
E Banking Frauds

@NLS
Naavi


Agenda

Types of Frauds that affect Bankers
The law regarding Cyber Frauds
Due Diligence Requirements


Case Study

Phishing


The Case

An NRI customer holding an account at the Tirunelveli branch of ICICI Bank receives his monthly statement from customerservice@icicibank.com.

One day he received a mail showing the same sender address, stating that his account was being deactivated for security reasons unless he logged in immediately and confirmed that the account was to be continued.

A hyperlink, apparently to the Bank's website, is provided in the same mail.

The customer logs in and confirms.
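The mail in this case showed the Bank's own customer-service address as sender and carried a link that looked like the Bank's site. The Python script below is an added example, not part of these slides, of the check a mail gateway or a careful recipient can apply before clicking: parse the message, pull every hyperlink out of the HTML body, and flag links whose target host is not under the sender's domain or whose visible text shows a different host than the href. The message, the domain names (examplebank.test, login-verify.example) and the two-label registrable-domain heuristic are constructed for illustration.

```python
"""Phishing-mail link triage (added example, not part of the original slides).

Parses a constructed message whose From: header imitates the bank's
customer-service address, extracts every <a href> from the HTML body and
reports links that point outside the sender's domain or whose visible
text shows a different host than the href. All names are made up.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: spoofed sender, link text shows the bank's site,
# href points at a look-alike host under a different domain.
RAW_MAIL = """\
From: Customer Service <customerservice@examplebank.test>
To: customer@example.test
Subject: Your account will be deactivated
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account is being deactivated for security reasons unless you
log in immediately and confirm that it should continue.</p>
<p><a href="http://examplebank.test.login-verify.example/ib/">
https://www.examplebank.test/</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of a host name. Good enough here; a deployment
    would consult the public-suffix list instead (assumption)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender_addr = msg["From"].addresses[0].addr_spec
    sender_domain = registrable_domain(sender_addr.split("@", 1)[1])
    body = msg.get_body(preferencelist=("html",)).get_content()

    parser = LinkExtractor()
    parser.feed(body)

    findings = []
    for href, text in parser.links:
        target = urlparse(href).hostname or ""
        target_domain = registrable_domain(target)
        # A bank's own mail should link to the bank's own domain.
        if target_domain != sender_domain:
            findings.append(
                f"link target {target} is outside sender domain {sender_domain}")
        # Visible text that is itself a URL must agree with the real target.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and registrable_domain(shown) != target_domain:
            findings.append(
                f"visible text shows {shown} but href goes to {target}")
    return findings


if __name__ == "__main__":
    for finding in analyse(RAW_MAIL):
        print("WARNING:", finding)
```

The sender check alone is weak because the From: header is attacker-controlled; in practice it is combined with SPF/DKIM results from the receiving gateway, which this offline example does not look up.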


The Phone Call

Next day evening, at 6.00 pm IST, he received a phone call from his Bank informing him of, and asking for confirmation of, his having withdrawn Rs 6.46 lakhs from his account and transferred it to the account of Uday Enterprises at the Fort, Bombay branch of ICICI Bank.

The customer denies any such transaction and immediately follows up with an e-mail and a fax to the Bank denying the transaction and seeking restoration of the balance in his account.


Internal Investigations

The Bank conducts an internal investigation which reveals the following:

The customer had received a phishing mail in the name of customerservice@abcbank.com and had responded to it.

The amount of Rs 6.46 lakhs had then been transferred to the Fort branch in lots of Rs 1 lakh: four transactions on 6th September, two more transactions on 7th September, and a further Rs 46,000/- on 7th September.

The account holder (Uday Enterprises) had drawn Rs 4 lakhs in cash across the counter on 7th September; Rs 35,000/- was adjusted against the OD outstanding in the account. The balance was lying in the account.

Response

The Bank writes to the customer that he was a victim of phishing and should file a complaint with the Police and pursue it.

Refuses to re-credit the amount to the customer's account.

Refuses to file a complaint in Mumbai to trace the account holder.

Internal investigation reveals that the account was in arrears of Rs 35,000/- for more than 6 months, and that the proprietor had changed address 2 years earlier and was not traceable.


Follow Up

The customer files a complaint with the Banking Ombudsman, who after verification concludes that it does not come within his jurisdiction as it is a crime-related issue and not a service-related issue.

As suggested by the Bank, a complaint is filed at Tirunelveli. Police suggest that it is a cyber crime and that the complaint has to be filed in Chennai.

A complaint is filed including the Bank as a co-accused.

Adjudication proceedings have been completed. Verdict awaited.


Additional Information

The internal investigator had reported that the CCTV in the banking hall should have captured the cash withdrawal transaction and should be checked.

The Bank never acted on this suggestion, made within a few days of the incident, and the service provider responsible for maintenance of the CCTV service is reported to have deleted the data (after one month).

Further developments..

Later it was found that the IP address indicated that all transactions were conducted from Mumbai, whereas the customer was known to be an NRI in Dubai.

The current account of Uday Enterprises was owned by one Mohammed Zulfiquar Hasim Khan.

Why should one Zulfiquar Hasim Khan open a current account in the name of Uday Enterprises?..
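The facts recorded in the internal investigation and here (seven transfers within two days, six of exactly Rs 1 lakh, to a beneficiary the customer had never paid, from a Mumbai IP while the customer lived in Dubai) form the kind of pattern a bank's transaction-monitoring rules can catch before cash leaves the counter. The Python block below is an added example, not part of these slides and not any bank's system: it replays constructed log lines modelled on the case and raises an alert when, within a 48-hour window, transfers to one beneficiary reach a threshold and carry further signals. The log format, field names, profile data and thresholds (Rs 5 lakh cluster, Rs 1 lakh per-transfer cap) are assumptions.

```python
"""Rule-based transfer monitoring (added example, not part of the original
slides or any bank's system).

Replays constructed transaction log lines modelled on the case study and
flags a cluster of transfers to one beneficiary that reaches an amount
threshold within a 48-hour window together with further signals.
Log format, field names, thresholds and profile data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per internet-banking transfer
# (timestamp, customer id, beneficiary id, amount in Rs, IP country, channel).
LOG_LINES = """\
2007-09-06T10:02:11 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-06T10:05:40 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-06T10:09:03 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-06T10:12:55 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-07T09:31:20 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-07T09:34:02 cust=NRI1042 benef=UDAY-ENT amt=100000 ip_cc=IN chan=IB
2007-09-07T09:36:48 cust=NRI1042 benef=UDAY-ENT amt=46000 ip_cc=IN chan=IB
2007-09-07T11:00:00 cust=NRI2001 benef=GROCER-01 amt=4500 ip_cc=AE chan=IB
"""

# Assumed customer profile: usual country of access and beneficiaries
# the customer has paid before.
PROFILE = {
    "NRI1042": {"home_cc": "AE", "known_benefs": set()},
    "NRI2001": {"home_cc": "AE", "known_benefs": {"GROCER-01"}},
}

WINDOW = timedelta(hours=48)
PER_TXN_CAP = 100_000    # several transfers at or under this look like splitting
CLUSTER_TOTAL = 500_000  # cumulative amount to one beneficiary that triggers review


def parse_line(line):
    """Parse one 'ts key=value ...' log line into a dict."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["amt"] = int(rec["amt"])
    return rec


def detect(lines, profile):
    """Return one alert per (customer, beneficiary) whose heaviest 48h window
    of transfers reaches CLUSTER_TOTAL, with the signals that accompany it."""
    by_pair = defaultdict(list)
    for line in lines.strip().splitlines():
        rec = parse_line(line)
        by_pair[(rec["cust"], rec["benef"])].append(rec)

    alerts = []
    for (cust, benef), recs in by_pair.items():
        recs.sort(key=lambda r: r["ts"])
        # Sliding window: keep the 48h span with the largest total.
        best, start = [], 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > WINDOW:
                start += 1
            window = recs[start:end + 1]
            if sum(r["amt"] for r in window) > sum(r["amt"] for r in best):
                best = window
        total = sum(r["amt"] for r in best)
        if total < CLUSTER_TOTAL:
            continue
        prof = profile[cust]
        reasons = [f"Rs {total} to {benef} in {len(best)} transfers within 48h"]
        if benef not in prof["known_benefs"]:
            reasons.append("beneficiary never paid before by this customer")
        if len(best) >= 3 and all(r["amt"] <= PER_TXN_CAP for r in best):
            reasons.append(f"amounts split at or under Rs {PER_TXN_CAP}")
        foreign = sorted({r["ip_cc"] for r in best} - {prof["home_cc"]})
        if foreign:
            reasons.append(
                f"access from {foreign} while profile country is {prof['home_cc']}")
        alerts.append({"cust": cust, "benef": benef, "total": total,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES, PROFILE):
        print(alert["cust"], alert["benef"], alert["total"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

In this replay the alert fires on the fifth transfer, before the cash withdrawal across the counter; a rule engine that holds such a cluster for a call-back would have reached the customer a day earlier than the Bank's own phone call in the case.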

Adjudication

Adjudication application was filed in Chennai.

After the filing, the Bank paid the balance amount of Rs 1,50,071/- which was lying in the account of Uday Enterprises.

After several hearings, the Bank offered to pay the entire fraud amount of Rs 6,46,000/- provided a suitable indemnity was given. No agreement was however reached on the terms of the indemnity.

The claim is for the entire amount lost along with interest and damages.

Matter awaiting release of the award.



Other Frauds like Phishing

Credit card frauds, theft of debit card/password.

All these frauds occur through electronic forgery.

In the case of payment of a forged cheque, who is liable?

Canara Bank Vs Canara Sales Corporation, AIR 1987 SC 1603
Citizen Co-operative Bank Ltd Vs Ritesh Mittal, 2004 CTJ 211 (Jammu and Kashmir High Court)
N. Venkanna Vs Andhra Bank, National Disputes Redressal Commission, 11th January 2005
Bhagwandas Vs Creet, (1903) 31 Cal. 249
L. Pirbhu Dayal Vs Jwala Bank, AIR 1958 All. 374
Dawood Vs Firm Pereinan Chetty, AIR 1924 Rang. 264

Why would it be different in the case of phishing?

All these cases hold the Bank liable even if the customer had shown negligence of some sort.

Banks can escape liability only if the customer has abetted the fraud or is estopped for some reason from claiming that the withdrawal was wrong.

In Germany and Denmark, Banks are held responsible for such technical crimes. India too has no option but to follow suit.

Banks should therefore put in place strategies to protect themselves from phishing liabilities.


Other Frauds involving Banks

Nigerian mails, job frauds, lottery frauds: all involve remittances to foreign countries, where the Bank as an Authorised Dealer is expected to enquire about the purpose of the remittance and approve it, or to other accounts in the Bank.

Salami frauds, software bugs.


Other means..

Stolen laptops
Shared desktops
Somebody else's negligence in allowing a key logger
Credentials written down in a diary
If data is not encrypted
Common pick pocket?


Most Dangerous

A virus may execute a Man in the Browser attack, using an authenticated session to place an unauthorized transaction.

The customer thinks that he is making a genuine transaction and therefore completes all authentication requirements himself.

But the transaction executed is different from the one contemplated.

The Bank will swear that the transaction was done only by the customer.


Emerging Threats

Trojans which use the Man in the Browser technique: Zeus and SpyEye variants.

Modify content after it is entered in the browser and before it reaches the Bank's server.

Display modified content in the browser which may not be in sync with the server information.

Can fool both the customer and the bank.
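The two slides above describe the Man in the Browser problem: the customer authenticates a transaction, the trojan changes it in transit and repaints the screen, and the bank sees a fully authenticated request. The Python block below is an added example (not part of these slides and not any product's code) that simulates the attack against two second-factor designs. A session-bound OTP is accepted even though the beneficiary was swapped; an authorisation code that the customer's separate device computes over the beneficiary and amount the customer actually saw fails verification once the trojan alters the submitted beneficiary. The HMAC construction, its 8-character truncation, the shared secret and the field names are assumptions.

```python
"""Man-in-the-Browser simulation against two second-factor designs (added
example, not part of the original slides or of any product).

A simulated trojan swaps the beneficiary after the customer fills the form.
A session-bound OTP still verifies; an authorisation code computed on the
customer's separate device over the beneficiary and amount the customer saw
does not, because the bank recomputes it over what actually arrived.
The HMAC construction, its truncation, the shared secret and the field
names are assumptions.
"""
import hashlib
import hmac


def otp_session(secret, session_id):
    """Second factor bound only to the login session, not to the transaction."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()[:8]


def authorisation_code(secret, beneficiary, amount):
    """Transaction-bound code: what the customer's device computes over the
    details it displays to the customer (assumed construction)."""
    payload = f"{beneficiary}|{amount}".encode()
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()[:8]


def mitb_trojan(form):
    """Constructed MitB behaviour: rewrite the beneficiary, keep the amount."""
    form["beneficiary"] = "MULE-ACCOUNT-0099"
    return form


def browser_submit(form, trojan=None):
    """What leaves the browser; a resident trojan may alter it after entry."""
    wire = dict(form)
    return trojan(wire) if trojan else wire


def bank_accepts_with_session_otp(secret, session_id, wire):
    """Bank-side check that only proves the session holder pressed 'confirm'."""
    return hmac.compare_digest(wire["otp"], otp_session(secret, session_id))


def bank_accepts_with_txn_code(secret, wire):
    """Bank-side check that recomputes the code over the received details."""
    expected = authorisation_code(secret, wire["beneficiary"], wire["amount"])
    return hmac.compare_digest(wire["code"], expected)


def run_scenario(secret=b"constructed-shared-secret", session_id="S-1"):
    """Run the tampered and clean submissions through both designs."""
    intended = {"beneficiary": "LEGIT-PAYEE-01", "amount": 100000}

    # Design 1: session OTP. The trojan's edit is invisible to the check.
    form1 = dict(intended, otp=otp_session(secret, session_id))
    wire1 = browser_submit(form1, trojan=mitb_trojan)
    accepted1 = bank_accepts_with_session_otp(secret, session_id, wire1)

    # Design 2: code over the details the customer saw on the separate device.
    code = authorisation_code(secret, intended["beneficiary"], intended["amount"])
    form2 = dict(intended, code=code)
    wire2 = browser_submit(form2, trojan=mitb_trojan)
    accepted2 = bank_accepts_with_txn_code(secret, wire2)

    # Control: the same code with no trojan in the path.
    wire3 = browser_submit(form2)
    accepted3 = bank_accepts_with_txn_code(secret, wire3)

    return {
        "tampered_beneficiary": wire1["beneficiary"],
        "session_otp_tampered_accepted": accepted1,
        "txn_code_tampered_accepted": accepted2,
        "txn_code_clean_accepted": accepted3,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The defence holds only if the device that computes the code also shows the customer the beneficiary and amount it is signing; a trojan that rewrites the browser's display would otherwise get the customer to approve the altered values, which is exactly the "display modified content" behaviour the slide describes.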

At the Organization..

What can go wrong?


List of Trojans.. A gift to visitors to the website of a Bank..

Website compromised on 29th August 2007

Email-Worm.Win32.Agent.l
Rootkit.Win32.Agent.dw
Rootkit.Win32.Agent.ey
Trojan-Downloader.Win32.Agent.cnh
Trojan-Downloader.Win32.Small.ddy
Trojan-Proxy.Win32.Agent.nu
Trojan-Proxy.Win32.Wopla.ag
Trojan.Win32.Agent.awz
Trojan-Proxy.Win32.Xorpix.Fam
Trojan-Downloader.Win32.Agent.ceo
Trojan-Downloader.Win32.Tibs.mt
Trojan-Downloader.Win32.Agent.boy
Trojan-Proxy.Win32.Wopla.ah
Rootkit.Win32.Agent.ea
Trojan.Pandex
Trojan-Proxy.Win32.Cimuz.G
TSPY_AGENT.AAVG (Trend Micro)
Trojan.Netview

Website closed from 30th August to 4th September 2007


ATM/Credit Card Cloning


E Banking dispute resolution system

Three modes, depending on the cause of action:

Violation of RBI guidelines or a deficiency of service: Banking Ombudsman / Consumer Forum

An offence or contravention of ITA 2000/8: Adjudication process as per ITA 2000/8


Cyber Law College

Banking Ombudsman Scheme

Banking Ombudsman Scheme 2006, effective from January 1, 2006.

Amended on May 24, 2007 and February 3, 2009.

Is essentially a mediation process.


Essence of the Banking Ombudsman (BO) Scheme

Powers and Jurisdiction

Territorial: BOs have been set up in 15 different regional offices of RBI.

BOs shall receive and consider complaints relating to deficiencies in banking or other services filed on the grounds mentioned in clause 8, and facilitate their satisfaction or settlement by agreement or through conciliation and mediation between the bank concerned and the aggrieved parties, or by passing an Award in accordance with the Scheme.

Maximum compensation Rs 10 lakhs (actual loss).

In credit card related complaints, additional compensation of Rs 1 lakh is payable for harassment, mental anguish etc.


Grounds of Complaint (Clause 8)

(a) non-payment or inordinate delay in the payment or collection of cheques, drafts, bills etc.;
(b) non-acceptance, without sufficient cause, of small denomination notes tendered for any purpose, and for charging of commission in respect thereof;
(c) non-acceptance, without sufficient cause, of coins tendered and for charging of commission in respect thereof;
(d) non-payment or delay in payment of inward remittances;
(e) failure to issue or delay in issue of drafts, pay orders or bankers' cheques;
(f) non-adherence to prescribed working hours;
(g) failure to provide or delay in providing a banking facility (other than loans and advances) promised in writing by a bank or its direct selling agents;
(h) delays, non-credit of proceeds to parties' accounts, non-payment of deposit or non-observance of the Reserve Bank directives, if any, applicable to rate of interest on deposits in any savings, current or other account maintained with a bank;
(i) complaints from Non-Resident Indians having accounts in India in relation to their remittances from abroad, deposits and other bank related matters;
(j) refusal to open deposit accounts without any valid reason for refusal;
(k) levying of charges without adequate prior notice to the customer;
(l) non-adherence by the bank or its subsidiaries to the instructions of Reserve Bank on ATM/Debit card operations or credit card operations;
(m) non-disbursement or delay in disbursement of pension (to the extent the grievance can be attributed to the action on the part of the bank concerned, but not with regard to its employees);
(n) refusal to accept or delay in accepting payment towards taxes, as required by Reserve Bank/Government;
(o) refusal to issue or delay in issuing, or failure to service or delay in servicing or redemption of Government securities;
(p) forced closure of deposit accounts without due notice or without sufficient reason;
(q) refusal to close or delay in closing the accounts;
(r) non-adherence to the fair practices code as adopted by the bank;
(s) non-adherence to the provisions of the Code of Bank's Commitments to Customers issued by Banking Codes and Standards Board of India and as adopted by the bank;
(t) non-observance of Reserve Bank guidelines on engagement of recovery agents by banks; and
(u) any other matter relating to the violation of the directives issued by the Reserve Bank in relation to banking or other services.

Procedure for Filing Complaint

A complaint may be filed by the customer or his authorized representative (other than an advocate).

A complaint made through electronic means shall also be accepted by the Banking Ombudsman, and a print out of such complaint shall be taken on the record of the Banking Ombudsman.

Pre-requisites..

No reply from the Bank for one month, or the complainant is not satisfied with the reply given to him by the Bank.

Complaint within 13 months after the date of representation to the Bank.


Grounds of Rejection

(a) not on the grounds of complaint referred to in clause 8 or otherwise not in accordance with sub clause (3) of clause 9 (Ed: notice to Bank); or
(b) beyond the pecuniary jurisdiction of the Banking Ombudsman prescribed under clause 12 (5) and 12 (6); or
(c) requiring consideration of elaborate documentary and oral evidence and the proceedings before the Banking Ombudsman are not appropriate for adjudication of such complaint; or
(d) without any sufficient cause; or
(e) that it is not pursued by the complainant with reasonable diligence; or
(f) in the opinion of the Banking Ombudsman there is no loss or damage or inconvenience caused to the complainant.

Appeal before the Appellate Authority

Any person aggrieved by an Award under clause 12 or rejection of a complaint for the reasons referred to in sub clauses (d) to (f) of clause 13 may, within 30 days of the date of receipt of communication of the Award or rejection of the complaint, prefer an appeal before the Appellate Authority.


Adjudication Process

Under ITA 2000/8


What is Adjudication

Adjudication is the system provided by ITA 2000 for speedy disposal of civil disputes arising out of contraventions of ITA 2000.

Under Sec 46 of ITA 2000, adjudication is the first step for claiming damages for contraventions of ITA 2000/8.

Appeal from the Adjudicator lies with the Cyber Appellate Tribunal (CAT).

Appeal from the CAT lies with the High Court.

Notification of 25th March 2003, MIT, GOI

The Secretary of the Department of Information Technology of each of the States or of Union Territories is hereby appointed as Adjudicating Officer for the purposes of the Information Technology Act, 2000.

Shall provide the infrastructure and maintain the records of the matters handled by the AO functioning in the States/Union Territories.

Powers under Sec 46

(1) For the purpose of adjudging under this Chapter whether any person has committed a contravention of any of the provisions of this Act or of any rule, regulation, direction or order made thereunder which renders him liable to pay penalty or compensation, the Central Government shall, subject to the provisions of sub-section (3), appoint any officer not below the rank of a Director to the Government of India or an equivalent officer of a State Government to be an adjudicating officer for holding an inquiry in the manner prescribed by the Central Government.

(1A) The adjudicating officer appointed under sub-section (1) shall exercise jurisdiction to adjudicate matters in which the claim for injury or damage does not exceed rupees five crore:

Provided that the jurisdiction in respect of claim for injury or damage exceeding rupees five crore shall vest with the competent court.

(2) The adjudicating officer shall, after giving the person referred to in sub-section (1) a reasonable opportunity for making representation in the matter and if, on such inquiry, he is satisfied that the person has committed the contravention, he may impose such penalty as he thinks fit in accordance with the provisions of that section.

(3) No person shall be appointed as an adjudicating officer unless he possesses such experience in the field of Information Technology and legal or judicial experience as may be prescribed by the Central Government.

(4) Where more than one adjudicating officers are appointed, the Central Government shall specify by order the matters and places with respect to which such officers shall exercise their jurisdiction.

(5) Every adjudicating officer shall have the powers of a civil court which are conferred on the Cyber Appellate Tribunal under sub-section (2) of section 58, and
(a) all proceedings before it shall be deemed to be judicial proceedings within the meaning of sections 193 and 228 of the Indian Penal Code;
(b) shall be deemed to be a civil court for the purposes of sections 345 and 346 of the Code of Criminal Procedure, 1973;
(c) shall be deemed to be a Civil Court for purposes of Order XXI of the Civil Procedure Code, 1908.


Sec 47: Factors to be taken into account by the adjudicating officer

While adjudging the quantum of compensation under this Chapter the adjudicating officer shall have due regard to the following factors, namely:

(a) the amount of gain of unfair advantage, wherever quantifiable, made as a result of the default;
(b) the amount of loss caused to any person as a result of the default;
(c) the repetitive nature of the default.


What are the contraventions?

Only Sec 43 and Sec 43A (after ITA 2008) are applicable.

Sec 43: 8 contraventions in ITA 2000; 2 more added in ITA 2008.

Sec 43A: not maintaining reasonable security practices by a body corporate in possession of sensitive personal information of an individual.


What is the scope of Sec 43?

Applies where the specified action occurs without the permission of the owner of the computer.

Liability is damages payable to the person who has suffered the loss, payable by the person who committed any of the 10 contraventions.


Is adjudication subordinate to registration of a criminal case?

Adjudication is a civil process, not dependent on the Police filing an FIR.

Notification of 17/03/2003 (MIT) provides suo motu powers to the adjudicator:

At any time or on receipt of a report of contravention from an aggrieved person, or by a Government agency or suo-moto, the Adjudicating Officer may get the matter or the report investigated from an officer in the Office of Controller or CERT-IN or from the concerned Deputy Superintendent of Police, to ascertain more facts and whether prima facie there is a case for adjudicating in the matter or not.

Procedure

Not bound by the Civil Procedure Code.

Victim not bound to give all details of the accused..

Can be like an enquiry; rules to be defined by the adjudicator.

Not mandatory to engage legal counsel.

Can examine documents and witnesses.

A simple application as per the draft will suffice.

Where required, investigation can be ordered by the adjudicator.

Evidence that a contravention has occurred is sufficient.


Sec 61. Civil court not to have jurisdiction

No court shall have jurisdiction to entertain any suit or proceeding in respect of any matter which an adjudicating officer appointed under this Act or the Cyber Appellate Tribunal constituted under this Act is empowered by or under this Act to determine, and no injunction shall be granted by any court or other authority in respect of any action taken or to be taken in pursuance of any power conferred by or under this Act.


Scope

Jurisdiction for Chapter IX in the State in which posted.

Location of computers as defined in sub-section 2 of Section 75.


Application

Complaint on plain paper as per the proforma, together with the fees prescribed.


Manner of Holding Enquiry

AO to issue a notice, together with all the documents, to the necessary parties, fixing date and time and indicating the time and place of contravention, the person against whom the contravention was committed etc.


Time Limit

As far as possible, every application shall be heard and decided in four months and the whole matter in six months.


Cases for Reference

S. Umashankar Vs ICICI Bank (Adjudicator of Tamil Nadu)

Gujarat Petrosynthese Ltd Vs Axis Bank (Adjudicator of Karnataka)


Cyber Evidence


Law of Digital Evidence in India

Derived from the amendments made to the Indian Evidence Act consequent to the passing of the Information Technology Act 2000, effective from October 17, 2000.

Gave legal recognition to electronic documents.

Defined digital signature as a means of authentication of an electronic document.

Imposed certain presumptive value on digitally signed electronic documents.

Defined admissibility of evidence under the Indian Evidence Act.


What Constitutes Evidence?

Indian Evidence Act (Sec 3) amended to include electronic documents.

Evidence means and includes electronic records produced for inspection of the court.

"Electronic Record" means data, record or data generated, image or sound stored, received or sent in an electronic form or micro film or computer generated micro fiche.

(Microfiche = small sheet of microfilm on which many pages of material have been photographed. Equipment is available that accepts a data stream from a computer and exposes film to produce images as if the stream had been sent to a line printer and the listing had been microfilmed.)


Admissibility of Electronic Records (Sec 65B, IEA)

(1) Notwithstanding anything contained in this Act, any information contained in an electronic record which is printed on a paper, stored, recorded or copied in optical or magnetic media produced by a computer (hereinafter referred to as the computer output) shall be deemed to be also a document, if the conditions mentioned in this section are satisfied in relation to the information and computer in question, and shall be admissible in any proceedings, without further proof or production of the original, as evidence of any contents of the original or of any fact stated therein of which direct evidence would be admissible.

(2) The conditions referred to in sub-section (1) in respect of a computer output shall be the following, namely:

(a) the computer output containing the information was produced by the computer during the period over which the computer was used regularly to store or process information for the purposes of any activities regularly carried on over that period by the person having lawful control over the use of the computer;

(b) during the said period, information of the kind contained in the electronic record or of the kind from which the information so contained is derived was regularly fed into the computer in the ordinary course of the said activities;

(c) throughout the material part of the said period, the computer was operating properly or, if not, then in respect of any period in which it was not operating properly or was out of operation during that part of the period, was not such as to affect the electronic record or the accuracy of its contents; and

(d) the information contained in the electronic record reproduces or is derived from such information fed into the computer in the ordinary course of the said activities.

(3) Where over any period, the function of storing or processing information for the purposes of any activities regularly carried on over that period as mentioned in clause (a) of sub-section (2) was regularly performed by computers, whether

(a) by a combination of computers operating over that period; or
(b) by different computers operating in succession over that period; or
(c) by different combinations of computers operating in succession over that period; or
(d) in any other manner involving the successive operation over that period, in whatever order, of one or more computers and one or more combinations of computers,

all the computers used for that purpose during that period shall be treated for the purposes of this section as constituting a single computer; and references in this section to a computer shall be construed accordingly.


Certification of Documents (Sec 65B(4), IEA)

(4) In any proceedings where it is desired to give a statement in evidence by virtue of this section, a certificate doing any of the following things, that is to say,

(a) identifying the electronic record containing the statement and describing the manner in which it was produced;

(b) giving such particulars of any device involved in the production of that electronic record as may be appropriate for the purpose of showing that the electronic record was produced by a computer;

(c) dealing with any of the matters to which the conditions mentioned in sub-section (2) relate,

and purporting to be signed by a person occupying a responsible official position in relation to the operation of the relevant device or the management of the relevant activities (whichever is appropriate), shall be evidence of any matter stated in the certificate; and for the purposes of this sub-section it shall be sufficient for a matter to be stated to the best of the knowledge and belief of the person stating it.


Proof of Digital Signature (Sec 67A, IEA)

According to the amendment made to the Indian Evidence Act (Section 67A), except in the case of a secure digital signature, if the digital signature of any subscriber is alleged to have been affixed to an electronic record, the fact that such digital signature is the digital signature of the subscriber must be proved.

Secure digital signature is defined by a notification of October 2004 as a digital signature where a cryptographic key/smart card is used to securely store and use the private key.


www.ceac.in


For Further Reference

www.naavi.org

Copy of Internet Banking guidelines
Copy of GGWG guidelines
Copy of judgments in respect of Umashankar and Gujarat Petrosynthese Ltd
Etc.

Also visit the E Safe Banking page on Facebook.


Thank You..Questions?

Contact

www.naavi.org
www.cyberlawcollege.com
www.ceac.in

E-Mail: naavi@vsnl.com
