Credit Card Users

Credit Card Users

	In case of losing the credit card, lodge a complaint with the bank immediately. It will enable the bank to announce it as 'hot card' as early as possible, making it possible to nab the culprit. This will also protect you from liabilities, which may be incurred using the stolen card.
	Do not write the PIN number on the card itself.
	Always check your monthly bank statements for any suspicious transactions
	A card's magnetic strip has the basic details of the cardholder. But the card also comes with a blank space for you to sign in. You must sign on the card to avoid unauthorized use.
	Better hang around when your card is being swiped.
	Disable your credit card account if you are not using it.
	Do not store your personal and credit card information on the computer
	Never delay to report a lost credit card as the consequences can be highly disastrous.
	Thoroughly check the authenticity of the firm, the website, or any other transactional society where your money would be flowing through.

Warning signs of a 419 Nigerian Advanced Fee Fraud Scam email

A promise to share or transfer millions of dollars to you for your help or participation.(Out of 6 billion people in the world you were singled out as this fortunate person, lucky you…!).
The e-mail or correspondence is marked "urgent," "top secret" or "highly confidential" and demands you act immediately. (Time is commonly of the essence).
The sender claims to be an exiled Dignitary, Cabinet Member, General, CEO, CFO, lawyer, doctor or the heir of some other important person or top official to gain your confidence. (The Grifter usually uses a Hotmail, Yahoo, Netscape or other such free and anonymous e-mail service to send you the message - not very Regal at all).
Claims to have obtained your e-mail address "during a personal research on the Internet" or from an unidentified "friend who was once on diplomatic mission.
The proposal contains a seemingly unlikely situation, i.e. overpaid millions on a contract, royal money or assets frozen by a foreign government, an inheritance, or money, gold or diamonds that need to immediately be transferred or be lost forever.
Seeks an "honest foreign partner" to help with them with their crisis situation. (As if none exist or can be found in their own country).
States they are working with an unidentfied "Security Company" or the "Central Bank of Nigeria"
Requests personal information from you, i.e. your full name, bank account information and routing numbers, home or business telephone and facsimile numbers, or a copy of your letterhead.

Tips to Avoid 419 Advance Fee Fraud
The best tip is to DELETE any mail from a stranger which resembles the mails we described above
Same mail may be forwarded to the service provider’s mail ID like abuse@yahoo.com, abuse@hotmail.com depending on the senders mail ID.
Similarly you can forward the mail before you junk it to local police email ID if they have any

What is Phishing?

Phishing is an attempt to criminally and fraudulently acquire sensitive information, such as usernames, passwords and credit card details, by posing as a trustworthy site in an electronic communication. Most of the online banks are common targets. Phishing is typically carried out by e-mail or instant messaging, and often directs users to enter details at a website, although phone contact has also been used at times. 

How to Spot Phishing Emails

The best way to avoid becoming a phishing scam victim is to use your best judgment. No financial institution with any sense will email you and ask you to input all of your sensitive information. In fact, most institutions are informing customers that “We will never ask you for your personal information via phone or email”. Safety tips to avoid Phishing? When you receive emails claiming to be sent by banking institution asking you to enter your account details, DO NOT do so! Your bank already has your details and clearly would not want them again.

 

Check if the email that you receive has your name spelt correctly. Fraudsters simply try to guess your name by your email address. DO NOT open emails that have your name spelt incorrectly.

DO NOT respond to emails that seem like they are sent from your bank. Some of the claims made in these emails may be the following: - You are to receive a refund - The bank is trying to protect you from a fraud - The bank needs some security and maintenance update on your account

If you receive such email always check back with your bank directly or speak to the customer service representative of the bank.

NEVER enter your credit card details and password in a website which you suspect is not genuine.

It is a good practice to type in the URL of your bank yourself, or bookmark it if the URL is difficult to remember.

DO NOT follow links to a banking website from another website or email.

Verify a website’s URL carefully before you provide your login details on any web page. Fraudsters create fake websites that have URLs closely resembling the original.  DO NOT share your account details, password, or credit card details with anyone who you do not know or trust. Log in to your accounts regularly and look for account transactions that you do not recognize. DO NOT send your account details and/or password over an email to anyone. Password: Important tips to keep your password safe in the Cyber World. Never tell or share your password or with anyone. Never write your password on the paper, or send your password in Email or tell your password over telephone. Always change your password regularly. Avoid choosing the “Remember/Save my password” option. Avoid typing the password in-front of others. Always use the different passwords for different logins. Do's Use a password with mixed-case letters (eg, AaBb) and use upper-case letters in the middle and/or end, not just the beginning. Use a password that is easy to remember, so you don’t have to write it down. Use a password that you can type quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by watching over your shoulder Passwords are the secret which is used to protect the valuable personal information that is stored in our computer and in our Online Accounts. Don’ts Don’t tell a password over the phone to ANYONE. Don’t reveal a password in a email message. Don’t talk about a password in front of others. Don’t use the “Remember Password” feature of applications (For Example, OutLook, Browser, Messenger) Don’t share a password with family members.

protect yourself from scammers

1. Do not respond to any e-mail that asks for personal information from you, such as account number, credit card number, user names, passwords, etc. If you suspect that the e-mail, indeed, be legitimate, contact your bank or institution to verify this.

2. When in doubt, visit the Anti-Phishing Working Group for an update of the latest scams, and tips to avoid becoming a victim. The website’s URL is www.antiphishing.org

3. Websites like www.Paypal.com, www.citibank.com, and www.ebay.com, offer security tips and tell you what information they’d never ask for in an e-mail.

4. Get anti-virus software and keep it up-to-date.

5. If you suspect you have received a fraudulent e-mail, do not click on any links within it, and forward it to the FTC at uce@FTC.gov

Finally, if you suspect you’ve been a victim of this fraud, get a copy of your credit report immediately to check for unusual activity. If you discover that you’ve been a victim of identity theft, close your account at once and…

    * Call the Credit Bureau.
    * File a police report.
    * Call the FTC ID theft hotline at 877IDTHEFT.
    * Alert other financial institutions where you have accounts.

Gmail Spam

Some spammer pretending to be writing on behalf of Gmail service center asking me for my email account and password. This kind of spam is so scary and dangerous.

These days even people with minimum awareness about spam mails, mail virus internet frauds etc use gmail and other mail clients. Am sure if a naive person like that, my mom and dad for example, would get this mail he/she would fall into the trap and send away their account details to a spammer exposing them to extreme internet risks.

May be Google should try to nail these kinds of frauds and give some press statement or something cautioning users to be beware of such fraud.

Keep you're PC Secure

Keep you're PC Secure by Following Ways

A---Make your Internet Explorer more secure - This can be done by following these simple instructions:

1--From within Internet Explorer click on the Tools menu and then click on Options.

2--Click once on the Security tab

3--Click once on the Internet icon so it becomes highlighted.

4--Click once on the Custom Level button.

a-Change the Download signed ActiveX controls to Prompt

b-Change the Download unsigned ActiveX controls to Disable

c-Change the Initialize and script ActiveX controls not marked as safe to Disable

d-Change the Installation of desktop items to Prompt

e-Change the Launching programs and files in an IFRAME to Prompt

f-Change the Navigate sub-frames across different domains to Prompt

g-When all these settings have been made, click on the OK button.

h-If it prompts you as to whether or not you want to save the settings, press the Yes button.

5--Next press the Apply button and then the OK to exit the Internet Properties page.

B---Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

CRIME RELATED TO COMPUTER NETWORK

As investigating team comprising personnel of special skills and expertise becomes a logical requirement.

         i.            Securing data from authorized personnel owning such data that may have evidentiary value for investigation of a crime and

       ii.            The legal provisions that empower investigating officer to conduct a search and proceed further to seize incriminating evidences for a successful prosecution.

The former issue involves the privacy right of individual as upheld by the State and to compet the physical owner of the data to allow access and further, immunizing them from the bonafide breach.

The latter issue involves principally the aspect of jurisdiction.  The law enforcement agency enjoys full and unfettered powers to investigate a crime within the jurisdiction of the country.  The accepted norm is one wherein there is a demand from the law enforcement agency of one country for legal assistance and response of the law enforcement agency of another country to assist them on established principle of reciprocity.

PROBLEM DEFINITION

The law enforcement agencies face new challenges in combating these crimes.  They are yet to establish the degree of proficiency and understanding to successfully detect such crimes.

In the absence of special laws to define these crimes, recourse to traditionally defined offences are largely taken to.

Computer figures as an instrument for commission of crime.  The investigator is confronted with new types of electronic evidences like computer files program, ID passwords etc.

Information Technology is one of the fastest growing technologies in India.  Information in this context is being recognized as a resource for the country’s growth and development as well as to become globally competitive.  The size of investment in the IT industry is estimated at Rs.7500 crores (US $ 2.2 billion).  Currently about 30 large networks (WAN) are operating in the country.  Internet is accessible through dial-up lines, namely PSTN.

The impact of crimes related to computer network in India is yet to be felt.  Since internet access is through only one state-controlled service provider, websites offering objectionable material like pornography, child prostitution etc. are filtered or blocked at source.  A number of cases, relating to software piracy have been registered and investigated in the aftermath of major amendments made to Copyrights Act.

Covert intelligence, undercover operations, surveillance etc. may be techniques, accepted as professional compulsions but these have to lead to a legally vetted procedure or compulsory measures.  A comprehensive ‘Data Protection Act’ is pending enactment.  Drafting of a bill for Computer Crimes (Prevention) Act.

The law-makers (democratical by elected Parliament) the law-enforcer (Police), the prosecution system (Public Prosecutor), the Judiciary (Judge) and the correctional service (Prison staff) as five fingers of the plam exert the required grip in ensuring an orderly society needed checks and balances.

            The Republic of India as a Federal set-up comprises of the Union (Central Government) at the top and States (Provincial or State Government – 25).  The Constitution of India (1949), a law of all laws, governs public administration, listing the fundamental rights which in spirit exudes the Human Rights, the Directive Principles which in spirit exudes the economic and social rights and the subjects for governance delineated as “Central list” and ‘State list’ and ‘Concurrent list’.  The ‘law and order’ as a subject comes under ‘State list’ with the centre assisting them monitorily and by guidelines for uniformity.

1. Indian Penal Code (1860) Penal
2. Code of Criminal Procedure (1898) (Amended – 1973)
3. Evidence Act (1872) Evidentiary

Major laws are to conform to the spirit of the articles of the Constitution failing which they are liable to be struck down as ultra virus.  The High Court of States and Supreme Court of the centre having original jurisdictions to intervene and protect the Constitutional guarantees through writs.

Compulsory measures like search and seizure for instance, shall have to conform to the major procedural law, namely the CrPC.  The exercise of drafting a separate bill (draft law) to deal with computer-related crimes or crimes related to computer network has just been completed in India.

Investigation, prosecution or trial, the provisions codified in the ‘Code of Criminal Procedure’ shall prevail.

The salient features relating to the above (Section 91 to 105 of CrPC – chapter VII) comparative analysis of legal systems:

A search warrant is mandatory. As per Article 20(3) of the Constitution; no person accused of an offence can be compelled to be a witness against himself.  The act of compelling the suspect who has the key for encrypted data to make available the data should not be viewed by the court as an infringement of the same.  In such circumstances, the suspect can be only persuaded to cooperate and failing the same court may adversely view the non-cooperation during trial.  No separate compulsory measures to deal with the above situation are available.

All persons who have the right to access data are required to cooperate legally.  Though non-cooperation amounts to an offence u/s 175 IPC or 187 IPC, cooperation is obtained by persuasion and other conflict-resolution mechanisms.

Access to data or informations need elaboration in some respects.  There are also certain communication codified as privileged communications which cannot be compelled by even the courts they can be denied.  Affairs relating to the security of the state and defence related information could not be accessed.  The very act of giving such classified information becomes a punishable offence under Official Secrets Act.  Under

the Banker’s Book Evidence Act, banks are under obligation by Investigator in investigation or court in a legal proceeding.

If any offence is alleged to have been committed by public servants while acting or purporting to act in the discharge of official duty, no court shall take cognizance of such offence except with the previous sanction of the Government.  Either in giving data by persons who have access rights or steps of Investigator to access data considered relevant in respect of criminal investigations.  So long they are construed as bonafide.  No civil/criminal action can be initiated without prior sanction of the Government.  This immunity is granted.  In tackling the crimes related to computer network also related provisions of section 197 CrPC affords certain degree of protection.

Digital Signatures

Digital Signatures

It provides a method for employing digital signatures, which enable the recipient of the information to verify the authenticity of the information’s origin, that the information is intact.  Thus, digital signatures provide authentication and data integrity.  It also provides non-repudiation, which means that it prevents the sender from claiming that he or she did not actually send the information.

A digital signature serves the same purpose as a handwritten signature.  It is superior to a handwritten signature.  It is nearby impossible to counterfeit, it attests to the contents of the information as well as the identity of the signer.

The basic manner in which digital signatures are created is illustrated below.  You encrypt it with your private key.  If the information can be decrypted with your public key, then it must have originated with you.  Its actual use usually involves two processes.  One performed by the signer and the other by the receiver.

Digital Signature Creation

This consists of the following stages:

• The signer first creates the message that he is desirous of digitally signing.
• He then uses a hash function to compute the hash result of the message.
• He then uses his private key to digitally sign the message digest.
• The signer then sends the original message and the digitally signed message digest to the receiver.

In the illustration above, the original message has been highlighted in bold and begins with the words Dear Mr.Akash and ends with the words Asian School of Cyber Laws.  The digitally signed message digest begins with iOA and ends with =sKWD and is deemed to be the digital signature of Asian School of Cyber Laws for this message.

Digital Signature verification

This consists of the following stages:

• The receiver receives the original message and the digitally signed message digest from the sender.
• The receiver computes the message digest from the original message using the same hash function as used by the sender (SHA1 in this case).  He them compares the message digest computed by him to the message digest send to him by the sender.  If they are the same it implies that the message has not been altered unauthorizedly.
• The receiver then verifies whether the private key of the sender was actually used to sign the message digest. 
• He does this using the public key of the sender.

The verification software will confirm the digital signature as verified it.

• the signer’s private key was used to digitally sign the message.  If the signer’s public key is used to verify the signature.  The signer’s public key will only verify a digital signature created with the signer’s private key; and
• the message was unaltered.  If the hash result computed by the verifier is identical to the hash result extracted from the digital signature during the verification process.

A digital signature has many legal purposes:

·         Signer authentication: The digital signature cannot be forged, unless the signer loses control of the private key, such as by divulging it or losing the media or device in which it is contained.

• Message authentication: The digital signature also identifies the signed message, with far greater certainty and precision than paper signatures.  It shows whether the message is the same as when it was signed.
• Affirmative act: A digital signature requires the signer to use the signer’s private key.  The signer is consummating, a transaction with legal consequences.
• Efficiency: The digital signature is genuinely the signer’s.  Compared to paper methods such as checking, specimen signature cards methods so tedious and labor-intensive.  Digital standards yield a high degree of assurance without adding greatly to the resources required for processing.

Digital signatures have been accepted in several national and international standards developed in co-operation with and accepted by many corporations, banks and government agencies.  The malfunction is extremely remote and is far less than the risk of undetected forgery or alteration on paper or of using other less secure electronic signature techniques.

Security has become an essential component of information technology.  It will often depend, to a large extent, on the type and location of the IT equipment.

The potential security threats and risks will have to be carefully assessed in every situation and it is absolutely vital that all concerned are made aware of the threats and risks that affect them.

Threats to information systems may arise from intentional or unintentional acts and may come from internal or external sources.  International threats made with criminal intent, to Confidentiality and Integrity.  “Availability” security functions will only be addressed if they have an effect on “Confidentiality” and/or “Integrity”.

CONFIDENTIALITY (SECRECY)

Information is only disclosed for those “users” (persons, entities or processes) who are authorized to have access to it.

INTEGRITY

Information is modified only by those “users” who have the right to do so.  The accuracy and completeness of the data and information is also guaranteed.

AVAILABILITY

Information and other IT resources can be assessed by authorized “users” when needed.

THREAT

A “Threat” is a potential undesirable incident RISK.

A “risk” is the estimated probability that the “threat” will be activated.

Information Classification

To classify the information according to the appropriate level of availability.  E.g.”open”, “confidential” or “secret”.

The classification should be carried out by the management or by the ‘information owner”.

All systems especially the “Identification and Authorization system”, “Information Classification” system and “Application systems” must be fully documented.

IT-security policy should be documented in a “Security Handbook”. The chapter on IT Security should have separate sections for each user category. Eg. “Management”, “System Administrators”, “End-Users” etc.

Information Processing

It involves the following types of operation –

• READ/CREATE/MODIFY/DELETE information
• TRANSPORT (in one way or another) of information
• STORE information to keep it some where.

Simplest ways of “transporting” information is between the keyboard, the memory and the hard disk in a PC.  “Transport” of a diskette from one place to another.  Information can also be “transported” using a “Local

Area Network” (LAN) and/or a “Wide Area Network” (WAN).  Insecure “transport” affects both confidentiality and integrity.  A special kind of “transport” is “Electronic Emission”.

STORE INFORMATION

            Once the information has been “stored” on some kind of media (diskettes, tapes etc), it may become the target of unauthorized activities, which will have an effect on the confidentiality and/or integrity of the information.

As well as knowledge of computer architecture, the Investigator also needs to be familiar with a number of important IT-security functions if he is to be able to give advice on prevention methods and conduct investigations.

Success in information security work depends first and foremost on developing good basic working, practices and establishing procedures to ensure that they are maintained.  It is also important to create a security-conscious atmosphere and establish a disciplined approach.

If confidential information is to be handled, the people chosen for the job are absolutely reliable.  They should be security screened.  Access to information should be restricted to that which the individual “needs to know” to do his job.  Sensitive material should be split into sections.  Each section can be handled by a different member of staff; no member of staff should have access to all the information.

Security measures will only be effective if staff is properly trained.  They understand the problem.  This can be achieved with in-house training.  Employees can be taught what to do to counter certain threats, what they should not do, whom they can call and where they can get help.  To encourage employees to report incidents so that steps can be taken to prevent any further damage. New or temporary employees should be given introductory training.

User responsibilities

User should be given specific guidelines about what they should do-and what they should not do.  These guidelines should be distributed in written form and signed for.  Specimen guidelines are given below

1. Do not use any computer equipment without permission
2. Do not try to access information unless you know you are authorized to do so
3. Do not alter any information on a computer system unless you know you are authorized to do so
4. Do not use a computer for personal matters
5. Do not leave a working computer unattended.
6. Make sure you know what to do in the event of a virus being discovered on the system
7. Keep your password and user ID confidential
8. Do not allow anyone else to use your password
9. Do not use anyone else’s password
10. Anything done on the system using your ID and password IS your responsibility.

All senior management should be sufficiently familiar with the computer systems in use.

The role of the system manager is crucial.  He must be of the highest degree of integrity and sufficiently computer literate.  Computer security manager to check on the system manager’s activities.

The only way of establishing how a problem has occurred, whether the origin is accidental or deliberate, is to examine the logging information stored on the computer.  Analysis of this information should show when, where and how the problem occurred.  In some cases, careful examination will also indicate who was responsible.  The logging capabilities of the particular system are fully understood and utilized.  If the logging functions on the system are inadequate, consideration should be given to acquiring suitable software.

User Identification and Authorization

The simplest systems rely on passwords only.  These give some measure of protection against casual browsing of information, but will rarely stop a determined criminal.

Passwords should

1. Be issued to an individual and kept confidential, they should not be shared with anyone.
2. Ideally be:

1. Alphanumeric and
2. at least six characters long

      iii.            Be changed regularly at least every 30 days

      iv.            Using a password history list, new passwords will be checked against the list and not accepted if    they have already been used.

        v.            Be removed immediately if an employee leaves the organization or gives notice of leaving

Biometric systems make use of specific personal characteristics of a specific person.  E.g. fingerprint, voice, keystroke characteristics or the “pattern” of the retina.  Biometric systems are still quite expensive (except for the keystroke system) and not very common.

Authorization

There must be a function and set of rules to control what object each user is allowed to access.  This is the Access Control system.

Most computer systems have some kind of log.  The desired level of protection will only be achieved if the various security measures are properly followed up with a log, which can be analysed as and when necessary.  A proper log will answer the questions.

-         WHO (user)

-         WHEN (time-date)

-         WHERE (place)

-         WHAT (event/activity)

-         ADDITIONAL (additional information depending on activity)

There are often many different types of logs e.g.

-         Systems log

-         Transaction log

-         Security system log

-         Database log

-         Application log

-         Technical log (mainly on mainframes)

Log information is one of the most important items for a computer crime investigator to look for.

Back-up

Modern computer systems are generally very liable, breakdowns and failures do occur and users can make mistakes, which lead to the accidental destruction of information.  It is necessary to set up procedures for making regular copies of the information on the computer system on some form of back up medium.  This medium can then be stored in a safe place until it is needed.

Valuable information several copies should be made and each copy stored in a different place in different buildings at least if not different cities.

                                 i.            Make sure that regular back up copies are made of both date and system files.

                               ii.            Take a full back up out of the cycle on a regular basis and archive it off site for an extended period.

                              iii.            Back-up tapes/diskettes should be kept in a safe place under lock and key and away from the computer in case of fire, flood or deliberate interference, preferably off site.

                              iv.            Periodically test the back-up to ensure that the information can actually be restored in an emergency, do not wait for disaster to strike to find the back-up system does not work.

Back-ups (including old back-ups) are another important source of information for an Investigator.

COMPUTER ARCHITECTURE

The main types of computer architecture are indicated below.  The specific threats and risks to which a particular system is exposed will depend on its architecture.  There are a number of threats, which can affect all systems irrespective of their architecture.

-         Microcomputers, i.e. stand-alone with no communication facilities

-         Network architectures and Mini-computers, architectures with microcomputers, which are connected to each other in a network configuration

-         Mainframes

-         Hand-held computers

There are a number of important architecture-independent security targets:

·         Members of staff, with certain responsibilities, powers, information

·         Media handling

·         Malicious programs

·         Electronic emission

Local Area Network (LAN)

If a personal computer (PC) is connected to a network, there are two other possibilities for interfering with data, in addition to the dangers of physical access to the machine.

Firstly, it becomes possible to access the information stored on the PC via the network.  Care should therefore be taken to ensure networking software is correctly configured and that only that information which is intended to be generally accessible is stored in directories, which can be accessed via a network.

Secondly, the danger of leaving a PC unattended is much greater: not only can the data on the PC itself be compromised, but there is also a risk that any data which the rightful user may be able to access over the network will also be compromised.

It is essential to keep a central record of activity, i.e. a log.  There should also be a procedure for examining the log, so that all suspicious events can be highlighted and investigated.

Wide Area Network (WAN)

Networks are connected either by cable, by microwave or satellite.  The latter are vulnerable to interception as are any radio transmissions unless the data is encrypted.  There are many standards, TCP/IP which is the standard packet-switching protocol used for the Internet.  The best way is to use Identification, Authentication and Cryptography as well as firewall and Intrusion Detection Systems (IDS)

Telecommunication companies can offer the use of dedicated lines – which means that these lines are not available for normal public use and are protected against intrusion, but they cost substantially more.  There are a number of encryption standards and devices ranging from small logical keys installed on sending and receiving equipment to higher levels of coding which use complicated mathematical cycles and algorithms.  The decision to be taken in the light of the value of transmitted data.