Friday, 3 May 2013

                 RTGS - Online Fraud - Part 2

 


Introduction:

In the previous Blog RTGS – Online Fraud (http://cybercrimevigilance.blogspot.in/) we came across the news of siphoning of ` 1 Crore through RTGS by cyber thieves from the account of a cosmetics company and its aftermath.

Now we are informed by various media that the main kingpin was also arrested from Delhi/UP along with others involved in the huge theft. Refer the below links for detailed news.

http://articles.timesofindia.indiatimes.com/2013-03-12/mumbai/37650548_1_bank-e-fraud-bank-account-current-account


Till this time, the Police had done a stupendous job by arresting all those involved by following an arduous virtual & physical trail – A job well done.

Challenges Faced:

Now the real challenge is of giving justice to the victim and taking appropriate action against the wrongdoer.

Let us imagine what kind of process, the law enforcement officers might have to follow in a cyber-crime case and this will throw light on the work involved to get justice in these cases.

  1. Locating the offenders physically through various means. May take months and years on case to case basis.
  2. Then getting the correct information from the arrested person to proceed further in the case is the next big step.
  3. In the process, if the offender resides in other states of India then formalities are involved in taking the help of local police of that state. If the offender resides in another country that too if in enemy country then it will become very painful for the police.
  4. Taking the offender/criminal in to police custody and then to jail.
  5. Confiscating the devices used in the crime i.e. Computer, Mobile phone, SIM card, Printer  etc. Let us call it "Device" for our simplicity.
  6. Proper method to be followed for confiscation of Device.
  7. If proper method is not followed then the evidence will get erased/distorted and the case will stand weak in the court.
  8. Once, properly confiscated, the physical safety of the Device becomes necessary. It also needs to be protected from magnetic fields etc. and to be preserved in a special case.
  9. Then the Device needs to be sent to Government Forensics Laboratory to collect electronic evidence. These need to be examined by the “Examiner of Electronic Evidence”.
  10. This case will also come under Information Technology Act apart from other sections of IPC and Cr. Pr. Code.
  11. Drafting case papers against the offenders/criminals is a big task and requires experience and craftsmanship to include every minute detail and highlight the right point.
  12. Then the court hearing will follow leading to long drawn battle.
  13. In the meantime the wrongdoer may apply for bail and may sometimes go scot-free if timely action is not taken or electronic evidence is not maintained till the court proceedings.
  14. The offender/criminal may also contest in the court of law with regard to authenticity of the electronic evidence provided by the police. Then again it will take time to prove otherwise.
Victim’s Fate:

In the above process, the victim from whose account/s the money is stolen makes numerous visits to Police stations and advocates and also suffers from mental agony apart from financial loss.

Various Legal Sections:

Now in this case, the Police have booked accused under IPC sections 34 (common intention), 419 (impersonation ) and 420 (cheating), and under IT Act 66 (C) (identity theft) and 66 (D) (impersonation by using computer resource). (Source: TOI news http://articles.timesofindia.indiatimes.com/2013-02-03/mumbai/36720927_1_account-holders-current-account-mulund)

No further news on this case:

There is no further news about this case and we the general public are still in dark about the progress on the case. This way common man will not have much faith in the judicial system or the Government if offences/crimes like this goes unsolved/unpunished.

Repeat offender/criminal:

There might be at least one seasoned criminal in such technical cases as it requires management of manpower, money and technical knowledge and connections with other criminals.

In the case in question, the accused had got the know-how from Nigerians, sent Trojan mails to 5,000 people and kept a watch on his potential victim/s online activities. Further, the kingpin befriended 4 close aides from Tihar Jail and Mumbai in 2007 & 2008 during his arrest and also wanted by Economic Offences Wing of New Delhi. In 2011 he came out of Jail and again started his fraudulent activity. (Refer link for details: http://articles.timesofindia.indiatimes.com/2013-03-12/mumbai/37650548_1_bank-e-fraud-bank-account-current-account)

Need for Swift Action and/or Stricter Detterence:

Now the question is whether the law provides stricter deterrence/punishment to the repeat offender/s or not. Even when the accused was in jail, his mind was still not filled with remorse of wrong doing instead befriended other criminals/offenders/accused in jail to carry out another crime when released from jail and he did it again. This indicates the liniency in our law or implementation of the law which does not deter the criminals from repeating the offence.

Need Government’s Will:

Will Govt. of India review the IT Act, or other related acts and come out with a stricter rules/deterrence or rehabilitation plan for such criminals to combat cyber-crimes?

If swift action is not taken against such offenders/criminals, then they may graduate to become cyber-terrorist and act against the interest of our Nation.

Monday, 4 February 2013

Cyber crime involving RTGS



RTGS - Online Fraud


Recently we came across a cyber fraud in the later part of December 2012 where the money was robbed from the account of a Co-operative Bank in a Nationalised Bank using RTGS. 


After this there is no news on the above subject. Further investigation and its outcome are not known. The Bank’s names were also withheld.

Again on 2nd February 2013 one more fraud involving RTGS came to surface and in both the cases the amount touches crore rupees. 


Some of the questions that haunt me day in and day out are:
  1. Are we heading in the right direction?
  2. Whether, really the regulators/banks have given a very deep level of thought to the safety and security of money deposited with the banks by its customers?
  3. Whether there is a well defined policy in the Banking industry/RBI, protecting the interest of the customers? Response time etc.
  4. Whether the Banks have sensitized their call center executives/grievance redressal staffs about quick action to be taken in case of a complaint about fraudulent transaction?
  5. Whether the common man should opt out of Online banking in the absence of adequate safety and security in the banking system?

What is Real Time Gross Settlement (RTGS)?

It is the fastest way of transferring money from one bank to another on a real time in the Banking system. This payment is final and can not be revoked.

As per the vision document on payment and settlement systems vision document 2009-2012 of RBI “Safety, security, soundness and efficiency of the payment systems assume critical importance from the angle of systemic stability”

RTGS is considered as one of the safest and fastest mode of money transfer considering its various checks / control systems.

RTGS Remittance:

This can be done in two ways
  1. Giving a physical request for transfer of money.
  2. By online banking.


The following information is required to remit money through RTGS:
  1. Amount to be transferred.
  2. Account no. to be debited.
  3. Name of the beneficiary bank.
  4. Name of the beneficiary customer.
  5. Account no. of the beneficiary customer.
  6. IFSC code of the receiving branch.


Useful information to Criminals for RTGS fraud:
  1. Your bank account no.
  2. Your specimen signature. (if he uses the RTGS form for transfer of money)
  3. Your username and password of online banking. (if he uses online banking for transfer of money)
  4. Mobile no. registered with the bank. (Criminal had not deactivated the SIM card of the victim in this case.)

Mulund Case:

When it happened? The victim was in his office and he received SMS alert of RTGS transaction taking place and within a span of 45 minutes 1 Crore was stolen from his account.

Poor initial response: In his complaint the victim said when he “contacted the bank to freeze further transactions from my account, it asked that he first submit a police FIR"

Golden Hour: In such a horrifying situation whether the person should contact the Bank and stop further loss or he should go to the police station physically and lodge a formal complaint giving more time to the cyber criminals to clean his account.

No clear policies: This is where the Banks lack clear policies. The call centre staffs should be sensitised and any complaint of fraud should be attended by senior officials who can take decisions instantly to avoid further damage.

Investigation: Let us start this conversation with a Pat on Mumbai Police who have discovered the trail within a short time by arresting 11 persons and in the process teaches us a lesson on the basics of Banking.

The stolen money was transferred in 12 different account.

The 1st person called Periera was arrested whose account had only ` 600/- for the past 6 months and suddenly a credit of ` 30 Lacs appeared.

Bank’s alert monitoring system should detect such transactions i.e. unusually large credit and prompt action needs to be taken.

Another man involved when visited a cooperative bank to withdraw the stolen money slipped away before the police arrived on suspicion.

The Bank should train their staff in handling a fraudulent person in such a situation.

Rs. 39.50 Lacs was withdrawn from 4 different accounts. As per Police officers the said 4 accounts were opened with fake documents.

Banks has to increase their CASA to avail cheap funds and in the process violate KYC norms prescribed by RBI. This is the very basic step in Banking and also the main loophole in Banking Fraud.

Investigators have found that bank accounts were opened using fake documents and identities viz.. PAN card, voter’s identity card, electricity and telephone bill and stayed in rented premises.

Just like the Background verification is done before disbursing loan even for opening bank account Background verification needs to be introduced by the Banking industry to avoid such happenings.

The accused had used cyber café in commiting the fraud.

Strict regulations need to be enforced for cyber cafes.

A new rule of keeping the soft copy of photograph of the person using cyber café In addition to verifying ID proof needs to be introduced. This may help police in their investigation and deter cyber criminals.

One more pat for the Police – While searching for another culprit at Malad the Police found that he left the residence 2 years ago still the police team verified the room in which he stayed 2 years ago and found a wedding invitation of him containing true identity and another address. This led to his arrest.

While doing any investigation do not build a mental block like “this is not possible” Had the Mumbai police left without searching the room his arrest would have been next to impossible.

This person had procured 2 PAN cards in different names and used the same as KYC document to open bank accounts.



Caution: Till the time this is solved, please protect your username, password, account no. and specimen signature.

NEWS LINK:
http://rbidocs.rbi.org.in/rdocs/RTGS/PDFs/FAQs%20on%20RTGS.pdf

http://articles.economictimes.indiatimes.com/2008-09-19/news/28460027_1_bank-accounts-corporation-bank-real-time-gross-settlement Sep 19, 2008


http://articles.economictimes.indiatimes.com/2012-11-12/news/35067104_1_fund-transfer-rtgs-real-time-gross-settlement  Nov 12, 2012

http://articles.economictimes.indiatimes.com/2013-01-14/news/36331675_1_national-electronic-funds-transfer-real-time-gross-settlement-rtgs-transactions  Jan 14, 2013

http://timesofindia.indiatimes.com/city/mumbai/Cops-crack-Rs-1crore-bank-fraud/articleshow/18313968.cms  Feb 3, 2013

http://www.indianexpress.com/news/efraud-rs-46-lakh-transferred-to-12-accounts/1068624/0  Feb 03 2013

http://timesofindia.indiatimes.com/city/mumbai/Bank-fraud-Man-dodges-police-trap/articleshow/18342884.cms Feb 5, 2013

http://timesofindia.indiatimes.com/city/mumbai/Rs-1-crore-stolen-using-mobile-in-Meerut/articleshow/18358299.cms  Feb 6, 2013

http://timesofindia.indiatimes.com/city/mumbai/Scanner-on-25-year-old-in-Rs-1cr-scam/articleshow/18376703.cms Feb 7, 2013

http://articles.timesofindia.indiatimes.com/2013-02-07/mumbai/36971074_1_cyber-cafe-cyber-police-sim-cards  Feb 7, 2013

http://timesofindia.indiatimes.com/city/mumbai/Wedding-invite-leads-to-second-arrest-in-1crore-e-banking-fraud/articleshow/18393385.cms  Feb 8, 2013

http://www.dnaindia.com/mumbai/report_two-sisters-aide-arrested-for-rs1cr-online-fraud_1797592  Feb 8, 2013

http://timesofindia.indiatimes.com/city/mumbai/Wedding-invite-leads-to-second-arrest-in-1crore-e-banking-fraud/articleshow/18393385.cms  Feb 8, 2013

http://timesofindia.indiatimes.com/city/mumbai/Refused-help-card-fraud-victim-plays-cyber-cop/articleshow/18392989.cms  Feb 8, 2013 NON RTGS

http://timesofindia.indiatimes.com/city/mumbai/Man-who-gave-SIM-to-hacker-in-Rs-1cr-e-fraud-6-others-held/articleshow/18410548.cms Feb 9, 2013

http://www.dnaindia.com/mumbai/report_call-centre-employee-held-in-rs1-crore-e-fraud-case_1797991  Feb 9, 2013

http://economictimes.indiatimes.com/news/news-by-industry/banking/finance/banking/rs-1-cr-e-fraud-fake-pan-cards-used-to-open-several-bank-accounts/articleshow/18425411.cms  10 Feb, 2013

http://timesofindia.indiatimes.com/city/mumbai/11-in-custody-police-expect-more-arrests-in-e-fraud-case/articleshow/18456477.cms Feb 12, 2013

Monday, 28 January 2013

SIM SWAP FRAUD

What is SIM SWAP Fraud?

While executing Net banking & Mobile Banking, in addition to username and password, One Time Password (OTP) is also required.

OTP is received in the mobile no. and email id registered with the Bank.

The fraudster gets the username, password, and mobile no. in some fraudulent manner and places request to replace the SIM and executes the unauthorized Banking transaction after getting the new SIM card.

Modus Operandi:
The fraudster needs to get OTP and prevent the SMS alert from the Bank to your registered mobile to carry out his fraudulent online transactions.

The steps the fraudster may follow:

  1. Fraudster requests your Mobile service provider for replacement of SIM card citing reasons like loss of SIM or Mobile Handset etc with fraudulent documents.
  2. The Mobile service provider deactivates the SIM and issues a new SIM; the delivery of which is taken by the fraudster on some pretext.
  3. Fraudster uses your username, password and OTP received in the new SIM.
  4. Executes the transaction/s get the SMS alert from Bank in the new SIM.
  5. All this while, the real SIM holder is not aware of the transactions happening in his bank account.
  6. During this time of cyber robbery, the SIM of real owner gets deactivated or the Mobile will not get signal or simply mobile will not work. Consider this as red flag.

SIM SWAP Fraud News – A Must Read

  1. http://www.hindustantimes.com/India-news/Mumbai/Man-s-SIM-changed-account-hacked/Article1-970770.aspx#.UPfJKPE1r_E.facebook
  2. http://simswapcybercrimefraud.blogspot.in/2013/01/sim-swap-cyber-fraud-by-airtel-official.html
  3. http://www.indianexpress.com/news/gang-hacks-engineer-s-bank-account-diverts-calls-to-keep-him-in-dark/1059403/0
  4. https://www.facebook.com/SimSwapCyberCrimeFraud?fref=ts
  5. http://www.deccanherald.com/content/307014/a-sim-can-empty-your.html
  6. http://ibnlive.in.com/news/cyber-fraud-two-more-held/251301-60-122.html
  7. http://www.computerworld.com/s/article/9225143/Cybercriminals_bypass_e_banking_protections_with_fraudulent_SIM_cards
  8. http://cybercrimecomplaints.com/content/fraud-done-my-hdfc-salary-account-using-netbanking
  9. http://www.consumercourt.in/net-banking/46750-fraudulent-transactions-through-internet-banking-transfers-icici-bank-c.html
  10. http://www.indianexpress.com/news/sim-card-fraud-probe-sought-against-service-provider/638660


Safeguard: Some safeguard technique is given below which is not exhaustive.

  1. Keep handy (hard coy), Customer care no., Bank account no. etc. of your Bank and Mobile service provider so that you do not spend precious time searching the contact details during emergency.
  2. Keep a separate SIM for Internet Banking/Mobile Banking.
  3. Do not share this Mobile no. with anyone. Use it exclusively for Internet/Mobile Banking.
  4. Do not register this Mobile no. online with any website including social networking sites.
  5. If you find your mobile inactive for some time, contact your Bank immediately instead of Mobile service provider.
  6. Never switch off your mobile if it is used for Internet Banking/Mobile Banking.
  7. Never respond to unknown (phishing) emails.
  8. Change your banking passwords very frequently. (weekly)


SIM Card Deactivation Process:

The 3 major Mobile service providers in India states that as soon as they receive the request for replacement of SIM due to loss of Handset & SIM card the mobile service is immediately deactivated temporarily to prevent unauthorised transactions/calls and require verification of original identity documents while issuing new SIM card. 

The link is given below for ready reference.
Idea Cellular: http://www.ideacellular.com/wps/wcm/connect/aboutus/idea/punjab/activate_and_deactivate/prepaid_plans/activation?&Connection=Prepaid&circleID=PUN
Vodafone: http://www.vodafone.in/support/pages/phones_help.aspx
Airtel: http://www.airtel.in/wps/wcm/connect/airtel.in/airtel.in/home/foryou/mobile/prepaid+services/know+more/faqs/

In spite of the above policies for deactivation, in a case the SIM was deactivated just on the phone request.

The Mobile service provider should adhere to the defined policy very strictly to help in combating SIM SWAP FRAUD.

Quick action in case of SIM SWAP Fraud:

  1. Contact your Bank immediately and block your Net Banking, Mobile Banking, Debit card, Credit card etc.
  2. Then contact your Mobile service provider to block your SIM.
  3. Contact your nearest police station immediately with all the details and Cyber cell of your jurisdiction.

Mumbai police has conducted cyber safety month in January 2013 and issued a guidelines on cyber safety which will be useful to all of us. 

The link is given for ready reference.
http://www.mumbaipolice.org/cyber%20month/do's%20&%20don'ts%20of%20cyber%20safety.pdf

Conclusion: Till the time a solution is found to prevent this fraud, the customer should be very cautious and take all the necessary steps and be alert all the times.

Disclaimer: 

  1. This is just a discussion for academic purpose and does not constitute professional advice/service. 
  2. Various links related to news are given for ready reference only.
  3. Please seek professional advice for a particular situation.
     

You Are Visitor No.






View Venkatesh Rao's profile on LinkedIn


Thursday, 20 December 2012

IDENTITY THEFT


Introduction:

Identity Theft
Identity Theft

This Blog is meant for common man who does not understand the nitty-gritty of the Cyber world. This Blog tries to simplify his understanding of the Cyber Crime and the Golden Steps one should take to avoid unauthorized access of Bank Account and transferring money to another account.

We often come across news of Cyber-Crime particularly siphoning of huge amounts from Bank accounts of unsuspecting account holders and also disrupting the SMS Notification sent by the Bank in case of withdrawal of money from the account.

However, after reading such news we often feel or falsely assure ourselves that “This will not happen to me”. Isn’t it is very strange behavior on our part?

The purpose of this Blog is to Inform and Empower you to take care of your money in any Bank on the Planet Earth if you use Internet Banking.


Understanding Internet Banking:
Here, the bank handovers the lock (username) and key (password) to your Bank Account to you so that you have the convenience of accessing your account any time and from anywhere on this planet provided you have an instrument (Mobile Phone/Computer) with internet connection.

One should understand that unlike physical world in virtual world, no one monitors whether the lock of your account is opened using duplicate key or key obtained through unlawful means.

In physical world, whenever we lose a key or the key is damaged very often we seek the service of a local “Key maker”. He makes a duplicate key for any kind of lock using his simple instruments, experience and skill.

If an illiterate person with simple instrument and access to the place can open a hardcore lock then accessing a Bank Account by intelligent professional thieves having the lock and key (username and password) should not be surprising.

Just like we doubly secure the physical keys of our house we should secure the virtual lock and key of our Bank account. Few simple steps will allow you to prevent theft of your hard earned money from your Bank account.

Physical crimes are being done from time immemorial and Police personnel have also gained experience and developed skills over the years to crack the toughest of the case but Cyber-Crimes are new to the World and it’s detection is Very Difficult, Time Consuming and Costly.

Even if one detects the thief with great difficulty, catching the culprit becomes next to impossible if the thief is not residing in your country. Then the law enforcement agency has to follow a number of steps/rules and still co-operation of the other country is not guaranteed.

News Around the World:
Recently you might have read the news of Kandivli resident who was robbed of `1.75 lakhs by Cyber Criminals. He was using Mobile banking as appeared in the news articles. Refer News Article for details:

http://www.hindustantimes.com/StoryPage/Print/971197.aspx
Here the thieves are so intelligent and do their job meticulously with proper planning that they change the “SIM’ of the Mobile by giving a fake request to the telecom operator so that the Account Holder do not receive the SMS notification sent by the Bank.

Few links containing similar news is given below for your information and knowledge which will help you in securing the Lock and Key of your Bank Account online.


http://www.hindustantimes.com/StoryPage/Print/970770.aspx

http://www.hindustantimes.com/StoryPage/Print/971197.aspx

http://daily.bhaskar.com/article/SCT-NEWS-sim-card-%E2%80%98deactivated-it-could-be-a-netbanking-fraud-1718131.html

http://www.telegraphindia.com/1111010/jsp/orissa/story_14603720.jsp#

http://articles.timesofindia.indiatimes.com/2012-12-06/coimbatore/35646824_1_bank-account-icici-bank-private-bank

http://www.indianexpress.com/story-print/557444/

http://articles.timesofindia.indiatimes.com/2011-03-30/computing/29361096_1_sim-card-bank-account-numbers

http://itsecurityguru.org/blogs/sim-ple-130312 (For Mobile Banking Users)



Simple Don’ts:

Take your online banking lightly. Be serious enough as you would have been in case of your House Key.

Click on unknown links in the email inbox. Before doing anything, call your Bank’s contact center and confirm the same with them.

Use unsecured network and browsers to do online financial transactions.

Disclose your PIN, Passwords, Usernames, CVV No. of your Debit card and Credit card to anyone.

Discuss your finance, money matters in public places, lifts, public transport, etc.

Share all your personal details including full Date of Birth in social networking websites, websites of suspicious nature.

Share your photographs over the internet which is freely available to the whole world. Beware your photograph can be misused by Cyber Criminals.

Simple Dos:

Search all your personal information in the internet and you will be surprised most of your details may be available freely to the whole world. (Remember your details mean your Username or Password or Tools to Obtain Password).

Secure all your personal details in the Cyber World either by putting restrictions on the accessibility or delete your details from the internet.

Change your passwords more frequently say weekly or daily.

Create difficult password which should contain alphabets, numbers, symbols like !@#$%^&*()_+= etc. The password should be long enough.

While shifting residence, intimate your Bank, Telecom Provider about the new address and obtain acknowledgment.

Check with your mobile operator immediately without delay if you don’t get network for a while.

How Our Personal Information May be Used (Misused) by Cyber Criminals?
For your clear understanding, how the Cyber Criminals may use your Personal Information for any unlawful purpose is given below:

Your Name, Employer Name, Date of Birth, Address, Mobile No., Email ID: 

Can be used while speaking to your Bank’s call center posing as yourself.

Can be used to give a fake request for change of your SIM card.

After Change of SIM card there are chances of your mobile no. being used for Criminal activities or even Terror activities.

Family Details like Name of spouse, children, parents etc. and your likes and dislikes:
Can be used to guess password as people make the mistake of using the names of their favorite place, person, and things as their password to avoid the pain of remembering difficult password.

Remember Cyber Criminals are intelligent and lot of support functions are available to them. Do not underestimate them.


ID Details like PAN, Driving License, Employer ID:
PAN & Driving License is a Government issued document and can be used (misused) in many places as an Identity Proof and Address Proof. (Generally these are shared with unknown agencies while applying for credit cards).

Please post your doubts and get clarification before it becomes too late.

You Are Visitor No.






View Venkatesh Rao's profile on LinkedIn