October 7, 2008
Phishing the Boundaries ; India is Now Among the Top 10 in Internet Bank Account Hacking, With Conmen Deploying Ingenious Ways to Siphon Off Your Money.
By Swagata Sen
The Internet has suddenly emerged as an easily accessible place to steal money and identities, as most users still operate through unsafe systems and are blissfully unaware of the dangers that lurk in cyber networks.
More serious are official-looking mails ostensibly from the bank where an Internet user has his or her account, saying the bank wants to crosscheck their personal data, account numbers and passwords.
It looks official and appears to be exactly like your bank's website, but the moment you write in your personal data, the damage is done. A proxy server in any remote corner of the world, be it Nigeria or Taiwan, uses that information to then siphon off money from your account to theirs. It's that simple.
India has woken up to a plethora of phishing attacks in recent months. Last year, we were ranked 14th in phishing attacks worldwide, and this year we are in the top 10. The Bangalore police, for example, had registered over 40 cases of phishing last year.
This year, there have already been over 30 such cases registered. In November last year, Bangalore's Corps of Detectives arrested a man named Joseph Marci, who, between August 2006 and August 2007, had systematically bled 17 bank accounts in top commercial banks- including ICICI, HDFC, Axis and Citibank-siphoning small amounts regularly to have amassed Rs 3.54 lakh.
It was an eye opener, as he used a simple tool that most Internet users could fall prey to. Marci's modus operandi was to download free software called "key logger" onto public computers in Bangalore's ubiquitous cyber cafes.
Normally in the first week of the month, people check their bank accounts and type all their details. The software recorded the sequence of letters and numbers, giving Marci all the information he needed- bank account number, password, branch and so on.
A survey by Websense in 2007, which spoke to 450 CIOs (chief information officers) in India's biggest companies, revealed that 57 per cent of those companies had received phishing attacks, while 38 per cent had been attacked by a spyware, despite installing rigorous firewalls and anti-virus systems.
And while most organisations were uncertain about the financial losses they incurred due to these attacks, about 55 per cent believed to have received viruses and worms into their network due to their employees surfing the net.
The CIOs felt that some of the ways in which employees exposed their corporate networks to security threats included: free software downloads, use of Instant Messaging tools, proxy avoidance sites, visiting malicious websites and pop-up ads.
Experts also say that the Internet Explorer, a browser that most of India uses, has no built-in anti-phishing mechanism. "Mozilla or Google's new browser, Chrome, have built-in anti-phishing tools, so it's always better if you switch to them," says Ankit Fadia, India's most famous ethical hacker.
Most banks and commercial enterprises operate with just a password, which seems to be the only hurdle for phishers. Fadia explains that with plastic and e-money having become popular in India only in the last couple of years, this "could be the peak time for phishing and identity theft".
This identity theft comes in many forms. Recently, there have been many incidents of freak e-mails sent from people's personal IDs claiming that the particular person was stuck in a foreign country without money and passport and urging his or her friends to send money to a particular bank account.
From a doctor in Kerala, to a professor in Pune, to a company executive in Kolkata, they not only faced embarrassing situations, with friends in their address books actually sending the money, but also frantic calls from well-wishers who then berated them.
"I felt like a fool," says Samar Datta, one such victim. Fadia says these days there are enough ways to send mails without even knowing the password of the user. Simply put, our money is just not safe anymore.
Every time we open a bank website, it could be false. For example, icici.com could be icicic.com and we wouldn't even notice. To counter this, banks like Citibank or HSBC have now devised a small keychain-like device which changes the customer's i-pin number every 30 seconds and above.
That means, every time you log in, the current number in that device is your password which has definitely proven to be more effective than the standard i-pin.
But these matters are totally compounded by a very obsolete legal system. India's Information Technology (IT) Act, formulated in 2000, has not been updated since then and is ill-equipped to deal with the new forms of hacking and computer thefts that are emerging every day.
"The IT Act has no provisions for data theft, so we have to look for other sections in the Indian Penal Code (IPC) to file such a case, like theft or under the corporate Act, or even copyright violation," says S.R. Raviprakash, an advocate with the Karnataka High Court and a sub-committee member of the Union IT Ministry.
India's IT Act has three main offences listed-tampering source documents in computer hard disks, hacking, and publishing obscene information-all of which could earn imprisonment up to three years and/or a fine of up to Rs 2 lakh.
"So, if one is phished, he/she has no legal rights, because the person gave up that information voluntarily," adds Raviprakash. He also says that it becomes even more difficult to nail these culprits as they cannot be booked under the IT Act but under other sections of the IPC, and therefore the case is taken away from the cyber crime cell which might have been able to crack it.
Raviprakash is hopeful that the revamped IT Act, on which the ministry is now working on, will take into account all the new forms of web offences. But right now, if you've been phished, hit the panic button. Get in touch with your bank if you wish, but believe that the money is lost forever. The only alternative is to be really, really careful when it comes to transacting on the Internet.
Caught in the web?Do not leave your personal documentation at places where it can be viewed by others.Do not log in to your online bank account from an insecure computer network.When accessing a bank's website, check that the URL is correct.Do not key in your account login details on a website which you are not sure about.When available, use alternative methods to enter your account login details, like using an on-screen keyboard.Scan your computer periodically to ensure that no spyware or key logger is installed and make sure that you have automatic updates turned on.Don't respond to e-mails asking you to enter your bank account details or any other personal information.
(c) 2008 India Today. Provided by ProQuest LLC. All rights Reserved.