Online banking saves time and effort. But how secure could it be when one email message may be enough for a hacker to get through to your account?
N. Vijayshankar, cyber law consultant and founder of the cyber security website naavi.org, says the simplest clicking form of access into online bank accounts is through phishing, which uses emails posing as “official” correspondence from the bank. The mail takes the user to a website, which mimics the original website where the gullible user keys in his account details.
A more complicated technique involves the use of keyloggers. “Keyloggers are installed when the user clicks on a spam mail. These record keystrokes, including passwords, of the user which is then sent over the Internet to the fraudster,” Mr. Vijayshankar says.
The Trojan way
Unauthorised transaction can also be done using a Trojan or a virus installed in a computer. Called ‘coat tailing', Trojans follow the users log into their account. “With access to the online account, the Trojan furtively transmits its transactions along with transactions of the account holder,” Mr. Vijayshankar says.
The technology aspect of an e-banking fraud is, perhaps, the easier part of it. This is because to complete the transaction into the cyber criminal's account, a fake account needs to be set up.
More often than not, the account is set up within the same bank, albeit in another branch, which makes transactions simpler (read, lesser security layers to go through). Otherwise, says Mr. Vijayshankar, a ‘mule' can also be employed. A ‘mule' is a people tricked into setting up a bank account by an ‘agent' who will have complete access to it. When the fraud is detected, the trail of money can be traced to the ‘mule', he says.
“That a false account could be created in a bank points to a failure in the ‘Know Your Customer' (KYC) system at the bank,” he adds.
The modus operandi
Calling the procedure of tracking down cyber criminals “a never-ending game”, where the modus operandi is constantly updated to evade systems used to track them, M. Palanisamy, RBI Banking Ombudsman, also lays the blame on banks and the unfiltered “distribution” of Internet banking options to customers.
“Banks should allow Internet banking on a need-by-need basis, and the option should be activated only after educating the account holder on all steps involved,” he says.
Statistics for malicious activity during online banking are ambiguous at best. Mr. Palanisamy puts complaints received at more than 10 a month, more than double of what it was a year ago. The National Crime Records Bureau statistics shows that Karnataka had 91 cases of hacking, which broadly includes online banking frauds, registered in 2010 under the Information Technology Act 2000.
According to the Symantec Internet Security Threat Report 2010, online scams accounted for 20 per cent in India (compared to 11 per cent globally), while phishing accounted for 19 per cent in India (10 per cent globally).
Banks would inevitably be taken to court for lack of security measures in online banking and the most notable of these cases was the Umashankar Sivasubramanian vs. ICICI Bank.
Adhering to KYC norms
On April 2010, IT Secretary of Tamil Nadu, who was the adjudicator of the case, directed the bank to pay compensation to Mr. Sivasubramanian, who lost Rs. 6.46 lakh from his Tuticorin account to the account of a fictitious company after he clicked on a phishing email. In his verdict, the adjudicator stated that the bank was liable as it failed to use digital signatures and the “bank's lack of KYC responsibility”.
The case resulted in the tightening of Internet banking. However, even the one-time password pin system — where the account user is sent a password on the phone to authenticate the transaction — is not foolproof, says Mr. Vijayshankar.
The 2011 report by the Working Group on Electronic Banking set up by the Reserve Bank of India recommends the use of Risk Management Systems (RMS) and digital signatures to tackle banking frauds.
How it works
RMS essentially either flag IP addresses that the account holder does not normally use for transaction (that is, flags computers used by hackers) or flags any transaction that does not fit the average transaction pattern of the account holder (that is, large transactions or transactions late in the night).
A digital signature, as is required by the IT Act 2000, is an external drive. Only on insertion of a token into the external drive, would the transaction occur. As the token is in personal possession of the user, this eliminates the threat of phishing or of simple keyloggers, which do not read data from external drives.
