Friday, May 20, 2005

Cyber security expert tips

10 steps against security breaches
Captain Raghu Raman

The PC revolution and the Internet boom in India have introduced new elements to cyber crime. Elements that make cyber crime one of the most dangerous issues facing modern society. Children and innocent netizens are now being subjected to an unprecedented barrage of innovative cyber attacks.

For example, the rising number of 'phishing' attacks has emerged as a new, big threat to cyber security. According to Anti-Phishing Working Group statistics, approximately 5 per cent of users fall prey to phishing scams. Spam, viruses, worms and other malicious code account for global losses of several billion dollars.

These simple 10 steps could cover people against more than 80 per cent of all causes of information security breaches:

1. Instal the latest anti-virus software on your computer and never ever turn it (anti-virus) off, instal a personal firewall and spyware checker (all are available for free). To find them just Google using the keywords anti-virus & free.

2. Never download or open attachments whose source you are not certain about. Even if the source is trusted, see if the content is relevant; if not, don't open the attachment. Create another E-mail ID which you use exclusively for subscription to sites. That will prevent spam from coming to your main ID. Some accounts like Yahoo! allow you to create topic-specific E-mail IDs that you can delink.

3. Avoid checking mail or using credit card details online in cyber cafes. It's next to impossible to be sure that it's safe. Even reputed cafes such as those in international airports and 5-star hotels have been known to be key-logged. As a matter of fact, open an additional debit card with a limit if you do want to transact online. In a worst case scenario your damage is limited.

4. Do not give away your residence or cell number. Be especially careful when you are filling in contest forms, coupons, free gift vouchers. More often than not, these are gimmicks to obtain your personal details. Don't believe it when they say the data will not be given to others - it most certainly will be. Don't print these numbers on your visiting card.

5. Get into the habit of destroying documentation regarding credit cards, such as receipts, bills, invoices or any documents that contain personal details.

6. If you are using broadband or working from home, ensure that your PC is hardened professionally. You can do this yourself if you follow the next step.

7. Information is a reality of modern life. Just like health or transport or communication is. Point is, you need to know something about it, even if it's just some basics. Read about information security breaches by subscribing to some newsletters. In case of many breaches, the only defence is knowledge. For instance, no technology could have prevented the phishing attack (wherein victims got mails seemingly from legitimate banks asking them to confirm their passwords and IDs).

8. Use two different passwords. One for mail, work and other important access and the other for routine purposes such as subscribing to sites. But remember to switch between them when you start doing transactions after mere browsing.

9. Create a difficult to guess password by taking the first letter from each word of a phrase. For instance a password like 1at*eomc is constructed using a phrase "I am the star employee of my company".

10. Educate your children about the dangers of cyber crime. Children with their unbound curiosity and unmonitored access are the single most common victims of cyber crime apart from the enterprises. Ensure that the home PC is kept in a common place so that you can monitor what is going on.

(Capt Raghu Raman is the CEO of Mahindra Special Services Group (MSSG), a company focused on providing enterprise derisking solutions to organisations worldwide. He is an information security veteran with over 18 years of consulting experience. In addition to several government agencies, he has served the United Nations, where he was responsible for securing information flow between UN HQ and Mission Control HQ in Africa. His merits have been recognised with several awards including one by the UN Secretary General for services rendered in the UN.

Raman has been trained at the College of Telecommunication Engineering and specialised in missile guidance systems [Armored Corps Center and School] and secure communication links. In addition, he has been trained at Foundstone & SCIP [US] on advanced hacking techniques and protection against competitive intelligence respectively.

In his earlier avatar, Captain Raghu was the CEO of Automartindia.com, a leading auto company. Raghu is currently on the panel of RSA [Singapore, San Jose], Forum Engelberg [Belgium, France], MDI [Delhi], ITBT forum [Maharashtra] as an authority on information security. He has published several papers on the subject in Indian and international publications. In addition to the Central government agencies, he has also conducted training sessions for police and state Intelligence agencies.)

R Rangaraj

Karnataka leads in cyber hacking

'Cyber cafes aiding e-crimes'
Our Bureau / Bangalore May 20, 2005
Cyber cafes are a breeding ground for e-crime, says Karnataka IT secretary Shankarlinge Gowda.

Delivering his keynote address at a conference on e-crime here on Thursday, Gowda said, “In the last few years, the proliferation of cyber cafes in the country (there are about five lakh registered and unregistered ones) has led to more gambling, pornography and e-business-related crimes.”

In Karnataka there are about 10,000 cyber cafes. The government, through its cyber police station located in the core of detectives’ office, is monitoring criminal acts like spamming people with pornographic mail.

Karnataka was one of the first states to draft the Information Technology (Karnataka) Rules 2004. “By doing this the government has sent the right signals to both domestic and international investors that the state is a safe place to conduct business.”

“When the Karnataka government took the initiative of asking cyber cafes to check the identities of Net users, there was some resistance initially. But now everybody has fallen in line and the crime rate is under check,” he said.

S T Ramesh, additional director general of police-computer wing, said, understanding of the issues at stake, involvement of numerous institutions, and co-operation among them is needed to fight computer-aided crime. To emerge as a software power, India needs to equip and prepare before computer-aided crime strikes us, he added.

Hacking, encryption technology, extortion, stalking, sales and investment fraud, illegal interception of telecommunication, electronic funds transfer fraud are common crimes committed with the aid of computers and the internet, said Ramesh.

Cyber Security (Official Government Tips)

Here is what the Indian Government's premier Cyber Security Cops ("CBI") advise you to do in the name of "security"
Online Security Tips

Tips for Children

* Do not give out identifying information such as Name, Home Address, School Name or Telephone Number in a chat room.

* Do not send your photograph to any one on the Net without first checking with the parent or guardian.

* Do not respond to messages or bulletin board items that are suggestive, obscene, belligerent or threatening.

* Never arrange a face to face meeting without telling parent or guardian.

* Remember that people online may not be who they seem to be.

Tips for parents

* Use content filtering softwares on your PC to protect children from pornography, gambling, hate speech, drugs and alcohol.

* There are also softwares to establish time controls for individual users (for example blocking usage after a particular time at night) and log surfing activities allowing parents to see which sites the child has visited. Use these softwares.

Protect Yourself and Your PC

* Use the latest version of a good anti-virus software package which allows updations from the Internet.

* Use the latest version of the operating system, web browsers and e-mail programs.

* Don't open e-mail attachments unless you know the source. Attachments, especially executables (those having .exe extension) can be dangerous.

* Confirm the site you are doing business with. Secure yourself against "web-spoofing". Do not go to websites from email links.

* Use hard to guess passwords that contain mixes of numbers and letters. They should not be dictionary words. They should combine upper and lower case characters.

* Use different passwords for different websites.

* Send credit card information only to secure sites.

* Use a security program that gives you control over "cookies" that send information back to websites. Letting all cookies in without monitoring them could be risky.

Protect Your Website

* Stay informed and be in touch with security related news.

* Watch traffic to your site. Put host-based intrusion detection devices on your web servers and monitor activity looking for any irregularities.

* Put in firewalls.

* Configure your firewalls correctly.

* Develop your web content off line.

* Make sure that the web servers running your public web site are physically separate and individually protected from your internal corporate network.

* Protect your databases. If your web site serves up dynamic content from a database, consider putting that database behind a second interface on your firewall, with tighter access rules than the interface to your web server.

* Back up your web site after every updation, so that you can re-launch it, immediately, in case of a malicious defacement.
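
The two segmentation tips above (public web servers kept separate from the internal corporate network, and the database behind a second firewall interface with tighter rules than the web interface), sketched as an nftables forward policy. This is an added example, not part of the CBI tips; the interface names, addresses, admin host and database port are assumptions.

```nftables
# Constructed example. Assumed firewall interfaces:
#   wan0 = Internet          dmz0 = public web server leg
#   db0  = database leg      lan0 = internal corporate network
define WEB_SRV = 192.0.2.10   # assumed web server address (documentation range)
define DB_SRV  = 10.20.0.5    # assumed database server address
define ADMIN   = 10.10.0.50   # assumed single admin workstation on the LAN

table inet perimeter {
    chain forward {
        # Default deny: anything not listed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed below.
        ct state established,related accept
        ct state invalid drop

        # Web interface: the Internet reaches the web server on HTTP/HTTPS only.
        iifname "wan0" oifname "dmz0" ip daddr $WEB_SRV tcp dport { 80, 443 } accept

        # Database interface, tighter rule: only the web server may connect,
        # and only to the database port (5432 is an assumption).
        iifname "dmz0" oifname "db0" ip saddr $WEB_SRV ip daddr $DB_SRV tcp dport 5432 accept

        # Administration from one internal host over SSH.
        iifname "lan0" oifname { "dmz0", "db0" } ip saddr $ADMIN tcp dport 22 accept

        # The public-facing legs never open connections into the corporate LAN,
        # and the Internet never reaches the database leg. The policy already
        # drops these; logging them makes a compromised web server visible.
        iifname { "dmz0", "db0" } oifname "lan0" log prefix "dmz-to-lan " counter drop
        iifname "wan0" oifname "db0" log prefix "wan-to-db " counter drop
    }
}
```

With this layout a compromise of the web server yields one permitted path, to the database port, and any other connection attempt from it shows up in the firewall log.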

India's Cyber Police.

Cyber Crime Investigation Cell

In keeping with the demand of the times, the Cyber Crime Investigation Cell (CCIC) of the CBI, notified in September 1999, started functioning w.e.f. 3.3.2000. The Cell is headed by a Superintendent of Police. The jurisdiction of this Cell is all India, and besides the offences punishable under Chapter XI, IT Act, 2000, it also has power to look into other high-tech crimes.

Postal Address
Supdt. of Police
Cyber Crime Investigation Cell
Central Bureau of Investigation
5th Floor, Block No.3, CGO Complex
Lodhi Road, New Delhi - 3
Phone: (011) 24362203, 24392424

Foreign BPOs National Security threat to India

Is The US Ready For Cyber Warfare?

Jason L. Miller | Staff Writer
2005-05-18


With the exponentially growing military capability of the United States, it is becoming increasingly difficult for enemies to create and maintain a physical military strike.

Most of them lack those kinds of resources, stymied by money and an intimidating US Defense Department.

It helps that the US is generally aware of who its enemies are (recent military efforts excepted). In the past, even recent past, threats to US borders were whole and conspicuous nation-states, or trickier groups of rogue terrorists operating with more primitive offenses.

But the emerging threat of our time is becoming less and less bombs and bullets. The "sleeping giant" proves difficult to knock down with sticks and stones, and ever-smaller Davids are camping in nondescript apartment buildings hacking their way into the giant's wallet, where it hurts him the most.

Last year, the Defense Department was targeted by hackers nearly 75,000 times, which led to the military forming the Joint Functional Component Command for Network Warfare, or JFCCNW, comprised of "the world's most formidable hacker posse. Ever."

So the government seems to be taking this very seriously. It recognizes a constant threat hitherto unfathomable. In a pre-Internet world, no country was under constant attack with bombs bursting at the gates 24/7. But this is what that amounts to, and the government, as well as businesses need to be vigilant about protection.

Where the Bull's-eyes Are

The most crippling targets of cyber attacks can be launched from virtually anywhere--inside or outside the borders, not necessarily from nations, not necessarily government funded--but quite possibly from even just one skinny kid hunched over his computer.

Here are his targets:

· The banking system
· Power plants and grids
· Telephone networks
· Air traffic control centers
· Mass transit systems

Does this sound crazy? Should I change my name to Tom Clancy?

Let's take a real world example, then.

Over the past several months, Japan has been hit with a wave of information bombs and hackings believed to have originated in China. These attacks are not thought to be state-funded. They are believed to have come from Chinese protesters, angered over various recent Japanese government policies.

The list of sites that have been attacked there include the National Police Agency, the Self-Defense Forces, the Defense and Foreign Ministries, Tokyo's Yasukuni Shrine, and Sony.

Authorities have called it the heaviest assault ever from overseas computers.

According to a report by Rene Millman, the United Kingdom is at risk of an "electronic 9/11," as described by a former chairman of the Metropolitan Police Authority. He claimed that since 2002, 71 Ministry of Defense computers were compromised by external sources.

Why US Business Is Especially Vulnerable

According to a report by Dartmouth's Institute for Security Technology Studies, "IT dependence in the US is evolving into a strategic center of gravity." There is more and more movement to centralized computing in large computing hubs. Though you can't take down the entire Internet, a hacker may be able to take out a large portion of it.

The study also states that movement toward global free market operations offers increased risks. Because of outsourcing to China, Philippines, India, Pakistan, to name a few, there are more people in scattered places with access to commercial systems and vast amounts of information. The more these capabilities are outsourced, the more vulnerable they become to a large-scale cyber attack.

Cyber warfare seems to be the way of future world wars. They are (presumably) bloodless and lightning fast ways of taking down the entire infrastructure of an enemy country. If successfully launched, the costs in terms of dollars and time would be immense, and the source may not be readily known.

Indian Cyber Police are toothless tigers

INDIA: Cyber Police are toothless tiger

Lack of guidelines prevents police from charging more individuals with cyber crimes

The Times of India
Wednesday, May 4, 2005

Hyderabad -- The Information Technology Act, 2000, defines only three types of cyber offences as crimes -- tampering with source documents, hacking a computer and sending obscene e-mails.

By its definition, most cyber frauds coming to light these days are not crimes, including the online railway ticket racket unearthed here last week.

Although an Internet-related crime, no case was registered against the men who purchased railway tickets online by punching stolen credit card numbers and sold them at higher prices. Simply because cheating as a crime remains out of the purview of the Act.

This recalls a similar case last year, when the city police arrested some people for gambling online. For the same reason, the cyber police did not register a case against them.

In such cases, where crimes are committed by using information technology, the cyber police now only assists the local police instead of investigating them themselves.

Because of limited purview, the cyber police have registered only 19 cases since it started functioning in 2002. Of them, 10 were related to obscene e-mails and pornographic material, three related to source code theft by employees of IT companies and six to computer hacking.

This year, the cyber crime police station has registered only one case, related to obscene mail, triggering off a clamour to widen the scope of the act.

Help students stop Bank Fraud in India

I wonder why Standard Chartered Bank takes YEARS to analyse and detect fraud credit card transactions.

23-YR-OLD SAKTHIVEL’S PROGRAMME ANALYSES DATA AS IT COMES — UNLIKE THE END-OF-THE-DAY EVALUATION THAT BANKS CURRENTLY USE

College student devises new programme to detect banking fraud
Sreejiraj Eluvangal (from Express Newsline)

Lucknow, May 17: He may soon turn out to be the hottest property in the ‘banking solutions’ field of the country’s booming IT sector, but 23-year-old Sakthivel is more worried about getting a job right now. The final year student from a small-time college in Tamil Nadu’s Thanjavur district may have found the perfect cure for the rising instances of banking-related crimes.

‘‘If you use my system, you will be able to cut down the time required to detect suspicious bank transactions from hours to just minutes,’’ he says, standing on the sidelines at a technology seminar in Lucknow.

Developed as part of his final-year project, Sakthivel’s approach to fraud detection is based on real-time analysis of transaction data — unlike the end-of-the-day analysis currently opted for by banks in India.

‘‘If you can detect a suspicious transaction as soon as it happens instead of scouring for it at the end of the day, the chances of preventing further mischief are much higher,’’ he says.

Though real-time fraud detection currently suffers from the risk of bringing the entire network down, Sakthivel has used the latest software tools to get over it.

‘‘The last thing banks want is more work for their transaction servers which process customer requests from ATMs etc. But this approach puts them at the risk of crashing in case of overuse,’’ he explains.

A new software tool called ‘Aglets’ — developed by IBM’s Tokyo centre — helped Sakthivel.

Tiny self-contained units of code, ‘Aglets’ collect information from designated computers on their network, dock onto a computer and use its processing power to process the data they have collected. ‘‘In fact, even if the computer they are lodged in becomes busy these units have the ability to automatically migrate to another one,’’ he says. He has been working on the project for a year at the headquarters of ‘Polaris software’ in Chennai.

While some experts supported Sakthivel’s claims, others were sceptical.

‘‘We have worked for nearly 10 years with a team of 100 to develop our product,’’ said one of the engineers from a leading software vendor. ‘‘Suddenly when someone comes with such claims, it has to be taken with a pinch of salt,’’ he added. T Senthilkumar, senior lecturer of Computer Engineering at the ‘Amrita Vishwa Vidya Peetam’ at Coimbatore and one of the experts consulted by the student, however, was optimistic. ‘‘The technology is a relatively untapped one and from what he told me about the project, I think it is quite a promising one. Of course, in this field, it sometimes takes more time to refine a product than to develop the first version,’’ he said.

Sakthivel has already done his initial checking. ‘‘It has been stable to the extent of a few thousand transactions in two hours and the average time taken to spot rogue transactions was 2 minutes! Of course, it is a long way from the tens of lakhs of transactions per 12 hours that such systems are used to in real life, but I am sure it will take it,’’ he says.

Another Illegal VISA ETF scheme

Here is another illegal money transfer scheme being run in India by VISA in violation of the Information Technology Act 2000. As usual the RBI is sleeping on the job.

Swipe plastic, zip cash across

Anita Bhoir in Mumbai | May 17, 2005 13:17 IST (source Business Standard)

Desperately seeking to send money to a relative?

Not to worry. Help is at hand, as banks have begun offering card-to-card money transfer.

IDBI Bank, ICICI Bank, HDFC Bank, UTI Bank, Citibank and Kotak Mahindra Bank, in association with Visa, the global payment company, have started card-to-card money transfer facility in the country.

This service allows customers to transfer money online from their bank accounts to any valid Visa debit or credit card issued by any bank in India.

Banks permit transfer of funds between Rs 25,000 and Rs 100,000 per day with no restriction on the number of transactions per day. At present most banks offer this facility free of cost.

However, they are planning to levy around Rs 25 per transfer depending on the quantum of money from the next quarter, said bankers.

Card-to-card fund transfer is a better option compared with other means of fund transfer such as cheque, demand drafts, money orders and electronic fund transfer, as it is instant, free of cost and the customer need not visit the bank's branch every time.

The other options cost around Rs 50 and it takes a longer time -- normally three to four days -- for the money to reach its destination.

The amount of funds that can be transferred through a card is also higher compared with the good ol' money order. But through this postal department vista, you can transfer only Rs 5,000.

Customers can also send funds through the real time gross settlement system set up by the Reserve Bank of India.

However, RTGS is economical only for high-value transactions and is a good proposition for corporates and not retail customers. The minimum amount that can be transferred under this is Rs 100,000.

Also, a customer will have to pay in excess of Rs 50 per transaction, said a banker.

Another point is, to facilitate an RTGS transaction, all bank branches should be RTGS-enabled. At present, only about 110 bank branches are part of the network.

A global standard for managing fund transfer, RTGS reduces risks and boosts investor confidence, apart from helping companies manage their working capital requirements more effectively.

Hackable Credit Cards?

NEW YORK (Reuters) - JPMorgan Chase & Co. on Thursday introduced a credit card that does not have to be swiped and allows consumers to wave their card past a sensor to make payments, a function already common at many U.S. gas stations.

A top issuer of credit cards in the United States, JPMorgan Chase said its new credit card, called "blink," will be marketed this summer and can be used in movie theaters, convenience stores, specialty shops and drug stores.

Sheetz Inc., an East Coast convenience store chain, will be JPMorgan Chase's first partner to launch a co-branded credit card with the contactless feature.

Another early adopter of the new card is convenience store chain 7-Eleven which will test the card in 170 of its stores and eventually will accept it at its 5,700 stores.

The new card will allow card holders to hold their card at a point of sale terminal at checkouts, rather than swiping the card or handing it to a store employee. As card members hold their card near the point of sale terminal, the terminal will emit a signal or tone to confirm the payment.

The new cards also can be used the same way as traditional credit cards with a magnetic stripe.

This new card payment technology has been used by customers at many Exxon Mobil Corp. gas stations since 1997.

The gas station's payment card has a miniature transponder that is attached to a customer's key chain and is waved in front of an electronic reader at pumps and checkout counters. A credit card or check card designated by the customer is then charged for the purchases.

© Reuters 2005. All Rights Reserved.

CIBIL Credit Information Bureau India Limited

Sarbajit Roy's Hacking Complaint has substantially regulated the way CIBIL will do business in future. See last para of this story

CIBIL database grows to top 20 m records
Friday, 20 May , 2005, 08:48 (source rediff)

Chennai: Retail loans are booming at Indian banks. Given the 30 to 40 per cent loan growth that banks are registering, it would be difficult to verify each individual applicant's antecedents. This is where Credit Information Bureau helps banks, by providing a database of all borrowers in the system. Banks just need to query the CIBIL database, thus cutting the time taken for verification and processing loan applications faster. As a customer, you'll benefit by getting your loans sanctioned faster - provided your track record is clean.

S. Santhanakrishnan, Chairman of Credit Information Bureau of India Ltd, answers a couple of questions about its operations.

How big is your database currently?

Our database has grown from 4 million records contributed by 13 members to over 20 million records from around 30 members.

How many banks have shared their full data with CIBIL?

At present, around 30 members have provided their complete consumer/borrower data to CIBIL. Several others are in various stages of data submission, wherein the data submitted by them goes through the stages of data validations and quality checks. The RBI is in continuous dialogue with the banks wherein they monitor the progress of data submission to CIBIL and encourage them to submit data to CIBIL.

Have banks started sharing of information on corporate borrowers?

Yes, banks have started submitting data on their commercial accounts as well. We expect that the database should be well populated in the next couple of months and we would be in a position to launch the commercial bureau operations. In the meanwhile CIBIL is already maintaining data pertaining to suit-filed cases.

How many queries have been posed to the CIBIL database by various users?

Most of the banks that have submitted their complete data to us have been instructed to pull a credit report for each loan that is being sanctioned. While most of them are using the `Web' to access reports, many of the members are moving towards building the CPU-to-CPU connectivity, which would permit them to connect to our servers, and access bulk reports.