Cyber crime has now become reality in India. Difficult to detect, seldom reported andeven more difficult to prove, computer- related crime lacks a traditional paper audittrail, is away from conventional policing and requires specialists with a soundunderstanding of computer technology.
With the country poised to enter the information superhighway— over three millioncomputers in place— and industry and banks networked, the realisation of the dangersand threats is finally sinking in. "The biggest challenge is jurisdiction. Technologyhas eroded the concept of state boundaries and created a borderless world," says N.R. Wasan, deputy director, CBI , who is credited with computerising the investigatingagency in 1992. In the age of automation, computer applications are likely targets fortheft, fraud, vandalism, extortion, and even espionage. It’s the darker side of thecomputer revolution.
In the West, world- class hackers have managed to:
It was the securities scam of 1992 that woke enforcement agencies in India to thepotential threat of more banks and financial institutions being targeted by professionalwhite- collar criminals. "It was scary and it has taken a long time before we aredeciding to act," says Dr K. P. C. Gandhi, director of Hyderabad’s ForensicLaboratory.
Software professionals, specialists from FBI , Interpol, IBM , and London’sComputer Forensic Limited recently conducted a brainstorming session with officials frombanks, insurance companies as well as Central and state police organisations, onIndia’s vulnerability to computer- related crime. "India is virgin territory, ifhackers or computer cartels break into computers and telecommunications systems, they can create havoc," says Keiron Sharp of Interpol. And while recent studies showthat the real threat is mostly from insiders, with employees having access to computersystems, external threats are also on the rise.
Now that technology has integrated the financial markets, access to the electronicmarket is open to all— including the criminal. The probable hacker could well be aninsider, dressed in a business suit, looking for quick financial returns. "We knowthat computer crime could emerge as a major problem area for the law enforcement agenciesin India— that is why an ounce of prevention is better than a pound of cure,"says R. K. Raghavan, CBI director. The techno- savvy Raghavan has been focussing hisattention on computerising cases handled by the agency so far and has also started a CBIhomepage.
Most system penetrations go unreported, say forensic and CBI officials, even thoughthere has been adequate publicity in recent years about system risks and attacks.Corporations and government agencies are often hesitant to report and prosecute computerbreakins because of the risk of adverse publicity, the loss of public confidence and thepossible charge of managerial incompetence. Further, organisations such as banks fearlawsuits based on the emerging ‘standards of care’. These sentiments are echoedby Kevin Griffin, special agent in the Federal Bureau of Investigation ( FBI ) who findsthe same situation prevalent in America. "Companies don’t come forward to reportthese incidents because they don’t want negative publicity. They also fear thatproprietary information may become public," he says.
Sample a few of the cases that were brought to the attention of investigators almost ayear after the incidents. Punjab National Bank suffered a loss of close to Rs 1.39crore when the computer records were manipulated to create false debts and credits. In theBank of Baroda, Rs 2.5 lakh was misappropriated through the computerised creation of falsebank accounts. "We want bank managers and other officials of financial institutionsto come forward and report such crimes to us straightaway, but they are reluctant,"says Wasan.
A more well- known case is that of Mahanagar Telephone Nigam Limited ( MTNL ) in Delhi.A junior telecom official was charged for reversing electronic telephone meter systems,thereby allowing some commercial export houses to make overseas calls without the chargesbeing directed to their telephone numbers— again by manipulating MTNL ’scomputer terminals.
In the absence of sufficient checks, the behemoth Indian Railways has also fallenvictim to computer crime. The computerised reservation records in
Mumbai were manipulated to accommodate favoured persons; money was siphoned out thoughfalse accounting by recategorising upper class monthly tickets as second class seasonaltickets; the computer system in a metropolitan city was turned off, ostensibly because itneeded repairs, but in reality so that one group could issue manual tickets to customersin return for bribes.
The computer as an instrument of crime is on the rise in a broad spectrum of areas,from business espionage to stealing cellular time. It’s a cause for worry for mobiletelephone operators such as Airtel and Essar, particularly with regard to the growingproblem of individuals using cellular phones and electronically billing charges to othercustomers. In these cases, offenders obtain cellular billing identification codes by usingscanning devices, which are small parabolic antennae connected to portable computers orlaptops. When activated, these scanners capture and store account numbers transmitted bycellular phones. No case till date has come to light in India, though.
"The offenders operate near high-ways, because motorists frequently make callsfrom their cars," says a revenue intelligence officer. Once they capture thecomputerised billing codes, they programme these codes into other cellular phones simplyby hooking up the phone to a personal computer. Then, using software originally developedby programmers in London, they reprogramme the signal chip in the cellular phone. The useof this software, which is easy to copy and use, is spreading across the United States andCanada.
Without effective cyberlaws in place, Indian companies are already permitting the useof credit cards for transactions through the Internet. None of these transactions aresecure as the credit card numbers are not encrypted and checked. "So if someone elseknows your credit card number, he may punch it in and leave you holding a fat bill,"says a CBI officer. There is also no efficient way to verify an address given on the phoneas belonging to the person whose account number is stated. Merchants who take verbalorders for merchandise on credit are facing mounting losses from rip-offs.
Even the Personal Identification Number (PIN) of a credit card, derived solely by analgorithmic conversion of customer data, is not secure. PIN pads do not guarantee secrecysince too many people have access to the secret number, which is generated by a computerand written on a letter handled by computer staff, mailmen and the customer’s familyand associates.
"Some time ago a 15-year-old schoolboy withdrew huge amounts of money fromCitibank’s ATM in Delhi’s commercial hub. He was subsequently caught and it waslater discovered that his sister worked in the bank," says Wasan.
Clearly, it’s time for a cyber police force to come to the rescue. And strategiesto combat cyber crime and introduce legal measures are on the anvil. A draft for aproposed Information and Technology Act, drawn up jointly by the Department of Electronicsand the CBI, is currently before the cabinet. The Act provides for penalties for offencessuch as tampering of computer source documents, committing electronic forgery andcheating, unauthorised access to computer networks and databases and making availableobscene material on the Internet. The National Computer Crime Resource Centre, a bodycomprising experts and professionals, is also likely to be set up in order to establishrules, regulations and standards of authentication of electronic records.
What’s most important about the proposed Act is that it provides for acomprehensive legislation defining a computer crime. This would entail amendments in theIndian Evidence Act, Indian Penal Code, the Bankers Book of Evidence and the CompaniesAct. "A floppy now is not admissible in the court. Instead, huge bank ledgers areaccepted. This will change when the Act becomes law," says a CBI official. Puttingpenal offences and banking secrecy laws on an equal footing, feel officials, will go along way in tackling computer crimes.
Technocrats feel that the CBI should also have a central computer crime response wingto act as a nodal agency to advise the state and other investigative agencies to guide andcoordinate in computer crime investigations. Says an official: "The CBI and statepolice agencies should immediately set up an exclusive computer investigation centre totrain, supervise and investigate such crimes."
India’s passion for software stocks and professionals is compounding the problemof computer crime in the country. Investor confidence in this sector has caught the fancyof foreign institutional investors, prompting many companies to raise the ceiling onforeign institutional ownership to 30 per cent from 24 per cent. India’s mostsuccessful software firms earn over 70 per cent of their revenue from exporting services,mainly to the United States.
Says Kevin Griffin of the FBI, who investigates computer crimes: "India has someof the best computer programmers in the world. Surely you’ll also have the besthackers." And the highly skilled inventory of computer professionals has caught theattention of global enforcement agencies.
"It is just a matter of time before computer programmers realise that there ismore money to be made by hacking than by working in the United States," remarksSanjay Dhawan, director, information risk management at KPMG Peat Marwick.
With trading on the country’s stock exchanges going online, RBI insisting on 70per cent of banking functions to be computerised by 2001 and the Central VigilanceCommission wanting to introduce electronic payments by all listed companies, it could bean opportune time for the hackers to strike. The incidence of frauds, above Rs 1 crore, inthe central bank in the past three years has already increased. Says RBI’s deputygovernor, S.P. Talwar: "With computerisation progressing at its present pace, thereis a crying need for safeguarding access controls and security checks".
In the words of Cosmos, the character in the motion picture, Sneakers: "Theworld is not run by weapons anymore or energy or money. It’s run by ones andzeros—little bits of data. It’s all electrons.. and there’s a warthere."
Murali Krishnan and Ashutosh Kumar Sinha
