Saturday, May 14, 2005

Crime time in CYBERIA

Computer-related crime is on the increase. But there are a number of ways, besides legal action, to track the criminals, writes Roopinder Singh.

In Minority Report, the police use psychic technology to arrest and convict murderers even before they commit a crime. Since the Hollywood movie is a work of science fiction, set in Washington DC in 2054, we have no way of finding out if such a technology will exist.

As of now, one is only too aware of computers being used by criminals for nefarious activities. It was only last month that 12 persons were arrested in Pune for allegedly transferring Rs 1.5 crore from a multinational bank to their own accounts, opened under fictitious names.

Before that, a medical student had been arrested in Bangalore. He had defrauded people by using a website to advertise the sale of inexpensive laptops. He received the payments but did not deliver the laptops.

In Agra, a doctor, accused of illegally selling medicines over the Internet to customers in the US, was arrested.

There is no doubt that criminals are exploiting advances in cyber technology to commit crimes, both small and big.

People vs machines

The term cyber crime is loosely used to describe "any crime committed using a computer and the Internet to steal a person’s identity or sell contraband or stalk victims or disrupt operations with malevolent programs."

In the Pune cyber crime case, the employees of a call centre got the Personal Information Numbers of the customers and through Internet banking, transferred the amounts into their personal accounts. The bank certainly showed "lack of due diligence," and the call centre employees are liable under Section 66 of the ITA-2000 since "information residing inside a computer" was affected injuriously.

All IT companies are expected to implement cyber law compliance programmes to protect themselves and their customers from the impact of such frauds. And, ironically, it is at Pune that many companies, including international ones, go to the Asian School of Cyber Laws (ASCL) for education, training and consultancy in cyber laws and crime detection.

Legal position

The IT Act 2000, enacted on June 9 that year, was one of the early legislations against cyber crime. With India emerging as a major IT destination for outsourcing, the Act should be constantly updated to keep pace with the changing technology.

As Nitya Ramakrishnan, a lawyer, points out: "The IT Act gives draconian powers to the police to seize and enter. In the virtual world of IT, data and responsibility are difficult to demarcate and given this nebulous nature, policing is either excessive or no action is taken. The law is a step behind technology and it will have to be intelligently culled and applied to various situations. There has to be an internationally accepted standard affixing responsibility of cyber data."

"A major lacuna in the Act is that intellectual property issues have not been adequately touched and even the right to privacy has not been dealt with," says Ali Naqvi, another Delhi-based lawyer.

"There is need to define ‘access’ more clearly and the sanctity of ‘click-wrap contracts,’ that appear during the setup of a software program or online service and that require the user to click a button to agree to the terms of the license, is still not clear. Also, there is too much power given to the police, as the police can arrest someone even if they believe that a crime is about to be committed." Incidentally, the Cyber Appellate Tribunal envisioned in the Act has not been set up.

While the main fear of cyber crime is with regard to credit card fraud, it actually forms only one of the many ways in which criminals use computers and the Internet (see box).

Overall, the police has been able to solve cases of cyber crime, especially those concerning BPO industries, and Nasscom has come up with the plan of creating a list of all BPO employees, to track their whereabouts even as they change jobs. This should help prevent crimes.

Security cover

It is unrealistic to expect absolute security. There can always be a natural disaster or an adversary with sufficient technological knowledge and ingenuity who could tamper with even the most secure systems. Optimum security can be achieved by the right balance between the cost of implementing protective mechanisms and the reduction in risk.

Certain precautions should be taken to ensure security. You should be cautious while using your accounts from cyber cafés. If you have to use them, clear the cache of the browser before you leave. You should not only not disclose your password to anyone but also make sure that the password is not easily guessable. A password with letters and numbers is much more difficult to crack than one with just letters.

Those who chat on the Net should not give their phone numbers to others in the chat group, for almost everybody in the chat room pretends to be somebody they are not. A case that has rocked the USA recently is that of the 54-year-old Mayor James E. West of Spokane in Washington state, who carried on an online exchange, which was often overtly sexual, with someone pretending to be a 17-year-old high school student. The character had been created by The Spokesman-Review, a local newspaper, to trap the Mayor. While this time it was a senior American politician, all too often, sexual criminals lead young children astray.

Tracking offenders

One of the myths about the Internet is that it lends you anonymity. This often makes people attempt things that they would not do otherwise. Net users think they cannot be identified when they chat on the Net or send e-mails under assumed names. Actually, every computer in the world that is networked has an Internet Protocol (IP) number that identifies it. Whenever it logs on to a website or a chat group, or sends out an e-mail, it leaves behind this IP number, which is its electronic footprint.

For instance, in the case of an e-mail, if you view the address column of the e-mail fully, you would not only see the server address of the sender but also the path. Thus messages can be traced back; websites can keep track of the identity of the visitors’ computers, and so on.
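The path mentioned above is recorded in the message's Received header lines, one per mail server. The following Python code is an added example, not part of the original article: it reads those lines from a constructed message, lists the hops oldest-first, and picks out the hop written by the recipient's own server. The hostnames, addresses and function names are assumptions for illustration.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed sample: example domains, documentation and private addresses.
RAW = """\
Received: from smtp.webmail.example (smtp.webmail.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id A1; Sat, 14 May 2005 10:02:11 +0530
Received: from front.webmail.example (front.webmail.example [10.0.0.5])
\tby smtp.webmail.example with ESMTP id B2; Sat, 14 May 2005 10:02:05 +0530
Received: from cafe-pc (unknown [198.51.100.77])
\tby front.webmail.example with HTTP id C3; Sat, 14 May 2005 10:01:59 +0530
From: "Assumed Name" <someone@webmail.example>
To: reader@recipient.example

body
"""

HOP = re.compile(r"from\s+(?P<frm>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
                 r".*?\bby\s+(?P<by>\S+)")

def trace_path(raw):
    """Hops oldest-first; every server prepends its own Received line."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))   # unfold continuation lines
        if not m:
            continue                              # unparseable line: skip it
        try:
            ip = str(ip_address(m["ip"]))         # rejects e.g. 999.1.1.1
        except ValueError:
            continue
        hops.append({"from": m["frm"], "ip": ip, "by": m["by"]})
    return hops

def _ours(host, domain):
    return host == domain or host.endswith("." + domain)

def entry_hop(raw, domain):
    """Newest-first walk: the hop where our own server took the message
    from outside. Lines older than this are claims by other parties."""
    entry = None
    for hop in reversed(trace_path(raw)):
        if not _ours(hop["by"], domain):
            break
        entry = hop
        if not _ours(hop["from"], domain):
            break
    return entry
```

Only the line written by a server the recipient controls is reliable; older Received lines can be forged by whoever sent the message.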

Thus a woman was caught in Chennai for sending a threatening message even though she had used the name of her lover, who had refused to marry her. A software professional in Bangalore saw his life in ruins when he attempted something similar a few years ago.

Cyber criminals are often caught because they leave electronic footprints. Like all criminals, they leave clues behind.

Low conviction rate

All too often, Internet crime is taken as a ‘white-collar’ crime and the perpetrators are treated as people with errant behaviour rather than as criminals. As far as successful convictions go, in India, only the case of a call centre employee in Noida who used the credit card number of an overseas customer to buy himself a personal computer, comes to mind.

In the Delhi MMS case, CEO Avnish Bajaj was arrested. Some copies of the digital clip featuring the sexual activities of two Delhi school students had been auctioned through his site.

There was much hullabaloo, and even high-power interventions from US authorities on behalf of the CEO, who is an American citizen. The matter is now before the courts.

Last year, the FBI’s Operation Web Snare led to the arrests or convictions of more than 150 individuals. Last week, a teenager in South Wales, UK, who duped more than 100 people into paying tens of thousands of sterling pounds for non-existent goods as part of a deceptively simple fraud on eBay was sentenced to 12 months’ detention and training.

While in the West, securing e-commerce is a priority, in India, pornography has been taken very seriously, especially under Section 67 of the IT Act. Anyone caught surfing porn sites or storing obscene images or text in their computer faces five years in prison and a fine of Rs 1 lakh for the first conviction. The second time invites double that punishment.

However, as expected, pornographic sites are a major draw for many Internet users, periodic heavy-handed raids by the police on cyber cafés notwithstanding. As Nitya Ramakrishnan points out: "The police targets those who have no power to put something on the Net. Police, as such, is not the answer to moderating content on the Net. Some kind of non-coercive supervisory mechanism is needed, it would include self moderation and parental/peer supervision."

Protection pays

Most of the information on the Internet falls under public domain and as such is accessible to all. Not only that, it is also possible to intercept information that is sent over the Net, except in the case of specific websites, called secure sites. These can be easily identified by the lock at the bottom right-hand corner of the browser window. They have security measures, including encryption, to ensure that even if information is intercepted, it remains garbled. Such sites are used for e-commerce transactions and are perfectly safe.

Safety is thus in the hands of all of us who use computers and the Internet. We have to protect ourselves from cyber crime.

Even in Minority Report, Tom Cruise, the head of the pre-crime unit in the movie, took steps to find out how he was accused of planning the murder of a man he hadn’t even met.

He knew he was right, and found out the criminals who were manipulating the system. Nothing beats common sense and the instinct for self-preservation.

Safety check

The following steps should be taken to establish and maintain an adequate computer security programme:

  • Identify the computer system assets that require protection (i.e. data, software, hardware, media, services and supplies).

  • Determine the value of each asset.

  • Identify potential threats associated with each asset.

  • Identify the vulnerability of the computer/EDP system to each of these threats.

  • Assess the risk exposure for each asset.

  • Select and implement security measures.

  • Audit and refine the security programme on a regular basis.

Such a programme includes:

  • Administrative and organisational security

  • Personnel security

  • Physical security

  • Communications - electronic security

  • Hardware security

  • Software security

  • Operations security

Common crimes

Data diddling

A simple and common computer-related crime which involves changing data prior to or during input to a computer. Data can be changed by anyone involved in the process of creating, recording, encoding, examining, checking, converting, or transporting computer data.

Minimise the risk of diddling by applying internal security controls.

Trojan Horse

A Trojan Horse involves the placement of unwanted computer instructions in a program so that the host computer will perform some undesired/unauthorised function.

Minimise the risk of attack by a Trojan Horse by implementing security control measures for all incoming data containing hidden content.

Logic Bomb

A Logic Bomb is a computer program executed at a specific time to cause damage to computer programs or data. Logic Bombs often enter a computer system using the Trojan Horse method, but differ because their presence is detected only after the bomb "blows up."

Minimise the risk by using security methods that verify the system for inappropriate content.


Impersonation in the workplace may be accomplished as easily as taking an authorised user’s place at an unattended terminal which has not been logged off. However, impersonation usually requires that the intruder has access to two or three pieces of information:

  • User I.D. or account number;

  • Password of the authorised user;

  • A dial port number (i.e. computer’s telephone number), if access is attempted from a remote location.

Minimise the risk of unauthorised access by implementing security measures and password maintenance. Passwords should be of adequate length to maximise security, and maintenance systems should force a change of passwords at regular intervals.

— Source: Royal Canadian Mounted Police