|follow us on twitter||Follow @intolegalworld|
Written By: Anwesha Ghosh
Until the mid-1990s, the banking sector in most parts of the world was simple and reliable; however, since the advent of technology, the banking sector saw a paradigm shift in the phenomenon. Banks, in order to enhance their customer base, introduced many platforms through which transactions could be done without much effort. These technologies enabled the customer to access their bank finances 24*7 and year around through, ATMs and Online banking procedures.
However, with the enhancement of technology, banking frauds have also increased likewise. Cybercriminals are using different means to steal ones bank information and ultimately their money as well.
It is, therefore, a collective consensus of banks and regulators to make policies and adopt measures in order to protect banking platforms from cyber threats. A number of technical defense and control measures like increased real-time supervision on transactions have been undertaken by the banks, however, even today the problem persists. The reason behind this is that the defense measures currently available with banks are often reactive, time-consuming and available in public domain which can be accessed even by the cybercriminal who in turn adopts measures to combat from these defenses. The attackers allocate their time in developing new means for cybercrime and also simultaneously work on finding the solutions to bridge these defense measures.
One of the ways to mitigate the problem of cybercrimes in the banking sector is to identify the factors related to banks that are general targets of such cyber-attacks, and why some banks have never faced such a situation. Banks which are general targets of cybercrimes suffer from various malware attacks in form of online phishing, keystroke-logging malware, identity theft, etc.
The concept of E-Banking:
Electronic Banking or e-banking refers to a system where banking activities are carried out using informational and computer technology over the human resource. In comparison to traditional banking services, in e-banking, there is no physical interaction between the bank and the customers. E-banking is the delivery of bank’s information and services by banks to customers via different delivery platforms that can be used with different terminal devices such as personal computer and a mobile phone with browser or desktop software, telephone or digital television.
The first initiative in the area of bank computerization was stemmed out of two successive Committees on Computerization (Rangarajan Committee). The first committee was set up in 1984 which drew the blueprint for the mechanization and computerization in the banking industry. The second Committee was set up in 1989 which paved the way for integrated use of telecommunications and computers for applying fully the technological breakthroughs to the banking operations. The focus shifted from the use of Advanced Ledger Posting Machines (ALPMs) for limited computerization to full computerization at branches and to integration of the branches. Till 1989, banks in India had 4776 ALPMs at the branch level, over 2000 programmers/ systems personnel and over 12000 Data Entry Terminal Operators.
The RBI constituted a Working Group on Internet Banking. Based on the notion of access to the banking products and services, the group divided internet banking into three systems.
(a) Informational System This system requires banks to provide information about interest rates, loan schemes, branch locations etc. to the customers. The customer can download various types of application as per the requirements. Also, customers are not required to reveal their identity and there is no realistic chance of any unauthorized person getting into the production system of the bank.
(b) Communicative System This system provides information to the customer about his account balance, transaction details etc. The customers can seek the information after authentication and log in through the passwords.
(c) Transactional System In this system a bank allows its customers to undertake transactions through its system and they are directly uploaded to the customer’s account. There is a bi-directional transaction that takes place between the bank and the customer and between the customer and the third party. This system is secured through security mechanisms like HTTP and https. E-banking is also known as Cyber Banking, Home Banking, and Virtual Banking. E-banking includes Internet Banking, Mobile Banking, RTGS, ATMs, Credit Cards, Debit Cards, and Smart Cards etc.
Cyber Crime in Banking Sector:
Cyber Crime can be simply stated as crimes that involve the use of computer and a network as a medium, source, instrument, target, or place of a crime. With the growing aspect of e-commerce and e-transactions, the economic crime has drifted towards the digital world. Cyber crimes are increasing globally and India to has been witnessing a sharp increase in cyber crimes related cases in the recent years.
In 2016, a study by Juniper Research estimated that the global costs of cybercrime could be as high as 2.1 trillion by 2019. However such estimates are only indicative and the actual cost of cybercrime including unreported damages is beyond estimation.
Cyber Crimes can be broadly classified into categories such as cyber terrorism, Cyber-bullying, Computer Vandalism, Software Piracy, Identity Theft, Online Thefts and Frauds, Email Spam and Phishing and many more.
However, from the aspect of financial cyber crimes committed electronically, the following categories are predominant:
- Hacking: It is a technique to gain illegal access to a computer or network in order to steal, corrupt, or illegitimately view data.
- Phishing: It is a technique to obtain confidential information such as usernames, passwords, and debit/credit card details, by impersonating as a trustworthy entity in an electronic communication and replay the same details for malicious reasons.
- Vishing: It is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for the purpose of financial reward.
- E-mail Spoofing: It is a technique of hiding an e-mail’s actual origin by forged the e-mail header to appear to originate from one legitimate source instead of the actual originating source.
- Spamming: Unwanted and unsolicited e-mails usually sent in bulk in an attempt to force the message on people who would not otherwise choose to receive it are referred to as Spam E-mails.
- Denial of Service: This attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service by “flooding” a network to disallow legitimate network traffic, disrupt connections between two machines to prohibit access to a service or prevent a particular individual from accessing a service.
- Advanced Persistent Threat: It is characterized as a set of complex, hidden and ongoing computer hacking processes, often targeting a specific entity to break into a network by avoiding detection together sensitive information over a significant period of time. The attacker usually uses some type of social engineering, to gain access to the targeted network through legitimate means.
- ATM Skimming and Point of Sale Crimes: It is a technique of compromising the ATM machine or POS systems by installing a skimming device atop the machine keypad to appear as a genuine keypad or a device made to be affixed to the card reader to look like a part of the machine. Additionally, malware that steals credit card data directly can also be installed on these devices. Successful implementation of skimmers causes an ATM machine to collect card numbers and personal identification number (PIN) codes that are later replicated to carry out fraudulent transactions.
Recommendations to Prevent Cyber Crime:
The banking sector is the backbone of our economy. The increasing number of cyber-crime cases has resulted in huge loses to our economy. Cyber-attacks should be prevented by ensuring suitable legislation which is implemented effectively. Both the banks and the customer should be made aware of the risk involved and safeguard measures. There needs to be cooperation between the various stakeholders to counter cyber-crime. The Indian Government established an Inter-Departmental Information Security Task Force (ISTF) with the National Security Council as the nodal agency for the coordination of all matters relating to effective implementation of its cyber-security strategy. Indian Computer Emergency Response Team (CERT-In) is the national nodal agency which is made to respond to computer security incidents whenever they occur. Few of the activities undertaken by CERT-In in implementing cyber security include coordination of responses to security incidents and other major events; issuance of advisories and time-bound advice regarding imminent threats; product vulnerabilities analysis; conducting training on specialized topics of cyber-security; and evolution of security guidelines on major technology platforms.
One of the main issues related to cyber-crime is of jurisdiction. Cyber-crime can be committed in any part of the globe has its impact in any corner. Every citizen should be able to identify and report cybercrimes from anywhere regardless of the country they reside in. The existing systems present in India for reporting cyber-related offenses involves registering complaints with the local police stations or cybercrime cells. Many Indian states have set up cybercrime cells, which monitor such crimes. In several instances, where the victims of cybercrime may not be able to report a cybercrime due to several reasons, such as staying in a remote location, unawareness regarding the place to report and privacy-related issues. This tends to result in many cybercrime cases going unreported. Since there is no centralized online cybercrime reporting mechanism. Also for law enforcement agencies at various levels such as national, state, and local level, there is no centralized referral mechanism for complaints relating to cybercrime. IT Act should be amended accordingly to define cybercrime and also specify the cases where the Act will have extra-territorial jurisdiction. The scope of the IT Act needs to be broadened to include legal framework relating to cyber laws in India. The responsibility of the intermediaries is vague and must be made more clear and explicit.
Cyber Fraud Council in Banks:
Whenever a cyber-fraud is committed the victim should report to the Cyber Fraud Council that must be set up by in each and every bank to review, monitor investigate and report about cyber-crime. In case, such Council does not take perform or refuses to perform its duty then a provision to file an FIR must be made. The matter to be brought before such council can be of any value. However, when the value is high then the Council shall act expeditiously. RBI in its 2011 Report stated that when bank frauds are of less than one Crore then it may not be necessary to call for the attention of the Special Committee Board.
Education to Customer:
The customer should be educated and made aware of various bank frauds and measures should be informed to them for safety mechanisms so that they do not fall prey as victims of cyber-crime. If a customer is conscious and reports the matter of cyber-crime then in the initial stage also instances of cyber-crimes can be reduced. A customer should be made aware of the Dos and Dont’s of E-banking. It can be done through publishing it on the bank’s website, publishing in the newspaper, through advertisements, by sending SMS alerts, through poster education etc. In case a bank introduces any new policy or there are any changes which are required to be followed by all banks as per RBI then, the bank must inform the customer through emails or by informing the customer through the telephone. The awareness material should be timely updated keeping in mind the changes in the legislation and guidelines of RBI.
Training of Bank Employees:
Training and Orientation programs must be conducted for the employees by the banks. The employees must be made aware of fraud prevention measures. It can be done through newsletters or magazines throwing light on frauds related aspects of banks by senior functionaries, putting up ‘Dos and Dont’s in the workplace of the employees, safety tips being flashed on screen at the time of logging into Core Banking solution software, holding discussions on factors causing cybercrime and actions required to be undertaken in handling them. Employees who go beyond their call of duty to prevent cyber frauds if rewarded will also enhance the work dedication.
Strong Encryption-Decryption Methods:
E-banking activities must be dealt using Secure Sockets Layer (SSL). It provides encryption link of data between a web server and an internet browser. The link makes sure that the data remains confidential and secure. As per India, we follow asymmetric crypto-system which requires two keys, public and private, for encryption and decryption of data. For SSL connection an SSL Certificate is required which is granted by the appropriate authority under IT Act, 2000. To ensure security transactions RBI suggested for Public Key Infrastructure in Payment Systems such as RTGS, NEFT, and Cheque Truncation System. According to RBI, it would ensure a secure, safe and sound system of payment. Wireless security solutions should also be incorporated. In cases of Denial of Service Attacks, banks should install and configure network security devices.
Physical and Personnel Security:
Banks must execute proper physical and ecosystem controls giving regards to threats, and based on the institution’s unique geographical location, and neighboring entities etc. Also when a new employee is employed then there should be a process of verification of the applicant. The level of verification may vary depending upon the position and job profile. In ATMs, there must always be a security guard who has received proper training under the force. It is because many incidents occur where ATMs are looted. So physical security at ATMs is necessary.
Cooperation among nations to avert cyber-crime:
Cyberspace being transnational in nature requires cooperation among States to work together to avert cyber-crime. Although, a few treaties and implementation measures exist; a wholesome approach defining legal and technical measures and organizational capabilities are yet to take central importance for India in its goal to contribute to the global fight against cyber-crime. IT Act, 2000 having extra-territorial application poses a problem in the investigation, prosecution, and extradition of foreign nationals. India should actively engage as part of the international cybercrime community centred on Asia, Europe and America to seek help and also contribute to international cybercrime issues.
Indian customers are gradually preferring online services because of convenience, cost-saving, and swiftness of online transactions. In addition, financial institutions are tossing exciting offers to customers with the vision of upturning the volume of cashless transactions due to comparatively lower operational costs.
However, it can be concluded the cyber-security measures placed by financial institutions to curtail the curse of cybercrime are being out-paced by the dynamic technological landscape and improved expertise of the intruders.
Amidst the continuous upliftment of the technology implemented at the backend of the financial institution, some essential aspects were overlooked that now demand huge attention.
Cybercrime comprises its own set of unique attractive features that have gradually started outweighing the traditional crimes. The extent of anonymity, global victim reach and swift results are amongst the few that cybercriminals find most attractive.
Non-existent/Inadequate awareness campaigns further simplify the work of the cyber-criminals. Unaware consumers are easily deceived due to lack of insight into the latest attack methodologies and identified preventive measures.
 Daniel, E. (1999), Provision of electronic banking in the UK and the Republic of Ireland, International Journal of Bank Marketing, Vol. 17, No. 2, pp. 72-82.
 Committees on Computerization, available at: https://www.rbi.org.in/Scripts/PublicationsView.aspx?id=162 (Last Visited: Nov. 30, 2017, 01:20 PM).
 Dr. B R Sharma and Dr. R P Nainta, Banking Law & Negotiable Instruments Act, 4th Edn, Allahabad Law
Agency, p 183.
 Talwar S P, (1999), National Seminar on Computer Related Crime, Inaugural address by Shri S P Talwar, Deputy Governor, Reserve Bank of India, February 24, 1999.
 Reserve Bank of India, Report on Internet Banking, available at:
https://www.rbi.org.in/Scripts/PublicationReportDetails.aspx?UrlPage=&ID=243#ch2 (Last Visited: Dec 1 2017, 10:25 AM).
 Dheenadhayalan V., Automation of Banking sector in India, Yojana, February, (2010) p.32.
 Kharouni, L. (2012). Automating Online Banking Fraud Automatic Transfer System: The Latest Cybercrime
Toolkit Feature (Rep.).
 Liu, J., Hebenton, B., &Jou, S. (n.d.). Handbook of Asian Criminology.
 Threats to the Financial Services sector (Rep.). (2014). Price waterhouse Coopers.
 Net Losses: Estimating the Global Cost of Cybercrime (Rep.). (2014). Intel Security.
 Strategic national measures to combat cyber-crime: Perspective and learnings for India, available at: http://www.ey.com/Publication/vwLUAssets/ey-strategic-national-measures-to-combat-cybercrime/$FILE/ey-strategic-national-measures-to-combat-cybercrime.pdf (Last Visited: Dec 1 2017, 10:32 AM).
 Reserve Bank of India, Working Group on Information Security, Electronic Banking, Technology Risk
Management and Cyber Frauds, (21 Jan 2011).
 Section 3(2), Information Technology Act, 2000 provides authentication of Electronic Records shall be
effected by the use of asymmetric crypto system and hash function which envelop and transform the initial
electronic record into another electronic record.
 RBI for two stage verification for online banking transactions, Economic Times, Mumbai, April 22,2014.
 RBI Guidelines on Information Security, Electronic Banking, Technology Risk management and Cyber