E-COMMERCE FRAUD

What is E-commerce Fraud in India?

INTRODUCTION

E-commerce is a method of conducting business through electronic means. Such electronic means include 'click & buy' methods using computers as well as 'm-commerce', which makes use of mobile devices such as smartphones [1].

Electronic commerce, commonly known as e-commerce or e-comm, is the buying and selling of products or services over electronic systems such as the Internet and other computer networks. It draws on technologies such as electronic funds transfer, supply chain management, Internet marketing, online transaction processing, electronic data interchange (EDI), inventory management systems and automated data collection systems. Modern e-commerce typically uses the World Wide Web at least at one point in the transaction's life-cycle, although it may also involve a wider range of technologies such as e-mail, mobile devices and telephones.

 

E-commerce in India

The spread of e-commerce remains low in India compared with developed nations, but participation in it is growing at a much faster pace. The industry gives many reasons for this sudden change:

  • Availability of internet services at a much cheaper price than in other countries
  • Increasing 3G penetration, even in rural areas
  • Convenience of online shopping, which saves a lot of travelling time
  • Online retailers like Amazon.com Inc have lower operating costs (less real estate, lower inventory costs) and higher flexibility (fewer middlemen in the transaction chain)
  • Rise of a middle class in India with higher disposable incomes
  • Online businesses allow disintermediation, in contrast to brick-and-mortar retail
  • The most preferred method of payment in India is Cash on Delivery (COD), constituting 80% of Indian e-commerce, and there is ever-increasing demand for international products from authorised distributors compared with in-country supply. These are some of the aspects of e-commerce that are unique to India (and potentially to other developing countries).

TYPES OF E-COMMERCE FRAUD

  • Credit/Debit Card Frauds

This is the most common type of e-commerce fraud. According to Wikipedia, Credit card fraud is a wide-ranging term for theft and fraud committed using or involving a payment card, such as a credit card or debit card, as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying or to obtain unauthorized funds from an account.[2]

Modus operandi

Credit card frauds are committed in the following ways:

  • An act of criminal deception (misleading with intent) by use of an unauthorized account and/or personal information.
  • Illegal or unauthorized use of an account for personal gain.
  • Misrepresentation of account information to obtain goods and/or services.

Law as Applicable

Under the IT Act, 2000 as amended by the Information Technology (Amendment) Act, 2008, Sections 43(a), 43(b) and 43(g) read with Section 66 are applicable, along with Sections 420, 467, 468 and 471 of the IPC, 1860. The victim can lodge a complaint at the nearest police station, either where the crime was committed or where he comes to know of it. The complainant can also claim compensation up to Rs. 10 lakhs from the banking ombudsman, compensation up to Rs. 5 crores from the adjudicating officer of the state, and compensation above Rs. 5 crores from the civil court of competent jurisdiction. He can also opt for arbitration.

Punishment

If the crime is proved under the IT Act, the accused shall be punished with imprisonment which may extend to three years, or with fine which may extend to five lakh rupees, or both.

As per Section 77-B of the IT Act, 2000 the above offence shall be cognizable and bailable, while if Section 268 of the IPC is applied along with other Sections the said offence is non-cognizable, bailable, non-compoundable and triable by any magistrate.

Case Study

Hotel Le Meridien, Pune case:

A well-known Pune hotel, Le Meridien, was found to have cheated 30 of its customers. When a customer swiped a card to make a payment, the cashier copied the card details and used them to produce duplicate cards with cloned magnetic stripes.

He made 33 duplicate cards and obtained about Rs. 1 crore through them. These were generally cards with higher spending limits, such as gold, platinum, titanium and corporate cards. The fraud was detected when a city bank employee swiped his card, noticed the fraudulent charges and filed a police report. The case shows why magnetic stripes are so weak: everything needed to clone the card is read in a single swipe, which is the reason card schemes moved to EMV chip cards, whose per-transaction cryptograms cannot be copied the same way.

 

ATM Frauds

Card-cloning tricks like the one above are old hat compared with the latest ATM fraud that has taken Bengaluru by storm because of its ingeniously effortless technique.

Modus operandi

Receipts left behind by customers at the ATM are used by fraudsters to commit the crime. The modus operandi required scrupulous precision during execution but was deviously simple in nature.

Phishing

According to Wikipedia, phishing is the attempt to acquire sensitive information such as usernames, passwords and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Phishing is a term used to describe spoofed e-mails and other technical ploys that trick recipients into giving up their personal or their company's confidential information, such as social security numbers, financial account credentials and other identity and security information.

Modus operandi

  • Phishing is like fishing in a lake, but instead of trying to catch fish, phishers try to steal your personal information.
  • They send out e-mails that appear to come from legitimate websites such as eBay, PayPal or banks.
  • These e-mails state that your information needs to be updated or validated and ask you to enter your username and password after clicking a link included in the e-mail.
  • Some e-mails ask you to enter information such as your full name, address, phone number, social security number and credit card number.
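The steps above describe the lure; on the receiving side the same tells can be checked mechanically. The following is an added example, not code from the original article, that scans a constructed phishing e-mail for the classic indicators: a display name that claims a brand while the sender's domain is unrelated, link text showing one domain while the href points to another, links to raw IP addresses, a brand name buried inside a look-alike domain, and wording that asks for credentials. The brand allow-list (`KNOWN_BRANDS`), the phrase list and the two sample messages are assumptions constructed for the example; the registrable-domain helper takes the last two labels and is not a public-suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands the organisation expects mail from and the domains they really send
# from. Constructed allow-list for this example only.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "ebay": {"ebay.com"},
    "icici": {"icicibank.com"},
}

# Phrases typical of credential-harvesting mails (assumed list, extend as needed).
CREDENTIAL_PHRASES = (
    "password", "username", "verify your account", "update your information",
    "validate", "suspended", "cvv", "card number",
)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). A real filter would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _hostname(url):
    """Hostname of a URL or bare domain, lower-cased; '' when there is none."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def analyse_email(raw):
    """Returns a list of human-readable phishing indicators found in a raw message."""
    msg = message_from_string(raw)
    findings = []

    # 1. Display name claims a brand but the address domain is not that brand's.
    display, address = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(address.split("@")[-1]) if "@" in address else ""
    for brand, real_domains in KNOWN_BRANDS.items():
        if brand in display.lower() and sender_domain not in real_domains:
            findings.append(f"display name claims {brand} but From domain is {sender_domain}")

    text = ""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        text += body.lower()
        if ctype != "text/html":
            continue
        collector = _LinkCollector()
        collector.feed(body)
        for href, shown in collector.links:
            host = _hostname(href)
            # 2. Link to a bare IP address: no legitimate merchant does this.
            if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                findings.append(f"link to raw IP address {host}")
            # 3. Visible text looks like a domain but the href goes elsewhere.
            looks_like_domain = re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown)
            shown_host = _hostname(shown) if looks_like_domain else ""
            if shown_host and registrable_domain(shown_host) != registrable_domain(host):
                findings.append(f"link text shows {shown_host} but points to {host}")
            # 4. Brand name inside a domain the brand does not own (paypal.com.evil.example).
            for brand, real_domains in KNOWN_BRANDS.items():
                if brand in host and registrable_domain(host) not in real_domains:
                    findings.append(f"look-alike domain {host} impersonates {brand}")

    # 5. Wording that asks the reader to hand over credentials or card data.
    hits = [p for p in CREDENTIAL_PHRASES if p in text]
    if hits:
        findings.append("asks for credentials: " + ", ".join(hits))
    return findings


# Constructed sample messages (documentation domains and RFC 5737 IP space).
SAMPLE_PHISH = """\
From: PayPal Security <alerts@paypal-verify.example>
To: victim@example.net
Subject: Your account has been suspended
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your PayPal account has been suspended. Please verify your account within 24 hours.</p>
<p><a href="http://paypal.com.secure-login.example/verify">www.paypal.com</a></p>
<p><a href="http://192.0.2.10/update">Update your information</a></p>
</body></html>
"""

SAMPLE_LEGIT = """\
From: eBay <noreply@ebay.com>
To: buyer@example.net
Subject: Your order has shipped
Content-Type: text/plain; charset=utf-8

Your order has shipped. Track it at https://www.ebay.com/track
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyse_email(sample) or ["no indicators"])
```

Each finding is a separate, explainable string so that a mail gateway can log it or show it to the user; a real filter would combine these with SPF/DKIM/DMARC results on the `From` domain, which this example does not check.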

Law as Applicable

Under the IT Act, 2000 as amended by the Information Technology (Amendment) Act, 2008, Section 66-D (cheating by personation using a computer resource) is relevant, and Sections 379 and 420 of the IPC, 1860 are likewise applicable. The victim can lodge a complaint at the nearest police station, either where the crime was committed or where he comes to know of it. He can also claim compensation up to Rs. 10 lakhs from the banking ombudsman, compensation up to Rs. 5 crores from the adjudicating officer of the state, and compensation above Rs. 5 crores from the civil court of the applicable jurisdiction. He can likewise opt for arbitration.

Punishment

If the crime is proved under the IT Act, the accused shall be punished with imprisonment which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.

As per Section 77-B of the IT Act, 2000 the above offence shall be cognizable and bailable, while if Section 268 of the IPC is applied along with other Sections the said offence is non-cognizable, bailable, non-compoundable and triable by any magistrate.

Case Study

Shri Umashankar Sivasubramaniam v. ICICI Bank [5] (Petition No. 2462/2008): In this case a customer of ICICI Bank, Mr. Umashankar Sivasubramaniam, lost Rs. 6.46 lakhs through phishing. In September 2007 he received an e-mail purporting to come from ICICI, asking him to reply with his internet banking username and password or else his account would cease to exist. After he replied to this mail, he saw a transfer of Rs. 6.46 lakhs from his account to that of a company, which withdrew Rs. 4.6 lakhs from an ICICI branch in Mumbai and retained the balance in its account.

On 12 April 2010 the adjudicating officer of Tamil Nadu, Sri P.W.C. Davidar, pronounced a landmark judgment on the complaint lodged with him under the ITA 2000 and directed the bank to pay the customer the amount fraudulently transferred in the phishing transaction, along with expenses and interest, amounting to a total of Rs. 12.85 lakhs.

419 Scams or Nigerian Scams

This scam is also referred to as a "Nigerian letter" because large-scale use of the 419 fraud first began in that country. In fact, Section 419 of the Nigerian Criminal Code deals with obtaining property by false pretences, which is exactly what advance-fee fraud is about [6].

Cybersquatting

Cybersquatting is a major problem in cyberspace today and the most significant type of domain name dispute around the world. It is the practice of registering a domain name that is the same as, or confusingly similar to, the trademark or name of an existing company, with the intention of selling the name back to that business at a profit when it wants to set up its own website. Many companies such as Tata, Bennett & Coleman and McDonald's were among the first victims of cybersquatting.

The Delhi High Court in Manish Vij v. Indra Chugh, AIR 2002 Delhi 243, 97 (2002), defined cybersquatting as "an act of obtaining fraudulent registration with intent to sell the domain name to the lawful owner of the name at a premium".

Case Study

The first case in India on cybersquatting was Yahoo Inc. v. Akash Arora & Anr. (1999 PTC (19) 201) [7]. The defendant launched a website nearly identical to the plaintiff's well-known website and offered similar services under the domain name YahooIndia.com. The court ruled in favour of the trademark rights of the U.S.-based plaintiff, Yahoo Inc., observing that the defendant was trying to trade on the fame of Yahoo's trademark. The court added that a domain name registrant does not obtain any legal right to use a particular domain name simply by registering it; he can still be liable for trademark infringement.

Hacking

Under the Information Technology (Amendment) Act, 2008, Section 43(a) read with Section 66 is applicable, and Sections 379 and 406 of the Indian Penal Code, 1860 are also applicable. If the crime is proved under the IT Act, the accused shall be punished with imprisonment which may extend to three years, or with fine which may extend to five lakh rupees, or both. (The 2008 amendment dropped the word "hacking" from the IT Act; the conduct is now charged under Section 66 as a "computer related offence".)

As per Section 77-B of the IT Act, 2000 the above offence shall be cognizable and bailable, while if Section 379 of the IPC is applied along with other Sections the said offence is cognizable, non-bailable, compoundable with the permission of the court before which the prosecution of such offence is pending, and triable by any magistrate.

Modus operandi

Planting malicious software such as Trojan horses, spyware and keyloggers on a computer constitutes hacking. Through it the attacker gains access to the computer and steals information such as passwords and credit card numbers entered while shopping online.

 

Online Shopping and auction fraud

As the popularity of internet shopping and online auctions grows, so the number of complaints about transactions is increasing. Some of the most common complaints involve:

  • buyers receiving goods late, or not at all
  • sellers not receiving payment
  • buyers receiving goods that are either less valuable than those advertised or significantly different from the original description
  • failure to disclose relevant information about a product or the terms of sale.

 

Vishing (Voice Phishing)

Voice phishing is the criminal practice of using social engineering over the telephone system to gain access to private personal and financial information from the public for financial gain. It is commonly referred to as "vishing", a word formed from voice and phishing.

Vishing frequently uses IP-based voice technologies (Voice over Internet Protocol, or VoIP), which make it cheap to place large numbers of calls and easy to spoof the caller ID.

Vishing is commonly used to steal credit card numbers or other information used in identity theft schemes.

Modus operandi

There are various means by which a vishing attack can be initiated (for example Internet e-mail, mobile text messaging, voicemail or a direct phone call), depending on the type of information to be gathered. The most commonly used method is the direct phone call. The steps involved are:

  • The criminal gathers mobile phone numbers from a particular region, or steals them after gaining access to a legitimate voice messaging company.
  • The criminal uses a war dialler to call the phone numbers of people from a specific region, working from the gathered list of numbers.
  • When the victim answers, an automated recorded message warns that his/her bank or credit card account has seen fraudulent activity. The message instructs the victim to call a phone number immediately. The same number is often displayed in the spoofed caller ID, under the name of the financial company the criminal is pretending to represent.
  • When the victim calls the provided number, he/she is given automated instructions to enter his/her credit card number or bank account details on the phone keypad.
  • Once the victim enters these details, the criminal (the visher) has what is needed to make fraudulent use of the card or to access the account.
  • Such calls are often used to harvest additional details such as date of birth and credit card expiry date.

 

SECURITY MEASURES

With the rapid growth of business models and technologies, customers have a wide choice of schemes and services, and the Internet acts as a catalyst in promoting such services and making them accessible. Growth in technology therefore needs a secure system that ensures confidentiality and integrity. The current policies relating to cyber crime are not sufficient to meet these demands, so a more developed and secure system is needed to create a safe environment, and that system must work at all three important points: the customer, the communication channel and the merchant.

The types of risk resulting from inadequate security are:

  • At the server (merchant) end: vulnerabilities such as bugs or misconfiguration in the web server that can lead to the theft of confidential documents.
  • At the customer end: vulnerabilities in the connection the customer uses for e-commerce, and risks on the browser side, i.e. breach of the user's privacy, damage to the user's system, crashing the browser, etc.
  • On the communication channel: interception of data sent from browser to server or vice versa.

Customers (clients) need to be sure that:

  • They are communicating with the correct server.
  • What they send is delivered unmodified.
  • They can prove that they sent the message.
  • Only the author could have written the message.
  • They acknowledge receipt of the message.

All of the concerns listed above can be resolved using some combination of cryptographic methods and certificates.

Vendors (server/merchant) need to be sure that:

  • They are communicating with the right client
  • The content of the received message is correct.
  • The identity of the author is unmistakable.
  • Only the author could have written the message.
  • They acknowledge receipt of the message.

E-commerce security is the protection of e-commerce assets from unauthorized access, use, alteration or destruction. It has six dimensions:

  1. Integrity
  2. Privacy
  3. Confidentiality
  4. Non-repudiation
  5. Authenticity
  6. Availability

 

Security measures at the different phases of an electronic commerce transaction:

E-commerce transaction phase    Security measures
Information phase               Confidentiality, access control, integrity checks
Negotiation phase               Secure contract information, digital signatures
Payment phase                   Encryption
Delivery phase                  Secure delivery, integrity checks

On the basis of the case studies above, the following security measures should be followed to secure e-commerce against fraud.

  • Encrypted protocols: E-commerce software should work with Secure Electronic Transaction (SET) or Secure Sockets Layer (SSL) technology to encrypt data transmissions across the Internet. SSL has since been superseded by Transport Layer Security (TLS); every SSL version is deprecated and should be disabled on merchant servers in favour of TLS 1.2 or later.

 

  • Certificate to prove the vendor's identity: When a browser connects to a merchant over HTTPS, the site presents a digital certificate, issued by a trusted certificate authority, that binds the site's domain name to its public key; the browser verifies that certificate before the secure session is established. Buyers may in turn obtain personal (client) certificates to prove their own identity to a web site. Certificates bind identity, authority, public key and other information to a user.
  • Confidential and authenticated service: E-commerce businesses must use a service that provides both confidentiality and authentication, such as PGP (Pretty Good Privacy), which provides not only confidentiality and authentication but also compression, e-mail compatibility and segmentation. Authentication is provided by a digital signature: the message is hashed and the hash is signed with the sender's private key, so anyone holding the public key can check both who sent the message and that it has not changed. SHA-1 with RSA was the traditional combination, but SHA-1 collisions are now practical and SHA-256 or stronger should be used. Confidentiality is provided by encrypting the message, whether it is transmitted or stored locally as a file.

 

  • Adding 3-D Secure: 3-D Secure (Three-Domain Secure) is a security protocol for preventing fraud in online credit and debit card transactions. Offered by the card schemes (Visa's Verified by Visa, Mastercard SecureCode and their successors), it confirms that the customer really is the cardholder by having the card issuer authenticate the customer during checkout: the original version relied on a password the cardholder assigned to the card, while 3-D Secure 2 uses risk-based analysis and one-time passcodes. This extra layer not only protects the e-commerce store from fraud but also shifts liability for fraudulent chargebacks on authenticated transactions from the merchant to the issuer, and reassures customers that their card cannot be used without them.

 

  • Maintaining privacy: Customers have a right to privacy, and vendors must maintain it. Privacy is debated in law, politics, philosophy, sociology and, more recently, computer science. In today's scenario customer information such as credit card details, bank account details and personal details is sold on from the vendor's end, and privacy is violated.

 

  • Protection of the communication channel: The communication channel must be protected from attackers who try to intercept traffic and steal sensitive information. Encryption algorithms such as AES, protocols such as TLS (HTTPS) and digital signatures can be used to secure the channel.

 

  • Shop at secure web sites: Secure sites use encryption so that attackers cannot read information such as credit card and customer details while it travels from your computer to the online merchant's computer.

How to check whether a website is secure: look at the address bar; if the address begins with https:// and the padlock next to it is closed, the connection is encrypted and the certificate matches the domain name shown. That is all it proves. A phishing site can obtain a certificate for its own look-alike domain just as easily, so also check that the domain name itself is the merchant's genuine one before entering any details.

 

  • Research the website before you order: Always do some research before you order, and deal with familiar merchant sites.

 

  • What's safest: credit cards, debit cards, cash or cheques? The safest way to shop on the Internet is with a credit card. In the United States, if something goes wrong you are protected under the Federal Fair Credit Billing Act: you have the right to dispute charges on your credit card, you can withhold payment during the card issuer's investigation, and once it is determined that your card was used without authorisation you are liable for at most the first $50 in charges, which you are rarely asked to pay. In India the Reserve Bank of India's July 2017 circular on limiting customer liability for unauthorised electronic banking transactions plays a similar role: the customer bears zero liability where the bank is at fault or a third-party breach is reported to the bank within three working days.

 

  • Keep your password long and private: Longer passwords are harder to break, so make them long and use a mixture of digits, lower-case letters, upper-case letters and special characters. Many online shopping sites require the shopper to log in before placing or viewing an order, usually with a username and password. Never reveal your password to anyone, and never reuse a shopping-site password for your e-mail or bank account: a breach at one merchant is otherwise replayed against every other account.

 

  • Don't fall for "phishing" messages: Identity thieves send massive numbers of e-mails to Internet users. Some e-mails sent as part of such phishing expeditions contain links to official-looking web pages; others ask the consumer to download and submit an electronic form. Don't respond to any request for financial information that comes to you in an e-mail.

 

  • Use firewall security at both the vendor's and the customer's end: Many Trojan and virus attacks can be blocked with a firewall. Firewalls monitor traffic coming into the server, and you can set a predefined access control list to allow only approved communication.

 

  • Don't accept any activity you didn't originate: Smartphones are now used for all types of transactions, and one of the most common ways mobile device security is compromised by mobile malware is through user-permitted activity. If you authorise apps to send "push notifications" with activity updates to your device, don't assume they are all legitimate. Cyber criminals may send a notification with a link in the hope that the user will tap it simply to clear it from the screen. With that innocent lapse in judgement, all the information you access and enter on the device becomes exposed.

 

  • Tools for detecting and preventing fraudulent transactions: Merchants should adopt a proper fraud detection and prevention mechanism. Fraud management can include automated transactional risk scoring, real-time categorisation and resolution, post-purchase transaction management, adjusting fraud rules and parameters, and keeping up with the latest threats.
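Automated transactional risk scoring, the first item in that list, is in its simplest form a set of rules applied to each order before it is sent to the gateway. The following is an added example (not the article's or any vendor's code) that scores constructed orders on card velocity, billing/shipping country mismatch, an unusually large amount, a disposable e-mail domain, and many different cards arriving from one IP address (card testing). The weights, the thresholds, the disposable-domain list and the sample orders are assumptions chosen for the example; the card is identified by a gateway token or hash, never by the card number itself.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Transaction:
    order_id: str
    ts: datetime
    card_token: str        # gateway token or hash of the PAN; the PAN itself is never kept
    amount: float
    ip: str
    billing_country: str
    shipping_country: str
    email: str


@dataclass
class RiskResult:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def decision(self):
        # Thresholds are assumptions for the example; tune them against real chargeback data.
        if self.score >= 60:
            return "reject"
        if self.score >= 30:
            return "review"
        return "approve"


DISPOSABLE_DOMAINS = {"mailinator.com", "tempmail.example"}   # assumed list


class RiskScorer:
    """Stateful rule engine: remembers earlier orders so velocity rules can fire."""

    def __init__(self, window=timedelta(hours=1), velocity_limit=3, high_amount=20000.0):
        self.window = window
        self.velocity_limit = velocity_limit
        self.high_amount = high_amount
        self._card_times = defaultdict(list)   # card_token -> timestamps of past orders
        self._ip_cards = defaultdict(set)      # ip -> distinct card tokens seen from it

    def score(self, tx):
        result = RiskResult()

        def hit(points, reason):
            result.score += points
            result.reasons.append(reason)

        recent = [t for t in self._card_times[tx.card_token] if tx.ts - t <= self.window]
        if len(recent) + 1 > self.velocity_limit:
            hit(40, f"{len(recent) + 1} orders on one card within {self.window}")
        if tx.billing_country != tx.shipping_country:
            hit(25, f"billing {tx.billing_country} but shipping {tx.shipping_country}")
        if tx.amount >= self.high_amount:
            hit(20, f"amount {tx.amount:.2f} at or above {self.high_amount:.2f}")
        if tx.email.rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            hit(15, "disposable e-mail domain")
        cards_from_ip = self._ip_cards[tx.ip] | {tx.card_token}
        if len(cards_from_ip) >= 3:
            hit(50, f"{len(cards_from_ip)} different cards from {tx.ip} (card testing)")

        # Record the order only after scoring so it does not count against itself twice.
        self._card_times[tx.card_token].append(tx.ts)
        self._ip_cards[tx.ip].add(tx.card_token)
        return result


def score_orders(orders):
    """Runs every order through one scorer in time order; returns order_id -> decision."""
    scorer = RiskScorer()
    return {tx.order_id: scorer.score(tx).decision for tx in sorted(orders, key=lambda t: t.ts)}


# Constructed sample orders (RFC 5737 addresses, fictitious tokens and e-mails).
_T0 = datetime(2024, 1, 15, 10, 0)
SAMPLE_ORDERS = [
    Transaction("o1", _T0, "tok-a", 1500.0, "203.0.113.5", "IN", "IN", "ravi@example.com"),
    Transaction("o2", _T0 + timedelta(minutes=3), "tok-b", 42000.0, "203.0.113.9", "IN", "IN", "meena@example.com"),
    Transaction("o3", _T0 + timedelta(minutes=5), "tok-c", 3200.0, "198.51.100.7", "IN", "RU", "x1@mailinator.com"),
    Transaction("o4", _T0 + timedelta(minutes=6), "tok-d", 3200.0, "198.51.100.7", "IN", "IN", "x2@mailinator.com"),
    Transaction("o5", _T0 + timedelta(minutes=7), "tok-e", 3200.0, "198.51.100.7", "IN", "IN", "x3@mailinator.com"),
    Transaction("o6", _T0 + timedelta(minutes=10), "tok-a", 900.0, "203.0.113.5", "IN", "IN", "ravi@example.com"),
    Transaction("o7", _T0 + timedelta(minutes=12), "tok-a", 900.0, "203.0.113.5", "IN", "IN", "ravi@example.com"),
    Transaction("o8", _T0 + timedelta(minutes=14), "tok-a", 900.0, "203.0.113.5", "IN", "GB", "ravi@example.com"),
]

if __name__ == "__main__":
    for order_id, decision in score_orders(SAMPLE_ORDERS).items():
        print(order_id, decision)
```

Two things are worth noticing in the sample run: the third card from the same IP (o5) is rejected even though each order on its own looks modest, which is how card-testing bursts are caught, and the fourth order on one card in a quarter of an hour (o8) only tips into "reject" when combined with a shipping-country mismatch, so single rules seldom decide an order on their own.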

PAYMENT GATEWAY

A payment gateway is the service that authorizes credit card payments for online and offline businesses. The payment gateway tells you whether the charge has been approved by the cardholder's bank and submits your charges for settlement. Settlement is where the payment amount is deducted from the customer's credit card account and deposited into your merchant account. The main job of a payment gateway is to validate your customer's credit card details securely, make sure the funds are available for the payment and get you paid.

 

HOW DOES A PAYMENT GATEWAY WORK

Here are the steps of how a payment gateway works in an online shopping environment:

  • A buyer purchases an item and enters a credit card number, the buyer's name and the CVV number on the checkout page.
  • Details about the purchase are sent from the checkout page to the payment gateway for processing.
  • The payment gateway forwards the transaction information to the merchant's bank.
  • The whole channel from the merchant's website to the payment gateway and from the payment gateway to the merchant's bank is encrypted.
  • The merchant's bank forwards the transaction information to the bank that issued the buyer's credit card to authorize the transaction.
  • The issuing bank either approves or denies the transaction and sends that decision back to the merchant's bank.
  • If the transaction is approved, the merchant's bank deposits the funds into the merchant's account at a scheduled time.
  • The payment gateway sends the transaction details and response back to the merchant's website.
  • The merchant's website lets the buyer know whether the transaction was approved or denied.

PAYMENT CARD INDUSTRY DATA SECURITY STANDARD [PCI-DSS]

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment. It applies to essentially any merchant that has a Merchant ID (MID).

SECURITY CONCERNS OVER PAYMENT GATEWAYS

Security is obviously a key concern when taking payments. Make sure you only use a provider that is Level 1 compliant with the Payment Card Industry Data Security Standard (PCI DSS) and that offers built-in security capabilities such as tokenization, so that card numbers never reach or rest on your own systems. The functionality of a payment gateway is segregated across multiple levels of operation, so the threats to its security can also be segregated by level:

Network level: Any security risk in the underlying network infrastructure may lead to compromise of the payment gateway. Therefore ensure that devices and servers are configured properly and that the network perimeter is defended against unauthorized access.

Transaction level: Security concerns at the transaction level include accepting an invalid transaction, for example a zero-amount transaction, a negative-amount transaction or a transaction with invalid details. Hence, before any transaction is accepted for processing, its validity should be checked properly on the server side; a client-side check alone can be bypassed by anyone who submits the request directly.

Application level: This level concerns the coding standard of the payment gateway and is subject to application security risks such as SQL injection, XSS, direct URL access, CSRF, etc. Refer to the OWASP Top 10 list for details.
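The transaction-level checks described above are simple to state but are the ones most often left to the browser. As an added example (not code from the original article or from any gateway), here is a server-side validator for an incoming card transaction: it rejects zero, negative, non-numeric and over-precise amounts, checks the card number with the Luhn algorithm, checks the expiry month and the CVV format, and reports every problem at once so the caller sees the complete picture. Amounts are handled as `Decimal` rather than `float` so that "0.1 + 0.2" style rounding cannot turn a valid amount into an invalid one. The allowed-currency set, the per-transaction ceiling and the sample requests are assumptions made for the example.

```python
import re
from datetime import date
from decimal import Decimal, InvalidOperation

ALLOWED_CURRENCIES = {"INR", "USD", "EUR"}    # assumption: currencies this merchant accepts
MAX_AMOUNT = Decimal("500000.00")             # assumption: per-transaction ceiling


def luhn_valid(pan):
    """Luhn checksum over a digit string. Catches typos and random digits; not a fraud check."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _parse_amount(raw):
    """Decimal from the submitted value, or None when it is not a number at all."""
    try:
        return Decimal(str(raw).strip())
    except InvalidOperation:
        return None


def validate_transaction(tx, today):
    """Returns a list of validation errors; an empty list means the request may proceed."""
    errors = []
    amount = _parse_amount(tx.get("amount", ""))
    if amount is None or not amount.is_finite():       # rejects "abc", "NaN", "Infinity"
        errors.append("amount is not a finite number")
    else:
        if amount <= 0:
            errors.append("amount must be positive")
        if amount.as_tuple().exponent < -2:
            errors.append("amount has more than two decimal places")
        if amount > MAX_AMOUNT:
            errors.append("amount exceeds per-transaction limit")
    if tx.get("currency") not in ALLOWED_CURRENCIES:
        errors.append("unsupported currency")
    if not luhn_valid(str(tx.get("pan", ""))):
        errors.append("card number fails Luhn check")
    m = re.fullmatch(r"(0[1-9]|1[0-2])/(\d{2})", str(tx.get("expiry", "")))
    if not m:
        errors.append("expiry must be MM/YY")
    elif (2000 + int(m.group(2)), int(m.group(1))) < (today.year, today.month):
        errors.append("card expired")                  # valid through the end of the expiry month
    if not re.fullmatch(r"\d{3,4}", str(tx.get("cvv", ""))):
        errors.append("cvv must be 3 or 4 digits")
    return errors


# Constructed sample requests; 4111111111111111 is the standard Visa test number.
_GOOD = {"amount": "499.00", "currency": "INR", "pan": "4111111111111111", "expiry": "12/30", "cvv": "123"}
SAMPLE_REQUESTS = {
    "valid": dict(_GOOD),
    "zero_amount": {**_GOOD, "amount": "0"},
    "negative_amount": {**_GOOD, "amount": "-10.00"},
    "not_a_number": {**_GOOD, "amount": "NaN"},
    "over_precise": {**_GOOD, "amount": "4.999"},
    "bad_luhn": {**_GOOD, "pan": "4111111111111112"},
    "expired": {**_GOOD, "expiry": "01/20"},
    "bad_cvv": {**_GOOD, "cvv": "12a"},
}


def validate_samples(today=date(2024, 6, 1)):
    """Validates every sample request against a fixed date; returns name -> list of errors."""
    return {name: validate_transaction(req, today) for name, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, errors in validate_samples().items():
        print(f"{name:16s} {errors or 'OK'}")
```

Run these checks before the request reaches the processor, and never write the card number or CVV to logs or error messages while doing so; under PCI DSS the CVV may not be stored at all after authorisation, and the card number should be replaced by the gateway's token as early as possible.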

 

CONCLUSION

As India is one of the biggest platforms for e-commerce, emerging demand has made it a consumer market. All the big industries are investing in India for their benefit, which has positive and negative aspects. The positive aspects include ease of access, wide availability, range of products and choice. People want better services and offers, and every industry competes for a hold on the market. But as every coin has two sides, people are also using this platform to cheat and profit in the wrong ways. Frauds are increasing rapidly; scams, vishing and hacking are by-products of technology. It is easy to fool someone by showing them what they desire, and that desire makes people vulnerable. This will go on increasing if it is not handled. People should be aware of the scams, frauds and crimes taking place. Companies are making policies for secure communication, but the key factor is awareness. We need to make a change and start campaigns to raise awareness in different geographical regions. Education in law at the school level and moral education are necessary: not only making people aware of these crimes, but reducing crime by teaching ethics and morals. Remember, nobody is born a criminal.
