The guiding light for Indian banks when it comes to taking precautions against cyber fraud is the report by the RBI ‘Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, 2011’.
Another influential document is ‘Cyber Crime, Securities Markets and Systemic Risk’ by IOSCO and the World Federation of Exchanges. The recommendations of the first report guide all Indian banks. The recommendations of the latter report guide all Financial Market Intermediaries (FMIs) registered with the stock market regulator SEBI. Now let’s take a slightly deeper dive into the recommendations followed by all Indian banks, leaving aside FMIs for now.

FRAUD RISK MANAGEMENT GROUP

In all Indian banks, fraud prevention, monitoring, and investigation are owned and carried out by an independent group known as the Fraud Risk Management Group (FRMG). This group sets up fraud review councils for the bank’s various businesses. These councils are expected to meet every quarter. The FRMG periodically conducts vulnerability assessments. Mystery shopping is an important part of such assessments.

In addition to the FRMG, all Indian banks are expected to set up a special committee of the board to exclusively monitor and follow up frauds involving amounts of Rs 1 crore and above.

The FRMG sets limits on frauds for all businesses of the bank. When the loss amount reaches 90% of the limit set, the FRMG is required to review the processes with the concerned group. Again, all frauds involving amounts of Rs 10 lakh and above have to be reviewed immediately by the FRMG. The same goes for cyber frauds where criminals used a new mode of operation to conduct the fraud. The bank is expected to use the findings of such reviews to redesign its products and processes to prevent such frauds in future.

Methods used for fraud detection:

• System alerts on exceptional transactions
• Channels to take note of disputes involving customers and employees
• Mystery shopping exercises
• Encouraging customers and employees to report suspicious transactions

CAN-HAVE FACILITIES FOR BANKS

The Working Group Report suggests that banks can put in place the following mechanisms to reduce the risk of cyber fraud:

• Dedicated email IDs for customers to report fraud.
• A dedicated team to reply to customer concerns through the above email IDs.
• A fraud helpline for customers and employees to report suspected frauds.

Only an audit will reveal how many Indian banks have set up such facilities.

ONUS FOR FRAUD INVOLVING MULTIPLE BANKS

In cases of fraudulent credit of money into an account in one bank through another bank, the Working Group has made it clear that the investigation and reporting should be done by the bank whose customer has received the money.

There could be transactions involving misuse of PoS terminals by merchants who swipe stolen or skimmed cards and abscond before the chargeback of the funds. In such cases, the Working Group has made it clear that the reporting to RBI should be done by the bank which provided the PoS terminal (the acquiring services).

There could be transactions involving multiple banks when a fraud is done at an ATM of one bank using a card issued by another bank. In such cases, the Working Group has made it clear that the bank acquiring the transaction (in other words, the bank which owns the ATM) should report the fraud to RBI.

Banks are expected to file police complaints at the nearest Cyber Cell for all instances where the value of the fraud exceeds Rs 2 lakh, and for cases involving staff where the value of the fraud exceeds Rs 20,000. Besides, banks are also expected to notify the regulatory organization CERT-IN.

e.o.m.
If your website is showing one type of content to site visitors, and another type to the Google bot, it is considered to be practicing the dark art of cloaking by the search engine giant. Soon Google will impose a penalty since it considers cloaking to be a violation of its Webmaster guidelines. You then have to follow an elaborate remedy process using the Fetch as Google Tool in Webmaster Tools. It is all about narrowing down and detecting that part of your site which looks different to the search bot compared with what is seen by the naked eye. The problem content then has to be removed.

You are also believed to cloak if your site redirects users to a different page than what Google saw. Here the remedy is to identify those URLs doing the redirect and have them removed.

Once these remedies are done, a site owner has to use the Reconsideration Tool and ask Google to remove the penalty. It’s a long process and one has to have lots of patience. It’s much better to make sure that the penalty is never slapped on your website in the first place.

Because of Google’s no-nonsense stance, popular sentiment is against cloaking, which is considered a criminal activity. But please remember that site owners may have their innocent reasons for why they did cloaking. So a blanket labeling of cloaking as ‘criminal’ is not the right approach.

NETSCAPE KICKED OFF CLOAKING

Recently, while reading an interview with Greg Boser, one of the pioneers in the field of Search Engine Optimisation, I got a totally different view on cloaking. According to him, cloaking began as a well-intentioned, perfectly legitimate activity. It goes like this. At one time, Netscape was warring with Microsoft for survival after the Redmond giant released its own version of a user-friendly browser (Internet Explorer) and distributed it free with its operating system. The intention was to kill Netscape, which it eventually did.
Netscape was a pioneer which made Net access easy for the masses by creating an easy-to-use browser, which it had given away free. It is difficult to believe now that before Netscape came along, a user had to type in a series of code to access the World Wide Web. The Web would have remained a plaything of the nerds if a browser like Netscape hadn’t come along.

To cut the story short, Netscape worried that folks at Redmond were accessing its site and doing competitive analysis constantly to find out what it was up to. To prevent this, engineers at Netscape identified the series of IP addresses used by Microsoft and prepared a dumbed-down version of its website exclusively for Microsoft folks opening its website. This was how cloaking began as a perfectly legitimate activity, according to Greg Boser. But of course, it was later misused a lot.

e.o.m.

Recently, while researching the topic of security breaches at corporates, I came across this interesting nugget from the Wall Street Journal that Kellogg’s, the storied American cookie- and cereal bar-maker, is so obsessed about cyber spies ferreting away its trade secrets that it makes sure they are stored in a computer that is not connected to the internet.

“Kellogg's management is especially worried that cyberattackers might try to steal the company's know-how, like the way it puts the ‘Snap, Crackle and Pop’ in Rice Krispies or the curve in Pringles potato chips, according to two people briefed on its computer defences,” wrote the WSJ.

“Information on our recipes, including where they are stored, is proprietary,” said Kris Charles, a Kellogg spokeswoman. In a February 2014 securities filing, Kellogg said, “To date, we have not experienced a material breach of cybersecurity.”

Looks like Kellogg’s is very happy with its tactic. But is this approach hackproof? I turned to authors Richard Torrenzano and Mark Davis for insights from their book Digital Assassination.
They let us know that cybersecurity experts have a name for the process of sealing a computer by taking it off the internet — airgapping. It refers to the belief by certain cybersecurity experts that “a computer system that is not connected to any other computer or to the Internet is safe”.

But Torrenzano and Davis are not very impressed by airgapping. They say, “If evolution teaches us anything, it is that intelligent systems like to network. Of course no computer is going to extend its own cable and plug itself in. But a computer doesn’t have to network itself, because every computer comes complete with a parasite called a human, a creature with an irrepressible desire to network.”

RISKS OF A MERE NET CONNECTION

So airgapped computers may not be very safe because they are handled by humans, who have a tendency to network. But what happens if a computer is plugged into the internet and allowed to run without any human intervention? Torrenzano and Davis tell us that just such an experiment was conducted by a leading IT company.

In step 1, “the company’s engineers purchased a garden-variety PC from a chain retailer”. In step 2, “they installed in it the best off-the-shelf antivirus, anti-spyware protection, and firewall software packages available”. In step 3, “they connected this PC to the Internet. They did not use it for anything. They just tracked the flow of code into and out of the machine”.

Any guesses on what happened next? The authors wrote, “Within four hours the engineers detected the first ping by a potential hacker. In two weeks more sophisticated software from a computer in Canada slowly embedded itself in the PC and started running its own software. The Canadian computer soon set up links between the enslaved zombie PC and a computer in Singapore, which used the PC to attack a network in Poland.”

So despite the precautions taken, most computers invite security vulnerabilities merely by being connected to the internet.
Imagine, then, the risks involved in the careless approach to security of most users. Airgapping may have its benefits in certain circumstances. Here too, a lot depends on the discipline of the human handlers. No wonder many hackers stay invested in social engineering. For most ordinary people, however, nothing much can be accomplished at work or leisure without an internet connection, especially in these days when Cloud Computing is all the rage.

e.o.m.

Phishers cast a big enough net to catch a few fish. Make sure you are not their catch with these simple steps.

Criminals phish for trouble through bulk emails or instant messages. The target victim is told to click a link or provide information. The phishing email usually pretends to be from a service provider you trust. You are told that there is some problem with your account which you need to set right, or else you are presented with a situation that requires you to verify the account.

If you fall for it and reveal your credit card information, you could soon expect some charges, say security experts. The criminals may also sell your card, or destroy your credit history. Experts say there are some tell-tale signs of phishing scams you should be aware of.

TELL-TALE SIGNS OF PHISHING SCAMS

Security researchers note that the spammed email from phishers nearly always begins with a generic way to address you, instead of addressing you by your name. E.g.:

• Dear Online Service User:
• Dear Bank Customer:
• Dear Credit Card Account Holder:
• Dear Personal Club Member:
• Greetings!
• Welcome!
• Warning!
• Security Alert!

Almost always, they ask you to verify or confirm your account. Experts say that legitimate companies will never ask you to verify the following information online:
Sometimes, these criminals provide legitimate links but hijack you to land on a different site from where you thought you were going. So don't forget to look at the URL of your final destination to make sure it's that of your service provider. Check whether the site you reached has a privacy policy, uses the https protocol and has the lock icon of the secure sockets layer (SSL).

Sometimes the criminals manage to include the names of the legitimate service providers as a sub-domain within their site. Again, look at the URL carefully to find out where you are going.

Many browsers have a built-in phishing and malware protection facility. In Internet Explorer, it is called Smart Screen Filter, and in the Chrome browser it is called Phishing and Malware Protection. Make sure these are turned on by checking the settings.

e.o.m.
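The checks described in the phishing post above (generic greeting, https on the final destination, and the provider's name used as a sub-domain of someone else's site) can be automated as follows. This is an added example, not part of the original post; the function names and the `mybank.example` / `account-verify.test` hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Generic salutations listed in the post above.
GENERIC_GREETINGS = (
    "dear online service user", "dear bank customer",
    "dear credit card account holder", "dear personal club member",
    "greetings!", "welcome!", "warning!", "security alert!",
)

def hostname_of(url):
    """Return the lowercased hostname of a URL, or '' if it has none."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def belongs_to(url, provider_domain):
    """True only if the host IS the provider's domain or a sub-domain of it."""
    host = hostname_of(url)
    provider_domain = provider_domain.lower()
    # The leading dot matters: "notmybank.example" must not match "mybank.example".
    return host == provider_domain or host.endswith("." + provider_domain)

def phishing_signs(first_line, final_url, provider_domain):
    """List the post's tell-tale signs found in a message and its landing URL."""
    signs = []
    if first_line.strip().lower().startswith(GENERIC_GREETINGS):
        signs.append("generic greeting")
    # HTTPS alone does not show the site is the provider's; the host check does.
    if urlsplit(final_url).scheme != "https":
        signs.append("not https")
    if not belongs_to(final_url, provider_domain):
        signs.append("destination is not the provider's domain")
        # Provider name used as a sub-domain label of someone else's site.
        if provider_domain.lower() in hostname_of(final_url):
            signs.append("provider name appears inside a foreign hostname")
    return signs

# Constructed sample data (reserved .example/.test names, not real sites).
SAMPLES = [
    ("Dear Bank Customer: verify your account",
     "http://mybank.example.account-verify.test/login", "mybank.example"),
    ("Hello Asha, your statement is ready",
     "https://netbanking.mybank.example/statement", "mybank.example"),
]

if __name__ == "__main__":
    for line, url, domain in SAMPLES:
        print(url, "->", phishing_signs(line, url, domain) or "no signs found")
```

Pass the URL you finally landed on after any redirects, since the post's advice is to inspect the final destination rather than the link text.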
Author: I'm Georgy S. Thomas, the chief SEO architect of SEOsamraat. The Searchable site will track interesting developments in the world of Search Engine Optimization, both in India as well as abroad.