Legal aspects of handling cyber frauds

Legal aspects of Handling Cyber Frauds

IT ACT

LEGAL

LAW

LIABILITY

What is a Cyber Crime?

An unlawful act wherein the “Cyberspace” is used either as:-

– a tool or – a target or

– both

“CYBERSPACE”

Cyber Laws

Recent Rules under IT Act

Aims behind enactment

Jurisdiction

Virtual World Population Explosion : 1 Billion

Leading to Changing Face of Crime……

Affecting….

Individuals Governments Organisations

1 Dirty SMS = 3 Years of Jail

Case Study 1

WHY r u sending me DIRTY SMS ?

----------------------Don’t lie UR cell no has flashed on my

screen

SORRY !!! But I don’t know you.

You are lying!!!

Threatening email was sent from this cyber café.

Cyber Café has 100 machines & so many customers.

HOW do I Investigate. ?

1 Threatening Email = 3 Years of Jail

Case Study 2

Accounting Software worth crores is stolen.

Interested in buying Accounting Software at a cheap cost ?

Call 100-999-9999-22Location :India

SALE!! SALE !! SALE!!Accounting Software

Location: Finland

Case Study 3

Case Study 4

Stake Holders

Fake complaint via E-mailEmployee upset with

management

Demand an Immediate Demand an Immediate Explanation ?????Explanation ?????

Case Study 5

LOSS LOSS LOSS ?????I am losing all my tenders.

SERVER

CRIME SERVERCRIME SERVER

Scenario at the officeScenario at the office

Where is the evidence ?

Mobile Tower / Phones

Finland OR Indian Server

Cloud

Internet

How to Investigate ?

Employees / People

How to PROVE the CRIME?

How to decipher 010101 ?Can I submit the media in Court ?

VEXING Questions

Forensics is the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. (The word forensics means “to bring to the court.” )

Computer Forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law.

Source : http://www.us-cert.gov/reading_room/forensics.pdf

Forensics & Computer Forensics

Digital Evidence

Digital evidence is information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired when data or electronic devices are seized and secured for examination.

Computer Forensics process

Subjected To

Storage MediaDIGITAL EVIDENCE

Acquires

Sample illustration

May be found in:

Can be hidden in:

Can relate to :

Digital Evidence

Office Setup

Cyber Cafe

Home PC

Scene of Acquisition

Computer Forensics process would involve…..

Forensic analysis of digital information

Identifying network computer

intrusion evidence

Identifying & examining malicious files.

Employing techniques to crack file & system

passwords.

Detecting steganography

Recovering deleted, fragmented & corrupted

data

Maintaining evidencecustody procedures

Courtroom Presentation

Steps in Computer Forensics

1.Identification of Digital Evidence

2.Acquisition of Media

3.Forensic Analysis of Media

4.Documentation & Reporting

THE A TEAM

Domain Expert

Computer Forensics expert

Forensics Accounting expert

Software expert

Lawyer

Acquisition of Media

Authenticate the confiscated media

Hash value of the suspect

media

Hash value of the cloned image file

If acquisition hash equals verification hash, image is authentic.

SHA 1/256

DOCUMENTATION….

Documentation & Reporting

Broad outline of Computer Forensic Report

1.Introduction to the case

2.Background of the issue

3.Details of forensic analysis carried out

4.Certification

Evidence Forms

A detailed sheet about each evidence item

Item serial number Item detailed description

Type Make Model Date and time collected Notes Any serial numbers, labels

Chain of Custody

The movement and location of physical evidence from the time it is obtained until the time it is presented in court

Logs all evidence moves HANDED BY HANDED TO DATE & TIME Item serial number Reason

Creating an Image of Media

Image is a bit-for-bit copy of the original

If a disk has 5000 sectors, then the image created will have an exact copy of all 5000 sectors in the same order

Media (evidence) must be protected from accidental writes / alterations

Hard disk (media)Write-blocker

Device Imaging workstation

Write blockers & alternatives

Write-blocker is a device that sits in between the computer and the media

Blocks all write commandsLets through all read commands

Prevents accidental alteration / deletion / addition or data

Alternatives include using a forensic live boot CD or a drive duplicator

Indian Evidence Act

Sec. 3 (a) – Scope of definition of evidence

expanded to include electronic records

Sec. 65B - Admissibility of electronic records

The person owning or in-charge of the computer

from which the evidence is taken has to give

certificate as to the genuineness of electronic

record.

INDIAN EVIDENCE ACT

Sec. 88A - Presumption as to electronic messages

The Court may presume that an electronic message

forwarded by the originator through an electronic mail

server to the addressee to whom the message

purports to be addressed corresponds with the

message as fed into his computer for transmission; but

the Court shall not make any presumption as to the

person by whom such message was sent.

INDIAN EVIDENCE ACT

The Information Technology Act Sec. 79A - Central Government to notify

Examiner of Electronic Evidence

The Central Government may, for the purposes of providing expert opinion on electronic evidence before any court or other authority specify, by notification in the Official Gazette, any Department, body or agency of the Central Government or a State Government as an Examiner of Electronic Evidence

CIVIL OFFENCES

Section 43

Unauthorised Access Remedy – Damages by the way of compensation Amount – Unlimited What needs to be proved – Amount of damages

suffered

Adjudication

Shri. Thomas Raju Vs ICICI Bank

Case decided by – the Adjudicating officer, Government of Tamilnadu Petitioner suffered a loss of Rs. 1,62,800/- as a result of the phishing

attack Amount was supposed to have been transferred on the account of

another customer of ICICI Bank Petitioner claimed that he had suffered a loss due to unauthorised access

to his account Petitioner further claimed that he had suffered a loss as bank has failed

to establish a due diligence and in providing adequate checks and safeguards to prevent unauthorised access into his account. Bank had also not adhered to the KYC norms given by the RBI.

Section 66

Removal of definition of “hacking”

Section renamed as Computer related offences

All the acts referred under Section 43, are covered

u/Sec. 66 if they are done “dishonestly” or

“fraudulently”

Section 43(A) – Compensation for failure toprotect data

If body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person

Liability – Damages by the way of Compensation

HSBC - Nadeem Kashmiri case

Based on complaints from customers - HSBC carried internal investigation - registers case

Involvement of Call centre employee (Nadeem Kashmiri)

He was arrested U/Sec. 66 & 72

HSBC also sued Call centre for the loss

Who is liable?

Issues

What is Sensitive Personal Information?

What are Reasonable Security Practices and Procedures?

SENSITIVEPERSONAL DATA OR INFORMATION

Rule 8 - Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011.

Reasonable Security Practices

Auditing

COMPLIANCE POLICIES

Collection of Information

Rule 5 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Collection of Information

Privacy and Disclosure of Information policy

Rule 4 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Contents of Privacy policy

Disclosure

Rule 6 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Transfer of information

Rule 7 - IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011

Sec 72(A) (Criminal offence)

Punishment for Disclosure of information in breach of

lawful contract -

Knowingly or intentionally disclosing “Personal

Information" in breach of lawful contract

Imprisonment up to 3 years or fine up to 5 lakh or with

both (Cognizable but Bailable)

CRIMINAL OFFENCES

Section 66 A

• Sending of offensive or false messages

• Covers following sent by sms / email:-

grossly offensive messages menacing messages false information sent for causing annoyance, inconvenience, danger, obstruction, insult, injury, criminal intimidation, enmity, hatred or ill will.. phishing, email spoofing, Spam mails, Threat mails

• Punishment – imprisonment upto 3 years and fine

Section 66 B

• Dishonestly receiving stolen computer

resource or communication device

• Covers use of stolen Computers,

mobile phones, SIM Cards, etc

• Punishment – imprisonment upto 3 years

and fine

Section 66 C

• Identity theft

• Fraudulently or dishonestly using someone

else’s electronic signature, password or any

other unique identification feature

• Punishment - imprisonment

upto 3 years and fine

Section 66 D

• Cheating by Personation

• Cheating by pretending to be some other person

• To create an e-mail account, Social networking a/c

on someone else's name

• Punishment – imprisonment upto 3 years and fine

Investigation Powers

Section 78

Cyber crime cases can now be investigated by

Inspector rank police officers (PI)

Earlier such powers were with the “DYSP/ACP”

Sec. 79Liability of Intermediary

Intermediary is not liable for any third party information, data, or

communication link made available or hosted by him –

if his function is limited to providing access to such link

the intermediary does not— initiate the transmission,

select the receiver of the transmission, and

select or modify the information contained in the transmission;

Sec. 79Liability of Intermediary

Observing due diligence –

The Information Technology (Intermediaries guidelines) Rules, 2011

Compounding of Offences

Section 77 (A)

Compounding – “Out of court settlement”

Offences -

for which less than three years imprisonment

has been provided and

Which are not committed against women or children

can be compounded

Issues

Possible Solutions