Top 4 Precautions Businesses should take against Cyber Crime – Phishing

It would be a cliché to say that cyber crime has been on the rise in India. So, instead of rehashing or lamenting it, we will look at a few ways in which businesses can protect themselves against cyber crime.

We will focus on a specific category of cyber crime – phishing – the stealing of net-banking user IDs and passwords that are then used to siphon off money from corporate accounts.
 
Case Study
The corporate bank account of RPG Life Sciences was hacked on May 11, 2013. Within 3 hours (from 11.30 AM to 2.30 PM), INR 2.4 crore was transferred out of the account using RTGS. The culprit is said to be malware sent through email. What probably happened is that someone in RPG received the malware in their inbox and opened it, thus activating it. The malware must then have sent details of the activities performed by the user to the hacker sitting elsewhere. The RPG user then probably used that same computer to access RPG’s corporate bank account with YES Bank. The malware promptly sent the user ID and passwords to the hacker, who then used them to wire money out of the account.
 
How they shot themselves in the foot:
1. An RPG employee/user opened and activated a suspicious email.
2. RPG’s internal virus/malware scanner did not catch this.
3. RPG did not have a dedicated machine to access internet banking.
4. RPG did not utilize the two-factor authentication provided by YES Bank – where a one-time password is sent via SMS to the registered mobile phone (according to YES Bank’s website).
 
3 people have been arrested in this regard. They had come to withdraw money from the accounts into which the RPG money was transferred.
 
Another similar incident occurred in August 2011, when around INR 80 Lakhs was transferred fraudulently from the account of Poona Auto Ancillaries Private Limited with PNB, Pune.
 
On February 25, 2013, a special court of the Information Technology (IT) Department of Maharashtra, presided over by Rajesh Aggarwal, Secretary, Department of Information Technology, Government of Maharashtra, directed Punjab National Bank (PNB), Pune, to pay Rs 45 lakh to the MD of Poona Auto Ancillaries.
 
So, why was PNB ordered to pay roughly half of the loss?
Apparently, the money was transferred to other PNB accounts – accounts which were opened with fragile adherence to KYC norms.
 
So, how do you not shoot yourself in the foot?
– Do NOT open suspicious mail attachments: Educate your people on security
– Deploy a good virus & malware scanner in your organisation
– Try to have a separate computer to access net banking or at least use a separate virtual machine
– Go in for the two-factor authentication mechanisms made available by your bank
 
Insurance against cyber fraud is in its nascent stage in India – some insurers have started offering such covers. Businesses should take advantage of such covers – but they should carefully study exclusions and liability limitation clauses.
 
The judgement by the special court on IT imposing an INR 45 Lakh penalty on PNB should act as an eye opener for banks. Banks should ensure that they comply with all KYC norms.
 
Businesses cannot get away from transacting in the cyber world – a world where many traps await them. Businesses should open their eyes to the traps that lie in their path and adopt appropriate preventive measures in order to safeguard their assets.
