Cybercrimes
A Financial Sector View
In a digital age, where online communication has become the norm, internet users and governments face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, focusing on theft of financial information, business espionage and accessing government information is of prime requirement. To fight fast-spreading cyber crime, governments must collaborate globally and with various stakeholders to develop an effective model that will control the threat. India has had its share of incidents of cybercrime, and more often than not in the financial sector, where this has significantly impacted investor confidence. It is time that cybercrime is not thought of merely as a security issue or a technology issue. It is at the very heart of how a business or government builds trust with customers, as well as how it builds and protects its brand value. In view of the above scenario, the Directorate of Information and Technology, Government of Maharashtra has planned this conference on Cybercrimes: A Financial Sector View. The aim is to share with the government authorities and financial and legal sector experts the current scenario of cybercrimes in the financial domain and the challenges faced by the legal ecosystem in keeping pace with the current leap of cybercrimes. I wish warm regards to the success of the conference and hope it will be knowledgeable and useful to the participants.
Recent reports on cybercrimes launched against large companies, specifically in the financial sector, demonstrate that protecting and securing data is more important now than ever before. Cyber attacks impact not only the brand value and revenue of the companies but, more severely, the trust of the customers involved in the system. In view of the given challenges, identifying how data compromise occurs, understanding the legal and operational challenges, and identifying the different mechanisms of dealing with these challenges would arm the system better to fight this menace. The conference takes a peek at the current scenario of cybercrimes at the national level with a focus on Mumbai, the targeted victims, types of cybercrimes and steps to be taken for securing critical financial infrastructure. It also focuses on the current legal framework available and some of the major challenges faced by the government authorities, financial sectors and the judiciary itself. We also look forward to a complete session on the challenges of dealing with the menace of cyber crimes in terms of human capacity, technology, jurisdiction and legal issues. The group of panelists comprises highly qualified professionals from the financial sector and the legal fraternity who bring in extensive knowledge and case study learnings in the field of cybercrimes. This conference aims at understanding the menace well, analyzing various challenges and ways of curbing its effect, and working towards a safer and more secure technology-based financial transaction environment.
Navin Agrawal
Partner, IT Advisory, KPMG in India
The increasing use of technology, particularly by businesses to drive their operations and to deliver world class services, has led to the evolution of a new threat. The growth of complexity and access to technology has made us more susceptible to hi-tech crime, which is also a new form of business threat that requires a fundamental shift in the risk management arena of businesses, particularly in the financial domain where the risk is very high. The seriousness could be ascertained from the report published by the World Economic Forum, Global Risks 2012, in which cyber threat is rated as a serious threat to the world based on likelihood of impact. Cyber threats are real and their impact could be felt across borders, businesses and communities. KPMG in India is proud to be associated as the knowledge partner of this conference on Cyber crimes: A financial sector view and thus continue our association with this prestigious event for the Government of Maharashtra. We would like to think of this event as a confluence of thought leadership, where business and technology streams meet to discuss, share, evaluate, strategise and provide insights for the evolution of secure business practices. This conference, in association with the Government of Maharashtra and Nasscom, focuses on issues and trends of cyber crimes in the financial domain, and how the industry is dealing with this new type of crime. Considering the dependency of banking businesses on the internet and the medium's vast reach, cyber crime could pose a threat to the financial sector, and partnerships need to be formed to fight this crime. These threats can be suitably addressed by sharing insights, experiences, ideas and key skill sets and working through these issues with subject matter specialists. This would also help create secure and robust business practices against existent threats to gain competitive business advantages through business continuity.
We at KPMG would like to facilitate this entire process of collaborating thoughts on cyber security and try to present various scenarios related to cyber security in the financial domain which could impact the industry in future. As we know, technology is no longer an enabler, but seen as a business driver. We hope you will appreciate the insights and concerns presented before you and are able to benefit from the thoughts presented at this event.
Contents
Financial Service Sector Overview
Technological Risk
Time and money spent
Threat
Types of crimes in Financial sector
Statistics - Global & India & focus Mumbai
Legal Framework Support
Key Challenges/concerns which need to be addressed
Challenges faced by governments
Way forward
Currently, there are nearly 2 billion internet users and over 5 billion mobile phone connections worldwide. Every day, 294 billion emails and 5 billion phone messages are exchanged.
50,000 victims every hour
820 victims every minute
14 victims every second [1]
Most people around the world now depend on consistent access and accuracy of these communication channels. Among all cybercrime victims surveyed, 80 percent were from emerging markets, compared to 64 percent in developed markets. The US Government estimates American businesses suffered losses of intellectual property totaling more than USD 1 trillion from cyber attacks. With over five billion mobile phones coupled with internet connectivity and cloud-based applications, daily life is more vulnerable to cyber threats and digital disruptions. The related constellation of global risks in this case highlights that incentives are misaligned with respect to managing this global challenge. Online security is now considered a public good, implying an urgent need to encourage greater private sector engagement to reduce the vulnerability of key information technology systems. A healthy digital space is needed to ensure stability in the world economy and balance of power. [2]
[1] Symantec Cyber Crime Report 2011
[2] World Economic Forum, Global Risks Report 2012
Overview
These are challenging times for the banking industry globally, thought provoking and extremely rewarding at the same time. Due to volatile geopolitical and global macroeconomic conditions, many financial institutions have been forced to evaluate their current operating practices and think about where they would like to be in future and, more importantly, how to manage growth as well as risk in line with stakeholder expectations. The Indian banking industry provides strategic opportunities for innovation-led growth, a moot point to meet the challenges thrown up by the current environment. Technology is likely to play a significant role in guiding this new approach to growth and risk management. [3]
In the financial domain, technology is no longer an enabler, but a business driver. In the last decade, the phenomenal growth of IT, mobile penetration and communication networks has facilitated the extension of financial services to the masses. Technology has facilitated the delivery of banking services to the masses and changed the way financial institutions function. Technology has made banking services affordable and accessible by optimizing the way these institutions operate today. Regulatory bodies, banks and other institutions/agencies have made a paradigm shift in their respective areas of operations, service delivery and consumer satisfaction. Financial institutions have gained efficiency, outreach and spread through technology in the last two decades. The benefits of technology such as scale, speed and low error rate are also reflected in the performance, productivity and profitability of banks, which have improved tremendously in the past decade. Technology initiatives are taken by banks in the areas of financial inclusion, mobile banking, electronic payments, IT implementation and management, managing IT risk, internal effectiveness, CRM initiatives and business innovation.
[3] KPMG in India: IT in Banking, Managing the present by looking to the future, August 2008
Technological Risk
In a digital age, where online communication has become the norm, internet users, governments and organizations face increased risks of becoming the targets of cyber attacks. As cyber criminals continue to develop and advance their techniques, they are also shifting their targets, focusing less on theft of financial information and more on business espionage and accessing business information. To fight fast-spreading cyber crime, the sector must collaborate globally to develop an effective model that will control the threat. The issue of primary importance is that no national government operates an effective compilation service to identify trends in cyber-crime, with the exception of the Internet Crime Complaint Center (IC3). Most cyber-crime is on such a small scale that law enforcement organizations are not interested in dealing with individual cases, and, in many cases, individuals may not care enough about the amounts involved to take action. Therefore it tends to go unreported. [4]
[4] Cyber Crime: A Growing Challenge for Governments, July 2011, Volume Eight, kpmg.com
Risk categories:
Financial Risks
Infrastructure Risks
Technology Risks
Data Risks
Human Risks
Time and money spent
Global Scenario
USD 114 billion is the total loss of cash in 12 months. USD 274 billion is the total loss of time for victims of cyber crime. On average, 10 days were spent by victims to satisfactorily resolve the hassles of cyber crime.
Indian Scenario
USD 4 billion is the total loss of cash in 12 months. USD 3.6 billion is the total loss of time for victims of cyber crime. On average, 15 days were spent by victims to satisfactorily resolve the hassles of cyber crime. [6]
Threat
Among all cybercrime victims surveyed, 80 percent were from emerging markets, compared to 64 percent in developed markets. Only 21 percent of victims reported cybercrime to the police.
[7] KPMG in India: IT in Banking, Managing the present by looking to the future, August 2008
Global dimensions and borderless limits have given rise to the need for new and innovative responses to the issue of cyber crime or electronic crime. The growth in the take-up of the information highway and telecommunications presents as great a challenge for policing. A hi-tech crime presents a new form of business threat that requires a fundamental shift in policing methodology. [8] A financial-services organization provides specialized, private banking products and services to its customers. Its services cover property, investments, capital markets and asset management. Its customer base is its biggest asset, and offering strong protection to these customers is of paramount importance both to retain and grow business, and to protect its reputation for high-quality service. Companies in the financial domain have experienced an increase in instances of cybercrime in the past few years. Various levels of cyber crime threats exist at each level of IT systems. The emergence of such threats at different levels is due to an explosion of online banking and shopping, coupled with the increasing willingness of consumers to disclose personal information over the internet. Hackers are now enabling a larger market of script-junkies whose deficient skills would otherwise shut them out of the cyber criminal enterprise.
Vendors of online security products have an interest in talking up the threats of cybercrime, while victims of cybercrime often have an interest in remaining silent. It is therefore very difficult for firms and organizations to get a clear picture of the true levels of the risk and the need for investment. Correcting such information asymmetries should be at the centre of policies to improve global cyber security and to ensure an efficient market. Firms have an incentive to invest in cyber security measures that protect their own interests, rather than in those measures that contribute to the health of the overarching critical information infrastructure. Innovative multi-stakeholder collaboration will be required to tip the balance towards investment in creating systemic resilience. There are no proven secure systems, only systems whose faults have not yet been discovered, so trying to overcome hackability may be as hopeless as denying gravity. Instead, the goal should be finding ways for well-intentioned individuals to identify those faults and deploy remedies to end-users before would-be cyber criminals can discover and exploit them. Experts believe that the levels of resource devoted to this effort are nowhere near adequate, but there are signs that some industries are taking cyber threats more seriously. In November 2011, 87 banks in England participated in a mock cyber attack stress test in preparation for an anticipated increase in attacks during the 2012 Summer Olympic Games. [9]
[8] KPMG in India: IT in Banking, Managing the present by looking to the future, August 2008
Type of Attacks and Details
Viruses and worms: Viruses and worms are computer programs that affect the storage devices of a computer or network, which then replicate information without the knowledge of the user.
Spam emails: Spam emails are unsolicited emails or junk newsgroup postings. Spam emails are sent without the consent of the receiver, potentially creating a wide range of problems if they are not filtered appropriately.
Trojan: A Trojan is a program that appears legitimate. However, once run, it moves on to locate password information or makes the system more vulnerable to future entry. Or a Trojan may simply destroy programs or data on the hard disk.
Denial-of-service (DoS): DoS occurs when criminals attempt to bring down or cripple individual websites, computers or networks, often by flooding them with messages.
Malware: Malware is software that takes control of an individual's computer to spread a bug to other people's devices or social networking profiles. Such software can also be used to create a botnet, a network of computers controlled remotely by hackers, known as herders, to spread spam or viruses.
Scareware: Using fear tactics, some cyber criminals compel users to download certain software. While such software is usually presented as antivirus software, after some time these programs start attacking the user's system. The user then has to pay the criminals to remove such viruses.
Phishing: Phishing attacks are designed to steal a person's login and password. For instance, the phisher can access the victim's bank accounts or assume control of their social network.
Fiscal fraud: By targeting official online payment channels, cyber attackers can hamper processes such as tax collection or make fraudulent claims for benefits.
(type label missing in source): Experts believe that some government agencies may also be using cyber attacks as a new means of warfare. One such attack occurred in 2010, when a computer virus called Stuxnet was used to carry out an invisible attack on Iran's secret nuclear program. The virus was aimed at disabling Iran's uranium enrichment centrifuges.
Carders: Stealing bank or credit card details is another major cyber crime. Duplicate cards are then used to withdraw cash at ATMs or in shops.
Cyber-crime has spawned many entrepreneurs, though of dubious repute. They have given rise to new criminal hacking enterprises aimed not at committing fraud but at providing services to help others commit fraud. This operation enables people to commit crime vicariously, i.e. without any direct perpetration. Another model is to create a subscription-based identity theft service: rather than stealing personal credentials themselves, cyber criminals have hacked into PCs and then charged clients for a limited period of unfettered access. As is the case with most business services, customers willing to pay extra can obtain premium services such as a complete clean-up of the stolen data, i.e. getting rid of low-value information, and assistance with indexation and tagging of data, etc. [10] New skills, technologies and investigative techniques, applied in a global context, are required to detect, prevent and respond to cyber-crime. This is not just about the realignment of existing effort. This new business will be characterized by new forms of crime, a far broader scope and scale of offence and victimization, the need to respond in a much more timely way, and challenging technical and legal complexities. Innovative responses such as the creation of cybercops, cyber-courts and cyber-judges may eventually be required to overcome the significant jurisdictional issues that law and order agencies are currently facing. Law enforcement with regard to investigating crimes and handling evidence, dealing with offenders, and assisting victims poses complex new challenges. There is an unprecedented need for international commitment, coordination and cooperation, since cyber-crime is truly a global phenomenon. It is also important to have a better understanding of the nature of the problem and to address the issue of significant under-reporting of this dangerous phenomenon. Prevention and partnerships will be essential to fight cyber crime. [10]
[Figure: Framework for Cyber threats and responses]
[10] KPMG in India: IT in Banking, Managing the present by looking to the future, August 2008
Legal Framework Support
The Data Security Council of India (DSCI) and the Department of Information Technology (DIT), India are the prime bodies responsible for cyber security in India. To cater to the needs of cyber security issues, India has implemented the IT Act 2000 and the revised IT (Amendment) Act 2008.
Section and offence:
Sec-66: Hacking (with intent or knowledge)
Sec-67: Publication of obscene material in e-form
Sec-68: Not complying with directions of controller
Sec-70: Attempting or securing access to computer
Sec-72: Breaking confidentiality of the information of computer
Sec-73: Publishing false digital signatures, false in certain particulars
Sec-74: Publication of Digital Signatures for fraudulent purpose
Penalties listed alongside these sections:
Fine up to 1 lakh and imprisonment up to 2 years
Fine of 1 lakh, or imprisonment of 2 years, or both
Imprisonment for a term of 2 years and a fine of 1 lakh rupees
Currently, the IT Act, 2000 has been amended by the Information Technology (Amendment) Act, 2008. This law provides the legal infrastructure for Information Technology in India. The said Act, with its 90 sections, is to be read together with the 23 rules called the IT Rules, 2011.
media is greatly undermined, despite efforts to the contrary made by some stakeholders. Cyberlaw makers across the world have to face the unique challenge of how to effectively regulate the misuse of social media by vested interests and, further, how to provide an effective remedy to the victims of various criminal activities on social media.
Way Forward
The Information Technology Act, 2000 and its amendment in 2008, though they provide a certain kind of protection, do not cover all the spheres of IT where protection must be provided. Copyright and trademark violations do occur on the net, but the Copyright Act, 1976 and the Trademark Act, 1994 are silent on provisions that specifically deal with the issue. There is no enforcement machinery to ensure the protection of domain names on the net. Transmission of e-cash and transactions online are not given protection under the Negotiable Instruments Act, 1881. Online privacy is not protected; only Section 43 (penalty for damage to computer or computer system) and Section 72 (breach of confidentiality or privacy) address it to some extent, but they do not hinder the violations caused in cyberspace. Even Internet Service Providers (ISPs), who transmit third party information without human intervention, are not made liable under the Information Technology Act, 2000.
It is hard to prove the commission of an offence, as the terms "due diligence" and "lack of knowledge" have not been defined anywhere in the Act. Nor does the Act mention how extra-territoriality would be enforced. This aspect is completely ignored by the Act, even though it came into existence to look into cyber crime, which is on the face of it an international problem with no territorial boundaries. The Act has its own stated advantages, as it gave legal recognition to electronic records, transactions, authentication and certification of digital signatures, prevention of computer crimes, etc., but at the same time it is afflicted with various drawbacks: it does not refer to the protection of intellectual property rights, domain names, cyber squatting, etc. This inhibits corporate bodies from investing in information technology infrastructure.
Cryptography is a new phenomenon to secure sensitive information. There are very few companies at present which have this technology. Millions of others are still exposed to the risk of cyber crimes. India needs to update the law, whether by amendments or by adopting a sui generis system. Though the judiciary continues to comprehend the nature of computer related crimes, there is a strong need for a better law enforcement mechanism to make the system workable.
Challenges faced by governments
Although governments are actively focused on fighting and preventing cyber criminals from damaging infrastructure, the very nature of cyberspace poses a number of challenges to the implementation of cyber regulations in any country. Within cyberspace it is often difficult to determine political borders and culprits. Furthermore, the cyber criminal community and their techniques are continuously evolving, making it more challenging for governments and companies to keep up with ever-changing techniques.
Tracking the origin of crime
According to Rob Wainwright, Director of Europol, criminal investigations of cyber crimes are complex, as the criminal activity itself is borderless by nature. Tracing cyber criminals poses a challenge. [12] While many experts speculate that the cyber attacks on Estonia and Georgia, for instance, were directed by Russian cyber agencies, some of the attacks have been traced to computers originating in Western countries.
Growth of the underground cyber crime economy
A major threat that may hamper the fight against cyber crime is the growth of an underground economy, which for many cyber criminals can be a lucrative venture. The underground economy attracts many digital experts and talented individuals with a specialty around cyber initiatives. In the cyber underworld, hackers and organized crime rings operate by selling confidential stolen intelligence. Research shows that criminals are trading bank account information for US$10-125, credit card data for up to US$30 per card, and email account data for up to US$12. [13] Often, the acquired data is used in illegal online purchases and in exchange for other monetary transactions. The untraceability of the origin of these transactions poses a major challenge to government agencies in their efforts to fight crimes of this nature.
Shortage of skilled cyber crime fighters
Implementing cyber security measures requires skilled manpower. However, most countries face a shortage of skilled people to counter such cyber attacks. According to Ronald Noble, Head of Interpol, "An effective cyber attack does not require an army; it takes just one individual. However, there is a severe shortage of skills and expertise to fight this type of crime; not only at Interpol, but in law enforcement everywhere." Moreover, most trained or skilled people are recruited by the private sector, as it offers higher financial rewards. In the UK, the PCeU has experienced this shortage first hand, with only 40 core team members. [14] Similarly, in Australia, the majority of cyber crime incidents, particularly minor incidents, remain unsolved or are not investigated due to the lack of eForensic skills and expertise.
Widespread use of pirated software
One of the major challenges to preventing cyber crime is the prevalence of software piracy, as pirated software is more prone to attacks by viruses, malware and trojans. Experts believe that the rapid growth of consumer PC markets in emerging countries, such as India, Brazil and China, has contributed largely to the rising piracy rates. Pirated software can include not only games, movies, office applications and operating systems, but also security software. Often, users prefer to obtain pirated security software rather than purchase and upgrade a legal version, thereby increasing the vulnerability of their systems to cyber attacks. For instance, one of the reasons for the spread of the Conficker virus in 2008 was the lack of automatic security updates for unlicensed software. The issue becomes more significant for those countries where pirated software is a common occurrence. China, which is one of the largest such markets, reported that nearly US$19 billion was spent on pirated software in 2009. In India, the unlicensed software market value stands at nearly US$2 billion. Ensuring cyber security is also a major challenge for Gulf Cooperation Council (GCC) countries, where 50 percent of software is pirated. [15]
[12] E-Crime Survey 2009, KPMG International
[13] War in the fifth domain, Economist, July 1, 2010
[14] Will the U.S. get an Internet kill switch?, Technology Review, March 4, 2011
[15] KPMG International, Issues Monitor: Cyber Crime A Growing Challenge for Governments (July 2011, Volume Eight)
Way forward
Experts believe that to fight the borderless and continuously evolving cyber crime, global leaders must collaborate in joint initiatives. Nigel Inkster, an expert on cyber threats at the International Institute for Strategic Studies, stated, "Thus far, the discussion on how to set international standards on cyber has been very low profile and largely confined to the margins of the UN General Assembly." However, to overcome significant diplomatic hurdles, a concerted effort on the part of governments must be in place. In April 2010, the UN rejected a treaty on global cyber crime, due to disagreements over national sovereignty issues and concerns for human rights. Many countries have expressed concern over the new cyber laws. Russia, as one example, has refused to endorse the Budapest Convention on Cybercrime, which allows police and other legal entities to cross national boundaries without the consent of local authorities in order to access computer servers. However, country officials in most developed nations do agree on the establishment of policies to protect cyberspace against criminals. Experts believe that developed countries such as the US should encourage other countries to introduce policies against cyber attacks, in a similar fashion to the way they do for nuclear weapons, missile defense and space. "The US has to frame a much clearer strategy with regard to cyber (warfare)," said Greg Austin, Vice President of Program Development and Rapid Response at the EastWest Institute. The US supports an International Telecommunication Union plan, which obligates the country of origin of cyber crime acts to conduct the investigation. The US also supports a Russian initiative that has called for a UN panel to work on cyber-arms limitations. However, experts believe that the implementation of such a coordinated initiative might take a few more years.
Apart from bilateral and multilateral initiatives between governments, much can be achieved by cooperating with the private companies that own and control the majority of the cyberspace network. Network owners or internet service providers can take more responsibility to help identify cyber attacks and attackers on user computers, and take the necessary steps to counter such attacks. Experts believe that while such preventive measures may not completely eliminate cyber espionage, they can certainly make cyberspace a much safer place. [13]
[13] KPMG International, Issues Monitor: Cyber Crime A Growing Challenge for Governments (July 2011, Volume Eight)
kpmg.com/in
The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation. 2012 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. The KPMG name, logo and "cutting through complexity" are registered trademarks or trademarks of KPMG International. Printed in India.