The present research article describes the most traditional methods of today’s mass marketing of financial crimes such as fraud. Digital banking is now used daily to check account data, make purchases, pay bills, transfer funds, print statements, etc. Online fraud is a crime committed through online software to illegally allocate funds from the account of both a bank and a payment system and/or transfer funds to another bank account. Banks are not so much targeted in today’s world, there is a lot of money in cyberspace, modern digital systems and data networks.
The main task of this article is to determine the most common forms of online financial crimes, such as “hacking” or intercepting unsolicited electronic transmissions to an interceptor, such as passwords, credit card information, or other types of identity theft. The article discusses the features of legal regulation and the activities of Ukraine to protect citizens from Internet fraud and to avoid Internet scams, phishing and other cyber crimes in the Internet. In this article, we review some of the principles of qualitative data collection, analysis, and strategic planning, in order to help scientists, lawyers, and law students interested in conducting research in their practice continue their education in this area.
The banking system, which operates to ensure price-policy stability, support for the national currency, the organization and operation of the international payment system, has a special place in the international economy. One of the important tasks is to protect bank customers and the majority of people who use Internet banking systems and credit cards from crimes committed in banking areas. This may become a more challenging issue for organized crime, as the Internet remains an important part of our world. Despite widespread awareness of security problems, criminals can still find more victims and find solutions to Internet fraud by using online services as well as network-access software applications.
The extent to which criminals are exploiting digital technology to commit crimes has accelerated. The term cybercrime refers to any type of criminal activity committed through or using information and communication technology (ICT) tools. Cybercrime can occur in conjunction with a variety of related criminal activities, and cyber techniques have spread to the more traditional criminal community, for example, urban gang members purchasing compromised data online. Law enforcement agencies are engaged in developing laws that victims can use to protect their rights. These laws were created to effectively expose the activities of cybercriminals and create a sustainable digital world safe from fraud.
The presented article analyzes the main fraudulent methods of activities carried out using bank payment cards. General fraud includes general fraud (Article 190 of the Criminal Code of Ukraine), fraud with financial resources (Article 222 of the Criminal Code of Ukraine) and others, which are defined in the Criminal Code of Ukraine. Special methods of fraud (computer fraud) carried out using bank payment cards. The main types of bank payment fraud include the following: phishing, the subspecies of which are: mixing and whisking; carding, the subspecies of which are: skimming, shimming; fraud with bank cards in the Internet, the subspecies of which are: fraudulent activities in social networks, pharming; scamming; fraud with bank cards in service sales networks.
There are two main methods of fraud: by deception or through abuse of trust. Fraud committed with the use of bank cards can be committed in active form, when false information causes the victim to have a false impression about the facts, which leads to the victim’s property loss, and in passive form, when the perpetrator does not inform the victim of the facts known to him, which also leads to the victim’s property loss. An essential condition for recognizing fraud committed with the use of bank payment cards or abuse of trust as a sign of fraud is that it is used to take possession of property, even the acquisition of rights to such property by means of a payment card. Therefore, if fraud is used to achieve another goal and does not lead to the direct transfer of property (property rights) by means of a bank payment card, such acts should be considered not fraud but a criminal offense encroaching on property.
Since banks are moving away from branch banking and offering more online applications, online banking fraud has become more popular. Although the type of fraud a criminal chooses does not normally impact on the qualification of his actions in terms of criminal law, however, criminals are more inventive by engaging in illegal activities in modern technologies, causing misunderstanding among victims. All victims are advised to investigate the above fraudulent practices to find out the key characteristics of the behavior. Banks must respond to modern electronic developments, thus security can take manifestations, but usually starts with phishing to obtain customer account information. Account numbers, credit card information can be collected using email and telephone scams. After payment or login details are collected, money can be transferred from the customer’s account.
Direct or indirect fraud are the two major types of electronic fraud, which can be classified nowadays. Direct fraud includes credit/debit card fraud, misappropriation of employees’ funds, money laundering, and targeting. Indirect fraud includes phishing, pharming, hacking, viruses, spam, anticipation fees, and malware. Credit card/debit card fraud and identity theft are specific types of e-fraud that are often used primarily.
These forms involve both identity theft and impersonation (name, Social Insurance Number (SIN), credit card number, or other identifying information) to carry out fraudulent activities. It is the unlawful use of a credit/debit card to wrongfully obtain money or goods without the knowledge of the credit/debit card owner. Identity theft can be done in various ways. Skimming involves stealing information from a credit card during a legitimate transaction, if the customer’s credit card is hidden from view while making the transaction. The scammer will scan the card through an electronic skim device that copies all the magnetic stripe information. Criminals can use advanced methods to extract credit card details, for example, hacking merchants’ databases to get credit card details.
Phishing is one of the most effective means of removing personal data from Internet users and web resources. Google employees conducted a study that examined the sale of online accounts on the black market. They found that the most common cause of personal data leaks is phishing. It turned out that 15% of all users have encountered online fraudsters at least once and lost their account data and even payment card information. And while everyone tries to protect themselves and their users from hackers, it doesn’t always work. More than 800,000 passwords have been lost through keyloggers (software or hardware). It is a device that records various actions of the user – typing on the keyboard computer, mouse movements and keystrokes, etc. Through phishing, attackers stole at least 12 million accounts within 2014-2016.
The main means of a phishing attack is aimed at the weakest link in any modern security system – the person. Not always a bank customer can distinguish the original web address of his bank from a phishing copy, for example, attackers can use it and the fact that in some fonts the lowercase letter ― “i” looks the same as in the capital letter ― “L” (I = l). Such methods allow to deceive the person with the help of similarity to the real link in the email, even clicking on this link (to see the real address) does not help. There are also other means in the arsenal of intruders: from replacing the real IP address with a fake one (for example, in Windows, for this it is enough to edit the hosts file before pharming is a process, secretly referring the victim to the wrong IP address). Not wanting to incur additional costs, phishers focus their attacks on the most popular services – auctions, payment systems, large banks – in the hope that some random spam recipient will have an account there. Thus, we are able to distinguish the following types of phishing attacks: Classic phishing. Phishing emails sent on behalf of known people are actually existing companies and are almost indistinguishable from the emails users usually receive from these companies. The only difference is that they ask for a link to perform some action.
Targeted phishing attack. Personalized phishing emails, aimed at a specific person. Such letters contain the victim’s name, possible position and other personal information. Phishing against top management. Phishing emails are aimed at gaining access to the accounts of the head of the company, CEO, technical directors, etc. After gaining access to such accounts, phishing experts can use them to gain access to other departments, for example, any financial entity to confirm a fraudulent bank transfer to an institution of their choice. Google and Dropbox mail phishing. A relatively new direction of phishing attacks targeted at usernames and passwords to log into cloud data warehouses. Phishing emails with attached files. Phishing lists from virus-containing attachments. Farming. Hidden redirects to a fraudulent site executed by changing the DNS cache on your local computer or network equipment6. Now let’s define the basic methods of combating phishing sites and other types of online fraud.
The first is to create a unique website design for all users. The essence of this method is this: a client, for example, at the time of the contract selects one of the proposed images on a bank or website. Further at the entrance to the bank’s site exactly this image will be shown. If the user does not see what he sees or sees another one, he must leave the fake site and immediately inform the security service. It is alleged that the abusers were not present at the time of signing the contract, they would not be able to guess the correct image and deceive the client. However, in practice this method is not critical. Firstly, in order to show the user his picture, he must first be identified, for example, by the login entered by him on the first page of the bank’s website. It is much more difficult for the attacker to prepare a fake site to find out this information, as well as for the user – to simulate a communication error. Now it is enough to turn on the real server, enter the stolen login and see the correct image.
The next method is to use one-time passwords. Classic passwords are available reusable: the user enters the same password each time without changing it over time when going through authentication procedures. If hacked by an attacker, this password can be used repeatedly without the owner knowing. Unlike traditional one-time passwords, one is used only once, that is, the user enters a new password every time access is requested. Special plastic cards with an applied protective layer are used for this purpose. Each time a bank customer erases the next strip and enters the required one-time password. In all a standard-sized card holds about 100 passwords, which is an intensive use of TV banking services that requires regular media replacement.
More convenient, but also more expensive are special devices – one-time password generators. There are basically two types of this type of construction: one when the current one-time password is displayed on the screen, periodically changing it (for example, every two minutes); and when a new value is generated every time the user clicks the device button. However, being more secure than traditional password authentication, it has a good chance of success for the attacker.
For example, authentication using one-time passwords is not protected from a man-in-the-middle attack. Its essence is to “wedging” in the exchange of information between the user and the server when the attacker “appears” on the user’s server, and vice versa. The server transmits all information from the user, including the information entered by the user, the one-time password, but on behalf of the attacker. The server, having received the correct password, allows access to private information. Without arousing suspicion, the attacker can allow the user, for example, to work with his account, sending him all the information from the server and back, but when his work session is completed it is necessary not to break communication with the server, but to make a transaction on behalf of the user.
To avoid wasting time waiting for a user session, the attacker can simply simulate a communication error and not allow a legitimate user to work with his account. Depending on the method used, the creation of an intercepted one-time password will be valid either for a short time, or only for the first session, but in any case, it gives the attacker the possibility to successfully steal data or money from the user8. Fraudsters can present themselves to bank employees, tell stories about “system issues”, the need to urgently recover all customer personal information, they will need to provide all your personal and card details.
Or they will simply be asked to read the code that will come to you via SMS and as if it will confirm that your card and everything in it is fine. But do not read what is written in it. After all, at this time it is likely that fraudsters are trying to use the cashless card service through an ATM. And they just need the code they need. Once it is announced, the funds will be deducted from the account. Another way fraudsters steal money from a bank account is to get a duplicate of the SIM card of the cardholder’s mobile number. Then your phone will be locked, and the fraudsters will know the credit card number and have a duplicate SIM in their hands, and they will get all the necessary passwords and confirmation codes for online transactions or from the ATM.
The victims of this method are often sellers of goods online. They advertise, so they are not surprised by calls from unfamiliar numbers. To obtain a duplicate of a phone card, fraudsters either force the person to call several times in a row and not pick up the phone, or call themselves and disconnect the connection. After this, a minimum of erroneous “replenishments” may come to the account. And then the number itself is blocked. This means that having learned the information about the last dialed number, the last replenishment, the fraudsters ordered a duplicate SIM card from the mobile operator and received it. Such situations should alert everyone. Small and medium-sized businesses are increasingly likely to be affected by cyber attacks, as such companies mistakenly consider themselves “unfriendly” in terms of the information about the resources they hold. When breaks affect larger organizations, they usually come to the attention of the public media. However, in reality, these are only a small percentage of the total attacks that occur each year. In practice, 71 percent of database breaks occur in small businesses.
Spear phishing and watering holes are the most common types of attack. Phishing is the first line of attack in 91 percent of cyber attacks. While traditional phishing attacks spread across a wide network, sending emails to hundreds or thousands of recipients targeted phishing attacks (spear phishing) usually target small subgroups of people, such as employees of companies. A scammer who plans a targeted phishing attack can create a fake employee email and write it to several legitimate employees, requesting company information. Thinking they communicate with a colleague, legitimate employees can provide this information. And this is where the question of setting up corporate mail comes in; it is an SPF digital signature whose value determines the servers from which it is possible to send mail from the corporate domain.
In addition, the important milestone is the checking of the technical title of the security letter which contains information about the mailing time and mail server. Hence the question arises of training working employees on basic information security rules. Conducting such training for working employees will not cost a lot, however, it can be quite significant. When using the watering holes attack strategy, hackers insert malware into the code of websites that are most likely to be visited by employees of the attacked company. If an employee visits such a site from a company computer, the entire network of the company may be exposed to a virus that will collect data.
The reason why small and medium-sized businesses are exposed to cyber attacks is quite simple. Large organizations store important data on their own servers, while small and medium-sized organizations rent remote servers. Small and medium-sized businesses need to become more secure. According to statistics, more than half of the businesses in Ukraine do not take any preventive measures to protect themselves from cyber attacks. In addition, 85 percent of people are not even planning to increase their budget for security, despite the fact that the number of attacks is growing. This makes small and medium-sized businesses especially attractive to hackers, who prefer easy targets.
Logic bombs are able to access confidential information, disable equipment. They can lead to the loss of personal information, reputation of a person, international image, confidential information. With their help you can “cause disasters at nuclear power plants, open dams to flood settlements, disable dispatching devices for the purpose of calling plane crashes”. Vishing attack is able to cause financial damage to the user, steal sensitive information organization. DDoS attacks are usually carried out for commercial gain because it takes hundreds of thousands of people to organize a DDoS attack computer, and such huge material and time costs can not afford everyone. Attackers have a habit of organizing DDoS attacks on a special network of computers – botnet. Kaspersky Lab regularly conducts studies that show that the most DDoS attacks come from Internet commerce, the financial sector and IT companies. In our opinion, there is a need to strengthen security measures to combat cyber fraud, in particular, to increase the level of skills of ordinary people Internet users and financial services, as they are emerging victims of fraud. Therefore, we need to make further recommendations to strengthen cyber fraud security measures and user recommendations.
Gmail’s security has been enhanced to be more careful. Tracking Google sign-ins through third-party applications. The Google Docs attack worked similarly – instead of the cloud office suite, users were logged into a fake application that requested your Google account login and password. An advanced spam filtering system has also been added. In addition, the company already has a number of anti-phishing activities such as machine-based fraud detection training, safe browsing mode, email attachment scanning and more security measures for suspicious Google sign-ins. Google also uses its own safe browsing API Safe Search, Application Programming Interface, Application Interface Programming, English. The application programming interface (API) allows applications from the client-side to check whether a URL is on a blacklist Google is constantly updating. Although this protocol is still experimental, most browsers use it. The list is maintained on the client-side and updated periodically; However, if the URL is changed even slightly, it will be blacklisted when the URL disappears.
Because these phishing attacks have a very short life, a lot of data is used to store these blacklisted and domain URLs, which will be of no use in the near future. In addition, the complexity of comparing each user URL with the blacklist data is very high. The most common vulnerability to phishing attack methods is to use URL blacklists, information security is still facing the fact that attackers can still access the site by simply changing the IP address or using bots to fake the domain13. New ways to combat cyber fraud can also be added, including by implementing already existing e-mail security mechanisms – SPF, DKIM, DMARC and others. According to Gartner, the top 5 suitable market segment today includes the following companies: Barracuda Networks, Cisco, Mimecast, Proofpoint and The Email Laundry. The second line of defense is usually considered to be access control means over the Internet – local or cloud. They allow you to block conversions by mail, SMS or MMS links (the last two cases require a cloud solution – perhaps on the part of a mobile carrier or a specialist information security service provider). Among the leaders in this segment you can name Bluecoat, Cisco, Websense and Zscaler.
According to the Law of Ukraine “On the organizational and legal basis of the fight against organized crime” the system of state bodies fighting organized crime is as follows: a) state bodies specially created for the fight against organized crime; b) state authorities involved in fighting organized crime, performing other key functions assigned to them. Prevent online cryptocurrency fraud from several subjects of activity specified by the questions. The capabilities defined on the basis of relevant laws can be differentiated as follows: National Bank of Ukraine State Tax Service, Security Service of Ukraine, Ministry of Internal Affairs of Ukraine.
Accordingly, there may be threats that are of subjective nature, accidental or intentional. However, self-defense is used to prevent the intentional act of the attacker. OI Karpenko includes the following statements for self-defense: encryption, electronic watermarks, passwords, malware distribution bypassing technical protection methods. Technical protection of information now involves the use of hardware, software, cryptographic and other methods and tools to prevent unauthorized users and applications from accessing the data of certain applications, including the prevention of leakage, theft, loss, unauthorized use destruction, distortion, modification (forgery), unauthorized copying, blocking of information, etc.
When someone takes actions such as hacking your computer, spreading malicious viruses to it, which prevents further work computer, password attacks, application layer attacks (crashes the server operating system), this list can be continued, however, others can take actions to protect themselves from such unauthorized activities, take actions to protect information, which in this case will be defined as self-protection of information rights. So, by installing the appropriate antivirus you can minimize the applications on your computer using passwords, but unfortunately, this does not completely protect the information on your computer system. In particular, according to official information from the National Police of Ukraine in the structure of cybercrime, 65 percent in Ukraine are actually fraudulent actions used to commit Internet crimes (hacking accounts for 16%, crimes against using payment systems – 13%, 5% – illegal content).
Over 11 thousands of Internet fraud reports were filed to the cyber police in the first nine months of the year. However, during this period in the Unified Register of Pre-Trial Investigations only 966 criminal proceedings with qualifications for parts 3 and 4 of Article 190 of the Criminal Code of Ukraine (fraud) have been registered, which is 18.4% of the total number of criminal crimes committed using high information technologies. However, according to the official statistical reporting National Police of Ukraine, the number of those registered in the pre-trial investigation of criminal crimes qualified. Article 190 of the Criminal Code of Ukraine during this period, in general, decreased significantly compared to the same period last year (from 1585 to 966 – 39.1%).
According to experts, this is mainly related to the incorrect qualification of such crimes. Indeed, in the vast majority of cases, pre-trial investigation bodies initiate criminal proceedings under Part 1 or Part 2 of Article 190 of the Criminal Code of Ukraine without taking into account the qualifying feature – “conducted using electronic computing”. In general, such a situation is typical of crimes in conditions of non-obviousness, that is, when the person who committed the crime is not identified at the time of initiation of proceedings. Unfortunately, there is a steady tendency of artificial correction statistics on crime in this category of crimes (envisaged by Part 3 and Part 4 of Article 190 of the Criminal Code of Ukraine) in the subdivisions of the National Police of Ukraine, since they fall into the category of serious crimes. The problematic issue during the investigation of such proceedings was the unqualified criminal offenses of the specified category in the territorial bodies of the National Police. Obviously, the problem of information security is one of the most urgent problems, and the threat of potential dangers in the form of IT and banking crimes in general and fraud with currencies in particular – is a real danger that requires a systematic, aggressive response of the state, as well as improvement of Ukrainian legislation.
To summarize, we have to mention that for online banking fraud: there is no such thing as a suitable target. It appears that persecution occurs because criminals constantly increase the level of their various strategies, as a result of which, they win the trust of bank customers, as people do not understand their new criminal methods. In addition, we have to determine the main factors of the structure’s influence on the failure of cyber attacks. Accordingly, the main factors have been identified: server security mechanisms, which store, coordinate and transmit important company data; the presence of valuable information at the company’s disposal; awareness of working staff with information security issues; the use of advanced device authentication, threat dissemination tools and much more.
Also, we should point out that the implementation of these methods of protecting information in the work of reducing the risk of becoming a victim of cyber attacks. Thus, last but not least, bank card fraud has significant negative consequences on the stability of the state’s financial system, as it hinders the spread of non-cash payments, which is a recognized priority for the development of the world financial system, and also causes significant economic damage to various subjects of economic processes. That is why actively combating this manifestation of cybercrime is an urgent need of the hour that requires the consolidation of efforts of banking institutions, law enforcement agencies, NGOs, and, of course, bank card users.
Read Also:
In this article we have provided information about internet usage. The information given here will…
In this article we have provided information about the disadvantages of Internet. The information given…
In this article we have provided information about internet. The information given here will prove…
Getting rid of porn addiction is a journey that many people embark on, yet very…
Porn addiction is often called sweet poison. This is something that may seem attractive, but…
It is important to understand the impact pornography has on physical and mental health, especially…