UNIVERSITY OF MUMBAI

PROJECT ON
CYBERCRIME IN BANKING SECTOR
BACHELOR OF COMMERCE
BANKING & INSURANCE
SEMESTER V
(2017-2018)

SUBMITTED
In partial Fulfillment of the requirement for the
Award of Degree of Bachelor of Commerce Banking & Insurance.

SUBMITTED BY,
CHAITANYA AMBRE
ROLL NO. - 04

UNDER GUIDANCE,
Asst. Prof. Kunal Soni

MAHARSHI DAYANAND COLLEGE OF ARTS, SCIENCE & COMMERCE

PAREL, MUMBAI 400 012.

MAHARSHI DAYANANDCOLLEGE
OF ARTS, SCIENCE & COMMERCE
PAREL, MUMBAI 400 012.
 CERTIFICATE

This is to certify that MR. CHAITANYA AMBRE of B. Com (Banking

& Insurance) Semester V (2017-2018) has successfully completed the
project on CYBERCRIME IN BANKING SECTOR under the guidance
of Asst. Prof. Kunal Soni.

Course Coordinator Principal

Project Guide/Internal Examiner External Examiner

 DECLARATION

I am MR. CHAITANYA AMBRE. The student of B. com (Banking &

Insurance) Semester V (2017-2018) hereby declares that I have completed
the Project on CYBERCRIME IN BANKING SECTOR. The
information submitted is true and original to the best of my knowledge.

Signature of student

Name of Student

MR. CHAITANYA AMBRE

Roll No. 04
 ACKNOWLEDGEMENT

The college, the faculty, the classmates & the atmosphere, in the college
were all the favorable contributory factors right from the point when the
topic was to be selected till the final copy was prepared. It was a very
enriching experience throughout the contribution from the following
individuals in the form in which it appears today. We feel privileged to take
this opportunity to put on record my gratitude towards them.
PROF. KUNAL SONI made sure that the resource was made available in
time & also for immediate advice & guidance throughout making this
project. The principal of our college DR. T.P. GHULE and our Vice-
Principal Mrs. SANJEEVANI PHATAK has always been inspiring &
driving force. We are thankful to Mr. SANTOSH SHINDE associated with
administration part of Financial Markets & Banking & Insurance section
has been very helpful in making the infrastructure available for data entry.
 EXECUTIVE SUMMARY
Cybercrimes are any illegal activities committed using computer target of the
criminal activity can be either a computer, network operations. Cybercrimes are
genus of crimes, which use computers and networks for criminal activities. The
difference between traditional crimes and cybercrimes is the cybercrimes can be
transnational in nature. Cybercrime is a crime that is committed online in many
areas using e-commerce. A computer can be the target of an offence
when unauthorized access of computer network
Occurs and on other hand it affects ECOMMERCE. Cybercrimes can be of
various types such as Telecommunications Piracy Electronic Money Laundering
and Tax Evasion, Sales and Investment Fraud, Electronic Funds Transfer Fraud
and so onThe modern contemporary era has replaced these traditional
monetary instruments from a paper and metal based currency to plastic money
in the form of credit cards, debit cards, etc. This has resulted in the increasing use
of ATM all over the world. The use of ATM is not only safe but is also convenient.
This safety and convenience, unfortunately, has an evil side as well that do not
originate from the use of plastic money rather by the misuse of the same. This
evil side is reflected in the form of ATM frauds that is a global problem.
Internet commerce has grown exponentially during the past few years and is still
growing. But unfortunately, the growth is not on the expected lines because the
credit card fraud which has become common has retarded the e-commerce growth.
Credit card fraud has become regular on internet which not only affects card
holders but also online merchants. Credit card fraud can be done by taking over
the account, skimming or if the card is stolen. Certain preventive measures can be
taken to becoming a credit card victim. The term "Internet fraud" refers generally
to any type of fraud scheme that uses one or more components of the Internet -
such as chat rooms, e-mail, message boards, or Web sites - to present fraudulent
solicitations to prospective victims, to conduct fraudulent transactions, or to
transmit the proceeds of fraud to financial institutions or to other connected with
the scheme.
 INDEX

SR NO TOPIC PAGE NO.

01 INTRODUCTION 01

02 OBJECTIVES OF THE STUDY 04

03 I.T. IN BANK 05

04 CYBERCRIME IN BANK 07

05 MEASURES TO PREVENT CYBERCRIME IN BANK 15

06 RBIS MEASURES TO PREVENT CYBERCRIME 29

07 CASE STUDY 32

08 CONCLUSION 34

09 RECOMMENDATIONS & SUGGESTIONS 35

10 BIBLIOGRAPHY 37
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 1
INTRODUCTION

The world is fast moving online with 46.1% of total world population now
connected to the web according to internetlivestats.com (as on July 1, 2016). A
remarkable instance of this phenomena has been experienced in India with a
notable increase in the past three years i.e. 18% of the Indian population online
in 2014, 27% in 2015 and 34.8% in 2016 (as on July 1, 2016). Today activities
performed over the internet are not just limited to technology freaks for
technical uses, rather every second individual is enjoying the easy internet
availability and accessibility for day-to-day purposes like banking, ecommerce,
education, entertainment and many more. Markedly, the wave of smartphones
has acted as a catalyst to this tremendous internet growth. The banking industry
has enjoyed the ride of emerging technology to undergo significant changes.
Banks are among the biggest beneficiaries of the IT revolution and have largely
adopted Information Technology solutions for rendering the banking services to
their customers. The proliferation in online transactions mounting on
technologies like NEFT (National Electronic Fund Transfer), RTGS (Real-time
Gross Settlement Systems), ECS (Electronic Clearing Service) and mobile
transactions is a glimpse of the deep-rooted technology in banking and financial
matters. With the swift expansion of computer and internet technologies, new
forms of worldwide crimes known as Cyber Crimes has evolved in the scene.
Over a period of time, the nature and pattern of Cyber Crime incidents have
become more sophisticated and complex. Banks and Financial Institutions
remain the unabated targets of cyber criminals in the last decade. Notably
financial gain is still one of the major motivations behind most cybercriminal
activities and there is little chance of this changing in the near future (Symantec,

1
TYBBI Cybercrime in Banking Sector MD College

2015). This paper focusses on the technical aspects of various types of

cybercrimes concerning the banking and financial

sector and their related impacts. Additionally, it identifies the threat vectors
supporting these cybercrimes and develop measures to aid in the combating the
resulting cyber-attacks so that such attacks can be better prevented in the future
for enhanced security. As an increasing number of users are demanding online
services, the background mission of providing balanced security and
convenience is seeming to be a tough challenge due to numerous obtrusive
actors collectively referred to as Cyber-Crime. Simply stated, Cyber-Crime
is crime that involves a computer and a network. (Moore R, 2005). Cyber-
Crime is being considered a serious threat to all the aspects of a nations
economic growth as maximum instances of the same are being observed in
financial institutions. Cyber-Crime incidents include but are not limited to credit
card fraud, spamming, spoofing, e-money laundering, ATM fraud, phishing,
vishing, identity theft and denial of service. Today, web technology has emerged
as an integral and indispensable part of the Indian Banking sector. The
enlargement of non-cash based transactions around the globe has resulted in the
steady development of robust online payment systems. While paper-based
transactions cleared through cheques amounted to Rs 85 lakh crore in FY15,
paperless transactions, including retail electronic transactions such as ECS
(electronic clearing system) debits and credits, electronic fund transfer, card
transactions, mobile transactions and prepaid instruments were to the tune of Rs
92 lakh crore in the same. India has seen an upsurge in the volume of
debit/credit cards due to increased online acceptance through alternative
channels, including internet, ATM and mobile banking. In the days to come, this
volume will gain traction as the youth generation will enter the economic
2
TYBBI Cybercrime in Banking Sector MD College

gyration. The last few years have seen a significant increase in cybercrime
across all sectors and geographies. Given the proliferation of these technological
crime, organizations face a significant challenge to be resistant against
cyberattacks. As per Motive-wise Cases Reported under Cyber Crimes during
2015 statistics by National

Crime Records Bureau, Greed / Financial Gain is the prime motivation for
committing Cyber Crimes. This research attempts to analyses the concerns of
cyber threats to the banking sector by highlighting the underlying modus
operandi. It focusses on the preparedness of the financial organizations to deal
with incidents related to Cyber Crime.

3
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 2
OBJECTIVE

To study the working of Infromation Technology in Banks

To know the impact of contribution of technology in regard to customer
satisfaction.
To know and understand the loophole in the E-banking.
To understand various aspects of Cybercrime occurring nowadays in Bank.
To analyses and recommend the various measure to minimize the online
frauds.

4
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 3
Information Technology in Bank

The Indian baking industry is enjoying a joyous growth. With the credit card
and debit card users increasing every day and new technologies like internet
wallets slowly gaining popularity, the financial transactions are touching all-
time highs. This firm progression in the mounting paper less transactions
numbers where a total of 9545797438 transactions were commenced using
credit and debit cards in the year 2015 alone (Fig 1) can be partially accredited
to the recent developments in the e-banking and e-commerce verticals. Online
banking, also known as internet banking, e-banking or virtual banking, is an
electronic payment system that enables customers of a bank or other financial
institution to conduct a range of financial transactions through the financial
institution's website. The online banking system will typically connect to or be
part of the core banking system operates by a bank and is in contrast to branch
banking which was the traditional way customers accessed banking services.

To access a financial institutions online banking facility, a customer with internet

access will need to register with the institution for the service, and set up a
password and other credentials for customer verifications. The credentials for
online banking is normally not the same as for telephone or mobile banking.
Financial institutions now routinely allocate customers numbers, whether or not
customers have indicated an intention to access their online banking facility.
Customer numbers are normally not the same as account numbers, because a
number of customer accounts can be linked to the one customer number.
Technically, the customer number can be linked to any account with the
financial institution that the customer controls, though the financial institution
may limit the range of accounts that may be accessed to, say, cheque, savings,
5
TYBBI Cybercrime in Banking Sector MD College

loan, credit card and similar accounts.

The customer visits the financial institution's secure website, and enters the
online banking facility using the customer number and credentials previously
set up. The types of financial transactions which a customer may transact
through online banking are determined by the financial institution, but usually
includes obtaining account balances, a list of the recent transactions,
electronic bill payments and funds transfers between a customer's or another's
accounts. Most banks also enable a customer to download copies of bank
statements, which can be printed at the customer's premises (some banks charge
a fee for mailing hard copies of bank statements). Some banks also enable
customers to download transactions directly into the customer's accounting
software. The facility may also enable the customer to order a cheque book,
statements, report loss of credit cards, stop payment on a cheque, advise change
of address and other routine actions.

Today, many banks are internet-only institutions. These "virtual banks" have
lower overhead costs than their brick-and-mortar counterparts. In the United
States, many online banks are insured by the Federal Deposit Insurance
Corporation(FDIC) and can offer the same level of protection for the customers'
funds as traditional banks

6
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 4
CYBER CRIME IN BANKING SECTOR

Cyber Crime can be simply stated as crimes that involve the use of computer
and a network as a medium, source, instrument, target, or place of a crime. With
the growing aspect of e-commerce and e-transactions, the economic crime has
drifted towards the digital world. Cybercrimes are increasing globally and India
too has been witnessing a sharp increase in cybercrimes related cases in the
recent years. In 2016, a study by Juniper Research estimated that the global
costs of cybercrime could be as high as 2.1 trillion by 2019. However, such
estimates are only indicative and the actual cost of cybercrime including
unreported damages is beyond estimation. Cyber Crimes can be broadly
classified into categories such as cyber terrorism, Cyber-bullying, Computer
Vandalism, Software Piracy, Identity Theft, Online Thefts and Frauds, Email
Spam and Phishing and many more. However, from the aspect of financial cyber
crimes committed electronically, the following categories are predominant:

Hacking: It is a technique to gain illegal access to a computer or network to

steal, corrupt, or illegitimately view data.

Phishing: It is a technique to obtain confidential information such as usernames,

passwords, and debit/credit card details, by impersonating as a trustworthy
entity in an electronic communication and replay the same details for malicious
reasons.

Vishing: Itis the criminal practice of using social engineering over the telephone
system to gain access to private personal and financial information from the
public for financial reward.
7
TYBBI Cybercrime in Banking Sector MD College

E-mail Spoofing: It is a technique of hiding an e-mails actual origin by forged

the e-mail header to appear to originate from one legitimate source instead of
the actual originating source.

Spamming: Unwanted and unsolicited e-mails usually sent in bulk in an attempt

to force the message on people who would not otherwise choose to receive it are
referred to as Spam E-mails.

Denial of Service: This attack is characterized by an explicit attempt by attackers

to prevent legitimate users of a service from using that service by "flooding" a
network to disallow legitimate network traffic, disrupt connections between
two machines to prohibit access to a service or prevent a individual from
accessing a service.

Advanced Persistent Threat: It is characterized as a set of complexes, hidden

and ongoing computer hacking processes, often targeting a specific entity to
break into a network by avoiding detection together sensitive information over a
significant period of time. The attacker usually uses some type of social
engineering, to gain access to the targeted network through legitimate means.

Advanced Persistent Threat: It is characterized as a set of complexes, hidden

and ongoing computer hacking processes, often targeting a specific entity to
break into a network by avoiding detection to gather sensitive information over
a significant period of time. The attacker usually uses some type of social
engineering, to gain access to the targeted network through legitimate means.
Successful advanced persistent threat campaigns can result in costly data
breaches.

ATM Skimming and Point of Sale Crimes: It is a technique of compromising the

ATM machine or POS systems by installing a skimming device atop the
machine keypad to appear as a genuine keypad or a device made to be affixed to

8
TYBBI Cybercrime in Banking Sector MD College

the card reader to look like a part of the machine. Additionally, malware that
steals credit card data directly can also be installed on these devices

9
TYBBI Cybercrime in Banking Sector MD College

According to the Straits Times, (8/11/99)

A copy of the most recent James Bond Film The World is Not Enough, was
available free on the internet before its official release. When creators of a work,
in whatever medium, are unable to profit from their creations, there can be a
chilling effect on creative effort generally, in addition to financial loss.
4. Dissemination of Offensive Materials
Content considered by some to be objectionable exists in abundance in
cyberspace. This includes, among much else, sexually explicit materials, racist
propaganda, and instructions for the fabrication of incendiary and explosive
devices. Telecommunications systems can also
be used for harassing, threatening or intrusive communications, from the
traditional l obscene telephone call to its contemporary manifestation in "cyber-
stalking", in w hitch persistent messages are sent to an unwilling recipient. One
man allegedly stole nude photographs of his former girlfriend and her new
boyfriend and posted them on the Internet, along with her name, address and
telephone number. The unfortunate couple, residents of Kenosha, Wisconsin,
received phone calls and e-mails from strangers as far away as Denmark who
said they had seen the photos on the Internet. Investigations also revealed that
the suspect was maintaining records about the womans movements and
compiling information about her family (Spice and Sink 1999).In another
case a rejected suitor posted invitations on the Internet under the name of a 28-
year-old woman, the would-be object of his affections that said that she had
fantasies of rape and gang rape. He then communicated via email with men who
replied to the solicitations and gave out personal information about the woman,
including her address, phone number, details of her physical appearance and
how to bypass her home security system. Strange men turned up at her home on
10
TYBBI Cybercrime in Banking Sector MD College

six different occasions and she received many obscene phone calls. While the
woman was not physically assaulted, she would not answer the phone, was

afraid to leave her home, and lost her job (Miller 1999; Miller and Maharaj
1999).One former university student in California used email to harass 5 female
students in1998. He bought information on the Internet about the women using
a professor's credit card and then sent 100 messages including death threats,
graphic sexual descriptions and references to their daily activities. He
apparently made the threats in response to perceived teasing about his
appearance (Associated Press 1999a). Computer networks may also be used in
furtherance of extortion.

The Sunday Times

(London) reported in 1996 that over 40 financial institutions in Britain and the
United States had been attacked electronically over the previous three years. In
England, financial institutions were reported to have paid significant amounts to
sophisticated computer criminals who threatened to wipe out computer systems

.
The Sunday Times
, June 2, 1996). The article cited four incidents between 1993 and 1995 in which
a total of 42.5 million Pounds Sterling were paid by senior executives of the
organizations concerned, who were convinced of the extortionists' capacity to
crash their computer systems (Denning 1999 233-4).

11
TYBBI Cybercrime in Banking Sector MD College

5. Electronic Money Laundering and Tax Evasion

For some time now, electronic funds transfers have assisted in concealing and in
moving the proceeds of crime. Emerging technologies will greatly assist in
concealing the origin of ill-gotten gains. Legitimately derived income may also
be more easily concealed from taxation authorities. Large financial institutions
will no longer be the only ones with the
ability to achieve electronic funds transfers transiting numerous
jurisdictions at the speed of light. The development of informal banking
institutions and parallel banking systems may permit central bank supervision to
be bypassed, but can also facilitate the evasion of cash transaction reporting
requirements in those nations which have them. Traditional underground banks,
which have flourished in Asian countries for centuries, will enjoy even greater
capacity through the use of telecommunications. With the emergence and
proliferation of various technologies of electronic commerce, one can easily
envisage how traditional countermeasures against money laundering and tax
evasion may soon be of limited value. I may soon be able to sell you a quantity
of heroin, in return for an untraceable transfer of stored value to my "smart-
card", which I then download anonymously to my account in a financial
institution situated in an overseas jurisdiction which protects the privacy of
banking clients. I can discreetly draw upon these funds as and when I may
require, downloading them back to my stored value card (Whaler 1996).

12
TYBBI Cybercrime in Banking Sector MD College

6. Electronic Vandalism, Terrorism and Extortion

As never, western industrial society is dependent upon complex data processing
and telecommunications systems. Damage to, or interference with, any of
these systems can
lead to catastrophic consequences. Whether motivated by curiosity or
vindictiveness s electronic intruders cause inconvenience at best, and have the
potential for inflicting massive harm While this potential has yet to be realized,
a number of individuals and protest groups have hacked the official web pages
of various governmental and commercial organizations for e.g.:(Rathmell1997).

13
TYBBI Cybercrime in Banking Sector MD College

7. Sales and Investment Fraud

As electronic commerce becomes more prevalent, the application of digital
technology to fraudulent endeavors will be that much greater. The use of the
telephone for fraudulent sales pitches, deceptive charitable solicitations, or
bogus investment overtures is increasingly common. Cyberspace now abounds
with a wide variety of investment opportunities, from traditional securities such
as stocks and bonds, to more exotic opportunities such as coconut farming, the
sale and leaseback of automatic teller machines, and worldwide telephone
lotteries (Cella and Stark 1997 837-844). Indeed, the digital age has been
accompanied by unprecedented opportunities for misinformation. Fraudsters
now enjoy direct access to millions of
prospective victims around the world, instantaneously and at minimal cost.
Classic pyramid schemes and "Exciting, Low-Risk
Investment Opportunities" are not uncommon. The technology of the
World Wide Web is ideally suited to investment solicitations. In the words of
two SEC staff "At very little cost, and from the privacy of a basement office or
living room, the fraudster can produce a home page that looks better and more
sophisticated than that of a Fortune 500 company" (Cella and Stark 1997, 822).

8. Illegal Interception of Telecommunications

Developments in telecommunications provide new opportunities for electronic
eav stropping. From activities, as time-honored as surveillance of an unfaithful
spouse, to the news

14
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 5
Measures to prevent Cyber Crimes In Banking Company
Applying the modern technical means of the information security has become the
significant element of the computer crime prevention in banking (prevention
implies the access restriction or the use of the whole computer system or just part
of it. The Regulations about technical information security in Ukraine indicates that
technical information security with the restricted access in the automated systems
and means of computer engineering is directed on preventing the disturbance of
data integrity with the restricted access and its leaking in the way of :

- Unauthorized access
- intaking and analyzing the collateral electromagnetic radiations and i n d u c i n g
- the use of the laying devices
- the implementation of computer viruses and other ways of disturbance.

The engineering information security with restricted access in the automated

systems and means of computer engineering meant for forming, transferring,
accepting, transforming, displaying and keeping some information is provided with
a complex of designer, organizational, programmed and engineering measures at
all stages of their creation and their work.

The main methods and means of engineering information security with the
restricted access in the automated systems and means of computer engineering are:

- the use of protected equipment

- the regulation of users work, operating personnel, software, elements of
databases and information carriers with the restricted access (access delimitation)
15
TYBBI Cybercrime in Banking Sector MD College

- the regulation of the architecture of automated systems and means of computer

engineering
technical and engineering equipping of rooms and communications meant f o r
exploitation of the automated systems and means of computer engineering
- the search for laying devices, their revealing and blocking

These measures can play serious generally preventive role in the fight with computer
crimes at their skillful and comprehensive use.

Taking into consideration the fact that the problem dealing with computer
criminality and its preventive measures in banking in our country has been studied
only for 90 years, and in some foreign countries this problem has been studied for
a long time, we should learn the broad experience of these countries and put it into
the domestic practice considering the acting normative and legal basis of Ukraine.

There are main means of information security: physical measures, hardware means,
software means, hardware and software means, cryptographic and organizational
methods.
The physical means of protection are the measures which are necessary for outer
protection of a computer, the territory and the objects on the basis of computer
engineering which are specially meant for creating the physical obstacles on
possible ways of penetration and access of the potential infringes to the
components of information systems and data which are under protection. The
simplest and reliable method of information security from the threats of the
unauthorized access is the regime of the independent use of a computer by one
user in a specially meant room in the absence of unauthorized persons. In this case
the specially set room plays the role of an exclusive circle of protection, and the

16
TYBBI Cybercrime in Banking Sector MD College

physical security is windows, walls, a floor, a ceiling, a door. If the wall, the
ceiling, the floor and the door are substantial, the floor has no hatches adjoining to
other rooms, the windows and the door are supplied with a signaling system, then
the stability of security will depend on the performance specification of a signaling
system in the users absence in the off time.

In the working time when a computer is on, the leak of information is possible
through the channels of adjacent electromagnetic radiation. To prevent such a
threat a special examination of means (a computer itself) and devices of electronic
computer machinery (CM) (a computer in a room specially marked out) is
carried out. This examination implies is a certification procedure and
categorization of means and devices of CM with issuing the corresponding
operating permit. Moreover, the door of the room must be supplied with the
mechanical or electromechanical lock. In some cases if there is no signaling system
and the computer user is absent during a long period it is desirable to keep a
system block and the machine information carriers in the safe to provide better
safety . The use of a hardware password in the input/output system of BIOS in
some computers, which disables loading and operating ECM, does not provide
proper security against the threats of the unauthorized access, for the hardware
element of the BIOS-carrier of a password can be substituted for another one alike
in the absence of the mechanical lock on case of the system block and the absence
of a user, as the clusters (blocks) of BIOS are unified and they have the certain
password data. For this reason the mechanical lock disabling the process of a
computer switching on and its loading is the most effective measure in this case.

17
TYBBI Cybercrime in Banking Sector MD College

To provide security against the leakage the specialists suggest the mechanical
attaching of a computer to the users table. Meanwhile it is necessary to keep in
mind that in the absence of a signaling system ensuring constant access control to
the room or to the safe the reliability of locks and attachments must be of the kind
that the time the infringe needs to force them would not exceed the period when
the computer users will be absent. If this kind of security is not provided, the
signaling system is required without fail [3].

The range of modern physical security means is very wide. This group of security
means also includes various means of screening the workrooms and the data
transmission channels.

The hardware means of security are various electronic, mechanical and electronic
means and other system devices which are embedded in the serial blocks of
electronic systems of data processing and data transferring to provide internal
security of computer facilities: terminals, devices of data input and output,
processors, transmission links,
etc.

The main functions of hardware means of security are :

- the inhibition of the unauthorized remote access to the distant user

- the inhibition of the unauthorized remote access to the databases as a result of the
casual or intentional activity of staff
- the protection of the software integrity.

These functions are carried out in the way of:

18
TYBBI Cybercrime in Banking Sector MD College

- identification of the subjects (users, maintenance staff) and the objects

(resources) of a system
- authentication of the subject in accordance with the given identifier
- inspection of authorities which implies checking the permit for certain kinds of
work
- registration (logging) with reference to the forbidden resources
- registration of the attempts of unauthorized access [4]. The
implementation of these functions is carried out with the help of applying various
engineering devices of special-purpose. In , they include:

- the emitters supplying uninterrupted power of hardware, and also the device of
equalization which prevents the spasmodic voltage drop and voltage crests in the
transmission network
- the devices of hardware screening, transmission links and accommodations
where the computer machinery is located
- the devices of identification and commit of terminals and users when fulfilling
the unauthorized access to a computer
web
- the protection means of computer ports , etc.

The protection means of ports have some protective functions, in particular:

1) a comparison of the code . The computer of port security verifies the code of
the authorized users with the code required

2) a disguise. Some means of ports protection disguise the existence of ports on

the line of a telephone link in the way of synthesizing a human voice which

19
TYBBI Cybercrime in Banking Sector MD College

answers the calls of the viewer

3) a counter-bell . In the memory of a means of ports protection not only access

codes but also identification telephone numbers are kept

4) input of the automatic electronic record of access to the computer system

with fixing the main users operations [5].

Software security means are necessary to accomplish logical and intellectual

functions of security which embedded in the software tools of the system.

There are some aims of the safety which are realized with the help of software
security means:

- check of the loading and login with the help of a password system
- delimitation and check of access rights to the system resources , terminals,
exterior lives, constant and temporary data sets, etc
- file protection from viruses
- automatic control of users operations in the way of logging their activity.

The hardware and software security means are the means, which are based on the
synthesis of program and hardware means. These means are widely used in
authentication of users of the automated banking systems. Authentication is the
inspection of the users identifier before its access to the system resource.

The hardware and software safety means are also used at overlaying electronic and

20
TYBBI Cybercrime in Banking Sector MD College

digital signatures of the accountable users. The use of smart cards containing
passwords and users codes are widespread in the automated banking systems [4].

The organizational security means of the computer information make up the set of
measures concerning staff recruitment, inspection and training of the staff which
participate in all stages of information process.

The analysis of the materials of criminal cases leads to the conclusion that the main
reasons and conditions which make for committing computer crimes are mainly the
following:

- the absence of attending personnels activity control, which helps a criminal use a
computer freely as the instrument of crime
- a low level of the software which has no reference security and does not ensure
the inspection of conformity and accuracy of the information
- the imperfection of a password security system from the unauthorized access to a
workstation or its software which does not provide authentic identification of a
user according to individual biometrics parameters
- the absence of strict approach to the employees access to the secret information,
etc.

The experience of foreign countries testifies that the most effective security of
information systems is bringing in the position of the specialist on computer safety
or creating a special services, both private and centralized ones depending on a
particular situation. The availability of such a department (service) in a bank
system according to the foreign specialists decreases two-fold the undertaking of

21
TYBBI Cybercrime in Banking Sector MD College

crimes in the sphere of computer technologies .

According to the legislation of Ukraine, in the state establishments and companies

they can create subdivisions, services which arrange the work connected with
information security , with keeping the level of information security in the
automated systems and which bear responsibility for the efficiency of information
security. It is worth mentioning that this norm by nature is not imperative
(obligatory) but advisable. As appears from above said along with the Law
About the information security in the automated systems the information
security in the automated systems is the obligatory function, meanwhile it is not
obligatory to create a separate functional organizational structure on this function.
This function can be a component of another organizational structure that is it can
be carried out along with other functions.

In opinion of such native specialists as Bilenchuk P.D. and Golubev V.O., the
creation of special structures is obligatory for credit and financial establishments
and some bodies (banks of commerce, concerns, companies, etc.). They must have
specially created departments of computer safety within the framework of acting
services of economical safety and physical security whose activity should be
supervised with one official specially appointed for these purposes that is the
deputy of the security chief who has corresponding human, financial and
engineering resources in his disposal to solve the problems put by.

Duties of such persons (structural subdivisions) should include, first of all, such
organizational measures as:

22
TYBBI Cybercrime in Banking Sector MD College

1) supply of the support on the part of administration of particular enterprise of the

requirements for computer equipment security

2) working out the complex plan of information security

3) defining the priority-driven directions of information security taking into

consideration peculiarities of the companys activity

4) making the general estimate of expenditures of financing the security measures

according to the settled plan (item 2) and its approval as a supplement to the plan
of ruling by the company

5) defining the responsibility of the employees ot the enterprise for the

information safety within the scope of fixed competence by concluding a treaty
between an employee and the administration

6) working out, implementing and control of following different kinds of

operating instructions, rules and orders which regulate the access forms, levels of
the information privacy, particular persons enabled to work with secret
(confidential) data, etc.

7) working out the effective measures of fight with the infringes of computer
equipment security
The reliable means of effectiveness increase of computer equipment safety is
training and instructing of the working staff as for the organizational and
engineering measures of security which one are applied in a particular enterprise.

23
TYBBI Cybercrime in Banking Sector MD College

Moreover, such organizational measures are necessarily to carry out:

1) it is necessary to determine the access categories for all persons who have the
right of access to the computer equipment, that is the circle of official interests of
each person, kinds of information which he has the right of access to, and also the
kind of such a permit, powers of an official who is authorized to accomplish these
or those manipulations with the computer equipment facilities

2) it is necessary to determine the administrative responsibility for keeping and

authorization of access to information resources. And with all this some particular
official should be responsible for every kind of resources

3) to settle the periodic system control of the quality of information security in the
way of accomplishing scheduled tasks by a person responsible for safety as well as
in the way of involving of the competent specialists (experts) from other
enterprises

4) to make the classification of the information according to its importance, to

differentiate the means of security on its basis, to define the order of information
security and its obliterating
5) to provide the physical security of the computer equipment facilities (physical
Cryptographi cmethods of security.

To protect the information while being transmitted they usually use different
methods of data encoding before their input to the transmission link or to the

24
TYBBI Cybercrime in Banking Sector MD College

physical carrier with the following decoding. The methods of ciphering enable to
protect the computer information from the criminal trespasses rather safely.

Applying the cryptographic security that is the encoding of the text with the help of
complex mathematical algorithms, has become more and more popular. Certainly,
any of encryption algorithms does not give an uttermost warranty of security from
the malefactors but some methods of encoding are so complex that it is practically
impossible to acquaint with the contents of the encoded messages [6].

The basic cryptographic methods of security:

- encoding by means of pseudo-random numbers sensor, which is generating of

the cipher gamma with the help of the pseudo-random numbers sensor applying to
the open data taking into account the reversibility of the process

- encoding with the help of cryptographic standards of data enciphering (with the
symmetrical schema of ciphering) based on using checked and tested algorithms of
data encoding with large crypto capability

- encoding with the help of a pair of keys (with an asymmetric ciphering system)
where one key is open and it is used for encoding of the information, the second
one is enclosed and it is used for decoding the information.

The cryptographic methods of the information security are widely used in

automated banking systems and carried out in the way of hardware, program or
soft-hardware methods of security. Using the method of ciphering of the messages

25
TYBBI Cybercrime in Banking Sector MD College

along with proper arrangement of communication facilities, proper procedures of

the users identification it is possible to achieve a high level of information
interchanging security.

Cryptography is one of the best means supplying the confidentiality and control
of the information integrity. It occupies the central place among program and
engineering safety regulators. It is the basis fulfilling many of them and at the
same time it remains the last safety border.

To sum it up it is necessary to point out that some specialists in bank safety

connect reliability of bank information systems to facilities of their exterior
security, that is to the system of passwords for the input not only in the very
computer web, and on different levels of the system information depending on
access of the users. A circle of officials who have an access to the wide range of
such information when accomplishing the banking activity is very large. Therefore
the security system which is based on encoding inputs to different items of the
information is ineffective. It is necessary to find out principally new approaches
for working out and implementation concerning reliable security systems of
banking from computer crimes. Such kind of a system should be arranged in
accordance with the technology of bank document circulation and peculiarities of
the kinds of pay and credit operations.

26
TYBBI Cybercrime in Banking Sector MD College

Cybersecurity measures for banks as outlined by RBIs circular

In light of the rising frequency and impact of cyber-attacks, the RBI circular to
banks urges them to take adequate measures that are robust and resilient
which
address and tackle risks posed by cyber criminals, and in the meantime also put
in place an adaptive Incident Response Management and Recovery framework
to deal with adverse disruptions if and when they occur.

The foundation for fighting cybercrime would stem from a Bank Board
approved cyber security policy that outlines the approach for combating
cybercrime. This policy is not to be confused with the IT policy or IS security
policy and its strategy should encompass some of the following:

Identify and assess risks, technologies adopted, regulatory compliance, delivery

channels (online/ mobile, etc.), organizational culture, internal and external
threats, and processes and policies in place to manage and combat risk
Continuous surveillance by testing for vulnerabilities through a SOC (Security
Operations Centre) that is constantly updating on the nature of emerging cyber
threats
IT architecture to be conducive to security measures to be implemented by the
bank post assessment of readiness and ensure that network connections to
database are allowed through a well-defined process and by authorized
personnel only
Ensuring the confidentiality, integrity and security of customer data is
preserved, without any compromise of the same
Formulating a Cyber Crisis Management Plan (CCMP) whose primary focus
should be: detect, response, recovery and containment to address various types

27
TYBBI Cybercrime in Banking Sector MD College

of cyber threats including and not limited to: distributed denial of services
(DDoS), ransom-ware / crypto ware, destructive

malware, business email frauds including spam, email phishing, spear phishing,
whaling, vishing frauds, drive-by downloads, browser gateway fraud, ghost
administrator exploits, identity frauds, memory update frauds, password related
frauds, zero day attacks, remote access threats and more.

28
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 6
RBIs latest guidelines help Indian banks combat cybercrime

Rising cybercrime in India is no secret. According to a report by Symantec,

India now ranks 3rd in the world, after the US and China, as a source of
malicious activity. In fact, the National Crime Records Bureau data reveals that
in the three years up to 2013, registered cases of cybercrime were up 350
percent, from 966 to 4356. Dubious distinctions both, and give banks and the
financial sector in India cause for worry.

Keeping in mind the dramatic swell in online economic crimes, Indias central
bank RBI (Reserve Bank of India) recently issued comprehensive circular to
all banks in India urging them to implement a cybersecurity framework. It
prescribes the ideal approach for banks on taking concrete measures to combat
cybercrime, fraudulent activities online and thereby retain customer confidence,
reduce financial losses and ensure business continuity.

29
TYBBI Cybercrime in Banking Sector MD College

Baseline Cybersecurity requirements an indicative list

Banks need to fortify the measures adopted to achieve baseline security and
resilience. For instance:

monitor logs and incidents in real time or near real time

configure hardware and software appropriately
automate network discovery and management
use the right tools and mechanisms to detect unusual activities in servers, end
points and network devices
protect customer access credentials such as logon user-id, authentication
information and tokens, access profiles, etc. against leakage/attacks
implement controls to minimize invalid logon counts, deactivate dormant
accounts
monitor any abnormal change in pattern of logon
The RBI circular mandates a detailed list of cyber defense apparatus. It is
evident that a large majority of these measures and requirements can be fulfilled
by robust software tools and products that are built for specific purposes. But
banks must also remember that from a day-to-day operations perspective, it is
imperative to have a system that monitors, tracks, alerts and preempts any
anomalies that occur in banking transactions, in real time.

Detect and prevent as it happens and not wait for end-of-the-day reporting of
incidents that are suspicious. In fact RBIs circular lists out the implementation
of risk-based transaction monitoring or surveillance process as part of fraud risk
management system across all delivery channels.

30
TYBBI Cybercrime in Banking Sector MD College

In addition to optimizing available technology to strengthen controls for

effective risk and fraud management, banks need to conduct employee and
management awareness workshops, encourage them to report any suspicious
behavior to the incident management team, and conduct targeted training for
key staff in operations/ management roles and evaluate awareness periodically.

In parallel, banks need to conduct awareness programmes for their customers

and encourage them to report phishing mails/ phishing sites, highlight the risks
of sharing their online account credentials, passwords, and other measures they
can take to protect themselves from fraudsters and people with malafide intent.

The RBI circular also touches upon the topic of governance aspects which
include dashboards, intelligence, proactive monitoring and management
capabilities with sophisticated tools for detection, quick response and backed by
data and tools for sound analytics. In addition, banks must keep in mind several
other issues while equipping themselves to fight cyber-attacks: technology
issues, people related issues and process related issues.

31
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 7
CASE STUDY

INDIA'S FIRST ATM CARD FRAUD

The Chennai City Police have busted an international gang involved in
cybercrime, with the arrest of Deepak Prem Manwani (22), who was
caught red-handed while breaking into an ATM in the city in June last, it
is reliably learnt. The dimensions of the city cops' achievement can be
gauged from the fact that they have netted a man who is on the wanted
list of the formidable FBI of the United States. At the time of his
detention, he had with him Rs 7.5 lakh knocked off from two ATMs in T
Nagar and Abiramipuram in the city. Prior to that, he had walked away
with Rs 50,000 from an ATM in Mumbai. While investigating Manwani's
case, the police stumbled upon a cybercrime involving scores of persons
across the globe.Manwani is an MBA drop-out from a Pune college and
served as a marketing executive in a Chennai-based firm for some time.
Interestingly, his audacious crime career started in an Internet cafe. While
browsing the Net one day, he got attracted to a site which offered him
assistance in breaking into the ATMs. His contacts, sitting somewhere in
Europe, were ready to give him credit card numbers of a few American
banks for $5 per card. The site also offered the magnetic codes of those
cards, but charged $200 per code. The operators of the site had devised a
fascinating idea to get the personal identification number (PIN) of the
card users. They floated a new site which resembled that of a reputed
telecom companies. That company has millions of subscribers. The fake
site offered the visitors to return$11.75 per head which, the site
promoters said, had been collected in excess by mistake from them.
32
TYBBI Cybercrime in Banking Sector MD College

Believing that it was a genuine offer from the telecom company in

question, several lakhs subscribers logged on to the site to get back that
little money, but in the process parted with their Pins. Armed with all
requisite data to hack the bank ATMs, the gang started its systematic
looting.
Apparently, Manwani and many others of his ilk entered a deal with the
gang behind the site and could purchase any amount of data, of course on
certain terms, or simply enter into a deal on a booty-sharing basis.
Meanwhile, Manwani also managed to generate 30 plastic cards that
contained necessary data to enable him to break into ATMS. He was so
enterprising that he was able to sell away a few such cards to his
contacts in Mumbai. The police are on the lookout for those persons too.
On receipt of large-scale complaints from the billed credit card users and
banks in the United States, the FBI started an investigation into the affair
and also alerted the CBI in New Delhi that the international gang had
developed some links in India too.Manwani has since been enlarged on
bail after interrogation by the CBI. But the city police believe that this is
the beginning of the end of a major cybercrime.

33
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 8
CONCLUSION

Indian customers are gradually preferring online services because of

convenience, cost-saving and swiftness of online transactions. In addition,
financial institutions are tossing exciting offers to customers with the
vision of upturning the volume of cashless transactions due to
comparatively lower operational costs. However, it can be concluded the
cyber security measures placed by financial institutions to curtail the curse
of cybercrime are being out- paced by dynamic technological landscape
and improved expertise of the intruders. Amidst the continuous upliftment
of the technology implemented at the backend of the financial institution,
some essential aspects were overlooked that now demand huge attention.
Cybercrime comprises its own set of unique attractive features that have
gradually started outweighing the traditional crimes. The extent of
anonymity, global victim reaches and swift results are amongst the few
that cybercriminals find most attractive. Non-existent/Inadequate
awareness campaigns further simplifies the work of the cyber criminals.
Unaware consumers are easily deceived due to lack of insight into the
latest attack methodologies and identified preventive measures.
Additionally, traditional law enforcement policies, standards and methods
have been proved insufficient to cater to the evolving cybercrimes and the
IT Act of India has been marked down time and again. On 13 April 2015,
it was announced that the Ministry of Home Affairs would form a
committee of officials from the Intelligence Bureau, Central Bureau of
Investigation, National Investigation Agency, Delhi Police and ministry
itself to produce a new legal framework. With the increasingly notable
impact of the peril of cybercrime, it has been continuously realized that
local law enforcement agencies do not have the required skills and
resources to investigate incidents related to Cybercrime.

34
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 9
RECOMMENDATION & SUGGESTIONS

SAFEGUARDING THE INTERNET BANKING SECTOR

Financial organizations in todays date require well laid cyber security

teams with distinguished digital leaders. According to PWCs years
global economic crime survey, 2016, too many organizations are leaving
first response to their IT teams without adequate intervention or support
from senior management and other key players. Specialized security
teams with an upbeat mix of competent professionals should be
employed to take a proactive stance when it comes to cybersecurity and
privacy Organizations in the BFSI sector need to undergo rigorous and
continuous cybercrime risk assessments to precisely assess, identify and
improve their present security posture by viewing the organizations
policies from an a t t a c k e r s perspective and thus facilitate enhanced
security, operations, organizational management. Additionally, as long-
term planning, cyber awareness need to introduce at a fundamental level
in educational institutions with specialized security courses at graduate
level to provide hands-on training on the latest attack methodologies and
mitigation techniques using concepts like virtual cyber labs. A
comprehensive threat intelligence technology is essential to foster
organized and analyzed threat information about potential or current
attacks from the organizations perspective. Alongside, threat
intelligence helps organizations in understanding the common threat
actors including latest vulnerabilities, exploits and advanced persistent
threats (APTs) campaigns. On a national level, there is an urgent
necessity of building capability of inspecting critical infrastructure in
35
TYBBI Cybercrime in Banking Sector MD College

critical industry sectors before these are deployed in production to avoid

any malicious intruders by leveraging the trusted hardware/software.
Finally, cooperation amongst Indian government sector and industrial
groups is bound to strengthen the legal framework for cybersecurity with
each blending in a different array of cyber risks and preventive
mechanism.

36
TYBBI Cybercrime in Banking Sector MD College

CHAPTER 10
BIBLIOGRAPHY

https://www.rbi.org.in
https://www.icicibank.com/
https://www.sbi.co.in/
cybercellmumbai.gov.in/

37