
SECURE *

‘S’ for Security for citizens,
‘E’ for Economic development,
‘C’ for Connectivity in the region,
‘U’ for Unity,
‘R’ for Respect of sovereignty and integrity, and
‘E’ for Environment protection.

Shri Narendra Modi
Hon’ble Prime Minister
@ Asian Summit SCO, Bats For ‘SECURE’

India’s Digital economy is on the highway of great growth and my department has taken a commitment that we will make India’s digital economy a one trillion dollar economy in the coming 5 to 7 years. When I talk about digital economy I mean communication, IT and IT enabled services, e-commerce, cyber security, digital payment and electronic manufacture.

Shri Ravi Shankar Prasad
Hon’ble Union Minister Law and Justice and Electronics and Information Technology
Government of India

Reference* : https://www.msn.com/en-in/sports/ipl-videos/pm-modi-at-asian-summit-sco-bats-for-secure/vp-AAyrwVr

2 www.infosecawareness.in
PREFACE
In today’s digital world, most financial transactions and financial investments are held in electronic form and transacted through cyber space, taking over from the traditional banking/investing system. The majority of the population has moved to online methods of financial investments and transactions. Online means of investment to attain financial security are less expensive in terms of operational costs for both the bank and the consumer, but they expose both banks and customers to a large number of cyber security risks. Considering the amount of confidential information held by a financial institution and the amount of financial transactions taking place on a daily basis, cyber security risks in the finance sector have to be taken care of with great significance.

The negative side of the cyber world is both inevitable and unavoidable in the financial sector. It’s the reality that cyber criminals are targeting financial institutions as well as individuals by taking advantage of vulnerabilities in the financial applications and lack of awareness among the end users. We take special care and safety measures to protect our family and children from the social threats they are prone to in the cyber world. Similarly, it is equally important to cyber secure your financial savings from cyber threats. Today we share our financial data in many places like online shopping, e-wallets, POS terminals, online ticket booking, hotel booking and many more without even knowing whether these places can provide security to your sensitive information or not. Therefore, it’s our responsibility to protect and take care of our personal sensitive data.

The importance of cyber security in the current scenario of digital transformation going on in India was identified, and the initiative was taken by the Ministry of Electronics and Information Technology (MeitY), which has approved a project titled Information Security Education and Awareness (ISEA). The main objective of this project is to spread awareness on Information security among the people of India. Considering the relevance of digital payments, where the Indian economy is in the phase of moving towards a cashless economy, this cyber security handbook on ‘Digital Financial Transactions’ has great importance in imparting awareness among people. This handbook covers all the various digital transaction systems in India and the threats associated with them. It also gives an insight into the mitigation methods to stay safe in this digital world. Let us together take the first step of being aware of what can happen in the digital world in terms of financial frauds, and safeguard ourselves and our family.

Our Sincere Acknowledgements for the support provided by


Ministry of Electronics and Information Technology (MeitY), Government of India

Toll Free No. 1800 425 6235 3


CONTENTS

Page 5: Introduction
Digital payment methods in India

Page 8: Debit/Credit Cards
Introduction, How to use, Threats to Banking cards, Best practices to stay safe for users

Page 12: Unified Payment Interface
Introduction, How to use, Threats to UPI, Best practices to stay safe for users

Page 14: Bharat Interface for Money (BHIM) app
Introduction, How to use, Threats to BHIM App, Best practices to stay safe for users

Page 16: USSD
Introduction, How to use, Threats to USSD, Best practices to stay safe for users

Page 20: Aadhaar Enabled Payment System (AEPS)
Introduction, How to use, Threats to AEPS, Best practices to stay safe for users

Page 22: E-Wallet
Introduction, How to use, Threats to E-wallets, Best practices to stay safe for users

Page 26: Point-Of-Sale Machines
Introduction, How to use, Threats to Point-Of-Sale machines, Best practices to stay safe for users

Page 28: Micro ATMs
Introduction, How to use, Threats to Mobile Banking, Best practices to stay safe for users

Page 30: Online banking
Introduction, How to use, Threats to Internet Banking, Best practices to stay safe for users

Page 34: Mobile Banking
Introduction, How to use, Threats to Mobile Banking, Best practices to stay safe for users

Page 36: Cyber Laws in India
Advantages of Cyber Laws, Importance of IPC, Frauds relating to computers, IT laws

Page 46: Guidelines to report financial frauds in India
If you find an unauthorized transaction on your account, How to file a cyber crime complaint in India, Cyber cells in India

CREDITS

Ministry of Electronics and Information Technology, Government of India

Shri. Sitaram Chamarthy (TCS)
Shri U Rammohan Rao, CID, Telangana State
Shri G V Raghunathan, (Retd) Sr Director, MeitY
Shri Magesh E, Director, C-DAC Hyderabad
Shri S K Vyas, MeitY
Shri Ch A S Murty
Mrs Soumya M
Mrs Indrakeerthi K & ISEA Team Members, C-DAC Hyderabad
Honorary Professor N Balakrishnan
Prof. Sukumar Nandi
Prof. V Kamakoti
Prof. M S Gaur

Action Group Members
A K Pipal, HoD (HRD), MeitY
Shri. Sitaram Chamarthy
Prof. M S Gaur
Prof. Dr. Dhiren R Patel
Representative of Chairman (CBSE)
CEO, DSCI (NASSCOM)
Representative of Prasar Bharati, Member of I & B
Shri U Rama Mohan Rao (SP, Cyber Crimes, CID, Hyderabad, Andhra Pradesh)
Shri S K Vyas, Additional Director, MeitY

Message from
E Magesh
Director, C-DAC Hyderabad

Securing your hard earned money is a prime task for everyone. With the bloom of digitalization in India, there has been a manifold increase in the digital transactions in India, touching almost one lakh crore rupees a month. At the same time there is a significant jump in the number of financial frauds and their value, making it a major concern to the people in India and elsewhere.

Each day fraudsters devise new methods to execute frauds. Financial fraud, both online and offline, can impact the individual with direct financial loss leading to emotional and psychological stress. The current edition of the handbook will help the readers to understand the complete scenario of financial frauds and how to secure your money. With the advent of low-cost Internet services, it can be seen that more of the population is accessing online services more proactively.

Most of the physical money transactions are replaced by online transactions. With this there is a need to raise awareness among people on the types of financial frauds and methods employed by fraudsters to commit fraud. C-DAC Hyderabad, being the coordinating center for creating mass awareness on Information Security under the purview of ISEA Project Phase II, is glad to release this handbook on such an important topic, which is of interest for most of the stake holders.



Introduction

Indian economy is undergoing a transformation through ‘Digital India’, the flagship programme of Government of India to create a digitally empowered society and knowledge economy. To achieve the dream of a cashless economy, it is important that all sections of society be aware of the various methods of financial transactions and also get equal opportunity to participate in nation building. Government of India has taken measures to promote a cashless economy through digital payments.

Government has supported this by introducing various online methods of payment like Aadhaar Enabled Payment System (AEPS), Bharat Interface for Money (BHIM), Immediate Payment Service (IMPS), Unified Payment Interface (UPI), PoS machines etc. India has shown tremendous progress in banking methodologies, from traditional banking to electronic banking followed by the use of credit cards. The current decade is witnessing a popularization of digital payments like electronic wallets, swipe cards, debit cards, cardless payment methods etc. We need to take a leap forward towards achieving the dream of Digital India and a cashless economy.

Lack of awareness of digital financial literacy, especially among the rural population, is a major challenge for the country. Digital methods of financial services are a major target for cyber criminals. Debit/Credit cards, Net Banking solutions and even the transaction websites of financial institutions and banks are hacked by cyber criminals. This has led to an urgent need to create awareness among citizens, especially in rural and semi-urban areas, regarding digital finance services, and also to enable/support them to access various digital finance services, details about government policies, the various threats which they may face while using these digital services and also the various mitigation methods to be safe while using digital payment services. In view of this, the Ministry of Electronics and Information Technology (MeitY) has approved a project entitled Information Security Education and Awareness (ISEA). In the present scenario, where technology plays a vital role in the life of an individual, it is better to be aware of how to detect, how to protect and how to recover from cyber threats in the financial sector.

In this handbook we give an insight into (i) the different types of Digital Payment methods in India, (ii) how to use those Digital Payment methods, (iii) the various threats in these methods, (iv) different mitigation methods to stay safe and (v) guidelines to report financial fraud in India.

Digital payment methods in India

A digital transaction is a seamless system, where transactions are effected without the need for physical cash. To use digital payment methods, the user must have an existing bank account which they own and should have available funds in their account to make cash payments or to receive revenue via digital platforms including mobile devices, personal computers or the internet. Ideally, digital payment systems will have the three key components of any such digital financial service: a digital transactional platform, retail agents, and the use by customers and agents of a device, usually a mobile phone, to transact via the platform.

Banks, microfinance institutions, mobile operators and third party providers are leveraging mobile phones and point-of-sale devices, along with networks of small-scale agents, to offer basic financial services at greater convenience and scale, and at lower cost, than traditional banking allows. The major types of digital payment methods are as follows: Banking Cards, USSD, Aadhaar Enabled Payment System (AePS), Unified Payment Interface (UPI), E-Wallet, bank prepaid cards, Point-Of-Sale, Internet banking, Mobile Banking and the Bharat Interface for Money (BHIM) app.



DEBIT/CREDIT CARDS

Cards are among the most widely used payment methods and come with various features and benefits such as security of payments, convenience, etc. These are usually issued by banks and can be classified on the basis of their issuance, usage and payment by the card holder.

What are the different types of cards?
There are three types of cards: Debit cards, Credit cards and Prepaid cards.

Debit Cards: Issued by the bank where you have an account. It is linked to the bank account. The user can use this card to withdraw cash up to the limit present in his/her bank account. It can also be used only for domestic fund transfer from one person to another.

Credit Cards: Issued by banks / other entities approved by RBI. Unlike debit cards, in case of credit cards a customer can also withdraw beyond the amount of money present in his bank account. But there is a limit for each credit card up to which extra money can be withdrawn. Also there is a time limit and interest charges to be paid back.

Prepaid Cards: These are pre-loaded from a customer’s bank account. They can be used for a limited amount of transactions. These can be recharged like a mobile recharge and are very safe to use.

The main advantage of debit/credit or prepaid banking cards is that they can be used to make other types of digital payments. Some of the most reputed and well-known card payment systems are Visa, Rupay and MasterCard, among others. Banking cards can be used for online purchases, in digital payment apps, ATM machines, PoS machines, online transactions, etc.

Apply with your respective bank and provide Know Your Customer (KYC) details at the respective bank branch. Debit cards can be exchanged with a Rupay Card. A bank account is mandatory to get the card. As per Government orders, all Jan Dhan account holders will be issued Rupay Cards.

How to use Debit/Credit Cards ?

• To withdraw money from an ATM, the user needs to insert his/her debit/credit card and type in the unique PIN number (4 digits) which is provided by the bank. The maximum amount that can be withdrawn per day is set by the bank.
• With a debit card, the user can also use the ATM to carry out other financial and non-financial transactions such as finding out the bank balance, depositing a cheque or money, getting a mini statement, etc. without visiting the bank branch.
• While shopping at major retail stores and shops, follow the process shown in the figure:

1. User gives the debit card to the cashier at the store
2. Merchant runs the card through the PoS machine
3. Merchant types in the amount of the purchase
4. Consumer types in the PIN of the card
5. Machine prints out a receipt which has to be signed by the user
6. Bank debits (deducts) the amount of purchase directly from user’s account
7. Merchant keeps the signed receipt and hands a copy to the user for records
8. Customer gets SMS on his registered mobile for transaction completed

Online Transactions using Debit / Credit cards

Individuals have started opting for social media and mobile apps for most of their banking transactions. There are three different ways, RTGS, NEFT and IMPS, through which we can transfer funds from one bank account to another.

NEFT : It is an electronic fund transfer system which operates on a DNS (Deferred Net Settlement) basis, which settles transactions in batches. You can use the NEFT service through the bank branch through cheques or DD, or you can make the transfer using the net banking facility in your bank account. There is no minimum limit on the amount that can be transferred.

RTGS : In RTGS the transactions are settled individually and not in batches. The transaction is processed immediately after it is executed throughout the RTGS business hours. The RTGS window is open from 8 am to 4 pm between Monday and Saturday except 2nd and 4th Saturday as well as bank holidays. The minimum limit on transfer of funds at a time is Rs 2 lakhs.

IMPS : It is an instant payment service available for money transfer to bank accounts in India. It is ideal for transactions with small amounts. The main feature of the IMPS service is that it is available 24/7 including Sundays and bank holidays throughout the year, which makes it particularly helpful during emergencies. IMPS is basically used for transfers using the mobile phone number through apps or mobile banking. You can also use IMPS in your netbanking services when you want to transfer using account number details. The process is the same as NEFT. There is a limit of Rs 2 lakhs if you use online transfer using a bank account in netbanking.



Threats to Debit / Credit cards

Credit/debit card fraud
Credit card fraud is committed by making use of the credit/debit card of others for obtaining goods or services. The threat emerges due to stealing of information like credit card number, PIN number, password etc. Theft of cards and cloning of cards are also employed to commit such frauds. Hackers use complex techniques like Phishing, Skimming etc. to gain credit card information from innocent users.

Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity through e-mail. Phishing is typically carried out by e-mail spoofing and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one.

Skimming
Skimming is the theft of credit card / debit card information. A thief can procure the victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device (skimmer) to swipe and store hundreds of victims’ credit card numbers. Common scenarios for skimming are restaurants or bars where the skimmer has possession of the victim’s credit card and makes note of card details for further use.

Vishing
It is one of the methods of social engineering over the telephone system, most often using features facilitated by Voice over IP (VoIP), to gain access to private personal and financial information from the public for the purpose of financial reward. The term is a combination of “voice” and “phishing”.

Social Engineering
Social engineering involves gaining trust; hence the fraudster poses as a member of staff or even a security guard. The fraudster would then ask the customer to check the card for damages. The fraudster would have gained confidence from his prey using various tactics such as offering assistance to a customer who perhaps has tried to use the ATM without success, or who is not familiar with the use of the ATM machine and requires assistance.

Best practices for users to remain safe

• Do not share your card information over the phone or internet with ANYONE, irrespective of whether you know them or not.
• Do not give any card or personal information while answering a telephone call where the caller claims to represent the card issuing bank or any related organization. You can always call back the bank on publicly displayed numbers, if required.
• While making payment at a merchant location or service provider like restaurants, etc., insist on punching in your PIN rather than handing over your card for processing the payment.
• Always check the bill.
• Always retain the transaction receipt for comparing against the card statement that you receive at the end of the month. Most people throw this away and do not match it against the amount charged in the statement.
• Do not throw away the transaction receipt when you are done with it. Tear it or shred it. Dumpster divers are known to sift through garbage bags meticulously and retrieve all your card related information that can then be used to conduct unauthorized purchases, especially over the internet.
• While using an ATM, ensure that no one is watching your finger movement as you type your PIN. Watch out for cameras within the premises that can easily capture your PIN number. Try and cover your hand while you type in the PIN.
• Always memorize your card and PIN numbers, and in case of any loss or theft, report immediately to the concerned bank so that they can temporarily freeze your account and prevent any further unauthorized transaction until you receive your card replacement.
• Never save your card password in a regular folder on your computer hard drive or in your email account. If the account gets hacked, there is every possibility that an unauthorized transaction will take place.
• While making a payment over the internet, check for the security logo on the website confirming it as a safe site. If in doubt, check with the concerned company before making any such payment.
• Avoid keeping your credit or debit card in the wallet. In case your wallet gets stolen, you will at least have access to money at that moment.
• Download banking apps directly from the bank website and avoid using links that you receive via email or SMS to download your banking app.
• As card users, we have to do our part towards securing our hard earned money, while the banks need to work harder towards securing information and money.



UNIFIED PAYMENT INTERFACE (UPI)

Today UPI is the best way to make digital payments. People want to know the use of UPI in SBI Pay, Paytm, Phonepe, Tez and other apps. In fact, all these apps are riding on the UPI wave. After the launch of UPI, the mobile app payment has had a setback.

UPI is a type of interoperable payment system through which any customer holding any bank account can send and receive money through a UPI-based app. The service allows a user to link more than one bank account on a UPI app on their smart phone to seamlessly initiate fund transfers and make collect requests on a 24/7 basis and on all 365 days a year. The main advantage of UPI is that it enables users to transfer money without entering a bank account number or IFSC code. All you need is a Virtual Payment Address (VPA). There are many UPI apps in the market and they are available on both Android and iOS platforms. To use the service one should have a valid bank account and a registered mobile number, which is linked to the same bank account. There are no transaction charges for using UPI. Through this, a customer can send and receive money and make balance enquiries.

How to use UPI ?

To use the UPI payment system we need a mobile app. The app communicates with the UPI system and facilitates the fund transfer. But to keep the whole system secure, a bank has to play the role of intermediary. That is why every UPI app must be sponsored by a bank. Every participating bank of UPI can sponsor or make many apps. The banks have made their own UPI based apps such as SBI Pay, Baroda Pay, iMobile etc. On the other hand, they have also sponsored the apps of some other companies; for example Yes Bank is sponsoring Phonepe, and ICICI Bank and SBI are sponsoring Tez.

How it works

For using Unified Payment Interface, users need to create a Virtual ID or Virtual Payment Address (VPA) of their choice to link it to any bank account. This process doesn’t require either the payee or payer to share bank details. The VPA acts as their financial address and users need not remember the beneficiary account number, IFSC codes or net banking user id/password for sending or receiving money.

Steps for Registration

1. User downloads the Unified Payment Interface application from the App Store / Bank’s website.
2. User creates his/her profile by entering details like name, virtual id (payment address), password etc.
3. User goes to the “Add/Link/Manage Bank Account” option and links the bank and account number with the virtual id.

Generating M-PIN
User selects the bank account from which he/she wants to initiate the transaction. User clicks on the given options as required. The flow shown in the figure is:

1. Download any bank app or 3rd party app
2. Choose your unique ID (Aadhaar, mobile no.) as virtual payment address (VPA)
3. Select your bank
4. Give account details for the first time
5. Set M-PIN for validating transactions
6. Registration completed

Performing a Unified Payment Interface Transaction

PUSH - sending money using virtual address
• User logs in to UPI application.
• After successful login, user selects the option of Send Money / Payment.
• User enters beneficiary’s / Payee virtual id, amount and selects account to be debited.
• User gets confirmation screen to review the payment details and clicks on Confirm.
• User now enters MPIN.
• User gets successful or failure message.

PULL - Requesting money
• User logs in to his bank’s UPI application.
• After successful login, user selects the option of collect money (request for payment).
• User enters remitter’s / payer’s virtual id, amount and account to be credited.
• User gets confirmation screen to review the payment details and clicks on confirm.
• The payer will get the notification on his mobile for request money.
• Payer now clicks on the notification and opens his bank’s UPI app where he reviews the payment request.
• Payer then decides to click on accept or decline.
• In case of accept payment, payer will enter MPIN to authorize the transaction.
• Transaction complete, payer gets successful or decline transaction notification.
• Payee / requester gets notification and SMS from bank for credit of his bank account.

The send money flow shown in the figure: Choose send money > Enter payee’s virtual payment address (VPA) > Enter amount > Write remarks for transaction > Confirm the details > Hit “SEND”.

Best Practices for Users to remain safe

• Beware of Mobile phishing: always download legitimate UPI applications from the bank’s official website, and be cautious before you download it from the App store.
• Keep strong passwords for your phone as well as for your UPI application.
• Do not share MPIN with anybody (not even with the bank), and be suspicious of unknown callers claiming to be from your bank.
• Use biometric authentication if possible.
• Update your mobile OS and applications as often as possible to be secure from vulnerabilities.
• It is advisable for users to enable encryption, remote wipe abilities and anti-virus software on the phone.
• Keep your SIM card locked with a PIN to avoid misuse in case of loss or theft of the mobile device; you can contact your subscriber to block the subscription of the SIM card.
• Avoid connecting phones to unsecured wireless networks that do not need passwords to access.
BHARAT INTERFACE FOR MONEY (BHIM) APP

The BHIM app allows users to make payments using the UPI application. This also works in collaboration with UPI and transactions can be carried out using a VPA. One can link his/her bank account with the BHIM interface easily. It is also possible to link multiple bank accounts. The BHIM app can be used by anyone who has a mobile number, debit card and a valid bank account. Money can be sent to different bank accounts, virtual addresses or to an Aadhaar number. There are also many banks that have collaborated with the NPCI and BHIM to allow customers to use this interface.

How to use BHIM App ?
1. Download and install the BHIM app
2. Choose a language
3. Register for the service by providing the mobile number linked to the bank account
4. Add bank-related information and set up a UPI PIN by following the given instructions

Send money
The option is simple to use. Tap on it > enter the phone number of the person who is going to receive the money. The number will be verified and if a UPI/BHIM account has been set up for that number, the app will accept the number and will take you to the next screen where you can put in the money and send it. If there is no number or UPI ID, you can also send the money using Bank Account + IFSC code. To access this option, click on the three dots (settings) on the send money page.

Request money
Again, tap on the request button. Put in the number, let the app verify it. Once the verification is done, you can request the money.

Scan and pay
This is the place where QR codes come into the picture. The app generates a QR for every user, which can then be shared or printed and pasted. To make a payment to the QR code owner, just scan it and pay.

Threats to BHIM app

SQL injection vulnerability
SQL stands for Structured Query Language, used to communicate with a database. The code is written using the SQL inline method, which is largely considered an insecure way of storing data.

Denial of service attack
Hackers flood servers with fake transactions to bring them down. The app allows a user to have the sender’s and receiver’s account as the same, which means one can continue to send small amounts of money to his or her own account, without making any real transaction but in the process possibly clogging the system if other controls are not in place, something that may lead to a Denial of Service attack.

Best practices for users to remain safe

The steps to be taken to protect yourself from financial fraud through the BHIM App:
1. Check the payment collect request details with the merchant before making the payment
2. Be sure to keep UPI based Apps updated.
3. Make sure you transfer money only to known beneficiaries.



UNSTRUCTURED SUPPLEMENTARY SERVICE DATA

Another type of digital payment method, *99#, can be used to carry out mobile transactions without downloading any app. These types of payments can also be made with no mobile data facility. This facility is backed by the USSD along with the National Payments Corporation of India (NPCI). The main aim of this type of digital payment service is to create an environment of inclusion among the underserved sections of society and integrate them into mainstream banking. This service can be used to initiate fund transfers, get a look at bank statements and make balance queries. Another advantage of this type of payment system is that it is also available in Hindi. However, this payment method can be used only for small value transactions up to Rs 5000 as per RBI guidelines.

In USSD, direct communication between sender and recipients is established and this promotes faster data transmission. USSD communication is session-oriented and it is easily implementable while being more user-friendly. The developer community prefers USSD channels for development of mobile payment applications because of these powerful features.

How to use USSD ?
1. Provide KYC (Know Your Customer) information to open a new account
2. Mobile no. should be linked with bank a/c
3. Register for USSD/Mobile Banking
4. Get MMID (Mobile Money Identifier)
5. Get MPIN (Mobile PIN)

Services Offered
The various services offered are Balance enquiry, Mini Statement, Funds transfer, MMID, A/c no., Aadhaar, Know MMID, Change M-PIN, Generate OTP.

How to use USSD ?

1. This service can be used by dialling *99#, after which the customer can interact with an interactive voice menu through their mobile screen.
2. To use the service the mobile number of the customer should be the same as the one linked to the bank account. Register for USSD/Mobile Banking.
3. The next step is to register for USSD, MMID (Mobile Money Identifier) and MPIN.

Transaction Cost
1. NIL by system
2. Rs. 0.50 charged to customer

Threats to USSD

As previously mentioned, each bank has a unique shortcode, but this is also backed by unique infrastructure. In fact, nearly all mobile financial service providers (banks, mobile money operators and payment service suppliers, etc.) operate unique applications in providing USSD services to customers. Therefore, it is possible that the risk exposure of USSD transactions increases because each financial service provider uses its own technology, meaning there is no universal standard for all channels. More importantly, messages over USSD channels are not encrypted, leaving them vulnerable to being hacked.

• USSD Commands Request/Response Tampering
A malicious user can tamper with USSD command requests and responses. This may cause confusion for the legitimate user and can also lead to fraudulent transactions. This request and response tampering is possible through hardware and software interceptors. Weakly encrypted request and response messages are prime concerns in such threat vectors.

• USSD Request/Response Message Replay Attacks
When a phone is lost, an adversary may perform fraudulent transactions through an installed USSD application. An application must authenticate the USSD request originator (authentication through a combination of MSISDN, IMEI, PIN and unique Message Tracking ID). If the USSD application server or application is unable to authenticate the USSD request originator, then it can perform fraudulent transactions.

• USSD Server Response Tests
The USSD application server should respond properly upon valid requests generated by an authenticated user. Weakly encrypted response messages, response delay and response exception handling (in case of buffer overrun, delivery notification) are the prime concerns in the USSD application server response mechanism.

Toll Free No. 1800 425 6235 17


• USSD Content Error Tests transaction success mes- • Improper Session Man-
Improper USSD content sages and alerts. agement
error-handling may re- In this case, an adversary
veal sensitive informa- • Verify Strong Cryp- gets physical access to a
tion about customer data, tographic Implementation victim’s phone which has
USSD application and the Weak cryptography im- a USSD application in-
service provider’s sensi- plementation for critical stalled on it. The adver-
tive data. data (customer number, sary may perform any ma-
card numbers, PIN, ben- licious activity on financial
• USSD Response Time eficiary details – account transaction modules (e.g.
Tests numbers, balance sum- send money) due to im-
Improper USSD response mary) can be tampered proper session time-out
time implementation may with, leading to fraudulent implementation. It is also
result in delay or tamper- transactions. applicable to all financial
ing delivery notifications, transactions modules

Best practices for users to remain safe

Keep the following in mind for safe and successful USSD banking:
• Do not reveal your PIN or BVN to a third party.
• Do not repeat a transaction delayed or interrupted by the network. This is because the transaction might have been processed; if you repeat such a transaction your account might be debited twice. All you need to do is wait for an hour or more for a notification on such a transaction.
• Your phone should be charged to avoid loss of power in the midst of the transaction.
• Double-check the receiver's account number when transferring funds or paying a bill. You must wait for the confirmation text from the bank that the transaction is successful.
• In the absence of such confirmation, if your account is debited, contact your bank immediately to resolve the transaction.
• In case of a transfer, call the receiver to confirm receipt of the funds. If the response is no and your account has been debited, contact your bank to resolve it immediately.
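The replay, session time-out and "transaction may already have been processed" concerns above can all be handled by the same server-side bookkeeping. The following is an added illustration in Python, not code from this booklet or from any bank's USSD platform; the customer records, handset identifiers, Message Tracking ID scheme and the 120-second idle time-out are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy value for this example; the booklet gives no figure.
SESSION_TIMEOUT_SECONDS = 120


def hash_pin(pin: str, salt: bytes) -> bytes:
    """PINs are stored only as a salted, slow hash, never in clear."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class Customer:
    msisdn: str         # mobile number linked to the bank account
    imei: str           # handset registered for USSD banking (constructed value)
    pin_salt: bytes
    pin_digest: bytes
    balance: int        # rupees, constructed sample figure


def make_customer(msisdn: str, imei: str, pin: str, balance: int) -> Customer:
    salt = secrets.token_bytes(16)
    return Customer(msisdn, imei, salt, hash_pin(pin, salt), balance)


class UssdServer:
    """Toy USSD application server: one session per authenticated handset,
    an idle time-out, and a Message Tracking ID log that makes transfers
    idempotent, so a replayed or re-sent request is never debited twice."""

    def __init__(self, customers):
        self.customers = {c.msisdn: c for c in customers}
        self.sessions = {}    # session token -> [msisdn, last activity time]
        self.processed = {}   # (msisdn, tracking id) -> response already given

    def open_session(self, msisdn: str, imei: str, pin: str, now: float):
        """Authenticate the request originator by MSISDN, IMEI and PIN."""
        cust = self.customers.get(msisdn)
        if cust is None:
            return None
        imei_ok = hmac.compare_digest(cust.imei, imei)
        pin_ok = hmac.compare_digest(hash_pin(pin, cust.pin_salt), cust.pin_digest)
        if not (imei_ok and pin_ok):
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = [msisdn, now]
        return token

    def send_money(self, token: str, imei: str, tracking_id: str,
                   to_msisdn: str, amount: int, now: float) -> str:
        sess = self.sessions.get(token)
        if sess is None:
            return "NO_SESSION"
        msisdn, last_seen = sess
        key = (msisdn, tracking_id)
        if key in self.processed:
            # Replay, or a user re-sending a delayed request: repeat the
            # original answer and do not move money a second time.
            return self.processed[key]
        if now - last_seen > SESSION_TIMEOUT_SECONDS:
            # Idle session (e.g. phone left unattended): force re-authentication.
            del self.sessions[token]
            return "SESSION_EXPIRED"
        cust = self.customers[msisdn]
        if not hmac.compare_digest(cust.imei, imei):
            return "REJECTED"      # session token presented from another handset
        dest = self.customers.get(to_msisdn)
        if dest is None or amount <= 0 or amount > cust.balance:
            result = "DECLINED"
        else:
            cust.balance -= amount
            dest.balance += amount
            result = "SUCCESS"
        sess[1] = now
        self.processed[key] = result
        return result
```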

AADHAAR ENABLED PAYMENT SYSTEM (AePS)

Expanded as Aadhaar Enabled Payment System, AePS can be used for all banking transactions such as balance enquiry, cash withdrawal, cash deposit, payment transactions, Aadhaar to Aadhaar fund transfers, etc.

It uses the Aadhaar number and biometric fingerprint of the user. AePS financial transactions are performed using Aadhaar enabled POS machines. AePS does not require any OTP or PIN for verification. It depends on data available with the UIDAI CIDR repository, which holds your data authenticated during the Aadhaar enrolment process. AePS performs payment transactions using the bank account linked with the Aadhaar number of the user.

All transactions are carried out through a banking correspondent based on Aadhaar verification.

There is no need to physically visit a branch, provide debit or credit cards, or even make a signature on a document. This service can only be availed if your Aadhaar number is registered with the bank where you hold an account. This is another initiative taken by the NPCI to promote digital payments in the country.

How to use AePS

It is very simple to use AePS: all you need to do is provide the accurate Aadhaar number and the payment will be successfully made to the concerned merchant. With AePS you can check the balance of your account, make Aadhaar to Aadhaar fund transfers, withdraw cash, deposit cash and make purchases at Fair Price Shops.
• Go to a micro ATM or banking correspondent
• Provide Aadhaar number and bank name
• Choose the type of transaction you want to make
• Provide verification through fingerprint/iris scan
• Collect your receipt

A customer will have to register his/her Aadhaar number to their existing bank account, provided their bank is AePS enabled. Through AePS, the customer can withdraw or deposit cash, make a balance enquiry, and transfer funds. The maximum amount of transactions per account per day is Rs. 50,000.

Threats to AePS

• Aadhaar enabled payments are built on a platform, which is Aadhaar. If any vulnerability affects Aadhaar, then Aadhaar enabled payments, a payment system which is built on Aadhaar, will also be vulnerable and you may lose money.
• The Aadhaar Based Payment Systems may be vulnerable to the gummy finger method. Using the gummy finger method, your duplicate fingerprint can be made just by using gum/glue. Fraudsters can make a transaction using your fingerprints and you can lose money. Cloning a debit/credit card is not very easy, but the gummy finger method, where you need just gum/glue, makes Aadhaar Based Payment Systems vulnerable to fraud.
• The merchant uses the Aadhaar enabled payment system to authenticate your fingerprints. Your biometric data could be stored on this device, or the merchant can store your biometric data on his smart phone. This makes you vulnerable to fraud.

Best practices for users to remain safe

• Always verify the Aadhaar number before transferring money.
• Use an Aadhaar ID to carry out transactions only at a POS and biometric data capture device.
• Ensure that the devices (POS and biometric capture machine) are not tampered with and that only certified devices are being used.
• Secure the biometric data from unauthorized or malicious users who may attempt to access customers' private and critical information or manipulate sensitive data to suit their goals, so as to protect financial transactions from fraudsters.

AePS gives a lot of convenience to the rural people. It brings the bank to their doorstep and saves much time and transport expense. It would be just like having an ATM at every doorstep. That is why the government calls the POS a micro ATM.

E-WALLET
An Electronic wallet (e-wallet) is an electronic application that enables online e-commerce transactions like purchasing goods, paying utility bills, transferring money, booking flights etc. with a financial instrument (such as a credit card or a digital currency) using smart phones or computers. A plethora of these e-wallets are provided online for downloading as "apps" to support both point of sale transactions and peer-to-peer transactions between individuals. Being preloaded with currency by the user, they are designed to be more convenient than traditional wallets, by providing better manageability over payments, accounts, receiving of offers and alerts from merchants, storing digital receipts and warranty information, and being secure by requiring access only through the correct passphrase, password or such authentication information.

A number of IT companies, banks, telecom firms, online e-commerce portals, taxi services, supermarket chains etc. provide e-wallets. A number of items of personally identifiable information (PII) of the customer, like his name and mobile phone number, and his protected personal information, like card numbers, secret PIN, net banking credentials etc., are permanently stored in e-wallets, requiring just final authorization from the user through means like biometric authentication, one-time passwords (OTP) etc. The payment process involves security mechanisms like certificate pinning and use of encryption.

Threats to E-Wallets and countermeasures

Impersonation, SIM swapping

Impersonation occurs when a fraudster steals information and then poses as a genuine user to do a transaction using the stolen e-wallet details and password.

SIM swapping occurs when fraudsters first collect the user's information and use it to get his mobile phone SIM card blocked, and then obtain a duplicate one by visiting the mobile operator's retail outlet with fake identity proof. The mobile operator deactivates the genuine SIM card, which was blocked, and issues a new SIM to the fraudster, who then generates one-time passwords using the stolen information.

For prevention against Impersonation and SIM swapping attacks:
• Avoid falling prey to social engineering tricks: financial service providers and support staff will never ask their customers to share private information such as passwords or payment account numbers over email requests or phone inquiries etc.
• Some mobile network operators send an SMS to alert their customers of a SIM swap; the affected customer can act and stop this fraud in its tracks by contacting the mobile operator immediately.

Man-in-the-middle attack and Phishing

Sophisticated threats like Man-in-the-Browser or Man-in-the-Middle attacks intercept online transactions by reading payment data from the Internet browser while the user is typing his credit card or bank account details. Phishing attacks are used to steal users' login details and personal data, making e-wallet accounts susceptible to fraud.

For prevention against phishing attacks:
• The URL of the web page should be verified by establishing the authenticity of the website, i.e. by validating its digital certificate.
• To do so, go to File > Properties > Certificates or double click on the padlock symbol at the upper right or bottom corner of the browser window.
• Emails or text messages asking the user to confirm or provide personal information (Debit/Credit/ATM PIN, CVV, expiry date, passwords, etc.) should be ignored.

Malware Attacks

Malware attacks on apps have threatened the safety of users' money. An attacker can inject malware to attack the app and collect details from the user's phone to misuse them.

For prevention against Malware attacks:
• Keep the wallet software up to date: using the latest version of the software allows receiving important stability and security fixes in a timely manner. Updates can prevent problems of various severities, include new useful features and help keep the wallet safe. Installing updates for all other software on the computer or mobile is also significant to keep the wallet environment safer.
• Use security software: applications for detecting and removing threats, including firewalls, virus and malware detection and intrusion-detection systems, and mobile security solutions, should be installed and activated.

Best practices for users to remain safe while using e-wallets

• Enable Passwords On Devices:


Strong passwords should be enabled on the user’s phones, tablets, and other devices before
e-wallets can be used. Additional layers of security provided by these devices should be used.
• Use Secure Network Connections:
It’s important to be connected only to the trusted networks. Avoid the use of public Wi-Fi
networks. More secure and trusted WiFi connections identified as “WPA or WPA2” requiring
strong passwords should be used.
• Install Apps From Trusted Sources:
Reading the user ratings and reviews can provide some clues about the integrity of the e-wallet app. The user must check that the e-wallet provider has a strong track record of securely, reliably and conveniently handling sensitive financial data and providing customer support (in the event of card loss or account fraud).
• Keep Login Credentials Secure:
Avoid writing down the information used to access digital wallets in plain view or storing it in an unprotected file, to prevent its misuse.
• Create a Unique Password for Digital Wallet:
Use a hard-to-guess password unique to the digital wallet to protect against the risk of unauthorized access.
• Stay vigilant and aware of cellphone’s network connectivity status and register for Alerts
through SMS and emails:
The user should not switch off his cellphone when numerous annoying calls are received; rather, answering the calls should be avoided. This could be a ploy to get him to turn off his phone or put it on silent, to prevent him from noticing that his connectivity has been tampered with. The customer should realize that when he is not receiving any calls or SMS notifications for a long time against his e-wallet uses, he should make enquiries with his mobile operator to be sure of not falling victim to such a scam.
• Identify Points of Contact in case of Fraudulent Issues:
For any fraudulent activity occurring on the user's account, in scenarios like when the phone is lost or stolen, an individual card stored in the wallet is lost, or the account has been hacked, the appropriate points of contact for resolving the issues should be known to the user. The user must completely understand the e-wallet provider's contract terms and conditions.

POINT OF SALE
The point of sale (POS) is the place where a retail
transaction occurs and the merchant calculates the
amount owed by the customer, indicates the amount,
prepares an invoice for the customer, and indicates
the options for the customer to make payment. It
is also the point at which a customer makes a payment to the merchant in exchange for goods or after provision of a service. After receiving the payment, the merchant issues a receipt for the transaction; this is usually printed, but is increasingly being dispensed with by sending it electronically.

POS systems consist of hardware as well as software that tells the hardware what to do with the information it captures. When consumers use a credit or debit card at a POS system, the information stored on the magnetic stripe of the card is collected and processed by the attached device. The data stored on the magnetic stripe is referred to as Track 1 and Track 2 data. Track 1 data is information associated with the actual account and it includes items such as the cardholder's name as well as the account number. Track 2 data contains information such as the credit card number and expiration date.
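To make concrete what Track 1 and Track 2 carry, and therefore what a skimmer or memory scraper obtains, here is an added example in Python (not from this booklet or any POS vendor) that parses both tracks and renders them in the masked form a POS application should use in any log or receipt. The track layouts follow ISO/IEC 7813 as I know them; the card number 4111111111111111 and the cardholder name are constructed test values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Magnetic stripe layouts (ISO/IEC 7813, format code B), as assumed here:
#   Track 1: %B<PAN>^<SURNAME/FIRST>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)


@dataclass
class TrackData:
    pan: str                  # primary account number (the card number)
    name: Optional[str]       # cardholder name, present on Track 1 only
    expiry: str               # YYMM exactly as encoded on the stripe
    service_code: str


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test: a cheap sanity check on a captured PAN."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _build(m, name: Optional[str]) -> Optional[TrackData]:
    # Discretionary data is deliberately dropped: it is never needed downstream.
    if not luhn_ok(m["pan"]):
        return None
    return TrackData(m["pan"], name, m["exp"], m["svc"])


def parse_track1(raw: str) -> Optional[TrackData]:
    m = TRACK1_RE.match(raw)
    return _build(m, m["name"]) if m else None


def parse_track2(raw: str) -> Optional[TrackData]:
    m = TRACK2_RE.match(raw)
    return _build(m, None) if m else None


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits of the card number."""
    if len(pan) <= 10:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def is_expired(track: TrackData, year: int, month: int) -> bool:
    """Compare the YYMM expiry on the stripe with a given date (20YY assumed)."""
    exp_year = 2000 + int(track.expiry[:2])
    exp_month = int(track.expiry[2:])
    return (exp_year, exp_month) < (year, month)


def safe_log_line(track: TrackData) -> str:
    """The only form in which a POS application should write card data to a
    log: masked PAN and service code, no name, no expiry, no discretionary data."""
    return f"card={mask_pan(track.pan)} svc={track.service_code}"


if __name__ == "__main__":
    # Constructed sample swipe: well-known test PAN, fictitious cardholder.
    t1 = parse_track1("%B4111111111111111^SMITH/JOHN^25121011000000000000?")
    print(safe_log_line(t1))   # card=411111******1111 svc=101
```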

Threats to POS Systems:

Skimming
Skimming is an electronic method of capturing a victim's personal information, used by identity thieves. The skimmer is a small device that scans a credit/debit card and stores the information contained in the magnetic strip. Skimming can take place during a legitimate transaction at a business.

POS Malware
Point-of-sale malware (POS malware) is a type of malicious software (malware) that is used by cybercriminals to target point of sale (POS) terminals with the intent of obtaining credit card and debit card information by reading the device memory of the retail checkout point of sale system.

Best Practices for Users to remain safe

Owners and operators of POS systems should follow best practices to increase the security of POS systems and prevent unauthorized access.

For organizations / service providers:
• Update POS Software Applications: Keep all POS systems regularly updated, including POS application software.
• Use Antivirus: It is suggested to continually update the antivirus programs for them to be effective on a POS network.
• Install a Firewall: Firewalls should be utilized to protect POS systems from outside attacks. A firewall can prevent unauthorized access to, or from, a private network by screening out traffic from hackers, viruses, worms, or other types of malware specifically designed to compromise a POS system.
• Restrict Access to Internet: Apply access control lists on the router configuration to limit unauthorized traffic to POS devices.
• Disallow Remote Access: Cyber criminals can exploit remote access configurations on POS systems to gain access to these networks. To prevent unauthorized access to POS systems, disallow remote access to the POS network at all times.
• Review all Logs: Organizations and merchants providing POS services should review all system logs for any strange or unexplained activity on a regular basis.
• Encrypt transmission of card holder data across open, public networks.

For Merchants:
• Update POS Software Applications: Keep all POS systems regularly updated, including POS application software.
• Review all Logs: Organizations and merchants providing POS services should review all system logs for any strange or unexplained activity on a regular basis.
• Account Lock out policy: Lock out accounts after N number of incorrect login attempts.
• POS systems should not be used for general internet access by retailers.
• Use Strong Passwords: All POS device owners should change the passwords to their POS systems on a regular basis, using unique account names and complex passwords.
• Merchants should ensure that all their Wi-Fi and internet connections are secured. Merchants may use a network name that is extremely generic but unique, keeping the network simple and inconspicuous. In addition, merchants may modulate the signal strength of their Wi-Fi network so that it does not extend too far from the area of use, shop or building.
• Ensure that no electronic / magnetic devices are attached to POS systems. Enter PIN numbers in a secret manner.
• Merchants should always purchase POS systems from reputable dealers.
• If any suspected transactions are observed, contact the service provider / bank immediately.

MICRO ATMS
Micro ATMs are Point of Sale (PoS) devices that work with minimal power and connect to central banking servers through GPRS, thereby reducing operational costs considerably. The micro ATM solution enables the unbanked rural people to easily access micro banking services in a very effective manner.

How to Use Micro ATMs

The basic interoperable transaction types that the micro ATM will support are:
1. Deposit
2. Withdrawal
3. Funds transfer
4. Balance enquiry and mini-statement

The micro ATM will support the following means of authentication for interoperable transactions:
1. Aadhaar + Biometric
2. Aadhaar + OTP
3. Magnetic stripe card + Biometric
4. Magnetic stripe card + OTP
5. Magnetic stripe card + Bank PIN

Threats to Micro ATMs:

Data Vulnerabilities
With respect to POS data vulnerabilities, there are three specific areas that should be given attention: data in memory, data in transit and data at rest. Data in memory in this context is when the card track data is brought into the system at the POS system via a POI (Point of Interface or some other input device). Data in memory is nearly impossible to defend if an attacker has access to the POS system. Traditionally, data input into the POS system was held in memory in clear text, which is what allowed attackers' memory scrapers to be very successful. The way to minimize this risk is by encrypting the card data as soon as possible and keeping it encrypted to the maximum extent throughout its life within the system. Point to Point Encryption (P2PE) could be used to address the issue of encrypting data in memory.

Skimming
Skimming is the theft of credit card / debit card information. A thief can obtain a victim's credit card number using a small electronic device near the card acceptance slot and store hundreds of victims' credit card numbers.

Social Engineering
Social engineering involves gaining trust, hence the fraudster poses as a member of staff. The fraudster would then ask the customer to check the card for damage. The fraudster would have gained the confidence of his prey using various tactics such as offering assistance to a customer who perhaps would have tried to use the ATM without success, or perhaps a customer who is not familiar with the use of the micro ATM machine and requires assistance.

Best Practices for Users to remain safe

• Before using a micro ATM, please ensure that there are no strange objects in the insertion panel of the ATM (to avoid skimming).
• Cover the PIN pad while entering the PIN. Destroy the transaction receipts securely after reviewing them.
• Change the ATM PIN on a regular basis.
• Keep a close eye on bank statements, and dispute any unauthorized charges or withdrawals immediately.
• Shred anything that has a credit card number written on it (bills etc.).
• Notify credit/debit card issuers in advance of a change of address.
• Do not accept a card received directly from the bank if it is damaged or the seal is open.
• Do not write the PIN number on the credit/debit card.
• Do not disclose your credit card number/ATM PIN to anyone.
• Do not hand over the card to anyone, even if he/she claims to represent the bank.
• Do not get carried away by strangers who try to help you use the micro-ATM machine.
• Do not transfer or share account details with unknown/non-validated sources.
• In case of any suspected transactions or loss of cards, contact the service provider/bank immediately.

ONLINE BANKING

Most industries have deployed internet technologies as an essential part of their business operations. The banking industry is one of the industries that has adopted internet technologies for its business operations and in its plans, policies and strategies to be more accessible, convenient, competitive and economical as an industry. The aim of these strategies was to provide online banking customers the facilities to access and manage their bank accounts easily and globally.

Online banking, also known as internet banking, e-banking or virtual banking, is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions through the financial institution's website. The online banking system will typically connect to or be part of the core banking system operated by a bank and is in contrast to branch banking, which was the traditional way customers accessed banking services. Online banking has been deployed more frequently over the past few decades to support and improve the operational and managerial performance within the banking industry.

Threats to Online Banking

There are some information security threats and risks associated with the use of online banking systems. The confidentiality, privacy and security of internet banking transactions and personal information are the major concerns for both the banking industry and internet banking. Attacks on online banking today are based on deceiving the user to steal login data. Phishing, pharming, cross-site scripting, adware, key loggers, malware, spyware, Trojans and viruses are currently the most common online banking security threats and risks.

The following are the major attack scenarios:
• A credential stealing attack (CSA) is where fraudsters try to gather the user's credentials, either with the use of malicious software or through phishing.
• A channel breaking attack (CBA) involves intercepting the communication between the client side and the banking server, by masquerading as the server to the client and vice versa.
• A content manipulation attack, also called a man-in-the-browser (MiTB) attack, takes place in the application layer between the user and the browser. The adversary is granted privileges to read, write, change and delete the browser's data whilst the user is unaware of it.

Best practices for Online Banking Users

For Users

Protect your PC:
• Install anti-virus software and keep it updated on a regular basis to guard against new viruses
• Install anti-spyware security software against those programs that monitor, record and extract the personal information you type in your PC (passwords, card numbers, ID numbers, etc.)
• Install personal firewalls to protect your PC against unauthorized access by hackers
• Keep your operating system and internet browser up to date, checking for and downloading new versions/security enhancements from the vendor's web site

Protect your personal information:
• Create hard-to-guess security access codes (User ID & password) for Online Banking and make them unique (e.g. they should not be the same as those you use to access your e-mail account)
• Change your security access codes periodically
• Memorize your security access codes, avoid writing them down and keep them strictly personal and confidential
• Do not disclose your security access codes to ANYONE: the Bank will never initiate contact with you for your e-banking or ATM PINs, card or account numbers or personal identification information, neither over the phone nor in any electronic or written message. Also refrain from providing your ATM PIN for e-commerce transactions.
• Never leave your PC unattended when logged into Online Banking
• Always remember to log off from your online session using the "Log-off" button when finished using the e-banking services

Use the Internet cautiously:
• Always access Online Banking only by typing the URL in the address bar of your browser.
• Never attempt to access Online Banking through an external link of unknown or suspicious origin appearing on other websites, search engines or e-mails
• Before logging in, check for the Bank's security certificate details and the various signs (e.g. green address line and lock, HTTPS) that confirm you are visiting the secure pages of the Bank.
• Ignore and delete immediately suspicious fraudulent (phishing, spoof, hoax) e-mails that appear to be from the Bank, asking you to urgently click a link to a fraudulent (spoof) website that tries to mimic the Bank's site and to lure you into giving out your sensitive personal information (PIN, account or card numbers, personal identification information et al.)
• Never click on a link contained in suspicious e-mails
• Avoid using Online Banking from public shared PCs (as in internet cafes, libraries, etc.) to avoid the risk of having your sensitive private information copied and abused

Stay alert:
• Sign on to Online Banking regularly and review your account transactions, checking for any fraudulent activity on your account (e.g. transactions you do not recognize)
• Keep track of your last log-on date and time, displayed at the top left side of the Online Banking home page
• Once logged into Online Banking, you can also monitor the actions performed online

Prompt reporting of suspicious activity:
• Contact your bank immediately if you think someone knows your security access code, in case of theft of your code/money, or in case you have forgotten your credentials.
• Forward any suspicious e-mails to the bank at their phishing reporting email as well as to CERT-In at incident@cert-in.org.in
• Your prompt action is crucial to prevent any (further) damage

MOBILE BANKING

The increasing usage of smartphones has enabled individuals to use various applications, including mobile banking applications. More and more individuals have started using mobile applications for banking as compared to the traditional desktop/web-based banking applications. Mobile banking refers to the use of a smartphone or other cellular device to perform online banking tasks while away from your home computer, for various uses such as monitoring account balances, viewing mini statements and account statements, transferring funds between accounts, bill payment etc.
Threats to Mobile Banking

Mobile Banking Malware:
There have been incidents that involved sophisticated viruses infecting bank mobile app users to steal password details and even defeat two-factor authentication, by presenting victims with a fake version of the login screen when they access their legitimate banking application. A key vector by which mobile banking malware gets into the mobile device is through malicious applications posing as legitimate applications that users download and then become infected.

For prevention against Malware attacks:
• Download and use anti-malware protection for the mobile phone or tablet device.
• Keep the Banking App software up to date: using the latest version of the software allows receiving important stability and security fixes in a timely manner.
• Use security software: applications for detecting and removing threats, including firewalls, virus and malware detection and intrusion-detection systems, and mobile security solutions, should be installed and activated.
• Reputed applications should only be downloaded onto the smart phone from the market after looking at the developer's name, reviews and star ratings, checking the permissions that the application requests, and ensuring that the requests match the features provided by that application.

Phishing/Smishing/Vishing Attack
An attacker attempts phishing on a mobile phone through SMS (Short Message Service), text message, telephone call, fax, voicemail etc. with the purpose of convincing the recipients to share their sensitive or personal information.

For prevention against phishing attacks:
Emails or text messages asking the user to confirm or provide personal information (Debit/Credit/ATM PIN, CVV, expiry date, passwords, etc.) should be ignored. SSL (Secure Sockets Layer) and TLS (Transport Layer Security) should be adequately implemented in mobile banking apps, thus helping to prevent phishing and man-in-the-middle attacks.

Jailbroken or Rooted Devices:
This is practiced to gain unrestricted or administrative access to the device's entire file system, at the risk of leaving the device vulnerable to malicious app downloads by breaking its inherent security model and limitations, allowing mobile malware and rogue apps to infect the device and control critical functions such as SMS. Thus the mobile banking app's security is exposed to extreme risk on a jailbroken device.

Outdated OSs and No Secure Network Connections:
Risk factors such as outdated operating system versions and the use of unsecured Wi-Fi networks on mobile devices allow cybercriminals to exploit an existing online banking session to steal funds and credentials. For prevention, use secure network connections: it's important to be connected only to trusted networks. Avoid the use of public Wi-Fi networks. More secure and trusted Wi-Fi connections identified as "WPA or WPA2", requiring strong passwords, should be used.

Best practices for users to remain safe

• Enable Passwords On Devices: Strong passwords should be enabled on the user's phones, tablets, and other mobile devices before mobile banking apps can be used. Additional layers of security inherently provided by these devices should be used.
• Bank account numbers or the IPIN should not be stored on the user's mobile phone.
• The user should report the loss of a mobile phone to the bank for them to disable the user's IPIN and his access to the bank account through the Mobile Banking app.
• When downloading the Bank's mobile app on the mobile device, the user should go to a trusted source such as the App Store on the iPhone® and iPod touch® or Android Market. The user can alternately check the Bank's website for the details of the ways to receive the app download URL, whether in response to his SMS or email to the bank, and then install the application. The app should not be downloaded from any other third party source.

Best practices for users to be safe while doing Online shopping

Before you log on and make your first purchase, keep these ideas in mind to protect your credit card and keep your bank account information safe:

• Only visit secure shopping websites: look for the "lock". Check the address bar for a padlock symbol and an address beginning with "https" (not just "http"); these indicate that the connection to the site is encrypted. Note that the padlock only proves the connection is encrypted, not that the site is genuine: phishing sites also use https, so check that the domain name is really the shop's before entering card details.
• Shop online only with a secure network. Although you might be enjoying a nice cup of coffee at a coffee shop, avoid using the public Wi-Fi in order to keep your payment information safe.
• Protect your personal information. Never click the box to "remember" or save your password or credit card information. It only takes a few seconds to enter this information when you revisit a site. (This is not only a good idea for shopping, but should be a general rule for keeping your passwords safe.)
• Watch out for frauds. With online shopping, you typically receive a confirmation for the order and another when shipping occurs. One current phishing scam sends a fake email indicating a problem with your order and includes a link or attachment to click. Another phishing scam targets Amazon shoppers. Amazon will never send you an unsolicited email asking for sensitive personal information like your social security number, tax ID, bank account number, credit card information, ID questions like "mother's maiden name" or account password. If you receive a suspicious email, report it immediately by sending it as an attachment to stop-spoofing@amazon.com. (Likewise, if you are reporting a suspicious URL, put it in the body of the email and send it to stop-spoofing@amazon.com.)
• Monitor your purchases. This is another list to "check twice". Hopefully, you are reviewing your credit card and bank statements throughout the year. During the holidays, it is even more important to be vigilant so you can catch any suspicious activity on your accounts.
• Limit cookies: Cookies are stored by your computer's Internet browser by default; their purpose is to store settings and information for web pages that you have accessed. Most shops need a session cookie to keep you logged in and hold your cart, so rather than disabling cookies outright, block third-party cookies and clear cookies after shopping in the settings of the browser and apps that you use for shopping.
• Use secure payment methods: Only shop on sites that take secure payment methods, such as credit cards, as they likely give you buyer protection in case there is a dispute.
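To make the "look for the lock" and "watch out for frauds" advice checkable, here is an added example in Python, not code from this booklet or from Amazon, that triages shopping links before they are clicked. The brand-to-domain table, the registrable_domain heuristic and the sample links are assumptions constructed for the example.

```python
"""Shopping-link triage (added example, not the booklet's code).

Turns the tips above into checks a user, or a mail filter, can run on a
link before clicking: https only, a real domain name rather than an IP
address, no user@host trick, no punycode, and the registrable domain must
belong to the brand the link claims to be.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the shops' genuine registrable domains, as the user would
# confirm from a card statement or the official app.
KNOWN_BRANDS = {
    "amazon": {"amazon.in", "amazon.com"},
    "flipkart": {"flipkart.com"},
}


def registrable_domain(host):
    """Last two labels of the host; enough for the .com/.in brands above."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_url(url):
    """Return the reasons the link is unsafe; an empty list means it passed."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        reasons.append("not https: the connection is not encrypted")
    if not host:
        reasons.append("no host name in link")
        return reasons
    # "https://amazon.in@evil.example/" shows amazon.in but goes to evil.example
    if parts.username is not None or parts.password is not None:
        reasons.append("credentials in URL (user@host trick)")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address instead of a domain name")
        return reasons
    except ValueError:
        pass
    if host.startswith("xn--") or ".xn--" in host:
        reasons.append("punycode host (possible look-alike domain)")
    # A brand name anywhere in the link with a registrable domain the brand
    # does not own is the classic phishing pattern; the padlock does not help.
    claimed = host + parts.path.lower() + (parts.username or "").lower()
    reg = registrable_domain(host)
    for brand, domains in KNOWN_BRANDS.items():
        if brand in claimed and reg not in domains:
            reasons.append(f"claims to be {brand} but registrable domain is {reg}")
    return reasons


# Constructed sample links (not real campaigns) for the demonstration.
SAMPLE_LINKS = [
    "https://www.amazon.in/gp/cart/view.html",
    "http://amazon.in.secure-checkout.example/login",
    "https://amazon-in-orders.example/problem-with-your-order",
    "https://amazon.in@203.0.113.5/signin",
    "https://www.xn--amazn-8ta.in/",
]


def triage_batch(links=SAMPLE_LINKS):
    """Map each link to its list of problems."""
    return {link: triage_url(link) for link in links}


if __name__ == "__main__":
    for link, problems in triage_batch().items():
        print("OK  " if not problems else "RISK", link, *problems, sep="  ")
```

The second and third sample links both pass the "https" test in a browser, which is the point of the brand check: an encrypted connection to a domain the shop does not own is still a phishing page.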

Watch out for fake shopping apps

• Thieves are trying to steal your credit card and identity with fake shopping apps. Be sure you are downloading the legitimate app by getting it from the company's official website or, if downloading from an app store directly, check that it has been around for a few years and has high ratings from many users. Never be the first to download a new shopping app.
• If you are interacting with brands on social media, make sure they are "verified", with the little blue checkmark by their profile, which means the platform has confirmed that the account belongs to the company.

CYBER LAWS IN INDIA

When the Internet was developed, its founding fathers hardly had any inkling that it could transform itself into an all-pervading revolution which could be misused for criminal activities and which required regulation. Today, there are many disturbing things happening in cyberspace. Due to the anonymous nature of the Internet, it is possible to engage in a variety of criminal activities with impunity, and people with intelligence have been grossly misusing this aspect of the Internet to perpetrate criminal activities in cyberspace. Hence the need for cyber laws in India. Cyber law is important because it touches almost all aspects of transactions and activities on and concerning the Internet, the World Wide Web and cyberspace. Initially it may seem that cyber law is a very technical field and that it does not have any bearing on most activities in cyberspace, but nothing could be further from the truth. Whether we realize it or not, every action and every reaction in cyberspace has some legal perspective.

In May 2000, both houses of the Indian Parliament passed the Information Technology Bill. The Bill received the assent of the President in June 2000 and came to be known as the Information Technology Act, 2000; it came into force on 17 October 2000. India's cyber laws are contained in the IT Act, 2000. The Act aims to provide the legal infrastructure for e-commerce in India, and it has a major impact on e-businesses and the new economy in India. So it is important to understand the various perspectives of the IT Act, 2000 and what it offers.

The Information Technology Act, 2000 also aims to provide for the legal framework so that
legal sanctity is accorded to all electronic records and other activities carried out by elec-
tronic means. The Act states that unless otherwise agreed, an acceptance of contract may
be expressed by electronic means of communication and the same shall have legal validity
and enforceability.

Advantages of Cyber Laws

The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber crimes. We need such laws so that people can perform purchase transactions over the Net through credit cards without fear of misuse. The Act offers the much-needed legal framework so that information is not denied legal effect, validity or enforceability solely on the ground that it is in the form of electronic records.

In view of the growth in transactions and communications carried out through electronic records, the Act seeks to empower government departments to accept the filing, creation and retention of official documents in digital format. The Act has also proposed a legal framework for the authentication and origin of electronic records and communications through digital signatures.

From the perspective of e-commerce in India, the IT Act 2000 and its provisions contain many positive aspects. Firstly, the implication of these provisions for e-businesses is that email is now a valid and legal form of communication in our country that can be duly produced and approved in a court of law.

The IT Act 2000, being the first legislation on technology, computers, e-commerce and e-communication, was the subject of extensive debates and elaborate reviews, with one arm of the industry criticizing some sections of the Act as draconian and another stating it was too diluted and lenient. There were some obvious omissions too, resulting in investigators relying more and more on the time-tested (one and a half century-old) Indian Penal Code even in technology-based cases, with the IT Act also being referred to in the process but with more reliance on the IPC than on the ITA.

Thus the need for an amendment, a detailed one, was felt for the IT Act. Major industry bodies were consulted and advisory groups were formed to go into the perceived lacunae in the IT Act, compare it with similar legislation in other nations and suggest recommendations. Such recommendations were analyzed and subsequently taken up as a comprehensive Amendment Act, and after considerable administrative procedure the consolidated amendment, called the Information Technology Amendment Act 2008, was placed in Parliament and passed at the end of 2008 (just after the Mumbai terrorist attack of 26 November 2008 had taken place). The IT Amendment Act 2008 received the President's assent on 5 February 2009 and was made effective from 27 October 2009.



• Email Account Hacking
A victim's email account is hacked and obscene emails are sent to the people in the victim's address book. Provisions applicable: Sections 43, 66, 66A, 66C, 67, 67A and 67B of the IT Act. (Note: Section 66A was struck down as unconstitutional by the Supreme Court in Shreya Singhal v. Union of India, 2015, and can no longer be invoked; the references to it here and below are historical.)

• Credit Card Fraud
Unsuspecting victims use infected computers to make online transactions, and their card details are captured. Provisions applicable: Sections 43, 66, 66C and 66D of the IT Act and Section 420 of the IPC.

• Introducing Viruses, Worms, Backdoors, Rootkits, Trojans and Bugs
All of the above are malicious programs used to destroy or gain access to electronic information. Provisions applicable: Sections 43, 66 and 66A of the IT Act and Section 426 of the Indian Penal Code.

• Phishing and Email Scams
Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card information) by masquerading as a trusted entity, typically through a fake site or email. Provisions applicable: Sections 66, 66A and 66D of the IT Act and Section 420 of the IPC.

• Theft of Confidential Information
Many business organizations store their confidential information in computer systems. This information is targeted by rivals, criminals and disgruntled employees. Provisions applicable: Sections 43, 66 and 66B of the IT Act and Section 426 of the Indian Penal Code.

• Tax Evasion and Money Laundering
Money launderers and people doing illegal business activities hide their information in virtual as well as physical form. Provisions applicable: Income Tax Act and Prevention of Money Laundering Act. The IT Act may apply case-wise.

• Online Share Trading Fraud
Investors' demat accounts are linked with their online banking accounts; when these accounts are accessed without authorization, share trading fraud results. Provisions applicable: Sections 43, 66, 66C and 66D of the IT Act and Section 420 of the IPC.

Indian Penal Code (IPC)
The Indian Penal Code (IPC) is the criminal code of India. It is a comprehensive code intended to cover all substantive aspects of criminal law. The code was drafted on the recommendations of the first Law Commission of India, established in 1834 under the Charter Act of 1833 under the chairmanship of Lord Thomas Babington Macaulay, and enacted in 1860. It came into force in British India in 1862, during the early British Raj period. However, it did not apply automatically in the princely states, which had their own courts and legal systems until the 1940s. The Code has since been amended several times and is now supplemented by other criminal provisions.

The Indian Penal Code lists the offences and the punishments that a person committing a crime is liable to. It applies to every person within the territory of India and, for certain offences, to acts committed outside India. The Indian Penal Code of 1860 is subdivided into twenty-three chapters comprising five hundred and eleven sections. Although every individual in India comes under the IPC, the Army, Air Force and other armed forces are governed by their own Acts and have their own tribunals for the punishment of offences.

Importance of IPC
The Indian Penal Code holds a very important place in setting the rules and regulations of criminal law and is the main criminal code of India.

IPC and Banking Frauds
Perpetrators of frauds in banking transactions are liable to be prosecuted under the criminal law of the country, for which adequate provisions of punishment have been prescribed under the Indian Penal Code, 1860. Some of the important provisions of the IPC in this regard are discussed hereunder:



• Section 403 of the Indian Penal Code, Dishonest misappropriation of property: whoever dishonestly misappropriates or converts to his own use any movable property shall be punished with imprisonment for a term which may extend to two years, or with fine, or with both.

• Section 405, Criminal breach of trust: anybody entrusted with property who dishonestly misappropriates or converts it to his own use, or dishonestly uses or disposes of that property in violation of any direction of law prescribing the mode in which such trust is to be discharged, or of any legal contract which he has made touching the discharge of such trust, commits criminal breach of trust.

• Section 406 prescribes the punishment for criminal breach of trust: imprisonment extending to three years, or fine, or both.

• Section 409 prescribes higher punishment, imprisonment for life or imprisonment up to ten years together with fine, in respect of criminal breach of trust by a public servant, or by a banker, merchant or agent.

• Section 463, Forgery: "Whoever makes any false document or false electronic record, or part of a document or electronic record, with intent to cause damage or injury to the public or to any person, or to support any claim or title, or to cause any person to part with property, or to enter into any express or implied contract, or with intent to commit fraud or that fraud may be committed, commits forgery."

• Section 465 prescribes the punishment for forgery: imprisonment for a term which may extend to two years, or fine, or both.

• Section 489-A, Counterfeiting of currency notes: whoever counterfeits, or knowingly performs any part of the process of counterfeiting, any currency note or bank note shall be punished with imprisonment for life, or with imprisonment for a term which may extend to ten years, and shall also be liable to fine.

• Cheating is described under Section 415, and the implications of fraud are found in Sections 421, 422, 423 and 424 of the IPC.

• The legal definition of fraud is "a false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of what should have been disclosed, that deceives and is intended to deceive another so that the individual will act upon it to her or his legal injury."

• Section 415 of the Indian Penal Code, Cheating: Whoever, by deceiving any person, fraudulently or dishonestly induces the person so deceived to deliver any property to any person, or to consent that any person shall retain any property, or intentionally induces the person so deceived to do or omit to do anything which he would not do or omit if he were not so deceived, and which act or omission causes or is likely to cause damage or harm to that person in body, mind, reputation or property, is said to "cheat".
Explanation: A dishonest concealment of facts is a deception within the meaning of this section.

• Section 25 of the Indian Penal Code, "Fraudulently": A person is said to do a thing fraudulently if he does that thing with intent to defraud but not otherwise. The implications of fraud are found in Sections 421, 422, 423 and 424 of the IPC.

• Section 421 of the Indian Penal Code, Dishonest or fraudulent removal or concealment of property to prevent distribution among creditors: Whoever dishonestly or fraudulently removes, conceals or delivers to any person, or transfers or causes to be transferred to any person, without adequate consideration, any property, intending thereby to prevent, or knowing it to be likely that he will thereby prevent, the distribution of that property according to law among his creditors or the creditors of any other person, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.

• Section 422 of the Indian Penal Code, Dishonestly or fraudulently preventing a debt being available for creditors: Whoever dishonestly or fraudulently prevents any debt or demand due to himself or to any other person from being made available according to law for payment of his debts or the debts of such other person, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.

• Section 423 of the Indian Penal Code, Dishonest or fraudulent execution of a deed of transfer containing a false statement of consideration: Whoever dishonestly or fraudulently signs, executes or becomes a party to any deed or instrument which purports to transfer or subject to any charge any property, or any interest therein, and which contains any false statement relating to the consideration for such transfer or charge, or relating to the person or persons for whose use or benefit it is really intended to operate, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.

• Section 424 of the Indian Penal Code, Dishonest or fraudulent removal or concealment of property: Whoever dishonestly or fraudulently conceals or removes any property of himself or any other person, or dishonestly or fraudulently assists in the concealment or removal thereof, or dishonestly releases any demand or claim to which he is entitled, shall be punished with imprisonment of either description for a term which may extend to two years, or with fine, or with both.



Frauds relating to computers

To provide efficient and fast service, most bank branches except those in rural and remote areas have been computerized. Not many frauds relating to computers have yet been reported, as computerization in Indian banks is of recent origin. But in the western countries, where virtually everything is computerized, a large number of cyber crimes in the banking sector are reported on a regular basis.

There is a need to analyse the nature of such crimes so that appropriate preventive measures may be devised. Normally the following types of frauds are committed:

• Spy software (spyware) is devised by cyber criminals to capture passwords. With the stolen credentials they enter the computer systems of banks and manipulate the data to transfer money from other people's accounts.

• Computer viruses are created by mischief mongers and find their way into computer systems by way of e-mails. These viruses destroy the data stored in the computers and slow down the entire computer system. It is sometimes alleged that the manufacturers of anti-virus software themselves create viruses so that their product may be sold in the market.

• Hackers are computer experts who steal passwords and access the classified information stored in computer systems. They do not even fear to "raid" government departments, including military establishments, to carry out their nefarious design to destroy and mutilate the data stored in the computer systems. Such acts are normally committed not for any material gain but to derive mental satisfaction out of others' suffering.

• Wire tapping is a crime committed by tapping the line of a bank's ATM to withdraw money from another person's account. The fraudster attaches a wireless microphone or tap to the telephone line connecting the ATM with the bank's computer and records the signals while a customer is using the ATM. These signals are later utilized for withdrawing money. (PINs entered at a modern ATM are encrypted inside the keypad, and the link to the bank is encrypted, so a tap on the line alone no longer yields usable PINs.)

The Government of India enacted the Information Technology Act, 2000 to provide for punishment and penalties in respect of frauds committed using computers. Section 43 of the Act provides for damages by way of compensation (originally capped at one crore rupees; the cap was removed by the 2008 amendment) payable by the offender to the person affected where unauthorized acts are committed in respect of another person's computer system, such as access, downloading or taking copies of the information or data stored, introduction of a computer contaminant or computer virus, or damage to the computer or its system. Further, the Act also provides for punishment with imprisonment up to three years for tampering with computer source documents (Section 65) and for hacking computer systems (Section 66).

Information Technology Act, 2000 (as amended in 2008), Section 66C: Fraudulent or dishonest use of identity.
An offender who fraudulently or dishonestly uses the photograph and other personal details of the victim to create a fake profile is guilty of "identity theft".
Punishment: imprisonment up to three years and fine up to one lakh rupees.

Section 469 of the Indian Penal Code:
If the fake profile contains objectionable content, it amounts to forgery for the purpose of harming reputation.
Punishment: imprisonment up to three years and fine.

Section 66 of the Information Technology Act, 2000:
If the offender dishonestly or fraudulently uses the fake profile to introduce viruses or other computer contaminants into computers or computer networks, or for spamming, or for committing data theft.
Punishment: imprisonment up to three years, or fine up to five lakh rupees, or both.

Section 43 of the Indian Penal Code (definition of "illegal"):
The word "illegal" is applicable to everything which is an offence or which is prohibited by law, or which furnishes ground for a civil action; and a person is said to be "legally bound to do" whatever it is illegal in him to omit.

Section 67 of the Information Technology Act:
If the offender posts obscene material on the fake profile.
Punishment: imprisonment up to three years and fine up to five lakh rupees; on a second or subsequent conviction, imprisonment up to five years and fine which may extend to ten lakh rupees. Sections 292 and 293 of the IPC may also be invoked against such offenders.

Section 67A of the Information Technology Act, 2000:
Publishing or transmitting material containing sexually explicit acts, etc., in electronic form.
Punishment: If the fake profile contains "sexually explicit act or conduct", the offender invites the more stringent punishment of imprisonment up to five years and fine up to ten lakh rupees; on a second or subsequent conviction, imprisonment up to seven years and fine up to ten lakh rupees.

Section 67B of the Information Technology Act, 2000:
Publishing or transmitting material depicting children in sexually explicit acts, etc., in electronic form.
Punishment: If such sexually explicit act or conduct relates to children below 18 years of age, then even people visiting that profile or promoting or advertising it (by posting links on their own profile) invite the same punishment: imprisonment up to five years and fine up to ten lakh rupees on first conviction, and up to seven years and ten lakh rupees on a subsequent conviction.

Section 471 of the Indian Penal Code:
Whoever fraudulently or dishonestly uses as genuine any document which he knows or has reason to believe to be a forged document.
Punishment: the same as if he had forged the document (see Section 465). The offence is non-compoundable and is triable by a Magistrate of the first class; whether it is cognizable and bailable depends on the kind of document forged.

Section 420 of the Indian Penal Code, Cheating and dishonestly inducing delivery of property:
Whoever cheats and thereby dishonestly induces the person deceived to deliver any property to any person, or to make, alter or destroy the whole or any part of a valuable security, or anything which is signed or sealed and which is capable of being converted into a valuable security, shall be punished with imprisonment of either description for a term which may extend to seven years, and shall also be liable to fine.



The various sections of the IT Act and the corresponding punishments are as follows:

Section | Contents | Imprisonment | Fine
66 | Hacking a computer system dishonestly or fraudulently | up to 3 years | up to Rs 5,00,000 (either or both)
66C | Identity theft: fraudulently or dishonestly making use of the electronic signature, password or any other unique identification feature of another person | up to 3 years | and up to Rs 1,00,000
67 | Publishing or transmitting obscene material in electronic form, first conviction | up to 3 years | and up to Rs 5,00,000
67 | Same, second or subsequent conviction | up to 5 years | and up to Rs 10,00,000
67A | Publishing or transmitting material containing a sexually explicit act, first conviction | up to 5 years | and up to Rs 10,00,000
67A | Same, second or subsequent conviction | up to 7 years | and up to Rs 10,00,000
67B | Publishing or transmitting material depicting children in a sexually explicit act, first conviction | up to 5 years | and up to Rs 10,00,000
67B | Same, second or subsequent conviction | up to 7 years | and up to Rs 10,00,000
67C | Contravention of the retention or preservation of information by intermediaries | up to 3 years | and fine (amount not defined)

GUIDELINES TO REPORT FINANCIAL FRAUDS IN INDIA

Follow these steps if you find an unauthorized transaction on your account.
• Contact your bank immediately. Under the RBI's 2017 directions on limiting customer liability in unauthorized electronic banking transactions, a customer who reports the transaction within three working days, and who is not at fault, has zero liability and the bank must credit the amount back; delay in reporting increases the customer's share of the loss, so report it the same day if possible.
• File a fraud or police report.
• Block the compromised card or account and move your money to a new account or card.
• Monitor your account and credit closely.

How to file a cyber crime complaint in India

Under the IT Act (Section 75 extends it to offences committed outside India), a cyber crime is not tied to the place where it was committed. This means that a cyber crime complaint can be registered with any of the cyber cells in India, irrespective of the place where the offence was originally committed. At present, most cities in India have a dedicated cyber crime cell. A list of cyber crime cells is given below.

Step 1: The very first step to file a cyber crime complaint is to register a written complaint with the cyber crime cell of the city you are currently in.

Step 2: When filing the cyber crime complaint, you need to provide your name, contact details and address for mailing. You need to address the written complaint to the Head of the Cyber Crime Cell of the city where you are filing the cyber crime complaint.

Step 3: In case you are a victim of online harassment, a legal counsel can be approached to assist you with reporting it to the police station. Additionally, you may be asked to provide certain documents with the complaint; this would, however, depend on the nature of the crime. Preserve the evidence in any case: keep the original emails (with full headers), screenshots, URLs, transaction references and SMS alerts, since these are the documents you will be asked for.

Step 4: Register a cyber crime FIR. If you do not have access to any of the cyber cells in India, you can file a First Information Report (FIR) at the local police station. In case your complaint is not accepted there, you can approach the Commissioner or the city's Judicial Magistrate.

Step 5: Certain cyber crime offences come under the Indian Penal Code. You can register a cyber crime FIR at the nearest local police station to report them.

Step 6: You can report at the official website of CERT-In. Financial cyber frauds can also be reported online through the National Cyber Crime Reporting Portal (cybercrime.gov.in).
tion Report (FIR) at the local

CERT-In is the national nodal agency for responding to computer security incidents as and when they occur. As per the Information Technology Amendment Act 2008 and Section 70B of the IT Act 2000, CERT-In has been designated to serve as the national agency to perform the following functions in the area of cyber security:
• Collection, analysis and dissemination of information on cyber incidents.
• Forecasts and alerts of cyber security incidents.
• Emergency measures for handling cyber security incidents.
• Coordination of cyber incident response activities.
• Issue of guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.
• Such other functions relating to cyber security as may be prescribed.



CYBERCRIME POLICE STATIONS

Assam
CID HQ, Dy.SP., Assam Police
Ph: +91-361-252-618, +91-9435045242
E-mail: ssp_cod@assampolice.com

Bangalore
Cyber Crime Police Station, C.O.D Headquarters, Carlton House, # 1, Palace Road, Bangalore – 560 001
Ph: +91-80-2220 1026, +91-80-2294 3050; Fax: +91-80-2238 7611

Delhi
CBI Cyber Crime Cell: Superintendent of Police, Cyber Crime Investigation Cell, Central Bureau of Investigation, 5th Floor, Block No.3, CGO Complex, Lodhi Road, New Delhi – 3
Ph: +91-11-4362203, +91-11-4392424; E-mail: cbiccic@bol.net.in

Pune
Deputy Commissioner of Police (Crime), Office of the Commissioner, 2, Sadhu Vaswani Road, Camp, Pune 411001
Ph: +91-20-26123346, +91-20-26127277, +91-20-2616 5396; Fax: +91-20-2612 8105
E-mail: crimecomp.pune@nic.in, punepolice@vsnl.com

Jharkhand
IG-CID, Organized Crime, Rajarani Building, Doranda, Ranchi 834002
Ph: +91-651-2400 737/738; E-mail: a.gupta@jharkhandpolice.gov.in

Haryana
Cyber Crime and Technical Investigation Cell, Joint Commissioner of Police, Old S.P. Office complex, Civil Lines, Gurgaon
E-mail: jtcp.ggn@hry.nic.in

Jammu
SSP, Crime, CPO Complex, Panjtirthi, Jammu-180004
Ph: +91-191-257-8901; E-mail: sspcrmjmu-jk@nic.in

Meghalaya
SCRB, Superintendent of Police, Meghalaya
Ph: +91 98630 64997; E-mail: scrb-meg@nic.in

Bihar
Cyber Crime Investigation Unit, Dy.S.P., Kotwali Police Station, Patna
Ph: +91 94318 18398; E-mail: cciu-bih@nic.in

Chennai
Assistant Commissioner of Police, Cyber Crime Cell, Central Crime Branch, Commissioner Office Campus, Vepery, Chennai 600007
Ph: +91-40-2345 2348, 2345 2350
For the rest of Tamil Nadu: Cyber Crime Cell, CB, CID, Chennai; Ph: +91 44 2250 2512; E-mail: cbcyber@tn.nic.in

Hyderabad
Cyber Crime Police Station, Crime Investigation Department, 3rd Floor, D.G.P. Office, Lakdikapool, Hyderabad – 500004
Ph: +91-40-2324 0663, +91-40-2785 2274, +91-40-2785 2040; Fax: +91-40-2329 7474

Thane
3rd Floor, Police Commissioner Office, Near Court Naka, Thane West, Thane 400601
Ph: +91-22-25424444; E-mail: police@thanepolice.org

Gujarat
DIG, CID, Crime and Railways, Fifth Floor, Police Bhavan, Sector 18, Gandhinagar 382 018
Ph: +91-79-2325 4384, +91-79-2325 0798; Fax: +91-79-2325 3917

Madhya Pradesh
IGP, Cyber Cell, Police Radio Headquarters Campus, Bhadadhadaa Road, Bhopal (M.P.)
Ph: 0755-2770248, 2779510

Mumbai
Cyber Crime Investigation Cell, Office of the Commissioner of Police, Annex-3 Building, 1st Floor, Near Crawford Market, Mumbai-01
Ph: +91-22-22630829, +91-22-22641261; E-mail: officer@cybercellmumbai.com

Himachal Pradesh
CID Cyber Cell, Superintendent of Police, Cyber Crime, State CID, Himachal Pradesh, Shimla-2
Ph: 0177-2621714 Ext: 191, 0177-2627955; E-mail: cybercrcell-hp@nic.in

Kerala
Hi-tech Cell, Police Head Quarters, Thiruvananthapuram
Ph: +91-471 272 1547, +91-471 272 2768; E-mail: hitechcell@keralapolice.gov.in

Orissa
Cyber Crime Police Station, CID, CB, Odisha, Cuttack-753001
Ph: 0671-2305485; E-mail: sp1cidcb.orpol@nic.in

Punjab
Cyber Crime Police Station, DSP Cyber Crime, S.A.S. Nagar, Patiala, Punjab
Ph: +91 172 2748 100

Uttar Pradesh
Cyber Crime Cell, Agra Range, 7 Kutchery Road, Baluganj, Agra-232001, Uttar Pradesh
Ph: +91-562-2210551; E-mail: digraga@up.nic.in, cybercrimeag-up@nic.in
Cyber Crime Cell, Crime Branch, Law Enforcement Agency, Police Line, Agra – 282001



CYBER CRIMES MAPPING
WITH ITAA 2008,
IPC AND SPECIAL AND LOCAL LAWS
Sl.No Nature of complaint Applicable section (s) and punish- Applicable section (S)
ments under ITA under other laws and
2000 & ITAA 2008 punishmen

1. Mobile phone lost/stolen
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Section 379 IPC - 3 years imprisonment or fine or both

2. Receiving stolen computer/mobile phone/data (data or computer or mobile phone owned by you is found in the hands of someone else)
   Under ITA 2000 & ITAA 2008: Section 66B of ITAA 2008 - 3 years imprisonment or fine up to Rupees one lakh or both
   Under other laws: Section 411 IPC - 3 years imprisonment or fine or both

3. Data owned by you or your company in any form is stolen
   Under ITA 2000 & ITAA 2008: Section 66C of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both
   Under other laws: Section 379 IPC - 3 years imprisonment or fine or both

4. A password is stolen and used by someone else for fraudulent purpose
   Under ITA 2000 & ITAA 2008: Section 66C of ITAA 2008 - 3 years imprisonment or fine up to Rupees one lakh; Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 419 IPC - 3 years imprisonment or fine; Section 420 IPC - 7 years imprisonment and fine

5. An e-mail is read by someone else by fraudulently making use of the password
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both; Section 66C of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: -

6. A biometric thumb impression is misused
   Under ITA 2000 & ITAA 2008: Section 66C of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: -

7. An electronic signature or digital signature is misused
   Under ITA 2000 & ITAA 2008: Section 66C of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: -

8. A phishing e-mail is sent out in your name, asking for login credentials
   Under ITA 2000 & ITAA 2008: Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 419 IPC - 3 years imprisonment or fine or both

9. Capturing, publishing, or transmitting the image of the private area of any person without that person's consent or knowledge
   Under ITA 2000 & ITAA 2008: Section 66E of ITAA 2008 - 3 years imprisonment or fine not exceeding Rupees two lakh or both
   Under other laws: Section 292 IPC - two years imprisonment and fine of Rupees 2000; 5 years and Rupees 5000 for second and subsequent conviction

10. Tampering with computer source documents
   Under ITA 2000 & ITAA 2008: Section 65 of ITAA 2008 - 3 years imprisonment or fine up to Rupees two lakh or both; Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both
   Under other laws: -

* This content has been taken from "Basic Awareness on Cyber Technology, Cyber Law, Cyber Investigation & Cyber Forensics" by U Rama Mohan, Superintendent of Police, Cyber Crimes, CID, TS, Hyderabad.

11. Data modification
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both
   Under other laws: -

12. Sending offensive messages through communication service, etc.
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Section 500 IPC - 2 years or fine or both; Section 504 IPC - 2 years or fine or both; Section 506 IPC - 2 years or fine or both (if the threat be to cause death or grievous hurt, etc. - 7 years or fine or both); Section 507 IPC - 2 years along with punishment under section 506 IPC; Section 508 IPC - 1 year or fine or both; Section 509 IPC - 1 year or fine or both; sections of IPC as applicable

13. Publishing or transmitting obscene material in electronic form
   Under ITA 2000 & ITAA 2008: Section 67 of ITAA 2008 - first conviction: three years and 5 lakh; second or subsequent conviction: 5 years and up to 10 lakh
   Under other laws: Section 292 IPC - two years imprisonment and fine of Rupees 2000; five years and Rupees 5000 for second and subsequent conviction

14. Publishing or transmitting obscene material in electronic form
   Under ITA 2000 & ITAA 2008: Section 67A of ITAA 2008 - first conviction: three years and 5 lakh; second or subsequent conviction: 5 years and up to 10 lakh
   Under other laws: Section 292 IPC - two years imprisonment and fine of Rupees 2000; five years and Rupees 5000 for second and subsequent conviction

15. Publishing or transmitting obscene material in electronic form
   Under ITA 2000 & ITAA 2008: Section 67B of ITAA 2008 - first conviction: three years and 5 lakh; second or subsequent conviction: 5 years and up to 10 lakh
   Under other laws: Section 292 IPC - two years imprisonment and fine of Rupees 2000; five years and Rupees 5000 for second and subsequent conviction

16. Misusing a Wi-Fi connection for acting against the state
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - three years imprisonment or fine up to Rupees five lakh or both; Section 66F of ITAA 2008 - life imprisonment
   Under other laws: -

17. Planting a computer virus that acts against the state
   Under ITA 2000 & ITAA 2008: Section 66 - 3 years imprisonment or fine up to Rupees five lakh or both; Section 66F - life imprisonment
   Under other laws: -

18. Conducting a denial of service attack against a government computer
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both; Section 66F of ITAA 2008 - life imprisonment
   Under other laws: -


19. Stealing data from a government computer that has significance from a national security perspective
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both; Section 66F - life imprisonment
   Under other laws: -

20. Not allowing the authorities to decrypt all communication that passes through your computer or network
   Under ITA 2000 & ITAA 2008: Section 69 of ITAA 2008 - imprisonment up to 7 years and fine
   Under other laws: -

21. Intermediaries not providing access to information stored on their computer to the relevant authorities
   Under ITA 2000 & ITAA 2008: Section 69 of ITAA 2008 - imprisonment up to 7 years and fine
   Under other laws: -

22. Failure to block web sites when ordered
   Under ITA 2000 & ITAA 2008: Section 69A of ITAA 2008 - imprisonment up to 7 years and fine
   Under other laws: -

23. Sending threatening messages by e-mail
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Section 504 IPC - 2 years or fine or both

24. Word, gesture or act intended to insult the modesty of a woman
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Section 509 IPC - 1 year or fine or both; sections of IPC as applicable

25. Sending defamatory messages by e-mail
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Section 500 IPC - 2 years or fine or both

26. Bogus web sites, cyber frauds
   Under ITA 2000 & ITAA 2008: Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 419 IPC - 3 years imprisonment or fine; Section 420 IPC - 7 years imprisonment and fine

27. E-mail spoofing
   Under ITA 2000 & ITAA 2008: Section 66C of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 465 IPC - 2 years or fine or both; Section 468 IPC - 7 years imprisonment and fine

28. Making a false document
   Under ITA 2000 & ITAA 2008: Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 465 IPC - 2 years or fine or both

29. Forgery for the purpose of cheating
   Under ITA 2000 & ITAA 2008: Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 468 IPC - 7 years imprisonment and fine

30. Forgery for the purpose of harming reputation
   Under ITA 2000 & ITAA 2008: Section 66D of ITAA 2008 - 3 years imprisonment and fine up to Rupees one lakh
   Under other laws: Section 469 IPC - 3 years and fine


31. E-mail abuse
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Sec. 500 IPC - 2 years or fine or both

32. Punishment for criminal intimidation
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Sec. 506 IPC - 2 years or fine or both; if the threat be to cause death or grievous hurt, etc. - 7 years or fine or both

33. Criminal intimidation by an anonymous communication
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Sec. 507 IPC - 2 years along with punishment under section 506 IPC

34. Copyright infringement
   Under ITA 2000 & ITAA 2008: Section 66 of ITAA 2008 - 3 years imprisonment or fine up to Rupees five lakh or both
   Under other laws: Sec. 63, 63B Copyright Act 1957

35. Theft of computer hardware
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Sec. 376 IPC - 3 years imprisonment or fine or both

36. Online sale of drugs
   Under ITA 2000 & ITAA 2008: -
   Under other laws: NDPS Act

37. Online sale of arms
   Under ITA 2000 & ITAA 2008: -
   Under other laws: Arms Act




To share tips or the latest news, mail us at isea@cdac.in
About ISEA
Looking at the growing importance of Information Security, the Ministry of Electronics & Information Technology has identified it as a critical area. The Information Security Education and Awareness (ISEA) Project was formulated and launched by the Govt. of India. One of the activities under this programme is to spread Information Security awareness among children, teachers, home users, and IT and non-IT professionals throughout the country. C-DAC Hyderabad has been assigned the responsibility of executing this project by the Ministry of Electronics & Information Technology, Government of India. As part of this activity, C-DAC Hyderabad has been preparing Information Security Awareness material and coordinating with Participating Institutes (PIs) in organizing Information Security Awareness events all over India.

About C-DAC
Centre for Development of Advanced Computing (C-DAC) is the premier R&D organization of the Ministry of Electronics and
Information Technology (MeitY) for carrying out R&D in IT, Electronics and associated areas.

C-DAC has today emerged as a premier R&D organization in IT&E (Information Technologies and Electronics) in the country, working on strengthening national technological capabilities in the context of global developments in the field and responding to changing market needs in selected foundation areas. In that process, C-DAC represents a unique facet, working in close conjunction with MeitY to realize the nation's policy and pragmatic interventions and initiatives in Information Technology. As an institution for high-end Research and Development (R&D), C-DAC has been at the forefront of the Information Technology (IT) revolution, constantly building capacities in emerging/enabling technologies and innovating and leveraging its expertise, caliber and skill sets to develop and deploy IT products and solutions for different sectors of the economy, as per the mandate of its parent, the Ministry of Electronics and Information Technology, Ministry of Communications and Information Technology, Government of India, and other stakeholders including funding agencies, collaborators, users and the market-place.

For queries on Information Security, call us on Toll Free No. 1800 425 6235

ISEA WhatsApp number for incident reporting: +91 9490771800 (between 9.00 AM and 5.30 PM)

Subscribe to us on https://www.youtube.com/c/InformationSecurityEducationandAwareness

Follow us on https://twitter.com/InfoSecAwa

Connect with us on https://www.facebook.com/infosecawareness