Friday 3 May 2013

                 RTGS - Online Fraud - Part 2

 


Introduction:

In the previous Blog RTGS – Online Fraud (http://cybercrimevigilance.blogspot.in/) we came across the news of siphoning of ` 1 Crore through RTGS by cyber thieves from the account of a cosmetics company and its aftermath.

Now we are informed by various media that the main kingpin was also arrested from Delhi/UP along with others involved in the huge theft. Refer the below links for detailed news.

http://articles.timesofindia.indiatimes.com/2013-03-12/mumbai/37650548_1_bank-e-fraud-bank-account-current-account


Till this time, the Police had done a stupendous job by arresting all those involved by following an arduous virtual & physical trail – A job well done.

Challenges Faced:

Now the real challenge is of giving justice to the victim and taking appropriate action against the wrongdoer.

Let us imagine what kind of process, the law enforcement officers might have to follow in a cyber-crime case and this will throw light on the work involved to get justice in these cases.

  1. Locating the offenders physically through various means. May take months and years on case to case basis.
  2. Then getting the correct information from the arrested person to proceed further in the case is the next big step.
  3. In the process, if the offender resides in other states of India then formalities are involved in taking the help of local police of that state. If the offender resides in another country that too if in enemy country then it will become very painful for the police.
  4. Taking the offender/criminal in to police custody and then to jail.
  5. Confiscating the devices used in the crime i.e. Computer, Mobile phone, SIM card, Printer  etc. Let us call it "Device" for our simplicity.
  6. Proper method to be followed for confiscation of Device.
  7. If proper method is not followed then the evidence will get erased/distorted and the case will stand weak in the court.
  8. Once, properly confiscated, the physical safety of the Device becomes necessary. It also needs to be protected from magnetic fields etc. and to be preserved in a special case.
  9. Then the Device needs to be sent to Government Forensics Laboratory to collect electronic evidence. These need to be examined by the “Examiner of Electronic Evidence”.
  10. This case will also come under Information Technology Act apart from other sections of IPC and Cr. Pr. Code.
  11. Drafting case papers against the offenders/criminals is a big task and requires experience and craftsmanship to include every minute detail and highlight the right point.
  12. Then the court hearing will follow leading to long drawn battle.
  13. In the meantime the wrongdoer may apply for bail and may sometimes go scot-free if timely action is not taken or electronic evidence is not maintained till the court proceedings.
  14. The offender/criminal may also contest in the court of law with regard to authenticity of the electronic evidence provided by the police. Then again it will take time to prove otherwise.
Victim’s Fate:

In the above process, the victim from whose account/s the money is stolen makes numerous visits to Police stations and advocates and also suffers from mental agony apart from financial loss.

Various Legal Sections:

Now in this case, the Police have booked accused under IPC sections 34 (common intention), 419 (impersonation ) and 420 (cheating), and under IT Act 66 (C) (identity theft) and 66 (D) (impersonation by using computer resource). (Source: TOI news http://articles.timesofindia.indiatimes.com/2013-02-03/mumbai/36720927_1_account-holders-current-account-mulund)

No further news on this case:

There is no further news about this case and we the general public are still in dark about the progress on the case. This way common man will not have much faith in the judicial system or the Government if offences/crimes like this goes unsolved/unpunished.

Repeat offender/criminal:

There might be at least one seasoned criminal in such technical cases as it requires management of manpower, money and technical knowledge and connections with other criminals.

In the case in question, the accused had got the know-how from Nigerians, sent Trojan mails to 5,000 people and kept a watch on his potential victim/s online activities. Further, the kingpin befriended 4 close aides from Tihar Jail and Mumbai in 2007 & 2008 during his arrest and also wanted by Economic Offences Wing of New Delhi. In 2011 he came out of Jail and again started his fraudulent activity. (Refer link for details: http://articles.timesofindia.indiatimes.com/2013-03-12/mumbai/37650548_1_bank-e-fraud-bank-account-current-account)

Need for Swift Action and/or Stricter Detterence:

Now the question is whether the law provides stricter deterrence/punishment to the repeat offender/s or not. Even when the accused was in jail, his mind was still not filled with remorse of wrong doing instead befriended other criminals/offenders/accused in jail to carry out another crime when released from jail and he did it again. This indicates the liniency in our law or implementation of the law which does not deter the criminals from repeating the offence.

Need Government’s Will:

Will Govt. of India review the IT Act, or other related acts and come out with a stricter rules/deterrence or rehabilitation plan for such criminals to combat cyber-crimes?

If swift action is not taken against such offenders/criminals, then they may graduate to become cyber-terrorist and act against the interest of our Nation.

Posted by at 5 comments:
Labels: , , , , , , , , , , , ,

Monday 4 February 2013

Cyber crime involving RTGS



RTGS - Online Fraud


Recently we came across a cyber fraud in the later part of December 2012 where the money was robbed from the account of a Co-operative Bank in a Nationalised Bank using RTGS. 

(http://articles.timesofindia.indiatimes.com/2012-12-27/mumbai/36021011_1_real-time-gross-settlement-rtgs-bank-customers?goback=%2Egmr_4770864%2Egde_4770864_member_205601627)

After this there is no news on the above subject. Further investigation and its outcome are not known. The Bank’s names were also withheld.

Again on 2nd February 2013 one more fraud involving RTGS came to surface and in both the cases the amount touches crore rupees. 

(http://articles.timesofindia.indiatimes.com/2013-02-02/mumbai/36702648_1_bank-account-bank-spokesperson-transactions)

Some of the questions that haunt me day in and day out are:
  1. Are we heading in the right direction?
  2. Whether, really the regulators/banks have given a very deep level of thought to the safety and security of money deposited with the banks by its customers?
  3. Whether there is a well defined policy in the Banking industry/RBI, protecting the interest of the customers? Response time etc.
  4. Whether the Banks have sensitized their call center executives/grievance redressal staffs about quick action to be taken in case of a complaint about fraudulent transaction?
  5. Whether the common man should opt out of Online banking in the absence of adequate safety and security in the banking system?

What is Real Time Gross Settlement (RTGS)?

It is the fastest way of transferring money from one bank to another on a real time in the Banking system. This payment is final and can not be revoked.

As per the vision document on payment and settlement systems vision document 2009-2012 of RBI “Safety, security, soundness and efficiency of the payment systems assume critical importance from the angle of systemic stability”

RTGS is considered as one of the safest and fastest mode of money transfer considering its various checks / control systems.

RTGS Remittance:

This can be done in two ways
  1. Giving a physical request for transfer of money.
  2. By online banking.


The following information is required to remit money through RTGS:
  1. Amount to be transferred.
  2. Account no. to be debited.
  3. Name of the beneficiary bank.
  4. Name of the beneficiary customer.
  5. Account no. of the beneficiary customer.
  6. IFSC code of the receiving branch.


Useful information to Criminals for RTGS fraud:
  1. Your bank account no.
  2. Your specimen signature. (if he uses the RTGS form for transfer of money)
  3. Your username and password of online banking. (if he uses online banking for transfer of money)
  4. Mobile no. registered with the bank. (Criminal had not deactivated the SIM card of the victim in this case.)

Mulund Case:

When it happened? The victim was in his office and he received SMS alert of RTGS transaction taking place and within a span of 45 minutes 1 Crore was stolen from his account.

Poor initial response: In his complaint the victim said when he “contacted the bank to freeze further transactions from my account, it asked that he first submit a police FIR"

Golden Hour: In such a horrifying situation whether the person should contact the Bank and stop further loss or he should go to the police station physically and lodge a formal complaint giving more time to the cyber criminals to clean his account.

No clear policies: This is where the Banks lack clear policies. The call centre staffs should be sensitised and any complaint of fraud should be attended by senior officials who can take decisions instantly to avoid further damage.

Investigation: Let us start this conversation with a Pat on Mumbai Police who have discovered the trail within a short time by arresting 11 persons and in the process teaches us a lesson on the basics of Banking.

The stolen money was transferred in 12 different account.

The 1st person called Periera was arrested whose account had only ` 600/- for the past 6 months and suddenly a credit of ` 30 Lacs appeared.

Bank’s alert monitoring system should detect such transactions i.e. unusually large credit and prompt action needs to be taken.

Another man involved when visited a cooperative bank to withdraw the stolen money slipped away before the police arrived on suspicion.

The Bank should train their staff in handling a fraudulent person in such a situation.

Rs. 39.50 Lacs was withdrawn from 4 different accounts. As per Police officers the said 4 accounts were opened with fake documents.

Banks has to increase their CASA to avail cheap funds and in the process violate KYC norms prescribed by RBI. This is the very basic step in Banking and also the main loophole in Banking Fraud.

Investigators have found that bank accounts were opened using fake documents and identities viz.. PAN card, voter’s identity card, electricity and telephone bill and stayed in rented premises.

Just like the Background verification is done before disbursing loan even for opening bank account Background verification needs to be introduced by the Banking industry to avoid such happenings.

The accused had used cyber café in commiting the fraud.

Strict regulations need to be enforced for cyber cafes.

A new rule of keeping the soft copy of photograph of the person using cyber café In addition to verifying ID proof needs to be introduced. This may help police in their investigation and deter cyber criminals.

One more pat for the Police – While searching for another culprit at Malad the Police found that he left the residence 2 years ago still the police team verified the room in which he stayed 2 years ago and found a wedding invitation of him containing true identity and another address. This led to his arrest.

While doing any investigation do not build a mental block like “this is not possible” Had the Mumbai police left without searching the room his arrest would have been next to impossible.

This person had procured 2 PAN cards in different names and used the same as KYC document to open bank accounts.



Caution: Till the time this is solved, please protect your username, password, account no. and specimen signature.

NEWS LINK:
http://www.business-standard.com/india/news/rbi-to-quiz-yes-bank-tomorrow-over-cyber-fraud/500864/
http://www.dnaindia.com/mumbai/report_vasai-resident-held-for-rs1-crore-fraud_1795604
http://rbidocs.rbi.org.in/rdocs/RTGS/PDFs/FAQs%20on%20RTGS.pdf

http://articles.economictimes.indiatimes.com/2008-09-19/news/28460027_1_bank-accounts-corporation-bank-real-time-gross-settlement Sep 19, 2008


http://articles.economictimes.indiatimes.com/2012-11-12/news/35067104_1_fund-transfer-rtgs-real-time-gross-settlement  Nov 12, 2012

http://articles.economictimes.indiatimes.com/2013-01-14/news/36331675_1_national-electronic-funds-transfer-real-time-gross-settlement-rtgs-transactions  Jan 14, 2013

http://timesofindia.indiatimes.com/city/mumbai/Cops-crack-Rs-1crore-bank-fraud/articleshow/18313968.cms  Feb 3, 2013

http://www.indianexpress.com/news/efraud-rs-46-lakh-transferred-to-12-accounts/1068624/0  Feb 03 2013

http://timesofindia.indiatimes.com/city/mumbai/Bank-fraud-Man-dodges-police-trap/articleshow/18342884.cms Feb 5, 2013

http://timesofindia.indiatimes.com/city/mumbai/Rs-1-crore-stolen-using-mobile-in-Meerut/articleshow/18358299.cms  Feb 6, 2013

http://timesofindia.indiatimes.com/city/mumbai/Scanner-on-25-year-old-in-Rs-1cr-scam/articleshow/18376703.cms Feb 7, 2013

http://articles.timesofindia.indiatimes.com/2013-02-07/mumbai/36971074_1_cyber-cafe-cyber-police-sim-cards  Feb 7, 2013

http://timesofindia.indiatimes.com/city/mumbai/Wedding-invite-leads-to-second-arrest-in-1crore-e-banking-fraud/articleshow/18393385.cms  Feb 8, 2013

http://www.dnaindia.com/mumbai/report_two-sisters-aide-arrested-for-rs1cr-online-fraud_1797592  Feb 8, 2013

http://timesofindia.indiatimes.com/city/mumbai/Wedding-invite-leads-to-second-arrest-in-1crore-e-banking-fraud/articleshow/18393385.cms  Feb 8, 2013

http://timesofindia.indiatimes.com/city/mumbai/Refused-help-card-fraud-victim-plays-cyber-cop/articleshow/18392989.cms  Feb 8, 2013 NON RTGS

http://timesofindia.indiatimes.com/city/mumbai/Man-who-gave-SIM-to-hacker-in-Rs-1cr-e-fraud-6-others-held/articleshow/18410548.cms Feb 9, 2013

http://www.dnaindia.com/mumbai/report_call-centre-employee-held-in-rs1-crore-e-fraud-case_1797991  Feb 9, 2013

http://economictimes.indiatimes.com/news/news-by-industry/banking/finance/banking/rs-1-cr-e-fraud-fake-pan-cards-used-to-open-several-bank-accounts/articleshow/18425411.cms  10 Feb, 2013

http://timesofindia.indiatimes.com/city/mumbai/11-in-custody-police-expect-more-arrests-in-e-fraud-case/articleshow/18456477.cms Feb 12, 2013

Posted by at 14 comments:
Labels:
Location: Mumbai, Maharashtra, India

Monday 28 January 2013

SIM SWAP FRAUD

What is SIM SWAP Fraud?

 While executing Net banking & Mobile Banking, in addition to username and password, One Time Password (OTP) is also required.

 OTP is received in the mobile no. and email id registered with the Bank.

The fraudster gets the username, password, and mobile no. in some fraudulent manner and places request to replace the SIM and executes the unauthorized Banking transaction after getting the new SIM card.

Modus Operandi:
The fraudster needs to get OTP and prevent the SMS alert from the Bank to your registered mobile to carry out his fraudulent online transactions.

 The steps the fraudster may follow:

  1. Fraudster requests your Mobile service provider for replacement of SIM card citing reasons like loss of SIM or Mobile Handset etc with fraudulent documents.
  2. The Mobile service provider deactivates the SIM and issues a new SIM; the delivery of which is taken by the fraudster on some pretext.
  3. Fraudster uses your username, password and OTP received in the new SIM.
  4. Executes the transaction/s get the SMS alert from Bank in the new SIM.
  5. All this while, the real SIM holder is not aware of the transactions happening in his bank account.
  6. During this time of cyber robbery, the SIM of real owner gets deactivated or the Mobile will not get signal or simply mobile will not work. Consider this as red flag.

SIM SWAP Fraud News – A Must Read

  1. http://www.hindustantimes.com/India-news/Mumbai/Man-s-SIM-changed-account-hacked/Article1-970770.aspx#.UPfJKPE1r_E.facebook
  2. http://simswapcybercrimefraud.blogspot.in/2013/01/sim-swap-cyber-fraud-by-airtel-official.html
  3. http://www.indianexpress.com/news/gang-hacks-engineer-s-bank-account-diverts-calls-to-keep-him-in-dark/1059403/0
  4. https://www.facebook.com/SimSwapCyberCrimeFraud?fref=ts
  5. http://www.deccanherald.com/content/307014/a-sim-can-empty-your.html
  6. http://ibnlive.in.com/news/cyber-fraud-two-more-held/251301-60-122.html
  7. http://www.computerworld.com/s/article/9225143/Cybercriminals_bypass_e_banking_protections_with_fraudulent_SIM_cards
  8. http://cybercrimecomplaints.com/content/fraud-done-my-hdfc-salary-account-using-netbanking
  9. http://www.consumercourt.in/net-banking/46750-fraudulent-transactions-through-internet-banking-transfers-icici-bank-c.html
  10. http://www.indianexpress.com/news/sim-card-fraud-probe-sought-against-service-provider/638660


 Safeguard: Some safeguard technique is given below which is not exhaustive.

  1. Keep handy (hard coy), Customer care no., Bank account no. etc. of your Bank and Mobile service provider so that you do not spend precious time searching the contact details during emergency.
  2. Keep a separate SIM for Internet Banking/Mobile Banking.
  3. Do not share this Mobile no. with anyone. Use it exclusively for Internet/Mobile Banking.
  4. Do not register this Mobile no. online with any website including social networking sites.
  5. If you find your mobile inactive for some time, contact your Bank immediately instead of Mobile service provider.
  6. Never switch off your mobile if it is used for Internet Banking/Mobile Banking.
  7. Never respond to unknown (phishing) emails.
  8. Change your banking passwords very frequently. (weekly)


 SIM Card Deactivation Process:

 The 3 major Mobile service providers in India states that as soon as they receive the request for replacement of SIM due to loss of Handset & SIM card the mobile service is immediately deactivated temporarily to prevent unauthorised transactions/calls and require verification of original identity documents while issuing new SIM card. 

 The link is given below for ready reference.
Idea Cellular: http://www.ideacellular.com/wps/wcm/connect/aboutus/idea/punjab/activate_and_deactivate/prepaid_plans/activation?&Connection=Prepaid&circleID=PUN
Vodafone: http://www.vodafone.in/support/pages/phones_help.aspx
Airtel: http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/know+more/faqs/

In spite of the above policies for deactivation, in a case the SIM was deactivated just on the phone request.

The Mobile service provider should adhere to the defined policy very strictly to help in combating SIM SWAP FRAUD.

 Quick action in case of SIM SWAP Fraud:

  1. Contact your Bank immediately and block your Net Banking, Mobile Banking, Debit card, Credit card etc.
  2. Then contact your Mobile service provider to block your SIM.
  3. Contact your nearest police station immediately with all the details and Cyber cell of your jurisdiction.

Mumbai police has conducted cyber safety month in January 2013 and issued a guidelines on cyber safety which will be useful to all of us. 

 The link is given for ready reference.
http://www.mumbaipolice.org/cyber%20month/do's%20&%20don'ts%20of%20cyber%20safety.pdf

Conclusion: Till the time a solution is found to prevent this fraud, the customer should be very cautious and take all the necessary steps and be alert all the times.

 Disclaimer: 

  1. This is just a discussion for academic purpose and does not constitute professional advice/service. 
  2. Various links related to news are given for ready reference only.
  3. Please seek professional advice for a particular situation.
     

You Are Visitor No.






View Venkatesh Rao's profile on LinkedIn


Posted by at 6 comments:
Location: Mumbai, Maharashtra, India
Subscribe to: Posts (Atom)