
E-BANKING INTRODUCTION AND CRIMES

A PROJECT REPORT

SUBMITTED BY

MRS. MEGHA JADHAV

IN FULFILLMENT FOR THE AWARD OF THE DEGREE OF POST-GRADUATE DIPLOMA IN DIGITAL AND CYBER FORENSICS AND RELATED LAW.

ACKNOWLEDGMENT

First and foremost, I would like to express my sincere gratitude for the guidance provided by the project supervisors Mrs. Shilpa Mirge and Miss Seema Kotalwar throughout the work of the project. The author also wishes to thank Mr. Sanjay, Co-ordinator, Institute of Forensic Science, Mumbai and the other faculty members for their valuable suggestions and directions. The author also thanks his batch mates for providing constant encouragement, support and valuable suggestions during the development of the project. I would also like to thank Mrs. Pranjali, who was ready with a positive comment all the time, whether it was an off-hand comment to encourage me or a constructive piece of criticism. Last but not the least, I would thank all the staff members and the institute, in general, for extending a helping hand at all times.

INSTITUTE OF FORENSIC SCIENCE, 15, MADAM CAMA ROAD, MUMBAI

This is to certify that the project work entitled E-banking: Introduction and Crimes has been carried out by the student Mrs. Megha Hitesh Jadhav of the Institute of Forensic Science, Mumbai, enrolled in the Post Graduate Diploma in Digital and Cyber Forensic Science and Related Law, during the academic year 2010-2011.

Project Guide

Mrs Shilpa Mirge Lecturer Institute of Forensic Science Mumbai

Mr. Jagtap Co-ordinator Institute of Forensic Science Mumbai

CONTENTS

Introduction
1.1 Introduction
1.2 Literature review
1.3 Objectives

CHAPTER 1: E-BANKING
2.1 Definition of e-banking
2.2 Forms of e-banking
2.3 Benefits and concerns with e-banking

CHAPTER 3: E-BANKING GLOBAL PERSPECTIVE
3.1 E-banking strategy
3.2 E-banking scenario
3.3 E-banking trends

CHAPTER 4: ISSUES IN E-BANKING
4.1 Issues in e-banking
4.2 Issues in e-banking systems

CHAPTER 5: ONLINE E-BANKING CRIMES
5.1 Identity theft
5.2 Phishing
5.3 Vishing and smishing
5.4 Trojan horse
5.3 Man-in-the-middle and man-in-the-browser attack
5.3 Pharming

CHAPTER 6: OTHER E-BANKING CRIMES
6.1 ATM crimes
6.2 Spyware
6.3 Salami slicing

Conclusion and suggestions

1.1 Introduction

In order for customers to use their bank's online services they need a personal computer and an Internet connection. Their personal computer becomes their virtual banker, assisting them with their banking errands. Examples of e-banking services that customers can get online are:

- Obtaining information about accounts and loans
- Conducting transfers between different accounts, even between external banks
- Paying bills
- Buying and selling stocks and bonds by depot
- Buying and selling fund shares

These services offered by e-banking are changing and being improved because of the intense competition between banks online. The banking industry must adapt to the electronic age, which in its turn is changing all the time.

EFT transactions require authorization and a method to authenticate the card and the card holder. Whereas a merchant may manually verify the card holder's signature, EFT transactions require the card holder's PIN to be sent online in an encrypted form for validation by the card issuer. Other information may be included in the transaction, some of which is not visible to the card holder (for instance magnetic stripe data), and some of which may be requested from the card holder (for instance the card holder's address or the CVV2 security value printed on the card). EFT transactions are activated during e-banking procedures.

Various methods of e-banking include:

- Telephone banking
- Online banking
- Short Message Service (SMS) banking
- Mobile banking
- Interactive-TV banking

Independent of location or time, you can execute your payments and stock market orders and get detailed information on your accounts and custody accounts.

1.2 Objectives

1.2.1 Purpose of the study

The main purpose of this study is to get an overview of the internet banking sector in the Indian economy and to study how it has helped change the banking habits of various individuals.

1.2.2 Research objectives of the study

The objectives of a project tell us why the project has been taken under study. They help us to know more about the topic being undertaken and to explore the future prospects of the topic. Basically, they tell what has been studied while making the project. The various research objectives of the study are:

- To gain insights about the functioning of internet banking.
- To explore the future prospects of internet banking.
- To study the benefits that are provided to the individual under internet banking.
- To study the internet banking facilities offered by the banks to their customers.
- To study how much internet banking has penetrated the minds of the customers.

1.2.3 MODE OF DATA COLLECTION

- Primary data: the sources of primary data were books.
- Secondary data: the sources of secondary data were the internet and newspaper articles.

1.2.4 NEED FOR THIS STUDY

Since the 80s, there has been turbulence in the banking and finance industry worldwide as the pace of change continues to accelerate. Changes are being driven, above all, by competition, technology and customer demand. The Internet, both an opportunity and a threat for banks, will intensify these effects. The globalization process and the opening up of the Indian economy have given reason for the banking sector to rethink its existing strategies. The penetration of computers and growth in Internet usage is making customers crave more: more services, more convenience! People want to put their PC to as many uses as possible. E-banking is one such use, and a very important one at that. These reasons and more have given rise to the need for such a project. Although many researches and projects have been conducted on this topic before, this project is not redundant because e-banking is a very dynamic subject in today's scenario and hence it needs to be constantly updated and studied. Due to the vastness of this subject, it is impossible to include every single detail; hence, wherever necessary, annexures have been attached.

IS E-BANKING FOR YOU?

For months, you received mailers and statement inserts promoting your bank's Internet banking capabilities. You kept thinking to yourself, "What does this do for me?" and "Does it really work?" You're not alone. Millions of consumers across the country have wrestled with the same questions. The following set of questions will help a customer decide if e-banking is really beneficial to him.

Do you value your time? Traditional banks bind you to their opening and closing times to do transactions. If you are often stretched for time to do your banking, then you are an ideal candidate to try banking online. You can do it at your convenience, and at any time of the day.

Would you like to reduce your banking fees? What a question to ask! But most people don't realize that on average a checking account costs hundreds of rupees per year in transaction costs, lower yields and ongoing fees. Many online banks now offer free unlimited checking accounts.

Are you equipped to transact online? Do you have access to a computer, the devices to go online, and an Internet Service Provider (ISP) service? Since you intend to bank online, access to such a computer is key to your ability to bank.

Are you comfortable with transacting online? If you are already browsing online, you must be familiar with the secure Internet protocols that are used to transfer information over the Internet in an encrypted fashion. Do you feel secure transferring or paying money online?

How frequently do you go to your bank branch? If you rarely need certified cheques, drafts, foreign exchange or the many other services that require the use of bank tellers, then you may be better served banking online. If your nearest bank branch is miles away, then elect to try out banking online.

Do you get paid via direct deposit? If you do, then you may be able to get a very good deal from your online bank, many of whom will waive charges if you get your pay deposited directly into your bank account with them.

Do you mail a lot of cheques towards your bill payments? Making cheque payments towards your bills costs not only postage, but also valuable time. In addition, traditional banks will charge you for every transaction. Using online banking you can pay your bills online, often with the ability to make scheduled payments when you want them -- very much like issuing a post-dated cheque. No more delayed payments lost in the mail.

Do you use personal finance software? If you use Microsoft Money 2000 or Quicken 2000 you will love banking online, since these packages support online banking. You can download bank statements directly from your bank's website. That makes the task of maintaining records and financial planning a lot easier.

Are you comfortable banking at an ATM (Automated Teller Machine)? You may be one of those people who rarely need to go to your bank branch because you are already 'ATM friendly'. Many online banks offer you the ability to do your banking from ATMs where you can deposit checks and withdraw money, and they offer rebates on a limited number of transactions at ATMs.

Do you trade stocks online? Many online brokers are now beginning to offer products similar to online banks. So if you already trade stocks online, consider moving your banking online too, since many brokers may offer very attractive deals for your banking business -- the objective is to keep your money within their group.

PAYING SAFE

When you bank online, make sure your transactions are secure, your personal information is protected, and your fraud sensors are sharpened. Although you can't control fraud or deception on the Internet, you can take steps to recognize it, avoid it, and report it. Here's how:

- Use a secure browser - software that encrypts or scrambles the purchase information you send over the Internet - to guard the security of your online transactions. Most computers come with a secure browser already installed. You also can download some browsers for free over the Internet.
- Keep records of your online transactions. Read your e-mail; merchants may send you important information about your purchases.
- Be prompt about reviewing your monthly bank and credit card statements for any billing errors or unauthorized purchases. Notify your credit card issuer or bank immediately if your credit card or checkbook is lost or stolen.
- Read the policies of Web sites you visit - especially the disclosures about a Web site's security, its refund and return policies, and its privacy policy on collecting and using your personal information. Some Web sites' disclosures are easier to find than others - look at the bottom of the home page, on order forms, or in the "About" or "FAQs" section of a site. If you can't find a privacy policy, consider shopping elsewhere.
- Keep your personal information private. Don't disclose your personal information - your address, telephone number, Social Security number, or e-mail address - unless you know who's collecting the information, why they're collecting it, and how they'll use it.
- Give payment information only to businesses you know and trust, and only in appropriate places like order forms.
- Never give your password to anyone online, even your Internet service provider.
- Evaluate the site - Make sure the online banking site you are considering has depth (many pages) and is well designed. Unless you know a bank is legitimate, don't accept a poorly designed site with broken images. If you are unsure as to whether an online bank is legitimate, look for a different bank.
- Go to the bank, don't let the bank come to you - Don't accept unsolicited e-mail recommendations for online banks. You should search for the bank; don't let a bank search for you. In this way you won't be the victim of a web site masquerading as a bank. In the past few years hackers have obtained e-mail addresses of customers of some financial service companies and sent them e-mail inviting them to fraudulent sites in order to try to get personal information from them. PayPal experienced this problem when con-artists sent an e-mail asking consumers to go to the web site to review a large payment in their account. They gave the URL of PayPa1.com instead of the correct URL PayPal.com (they substituted a 1 for the L). Know your bank's online address and go directly to it.
- Don't choose an obvious password or username - Don't use variations of any obvious people, numbers, or things related to your life. Do use a combination of random numbers and letters. Many banks will provide a random password and/or user name for you; use these. If possible, change the password to one only you know, and change it online over a secure connection to the bank's official web site.
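The PayPa1.com substitution described above is a lookalike-domain lure. As an added example, not from this report, the following Python check folds such confusable characters and compares a link's host against a constructed allow-list of bank domains (KNOWN_HOSTS, an assumed list), flagging near-matches so a user or mail filter can warn before the site is visited.

```python
"""Added example (not from the report): flag lookalike bank domains such as
"PayPa1.com" (digit 1 in place of letter l) before a user follows a link.

KNOWN_HOSTS is a constructed allow-list; a bank or mail gateway would load its
own published domains here.  The confusable table and the edit-distance
threshold are heuristics, not a complete homograph check."""
from urllib.parse import urlsplit

# Constructed allow-list of legitimate hosts (illustrative values only).
KNOWN_HOSTS = {"paypal.com", "examplebank.com", "mybank.co.in"}

# Characters that are often swapped for visually similar letters in lookalike names.
CONFUSABLES = str.maketrans({
    "1": "l", "0": "o", "3": "e", "5": "s", "8": "b", "|": "l", "!": "i", "$": "s",
})


def normalize_host(host: str) -> str:
    """Lower-case, drop a leading 'www.', then fold confusable characters.

    Both the suspect host and the allow-list pass through this, so the
    'rn' -> 'm' and 'vv' -> 'w' folds only affect the comparison."""
    host = host.lower().strip().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos such as 'paypall.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str, known_hosts=KNOWN_HOSTS) -> dict:
    """Classify a link as 'known', 'lookalike' (imitating `target`) or 'unknown'.

    A host is known only if it is, or is a sub-domain of, an allow-listed host.
    It is a lookalike if, after normalisation, it equals or is a sub-domain of a
    known host, starts with a known host used as a sub-domain label, or is within
    edit distance 1 of a known host."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host.startswith("www."):
        host = host[4:]

    for known in known_hosts:
        if host == known or host.endswith("." + known):
            return {"host": host, "verdict": "known", "target": known}

    norm = normalize_host(host)
    for known in known_hosts:
        nk = normalize_host(known)
        if (norm == nk or norm.endswith("." + nk) or norm.startswith(nk + ".")
                or edit_distance(norm, nk) <= 1):
            return {"host": host, "verdict": "lookalike", "target": known}

    return {"host": host, "verdict": "unknown", "target": None}


if __name__ == "__main__":
    # Constructed sample links modelled on the PayPa1.com lure described above.
    samples = [
        "http://PayPa1.com/review-payment",      # digit 1 for letter l -> lookalike
        "https://www.paypal.com/",               # the real host -> known
        "paypall.com",                           # one-letter typo -> lookalike
        "https://paypal.com.evil-example.net/",  # known name as a sub-domain -> lookalike
        "https://news.example.org/",             # unrelated -> unknown
    ]
    for link in samples:
        print(classify_url(link))
```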

CHAPTER 2: E-BANKING

DEFINITION OF E-BANKING

Electronic banking, also known as electronic funds transfer (EFT), is simply the use of electronic means to transfer funds directly from one account to another, rather than by cheque or cash. You can use electronic funds transfer to:

- Have your paycheck deposited directly into your bank or credit union checking account.
- Withdraw money from your checking account from an ATM machine with a personal identification number (PIN), at your convenience, day or night.
- Instruct your bank or credit union to automatically pay certain monthly bills from your account, such as your auto loan or your mortgage payment.
- Have the bank or credit union transfer funds each month from your checking account to your mutual fund account.
- Have your government social security benefits check or your tax refund deposited directly into your checking account.
- Buy groceries, gasoline and other purchases at the point-of-sale, using a check card rather than cash, credit or a personal check.
- Use a smart card with a prepaid amount of money embedded in it for use instead of cash at a pay phone, expressway road toll, or on college campuses at the library's photocopy machine or bookstores.
- Use your computer and personal finance software to coordinate your total personal financial management process, integrating data and activities related to your income, spending, saving, investing, recordkeeping, bill-paying and taxes, along with basic financial analysis and decision making.

VARIOUS FORMS OF E-BANKING:

INTERNET BANKING:

Internet banking lets you handle many banking transactions via your personal computer. For instance, you may use your computer to view your account balance, request transfers between accounts, and pay bills electronically. One described Internet banking system and method connects a personal computer, via a network service provider, directly to a host computer system of a bank, so that customer service requests can be processed automatically without intervention by customer service representatives. The system is capable of distinguishing between those customer service requests which are capable of automated fulfillment and those requests which require handling by a customer service representative. The system is integrated with the host computer system of the bank so that the remote banking customer can access other automated services of the bank. The method of the invention includes the steps of inputting a customer banking request from among a menu of banking requests at a remote personal computer; transmitting the banking request to a host computer over a network; receiving the request at the host computer; identifying the type of customer banking request received; automatically logging the service request; comparing the received request to a stored table of request types, each of the request types having an attribute to indicate whether the request type is capable of being fulfilled by a customer service representative or by an automated system; and, depending upon the attribute, directing the request either to a queue for handling by a customer service representative or to a queue for processing by an automated system.

AUTOMATED TELLER MACHINES (ATM):

An unattended electronic machine in a public place, connected to a data system and related equipment and activated by a bank customer to obtain cash withdrawals and other banking services. Also called automatic teller machine, cash machine or money machine.

An automated teller machine or automatic teller machine (ATM) is an electronic computerized telecommunications device that allows a financial institution's customers to directly use a secure method of communication to access their bank accounts, order or make cash withdrawals (or cash advances using a credit card) and check their account balances without the need for a human bank teller (or cashier in the UK). Many ATMs also allow people to deposit cash or cheques, transfer money between their bank accounts, top up their mobile phones' pre-paid accounts or even buy postage stamps. On most modern ATMs, the customer identifies him or herself by inserting a plastic card with a magnetic stripe or a plastic smartcard with a chip that contains his or her account number. The customer then verifies their identity by entering a passcode, often referred to as a PIN (Personal Identification Number), of four or more digits. Upon successful entry of the PIN, the customer may perform a transaction. If the number is entered incorrectly several times in a row (usually three attempts per card insertion), some ATMs will attempt to retain the card as a security precaution, to prevent an unauthorised user from discovering the PIN by guesswork. Captured cards are often destroyed if the ATM owner is not the card-issuing bank, as non-customers' identities cannot be reliably confirmed. The Indian market today has more than 17,000 ATMs.

TELE BANKING:

Undertaking a host of banking-related services, including financial transactions, from the convenience of the customer's chosen place anywhere across the globe and at any time of day or night has now been made possible by introducing on-line Telebanking services. By dialing the given Telebanking number through a landline or a mobile from anywhere, the customer can access his account and, by following the user-friendly menu, entire banking can be done through an Interactive Voice Response (IVR) system. With sufficient numbers of hunting lines made available, customer calls will hardly fail. The system is bilingual and offers the following facilities:

- Automatic balance voice-out for the default account.
- Balance inquiry and transaction inquiry in all
- Inquiry of all term deposit accounts.
- Statement of account by fax, e-mail or ordinary mail.
- Cheque book request.
- Stop payment, which is on-line and instantaneous.
- Transfer of funds with CBS, which is automatic and instantaneous.
- Utility bill payments.
- Renewal of term deposit, which is automatic and instantaneous.
- Voice-out of the last five transactions.

SMART CARD:

A smart card usually contains an embedded 8-bit microprocessor (a kind of computer chip). The microprocessor is under a contact pad on one side of the card. Think of the microprocessor as replacing the usual magnetic stripe present on a credit card or debit card. The microprocessor on the smart card is there for security. The host computer and card reader actually "talk" to the microprocessor, and the microprocessor enforces access to the data on the card. The chips in these cards are capable of many kinds of transactions. For example, a person could make purchases from their credit account, debit account or from a stored account value that is reloadable. The enhanced memory and processing capacity of the smart card is many times that of traditional magnetic-stripe cards and can accommodate several different applications on a single card. It can also hold identification information, which means no more shuffling through cards in the wallet to find the right one -- the smart card will be the only one needed.

Smart cards can also be used with a smart card reader attachment to a personal computer to authenticate a user. Smart cards are much more popular in Europe than in the U.S. In Europe the health insurance and banking industries use smart cards extensively. Every German citizen has a smart card for health insurance. Even though smart cards have been around in their modern form for at least a decade, they are just starting to take off in the U.S.

DEBIT CARD:

Debit cards are also known as check cards. Debit cards look like credit cards or ATM (automated teller machine) cards, but operate like cash or a personal check. Debit cards are different from credit cards. While a credit card is a way to "pay later," a debit card is a way to "pay now." When you use a debit card, your money is quickly deducted from your checking or savings account. Debit cards are accepted at many locations, including grocery stores, retail stores, gasoline stations, and restaurants. You can use your card anywhere merchants display your card's brand name or logo. They offer an alternative to carrying a checkbook or cash.

E-CHEQUE:

An e-Cheque is the electronic version or representation of a paper cheque. The information and legal framework on the e-Cheque is the same as that of paper cheques. It can now be used in place of paper cheques to do any and all remote transactions. An e-Cheque works the same way a cheque does: the cheque writer "writes" the e-Cheque using one of many types of electronic devices and "gives" the e-Cheque to the payee electronically. The payee "deposits" the electronic cheque and receives credit, and the payee's bank "clears" the e-Cheque to the paying bank. The paying bank validates the e-Cheque and then "charges" the cheque writer's account for the cheque.

OTHER FORMS OF ELECTRONIC BANKING

- Direct Deposit
- Electronic Bill Payment
- Electronic Check Conversion
- Cash Value Stored, etc.

BENEFITS/CONCERNS OF E-BANKING

For Banks:

Price - In the long run a bank can save money by not paying for tellers or for managing branches. Plus, it's cheaper to make transactions over the Internet.

Customer Base - The Internet allows banks to reach a whole new market - and a well-off one too, because there are no geographic boundaries with the Internet. The Internet also provides a level playing field for small banks who want to add to their customer base.

Efficiency - Banks can become more efficient than they already are by providing Internet access for their customers. The Internet provides the bank with an almost paperless system.

Customer Service and Satisfaction - Banking on the Internet not only allows the customer a full range of services but also offers some services not available at any of the branches. The person does not have to go to a branch where that service may or may not be offered. A person can print off information, forms, and applications via the Internet and search for information efficiently instead of waiting in line and asking a teller. With better and faster options a bank will surely be able to create better customer relations and satisfaction.

Image - A bank seems more state of the art to a customer if it offers Internet access. A person may not want to use Internet banking, but having the service available gives a person the feeling that their bank is on the cutting edge.

For Customers:

Bill Pay: Bill Pay is a service offered through Internet banking that allows the customer to set up bill payments to just about anyone. The customer can select the person or company he wants to pay, and Bill Pay will withdraw the money from his account and send the payee a paper check or an electronic payment.

Other Important Facilities: E-banking gives the customer control over nearly every aspect of managing his bank accounts. Besides this, customers can buy and sell securities, check stock market information, check currency rates, check balances, see which checks have cleared, transfer money, view transaction history and avoid going to an actual bank. The best benefit is that Internet banking is free. At many banks the customer doesn't have to maintain a required minimum balance. The second big benefit is better interest rates for the customer.

CONCERNS WITH E-BANKING

As with any new technology, new problems are faced.

Customer support - Banks will have to create a whole new customer relations department to help customers. Banks have to make sure that customers receive assistance quickly if they need help. Any major problems or disasters can destroy the bank's reputation quickly and easily. By showing the customer that the Internet is reliable, you are able to get the customer to trust online banking more and more.

Laws - While Internet banking does not have national or state boundaries, the law does. Companies will have to make sure that they have software in place software market, creating a monopoly.

Security - Customers always worry about their protection and security or accuracy. There are always questions whether or not something took place.

Other challenges - Lack of knowledge from the customer's end, site changes by the banks, etc.

SOME ADDITIONAL BENEFITS OF E-BANKING

Consumers are embracing the many benefits of Internet banking. The following are a few advantages that e-banking gives to customers:

- Consumers can use their computers and a telephone modem to dial in from home or any site where they have access to a computer.
- The services are available seven days a week, 24 hours a day.
- Transactions are executed and confirmed quickly, although not instantaneously. Processing time is comparable to that of an ATM transaction.
- In general, the customer will find lower fees and higher interest rates for deposits due to the reduced cost of operating online and not needing numerous physical bank branches.
- The range of transactions available is fairly broad. Customers can do everything from simply checking on an account balance to applying for a mortgage.
- The interface is very user-friendly and often intuitive. Additionally, business customers will most likely use the Internet for more than cash management, and they will be accustomed to a similar "look and feel" among all applications that they use.

DISADVANTAGES OF E-BANKING

The most obvious disadvantage is: technophobes need not apply, i.e. if you are still not comfortable using a computer, e-banking is not for you. The other disadvantages are:

- Investment of time upfront can be formidable. The data entry is necessary before the numbers can be massaged and money managed successfully. Online bill payment is an example of an effort that requires setting up, which leads to ultimate convenience.
- Switching software or banks can mean re-entry of data, although Internet-based systems are less impacted by this. But competition seems to be minimizing this problem. The personal finance management software Microsoft Money enables users of competing software to import data easily.
- Like anything that deals with the transfer of large amounts of money, security is a major factor of online banking. It is taken very seriously during online banking procedures.
- With a system as complex as online banking, some errors are inevitable, e.g. an interrupted online session, late arrival of payments, etc. A mistake made by either the user or the bank in question can affect both, causing problems. For example: an 'Infinity' (ICICI's online banking brand name) customer from Bangalore (who did not want to be named) paid his cell phone bill through the bank, only to receive another bill the following month, with late fees. The amount had been debited from his account but not passed on to the cellular operator.
- When dealing with computers, there is always the concern of the system crashing, viruses entering the system or a power cut. These are larger problems and are not as easily solved. In all three cases, many people would be affected, information may be lost and a back-up plan would have to be initiated.
- You need an account with an Internet Service Provider (ISP).

CHAPTER 3. E-BANKING GLOBAL PERSPECTIVE

The advent of the Internet has initiated an electronic revolution in the global banking sector. The dynamic and flexible nature of this communication channel, as well as its ubiquitous reach, has helped in leveraging a variety of banking activities. New banking intermediaries offering entirely new types of banking services have emerged as a result of innovative e-business models. The Internet has emerged as one of the major distribution channels of banking products and services for the banks in the US and in the European countries.

Initially, banks promoted their core capabilities, i.e. products, services and advice, through the Internet. Then, they entered the e-commerce market as providers/distributors of their own products and services. More recently, due to advances in Internet security and the advent of relevant protocols, banks have discovered that they can play their primary role as financial intermediaries and facilitators of complete commercial transactions via electronic networks, especially through the Internet. Some banks have chosen the route of establishing a direct web presence, while others have opted for either being the owner of a financial-services-centric electronic marketplace or being participants in a non-financial-services-centric electronic marketplace. The trend towards electronic delivery of banking products and services is occurring partly as a result of consumer demand and partly because of the increasingly competitive environment in the global banking industry. The Internet has changed the behaviour of customers, who are demanding more customized products/services at a lower price. Moreover, new competition from pure online banks has put the profitability of even established brick-and-mortar banks under pressure. However, very few banks have been successful in developing effective strategies for fully exploiting the opportunities offered by the Internet. For traditional banks to define what niche markets to serve and decide what products/services to offer, there is a need for a clear and concise Internet commerce strategy.

Banking transactions had already started taking place through the Internet way back in 1995. The Internet promised an ideal platform for commercial exchange, helping banks to achieve new levels of efficiency in financial transactions by strengthening customer relationships, promoting price discovery and spend aggregation, and increasing their reach. Electronic finance offered considerable opportunities for banks to expand their client base and rationalize their business, while the customers received value in the form of savings in time and money.

Global E-banking industry is covered by the following four sections:  E-banking Scenario: It discusses the actual state, prospects, and issues related to Ebanking in Asia with a focus on India, US and Europe. It also deals with the impact of E-banking on the banking industry structure.  E-banking Strategies: It reveals the key strategies that banks must implement to derive maximum value through the online channel. It also brings guidance for those banks, which are planning to build online businesses.  E-banking Transactions: It discusses how Internet has radically transformed banking transactions. The section focuses on cross border transactions, B2B transactions, electronic bill payment and presentment and mobile payments. In spite of all the hype, E-banking has been a non-starter in several countries.  E-banking Trends: It discusses the innovation of new technologies in banks. E-BANKING SCENARIO: The banking industry is expected to be a leading player in E-business. While the banks in developed countries are working primarily via Internet as non-branch banks, banks in the

developing countries use the Internet as an information delivery tool to improve relationship with customers. In early 2001, approximately 60 percent of E-business in UK was concentrated in the financial services sector, and with the expected 10-fold increase of the British E-business market by 2005, the share of the financial services will further increase. Around one fifth of Finish and Swedish bank customers are banking online, while in US, according to UNCTAD, online banking is growing at an annual rate of 60 percent and the number of online accounts has approximately reached 15 million by 2006. Banks have established an Internet presence with various objectives. Most of them are using the Internet as a new distribution channel. Financial services, with the use of Internet, may be offered in an equivalent quantity with lower costs to the more potential customers. There may be contacts from each corner of the world at any time of day or night. This means that banks may enlarge their market without opening new branches. The banks in US are using the Web to reach opportunities in three different categories i.e., to market information, to deliver banking products and services, and to improve customer relationship.

In Asia, the major factor restricting growth of E-banking is security, in spite of several countries being well connected via the Internet. Access to high-quality E-banking products is an issue as well. The majority of the banks in Asia are just offering basic services compared with those of developed countries. Still, E-banking seems to have a future in Asia. It is considered that E-banking will succeed if the basic features, especially bill payment, are handled well. Bill payment was the most popular feature, cited by 40 percent of respondents of the survey. However, providing this service would be difficult for banks in Asia because it requires a high level of security and involves arranging transactions with a variety of players.

In 2001, over 50 percent of the banks in the US were offering E-banking services. However, large banks appeared to have a clear advantage over small banks in the range of services they offered. Some banks in the US were targeting their Internet strategies towards business customers. Apart from affecting the way customers received banking services, E-banking was expected to influence the banking industry structure. The economics of E-banking was expected to favor large banks because of economies of scale and scope, and the ability to advertise heavily. Moreover, E-banking offered entry and expansion opportunities that small banks traditionally lacked.

In Europe, the Internet is accelerating the reconfiguration of the banking industry into three separate businesses: production, distribution and advice. This reconfiguration is being further driven by the Internet, due to the combined impact of:

- The emergence of new and more focused business models
- New technological capabilities that reduce banking relationship and transaction costs
- A high degree of uncertainty over the impact that new entrants will have on current business models

Though E-banking in Europe is still in the evolutionary stage, it is very clear that it is having a significant impact on traditional banking activities. Unlike in the US, though large banks in Europe have a competitive edge due to their ability to invest heavily in new technologies, they are still not ready to embrace E-banking. Hence, medium-sized banks and start-ups have an important role to play on the E-banking front if they can take concrete measures quickly and effectively.

E-BANKING STRATEGIES:

Though E-banking offers vast opportunities, fewer than one in three banks have an E-banking strategy in place. According to a study, less than 15 percent of banks with transactional websites will realize profits directly attributable to those sites. Hence, banks must recognize the seriousness of the challenge ahead and develop a strategy that will enable them to leverage the opportunities presented by the Internet.

No single E-banking strategy is right for every banking company. But whether they adopt an offensive or a defensive posture, they must constantly re-evaluate their strategy. In the fast-paced e-economy, banks have to keep up with the constantly evolving business models and technology innovations of the Internet space. Early e-business adopters like Wells Fargo not only entered the E-banking industry first but also showed flexibility to change as the market developed. Not many banks have been as e-business-savvy. But the pressure is now building for all banks to develop sound e-business strategies that will attract and retain increasingly discriminating customers.

The major problem with the banks which have already invested huge amounts in their online initiatives is that their online offerings remain unprofitable. Though banks have enrolled some existing customers in their online programs, they are not getting customers in large numbers. This has made banks wonder whether there is any value in the online channel. Just enrolling customers for online banking may not be sufficient unless they use the site actively. Banks must make efforts to increase their site usage by customers and effectively co-ordinate the online channel with branches and call centers. Only then will they be able to derive maximum value, which includes cost reduction, cross-selling opportunities, and higher customer retention. Customers have some rational reasons for staying offline. Some of these reasons include usability features of the site, concerns about security and frequent complaints that signing up is complicated and time-consuming.
Banks can solve these problems by refocusing investment on improving the site's basic functionality and user-friendliness, and avoiding advanced features that most customers neither understand nor value. Developing advanced features that appeal to a relatively small number of customers creates far less value than strengthening core capabilities and getting customers to use them. Banks must make efforts to familiarize customers with their sites and show them how easy and efficient the online channel is to use.

Integrating the online channel with the rest of the bank is another important issue that banks must focus upon. This is important because nearly all the value of the online channel is realized offline, in cross-sales completed in other channels and in cost reductions. An actively used online channel should also serve as a medium through which the branch staff, the call center, and the relationship manager sell banking services. Integrated channels working together are far more effective than a group of channels working without any coordination. To facilitate this integration, banks must map out the paths that people in various customer segments are likely to take among the channels. The interactions in each channel can then be designed around these paths. For example, a call center representative must work out which channel(s) the customer used before coming to her, and which channel(s) the customer is likely to visit next. Each channel must have entry and exit points that welcome customers and then send them on to other channels. Hence, the overall goal of banks is to create a seamless multichannel experience.

On the other hand, those banks that are planning to build their online businesses will have to understand several strategic issues: do they have the right business model for E-banking? How should they price their E-banking products and services? Bankers planning to move into E-banking have to explore different options, make investments and develop a variety of partnerships. They have to put in their time and effort to identify the best opportunities. In the case of traditional banks, if they are too aggressive in using price incentives to build their e-business, they risk the profitability of their traditional business.
However, if they do not offer sufficient price incentives for customers to bank online, their efforts to build a sound e-banking business may not

Banks have to be creative in rethinking organizational structures and management processes. Traditional banks that are conservative in nature may find it difficult to attract and retain online talent. Moreover, getting people in the traditional business to help build an e-enterprise would not be an easy task. Making all this happen requires a major revision of incentive systems, planning and budgeting processes, and management roles. Banks can exploit the opportunities provided by the Internet if they demonstrate courage, use their imagination, and take decisive action.

While most of the banks have started focusing on E-banking activities, a new challenge in the form of mobile banking has emerged. M-Banking is both an additional opportunity for banks to offer their online services and an additional channel from which to access new customers and cross-sell to existing customers. Rapidly changing lifestyles of customers and their demand for more speed and convenience have subdued the role of branch banking to a certain extent. With the proliferation of new technologies, disintermediation of traditional channels is being witnessed. Banks can go beyond their traditional role as a channel for banking/financial services and can become providers of personalized information. They can successfully leverage E-banking to:

- Provide personalized products and services to specific customers and thus increase customer loyalty.
- Exploit additional sources of revenue from subscriptions, transactions and third-party referrals.

M-Banking gives banks the opportunity to significantly expand their customer relationships, provided they position themselves effectively. To leverage these opportunities, they must form structured alliances with service affiliates, and acquire competitive advantage in collecting, processing and deploying customer information.

E-BANKING TRANSACTIONS:

The introduction of new technologies has radically transformed banking transactions. In the past, customers had to come physically into the bank branch to do banking transactions including transfers, deposits and withdrawals. Banks had to employ several tellers to physically make all those transactions. Automatic Teller Machines (ATMs) were then introduced, which allowed people to do their banking on their own, practically anytime and anywhere. This helped the banks cut down on the number of tellers and focus on managing money. The Internet then brought another venue through which customers could do banking, reducing the need for ATMs. Online banking allowed customers to do financial transactions from their PCs at home via the Internet. Now, with the emergence of Wireless Application Protocol (WAP) technology, banks can use the infrastructure and applications developed for the Internet and move them to mobile phones. People no longer have to be tied to a desktop PC to do their banking. The WAP interface is much faster and more convenient than the Internet, allowing customers to see account details and transaction details, make bill payments, and even check their credit card balance.

The cost of the average payment transaction on the Internet is minimal. Several studies found that the estimated transaction cost through a mobile phone is 16 cents, through a fully computerized bank using its own software 26 cents, through a telephone bank 54 cents, through a bank branch $1.27, through an ATM 27 cents, and on the Internet it costs just 13 cents. As a result, the use of the Internet for commercial transactions started to gain momentum in 1995. More than 2,000 banks in the world now have transactional websites, and the growth of online lending solutions is making them more cost efficient. Recent developments are now encouraging banks to target small businesses as a separate lending category online.

Banks are increasingly building payment infrastructure with various security mechanisms (SSL, SET) because there is tremendous potential for profit, as more and more payments will pass through the Internet. However, the challenge for banks is to offer a payments backbone system that will be open enough to support multiple payment instruments (credit cards, debit cards, direct debit to accounts, e-checks, digital money etc.) and scalable enough to allow for a stable service regardless of the workload.

The market for Electronic Bill Presentment and Payment (EBPP) is growing. According to a study, 18 million households in the US are expected to pay their bills online by 2003, compared to 2 million households in 2001. As more bill payers get online, several banks are making efforts to find ways to meet the growing needs of EBPP. Established banks can emerge as key online integrators of customer bills and can capitalize on this high-potential market. Growing with the popularity of EBPP is also the paying of multiple bills at a single site, known as bill aggregation. Offering online bill payment and aggregation will increase the competitiveness and attractiveness of E-banking services and will allow banks to generate service-fee income from the billers.

B2B

In the B2B segment, the customer value proposition for online bill payment is more compelling. B2B e-commerce is expected to grow from $406 bn in 2000 to $2.7 tn by 2004, and more than half of all transactions will be routed through online B2B marketplaces. There is a need for automated payment systems to reduce cost and human error, and enhance cash-flow management. To meet this need, a group of banks and non-financial institutions led by Citibank and Wells Fargo have formed a company called Financial Settlements Matrix (FSMx). It provides business buyers and sellers with access to secure payment processing, invoicing and other services that participating financial services firms offer. A B2B marketplace would provide minimum value to its customers if it just matched buyers and sellers, leaving the financial aspects of transactions to be handled through traditional non-Internet channels.
Hence, the marketplace must be capable of providing the payments processing, treasury management services, payables/receivables data flows, and credit solutions to complete the full cycle of a commercial transaction on the Internet. Web-based B2B e-commerce offers tremendous opportunities for banks, payment technology vendors and e-commerce companies to form strategic alliances. This new form of collaboration between partners with complementary core competencies may prove to be an effective business model for e-business.

E-BANKING TRENDS:

Internet banking is gaining ground. Banks increasingly operate websites through which customers are able not only to inquire about account balances and interest and exchange rates but also to conduct a range of transactions. Unfortunately, data on Internet banking are scarce, and differences in definitions make cross-country comparisons difficult. Even so, one finds that Internet banking is particularly widespread in Austria, Korea, the Scandinavian countries, Singapore, Spain, and Switzerland, where more than 75 percent of all banks offer such services (see chart). The Scandinavian countries have the largest number of Internet users, with up to one-third of bank customers in Finland and Sweden taking advantage of E-banking.

In the United States, Internet banking is still concentrated in the largest banks. In mid-2001, 44 percent of national banks maintained transactional websites, almost double the number in the third quarter of 1999. These banks account for over 90 percent of national banking system assets. The larger banks tend to offer a wider array of electronic banking services, including loan applications and brokerage services. While most U.S. consumers have accounts with banks that offer Internet services, only about 6 percent of them use these services. To date, most banks have combined the new electronic delivery channels with traditional brick and mortar branches ("brick and click" banks), but a small number have emerged that offer their products and services predominantly, or only, through electronic distribution channels. These "virtual" or Internet-only banks do not have a branch network but might have a physical presence, for example, an administrative office or non-branch facilities like kiosks or automatic teller machines. The United States has about 30 virtual banks; Asia has launched in 2000 and 2001; and the European Union has several, either as separately licensed entities or as subsidiaries or branches of brick and mortar banks.

Impact of e-banking on traditional services

One of the issues currently being addressed is the impact of e-banking on traditional banking players. After all, if there are risks inherent in going into e-banking, there are other risks in not doing so. It is too early to have a firm view on this yet. Even to practitioners the future of e-banking and its implications are unclear. It might be convenient nevertheless to outline briefly two views that are prevalent in the market.

The view that the Internet is a revolution that will sweep away the old order holds much sway. Arguments in favor are as follows:

- E-banking transactions are much cheaper than branch or even phone transactions. This could turn yesterday's competitive advantage, a large branch network, into a comparative disadvantage, allowing e-banks to undercut bricks-and-mortar banks. This is commonly known as the "beached dinosaur" theory.
- E-banks are easy to set up, so lots of new entrants will arrive. Old-world systems, cultures and structures will not encumber these new entrants. Instead, they will be adaptable and responsive.
- E-banking gives consumers much more choice. Consumers will be less inclined to remain loyal.
- E-banking will lead to an erosion of the endowment effect currently enjoyed by the major UK banks. Deposits will go elsewhere, with the consequence that these banks will have to fight to regain and retain their customer base. This will increase their cost of funds, possibly making their business less viable. Lost revenue may even result in these banks taking more risks to bridge the gap.
- Portal providers are likely to attract the most significant share of banking profits. Indeed, banks could become glorified marriage brokers. They would simply bring two parties together, e.g. buyer and seller, payer and payee. The products will be provided by monolines, experts in their field. Traditional banks may simply be left with the payment and settlement business; even this could be cast into doubt.
- Traditional banks will find it difficult to evolve. Not only will they be unable to make acquisitions for cash as opposed to being able to offer shares, they will be unable to obtain additional capital from the stock market. This is in contrast to the situation for Internet firms, for whom it seems relatively easy to attract investment.

There is of course another view which sees e-banking more as an evolution than a revolution. E-banking is just banking offered via a new delivery channel. It simply gives consumers another service (just as ATMs did). Like ATMs, e-banking will impact on the nature of branches but will not remove their value. Traditional banks are starting to fight back. The start-up costs of an e-bank are high. Establishing a trusted brand is very costly as it requires significant advertising expenditure in addition to the purchase of expensive technology (as security and privacy are key to gaining customer approval). E-banks have already found that retail banking only becomes profitable once a large critical mass is achieved. Consequently, many e-banks are limiting themselves to providing a tailored service to the better off.

Nobody really knows which of these versions will triumph. This is something that the market will determine. However, supervisors will need to pay close attention to the impact of e-banks on the traditional banks, for example by surveillance of:

i. strategy
ii. customer levels
iii. earnings and costs
iv. advertising spending
v. margins
vi. funding costs
vii. merger opportunities and threats.

CHAPTER 4. ISSUES IN E-BANKING

Issues in Electronic Banking

- Security
- Authentication
- Trust
- Privacy
- Non-repudiation

Security - one of the main issues in e-banking systems. Banks have to provide a level of logical and physical security for sensitive information of users, as these transactions are vulnerable to interception and alteration, for example by hardware or software sniffers that can obtain passwords, account numbers, credit card numbers, etc.

Authentication - In cyberspace, as in the physical world, customers, banks, and merchants should be aware of the identity of the person they are dealing with. Banks usually use asymmetric (public/private key) cryptography to authenticate parties.

Non-repudiation - the undeniable proof of participation by both parties in a transaction. Public key encryption was developed to authenticate electronic messages and prevent denial or repudiation by the parties.

Trust - Public and private key cryptographic systems can be used to secure information and authenticate parties in transactions in cyberspace. A trusted third party is a necessary part of the process: the certification authority.

Privacy - Use of personal information is increasing with the continued growth of electronic commerce and the Internet, hence adequate and comprehensive data privacy policies are of high importance.
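The four cryptographic properties above (security against alteration, authentication, non-repudiation, and trust through a certification authority) worked through in Go, as an added example that is not part of the report: a CA issues the bank a certificate, the bank signs a transfer with its private key, and the receiving side verifies the chain, the name and the signature. The CA name, bank name, account numbers and the transaction format are constructed for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Transaction is a constructed transfer message; its canonical byte form is what gets signed.
type Transaction struct {
	From, To string
	Amount   int64  // smallest currency unit
	Nonce    string // unique per transaction, so a captured message cannot simply be replayed
}

func (t Transaction) Bytes() []byte {
	return []byte(fmt.Sprintf("from=%s;to=%s;amount=%d;nonce=%s", t.From, t.To, t.Amount, t.Nonce))
}

// certFor generates an Ed25519 key pair and a certificate binding the public key to name.
// With parent == nil it is a self-signed root CA (the trusted third party); otherwise the parent CA signs it.
func certFor(name string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := parent, parentKey
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		signer, signerKey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Verify is what the receiving party runs: trust (the certificate chains to a CA we accept),
// authentication (the certified name is the party we expect) and integrity/non-repudiation
// (the signature, which only the private key holder could make, covers exactly this transaction).
func Verify(roots *x509.CertPool, cert *x509.Certificate, expectedName string, tx Transaction, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	if cert.Subject.CommonName != expectedName {
		return fmt.Errorf("certificate names %q, expected %q", cert.Subject.CommonName, expectedName)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, tx.Bytes(), sig) {
		return errors.New("signature does not match transaction (altered or forged)")
	}
	return nil
}

// Demo runs three checks with constructed keys and account numbers: a genuine transfer
// (nil error), the same transfer altered after signing, and a certificate from an unknown CA.
func Demo() (genuine, tampered, impostor, setup error) {
	caCert, caKey, e1 := certFor("Example Root CA", nil, nil)
	bankCert, bankKey, e2 := certFor("Example Bank", caCert, caKey)
	rogueCA, rogueKey, e3 := certFor("Unknown CA", nil, nil) // a CA the customer does not trust
	fakeCert, fakeKey, e4 := certFor("Example Bank", rogueCA, rogueKey)
	if setup = errors.Join(e1, e2, e3, e4); setup != nil {
		return
	}
	roots := x509.NewCertPool() // the customer's trust store holds only the real root
	roots.AddCert(caCert)

	tx := Transaction{From: "ACCT-1001", To: "ACCT-2002", Amount: 5000, Nonce: "tx-0001"}
	sig := ed25519.Sign(bankKey, tx.Bytes()) // only the bank's private key can produce this
	genuine = Verify(roots, bankCert, "Example Bank", tx, sig)

	altered := tx
	altered.Amount = 50000 // changed in transit: the signature no longer covers these bytes
	tampered = Verify(roots, bankCert, "Example Bank", altered, sig)

	// Same name and a valid signature, but the certificate chains to a CA outside the trust store.
	impostor = Verify(roots, fakeCert, "Example Bank", tx, ed25519.Sign(fakeKey, tx.Bytes()))
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints a nil first value and two non-nil errors; the same checks fail if the certificate has expired or the customer's trust store does not contain the issuing CA.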

ISSUES IN E-BANKING SYSTEMS

E-banking as we take it today is a very superficial phenomenon. A very complex network commitment of thousands of people, extensive market research, a huge technological structure, a series of integrated computers and many more things stand behind the products that have made the job of banking and the life of a bank client easy as well as mechanical. We will highlight some important issues from both the producer and the consumer perspective.

E-Banking - The Producer Side

The producers are the bankers. These are the people who lead the bank and design its policies. The following issues need particular attention when the discussion comes to e-banking.

A. Locating Customers

As a bank moves on to e-banking, comes online or starts Internet banking, its market at once expands to the other corners of the world. As the market expands, the potential customers and the competitors also increase. This places more responsibility on the shoulders of the bank management to locate more clients to justify the huge investment that the bank has made to come online. A bank is required to know the values of its global customers. It is required to broaden its view so as to develop the art of seeing the invisible.

B. User Friendliness

How effective is the online service of the bank? The effectiveness can be judged from the degree of user friendliness. Every client of the bank need not be a computer expert as well. So he might get irritated if the online service requires him to perform many tasks that demand technical knowledge of computer programming. For better results, e-banking should be made free of all kinds of unwanted technical details.

C. Computer Crime

Cyber terrorism is increasing with the passage of time. Banks are one of the greatest victims of it. Money manipulation and embezzlement through ATMs and online technology is a threat to the success of e-banking (I think all of us remember how the kid in the famous movie Terminator 2 decodes the accounts and takes money from an ATM).

D. Human Element

Well, would any one of us like to live a life at a place where there would be all the amenities of life but no other human being? Absolutely not. There is an extent to which we make our life mechanical. Beyond that we need a human element to heal the ailments of mechanical life. Similar is the case with e-banking: there is a need to identify places where a client needs representation from a good-looking, neatly dressed bank employee in an amicable way. A computer-assisted voice message or email message is likely to irritate the client in such places. So e-banking is good, but not every time.

CHAPTER 5: ONLINE E-BANKING CRIMES

IDENTITY THEFT

Identity theft, also known as ID theft, is a crime in which a criminal obtains key pieces of personal information, such as Social Security or driver's license numbers, in order to pose as someone else. The information can be used to obtain credit, merchandise, and services using the victim's name. Identity theft can also provide a thief with false credentials for immigration or other applications. One of the biggest problems with identity theft is that very often the crimes committed by the identity thief are attributed to the victim.

There are two main types of identity theft: account takeover and true name theft. Account takeover identity theft refers to the type of situation where an imposter uses the stolen personal information to gain access to the person's existing accounts. Often the identity thief will use the stolen identity to acquire even more credit products by changing your address so that you never see the credit card bills that the thief runs up. True name identity theft means that the thief uses personal information to open new accounts. The thief might open a new credit card account, establish cellular phone service, or open a new checking account in order to obtain blank checks.

The Internet has made it easier for an identity thief to use the information they've stolen because transactions can be made without any real verification of someone's identity. All a thief really needs today is a series of correct numbers to complete the crime. Some types of identity thieves hack into databases to steal personal information. However, this type of thievery is much rarer than the use of old-fashioned methods such as scouring the garbage for old receipts or looking over someone's shoulder while they are doing a financial transaction. You should also be wary of such criminals at the Department of Motor Vehicles or anywhere else where filling out a long application could provide a thief with enough information to inspire an identity theft.

Types

Sources such as the non-profit Identity Theft Resource Center sub-divide identity theft into five categories:

- Business/commercial identity theft (using another's business name to obtain credit)
- Criminal identity theft (posing as another person when apprehended for a crime)
- Financial identity theft (using another's identity to obtain credit, goods and services)
- Identity cloning (using another's information to assume his or her identity in daily life)
- Medical identity theft (using another's identity to obtain medical care or drugs)

Identity theft may be used to facilitate or fund other crimes including illegal immigration, terrorism, and espionage. There are cases of identity cloning to attack payment systems, including online credit card processing and medical insurance. Identity thieves occasionally impersonate others for non-financial reasons, for instance, to receive praise or attention for the victim's achievements.

Identity cloning and concealment

In this situation, the identity thief impersonates someone else in order to conceal their own true identity. Examples might be illegal immigrants, people hiding from creditors or other individuals, or those who simply want to become "anonymous" for personal reasons. Unlike identity theft used to obtain credit, which usually comes to light when the debts mount, concealment may continue indefinitely without being detected, particularly if the identity thief is able to obtain false credentials in order to pass various authentication tests in everyday life.

Criminal identity theft

When a criminal fraudulently identifies himself to police as another individual at the point of arrest, it is sometimes referred to as "Criminal Identity Theft." In some cases criminals have previously obtained state-issued identity documents using credentials stolen from others, or have simply presented fake ID. Provided the subterfuge works, charges may be placed under the victim's name, letting the criminal off the hook. Victims might only learn of such incidents by chance, for example by receiving court summons, discovering their drivers' licenses are suspended when stopped for minor traffic violations, or through background checks performed for employment purposes.

It can be difficult for the victim of a criminal identity theft to clear their record. The steps required to clear the victim's incorrect criminal record depend on what jurisdiction the crime occurred in and whether the true identity of the criminal can be determined. The victim might need to locate the original arresting officers and prove their own identity by some reliable means such as fingerprinting or DNA fingerprinting, and may need to go to a court hearing to be cleared of the charges. Obtaining an expungement of court records may also be required. Authorities might permanently maintain the victim's name as an alias for the criminal's true identity in their criminal records databases. One problem that victims of criminal identity theft may encounter is that various data aggregators might still have the incorrect criminal records in their databases even after court and police records are corrected. Thus it is possible that a future background check will return the incorrect criminal records. This is just one example of the kinds of impact that may continue to affect the victims of identity theft for some months or even years after the crime, aside from the psychological trauma that being 'cloned' typically engenders.

Synthetic identity theft

A variation of identity theft which has recently become more common is synthetic identity theft, in which identities are completely or partially fabricated. The most common technique involves combining a real social security number with a name and birth date other than the ones associated with the number. Synthetic identity theft is more difficult to track as it doesn't show on either person's credit report directly, but may appear as an entirely new file in the credit bureau or as a subfile on one of the victim's credit reports. Synthetic identity theft primarily harms the creditors who unwittingly grant the fraudsters credit. Individual victims can be affected if their names become confused with the synthetic identities, or if negative information in their subfiles impacts their credit ratings.

Medical identity theft

Medical identity theft occurs when someone uses a person's name and sometimes other parts of their identity, such as insurance information, without the person's knowledge or consent to obtain medical services or goods, or uses the person's identity information to make false claims for medical services or goods. Medical identity theft frequently results in erroneous entries being put into existing medical records, which may in turn lead to inappropriate and potentially life-threatening decisions by medical staff.

Techniques for obtaining and exploiting personal information for identity theft Identity thieves typically obtain and exploit personally identifiable information about individuals, or various credentials they use to authenticate themselves, in order to impersonate them. Examples include:
 

Rummaging through rubbish for personal information (dumpster diving) Retrieving personal data from redundant IT equipment and storage media including PCs, servers, PDAs, mobile phones, USB memory sticks and hard drives that have

been disposed of carelessly at public dump sites, given away or sold on without having been properly sanitized


Using public records about individual citizens, published in official registers such as electoral rolls

Stealing bank or credit cards, identification cards, passports, authentication tokens typically by pick pocketing, housebreaking or mail theft

Skimming information from bank or credit cards using compromised or hand-held card readers, and creating clone cards

Using 'contactless' credit card readers to acquire data wirelessly from RFID-enabled passports

Observing users typing their login credentials, credit/calling card numbers etc. into IT equipment located in public places (shoulder surfing)

Stealing personal information from computers using malware, particularly Trojan horse key logging programs or other forms of spyware

Hacking computer networks, systems and databases to obtain personal data, often in large quantities

Exploiting breaches that result in the publication or more limited disclosure of personal information such as names, addresses, Social Security number or credit card numbers

Advertising bogus job offers in order to accumulate resumes and applications typically disclosing applicants' names, home and email addresses, telephone numbers and sometimes their banking details

Exploiting insider access and abusing the rights of privileged IT users to access personal data on their employers' systems

Infiltrating organizations that store and process large amounts or particularly valuable personal information

Impersonating trusted organizations in emails, SMS text messages, phone calls or other forms of communication in order to dupe victims into disclosing their personal information or login credentials, typically on a fake corporate website or data collection form (phishing)

Brute-force attacking weak passwords and using inspired guesswork to compromise weak password reset questions

Obtaining castings of fingers for falsifying fingerprint identification ... or famously using gummy bears to fool low quality fingerprint scanners

Browsing social networking websites for personal details published by users, often using this information to appear more credible in subsequent social engineering activities

Diverting victims' email or post in order to obtain personal information and credentials such as credit cards, billing and bank/credit card statements, or to delay the discovery of new accounts and credit agreements opened by the identity thieves in the victims' names

Using false pretenses to trick individuals, customer service representatives and help desk workers into disclosing personal information and login details or changing user passwords/access rights (pretexting)

Stealing checks to acquire banking information, including account numbers and bank routing numbers

Guessing Social Security numbers by using information found on Internet social networks such as Facebook and MySpace

Individual identity protection

The acquisition of personal identifiers is made possible through serious breaches of privacy. For consumers, this is usually a result of naively providing their personal information or login credentials to the identity thieves after being duped, but identity-related documents such as credit cards, bank statements, utility bills, checkbooks etc. may also be physically stolen from vehicles, homes and offices, or directly from victims by pickpockets and bag snatchers. Guardianship of personal identifiers by consumers is the most common intervention strategy recommended by the US Federal Trade Commission, Canadian Phone Busters and most sites that address identity theft. Such organizations offer recommendations on how individuals can prevent their information from falling into the wrong hands.

Identity theft can be partially mitigated by not identifying oneself unnecessarily (a form of information security control known as risk avoidance). This implies that organizations, IT systems and procedures should not demand excessive amounts of personal information or credentials for identification and authentication. Requiring, storing and processing personal identifiers (such as Social Security number, national identification number, driver's license number, credit card number, etc.) increases the risk of identity theft unless this valuable personal information is adequately secured at all times. To protect themselves against electronic identity theft by phishing, hacking or malware, individuals are well advised to maintain computer security, for example by keeping their operating systems fully patched against known security vulnerabilities, running antivirus software and being cautious in their use of IT.
Identity thieves sometimes impersonate dead people, using personal information obtained from death notices, gravestones and other sources to exploit delays between the death and the closure of the person's accounts, the inattentiveness of grieving families and weaknesses in the processes for credit-checking. Such crimes may continue for some time until the deceased's families or the authorities notice and react to anomalies.

In recent years, commercial identity theft protection/insurance services have become available in many countries. These services purport to help protect the individual from identity theft, or to help detect that identity theft has occurred, in exchange for a monthly or annual membership fee or premium. The services typically work either by setting fraud alerts on the individual's credit files with the three major credit bureaus or by setting up credit report monitoring with the credit bureaus. While identity theft protection/insurance services have been heavily marketed, their value has been called into question.

Identity protection by organizations

In their May 1998 testimony before the United States Senate, the Federal Trade Commission (FTC) discussed the sale of Social Security numbers and other personal identifiers by credit-raters and data miners. The FTC agreed to the industry's self-regulating principles restricting access to information on credit reports. According to the industry, the restrictions vary according to the category of customer. Credit reporting agencies gather and disclose personal and credit information to a wide business client base.

Poor stewardship of personal data by organizations, resulting in unauthorized access to sensitive data, can expose individuals to the risk of identity theft. The Privacy Rights Clearinghouse has documented over 900 individual data breaches by US companies and government agencies since January 2005, which together have involved over 200 million total records containing sensitive personal information, many containing social security numbers. Poor corporate diligence standards which can result in data breaches include:

failure to shred confidential information before throwing it into dumpsters

failure to ensure adequate network security

the theft of laptop computers or portable media being carried off-site containing vast amounts of personal information. The use of strong encryption on these devices can reduce the chance of data being misused should a criminal obtain them.

the brokerage of personal information to other businesses without ensuring that the purchaser maintains adequate security controls

failure of governments, when registering sole proprietorships, partnerships, and corporations, to determine if the officers listed in the Articles of Incorporation are who they say they are. This potentially allows criminals access to personal information through credit-rating and data mining services.

The failure of corporate or government organizations to protect consumer privacy, client confidentiality and political privacy has been criticized for facilitating the acquisition of personal identifiers by criminals. Using various types of biometric information, such as fingerprints, for identification and authentication has been cited as a way to thwart identity thieves; however, there are technological limitations and privacy concerns associated with these methods as well.

Phishing

The term phishing is derived from fishing. Phishing involves an e-mail that appears to be from a known business entity or institution. The message usually states that, due to problems in a database updating process, a problem that occurred in a server, security/identity theft concerns etc. at the institution or bank, the recipient is required to update personal data such as passwords, bank account information, driver's license numbers, social security numbers, Personal Identification Numbers (PINs), etc. There are mainly four techniques of phishing:

Dragnet method: involves spammed e-mails, imitating corporate identification (e.g., trademarks, logos, and corporate names), that are addressed to the customers of a particular financial institution or members of a particular auction site, leading to a fake website or popup window.

Rod-and-reel method: prospective victims with whom initial contact has already been made are targeted with forged information and fooled into disclosing their personal and financial details.

Lobsterpot method: involves phishers creating lookalike websites of legitimate corporate websites, whereby the victims are fooled into believing the spoofed website is a legitimate site and disclose their personal data.

Gillnet phishing: malicious code is injected into e-mails, websites or another site's pop-up window, and simply opening that e-mail or browsing that website may result in the introduction of a Trojan horse into the system. The Trojan may even change the user's system settings so that a user who wants to visit their banking website is redirected to a phishing site, and the malicious code may collect the user's keystrokes and passwords and transmit them to the phishers.

Types of Phishing Attacks

URL obfuscation attacks: involve making minor changes to the URL, exploiting obscure features of TCP/IP and URL syntax, so that the user is tricked into following a hyperlink (URL) that leads to the attacker's server without realizing that he has been tricked.

Cross-site scripting: cross-site scripting attacks make use of a custom URL or code injection into the valid but vulnerable code of a web-based application's URL. They direct the user to sign in at their bank's or service's own web page, where everything from the web address to the security certificates appears to be genuine, but the link to the website is crafted to carry out the attack, making it very difficult to spot without specialist knowledge. Such a flaw was used in 2006 against PayPal.

Malware-based phishing: in this kind of phishing, malware is introduced as an e-mail attachment, as a downloadable file from a website, or by intruding into the user's PC through the security vulnerabilities of software that the user has not kept up to date.

Session hijacking: an attack wherein the user's activities are constantly monitored until they sign into a targeted account or transaction, at which point the malicious software takes over and undertakes unauthorized actions, such as transferring funds, without the user's knowledge.

System reconfiguration attacks: are intended to modify the settings on a user's PC for fraudulent purposes. For example, a bank's website URL may be changed from "bankofabc.com" to "bancofabc.com".

DNS-based phishing ("pharming"): pharming is a kind of phishing which modifies the hosts file or Domain Name System (DNS), redirecting the user to a fake site similar to the genuine website whenever the user requests a URL or name service, leading users to disclose confidential information to the hackers.

Modus operandi of phishing attacks used to target bank customers in India:

The hackers created fake websites similar to the target bank's and, along with their associates from foreign countries like Nigeria, Russia etc., sent e-mails to the customers of the bank luring them to provide their login details "for upgrading the server", by hosting a web page containing URL links of the bank.

Before a transfer of funds through Internet banking is executed, the bank sends an SMS to the transferor in order to confirm the transaction. The fraudsters, once they got hold of the customer's personal information, changed the contact numbers of customers to their own, so that the transfer of funds from the victim's account to beneficiary accounts went unnoticed.

In these cases, when the customers fell into the trap and passed on their Internet banking password and user name, the fraud was perpetrated in three forms:

i) account-to-account transfer from the victim's account to a beneficiary account;
ii) recharging mobile phones;
iii) making purchases online as permitted by the net banking facility.

The beneficiary accounts into which the funds were transferred were fake accounts opened with fake ID documents, like fake passports, fake election ID cards, fake PAN cards etc.

The phishing scam revealed the involvement of Nigerians, but the beneficiary accounts were opened in the names of Indians, as accounts with Nigerian names would arouse suspicion. Some of the beneficiary account holders were carriers for the hackers, while some of the beneficiary accounts were opened by luring persons with some consideration in lieu of their services to open accounts in their names and have the ill-gotten money transferred into them.

The suspected IP addresses from which the fraudulent Internet transactions took place were in various foreign countries, which indicates the use of proxy IPs by the hackers to mislead the investigating agencies.

It has been revealed that the amount was withdrawn by the hacker immediately after the account had been compromised.

Example of Phishing

[Figure: a phishing e-mail impersonating Citibank (Nov 10); its links point to http://82.90.165.65/citi]
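As an added example (not part of this report), the following Python script applies the checks a bank's abuse team or a mail filter could run against links in a suspected phishing e-mail: a bare IP host like the Citibank sample above, the user-info-before-@ trick, a legitimate name buried inside an attacker's domain, one-letter lookalikes such as bancofabc.com, and a hosts-file override of the kind pharming relies on. The domain list, hosts-file lines and URLs are constructed for the example; bankofabc.com is the placeholder name this page itself uses.

```python
import ipaddress
from urllib.parse import urlsplit

# Domains the checker treats as legitimate. Constructed for this example;
# bankofabc.com is the placeholder name used in the text above.
LEGIT_DOMAINS = {"bankofabc.com", "citibank.com", "paypal.com"}

# Substitutions phishers use to build lookalike names, folded to one canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("k", "c")]

# Constructed hosts file with a pharming entry pinning the bank's name to a fake address
# (203.0.113.0/24 is a documentation range, not a real server).
SAMPLE_HOSTS = """
127.0.0.1   localhost
# the line below is the constructed pharming entry
203.0.113.9 www.bankofabc.com bankofabc.com
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-letter tweaks such as bancofabc.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(name: str) -> str:
    """Canonical form in which confusable characters compare equal."""
    for bad, good in CONFUSABLES:
        name = name.replace(bad, good)
    return name


def registrable(host: str) -> str:
    """Last two labels of a host name (sufficient for the .com names used here)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def check_url(url: str) -> list:
    """Return the phishing indicators found in one URL; an empty list means none."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()

    # 1. user-info trick: "http://www.bankofabc.com@evil.example/" really goes to evil.example
    if parts.username is not None:
        findings.append("userinfo-before-@")

    # 2. bare IP address instead of a name (the pattern of the Citibank sample above)
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
        return findings          # no domain name left to compare
    except ValueError:
        pass

    reg = registrable(host)
    if reg in LEGIT_DOMAINS:
        return findings          # genuine domain (userinfo may still have been flagged)

    for legit in sorted(LEGIT_DOMAINS):
        # 3. legitimate name buried inside an attacker's domain: bankofabc.com.evil.net
        if legit in host:
            findings.append("legit-name-embedded:" + legit)
        # 4. lookalike registrable domain: small edit distance or confusable substitution
        elif 0 < edit_distance(reg, legit) <= 2 or fold(reg) == fold(legit):
            findings.append("lookalike-of:" + legit)
    return findings


def hosts_overrides(hosts_text: str) -> dict:
    """Pharming check: hosts-file names under a legitimate domain, with the address they are pinned to."""
    hits = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            if registrable(name) in LEGIT_DOMAINS:
                hits[name.lower()] = addr
    return hits


if __name__ == "__main__":
    for u in ["https://www.bankofabc.com/login",
              "http://82.90.165.65/citi",
              "http://www.bankofabc.com@82.90.165.65/citi",
              "http://www.bancofabc.com/login",
              "http://bankofabc.com.evil-update.net/secure"]:
        print(u, "->", check_url(u) or "no indicators")
    print("hosts overrides:", hosts_overrides(SAMPLE_HOSTS))
```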

VISHING

What is vishing?

Vishing is the practice of leveraging IP-based voice messaging technologies (primarily Voice over Internet Protocol, or VoIP) to socially engineer the intended victim into providing personal, financial or other confidential information for the purpose of financial reward. The term vishing is derived from a combination of voice and phishing.

The use of landline telephony systems to persuade someone to perform unintended actions has existed since the birth of the telephone. Who didn't make prank phone calls as a child? However, landline telephony services have traditionally terminated at a physical location known to the telephone company and could therefore be tracked back to a specific bill payer. The recent massive increase in IP telephony has meant that many telephone services can now start or terminate at a computer anywhere in the world. In addition, the cost of making a telephone call has dropped to a negligible amount. This combination of factors has made it financially practical for phishers to leverage VoIP in their attacks.

Vishing is expected to have a much higher success rate than other phishing vectors because:

- Telephone systems have a much longer record of trust than newer, Internet-based messaging
- A greater percentage of the population can be reached via a phone call than through e-mail
- There is widespread adoption and general acceptance of automated phone validation systems
- The telephone makes certain population groups, such as the elderly, more reachable
- Timing of message delivery can be leveraged to increase the odds of success
- The telephone allows greater personalization of the social engineering message
- Increased use of call centers means that the population is more accepting of strangers who may have accents asking for confidential information.

The most valuable information to the phisher is likely to be:

- Credit card details (including expiration date and card security codes)
- Account numbers and their corresponding personal identification numbers (PINs)
- Birthdays
- Social Security numbers
- Customer loyalty card numbers
- Passport numbers

The primary methods for delivering this attack are:

- Internet e-mail
- Mobile text messaging
- Voicemail
- Live phone call

Internet e-mail

In some attack scenarios, victims receive an e-mail that invites, solicits or provides an incentive to call a phone number owned by the phisher. The e-mails are almost identical to the classic phishing attacks that instruct the message recipient to click on an embedded URL that takes the victim to a fake website to steal authentication credentials. However, in this case, the victim dials the number, and an automated voice prompts the caller to provide authentication information.

Mobile text messaging

Closely related to the Internet e-mail initiation vector, the phisher may also use short messages over mobile protocols such as SMS and Multimedia Messaging Service (MMS) to invite, solicit or provide an incentive to the potential victim to either phone a number or respond to the text message using SMS or MMS.

Voicemail

Whether by making use of classical war-dialing techniques or newer Session Initiation Protocol (SIP) queries, the phisher can quickly cycle through possible phone numbers or telephony end points to enumerate live numbers. Once enumerated, the phisher can easily send a prerecorded message to each phone, typically targeting a user's voicemail inbox. Voicemail systems are targeted because message delivery scales more easily and requires less technical effort by the phisher.

Live phone call

The ability to mask or impersonate various caller IDs is particularly important to phishers. By changing caller ID data, they can help reinforce their social engineering story as well as make it more difficult to track the source of an attack. IP telephony services that allow Internet phones to use local dialing code point of presence (POP) exit points (i.e., a phone number within the same regional calling code) can similarly increase the success of an attack. By leveraging this ability, as well as the ability to place an Internet call from anywhere in the world, the phisher can also conduct what could best be called live attacks. In a live attack, the phisher initiates the call to the potential victim, who then encounters an automated voice system that encourages him to supply personal information. To be successful, the phisher will either impersonate a well-known national entity (a major bank or retail chain) or a local business (a local radio station or government office) and use an appropriate caller ID.

As the cost of Internet calling falls even further, it will be financially viable for organized criminals to essentially build their own call centers to manually walk potential victims through the vishing scam. In other words, they will not be required to use a recorded message. Such a manual attack vector would likely have the highest success rates of all vishing scams. Fraudulent live attacks can similarly use the social engineering aspects described in the previous sections but may be more successful by using more local, timely and interactive messages, such as the following:

Paid survey: after answering the electronic questions, the victim is asked to enter bank card details so that money can be immediately credited to the account.

Tax alert: the victim is warned that, as a resident of a certain county, he may be able to benefit from a recent tax change. All he has to do is say his name, address and Social Security number.

SMiShing

SMiShing scams are similar to phishing scams. You get a message from a bank or service provider asking you to do something. However, the SMiShing message is really from a scam artist. While most people are familiar with e-mail phishing scams, they're less skeptical when receiving SMiShing messages.

How SMiShing works

SMiShing scams often direct you to visit a website or call a phone number. If you dial the number, you'll be asked for sensitive information like a credit card number. If you visit the website, it may attempt to infect your computer with malware. Scammers continually get more and more creative. Most consumers are savvy enough not to fall for the old "we need your bank account password" e-mail. However, a text message seems less threatening.

Instead of just trying to get money from you, like they do in cashier's check scams, SMiShing schemes often just try to get information such as credit card numbers. Then they use or sell the information later.

What You Need to Know About SMiShing

If you get a suspicious message, don't fall for it. Call the bank from a phone number that you trust, one that you get from your statement or from the bank's website, for example. If you get a message about some "service" you've been signed up for and will have to cancel, search the web for other reports of the message.

TROJAN HORSE

A Trojan horse is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and do its chosen form of damage, such as ruining the file allocation table on your hard disk. In one celebrated case, a Trojan horse was a program that was supposed to find and destroy computer viruses. A Trojan horse may be widely redistributed as part of a computer virus.

The term comes from Greek mythology about the Trojan War, as told in the Aeneid by Virgil and mentioned in the Odyssey by Homer. According to legend, the Greeks presented the citizens of Troy with a large wooden horse in which they had secretly hidden their warriors. During the night, the warriors emerged from the wooden horse and overran the city.

How do they get on your machine?

Trojans may come into your system as an e-mail attachment, as a file via your instant-messaging application, or even through file-sharing software. The file may appear to be a photograph, a document, a sound file or even a game of some sort. When you try to open the file, it often appears as though nothing has happened. At this point, many users assume that the file didn't work and forget the whole thing. In actual fact, you may just have installed something quite nasty on your system, and chances are that the Trojan will make sure it runs every time you start your computer. Effectively you've just installed a backdoor into your system. Not only do you not know that it's there, but it can be easily and discreetly used without your knowledge or permission.

What can they do to your system?

There are many different Trojans in circulation. At the time of writing this text, the a-squared Anti-Malware software can detect over 3 million different Trojans and malware files, and this number will continue to rise in the future. Some of them may be relatively harmless to your system, and may simply use your computer as part of a coordinated Denial of Service attack on another system. Some of them may open up the possibility of someone accessing your machine, but may remain unused for years. Other Trojans pose a far greater threat to your computer and your data. Some may monitor your Internet connection and grab your e-mail addresses and access passwords. Perhaps your e-mail will be intercepted, perhaps credit card details that you store or enter will be copied, or perhaps someone, somewhere, will simply have a wander through your hard drive, seeing if there's anything of interest. When they've finished, maybe they'll leave the door open to others, maybe they'll come back at a later date, or maybe they'll install something even worse on your system, just for the hell of it. Whatever the Trojan, and whatever the result of it being there, one thing is for certain: you don't want it there, and you need to protect your system from this happening.

TYPES OF TROJAN

Remote access Trojans: remote access Trojans are potentially the most damaging. These give the hacker control of your computer and, therefore, access to all of your files and folders. In theory they can read all of your personal files, and even your cookies and auto-fill preferences. This can give them easy access to your online accounts.

Data sending Trojans: data sending Trojans are commonly used for advertising purposes, although again they could easily be used for data theft. As the name would suggest, these Trojans take information from your computer and transmit it back to the hacker. In the case of advertising Trojans this information is used to serve adverts on your PC that you are apparently more likely to click.

Destructive Trojans: destructive Trojans may not result in data theft but can be damaging anyway. Once the Trojan is installed on your computer it will begin to systematically or completely randomly delete information from your computer. This can include files, folders, registry entries, and important system files. Eventually a destructive Trojan is likely to cause the failure of your operating system and, therefore, your computer.

Proxy Trojans: a proxy Trojan is less damaging in some ways but can cause untold damage in other ways. Hackers need to hide their identity and their location. A proxy Trojan installs on your computer and is then used by the hacker to access the Internet. Any action they take is then registered to your computer. Often this can be relatively harmless, but potentially you could have your IP registered for spamming and you could even be investigated for online crimes.

FTP Trojans: an FTP Trojan acts like an FTP server once it has been installed on a computer. This means that the hacker can download any program or file from your computer and, similarly, he or she can upload anything onto your computer. Not only can this, once again, lead to data or identity theft, but it also provides hackers with a way to install further malware on your computer to wreak even more havoc.

Other Trojans: more specific Trojans include security software disablers that disable antivirus and anti-spyware programs. These leave you open to attack from a great many sources and, because a Trojan is already on your computer, it is likely that it can perform other, more damaging actions. DoS Trojans are installed on your computer and, while they may not cause you damage, they can bring down major websites. They do this by installing on the computers of numerous members of that website and then bombarding the site with requests, causing it to suffer an outage. This has affected even some of the major e-commerce sites, like Amazon.

Signs & Symptoms Your Computer Is Infected With A Trojan Horse


- CD-ROM drawer opening and closing on its own.
- Documents or messages printing on your printer by themselves.
- Your computer screen inverts or flips upside down.
- Your mouse moves all by itself.
- Your mouse starts leaving trails.
- Your right and left mouse buttons reverse their functions.
- Your mouse pointer completely disappears. The hacker does this by taking the liberty to turn off your mouse.
- Your programs load and unload all by themselves.
- Many times your antivirus software is altered or altogether deleted.
- Your computer plays recordings, that you never recorded, of things in your computer room. If your computer has a microphone, the hacker can record and listen to what is going on in your room. Just to scare you, he might play back some of his recordings while you are in the room. How scary is that?!?
- Your sound volume turns up or down all by its lonesome. The hacker does this to get your attention and scare you.
- Your Windows Start button disappears.
- Your computer starts conversing with you. Some Trojans allow the hacker to type anything that he wants to say to you in a box and then make it appear that your computer is talking to you. Often this feature is used along with the sound option and web cam so that he can see and hear you as he converses. How terrifying?!?
- Your computer starts reading the contents of your computer clipboard.
- Strange chat boxes appear on your computer screen, and you are forced to chat with some stranger.
- Your wallpaper or background settings change all by themselves.
- Your computer goes to a strange or unknown web page by itself, even when you haven't even launched your web browser.
- Your Windows color settings change all by its lonesome.
- Your screen saver settings change by themselves.
- You get complaints from your ISP that your computer has been port scanning. You might even get an e-mail from your ISP warning you that your account will be terminated if such activity continues.

Man-In-The-Middle

A Man-In-The-Middle attack is a type of Trojan attack where hackers intrude on or intercept an existing transaction of data and inject false information into it. It is a type of eavesdropping on a transaction: intruding into it, intercepting messages, and purposefully modifying data. The process involves establishing a virus on personal computers, made possible by the widespread use of the Internet, such as a Trojan horse that acts as the interface between two points, with the users unaware that the information they exchange is intercepted and captured by the intermediate virus. It is executed mainly to gain access to an individual's valuable information, such as passwords, login details, and credit card numbers.

The techniques used for MITM attacks can be classified below in consideration of the following three network environment types:

- Local Area Network
- From Local To Remote (through a gateway)
- Remote

Local Area Network

ARP spoofing

Briefing: ARP (Address Resolution Protocol) spoofing is also known as "ARP poisoning" or ARP Poison Routing. The attacker may use ARP spoofing to sniff data frames on the LAN and to modify the packets. The attacker may corrupt the ARP caches of directly connected hosts and finally take over the IP address of the victim host.

Tools used:
- ARPoison is a UNIX command-line tool that can be used to create spoofed ARP packets.
- Ettercap can be used for filtering, hijacking, poisoning and sniffing, including SSH v.1 sniffing (transparent attack).
- Dsniff can be used for poisoning and sniffing, including SSH v.1 sniffing (proxy attack).
- Parasite is a daemon used to watch a LAN for ARP requests and automatically send spoofed ARP replies.

DNS spoofing

Briefing: The attacker starts by sniffing the ID of any DNS request, and then replies to the target's requests before the real DNS server does.

Tools used:
- ADM DNS spoofing tools can spoof DNS packets via various active and passive methods.
- Ettercap (plugin needed: phantom plugin)
- Dsniff (dnsspoof)
- Zodiac can be used for DNS name server versioning, DNS local spoofing (answering DNS queries before the remote name server), DNS jizz spoofing, and DNS ID spoofing.

IP address spoofing

Briefing: The attacker creates IP packets with a forged source IP address in order to conceal the identity of the packet sender or to impersonate another computer system. (This method of attack on a remote system can be very difficult, because it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between endpoints.)

Tools used:
- Hping can be used to prepare spoofed IP datagrams with only a one-line command, and the attacker can send the prepared datagrams to almost any target victim.

Port stealing

Briefing: The term "port stealing" refers to the MITM technique used to spoof the switch forwarding database (FDB) and usurp the switch port of the victim host for packet sniffing on Layer 2 switched networks. The attacker starts by flooding the switch with forged ARP packets that contain the same source MAC address as that of the victim host and the same destination MAC address as that of the attacker host. Note that those packets are invisible to other hosts on the same network. Since the victim host also sends packets to the switch at the same time, the switch will receive packets containing the same source MAC address from two different ports. Therefore, the switch will repeatedly alter the MAC address binding to either of the two ports by referencing the relevant information in the packets. If the attacker's packets are faster, the switch will send the attacker the packets intended for the victim host. The attacker then sniffs the received packet, stops flooding and sends an ARP request for the victim's IP address. After receiving the ARP reply from the victim host, the attacker forwards the "stolen" packet to the victim host. Finally, the flooding is launched again for another attack cycle.

Tools used:
- Dsniff: Dsniff is claimed as a tool suite developed for network auditing and penetration testing, but the attacker can use it for SSL MITM attacks. Its components "dsniff", "filesnarf", "mailsnarf", "msgsnarf", "urlsnarf", and "webspy" can be used to passively monitor a network for sensitive data (e-mail, files and passwords). Its other components, like "arpspoof", "dnsspoof", and "macof", allow the attacker to intercept network packets normally unavailable to the attacker. Its components "SSHMITM" and "WEBMITM" may help the attacker to launch active man-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

STP (Spanning-Tree Protocol) mangling

Briefing: STP mangling refers to the technique used for the attacker's host to be elected as the new root bridge of the spanning tree. The attacker may start either by forging BPDUs (Bridge Protocol Data Units) with high priority, claiming to be the new root, or by broadcasting STP Configuration/Topology Change Acknowledgement BPDUs to get his host elected as the new root bridge. By taking over the root bridge, the attacker will be able to intercept most of the traffic.


Ettercap (Plugin needed: Lamia plugin): Ettercap is a multipurpose hacking suite for the switched LAN environment. As a LAN-based sniffer, interceptor and logger, it is chiefly featured by live-connection sniffing and content filtering on the fly. It supports the active and passive dissection of many protocols (even the ciphered ones) and includes some functionalities for network and host analysis. Ettercap can be used to launch an MITM attack via ARP poisoning or port stealing.

Yersinia: Yersinia takes its name from the bacterium "Yersinia pestis." It can be used to exploit the vulnerabilities of the following network protocols: STP, CDP, DTP, DHCP, HSRP, IEEE 802.1Q, IEEE 802.1X, ISL (Inter-Switch Link Protocol), and VTP (VLAN Trunking Protocol).

Yersinia supports multithreading: multiple users and multiple attacks per user. It has three main modes: command line, network client and ncurses GUI. The attacker can use it to listen to the network, sniff packets, edit protocol fields, intercept network data in pcap format, analyze captured packets and replay them with the attacker's modifications. Yersinia can be used for 29 types of attacks. In STP cases, the MITM attacker may use it on computers with two Ethernet cards to disguise the host as a dual-homed switch in the root role. In HSRP cases, the MITM attacker may use it to become the active router.

From Local To Remote (through a gateway)

- ARP poisoning
- DNS spoofing
- DHCP spoofing (e.g., spoofing the DHCP server): a type of attack on a DHCP server to obtain IP addresses using spoofed DHCP messages
- Gateway spoofing (usually spoofing the default gateway)
- ICMP redirection
- IRDP spoofing (route mangling)

Remote

- DNS poisoning
- Route mangling
- Traffic tunneling
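As an added example that is not part of the report, the following Python script detects the ARP poisoning and gateway spoofing listed above by watching for IP-to-MAC bindings that change between successive ARP replies; the ArpWatch class and the sample capture are hypothetical.

```python
"""Detecting ARP poisoning and gateway spoofing from observed ARP replies.

Added example, not code from the original report. The sample capture at the
bottom is constructed: documentation addresses (192.0.2.0/24) and locally
administered MACs (02:00:00:00:00:xx), none of them real stations.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP address the sender claims to own
    sender_mac: str  # hardware address carried in the reply


class ArpWatch:
    """Learns IP-to-MAC bindings on a LAN segment and alerts when a binding
    changes. A changed binding is the symptom of ARP poisoning; a changed
    binding for the default gateway is gateway spoofing."""

    def __init__(self, gateway_ip, pinned=None):
        self.gateway_ip = gateway_ip
        self.pinned = dict(pinned or {})   # static entries, never overwritten
        self.bindings = dict(self.pinned)  # ip -> mac, pinned plus learned
        self.alerts = []
        self.offenders = Counter()         # mac -> takeovers attempted

    def observe(self, reply):
        """Process one reply; return an alert string, or None if benign."""
        known = self.bindings.get(reply.sender_ip)
        if known is None:                       # first sighting of this IP
            self.bindings[reply.sender_ip] = reply.sender_mac
            return None
        if known == reply.sender_mac:           # consistent with history
            return None
        severity = "CRITICAL" if reply.sender_ip == self.gateway_ip else "WARN"
        self.offenders[reply.sender_mac] += 1
        alert = (f"{severity}: {reply.sender_ip} was {known}, "
                 f"now claimed by {reply.sender_mac}")
        self.alerts.append(alert)
        if reply.sender_ip not in self.pinned:  # learned entries may move
            self.bindings[reply.sender_ip] = reply.sender_mac
        return alert

    def poisoners(self, min_takeovers=2):
        """MACs that took over several addresses: one station answering for
        many IPs is the pattern left by an ARP poisoning tool."""
        return sorted(m for m, n in self.offenders.items() if n >= min_takeovers)


def analyze(replies, gateway_ip, pinned=None):
    """Run the watcher over a capture; returns (alerts, suspected MACs)."""
    watch = ArpWatch(gateway_ip, pinned)
    for reply in replies:
        watch.observe(reply)
    return watch.alerts, watch.poisoners()


# Constructed sample capture: gateway and two hosts announce themselves,
# then a fourth station claims the gateway's address and host A's address.
SAMPLE = [
    ArpReply("192.0.2.1", "02:00:00:00:00:01"),   # real gateway
    ArpReply("192.0.2.10", "02:00:00:00:00:10"),  # host A
    ArpReply("192.0.2.11", "02:00:00:00:00:11"),  # host B
    ArpReply("192.0.2.1", "02:00:00:00:00:66"),   # gateway takeover
    ArpReply("192.0.2.10", "02:00:00:00:00:66"),  # host A takeover
    ArpReply("192.0.2.11", "02:00:00:00:00:11"),  # host B unchanged
]
```

Pinning the gateway's binding (the `pinned` argument) mirrors a static ARP entry: the alert still fires, but the watcher's own table is not poisoned by the forged reply.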

MAN IN THE BROWSER ATTACK

A man in the browser attack is a relatively new application that is capable of stealing login credentials, account numbers and various types of financial information. The attack combines the use of Trojan horses with a unique phishing approach to insinuate a window that overlays the browser on a given computer. Man in the browser attacks are designed to capture confidential information that can be utilized to the advantage of the entity that launched the attack. As part of the function, the man in the browser process begins with the establishment of the Trojan on the hard drive.

The Trojan embeds in a file and is often hard to isolate. Once the Trojan is in place, it launches a transparent overlay on the browser that is highly unlikely to be detected. The presence of the Trojan horse is transparent to the user, as it does not interfere with the normal use of the browser to visit web sites and engage in transactions on those sites.

PHARMING

Pharming seeks to obtain personal or private (usually financial) information through domain spoofing. Rather than being spammed with malicious and mischievous email requests for you to visit spoof web sites which appear legitimate, pharming "poisons" a DNS server by infusing false information into it, resulting in a user's request being redirected elsewhere. Your browser, however, will show you are at the correct web site, which makes pharming a bit more serious and more difficult to detect. Phishing attempts to scam people one at a time with an e-mail, while pharming allows the scammers to target large groups of people at one time through domain spoofing.

CHAPTER 6: OTHER E-BANKING CRIMES.

ATM

An automated teller machine (also known as an ATM or cash machine) is a computerized device that provides the customers of a financial institution with the ability to perform financial transactions without the need for a human clerk or bank teller. Most modern ATMs identify the customer by the plastic card that the customer inserts into the ATM. The plastic card can contain a magnetic stripe or a chip that holds a unique card number and some security information, such as an expiration date and card validation code (CVC). Authentication of the user is provided by the customer entering a personal identification number (PIN). When using an ATM, customers can access their bank accounts in order to make cash withdrawals (or credit card cash advances) and can check their account balances, as well as purchasing mobile phone prepaid credit, paying bills and so on. There are three basic types of ATM attack: attempts to steal a customer's bank card information; computer and network attacks against ATMs to gather bank card information; and physical attacks against the ATM.

Theft of customers' bank card information

The main focus of ATM crime is the theft of the data stored on the bank card. Until recently bank cards used a magnetic stripe to store information to identify the customer and a PIN code to authenticate them and allow them to perform transactions at an ATM. Unfortunately the magnetic stripe information is simple to copy and counterfeit. As a result thieves have focused on methods of collecting this information.

Card Skimming

This is when the card's magnetic stripe details and PIN are captured at the ATM by a modified card reader known as a skimming device. The skimming device is placed on the ATM in such a way that disguises its presence but allows it to capture the information on the magnetic stripe of the card and the input of the customer's PIN. The customer inserts their card into the ATM that has been modified with a skimming device, performs a normal transaction, and retains the card. The customer leaves the ATM unaware that their card has been compromised. The captured information is then used to produce counterfeit cards for subsequent fraudulent cash withdrawals. The customer will only become aware of the fact when unauthorised cash withdrawals/transactions are made from their bank account. Because the skimming devices are very sophisticated, and often difficult to detect, multiple cards are compromised. Several different methods are used by criminals to do this, and the PIN is obtained either by the use of a small spy camera, or by a PIN pad overlay (false PIN pad). Increasingly, Bluetooth wireless technology (9) is used to transmit card and PIN details to a laptop at a remote location. This information can then easily be sent anywhere in the world to allow the fast production of counterfeit cards.

Typical methods used to skim cards

A small skimming device placed over the mouth of the card reader (false panel over the card reader), with a fake PIN pad overlay (or a small spy camera) to capture the PIN.

Figure 5: Image is Courtesy of EAST

Figure 6: Image is Courtesy of EAST

Card trapping

This is when a card is physically captured by the ATM, combined with any number of methods used to capture the customer's PIN. When the customer leaves the ATM without their card, the card is retrieved by the thieves and used to make fraudulent cash withdrawals or to make other purchases (either in store, by telephone, or online). Typically only one card is lost in each attack. The criminals have to withdraw the whole device each time a card is trapped, although recently a card trapping device has been seen that can stay in place for a period of time and that allows removal of trapped cards without the removal of the device. The most common variant is known as the "Lebanese Loop". Thieves place a device fitted with a loop of tape, wire, or strong thread over an ATM card reader. This allows a card to be inserted and read by the ATM, but not returned. The criminals obtain the PIN by watching the user entering the PIN (shoulder-surfing), and retrieve the card after the victim has left the ATM under the impression that the card has been retained by the ATM for other reasons. There are multiple techniques used to capture the customer's PIN, including the use of video cameras, offering advice and distracting the customer while they input their PIN. Another variant of card trap is known as the "Algerian V".

Distraction theft or manual skimming

This is similar to card trapping, the difference being that instead of a trap capturing the card, it is actually removed from the card reader by the criminals. Having observed the entry of the PIN, a group of criminals distract the user and cancel the transaction. While two criminals keep the user busy (often by dropping a bank note and asking the user if it belongs to them), another criminal hits the stop key and takes the customer's card. When the user turns back to the ATM they are informed that the ATM is faulty and will not return their card.

Shoulder surfing

This is a method used by criminals to obtain a PIN, typically when trapping cards, or when stealing cards by distraction theft. Standing behind the victim, a criminal reads the PIN as it is entered and either memorises it, writes it down, or enters it straight into a mobile phone.

Leaving transaction live

This is when a criminal completes an uncompleted transaction after the victim has left the ATM. This is typically done by making the victim believe the ATM is out of order while they are in the middle of a transaction, or by any other means of moving the victim away from the ATM while in the process of withdrawing funds.

Cash trapping

Criminals fix a device to the cash-dispensing slot, causing notes to get stuck inside when customers attempt to make a withdrawal. The customer leaves assuming that the machine is out of order, or goes inside the bank to report the incident, and the thieves return to retrieve the notes.

Figure 11: Images are Courtesy of EAST

Network attacks against ATMs

ATMs communicate with the banking systems through a network connection. Some of these connections use private networks and proprietary network protocols, but more often these connections now occur via the Internet using standard network protocols. Thieves will use computer programs (malware) to attack the ATM in order to gain access through a software or computer flaw. Once they have gained access to the ATM, the thieves will install software that collects card information and PINs. An ATM that has been compromised is not physically distinguishable from one that has not, and often users will be unaware of the danger.

Viruses and malicious software

ATMs often now use publicly available operating systems and off-the-shelf hardware, and as a result are susceptible to being infected with viruses and other malicious software. The malicious software is injected into the ATM through network attacks, or through other infected devices. Once installed on the ATM, the malicious software will collect card information and PINs.

PIN cash-out attacks

Thieves use sophisticated programming techniques (13) to break into websites which reside on a financial institution's network. Using this access, the thieves access the bank's systems to locate the ATM database. The thieves collect card numbers and, if necessary, alter the PIN for the cards they are planning to use. The thieves then sell the cards and their data to other thieves. Those thieves create ATM cards using the stolen information, and use the cards to withdraw cash from the accounts. The original thieves usually receive a percentage of the proceeds.

Physical ATM attacks

ATM physical attacks are carried out with the intention of gaining access to the cash within the ATM safe or the ATM security enclosure. Some of the most common methods include ram raids, explosive attacks (gas and non-gas) and cutting (e.g. rotary saw, blow torch, thermal lance, diamond drill). Robbery can also occur when ATMs are being replenished or serviced. Staff are either held up as they are carrying money to or from an ATM, or when the ATM safe is open and cash cassettes are being replaced.

SPYWARE

Spyware is any technology that aids in gathering information about a person or organization without their knowledge. On the Internet (where it is sometimes called a spybot or tracking software), spyware is programming that is put on someone's computer to secretly gather information about the user and relay it to advertisers or other interested parties. Spyware can get onto a computer as a software virus or as the result of installing a new program. Data collecting programs that are installed with the user's knowledge are not, properly speaking, spyware, if the user fully understands what data is being collected and with whom it is being shared. However, spyware is often installed without the user's consent, as a drive-by download, or as the result of clicking some option in a deceptive pop-up window. Software designed to serve advertising, known as adware, can usually be thought of as spyware as well, because it almost invariably includes components for tracking and reporting user information. However, marketing firms object to having their products called "spyware." As a result, McAfee (the Internet security company) and others now refer to such applications as "potentially unwanted programs" (PUP).

EXAMPLES OF SPYWARE


CoolWebSearch, a group of programs, takes advantage of Internet Explorer vulnerabilities. The package directs traffic to advertisements on web sites including coolwebsearch.com. It displays pop-up ads, rewrites search engine results, and alters the infected computer's hosts file to direct DNS lookups to these sites.

Internet Optimizer, also known as DyFuCa, redirects Internet Explorer error pages to advertising. When users follow a broken link or enter an erroneous URL, they see a page of advertisements. However, because password-protected Web sites (HTTP Basic authentication) use the same mechanism as HTTP errors, Internet Optimizer makes it impossible for the user to access password-protected sites.

HuntBar, aka WinTools or Adware.Websearch, was installed by an ActiveX drive-by download at affiliate web sites, or by advertisements displayed by other spyware programs, an example of how spyware can install more spyware. These programs add toolbars to IE, track aggregate browsing behavior, redirect affiliate references, and display advertisements.

Movieland, also known as Moviepass.tv and Popcorn.net, is a movie download service that has been the subject of thousands of complaints to the Federal Trade Commission (FTC), the Washington State Attorney General's Office, the Better Business Bureau, and other agencies. Consumers complained they were held hostage by a cycle of oversized pop-up windows demanding payment of at least $29.95, claiming that they had signed up for a three-day free trial but had not cancelled before the trial period was over, and were thus obligated to pay. The FTC filed a complaint, since settled, against Movieland and eleven other defendants charging them with having "engaged in a nationwide scheme to use deception and coercion to extract payments from consumers."

Weather Studio has a plugin that displays a window panel near the bottom of a browser window. The official website notes that it is easy to remove (uninstall) Weather Studio from a computer using its own uninstall program, found under C:\Program Files\Weather Studio. Once Weather Studio is removed, a browser returns to its prior display appearance, without the need to modify the browser settings.

Zango (formerly 180 Solutions) transmits detailed information to advertisers about the web sites which users visit. It also alters HTTP requests for affiliate advertisements linked from a web site, so that the advertisements make unearned profit for the 180 Solutions company. It opens pop-up ads that cover over the web sites of competing companies (as seen in the Zango End User License Agreement).

Zlob trojan, or just Zlob, downloads itself to a computer via an ActiveX codec and reports information back to a control server. This information can include the search history, the web sites visited, and even keystrokes. More recently, Zlob has been known to hijack routers left at their default settings.
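The pharming section above and the CoolWebSearch entry both come down to a name being resolved to an address the user did not choose. As an added example, not code from the report or from any product named here, this Python script audits a hosts file for such redirections; the audit_hosts function, the sample file and the watchlist are constructed for the example.

```python
"""Auditing a hosts file for pharming-style redirections.

Added example, not code from the original report. CoolWebSearch rewrites
the hosts file so that lookups for chosen names go to its own servers, and
a DNS-level pharming attack has the same effect on the client. The hosts
file is consulted before any resolver is asked, so one bad line silently
overrides DNS for that name. The file and watchlist below are constructed;
the .example names and 203.0.113.0/24 address are documentation values.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
                  "ip6-localhost", "ip6-loopback", "ip6-allnodes",
                  "ip6-allrouters"}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every binding, skipping blanks,
    comment lines, trailing '# ...' comments and unparsable addresses."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for host in fields[1:]:
            yield no, ip, host.lower().rstrip(".")


def is_watched(host, watched):
    """True if host equals a watched domain or is a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in watched for i in range(len(labels)))


def audit_hosts(text, watchlist):
    """Return (line_no, severity, host, ip, reason) findings. A watched name
    (bank, search engine) pointed at a routable address is the pharming
    pattern; a watched name sinkholed to 127.0.0.1 or 0.0.0.0 still breaks
    access and is reported at lower severity."""
    watched = {w.lower() for w in watchlist}
    findings = []
    for no, ip, host in parse_hosts(text):
        if host in LOOPBACK_NAMES or not is_watched(host, watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((no, "WARN", host, str(ip), "watched name sinkholed"))
        else:
            findings.append((no, "CRITICAL", host, str(ip),
                             "watched name redirected away from DNS"))
    return findings


# Constructed sample file: two stock entries, one internal server, one
# sinkholed ad host, one pharming line carrying two hostnames, one sinkhole.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1    localhost
::1          ip6-localhost ip6-loopback
10.0.0.5     intranet.corp.example        # internal server
127.0.0.1    ads.tracker.example          # sinkholed ad host
203.0.113.7  www.bank.example online.bank.example
0.0.0.0      search.example
"""
WATCHLIST = ["bank.example", "search.example"]
```

Entries for names outside the watchlist (such as the internal server above) are deliberately left alone; the check is about the names the attacker would want to redirect, not about every local override.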
 

SALAMI SLICING

A technique employed successfully by criminally inclined IT staff to acquire large sums of money by means of very small amounts. Essentially it needs something like a foreign exchange business environment where there are large numbers of transactions involving more than two decimal places. As currencies generally only use two decimal places, figures beyond this point are rounded off. Salami slicing programs will always round down the amount, and transfer the additional places to a separate, hidden account whose balance accumulates, over time, to a significant figure; multi-million dollar sums have been involved. This approach can only really work with systems handling huge numbers of transactions, where the amounts will not be noticed.

It is very difficult to spot, and usually only comes to light (if at all) when the individuals involved leave the organisation, or are observed to be living well beyond their salary levels with no other visible means of support.
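To show how ledger reconciliation exposes the rounding described above, here is an added Python example that is not part of the report: it builds a constructed ledger, applies the bank's declared rounding rule, and flags both the mis-rounded postings and the account quietly collecting the remainders (the account names and the build_ledger/audit functions are hypothetical).

```python
"""Reconciliation checks that expose salami slicing.

Added example, not code from the original report. A salami-slicing program
always rounds each amount down and books the shaved fraction of a cent to a
hidden account. Two audit checks catch it: every customer posting must equal
the bank's declared rounding of the exact amount, and no account outside the
customer ledger may accumulate credits. The transactions are constructed
with a seeded random generator and the account names are hypothetical.
"""
import random
from collections import defaultdict
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")


def declared_rounding(amount):
    """The published rule: round half up to two decimal places."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


def honest_post(exact):
    """Legitimate posting: (customer_amount, diverted); nothing diverted."""
    return declared_rounding(exact), Decimal("0")


def sliced_post(exact):
    """Salami posting as the report describes it: always round down and
    divert the remainder. Present only so the audit has something to find."""
    posted = exact.quantize(CENT, rounding=ROUND_DOWN)
    return posted, exact - posted


def build_ledger(n, poster, seed=7):
    """Simulate n FX conversions whose exact results carry six decimals.
    Returns (exact_amounts by txn id, postings as (txn, account, amount))."""
    rng = random.Random(seed)
    exact, postings = {}, []
    for txn in range(n):
        amt = Decimal(rng.randint(1_000_000, 99_999_999)) / Decimal(1_000_000)
        exact[txn] = amt
        customer_amount, diverted = poster(amt)
        postings.append((txn, f"CUST-{txn % 50:03d}", customer_amount))
        if diverted:                       # Decimal zero is falsy
            postings.append((txn, "ACC-HIDDEN", diverted))
    return exact, postings


def audit(exact, postings, customer_prefix="CUST-"):
    """Reconcile postings against the exact amounts under the declared rule.
    mis_rounded lists (txn, posted, expected); non_customer_credits totals
    everything booked outside the customer ledger, however small each slice."""
    mis_rounded, other_credits = [], defaultdict(Decimal)
    for txn, account, amount in postings:
        if account.startswith(customer_prefix):
            expected = declared_rounding(exact[txn])
            if amount != expected:
                mis_rounded.append((txn, amount, expected))
        else:
            other_credits[account] += amount
    return {"mis_rounded": mis_rounded,
            "non_customer_credits": dict(other_credits)}
```

Each individual slice is below one cent, which is why it escapes the customer's notice; the second check works because the hidden account's total is the sum of all of them, and any credit to an account that no customer transaction explains is a finding regardless of size.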

SUGGESTIONS
The openness of the Internet has dramatically changed global communications, making it possible for people around the world to easily exchange information. Anyone can access that great frontier called the World Wide Web. Sadly, not everyone has good intentions. Some people maliciously release destructive software programs, while others view hacking computer networks as sport. Then there are people with criminal goals in mind. These people often use malicious software, spam, and phishing scams to steal your identity. In fact, identity theft happens to be one of the fastest growing crimes in Canada and the USA. I was shocked to read that a 2007 study by Consumer Reports estimates the cost of cybercrime to U.S. consumers at $7 billion! Fortunately, there are a few simple steps that you can take to greatly enhance your Internet security and privacy. Below are some Internet security tips to guard you against Internet security and privacy threats and scams.

- When visiting a web site that you log in to, such as Hotmail or your financial institution's web site, make sure that you log out and close the browser window. This is especially important when using public Internet access, like libraries and Internet cafés. Otherwise the next person using the Internet terminal could have full access to your account! In fact, never use public or Internet café computers to access online financial services accounts or perform financial transactions.
- Never disclose personal, financial, or credit card information to little-known or suspect web sites. Your identity could be stolen and you could become yet another victim of identity theft.
- Never use a computer or a device that cannot be fully trusted.
- Use antivirus and anti-spyware software.
- Install firewall software. Windows XP and Vista include a free firewall.
- Enable Windows Updates. To do this in Windows XP, right-click on "My Computer", select "Properties" followed by "Automatic Updates", and make sure that "Keep My Computer Up To Date" is checked.
- Never open an email attachment from someone you don't know. Don't even open an email attachment from someone you know, unless you know exactly what the attachment is. Those "cute little jokes" aren't always that "cute" and can be infected with a nasty virus.
- Use an alternative web browser such as Opera or Mozilla Firefox.
- Use passwords that aren't easy for someone else to guess, but at the same time are easy for you to remember. Use passwords with a combination of letters, numbers, and punctuation marks that are at least eight characters long. Memorize your password; don't write it down or email it. Use a different password for every site that requires a password, or at least use a variety of passwords. Change your passwords every 90 days. Finally, don't ever use your name, your spouse's name, the name of your pet, your phone number, your birthday, your favorite food, or any other personal information hackers could easily guess.
- Never click the hyperlinks in an e-mail, even if it looks perfectly legitimate. Instead, get into the habit of typing the URL directly into your browser.
- Use trusted software from reputable companies. Check carefully before you download, run, or use any software that doesn't come from well-known, trustworthy sources.
- Disconnect your computer from the Internet when not in use. The longer your computer is on the Internet, the greater the chance of it being hacked.
- Protect your PIN.
- Keep the bank's emergency number at hand.
- To be able to spot a fraudulent withdrawal, a cardholder should regularly check his bank transactions and account balances.
