Cybercrime: Issues of Concern to Bankers
N.S. Saravade
Superintendent of Police
Central Bureau of Investigation
Mumbai
1. Introduction
The phrase ‘Cybercrime’ combines two very intriguing words in the English language. Crime has always been a subject of immense public interest, which is borne out by the enduring popularity of such authors as Sir Arthur Conan Doyle and Agatha Christie. The terminology associated with Cybernetics has also gained currency in the past few years. Cybernetics is defined as the theoretical study of communication and control processes in biological, mechanical and electronic systems. The word comes from the Greek word Kubernan, meaning ‘to govern’. Cybercrime can be defined as an act of creating, disturbing, altering, misusing and destroying information through the computer manipulation of cyber space, without the use of physical force and against the will or the interest of the victim.
It is of tremendous importance that all citizens understand and appreciate the impact the new technological change is going to have on the very nature of social and financial transactions. As Bankers deal with large public funds, it becomes imperative for them to study and understand Cybercrime.
2. Growth of Networking and Internet
Though computers have existed for several decades now, the real impact of the use of computers in the day-to-day affairs of the common man, and of commerce and industry as a whole, has begun to be noticed only very recently. The concept of a computer network has now become synonymous with the Internet, though they are not identical concepts. Each large organisation now has an internal network of computers to handle the processing of information. These are mostly Local Area Networks (LAN), though in nation-wide organisations such as banks, Wide Area Networks (WAN) also operate. These are linked through various connecting devices, such as leased data lines, telephone lines and V-SAT (Satellite). These internal networks of organisations are also now getting connected to the Internet.
In banking, various customer-oriented services are now made available to the general public at the convenience of a mouse-click, enabling them to access their statements of accounts and to make routine payments such as telephone and electricity bills, eliminating the need for physical visits to the Bank. The number of such users is likely to explode in coming times, as seen from the example of Automatic Teller Machines (ATMs). Indeed, the effects of computerisation are already visible in the shrinking manpower requirements in the banking sector. Since computerisation and networking have become imperative for survival in the competitive world of banking, the dangers and pitfalls of the same cannot be overlooked.
3. Some Statistics
In order to gain an idea of the globalisation of the banking business and the volume of the transactions involved, the following data will be of use.
S.W.I.F.T. (Society for Worldwide Interbank Financial Telecommunications) supplies secure messaging, interface software and 24-hour global support to 6,848 financial institutions in 189 countries. In 1999, S.W.I.F.T.'s global network carried over 1 billion messages. The average daily value of payments messages on the S.W.I.F.T. network is estimated to be above USD 5 trillion. S.W.I.F.T. helps its customers reduce costs, improve automation and manage risk. Today, in addition to its 2,263 member banks live on the network, S.W.I.F.T. users include sub-members and participants such as brokers, investment managers, securities depositories and clearing organizations, and stock exchanges.
The significance of new technology has also been appreciated by the RBI, which has introduced the following measures.
· Electronic payment mechanism: This includes mechanised clearing of cheques using Magnetic Ink Character Recognition (MICR) technology in metros and other centres.
· Inter City Clearing among MICR Centres.
· Electronic funds transfer: This is a scheme introduced by RBI to enable customers to remit funds from their Bank accounts in the four metros within the span of 24 hrs.
· Electronic clearing services: This service is for clearing of bulk payments like dividends/warrants. The bank accounts of the customers can be credited with dividends, interest on bonds, salary, pension etc. Similarly, payments of telephone bills, electricity charges, school fees, credit card dues and tax payments can also be made through this service.
According to data published by the Indian Banks’ Association, the progress of computerization as on 30 September 1999 was as follows.
Total No. of Branches in India | 45837
No. of branches eligible for Partial/Total Branch Computerization | 10281
No. of branches Partially Computerized | 9751
No. of branches identified for Total Bank Computerization | 7827
No. of Fully Computerized Branches | 4460
Total ATMs installed | 240
On-line terminals at Corporate Customer sites installed | 1108
Credit Cards issued | 881815
Smart Card (as Electronic Purse) issued | 323
Debit Cards issued | 40150
Branches covered under RBI's EFT Scheme | 3944
Corporate Customers availing of ECS-Credit clearing | 52
Corporate Customers under (Utility Services) under ECS-Debit/RAPID | 33
New MICR Cheque Clearing Centres to be set up | 48
Nodes on internal Captive network in banks | 480
Nodes on RBINET in banks | 116
Branches connected to other networks | 1215
Nodes on VSAT Network for the industry | 150
Branches connected to SWIFT | 636
Currency Chest & other branches linked to NICNET | 371
E-MAIL Connections | 2631
Banks & Branches covered under the Customs-Banks EDI Project | 11 banks, 24 branches
* Data pertains to Public Sector banks only
* Compiled by RBI
The present extent of the computerisation is less than 20%. This also has to be seen in light of the directives from the CVC that 70% of the bank work has to be computerised by the year 2001.
A study made by NASSCOM (National Association of Software and Service Companies) has predicted that the volume of E-Commerce transactions in India, which was Rs. 450 crores in 1999-2000, will go up to Rs. 3500 crores during 2000-01 and will jump to Rs. 15000 crores in 2001-2002. It is also estimated that the number of connections of Internet users in India, which is about 2.8 million at present, will rise to 16 million in March, 2003.
4. Types of Cybercrimes
From the point of view of the banking industry, the following are the important categories of Cybercrime.
a) Fraud
The most common kind of cybercrime is the theft of credit card information and its fraudulent use. This is showing a rising trend and is likely to be seen in India as well once the level of credit card penetration and e-commerce goes up in our country.
b) Forgery
These involve alterations of computerised documents. Since the advent of the high-resolution colour laser copier, which can produce high quality counterfeit copies, it has become increasingly common to come across counterfeit currency notes and high value negotiable instruments.
c) Computer Sabotage
This is achieved with the use of computer viruses, worms, Trojan horses and logic bombs. A computer network can be sabotaged by business adversaries, thereby effectively delivering a fatal blow to the entire business of the organization.
d) Unauthorised access to computerised service
This involves unauthorised access to the network by circumventing the established security procedures.
e) Denial of Service Attack
This is achieved by bombarding the servers of the company with voluminous e-mail so that the servers are unable to cope with the increased traffic and, as a result, get knocked out, disrupting the normal business.
An important aspect of cybercrime is that it is mostly international in nature, where, for example, a person sitting in one country can bring about the fraudulent and unauthorised transfer of money to his account, as happened with Citibank, when in 1995, one Russian person, viz. Vladimir Levin, could embezzle millions of dollars by exploiting the weaknesses in the computer system.
In the U.S., where statistics have been compiled on a regular basis, the computer security breaches were found to have increased by 16% within one year. For 1998, the figure of loss due to security breach was put at $136 million. These included unauthorised access by employees (44%), Denial of Service attack (25%), system penetration from the outside (24%), theft of proprietary information (18%), financial fraud (15%) and sabotage of data or networks (14%). There have been instances of disgruntled former or current employees sabotaging the computer system as they have easy access to the same.
As mentioned above, the famous case of Vladimir Levin involved transfer of funds from the offices of Citibank customers to bank accounts in California, England, Germany, the Netherlands, Switzerland and Israel between June and October 1994. He gained access over 40 times to Citibank’s cash management system, using personal computers and stolen passwords. Levin was arrested in March 1995 in London and subsequently extradited to the US on 24 February 1998. He was sentenced to 3 years' imprisonment. Citibank was able to recover all but $400 thousand of the $10 million illegally transferred funds.
5. The Indian Scenario
The Government of India has enacted an act called the Information Technology Act, 2000, which has received presidential assent and was notified in the Gazette of India on 9 June 2000. This act provides legal recognition to transactions carried out by means of electronic data interchange and other means of electronic communication, which involve the use of alternatives to paper-based methods of communication and storage of information. It further amends the Indian Penal Code, Indian Evidence Act, Bankers Book Evidence Act and RBI Act. While the act is a comprehensive document, dealing with various aspects of electronic commerce, from the point of view of Cybercrime, Chapter IX, which deals with penalties and adjudication, is of special significance. Sec. 43 of the Act proclaims the following acts as illegal:
1. Unauthorised access.
2. Copying or downloading data.
3. Introduction of computer viruses.
4. Damage to the computer system.
5. Disruption of the computer system or network.
6. Denial of access to other authorised persons.
The penalty prescribed is damages up to Rs. 1 crore.
Sec. 44 deals with penalty for failure to furnish information etc.
While the above-mentioned sections prescribe fines, Chapter XI deals with offences relating to computer systems. Under section 65, tampering with computer source code has been made an offence. A person stealing or destroying any computer source code, required to be maintained by law, is punishable with imprisonment of 3 years. Section 66 deals with hacking of computer systems. Any person destroying or altering any information with malicious intent is punishable with imprisonment of up to 3 years. Section 67 deals with dissemination of information which is obscene in nature. This attracts imprisonment of up to 5 years on first conviction and up to 10 years on subsequent convictions. Section 80 lays down the power of Police Officers and other officers to enter any public premises without warrant and conduct a search of the premises.
In recent times, a couple of cases of computer fraud have been reported in a public sector bank in Mumbai. Both the cases involved the employees of the Bank, who made fraudulent transfers of cash, totalling Rs. 8.83 lakh and Rs. 9.33 lakh respectively, to their and their relatives’ accounts through debit and credit vouchers. The amounts involved in each transfer were comparatively small and none of the affected parties, except one, made any complaint to the Bank authorities. In both the cases, it was found that the bank employees had, even after being transferred, visited the earlier branches and effected further transfers. The incidents display the casual approach regarding resetting of passwords after transfer of an employee and loaning of passwords to subordinate officials.
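The control gap in these two cases, a user ID that still works at a branch after its owner has been transferred, can be checked by reconciling the voucher log against staff posting records. The following is an added example, not part of the original paper; the record layouts, user IDs, account numbers and amounts are all constructed for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): staff postings per branch.
# Layout: (user_id, branch, from_date, to_date); to_date None = current posting.
POSTINGS = [
    ("emp101", "BR-A", date(1999, 1, 4), date(1999, 9, 30)),
    ("emp101", "BR-B", date(1999, 10, 1), None),
    ("emp202", "BR-A", date(1998, 6, 1), None),
]

# Constructed voucher log:
# (voucher_no, date, branch, user_id, credited_account, amount_rs)
VOUCHERS = [
    ("V001", date(1999, 9, 15), "BR-A", "emp101", "SB-5001", 12000),
    ("V002", date(1999, 10, 20), "BR-A", "emp101", "SB-7777", 18000),
    ("V003", date(1999, 11, 5), "BR-A", "emp101", "SB-7777", 15000),
    ("V004", date(1999, 11, 6), "BR-A", "emp202", "SB-5002", 40000),
    ("V005", date(1999, 11, 9), "BR-A", "emp999", "SB-7777", 9000),
]


def posted_at(user_id, branch, on_date, postings):
    """True if user_id held a posting at branch that covers on_date."""
    for uid, br, start, end in postings:
        if (uid == user_id and br == branch and start <= on_date
                and (end is None or on_date <= end)):
            return True
    return False


def stale_credential_entries(vouchers, postings):
    """Vouchers passed under a user ID whose owner was not posted at
    that branch on that day (transferred out, or unknown to HR records)."""
    return [v for v in vouchers if not posted_at(v[3], v[2], v[1], postings)]


def totals_by_credited_account(entries):
    """Sum flagged amounts per credited account, so that many small
    entries to the same account surface as one figure."""
    totals = defaultdict(int)
    for _no, _day, _branch, _uid, account, amount in entries:
        totals[account] += amount
    return dict(totals)


if __name__ == "__main__":
    flagged = stale_credential_entries(VOUCHERS, POSTINGS)
    for v in flagged:
        print("REVIEW", v[0], v[1].isoformat(), v[2], v[3], v[4], v[5])
    print(totals_by_credited_account(flagged))
```

Aggregating by credited account matters here because, as in the cases described, each individual transfer was small and drew almost no customer complaints.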
6. Conclusion
It is seen that the changing technology in the day-to-day business of the banks, along with globalisation of the banking industry and increasing volumes of cash being transacted through the banking system, have made it prone to large frauds. Today, an individual is in a position to have access to large funds by manipulating the access procedures and diverting and misusing them for his own ends. It is essential for all banks to understand the technology and its security implications. While the improvements in the operating system and software being used will improve the reliability, there is no substitute for monitoring the human factor in the working of the bank and having well established systems and procedures. Ensuring their compliance and building in elements of redundancy have to be enforced, if banking is to be kept free from the burgeoning frauds in the financial sector.