Cyber Crime in India

0
2507

March 04, 2018

As the technological advancement is growing by leaps and bounds in India, the vulnerabilities associated with this burgeoning cyberspace is surfacing and its repercussions in the recent times have been witnessed far and wide. Looking at the levitating statistics of cybercrime incidences in India, it cannot be denied that the computer technology poses innumerable internal and external threats.

The proliferation of computer technology has created a new class of threats -“cyber threats”- which societies must confront. These cyber threats can be generically defined as using computer technology to engage in activity that undermines a society’s ability to maintain internal or external order[1]. One common definition describes cybercrime as any activity in which computers or networks are a tool, a target or a place of criminal activity[2].

Cyber crime Statistics in India

The latest NCRB (National Crime Record Bureau) publication of 2017 indicates an increasing incidence of cybercrime in India[3].

The aforesaid figures indicate an upsurge in rate of cybercrime over the years, however, the percentage variation in 2015-2016 is lower than the percentage variation in 2014-2015.

Categories of Cyber crime

Hacking

Hacking is recognized as one of the most common forms of cybercrime. Hacking in general refers to unlawful access to a computer system. It has been often categorized as one of the oldest computer related crimes. Some examples of hacking include breaking the password protected websites[4] and circumventing password protection on a computer system[5], it also includes use of faulty hardware or software implementation to illegally obtain a password to enter a computer system. Three main factors that have supported the increasing number of hijacking attacks: inadequate and incomplete protection of computer systems, development of software tools that automate the attacks and the growing role of private computers as a target of hacking attacks[6].

Identity Theft

Identity Theft refers to crimes wherein a person fraudulently obtains another person’s personal information and uses it primarily for economic gain[7]. Identity theft is broadly defined as the unlawful use of another’s personal identifying information[8]. Using only a name and a social security number an identity thief can borrow money, acquire credit, obtain employment or even obtain a criminal record. Victims are often unaware of their victimization. Calls from collection agencies and denied loans are frequently first signs of trouble. Victims of identity theft have to cope with the frustration of having their privacy invaded, their financial well-being threatened and astonishingly few resourced to turn to for assistance[9].

This can also be categorized as one of the simplest form of cybercrime, for instance making a social media account/profile in the name of someone else. Last year a Kannada Actress had filed a Police Complaint alleging that unidentified people had morphed and posted obscene pictures of her on social media.

Cyber Stalking

As the name itself signified, cyber stalking involves the repeated pursuit of an individual using electronic or internet capable devices[10]. Some instances of cyber stalking includes threatening, coercive or intimidating electronic communication. A cyber stalker relies upon the anonymity afforded by the Internet[11].

Hate Speech Online

The substance behind regulation of hate speech in India was underlined in Supreme Court’s verdict in the case of Pravasi Bhalai Sangathan v. Union of India & ors.[12], wherein the Apex Court observed that the issue of hate speech deserved deeper consideration by the Law Commission of India. The Court in the case requested the Commission to consider defining “hate speech” and make recommendations to the Parliament to curb the menace of hate speech in India.

In pursuance of Supreme Court’s above direction, the Law Commission in March last year issued Report on Hate Speech[13] which recognized the perils of hate speech on internet[14]. The Report stated that in the age of technology, the anonymity of internet allows a miscreant to easily spread false and offensive ideas. These ideas need not always incite violence but they might perpetuate the discriminatory attitudes prevalent in the society. Thus, incitement to discrimination is also a significant factor that contributes to the identification of hate speech.

Intellectual Property Crimes

It cannot be denied that IP rights become susceptible to misuse and theft in cyberspace. In this context, it would be relevant to refer Delhi High Court’s dictum in the case of Kabushiki Kaisha Toshiba Trading v. Mr. S.K.Sil & Anr.[15].

In this case the Court took account of the rapidly expanding cyberspace and stated that on account of advancement of technology, fast access to information, manifold increase in international business, international travel and advertising, publicity on internet, television, magazines and periodicals, which now are widely available throughout the world, of goods and services during fairs/exhibitions, more and more persons are coming to know of the trademarks, which are well known in other countries and which on account of the quality of the products being sold under those names and extensive promotional and marketing efforts have come to enjoy trans-border reputation. It is, therefore, being increasingly felt that such trademark needs to be protected not only in the countries in which they are registered but also in the countries where they are otherwise widely known in the relevant circles so that the owners of well-known trademarks are encouraged to expand their business activities under those marks to other jurisdictions as well.

Fraud and Financial Crimes

This is another gray area and indeed a crucial concern. The disclosure of Bank A/c details on several E-commerce transaction platforms has further aggravated this apprehension among masses. Under this category it would be relevant to shed light on the topic online payment and Security Issues.

Also read E-commerce Fraud in India- Risk, Measures and Legal Implications

Online payment and Security IssuesAccording to RBI (Reserve Bank of India) RTGS and NEFT volumes increased almost threefold between 2013 and 2016 reflecting greater adoption of the system by all segments of users. Similarly, with increasing number of banks offering mobile banking services and driven by the growth in e-commerce and use of mobile payment applications, the volume of mobile banking transactions has increased nearly seven-fold and the value of transactions has shown a steep rise.

Though RBI seeks to promote electronic payments it also recognized security risks of electronic payments and has notified all the Banks and Authorized Payment Networks about the Security and Risk Mitigation measures for Electronic Payment Transactions.

RBI stated that the Banks shall ensure that transactions effected through such channels are safe and secure and not easily amenable to fraudulent usage. One such initiative by RBI, was mandating additional factor of authentication for all card not present (CNP) transactions [1]. Banks have also put in place mechanisms and validation checks for facilitating on-line funds transfer, such as: (i) enrolling customer for internet/mobile banking; (ii) addition of beneficiary by the customer; (iii) velocity checks on transactions, etc.

One of the intriguing concern is that how can financial security be ensured in view of this aggravated peril? Duty of customers or account holders is an essential duty recognized by the RBI guidelines. It enumerates as under:

Duty of Customers in Banking Frauds

  • Customers shall mandatorily register for SMS alerts and wherever available register for e-mail alerts, for electronic banking transactions;
  • The customers must be advised to notify their bank of any unauthorised electronic banking transaction at the earliest after the occurrence of such transaction, because longer the time taken to notify the bank, the higher will be the risk of loss to the bank/ customer.

Liability of a Customer

RBI on July 06, 2017 also issued notification regarding Customer Protection – Limiting Liability of Customers in Unauthorized Electronic Banking Transactions. Relevant extract of the notification that defines the liability of customer in the event of unauthorized transaction is reproduced below:

Limited Liability of a Customer

(a) Zero Liability of a Customer

A customer’s entitlement to zero liability shall arise where the unauthorised transaction occurs in the following events:

  1. Contributory fraud/ negligence/ deficiency on the part of the bank (irrespective of whether or not the transaction is reported by the customer).
  2. Third party breach where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, and the customer notifies the bank within three working daysof receiving the communication from the bank regarding the unauthorised transaction.

(b) Limited Liability of a Customer

A customer shall be liable for the loss occurring due to unauthorised transactions in the following cases:

  1. In cases where the loss is due to negligence by a customer, such as where he has shared the payment credentials, the customer will bear the entire loss until he reports the unauthorised transaction to the bank. Any loss occurring after the reporting of the unauthorised transaction shall be borne by the bank.
  2. In cases where the responsibility for the unauthorised electronic banking transaction lies neither with the bank nor with the customer, but lies elsewhere in the system and when there is a delay (of four to seven working daysafter receiving the communication from the bank) on the part of the customer in notifying the bank of such a transaction, the per transaction liability of the customer shall be limited to the transaction value or the amount mentioned in Table 1, whichever is lower.
Table 1
Maximum Liability of a Customer under paragraph 7 (ii)
Type of Account Maximum liability
(₹)
• BSBD Accounts 5,000
• All other SB accounts
• Pre-paid Payment Instruments and Gift Cards
• Current/ Cash Credit/ Overdraft Accounts of MSMEs
• Current Accounts/ Cash Credit/ Overdraft Accounts of Individuals with annual average balance (during 365 days preceding the incidence of fraud)/ limit up to Rs.25 lakh
• Credit cards with limit up to Rs.5 lakh
10,000
• All other Current/ Cash Credit/ Overdraft Accounts
• Credit cards with limit above Rs.5 lakh
25,000

Further, if the delay in reporting is beyond seven working days, the customer liability shall be determined as per the bank’s Board approved policy. Banks shall provide the details of their policy in regard to customers’ liability formulated in pursuance of these directions at the time of opening the accounts. Banks shall also display their approved policy in public domain for wider dissemination. The existing customers must also be individually informed about the bank’s policy. Overall liability of the customer in third party breaches, as detailed in paragraph 6 (ii)and paragraph 7 (ii)above, where the deficiency lies neither with the bank nor with the customer but lies elsewhere in the system, is summarised in the Table 2:

Table 2
Summary of Customer’s Liability
Time taken to report the fraudulent transaction from the date of receiving the communication Customer’s liability (₹)
Within 3 working days Zero liability
Within 4 to 7 working days The transaction value or the amount mentioned in Table 1, whichever is lower
Beyond 7 working days As per bank’s Board approved policy

Hence, according to the RBI it is incumbent on the customer to report unauthorized transaction to the Bank as soon as possible in order to avoid any liability.

Phishing

This is a sub-category of financial crimes on the cyberspace. It refers to a form of online identity theft that aims to steal sensitive information such as online banking passwords and credit card information from users. It is believed that the earliest form of Phishing Attacks were e-mail based and they date back to 90’s. These attacks involved spoofed e-mails1 that were sent to users where attackers tried to persuade the victims to send back their passwords and account information[16].

Many Bank websites, strictly mention that Bank employees will never ask for PIN/OTP/CVV/Card Number. Hence, it is advisable that such sensitive account details are never shared with any third person and in case any phone call is received where the person inquires such details like PIN/CVV/Card number then it is the duty of Account holder to immediately inform the Bank with which he/she has Bank Account. In 2016, ICICI Phishing Attack was in news which specifically targeted the customers of ICICI Bank.

Cyber Terrorism

Cyber terrorism is the act of Internet terrorism in terrorist activities, including acts of deliberate, large-scale disruption of computer networks, especially of personal computers attached to the Internet, by the means of tools such as computer viruses[17].

The potential threat posed by cyberterrorism has provoked considerable alarm. Numerous security experts, politicians, and others have publicized the danger of cyberterrorists hacking into government and private computer systems and crippling the military, financial, and service sectors of advanced economies. Cyberterrorism is, to be sure, an attractive option for modern terrorists, who value its anonymity, its potential to inflict massive damage, its psychological impact, and its media appeal[18].

Child Pornography

Online Child Pornography can be classified as one of the most heinous form of cybercrime in India that is crippling the safety and security of the future generation. Child Pornography is a criminal offence and is defined as any visual depiction involving the use of a minor, or one appearing to be a minor, engaging in sexually explicit conduct. Since technology moves much faster than legislation, crimes committed via social media are often prosecuted by applying existing statutes. Child pornography is any visual depiction of sexually explicit conduct involving a minor.

Center’s Directions to Curb Online Child Pornography

In April, 2017 the MEITY had issued measures to curb CSAM (Child Sexual Abuse Material) in India. The two specific directions by the Ministry were:

  • ISP’s (Internet Service Providers) having cable landing station Gateways/ International Long Distance Licenses in India shall be required to adopt and implement IWF (Internet Watch Foundation) resources on or before July 31, 2017 to prevent the distribution and transmission of online CSAM into India.
  • All ISP’s shall continue to observe the existing due diligence requirements prescribed by the Central Government under the Information Technology Act, 2000 and Rules and regulations thereunder including the obligation to expeditiously remove or disable access to any unlawful content brought to its notice by relevant authoritites.

Subsequently, in July last year the Centre had blocked around 3500 child pornographic sites in India. The Centre also informed the Supreme Court in a case that to prevent access to pornography sites in schools, the Government had directed CBSE (Central Board of Secondary Education) to install jammers in schools and buses.

How to Report Cyber crimes in India

Step 1- In case of any cybercrime, immediately approach the Law Enforcement Agency (LEA) i.e. Cyber Crime Bench or the nearest Police Station in your area. Here you can lodge FIR for commission of cybercrime under the relevant provisions of the Information Technology Act, 2000.

Step 2– The LEA then approaches the Indian Computer Response Team (CERT-in) for information pertaining to Technical Analysis of crime like IP address and URL details.

CERT-in- The CERT-In has been established under Section 70B of Information Technology (Amendment) Act 2008. The CERT-in has been conferred with the following functions in the area of cyber security:

  • Collection, analysis and dissemination of information on cyber incidents
  • Forecast and alerts of cyber security incidents
  • Emergency measures for handling cyber security incidents
  • Coordination of cyber incident response activities
  • Issue guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents

Contact details and Useful Links to report cyber crime

The MEITY in 2017 had published a paper on How to Report Cyber Crimes in Indian Territory. The Paper apart from explaining the procedure also enumerates the contact details of major cities wherein cases of cybercrime can be reported. It also enlists some useful links for reporting report objectionable content to Social Media intermediaries like Facebook, Twitter etc. The contact details can be accessed here.

 

 

 

 

 

[1] Susan W. Brenner, At Light Speed: Attribution and Response to Cybercrime/Terrorism/Warfare, 97 J. Crim. L. & Criminology 379 (2006-2007)

[2] Carter, Computer Crime Categories: How Techno-Criminals Operate, FBI Law Enforcement Bulletin

[3] http://ncrb.gov.in/StatPublications/CII/CII2016/pdfs/NEWPDFs/Crime%20in%20India%20-%202016%20Complete%20PDF%20291117.pdf

[4] Sieber, Council of Europe Organised Crime Report 2004

[5] Musgrove, Net Attack Aimed at Banking Data, Washington Post

[6] ITU Publication- Understanding Cybercrime: Phenomena, Challenges and Legal Responses by Prof. Dr. Marco Gercke

[7] Berni Dwan, Identity Theft, 2004 Computer Fraud & Security

[8] Bellah, 2001, p.222

[9] A Case Study of Identity Theft- Stuart F.H Allison University of South Florida

[10] Reyns et al., 2012, p.1

[11] International Journal of Science Technology and Management, MEITY (Ministry of Electronics & Information Technology)

[12] AIR 2014 SC 1591

[13] Report No. 267 on Hate Speech http://lawcommissionofindia.nic.in/reports/Report267.pdf

[14] Clause 4.23 of Law Commission Report

[15] CS(OS) No.1298/2010

[16] Protecting Users against Phishing Attacks, Published by Oxford University Press, Engin Kirda, Christopher Kruegel

[17] http://meity.gov.in/writereaddata/files/HOW_TERRITORY.pdf

[18] Cyberterrorism, How Real is the Threat?- Special Report by United States Institute of Peace