Growing Menace

DQI Bureau

The dynamics of the fraud scenario are changing worldwide. IT in general, and
the Internet in particular, is emerging as the key battleground for perpetrating
fraud. Technology today is therefore becoming the key enabler of fraud, making it
simpler to commit and more difficult to counter.

The variety of criminal activities, which can be committed with or against
information systems, has become surprisingly diverse in the last couple of
years.

While the worldwide scenario on cyber fraud looks bad, the situation in
India is no better. Though no concrete data is available, it is roughly
estimated that cyber crime increased by about 40-50% in 2005.

Driving Factors

According to Deepankar Sanwalka, executive director and head of Forensic at
KPMG India, IT's role in fraud has grown significantly, given that more and
more corporate information resides in IT systems such as ERP and databases.

Online criminal activity has also grown significantly with the increase
in software security flaws. According to California-based research company,
Cupertino, the last six months (early 2006) have witnessed a record 1,862 new
software vulnerabilities. Rakesh Mittal, president and COO of Corbus, feels that
security holes in Web-based programs are serious threats for businesses.
Attackers can use them to bypass security measures such as Internet firewalls.
Cyber fraudsters are now looking at exploitation of code vulnerabilities in
popular programs such as Microsoft Windows. These include 'zero-day'
attacks, which take advantage of a security vulnerability on the same day that
the flaw becomes generally known.

Who's at Risk?

According to Kartik Shahani, director, Sales, India and SAARC, McAfee,
enterprises dealing with both internal and customer sensitive data
would be at risk, as the information could be used for financial gain.
Arpinder Singh, director, Forensic at KPMG India, believes that the prevalence of
cyber threats is the highest among the IT/ITeS and financial sectors. He
adds that employees, specifically in IT and BPO, are relatively young and use
the Internet widely; greater technical know-how further helps. “However, this
doesn't rule out the growing cyber fraud
menace in other industry segments, especially biotech, pharma, and FMCG where
information on pricing, costing, and R&D are extremely critical and at high
risk to be prone to theft,” adds Singh.

Changing Dynamics of Cyber Frauds

According to Mittal, for the new generation of financially motivated
hackers, 2006 has brought numerous opportunities to develop more sophisticated
methods. Cyber fraud is emerging in the form of electronic vandalism, terrorism,
extortion, stealing telecommunications services, telecommunications piracy,
pornography, telemarketing fraud, electronic fund transfer crime, and electronic
money laundering. Surendra Singh, head, South East Asia and India, Websense, says
businesses are now facing a new type of information security threat whose
characteristics are less widespread in number, more insidious, better-targeted,
financially-motivated, and driven by organized crime.

Guidelines for the CIO

  • Risk profiling should be done and countermeasures be taken.

  • Regulatory and Compliance Mandates be put in place.

  • Process for audit and is reviewed at regular intervals. Audits carried as frequently as possible.

  • Process though stringent must not be so complex and cumbersome that the users cannot get the desired productivity.

    -Kartik Shahani, director, Sales, India and SAARC, McAfee

Expected Future Trends in Cyber Fraud

  • Increase in use of Really Simple Syndication (RSS) to circumvent frequent updates and patches.

  • Increase in cases of theft of corporate data: As personal information used for identity theft becomes more difficult to steal, we anticipate increased interest in cyber theft of corporate roadmaps, plans, and engineering schematics, diagrams.

  • Web-borne worms and blogs will continue to be avenues for exploitation.

  • Criminals will take advantage of Web scripting languages and unpatched machines to launch worms.

  • Voice over Internet protocol (VoIP) phishing or vishing.

  • Online gaming consoles that connect to the Internet for updates may be open to creative exploits designed to co-opt computer resources for attacks.

    -Surendra Singh, head, South East Asia and India, Websense

Bot-led denial-of-service attacks have also increased at an
alarming rate. There has also been a shift towards profiting from current
events, in particular, donation scams for natural disasters. Prime examples were
sites purporting to collect donations for Tsunami or Hurricane Katrina victims.
'Virtual Social Networks' or 'Networks of Friends' such as Ringo, MySpace,
Hi5, Plaxo, and Bebo can also be used for fraud.

Identity Theft: A Growing Scourge

From the early days of 'dumpster diving' to sophisticated online fraud,
identity thieves are always on the prowl for new ways to steal information. The
growing ubiquity of digital data has resulted in an exponential increase in
identity theft over the last 2-3 years. And even while it continues to remain
mostly under wraps, with few cases being reported, identity theft is becoming
more sophisticated.

Considering the growing complexity and economic impact of the threat, it is
time for enterprises to graduate to a primary defense mechanism such as a
role-based management system (role-based access control). According to Navin
Agrawal, practice head, Security Governance, Wipro Infotech, enterprises
need to concentrate on developing authentication tools around the application
processes, and on the back end, instituting better data-sharing practices, and
streamlining consumer reporting requirements.

Growth Statistics

If you thought that it could not happen to you, think again. Identity theft
is becoming more rampant. As reported by some surveys, the incidence of
victimization caused by identity theft increased from 11% to 20% in 2001-2002 and
80% in 2002-2003. The manifold growth continues, say experts.

Experts feel that the increase in identity theft cases is being seen
in India as well. However, as Singh points out, such cases are still
highly under-reported for fear of harassment and negative publicity. According to
Capt Felix Mohan, director of SecureSynergy, identity theft has become an
epidemic of frightening proportions as it becomes the number one consumer crime
in the US, with someone losing their identity every two-and-a-half seconds. “In
India concrete statistics on the extent of identity theft is not available, it
would be fair to assume a rapid escalation in identity theft and fraud with
increase in the number of net banking and e-commerce transactions,” he adds.

However, he further cautions that while the common perception is that the
largest risk of identity theft is while buying online, surveys have found that
most of the identity fraud is committed by someone who knows the victim.

Growing Threat Areas

Phishing, pharming, pretexting, skimming, card-not-present fraud, keystroke
catchers, database theft, mail theft, and stealing from residence have grown
considerably in the last 2-3 years.

Phishing is the Internet's biggest identity theft scam. It is widely
prevalent in India and has emerged as the primary method used by eCriminals to
extract identities. As per Websense's Web@work survey conducted in India in
2005, almost one in four employees (23% out of the 400 surveyed) stated that
they have given out financial, personal, or confidential data, such as corporate
network passwords or social security numbers, as a result of a phishing
attack.

Effective Remedy

Lack of adequate security can lead to breach, which in turn can lead to huge
damages, both tangible and intangible, for both individuals and enterprises.

This has resulted in growing traction for technology tools such as
identity management to safeguard against identity theft. However, technology
tools need to be effectively complemented with the adoption of the right policy
framework for effective prevention, say experts.

Identity management solutions include access control, directory services,
profile update, and management of identities. Elaborating on
the trends in the identity management space, Agrawal points out that access
control and profile update are among the promising new technologies in this
domain. He adds that some of the mature and widely deployed technologies
are directory services, especially those using Lightweight Directory
Access Protocol (LDAP), password management, Web access management, and Web
single sign-on. “These technologies have significant install bases in
production, and demonstrate real and measurable RoI,” he explains.

To counter identity theft and fraud at a broader, national level, Capt.
Mohan suggests that the government focus on three areas: legislating specific
provisions to counter identity theft, enabling flow of information from credit
bureaus to consumers, and implementing an identity fraud alert registry.

The IT Act 2000 in its present form does not have any specific provision to
deal with identity theft. However, the Expert Committee on Amendments to the IT
Act 2000 (whose report is presently under consideration by the government) has
recommended insertion of new sections relating to identity theft in the Indian
Penal Code (IPC). The committee has also sought provisions
for fines and punishments.

Shipra Arora

shipraa@cybermedia.co.in