CYBER LAW

PROJECT ON

CYBER CRIME IN BANKING

SECTOR

SUBMITTED BY:
M.SWARNA GEETHAM
H13103
IV-BA BL (HONS)-B SEC
SOEL

DOS:
1
SYNOPSIS:
 INTRODUCTION
 CYBER CRIME IN INDIA
 REASONS FOR CYBER CRIME
 BANKING SECTOR
 CONCEPT OF E-BANKING
 CYBER CRIME IN BANKING SECTOR
 CASE STUDY
 RECOMMENDATION TO PREVENT CYBER
CRIME
 CONCLUSION
 BIBLOGRAPHY

2
INTRODUCTION:
The usage of internet services in India is growing rapidly. It has given rise to new
opportunities in every field we can think of- be it entertainment, business, sports or
education. There are some pros and cons of some new types of technology which are been
involved or discovered. Computers today are being misused for illegal activities like e-mail
espionage, credit card fraud, spam’s and software piracy and so on, which invade our privacy
and offend our senses. Criminal activities in the cyberspace are on the rise. Our economy is
one of the pillars which defines about the progress and growth of a nation. Banking sector is
considered as the backbone of the economy. For our day-to-day transactions we enter into
monetary transactions in the form of cash payments, cheques or demand drafts. However, this
trend has paved the way to a modern system of payment in the form of swiping of debit cards
or credit cards. On the recommendation of the Committee on Financial System (Narasimham
Committee) 1991-1998, information and technology in banking sector was used. On one
hand, technology has created advantage for banks and financial institutions but on the other
hand, there have been risks involved in it also. Technology risks not only have a direct impact
on a bank as operational risks but can also exacerbate other risks like credit risks and market
risks. Banking sector has witnessed expansion of its services and strives to provide better
customer facility through technology but cyber-crime remains an issue. Information which is
available online is highly susceptible to be attacked by cyber criminals. Cyber-crimes result
in huge monetary losses which are incurred not only by the customer but by the banks also
which affects economy of a nation. Non-monetary cyber-crime occurs when viruses are
created and distributed on other computers or confidential business information is posted on
Internet. The most common of it is phishing and pharming.

CYBER CRIME IN INDIA:

As India become the fourth highest number of internet user in the world, cyber crimes in
India has also increased 50% in 2016 over the previous years. According to the information
technology (IT) Act, the majority of offenders were under 30 years of age.
Around 46% of cyber crimes were related to incidents of cyber pornography,
followed by hacking. According to recent published ‘crime in 2016 report’, published by the
national crime record bureau (NCRB), in over 60% of these cases, offenders were between 18
and 30. These cyber crimes are punishable under two categories; the IT Act 2000 and the
Indian penal code (IPC). In order to tackle with cyber crime, Delhi police have trained 100 of
its officers in handling cyber crime and placed them in its economic offences wing.

3
REASONS FOR CYBER CRIME:

Hart in his work, “the concept of law” has said ‘human beings are vulnerable so rule
of law is required to protect them’. Applying this to the cyberspace we may say that
computers are vulnerable so rule of law is required to protect and safeguard them against
cyber crime. The followings are some reasons,

1. Capacity to store data in comparatively small space

2. Easy to access
3. Complex
4. Negligence
5. Loss of evidence

BANKING SECTOR:

The banking industry was once a simple and reliable business that took deposits from
investors at a lower interest rate and loaned it out to borrowers at a higher rate.

However deregulation and technology led to a revolution in the banking industry that saw
it transformed. Banks have become global industrial powerhouses that have created ever
more complex products that use risk. Through technology development, banking services
have become available 24 hours a day, 265 days a week, through ATMs, at online banking ,
and in electronically enabled exchanges where everything from stocks to currency futures
contracts can be traded.

The banking industry at its core provides access to credit. In the lenders case, this
includes access to their own savings and investments, and interest payments on those
amounts. In the case of borrowers, it includes access to loans for the creditworthy, at a
competitive interest rate. Banking services includes transactional services, such as
verification of account details, account balance details and the transfer of funds, as well as
advisory services that help individuals and institutions to property plan and manage their
finances. Online banking channels have become a key in the last 10 years.

Currently, India has 88 scheduled commercial banks – 27 public sector banks, 31 private
banks and 38 foreign banks.

4
CONCEPT OF E-BANKING:

Electronic Banking or e-banking refers to a system where banking activities are

carried out using informational and computer technology over human resource. In
comparison to traditional banking services, in e-banking there is no physical interaction
between the bank and the customers. E-banking is the delivery of bank’s information and
services by banks to customers via different delivery platforms that can be used with different
terminal devices such as personal computer and a mobile phone with browser or desktop
software, telephone or digital television. The first initiative in the area of bank
computerization was stemmed out of two successive Committees on Computerization
(Rangarajan Committee). The first committee was set up in 1984 which drew the blueprint
for the mechanization and computerization in banking industry. The second Committee was
set up in 1989 which paved the way for integrated use of telecommunications and computers
for applying fully the technological breakthroughs to the banking operations. The focus
shifted from the use of Advanced Ledger Posting Machines (ALPMs) for limited
computerization to full computerization at branches and to integration of the branches. Till
1989, banks in India had 4776 ALPMs at the branch level, over 2000 programmers/ systems
personnel and over 12000 Data Entry Terminal Operators. The RBI constituted a Working
Group on internet Banking. Based on the notion of access to the banking products and
services, the group divided internet banking into three systems.

(a) Informational System

This system requires banks to provide information about interest rates, loan
schemes, branch locations etc. to the customers. The customer can download various
types of application as per the requirements. Also customers are not required to reveal
their identity and there is no realistic chance of any unauthorized person getting into
the production system of the bank.

(b) Communicative System

This system provides information to the customer about his account balance,
transaction details etc. The customers can seek the information after authentication
and logging in through the passwords.
(c) Transactional System
In this system a bank allows its customers to undertake transactions through its
system and they are directly uploaded to the customer’s account. There is bi-
directional transaction that takes place between the bank and the customer and

5
 between the customer and the third party. This system is secured through security
mechanisms like http and https. E-banking is also known as Cyber Banking, Home
Banking and Virtual Banking. E-banking includes Internet Banking, Mobile Banking,
RTGS, ATMs, Credit Cards, Debit Cards, Smart Cards etc.
CYBER CRIME IN BANKING SECTOR:
(1) Hacking
Hacking is a crime, which means an unauthorized access made by a person to cracking
the systems or an attempt to bypass the security mechanisms, by hacking the banking sites or
accounts of the customers. The Hacking is not defined in the amended IT Act, 2000. But
under Section 43(a) read with section 66 of Information Technology (Amendment) Act, 2008
and under Section 379 & 406 of Indian Penal Code, 1860, a hacker can be punished. Before
the 2008 Amendment Act, Hacking was punishable under Section 66 of the IT Act with upto
three years of imprisonment or fine which may extend upto two lakh rupees, or both. If such
crime is proved then for such hacking offence the accused is punished under IT Act, for
imprisonment, which may extend to three years or with fine, which may be extended to five
lakh rupees or both. Hacking offence is considered as a cognizable offence, it is also a
bailable offence.
(2) Credit Card Fraud
There are many online credit card fraud are made when a customer use their credit card
or debit card for any online payment, a person who had a mala fide intention use such cards
detail and password by hacking and make misuse of it for online purchase for which the
customers card used or hacked is suffered for such kind of attract or action of a fraud made
by and evil. The hacker can misuse the credit card by impersonating the credit card owner
when electronic transactions are not secured.
(3) Phishing or Identity Theft
Phishing is a scam where Internet fraudsters request personal information from users
online. These requests are most commonly in the form of an email from an organization with
which one may or may not do business. In many cases, the email has been made to look
exactly like a legitimate organization’s email would appear complete with company logos
and other convincing information. The email usually states that the company needs to update
personal information or that the account is about to become inactive, all in an effort to gather
user to click the link to a site that only looks like the real thing. Phishing is only one of the
numerous frauds on the Internet, attempting to trick individuals into separating with their

6
cash. Phishing alludes to the receipt of spontaneous messages by customers of financial
institutions, asking for them to enter their username, password or other individual data to
access their account for some reason. Customers are directed to give a response to a mail and
also directed to click on the link mentioned in the mail when they click on the given link for
entering their information which were asked in the mail received by the fraudulent
institutions of banking website, by such kind of activities customers thus they remain
unaware that the fraud has happened with them. The fraudster then has admittance to the
client's online financial balance available in the bank account and to the funds contained in
that account by making the misuse of the detail received from the customer fraudulently. In
the case of Umashankar Sivasubramanian v. ICICI Bank, the petitioner used to receive
monthly bank account statement under the email ID of the bank, one day received a mail
asking for his personal details, which he provided, after which his account was debited with
Rs. 5 lakhs. Upon complaint, the bank said that it was a phishing mail against which he
approached the adjudicating officer. In this case, the bank was held liable according to
Section 43 and Section 85 of the IT Act, 2000, as it failed to establish due diligence and
providing adequate checks and safeguards to prevent unauthorized access into the customer’s
account. The bank was directed to pay Rs. 12.5 lakhs.
In National Association of Software and Services Companies v. Ajay Sood, a
reasoned order approving a settlement agreement between the plaintiff and the defendants in
a case which dealt with the issue of ‘phishing’, wherein a decree of ` 16 lakhs was passed in
favour of the plaintiffs. The plaintiff contended that the defendants were masquerading as
NASSCOM, and were sending emails, in order to obtain personal data from various
addresses, which they could then use for head-hunting, and they went on the website as if
they were a premiere selection and recruitment firm. The suit was filed praying for a decree
of permanent injunction restraining the defendants or any person acting under their authority
from circulating fraudulent e-mails purportedly originating from the plaintiff of using the
trademark 'NASSCOM' or any other mark confusingly similar in relation to goods or
services. A compromise application was filed before the court and the court while approving
the settlement agreement observed that “in US an Act is proposed which, if passed, will add
two crimes to the current federal law; It would criminalize the act of sending a phishing email
regardless of whether any recipients of the email suffered any actual damages. It would
criminalize the act of creating a phishing website regardless of whether any visitors to the
website suffered any actual damages.” The Hon’ble Judge further observed that “I find no
legislation in India on 'phishing'. An act which amounts to phishing, under the Indian law

7
would be a misrepresentation made in the course of trade leading to confusion as to the
source and origin of the e-mail causing immense harm not only to the consumer but even the
person whose name, identity or password is misused. It would also be an act of passing off as
is affecting or tarnishing the image of the plaintiff, if an action is brought by the aggrieved
party. Whether law should develop on the lines suggested by Robert Louis B Stevenson in his
article noted above is left by this Court for future development in an appropriate case.”
(4) Keystroke Logging or Keylogging
Key logging is a method by which fraudsters record actual keystrokes and mouse
clicks. Key loggers are “Trojan” software programs that target computer’s operating system
and are “installed” via a virus. These can be particularly dangerous because the fraudster
captures user ID and password, account number, and anything else that has been typed.
(5) Viruses
A virus is a program that infects an executable file and after infecting it causes the file
to function in an unusual way. It propagates itself by attaching to executable files like
application programs and operating system. Running the executable file may make new
copies of the virus. On the other hand there are programs, that can copy themselves, called
worms which do not alter or delete any file, but only multiply itself and send the copy to
other computers from the victim’s computer.
(6) Spyware
Spyware is the number one way that online banking credentials are stolen and used for
fraudulent activities. Spyware works by capturing information either on the computer, or
while it is transmitted between the computer and websites. Often times, it is installed through
fake “pop up” ads asking to download software. Industry standard Antivirus products detect
and remove software of this type, usually by blocking the download and installation before it
can infect the computer.
(7) Watering hole
“Watering hole” cyber fraud is considered to be a branch arising from phishing attacks.
In watering hole a malicious code is injected onto public web pages of a website which is
visited only by a small group of people. In a watering hole attack situation, when the victim
visit the site injected with malicious code by attackers the information of such victim is then
traced by the attacker. In phishing attack, victim himself gives away information innocently
whereas in watering hole the attacker waits for the victim to visit the site. There can be an
increase in watering hole incidents when there is more misuse and exploitation of zero-day
vulnerabilities in various software programs like Adobe Flash Player or Google Chrome.

8
Cyber criminals in watering hole use the kits available in black market to infect, inject and
configure a website which may be new or updated to lure people to provide them details. The
site which is to be used for an attack is usually hacked by the attackers’ months before the
actual attack. They use professional methods to perform such act. Therefore it becomes
difficult for cyber-crime cells to locate such infected website. Watering hole is thus a method
of surgical attack where the hackers aim to hit only certain specific group of people in the
internet and in comparison to phishing it is less ear-splitting.
(8) Credit Card Redirection and Pharming
Pharming is linked with the words, ‘farming’ & ‘phishing’. In Pharming a bank’s
URL is hijacked by the attackers in such a manner that when a customer log in to the bank
website they are redirected to another website which is fake but looks like an original website
of the bank. Pharming is done over Internet and Skimming is another method which occurs in
ATMs.
(9) DNS Cache Poisoning: DNS servers are deployed in an organization’s network to
improve resolution response performance by caching previously obtained query results.
Poisoning attacks against a DNS server are made by exploiting vulnerability in DNS
software. That causes the server to incorrectly validate DNS responses that ensure that
they’re from an authoritative source. The server will end up caching incorrect entries locally,
and serve them to other users that make the same request. Victims of a banking website could
be redirected to a server managed by criminals who could use it to serve malware, or to
induce bank customers to provide their credentials to a copy of a legitimate website. If an
attacker spoofs an IP address; DNS entries for a bank website on a given DNS server,
replacing them with the IP address of a server they control, makes an attacker able to hijack
customers.
(10)Malware based-attacks
Malware based-attacks are one of the most among hazardous cyber threats related to
electronic banking services. In such attacks a malicious code is designed. Now-a-days the
number of malware attacks in banking sector has been increasing. Some of the infamous
banking malware are Carbep, Tinba, Spyeye, Zeus and KINS. Zeus is the oldest out of these
malware. It was detected in July 2007 when the information was lost and stolen from United
States Department of Transportation. There are other malwares which have been identified in
previous years to commit bank fraud on a large scale. It has been noticed that almost every
virus has two features, one, that they secure a backdoor entry into the system and they steal
credential information of a user.

9
CASE STUDY:
INDIA’S FIRST ATM CARD FRAUD
The Chennai city police have busted an international gang involved in cyber crime, with
the arrest of Deepak prem manwani (22), who was caught red-handed while breaking into an
ATM in the city in June last, it is reliably learnt. The dimensions of the city cops’
achievement can be ganged from the fact that they have netted a man who is on the wanted
list of the formidable FBI of the US. At the time of his detention, he has with him Rs 7.5 lakh
knocked off from two ATMs in T Nagar and Abiramipuram in the city. Prior to that, he has
walked away with Rs 50,000 from an ATM in Mumbai.
While investigating Manwani’s case, the police stumble upon a cyber crime involving
scores of persons across the globe.
Manwani is an MBA drop-out from a pune college and served as a marketing executive
in a Chennai-based firm for some time.
Interestingly, his audacious crime career started in an internet café. While browsing the
net one day, he got attracted to a sire which offered him assistance in breaking into the
ATMs. His contacts, sitting somewhere in Europe, were ready to give him credit card number
of a few American banks for $5 per code. This site also offered the magnetic codes of those
cards, but charged $200 per code. The operator of the site has devised a fascinating idea to
get the personal identification number (PIN) of the card users. They floated a new site which
resembled that of a reputed telecom companies.
That company has millions of subscribers. The fake site offered the visitors to return
$11.75 per head which, the site promoters said, has been collected in excess by mistake from
them. Believing that it was a genuine offer the telecom company in question, several lakh
subscribers logged on to the site to get back that little money, but in the process parted with
their PINs.
Armed with all requisite data to hack the bank ATMs, the gang started its systematic
looting. Apparently, manwani and many others of his ilk entered into a deal with the gang
behind the site and could purchase any amount of data, of course on certain terms, or simply
enter into a deal on a booty-sharing basis.
Meanwhile, manwani also managed to generate 30 plastic cards that contained
necessary data to enable him to break into ATMs.

10
 He was so enterprising that he was able to sell away a few such cards to his contacts in
Mumbai. The police are on the lookout for those persons too.
On receipt of large-scale complaints from the billed credit card users and bank in the
US, the FEI started an investigation into the affair and also alerted the CBI in New Delhi that
the international gang has developed some links in India too.
Manwani has since been enlarged on bail after interrogation by the CBI. But the city
police believe that this is the beginning of the end of a major cyber crime.

RECOMMENDATION TO PREVENT CYBER CRIME:

1. Cyber Fraud Council In Banks
Whenever a cyber-fraud is committed the victim should report to the Cyber Fraud
Council that must be set up by in each and every bank to review, monitor investigate and
report about cyber-crime. In case, such Council does not take perform or refuses to perform
its duty then a provision to file an FIR must be made. The matter to be brought before such
council can be of any value. However, when the value is high then the Council shall act
expeditiously. RBI in its 2011 Report stated that when bank frauds are of less than one Crore
then it may not be necessary to call for the attention of the Special Committee Board
2. Education to Customer
The customer should be educated and made aware about various bank frauds and
measures should be informed to them for safety mechanisms so that they do not fall prey as
victims of cyber-crime. If a customer is conscious and report the matter of cyber-crime then
in the initial stage also instances of cyber-crimes can be reduced. A customer should be made
aware about the Dos and Don’ts’ of E-banking. It can be done through publishing it on the
bank’s website, publishing in the newspaper, through advertisements, by sending SMS alerts,
through poster education etc. In case a bank introduce any new policy or there are any
changes which are required to be followed by all banks as per RBI then, bank must inform
the customer through mails or by informing the customer through telephone. The awareness
material should be timely updated keeping in mind the changes in the legislation and
guidelines of RBI
3. Training of Bank Employees
Training and Orientation programs must be conducted for the employees by the
banks. The employees must be made aware about fraud prevention measures. It can be done
through newsletters or magazines throwing light on frauds related aspects of banks by senior
functionaries, putting up ‘Dos and Don’ts’ in the workplace of the employees, safety tips
being flashed on screen at the time of logging into Core Banking solution software, holding

11
discussions on factors causing cybercrime and actions required to be undertaken in handling
them. Employees who go beyond their call of duty to prevent cyber frauds if rewarded will
also enhance the work dedication
4. Strong Encryption-Decryption Methods
E-banking activities must be dealt using Secure Sockets Layer (SSL). It provides
encryption link of data between a web server and an internet browser. The link makes sure
that the data remains confidential and secure. As per India, we follow asymmetric crypto
system which requires two keys, public and private, for encryption and decryption of data.For
SSL connection a SSL Certificate is required which is granted by the appropriate authority
under IT Act, 2000. To ensure security transactions RBI suggested for Public Key
Infrastructure in Payment Systems such as RTGS, NEFT, Cheque Truncation System.
According to RBI it would ensure a secure, safe and sound system of payment. Wireless
security solutions should also be incorporated. In cases of Denial of Service Attacks, banks
should install and configure network security devices

CONCLUSION:
The study has provided an overview to the concept of E-banking by discussing deeply
various cyber-crimes, identified specifically in the banking sector. The Banking system is the
lifeblood and backbone of the economy. Information Technology has become the backbone
of the banking system. It provides a tremendous support to the ever increasing challenges and
banking requirements. Presently, banks cannot think of introducing financial product without
the presence of Information Technology. However Information Technology has an adverse
impact too on our banking sector where crimes like, phishing, hacking, forgery, cheating etc.
are committed. There is a necessity to prevent cyber-crime by ensuring authentication,
identification and verification techniques when a person enters into any kind of banking
transaction in electronic medium. The growth in cyber-crime and complexity of its
investigation procedure requires appropriate measures to be adopted. It is imperative to
increase the cooperation between the stakeholders to tackle cyber-crime. According to
National Crime Records Bureau it was found that there has been a huge increase in the
number of cyber-crimes in India in past three years. Electronic crime is a serious problem. In
cases of cyber-crime, there is not only financial loss to the banks but the faith of the customer
upon banks is also undermined. Indian banking sector cannot avoid banking activities carried
out through electronic medium as the study suggest that there has been an increase in the
number of payments in e-banking. However, the change in the banking industry must be such

12
which suits the Indian market. Lastly, it can be concluded that to eliminate and eradicate
cybercrime from the cyber space is not a seemingly possible task but it is possible to have a
regular check on banking activities and transactions. The only propitious step is to create
awareness among people about their rights and duties and to further making the
implementation of the laws more firm and stringent to check crime

BIBLIOGRAPHY:
Website:
 www.cybercellmumbai.com
 www.britannica.com
Books:
 Cyber law and IT –S.R. Myneni
 Law mantra- international monthly journal

13