by sending
SMS alerts, through poster education, etc. In case a bank introduces any new policy, or there
are any changes which are required to be followed by all banks as per RBI, the bank must
inform the customer through mail or by telephone.16 The awareness material should be
updated in a timely manner, keeping in mind changes in the legislation and guidelines of RBI.17

Training of Bank Employees:

Training and orientation programs must be conducted for employees by the banks. The
employees must be made aware of fraud prevention measures. This can be done through
newsletters or magazines in which senior functionaries throw light on fraud-related aspects
of banking, putting up 'Dos and Don'ts' in the employees' workplace, safety tips
flashed on screen at the time of logging into the Core Banking Solution software, and holding
discussions on the factors causing cybercrime and the actions required in handling
them. Rewarding employees who go beyond the call of duty to prevent cyber frauds will
also enhance dedication to work.

15 Reserve Bank of India, Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, (21 Jan 2011).
16 Ibid.
17 Ibid.
Strong Encryption-Decryption Methods:

E-banking activities must be conducted over Secure Sockets Layer (SSL). It provides an
encrypted link for data between a web server and an internet browser. The link makes sure
that the data remains confidential and secure. India follows an asymmetric crypto system,
which requires two keys, public and private, for encryption and decryption of data.18 For an
SSL connection, an SSL Certificate is required, which is granted by the appropriate authority
under the IT Act, 2000. To ensure secure transactions, RBI suggested Public Key
Infrastructure in payment systems such as RTGS, NEFT and the Cheque Truncation System.
According to RBI, it would ensure a secure, safe and sound system of payment.19 Wireless
security solutions should also be incorporated. To deal with Denial of Service attacks, banks
should install and configure network security devices.

Physical and Personnel Security:

Banks must implement proper physical and ecosystem controls, having regard to threats and
based on the institution's unique geographical location, neighbouring entities, etc. Also,
when a new employee is hired, there should be a process of verification of the
applicant. The level of verification may vary depending upon the position and job profile.20
In ATMs there must always be a security guard who has received proper training under the
force. This is because there are many incidents in which ATMs are looted, so physical
security at ATMs is necessary.

Cooperation among nations to avert cyber crime:

Cyberspace, being transnational in nature, requires States to cooperate and work together
to avert cyber-crime. Although a few treaties and implementation measures exist, a
holistic approach defining legal and technical measures and organizational capabilities is
yet to take central importance for India in its goal to contribute to the global fight against
cybercrime. The IT Act, 2000, having extra-territorial application, poses a problem in the
investigation, prosecution and extradition of foreign nationals. India should actively engage
as part of the international cybercrime community centered on Asia, Europe and America to
seek help and also contribute to international cybercrime issues.21

18 Section 3(2), Information Technology Act, 2000 provides that authentication of electronic records shall be effected by the use of asymmetric crypto system and hash function which envelop and transform the initial electronic record into another electronic record.
19 RBI for two stage verification for online banking transactions, Economic Times, Mumbai, April 22, 2014.
20 RBI Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2012.

Conclusion:

Indian customers are gradually preferring online services because of the convenience,
cost-saving and swiftness of online transactions. In addition, financial institutions are
offering attractive deals to customers with a view to increasing the volume of cashless
transactions, owing to their comparatively lower operational costs.

However, it can be concluded that the cyber security measures put in place by financial
institutions to curtail the curse of cybercrime are being outpaced by the dynamic
technological landscape and the improved expertise of the intruders.

Amidst the continuous upliftment of the technology implemented at the backend of the
financial institution, some essential aspects were overlooked that now demand huge attention.

Cybercrime comprises its own set of unique attractive features that have gradually started
outweighing the traditional crimes. The extent of anonymity, global victim reach and swift
results are amongst the few that cybercriminals find most attractive.

Non-existent or inadequate awareness campaigns further simplify the work of the cyber
criminals. Unaware consumers are easily deceived due to lack of insight into the latest attack
methodologies and identified preventive measures.

21 Ibid.
