RISKS AND FRAUDS IN
ONLINE BANKING
Project Report
12/2/2010
D. Vamsi Krishna (109)
P. Pavan Kumar (114)
INTRODUCTION

Internet banking is now a mass-market product that is demanded as an essential
service by increasing numbers of bank customers. More and more people rely upon the
convenience and ease of use of Internet banking services in their daily life. More and more,
the quality of a bank's Internet banking service can affect the overall level of satisfaction and
loyalty of its customers. The growing availability and popularity of Internet banking has
created the biggest challenge to its continued viability and growth. Fraudsters are attracted by
the huge potential for online theft and are posing increasingly sophisticated and effective
threats to the security of customer transactions carried out over the Internet.
Online banking continues to present challenges to financial security and personal
privacy. Millions of people have had their checking accounts compromised, mainly as a
result of online banking. If we are going to use online banking to conduct financial
transactions, we should be aware of the risks and take precautions to minimize them.
Financial fraud has many faces. Whether it involves swindling, debit or credit card
fraud, real estate fraud, drug trafficking, identity theft, deceptive telemarketing, or money
laundering, the goal of cybercriminals is to make as much money as possible within a short
time and to do so inconspicuously.
The growing popularity of Electronic Funds Transfers (EFTs) may soon make paper
bills obsolete, as more individuals discover the ease of accessing their bank accounts and
transferring money electronically each day. EFT services are quickly becoming one of the
fastest growing segments of the financial services industry in the US and abroad. However,
with this trend, an increasing number of frauds involving money laundering and identity theft
in EFTs are continuing to emerge. While affording convenience, EFTs put the customer at
risk for serious security problems. In the US alone, an estimated $500 billion is electronically
transferred among financial institutions daily, providing criminals and financial terrorists vast
opportunities to intercept funds. To further complicate the problem, evidence suggests that
credit risk and fraud are of even more concern during weak economic periods, when
bankruptcies and business failures are more prevalent.
Therefore, it is imperative that financial institutions be fully aware of the dangers
EFTs pose and the steps they must take in order to maintain the security of their funds, as
well as the funds of their customers. In order to protect their customers against fraud,
financial institutions must be proactive in their approach to training their staff on how to
identify the risks associated with EFTs.
ELECTRONIC FUNDS TRANSFER (EFT)

An EFT is the electronic exchange or transfer of money from one account to another,
either within the same financial institution or across multiple institutions. In modern society,
many of our banking activities are performed electronically. Whether a customer is
withdrawing money from an ATM, using a credit card at a gas station, paying bills and
buying products online or transferring money from an account to another through a financial
institution's website, it is an EFT being performed. EFTs can even be performed from a cell
phone or Personal Digital Assistant (PDA). A single transfer often involves many steps. In the
US, for
example, before an EFT can be posted as either a debit or credit, it must first pass through an
Automated Clearing House (ACH), a system of the US Federal Reserve Bank that provides
EFTs between banks.

ATTACKS THAT TARGET ONLINE BANKING

Several types of electronic fraud specifically target online banking. Some of the more popular
types are:

Phishing attacks
Phishing attacks use fake email messages from an agency or individual pretending to
represent your bank or financial institution. The email asks you to provide sensitive
information (name, password, account number, and so forth) and provides links to a
counterfeit web site. If you follow the link and provide the requested information, intruders
can access your personal account information and finances and make financial transactions
from your account.
In some cases, pop-up windows can appear in front of a copy of a genuine bank web
site. The real web site address is displayed; however, any information you type directly into
the pop-up will go to unauthorized users. In a similar scheme, called “Vishing,” a person calls
you and pretends to be a bank representative seeking to verify account information. The box
below shows an example of a phishing attack which I received in my mail. It is about an
International Lottery for which my e-mail was selected, and to claim this lottery I need to send
my details of
Online result from our office (BNL)
Sunday, September 30, 2007 7:47 PM
From: "Mrs. Tracy Kelly" <jfarris21@chartertn.net>
To: Undisclosed-recipients

British National Lottery
P O Box 1010
Liverpool, L70 1NL
UNITED KINGDOM

Dear Sir/Madam,

We are pleased to inform you of the result of the Winners in our
British International Lottery Program held on the 28th of September
2007. Your e-mail address attached to ticket number 564 75600545-188
with serial number 5388/02 drew lucky numbers 7-14-18-31-45, which
consequently won in the 2ND category, you have therefore been approved
for a lump sum pay out of £100,000 (One hundred thousand pounds
sterling).

Due to mix up of some numbers and names, we ask that you keep your
winning information confidential until your claims have been fully
processed and your money remitted to you. This is part of our security
protocol to avoid multiple claims and unwarranted abuse of this program
by some participants. All participants were selected through a computer
ballot system drawn from over 20,000 company and 30,000,000 individual
email addresses and names from all over the world. This promotional
program takes place every five years.

To begin your claims process therefore, you are advised to
expeditiously contact our Director of finance for the processing of
your winning and remittance to your designated bank account after all
statutory obligations have been satisfactorily dispensed with.

To file for your claim, please contact our fiduciary agent:

Mr. Paul Walters (BRITISH NATIONAL LOTTERY)
32 Palmstraat, Liverpool, L70 1NL London.
E-Mail: infoweb@notiz.us

Our winners are assured of the utmost standards of confidentiality, and
press anonymity until the end of proceedings, and beyond where they so
desire. Be further advised to maintain the strictest level of
confidentiality until the end of proceedings to circumvent problems
associated with fraudulent claims. This is part of our precautionary
measure to avoid double claiming and unwarranted abuse of this program.

For Claims, We require you fill this form and return to your claims
agent immediately.

Name(In Full):___________________________
Age:__________________________________
Sex:__________________________________
Phone Number (Home):___________________
Mobile:________________________________
Office Number:__________________________
Country:_______________________________
Present Occupation:_____________________
Scanned Copy Of Identity:________________
Ref. Number: _____________BTL/491OXI/04
Batch Number:_________ 12/25/0304
Ticket Number:_________ 564 75600545-188
Serial Number:_________ 5388/02
Bank A/C No. : _________________________

Please note in order to avoid unnecessary delays and complications,
remember to quote your reference number and batch numbers in all
correspondence.

Yours faithfully,

Mrs. Tracy Kelly
Zonal Co-ordinator.
British Lottery International (co-coordinator)

BRITISH LOTTERY INTERNATIONAL
COPYRIGHT © 2007 ALL RIGHT RESERVED.
Open 7 days 8am-11pm

Malware
Malware is the term for maliciously crafted software code. Special computer
programs now exist that enable intruders to fool you into believing that traditional security is
protecting you during online banking transactions. Attacks involving malware are a factor in
online financial crime. In fact, it is possible for this type of malicious software to perform the
following operations:
• Account information theft - Malware can capture the keystrokes for your login
information. Malware can also monitor and capture other data you use to authenticate your
identity (for example, special images that you selected or “magic words” you chose).
• Fake web site substitution - Malware can generate web pages that appear to be legitimate
but are not. They replace your bank's legitimate web site with a page that can look identical,
except that the web address will vary in some way. Such a “man-in-the-middle attack” site
enables an attacker to intercept your user information. The attacker adds additional fields to
the copy of the web page opened in your browser. When you submit the information, it is
sent to both the bank and the malicious attacker without your knowledge.
• Account hijacking - Malware can hijack your browser and transfer funds without your
knowledge. When you attempt to login at a bank web site, the software launches a hidden
browser window on your computer, logs in to your bank, reads your account balance, and
creates a secret fund transfer to the intruder-owned account.
Pharming
Pharming attacks involve the installation of malicious code on your computer;
however, they can take place without any conscious action on your part. In one type of
pharming attack you open an email, or an email attachment, that installs malicious code on
your computer. Later, you go to a fake web site that closely resembles your bank or financial
institution. Any information you provide during a visit to the fake site is made available to
malicious users. All the attack types listed above share one characteristic: they are created
using technology but, in order to succeed, they need you to provide information:
• In phishing attacks, you must provide the information or visit links.
• With malware, you must be tricked into performing actions you would not normally do.
You would have to install the malware on your computer, either by running a program, such
as an email attachment, or by visiting a web site through an email or instant message link.
Then, you would have to submit your bank login information. Your financial information
would be at risk only after you perform all these steps.
• With pharming attacks, you must open an email, or email attachment, to become vulnerable.
You then visit a fake website and, without your knowledge, provide information that
compromises your financial identity.

Working of Pharming
1. The attacker targets the DNS service used by the customer. This server can be a DNS
server on the LAN or the DNS server hosted by an ISP for all users. The attacker, using
various techniques, manages to change the IP address of 'www.nicebank.com' to the IP
address of a web server which contains a fake replica of nicebank.com.
2. The user wants to go to the website 'www.nicebank.com' and types the address in the web
browser.
3. The user's computer queries the DNS server for the IP address of 'www.nicebank.com'.
4. Since the DNS server has already been 'poisoned' by the attacker, it returns the IP
address of the fake website to the user's computer.
5. The user's computer is tricked into thinking that the poisoned reply is the correct IP
address of the website. The user has now been fooled into visiting the fake website controlled
by the attacker rather than the original www.nicebank.com website.
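The following is an added example, not code from the report: the checks a stub resolver or DNS proxy applies to a UDP answer before trusting it (transaction id, response flags, an exact echo of the question, and the owner name of every record), which are what make a spoofed reply of the kind in step 4 fail. The query and replies for the report's hypothetical www.nicebank.com are constructed in the code, as are the two addresses; it also covers a reply that carries an answer for an unrelated name, which goes beyond the single case the steps describe.

```python
import struct

A_RECORD, IN_CLASS = 1, 1
BANK = "www.nicebank.com"                                  # the report's hypothetical bank
GENUINE_IP, ATTACKER_IP = "192.0.2.10", "198.51.100.66"    # constructed sample addresses

def encode_name(name):
    """Encode a hostname as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a wire-format name starting at `off`, following compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                          # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr)[0]]), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(txid, name):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD flag set, one question
    return header + encode_name(name) + struct.pack("!HH", A_RECORD, IN_CLASS)

def build_response(txid, qname, answers):
    """Answer message; `answers` is a list of (owner name, IPv4 address) pairs."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    body = encode_name(qname) + struct.pack("!HH", A_RECORD, IN_CLASS)
    for owner, ip in answers:
        body += encode_name(owner) + struct.pack("!HHIH", A_RECORD, IN_CLASS, 300, 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return header + body

def validate_response(query, response):
    """Return (addresses, "ok"), or (None, reason) when the reply must be discarded."""
    if response[:2] != query[:2]:                          # blind spoofing has to guess this
        return None, "transaction id mismatch"
    _txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if not flags & 0x8000 or qdcount != 1:
        return None, "not a response to a single question"
    if response[12:len(query)] != query[12:]:              # question must echo ours exactly
        return None, "question section does not match the query"
    qname = decode_name(query, 12)[0]
    off, addrs = len(query), []
    for _ in range(ancount):
        owner, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata, off = response[off:off + rdlen], off + rdlen
        if owner.lower() != qname.lower():                 # accept answers for our name only
            return None, "answer for an unrelated name: " + owner
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return addrs, "ok"

def demo():  # genuine reply is accepted; two spoofed replies to the same query are dropped
    query = build_query(0x1A2B, BANK)
    genuine = build_response(0x1A2B, BANK, [(BANK, GENUINE_IP)])
    wrong_txid = build_response(0x9999, BANK, [(BANK, ATTACKER_IP)])
    foreign_owner = build_response(0x1A2B, BANK, [("login.example.net", ATTACKER_IP)])
    return {"genuine": validate_response(query, genuine),
            "wrong_txid": validate_response(query, wrong_txid),
            "foreign_owner": validate_response(query, foreign_owner)}
```

These checks only defeat a reply that is spoofed from outside; a correctly guessed id, or a resolver whose own records were altered as in step 1, is caught only by DNSSEC validation or by the bank site's TLS certificate failing to match.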

INDIAN SCENARIO OF BANKING FRAUDS

CERT-In is a functional organisation of the Department of Information Technology,
Ministry of Communications and Information Technology, Government of India, with the
objective of securing Indian cyber space. CERT-In provides Incident Prevention and
Response services as well as Security Quality Management Services.
In the Information Technology (Amendment) Act 2008, CERT-In has been designated to
serve as the national agency to perform the following functions in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents
• Forecast and alerts of cyber security incidents
• Emergency measures for handling cyber security incidents
• Coordination of cyber incident response activities
• Issue guidelines, advisories, vulnerability notes and whitepapers relating to information
security practices, procedures, prevention, response and reporting of cyber incidents
• Such other functions relating to cyber security as may be prescribed

Incident Handling Reports

[Figure: Computer Security Incidents handled by CERT-In during 2009]

In the year 2009, CERT-In handled more than 8000 incidents. The types of incidents
handled were mostly of Phishing, Malicious Code, Website compromise & propagation of
malware and Network Scanning & Probing.
The year-wise summary of various types of incidents handled is given below:

[Table: year-wise summary of the types of incidents handled by CERT-In]

Incident Statistics

[Figure: Various types of incidents handled by CERT-In]

Tracking of Indian Website Defacements


CERT-In has been tracking the defacements of Indian websites and suggesting
suitable measures to harden the web servers to the organizations concerned. In all, 6023
defacements have been tracked. Most of the defacements were done for the websites under
the .in domain. In total, 3042 .in domain websites were defaced.

[Figure: Indian websites defaced during 2009 (top-level domains)]

Symantec Report
In a recent report, top security vendor Symantec had studied this underground
economy and listed the top selling and advertised products. The report has some very
interesting observations and it is surprising to know that sensitive data like Credit Card
information is available for as low as $0.85.
The underground economy is an evolving and self-sustaining black market
where underground economy servers, or black market forums, are used for the promotion and
trade of stolen information and services. This information can include government-issued
identification numbers such as Social Security numbers (SSNs), credit card numbers, debit
card information, user accounts, email address lists, and bank accounts.
Following are the top selling products and services in the malware infection economy.
Bank account credentials: may consist of name, bank account number (including transit and
branch number), address, and phone number. Online banking logins and passwords are often
sold as a separate item.
Cash out: a withdrawal service where purchases are converted into true currency. This could
be in the form of online currency accounts or through money transfer systems and typically,
the requester is charged a percentage of the cash out value as a fee.
Credit card information: includes credit card number and expiry date. It may also contain
the cardholder name, Credit Verification Value 2 (CVV2) number, PIN, billing address,
phone number, and company name (for a corporate card). CVV2 is a three or four-digit
number on the credit card and used for card-not-present transactions such as Internet or phone
purchases. This was created to add an extra layer of security for credit cards and to verify that
the person completing the transaction was in fact, in possession of the card.
Email accounts: includes user ID, email address, password. In addition, the account may
contain personal information such as addresses, other account information, and email
addresses in the contact list.
Email addresses: consists of lists of email addresses used for spam or phishing activities.
The email addresses can be harvested from hacking databases, public sites on the Internet, or
from stolen email accounts. The sizes of lists sold can range from 1 MB to 150 MB.
Full identities: may consist of name, address, date of birth, phone number, and government-
issued number. It may also include extras such as driver's license number, mother's maiden
name, email address, or “secret” questions/answers for password recovery.
Mailers: an application that is used to send out mass emails (spam) for phishing attacks.
Examples of this are worms and viruses.
Proxies: Proxy services provide access to a software agent, often a firewall mechanism,
which performs a function or operation on behalf of another application or system while
hiding the details involved, allowing attackers to obscure their path and make tracing back to
the source difficult or impossible. This can involve sending email from the proxy, or
connecting to the proxy and then out to an underground IRC server to sell credit cards or
other stolen goods.
Shell scripts: used to perform operations such as file manipulation and program execution.
They can also be used as a command line interface for various operating systems.
Tips for Safe Online Banking
When it comes to online banking, there is no way to absolutely guarantee your safety.
However, good practices do exist that can reduce the risks posed to your online accounts. The
following sections describe these practices.
Review your bank’s information about its online privacy policies and practices
By law, banks are required to send a copy of their privacy policies and practices
annually; bank web sites should also have this information. As you read this information, pay
particular attention to any mention of the methods used for encrypting transactions and
authenticating user information. Also, check the information to see if the bank requires
additional security information before authorizing a payment to a business or individual that
has never received a payment before.
Before setting up any online bill payment, check the privacy policy of the company or
service you will be sending payment to.
You have the right to limit the information an online bank shares with both its parent
organization and any other financial institutions. Be aware that some online banks may
have separate procedures for handling each of these requests. You may also want to use a
service such as the Better Business Bureau to view any existing history of outstanding
consumer complaints about privacy violations.
For security purposes, choose an online personal identification number (PIN) that is
unique and hard to guess.
Be sure to change your PIN regularly. Do not choose a PIN that contains personal
information such as your birthday or Social Security number; an attacker might be able to
guess these. Regardless of the circumstances, never give someone access to your current PIN
number.
Install anti-virus, firewall, and anti-spyware programs on your computer and keep them up
to date.
Installing and updating this software protects your computer and its contents against
unauthorized access. You should turn on automatic updates for these programs or, if
prompted, always agree to download system updates as soon as they are available.
Regularly check your online account balance for unauthorized activity.
Timing is a factor in your response to unauthorized electronic fund transactions. If
you receive a paper account balance, make sure that you reconcile it with your online
balance.
Use a credit card to pay for online goods and services.
Credit cards usually have stronger protection against personal liability claims than
debit cards. Some credit cards limit personal liability for unauthorized transactions to $50.
Personal liability for debit cards can be higher. According to the Federal Reserve's
Regulation E, if you report an electronic fund transaction problem involving debit cards to a
bank or financial institution in the first two days, you are only liable for $50. Reporting that
same incident between 3 and 60 days increases your personal liability to $500. After 60 days,
there are no financial restrictions placed on your personal liability.
Avoid situations where personal information can be intercepted, retrieved, or viewed by
unauthorized individuals.
You should conduct online bank transactions in locations that are not subject to public
monitoring. When you are entering login information, you should avoid using unsecured or
public network connections (for example, at a coffee shop or library). As a general rule, you
should avoid using any computer that other people can freely access; the end result could be
unauthorized access of your financial information. Remember, it is possible for your account
information to be stored in the web browser's temporary memory.
If you receive email correspondence about a financial account, verify its authenticity by
contacting your bank or financial institution.
You should not reply to any email requests for security information, warnings of an
account suspension, opportunities to make easy money, overseas requests for financial
assistance, and so forth. Also, links found in these suspicious emails should not be clicked.
Forward a copy of the suspicious email to the Federal Trade Commission at uce@ftc.com and
then delete the email from your mailbox.
If you have disclosed financial information to a fraudulent web site, file reports with the
following organizations:
• your bank
• the local police
• the Federal Trade Commission – http://www.ftc.gov
• the Internet Crime Complaint Center – http://www.ic3.gov
• the three major credit bureaus – Equifax, Experian, and TransUnion
Cyber Threats Expected in the Future

The cyber threats that businesses and consumers should expect from online banking
are devastating in nature. Increased mobile device processing power will mean more
opportunity for malware to run on these devices. As their numbers and use increase, they
become a viable target for attackers. Future social networking threats continue to be a
persuasive force and will continue to be exploited as a means of running confidence tricks.
E-mail spam is going to remain in excess of 90% of all email. Botnets will continue to be a
major threat and a major source of spam.

Conclusion

Online banking involves certain risks. It is important to educate yourself about these
risks, how unauthorized access to your financial information occurs, and the steps you can
take to protect your financial information. Learning about your rights and responsibilities as
an online banking consumer can make a difference to your financial well-being by changing
the age-old saying “A penny saved is a penny earned” to “A penny saved is a penny kept.”
