IDENTITY THEFT IN CYBER SPACE

IDENTITY THEFT IN CYBER SPACE

                                                Cyberspace is a giant neighborhood made up of networked computer users around the world, then it seems natural that many elements of traditional society can be found taking shape as bits and bytes. The broadness of the computer crimes through Internet is still not a subject studied or researched elaborately in India. The judiciary, investigating agency and the prosecuting agency in India must have knowledge about the Cyber laws, Cyber crimes, Internet scams, other internet crimes and about the Internet communications and computer systems. Now it has become essential that an IT technician must be a part of the Cyber criminal investigating system in India. In the place of deposition of witnesses computer screens will furnish evidence to the Investigator and to the court. All most all the states in India started functioning their own separate Cyber crime units and there is indication that the cyber crimes are increasing in the country.

Internet world

The Internet has proved to be one of the powerful inventions of the twentieth century. The Internet is people, plain and simple, without regard to age, sex, race, creed, life style, language, handicap, religious affiliations, political associations, country of origin, or any other discriminatory or qualifying requirements.

The Internet is a world within itself; it is a virtual community of hundreds of millions of citizens from every corner of the planet. Never before in the history of mankind have so many people gathered together in one place. This new world community has created the need for a whole new way of thinking.

Traditional land based rules can never apply in such a complex and diverse environment. One nation's laws cannot be applied to another nation's citizens.  New internationally accepted standards must be enacted. Business practices must be completely re-thought   and new methods must be developed to survive in the international market place. A whole new world has opened up and new traditions must be established to replace the old. So is a new world of cyber crimes opened by cyber criminals.

The traditional crimes like conspiracy, fraud of securities, fraud in banking, appropriation of fund with the aid of bogus and forged negotiable instruments, espionage, misappropriation of fund etc. can be committed through Internet.

The Internet is global matrix of interconnected computer networks using the Internet Protocol (IP) to communicate with each other. According to static’s provided in 1997 there are 12 million total users (34,000 new users per day), in 1998 that has increased to 85 million total users (200,000 new users per day), in 1999 it gone up to 370 million (811,000 new users every day). By the completion of the millennium, it is estimated that the number of users of Internet would have crossed 900 million (1,726,000 new users per day).

What is identity theft?

             Identity theft or identity fraud (true name fraud) is the taking of the victim’s identity to obtain credit, credit cards from banks and retailers, steal money from the victim’s existing accounts, apply for loans, establish accounts with utility companies, rent an apartment, file bankruptcy or obtain a job using the victim’s name. The Impersonator steals thousands of rupees in the victim’s name without the victim even knowing about it for months or even years. Recently criminals have been using the victim’s identity to commit crimes ranging from traffic violations to grave crimes. Lots of places have knowledge about ones identity. – For example: personal doctor, accountant, lawyer, dentist, school, place of work, health insurance and many others have ones identity information. If some criminally minded person is working at the office (or just visiting) decides to use this information to assume a persons identity, he would not know it.

            It is easy to impersonate another if the information’s about the victim are ready.  In some case all that is needed is the date of birth and other identifying information such as address and phone numbers and whatever else they can find out about him. With this information, and a false driver’s license with their own picture, they can begin the crime. They often provide an address of their own, claiming to have moved. Negligent credit grantors in their rush to issue credit do not verify information or addresses. So once the imposter opens the first account, they use this new account along with the other identifiers to add to their credibility. This facilitates the proliferation of the fraud. Now the thief is well on his/her way to getting rich and ruining another persons credit and good name. You will need a report to clean up the credit mess.

As soon as a person is made aware of the fraud he must immediately note the fraud in accounts, put a fraud alert on his credit profile, and contact l the police in the country where the fraud occurs. One may not be able to stop the fraud immediately. It is very complex. But this will get him started.

Identity Theft occurs when someone wrongfully uses another person’s identification to obtain credit, loans, services, even rentals and mortgages in his name. This type of crime is common in bank business field. The sureties/guarantors are usually impersonated for the purpose of the loan. The salary certificate of the employees are also personated for loan. Identity Theft is a frightening and overwhelming experience if it does happen to any body. He may not know it is happening for months or years! 

Identity theft is one of the fastest growing crimes in both the United States and world-wide. According to a U.S. Secret Service estimate, consumers across the country lose $750 million per year through identity theft. Each victim, according to the Identity Theft Resource Center, can expect to spend $1000 and an average of over six hundred hours to clear their name in the credit records. United States of America has enacted Identity Theft and Assumption Deterrence Act of 1998  in order to make identity theft a crime.

Identity Theft and Assumption Deterrence Act, 1998

The Identity Theft and Assumption Deterrence Act of 1998, which became effective October 30, 1998, makes identity theft a Federal crime with penalties up to 15 years imprisonment and a maximum fine of $250,000. It establishes that the person whose identity was stolen is a true victim. Previously, only the credit grantors who suffered monetary losses were considered victims. This legislation enables the Secret Service, the Federal Bureau of Investigation, and other law enforcement agencies to combat this crime. It allows for the identity theft victim to seek restitution if there is a conviction. It also establishes the Federal Trade Commission as a central agency to act as a clearinghouse for complaints, (against credit reporting agencies and credit grantors) referrals, and resources for assistance for victims of identity theft. This statute may serve as a model for your state to enact similar legislation. It should also provide you leverage to influence law enforcement to investigate your case.

Combating Cyber crime and law & enforcement in India

The computer crime or an e-crime can be simply defined as a crime where a computer is the target of a crime or it is the means adopted to commit a crime. While some of the crimes may be new, the others are simply different ways to commit conventional crimes such as frauds, theft, blackmailing, forgery, and embezzlement using the online medium often involving the use of internet.

The Information Technology Act, 2000 came into force in India on 17th of October 2000. It extends to whole of India and also applies to any offence or contraventions committed outside India by any person (Section 1 (2), IT Act,2000). According to Section 75 of the Act, the Act applies to any offence or contravention committed outside India by any person irrespective of his nationality, if such act involves a computer, computer system or network located in India. The IT Act prescribes provisions for contraventions in Chapter IX of the Act, particularly Section 43 of the Act, which covers unauthorized access, downloading , introduction of virus, denial of access and internet time theft committed by any person. It prescribes punishment by way of damages not exceeding Rs. 1 crore to the affected party. Chapter XI of the IT Act discusses the cyber crimes and offences interalia, tampering with computer source documents (Sec. 65), Hacking (Sec.66), Publishing of obscene information (Sec.67), Unauthorized access to protected system (Sec.70), Breach of confidentiality (Sec.72), Publishing false digital signature certificate (Sec.73).

One of the first cases where the accused was convicted under the IT Act provisions was the case of State of Tamilnadu V. Suhas Kutty. The case related to posting of obscene massage about a divorcee woman in the yahoo massage group. The accused was found guilty and convicted for offence under section 469 and 504 of IPC and Section 67 of the IT Act.

The IT Act, 2000 does not have any specific provision to deal with Identity theft. The expert committee on amendments to IT Act, 2000 has recommended certain amendments in this context. This report does discuss and recommend insertion of amendment to tackle child pornography, theft of confidential information (insertion of sec. 43(2)), gradation of severity of computer related offences under Section 66 committed dishonestly & fraudulently and Section 72(3) to deal with the problem video-voyeurism. However, this report does not deal with some other rampant problems, for instance, Spamming.

The non-stop calls from tele-callers for insurance, investments etc are also a part of this grave offence of identity theft by some reputed telephone companies. For example if a company buy name A is taking all the details of B and providing a connection immediately after that there comes calls from various agencies to this phone number for canvassing investments and insurance. This is possible by stealing the identity of the telephone consumer from the mobile company. This is an example of identity theft in our day today life.

Coming back to Indian situations to counter identity theft and fraud in India, the government must focus on three areas:—                   

1. Legislating specific provisions to counter identity theft

An Expert Committee on Amendments to the IT Act 2000 (whose report is presently under consideration by the government for adoption) has recommended amending the Indian Penal Code (IPC) by inserting in it two new sections: section 417A which prescribes punishment of up to 3 years imprisonment and fine for 'cheating by using any unique identification feature of any other person'; and section 419A that prescribes punishment of up to 5 years imprisonment and fine for 'cheating by impersonation' using a network or computer resource.

The IT Act 2000 in its present form does not have any specific provision to deal with identity theft. The proposed Sections 417A and 419A comprehensively cover identity theft and their incorporation into the IPC would place India amongst the handful of countries to have specific provisions to counter the scourge of identity theft.

After Section 417, the following section shall be inserted, namely:-

Punishment for cheating using digital signature of another person

“417A            Whoever, cheats by using the digital signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also liable to fine.”

After section 419, following section shall be inserted, namely: -

Punishment for cheating by impersonation using communication network or computer resource:

“419A Whoever, by means of any communication network or computer resource, cheats by personation shall be punished with imprisonment of either description for a term which may extend to five years and shall also liable to fine.

Explanation:- the expression “computer resource” shall have the meaning assigned to it in clause (m) of sub-section (1) of section 2 of the Information Technology Act, 2000,”

Vide Information Technology Act Amendment 2006 a new section was inserted in the Criminal Procedure code. In the Code of Criminal Procedure 1973  a new section 198 B was inserted after 198A, namely:  198B: No Court shall take cognizance of an offence punishable under sections 417A, 419A and 502 A of the Indian Penal Code, except upon a complaint made by the person aggrieved by the offence

2. Enabling flow of information from credit bureaus to consumers

 In many cases victims discover the identity fraud perpetrated on them only when they receive their bills. The time gap between the commission of fraud and discovery may be too large to trace the impersonator. To proactively counter identity theft the consumers should have a means of being kept informed about any significant changes in their credit accounts as soon as possible. The government should bring into force provisions that would require credit bureaus like the Credit Information Bureau (India) Ltd to inform consumers in case of any significant change in their credit account status. In the US the Fair and Accurate Credit Transactions Act (FACTA) achieves this objective, and is considered as a potent anti-identity theft measure.

3. Implementing an identity fraud alert registry.

In case of suspected identity theft, consumers require a way to inform financial institutions and credit bureaus to watch out for possible identity frauds. Likewise, companies holding customer credit card information when breached would require a means to inform financial institutions and credit bureaus to flag the breached credit card numbers for possible misuse. Such requirements entail setting up of a national fraud alert registry that can be updated directly by consumers/companies. Credit bureaus and financial institutions can take extra precautions in transactions pertaining to those accounts which are flagged in the fraud alert registry.

The NCRB (National Crime Records Bureau) has reported that there were  481 instances of cyber crime in 2005 compared to 347 in 2004 and 471 in 2003. These crimes were registered under the Information Technology Act 2000 and the Indian Penal Code. Cyber Fraud accounted for 61.6 percent (186 of 302) of these and Cyber Forgery, 15.9 percent (48 of 302).

The Central Bureau of Investigation registered nine cases till 31st July, compared to three in 2006, four in 2004 and only one in 2003.

Actual numbers prove elusive considering the fact that a majority of cases go unreported. Most victims, especially corporates, fear negative publicity and downplay things making it hard to paint an accurate picture of cyber crime.

Preventive measures

v     Memorize PIN numbers, passwords and the like-commit them to memory, do not write them down. If you store them, you must encrypt the files.

v     Put passwords on all your accounts and do not use passwords like your maiden name.

v     Never give personal information of any kind-over the telephone or online unless you initiate the contact. Never give out any of your personal information to telemarketers.

v     Do not put your telephone number on your cheques.

v     Get credit cards and business cards with your picture on them. Do not put your credit card account number on the Internet unless it is encrypted on a secure, well known site.

v     Scrutinize your credit card statements every month and check to see if there is anything that you do not recognize and call the bank to verify that the transaction is indeed yours.

v     Use virus protection software always and make sure its updated regularly. Most AV (anti-virus) packages have an option to retrieve updates on a regular basis.

v     Make sure that the operating system is kept up to date with critical patches and hotfixes. Windows XP, for instance, can be set up to automatically download and apply updates.

v     Never open a file, click on a hyperlink, or download a program sent by an unknown company or unrecognized person. Even if the person is recognized and known, always be wary of opening attachments, even if they look okay.

v     Only reveal the personal and financial information through SSL (Secure Sockets Layer). It will be sure when the lock icon shows up in the browser window when the SSL is using. This helps ensure that the information cannot be seen by anyone while its in transit over the internet.

v     Some 95% of stolen laptops are never recovered so never store every thing in the laptop and careful about it.

v     Delete all information on a computer before selling, giving away, or disposing of it. While it may not be practical  consider of  destroying the hard drive. If not practical, consider degaussing or destroying the information contained on the drive.

v     Be careful at ATM's and using Phone Cards. "Shoulder Surfers" can get your "Pin Number" and get access to another persons account.

v     Get all of the cheques delivered to the bank - not to the home address.

v     When ordering a new credit card in the mail watch the calendar to make sure that the card is delivered within the appropriate time. If it is not received by a certain date, call the credit card grantor immediately and find out if the card was sent.

v     Cancel all credit cards that do not use or have not used in 6 months. Thieves use these very easily - open credit is a prime target.

v     Get a post office box or a locked mailbox, for personal use.  Empty your wallet of all extra credit cards and social security numbers, etc. Do not carry any identifiers you do not need. Don't carry your birth certificate or passport, unless necessary.

v     Memorize passwords don’t keep it noted anywhere. 

v     Never give any of the personal information to any body who comes to house .

v     Get credit cards and business cards with the  picture of the owner on them.

v     Do not put the credit card account number on the Internet (unless it is encrypted on a secured site.) Don't put account numbers on the outside of envelopes, or on the cheques.

v     Monitor all the bank statements from every credit card every month. Check to see if there is anything that do not recognize and call the bank  to verify that the genuineness of the cash transaction.

v     Order the credit report at least twice a year. Review it carefully. If there is anything that appears fraudulent, immediately put a fraud alert to the bank and  contact the police.

Adv. K.C. Suresh, Kerala

Suresh_kc@sify.com