NAME OF THE SUBJECT : Management of bank and Finance

NAME OF THE TOPIC : Cyber Frauds and Prevention in Banks

CLASS: MFM ( SEM 5)

NAME OF THE INSTITUTE : MET Institute of Management

ACADEMIC YEAR : 2015-18

 ASHOK ANCHAN : 61

MERLYN COELHO 65 JANCY RANI NADAR :85

OLSON PEREIRA 89 SWATI SHETTY : 96

UJWALA TODKAR :102

What is CYBERFRAUD
??
????
??????
????????
??????????
????????????
???????????????
?????????????????
Cyberfraud refers to any type of deliberate deception for unfair or unlawful gain
that occurs online.

The most common form is online credit card theft.

Other common forms of monetary cyberfraud include nondelivery of paid
products purchased through online auctions &
nondelivery of merchandise or software bought online.

Cyberfraud also refers to data break-ins, identity theft, and cyberbullying, all of
which are seriously damaging.

Eg of Cyber Fraud: Online theft of credit card number, expiration date, and
other information for criminal use.
What are the different kinds of
Cyber Fraud
 Identity theft
Identity theft and fraud is one of the most common types of cybercrime. The term
Identity Theft is used, when a person purports to be some other person, with a view
to creating a fraud for financial gains. When this is done online on the Internet, its is
called Online Identity Theft. The most common source to steal identity information
of others, are data breaches affecting government or federal websites. It can be data
breaches of private websites too, that contain important information such as – credit
card information, address, email ID’s, etc.
 Ransomware
This is one of the detestable malware-based attacks. Ransomware enters
your computer network and encrypts your files using public-key encryption,
and unlike other malware this encryption key remains on the hacker’s server.
 DoS attacks
DoS(Denial of Service) attacks are used to make an online service unavailable and
bring it down, by bombarding or overwhelming it with traffic from multiple
locations and sources. Large networks of infected computers, called Botnets are
developed by planting malware on the victim computers. The idea is normally to
draw attention to the DDOS attack, and allow the hacker to hack into a system.
Extortion and blackmail could be the other motivations.
 Spam and Phishing
Spamming and phishing are two very common forms of cybercrimes. There is not
much you can do to control them. Spam is basically unwanted emails and
messages. They use Spambots.

Phishing is a method where cyber criminals offer a bait so that you take it and
give out the information they want. The bait can be in form of a business
proposal, announcement of a lottery to which you never subscribed, and anything
that promises you money for nothing or a small favor.

There are online loans companies too, making claims that you can get insecure
loans irrespective of your location. Doing business with such claims, you are sure
to suffer both financially and mentally. Phishing has its variants too – notably
among them are Tabnabbing, Tabjacking. and Vishing and Smishing.

Such spamming and phishing attempts are mostly emails sent by random people
whom you did not ever hear of. You should stay away from any such offers
especially when you feel that the offer is too good.

.
 Social Engineering
Social engineering is a method where the cyber criminals make a
direct contact with you using emails or phones – mostly the latter.
They try to gain your confidence and once they succeed at it, they get
the information they need. This information can be about you, your
money, your company where you work or anything that can be of
interest to the cyber criminals
 Malvertising

Malvertising is a method whereby users download malicious code by simply

clicking at some advertisement on any website that is infected. In most cases, the
websites are innocent. It is the cyber criminals who insert malicious
advertisements on the websites without the knowledge of the latter. It is the work
of advert companies to check out if an advertisement is malicious but given the
number of advertisements they have to deal with, the malverts easily pass off as
genuine ads.

In other cases, the cyber criminals show clean ads for a period of time and then
replace it with malverts so that the websites and advertisements do not suspect.
They display the malverts for a while and remove it from the site after meeting
their targets. All this is so fast that the website does not even know they were used
as a tool for cybercrime. Malvertising is one of the fastest, increasing types of
cybercrime.
 Indian Banks been hacked by
Hackers
Banks in India will either replace or ask users to change the security codes of as
many as 3.2 million debit cards in what's emerging as one of the biggest ever
breaches of financial data in India, people aware of the matter said. Several
victims have reported unauthorised usage from locations in China.

3.2 million debit cards compromised; SBI, HDFC Bank, ICICI, YES Bank and
Axis worst hit.
Of the cards, 2.6 million are said to be on the Visa and Master-Card platform and
600,000 on the RuPay platform. The worst-hit of the card-issuing banks are State
Bank of India, HDFC, ICICI, YES Bank and Axis Bank.

Banks had been receiving multiple complaints from customers about cards being
used in China at various ATMs and point of sale terminals.
32 lakh bank cards hacked: India needs data breach disclosure
law and needs it now

All of this started around a month ago, when hundreds of thousands of people

India got a SMS telling them that they needed to reset the ATM pin for their debit
cards. They were also told that the limit on international transactions on their
cards was reduced to Rs 7,000. No other information was provided, even though
customers of several banks, including the big ones like HDFC and ICICI, got
these messages.

This was a very cryptic message and low on information. Why the PIN needed to
be changed? What really happened? Were the customers at some serious risk
from cyber criminals? Was the information related to their cards leaked? None of
these questions were answered.
That is until today. Now we have some -- but still fairly vague -- information.
There is a report that says the information related to 32 lakh debit cards has been
leaked. These cards belong to a number of banks, including SBI, HDFC and
ICICI.

Although SBI has seemingly confirmed that the information of its six lakh cards
has been leaked other banks are still not not talking, or at least not talking in the
manner that clears the air.

The banks in India, or for that matter any other company that deals in private and
confidential data, has no obligation and no liability towards consumers for any
data breach. The breaches happen in India all the time but no one really knows
who is at fault or what sort of cyber security practices banks follow here

We don't know how details of 32 lakh ATM cards leaked in this instances. We
don't know if the breach was at RBI or some private bank part of network. We
don't know if it was Hitachi's systems that leaked information or if it happened
due to some issue at Master Card or Visa.
Following are the Preventive steps
against Cybercrime
 Keep your computer current with the latest patches and
updates.

One of the best ways to keep attackers away from your computer is to apply
patches and other software fixes when they become available. By regularly
updating your computer, you block attackers from being able to take advantage of
software flaws (vulnerabilities) that they could otherwise use to break into your
system.

While keeping your computer up-to-date will not protect you from all attacks, it
makes it much more difficult for hackers to gain access to your system, blocks
many basic and automated attacks completely, and might be enough to discourage
a less-determined attacker to look for a more vulnerable computer elsewhere.

More recent versions of Microsoft Windows and other popular software can be
configured to download and apply updates automatically so that you do not have
to remember to check for the latest software. Taking advantage of "auto-update"
features in your software is a great start toward keeping yourself safe online.
 Make sure your computer is configured securely.

Keep in mind that a newly purchased computer may not have the right level
of security for you. When you are installing your computer at home, pay
attention not just to making your new system function, but also focus on
making it work securely.

Configuring popular Internet applications such as your Web browser and

email software is one of the most important areas to focus on. For example,
settings in your Web browser such as Internet Explorer or Firefox will
determine what happens when you visit Web sites on the Internet
 Choose strong passwords and keep them safe.

Passwords are a fact of life on the Internet today—we use them for everything
from ordering flowers and online banking to logging into our favorite airline Web
site to see how many miles we have accumulated.
The following tips can help make your online experiences secure:

Selecting a password that cannot be easily guessed is the first step toward keeping
passwords secure and away from the wrong hands. Strong passwords have eight
characters or more and use a combination of letters, numbers and symbols (e.g., #
$ % ! ?). Avoid using any of the following as your password: your login name,
anything based on your personal information such as your last name, and words
that can be found in the dictionary. Try to select especially strong, unique
passwords for protecting activities like online banking.

Keep your passwords in a safe place and try not to use the same password for
every service you use online.

Change passwords on a regular basis, at least every 90 days. This can limit the
damage caused by someone who has already gained access to your account.
 Protect your computer with security software.
Several types of security software are necessary for basic online security. Security
software essentials include firewall and antivirus programs. A firewall is usually
your computer's first line of defense-it controls who and what can communicate
with your computer online. You could think of a firewall as a sort of "policeman"
that watches all the data attempting to flow in and out of your computer on the
Internet, allowing communications that it knows are safe and blocking "bad"
traffic such as attacks from ever reaching your computer.

The next line of defense many times is your antivirus software, which monitors all
online activities such as email messages and Web browsing and protects an
individual from viruses, worms, Trojan horse and other types malicious programs.
More recent versions of antivirus programs, such as Norton AntiVirus, also
protect from spyware and potentially unwanted programs such as adware.

Having security software that gives you control over software you may not want
and protects you from online threats is essential to staying safe on the Internet.
Your antivirus and antispyware software should be configured to update itself, and
it should do so every time you connect to the Internet.
 Protect your personal information
.
Exercise caution when sharing personal information such as your name, home
address, phone number, and email address online. To take advantage of many online
services, you will inevitably have to provide personal information in order to handle
billing and shipping of purchased goods. Since not divulging any personal
information is rarely possible
The following list contains some advice for how to share personal information
safely online:

Keep an eye out for phony email messages. Things that indicate a message may be
fraudulent are misspellings, poor grammar, odd phrasings, Web site addresses with
strange extensions, Web site addresses that are entirely numbers where there are
normally words, and anything else out of the ordinary.

Don't respond to email messages that ask for personal information. Legitimate
companies will not use email messages to ask for your personal information. When
in doubt, contact the company by phone or by typing in the company Don't click on
the links in these messages as they make take you to a fraudulent, malicious
 Online offers that look too good to be true usually are.
The old saying "there's no such thing as a free lunch" still rings true today.
Supposedly "free" software such as screen savers or smileys, secret investment
tricks sure to make you untold fortunes, and contests that you've surprisingly won
without entering are the enticing hooks used by companies to grab your attention.

Review bank and credit card statements regularly.

The impact of identity theft and online crimes can be greatly reduced if you can
catch it shortly after your data is stolen or when the first use of your information
is attempted. One of the easiest ways to get the tip-off that something has gone
wrong is by reviewing the monthly statements provided by your bank and credit
card companies for anything out of the ordinary.
India's Response to Cyber Threat
Unfortunately India Inc's response to Cyber risks has not been robust. India ranks
third globally as a source of malicious activities and its enterprises are the sixth
most targeted by Cyber criminals. This needs to change.

. The key challenge for Indian Companies is that most view Cyber security as
an IT issue. Cyber risks do not get appropriate Top management attention

There are 3 high level components of Cyber resilience

a) Sense: Sense is the ability of organization to predict and detect Cyber threats.
This can be done by simply investing in Cyber intelligence.

b) Resist: Resist mechanisms are basically the corporate shield to Cyber attacks. It
begins with assessing an organizations risk appetite.

c) React : If sense fails(the organization did not see the threat coming) and there
is a breakdown in Resist(control measures were not strong enough), with the
disruption, ready with incident response capabilities and mechanisms to manage
the crisis.
Activate your Defences
 Take an Unorthodox Approach:
In the face of today's unpredictable and unprecdented cyber threats, a fail-safe
approach can no longer be the only option. The new aim should be to design a
system that is safe-to smarter as well as stronger, with a soft-resilence approach.
This means that on sensing a threat, there are mechanisms that have been designed
to absorb the attack and reduce the velocity.

From protection to Sacrifice :

Technologies today make it possible to sacrifice portions of information or
operations in the interests of protecting the larger network. If configured correctly
to the organization's risk appetite, this can be performed as an automated
response.

The role of Leadership:

Executive leadership and support is critical for effective cyber resilience. Unlike
the sense and traditional resist activities, which can be seens as the domain of the
CISO or CIO, cyber resilence requires senior executive to actively take part in
safeguarding the vital and confidential resources.
Hackers recently infiltrated the systems of three government-owned banks — two
headquartered in Mumbai and one in Kolkata — to create fake trade documents
that may have been used to raise finance abroad or facilitate dealings in banned
items.

The banks in question discovered that their SWIFT systems — the global
financial messaging service banks use to move millions of dollars and documents
across borders every day — have been compromised to create fake documents.
The banks are still unsure about the origin of the attack and the intention of the
hackers
.

It’s learnt that soon after the breaches were reported to the Reserve Bank of India,
the regulator last month directed several banks to cross-check all trade documents
issued over the past one year.
 An LC, serving as a guarantee, is a letter that one bank writes to another bank
(particularly in another country) to ensure payment to the supplier of goods when
certain conditions are met. Besides messages for fund transfers, the SWIFT
system is also used to communicate trade documents.

Thus, a cyber-criminal who generates fake LC may attempt to place it with an

offshore bank for finance. The Indian bank (whose system has been misused to
create false LC) may later face a monetary claim when the foreign bank tries to
recover the money released against an LC or guarantee.

Following RBI’s instruction, banks now have to match the documents shared
through SWIFT with the actual documents in their base or core banking system to
find out whether systems have been misused. It is possible that some banks may
not be aware that an outsider has crawled into the system. Since there is no
immediate loss of money, a bank may take a long time to sense that its SWIFT
system has been hacked and misused,” said a cyber security professional.
 Conclusion
Beware of fraudulent activities requesting online
banking security details !