RISKS AND FRAUDS IN
ONLINE BANKING
Project Report
12/2/2010
D. Vamsi Krishna (109)
P. Pavan Kumar (114)
INTRODUCTION
An EFT (electronic funds transfer) is the electronic exchange or transfer of money from one
account to another, either within the same financial institution or across multiple
institutions. In modern society, many of our banking activities are performed electronically.
Whether a customer is withdrawing money from an ATM, using a credit card at a gas station,
paying bills and buying products online, or transferring money from one account to another
through a financial institution's website, an EFT is being performed. EFTs can even be
performed from a cell phone or Personal Digital Assistant (PDA). And there are often many
steps. In the US, for example, before an EFT can be posted as either a debit or a credit, it
must first pass through an Automated Clearing House (ACH), a system of the US Federal
Reserve Bank that provides EFTs between banks.
Several types of electronic fraud specifically target online banking. Some of the more popular
types are:
Phishing attacks
Phishing attacks use fake email messages from an agency or individual pretending to
represent your bank or financial institution. The email asks you to provide sensitive
information (name, password, account number, and so forth) and provides links to a
counterfeit web site. If you follow the link and provide the requested information, intruders
can access your personal account information and finances and make financial transactions
from your account.
In some cases, pop-up windows can appear in front of a copy of a genuine bank web
site. The real web site address is displayed; however, any information you type directly into
the pop-up will go to unauthorized users. In a similar scheme, called “Vishing,” a person calls
you and pretends to be a bank representative seeking to verify account information. The box
below shows an example of a phishing attack which I received in my mail. It is about an
International Lottery for which my e-mail address was selected, and to claim this lottery I
need to send my details of
From:
To:
Undisclosed-recipients
Dear Sir/Madam,
Due to mix up of some numbers and names, we ask that you keep your
winning information confidential until your claims have been fully
processed and your money remitted to you. This is part of our security
protocol to avoid multiple claims and unwarranted abuse of this program
by some participants. All participants were selected through a computer
ballot system drawn from over 20,000 company and 30,000,000 individual
email addresses and names from all over the world. This promotional
program takes place every five years.
For Claims, We require you fill this form and return to your claims
agent immediately.
Name(In Full):___________________________
Age:__________________________________
Sex:__________________________________
Phone Number (Home):___________________
Mobile:________________________________
Office Number:__________________________
Country:_______________________________
Present Occupation:_____________________
Scanned Copy Of Identity:________________
Ref. Number: _____________BTL/491OXI/04
Batch Number:_________ 12/25/0304
Ticket Number:_________ 564 75600545-188
Serial Number:_________ 5388/02
Bank A/C No. : _________________________
Yours faithfully,
Working of Pharming
1. The attacker targets the DNS service used by the customer. This server can be a DNS
server on the LAN or the DNS server hosted by an ISP for all its users. The attacker, using
various techniques, manages to change the IP address recorded for 'www.nicebank.com' to the
IP address of a web server which hosts a fake replica of nicebank.com.
2. The user wants to go to the website 'www.nicebank.com' and types the address into the web
browser.
3. The user's computer queries the DNS server for the IP address of 'www.nicebank.com'.
4. Since the DNS server has already been 'poisoned' by the attacker, it returns the IP
address of the fake website to the user's computer.
5. The user's computer is tricked into thinking that the poisoned reply is the correct IP
address of the website. The user has now been fooled into visiting the fake website controlled
by the attacker rather than the original www.nicebank.com website.
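In step 5 the user's computer has no way of knowing that the single reply it received was poisoned; a defender can spot a poisoned cache by asking several independent resolvers the same question and comparing the answers with the address ranges the bank publishes. The following is an added example, not part of the report: the netblock 203.0.113.0/24, the resolver names and their answers are all constructed sample data (documentation address ranges), and only the hostname www.nicebank.com comes from the report.

```python
import ipaddress
from collections import Counter

# Constructed sample data (not from the report). The bank is assumed to publish
# its web servers in 203.0.113.0/24; the LAN resolver's answer is the poisoned one.
BANK_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]
RESOLVER_ANSWERS = {  # answers each resolver gave for www.nicebank.com
    "lan-router": ["198.51.100.7"],
    "isp-primary": ["203.0.113.10", "203.0.113.11"],
    "public-resolver-a": ["203.0.113.10", "203.0.113.11"],
    "public-resolver-b": ["203.0.113.11", "203.0.113.10"],
}

def in_allowlist(ip, netblocks):
    """True if the address falls inside one of the bank's published netblocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in netblocks)

def check_resolvers(answers, netblocks):
    """Compare the answers several resolvers gave for the same name.

    Returns (consensus, findings): the answer set most resolvers agree on, and a
    dict naming each resolver that deviates from it or returns addresses outside
    the bank's netblocks, with the reasons. A lone poisoned cache shows up here
    even though the user's own machine accepted its reply without complaint.
    """
    normalized = {name: frozenset(ips) for name, ips in answers.items()}
    consensus, _ = Counter(normalized.values()).most_common(1)[0]
    findings = {}
    for name, ips in normalized.items():
        reasons = []
        if ips != consensus:
            reasons.append("disagrees with the majority of resolvers")
        outside = sorted(ip for ip in ips if not in_allowlist(ip, netblocks))
        if outside:
            reasons.append("addresses outside the bank's netblocks: " + ", ".join(outside))
        if reasons:
            findings[name] = reasons
    return sorted(consensus), findings

if __name__ == "__main__":
    consensus, findings = check_resolvers(RESOLVER_ANSWERS, BANK_NETBLOCKS)
    print("consensus answer:", consensus)
    for name, reasons in findings.items():
        print(name + ": " + "; ".join(reasons))
```

In practice the answers would be gathered live with a DNS library from the user's configured resolver and a few independent public ones; TLS certificate validation in the browser remains the main safeguard, since the fake server cannot present a valid certificate for the bank's name.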
In the year 2009, CERT-In handled more than 8000 incidents. The types of incidents
handled were mostly Phishing, Malicious Code, Website compromise and propagation of
malware, and Network Scanning and Probing.
The year-wise summary of the various types of incidents handled is given below:
[Table: Incident Statistics, the various types of incidents handled by CERT-In]
The cyber threats that businesses and consumers should expect from online banking are
devastating in nature. Increased mobile device processing power will mean more
opportunity for malware to run on these devices; as their numbers and use increase, they
become a viable target for attackers. Social networking threats will remain a pervasive
force and will continue to be exploited as a means of running confidence tricks. E-mail spam
is going to remain in excess of 90% of all email. Botnets will continue to be a major threat
and a major source of spam.
Conclusion
Online banking involves certain risks. It is important to educate yourself about these
risks, how unauthorized access to your financial information occurs, and the steps you can
take to protect your financial information. Learning about your rights and responsibilities as
an online banking consumer can make a difference to your financial well-being by changing
the age-old saying “A penny saved is a penny earned” to “A penny saved is a penny kept.”