SSRN-id1289190


  • 8/3/2019 SSRN-id1289190

    1/6

    Impact of cyber crime on Banking- Dr.S.Arumuga perumal

    1

    Impact of cyber crime on virtual Banking

    Dr.S.Arumuga perumal

    Reader and Head

    Department of Computer Science

    S.T. Hindu College, Nagercoil-2

    Email: [email protected]

    Abstract

    The fast development of network communication leads to the expansion of information technology, which in turn increases the influence of access control systems in the IT and banking sectors and makes network security one of the most essential concerns in our daily life. So we need to keep the knowledge base of company workers and customers up to date on any new dangers that they should be cautious about. There are many technologies available to counteract intrusion, but currently no method is absolutely secure. The most dangerous fraud in day-to-day banking activity is phishing, a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. According to the latest research, 93 percent of phishing attacks specifically involve attempts to rob customers of financial services companies. The aim of this paper is to discuss the various ways in which phishing affects internet banking and to discuss the safety and security measures adopted by users.

    Introduction

    For the majority of businesses and organizations, information is considered to be an asset, and so worthy of protection. Information security can support a wide variety of objectives, including:

    • Compliance with laws and regulations
    • Reducing the risk of fraud or other falsification of data to an acceptable level
    • Reducing the risk of unauthorized access or disclosure to an acceptable level

    The protection afforded to information is usually expressed in terms of the following categories:

    Confidentiality: Concerned with protecting information from unauthorized disclosure.

    Integrity: Protecting information from unauthorized modification in order to preserve its accuracy and completeness.

    Availability: Ensuring that authorized people are able to access information when they need to without undue delay.

    Non-repudiation: Ensuring that a user who performs an action that could have an impact on the security of information cannot later refute that action.

    Authentication makes a significant contribution to providing all these services. Nowadays, in the Indian banking system, authentication is done through passwords, which is not up to the level of a high security measure. There is an urgent need to adapt the security measures in the banking system.

    No one technique, device or procedure is going to provide all of these services. Acceptable authentication processes allow an organization to have a reasonable degree of assurance that the people who read, originate, send or alter material on an information system:

    • Are who they claim to be.
    • Have the authority to do whatever it is they are doing.
    • Cannot avoid accountability for their actions.

    Counteracting risk

    Risks from crackers are sure to remain with us for the foreseeable future. The challenge for IT personnel will be to keep one step ahead of crackers. Members of the IT field need to keep learning about the types of attacks and methods of counteracting security risks. There are many technologies available to counteract network intrusion, but currently no method is absolutely secure. The best strategy may be to combine a number of security measures. Some of the steps to take towards securing a network are:

    • All devices need to be secured.
    • All users need to be educated in network security.
    • All networks are actively monitored for weaknesses and breaches.

    Virtual banking

    Any banking service delivered to the customer by means of a computer-controlled system that does not directly involve the usual bank's branch is called virtual banking. In virtual banking the traditional paradigm of a customer's integration with the bank is replaced by an electronic paradigm, which is new and innovative in the banking sector. Customer demands, commercial motivation and technological developments are the key drivers of virtual banking. In the changing environment, adaptation to market realities as well as technology is causing the virtual banking revolution. Customer pull and banking push are the two engines that drive the virtualization.

    Factors to be considered in virtual banking:

    • Routine banking transactions were becoming both costly and time consuming.
    • The banks resorted to computerization to cut cost and time overheads in handling routine transactions.
    • The introduction of the automated teller machine (ATM) imparted flexibility to bank customers and gave a further boost to virtual banking.
    • The introduction of credit cards and debit cards helps both consumers and retailers to be free from cash handling.
    • These payment systems save time and offered security in its rouse.

    Phishing idea

    While most electronic banking has built-in security features such as encryption, prescription of maximum monetary limits and authorizations, the system operators have to be extremely vigilant and provide clear-cut guidelines for operations. On the larger issue of electronically initiated funds transfer, issues like authentication of payment instructions and the responsibility of the customer for secrecy of the security procedure would also need to be addressed.


    The most dangerous fraud in day-to-day banking activity is phishing, a criminal activity using social engineering techniques. Phishers attempt to fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity in an electronic communication. More recent phishing attempts have targeted the customers of banks and online payment services. Most recent research has shown that phishers may in principle be able to establish what bank a potential victim has a relationship with, and then send an appropriate spoofed email to this victim. Targeted versions of phishing have been termed spear phishing. Experiments show a success rate of over 70% for phishing attacks on social networks.

    Phishing attempts using link manipulation

    Most methods of phishing use some form of technical deception designed to make a link in an email (and the spoofed website it leads to) appear to belong to the spoofed organization. Misspelled URLs or the use of subdomains are common tricks used by phishers, such as this example URL, http://www.yourbank.com.example.com/ . Another common trick is to make the anchor text for a link appear to be valid, when the link actually goes to a phisher's site.

    An old method of spoofing used links containing the '@' symbol, originally intended as a way to include a username and password (contrary to the standard). For example, the link http://www.google.com@members.tripod.com/ might deceive a casual observer into believing that it will open a page on www.google.com, whereas it actually directs the browser to a page on members.tripod.com, using a username of www.google.com: the page opens normally, regardless of the username supplied. Such URLs were disabled in Internet Explorer, while the Mozilla and Opera web browsers opted to present a warning message and give the option of continuing to the site or cancelling.
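The three link tricks described above (a trusted name used as a subdomain, a '@' userinfo prefix, and anchor text that names a different host) can be checked mechanically on the receiving side. The following is an added example, not code from the paper; the trusted-domain list, the function names and the sample host phish.example.net are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: domains the bank really uses (constructed sample value).
TRUSTED_DOMAINS = {"yourbank.com"}

def real_host(url):
    """Hostname the browser would actually contact, or "" if unparsable."""
    try:
        return (urlsplit(url).hostname or "").lower().rstrip(".")
    except ValueError:
        return ""

def is_trusted(host):
    """True only for a trusted domain itself or a genuine subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def link_findings(href, anchor_text=""):
    """Return the link-manipulation tricks from the text that this link shows."""
    try:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower().rstrip(".")
    except ValueError:
        return ["unparsable-url"]
    findings = []
    # '@' trick: everything before '@' is userinfo, not the destination.
    if parts.username is not None:
        findings.append("userinfo-before-host")
    # Subdomain trick: a trusted name appears as labels inside an
    # untrusted host, e.g. www.yourbank.com.example.com.
    if not is_trusted(host) and any(
            "." + d + "." in "." + host + "." for d in TRUSTED_DOMAINS):
        findings.append("trusted-name-as-subdomain")
    # Anchor-text trick: the visible text looks like a URL for another host.
    text = anchor_text.strip()
    if text and " " not in text:
        shown = real_host(text if "://" in text else "http://" + text)
        if "." in shown and shown != host:
            findings.append("anchor-text-host-mismatch")
    return findings

if __name__ == "__main__":
    # Constructed sample links, including the two URLs quoted in the text.
    for href, text in [
        ("http://www.yourbank.com.example.com/", ""),
        ("http://www.google.com@members.tripod.com/", ""),
        ("http://phish.example.net/login", "www.yourbank.com"),
        ("https://www.yourbank.com/login", "www.yourbank.com"),
    ]:
        print(href, link_findings(href, text))
```

Misspelled look-alike domains are not covered here; catching those needs a similarity comparison against the trusted list rather than URL parsing alone.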

    Phishing attempts using website forgery

    Once the victim visits the website the deception is not over. Some phishing scams use JavaScript commands in order to alter the address bar. This is done either by placing a picture of a legitimate URL over the address bar, or by closing the original address bar and opening a new one with the legitimate URL.

    An attacker can even use flaws in a trusted website's own scripts against the victim. These types of attacks (known as cross-site scripting) are particularly problematic, because they direct the user to sign in at their bank or service's own web page, where everything from the web address to the security certificates appears correct. In reality, the link to the website is crafted to carry out the attack, although it is very difficult to spot without specialist knowledge.

    A Universal Man-in-the-middle Phishing Kit, discovered by RSA Security, provides a simple-to-use interface that allows a phisher to convincingly reproduce websites and capture log-in details entered at the fake site.

    Phishing attempts using voice

    Not all phishing attacks require a fake website. Messages that claimed to be from a bank told users to dial a phone number regarding problems with their bank accounts. Once the phone number (owned by the phisher, and provided by a Voice over IP service) was dialed, prompts told users to enter their account numbers and PIN. Voice phishing sometimes uses fake caller-ID data to give the appearance that calls come from a trusted organization. The damage caused by phishing ranges from loss of access to email to substantial financial loss.

    This style of identity theft is becoming more popular, because of the ease with which unsuspecting people often divulge personal information to phishers, including credit card numbers, social security numbers, and mothers' maiden names. There are also fears that identity thieves can add such information to the knowledge they gain simply by accessing public records. Once this information is acquired, the phishers may use a person's details to create fake accounts in a victim's name, ruin a victim's credit, or even prevent victims from accessing their own accounts.

    Statistical study

    It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US$929 million. U.S. businesses lose an estimated US$2 billion per year as their clients become victims. In the United Kingdom losses from web banking fraud, mostly from phishing, almost doubled to 23.2m in 2005, from 12.2m in 2004, while 1 in 20 users claimed to have lost out to phishing in 2005.

    According to the latest research released by security applications maker Symantec, the company's Probe Network detected 157,477 unique phishing e-mail campaigns during the first six months of 2006, an 81 percent increase over the 86,906 phishing attempts it tracked during the second half of 2005. Similarly discouraging results recently published by the Anti-Phishing Working Group indicate that unique phishing sites doubled during the 12 months between June 2005 and June 2006, with 93 percent of those attacks specifically involving attempts to rob customers of financial services companies.


    A chart showing the increase in phishing reports from October 2004 to June 2005

    Safety security measures

    Anti-phishing measures have been implemented as features embedded in browsers, as extensions or toolbars for browsers, and as part of website login procedures:

    • Helping users identify legitimate sites
    • Augmenting password logins
    • Eliminating phishing mail
    • Monitoring and takedown

    Customer Vigilance

    Customers may take a number of steps to avoid becoming a victim of a phishing attack that involve inspecting content that is presented to them and questioning its authenticity. General vigilance includes:

    • If you get an email that warns you, with little or no notice, that an account of yours will be shut down unless you reconfirm billing information, do not reply or click on the link in the email. Instead, contact the company cited in the email using a telephone number or Web site address you know to be genuine.
    • Never respond to HTML email with embedded submission forms. Any information submitted via the email (even if it is legitimate) will be sent in clear text and could be observed.
    • Avoid emailing personal and financial information. Before submitting financial information through a Web site, look for the "lock" icon on the browser's status bar. It signals that your information is secure during transmission.
    • Review credit card and bank account statements as soon as you receive them to determine whether there are any unauthorized charges. If your statement is late by more than a couple of days, call your credit card company or bank to confirm your billing address and account balances.

    Conclusion

    Now, as more organizations provide greater online access for their customers, professional criminals are successfully using phishing techniques to steal personal finances and conduct identity theft at a global level. The popularity which virtual banking services have won among customers, owing to the speed, convenience and round-the-clock access they offer, is likely to increase in the future. However, several issues of concern would need to be proactively attended to. While most electronic banking has built-in security features such as encryption, prescription of maximum monetary limits and authorizations, the system operators have to be extremely vigilant and provide clear-cut guidelines for operations. On the larger issue of electronically initiated funds transfer, issues like authentication of payment instructions and the responsibility of the customer for secrecy of the security procedure would also need to be addressed. So, for better security, multifactor authentication is the best way to give virtual banking higher security in the forthcoming years. However, it needs to be recognized that such high-cost technological initiatives need to be undertaken only after the viability and feasibility of the technology and its associated applications have been thoroughly examined. By applying a multi-tiered approach to their security model (client-side, server-side and enterprise), organizations can easily manage their protection technologies against today's and tomorrow's threats, without relying upon proposed improvements in communication security that are unlikely to be adopted globally for many years to come.

    References

    1. Skoudis, Ed. "Phone phishing: The role of VoIP in phishing attacks", searchSecurity, June 13, 2006. http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1193304,00.html
    2. Krebs, Brian. "Phishing Schemes Scar Victims", washingtonpost.com, November 18, 2004. http://www.washingtonpost.com/ac2/wp-dyn/A59349-2004Nov18
    3. Anti-Phishing Working Group: Vendor Solutions. Anti-Phishing Working Group. Retrieved on July 06, 2006. http://www.antiphishing.org/solutions.html#takedown
    4. http://www.technicalinfo.net/papers/Phishing.html
    5. http://www.antiphishing.org/solutions.html#takedown