Cyber Threat in a Finance Organisation - Essay Example

? Internet Risk and Security - Cyber Threat (Identity Fraud) in a Finance Organisation Executive summary Magnitude and frequency of cybercrime has increased many fold in recent years and complaints regarding identity theft, identity fraud, unauthorized transfer of funds are lodging by customers against financial organizations have increased simultaneously. In such context, this paper will try to shed light on pertinent issues regarding identity fraud in financial organization through cyber space. In the first section, the paper will try to demystify the nature of identity fraud in financial organizations and what are the pertinent factors that create difficulty for users to detect the fraud. Identifying the loopholes in the existing regulatory framework for cybercrime will be the essence of the second part of this report. In the final part, the paper will try to recommend a viable solution which can at least decrease the magnitude of cyber threat in terms of identity fraud for financial organizations. Table of Contents Table of Contents 3 Introduction 4 1.1Aim and methodology 5 1.2 The report 6 Chapter 2: Identity Fraud in Cyber Space 6 Chapter 3: Are there enough safeguards? 8 Chapter 4: Strategic Interventions 10 Chapter 5: Conclusion 13 Reference 15 Figure Number Name Page Number Figure 1 Decision Check Box 10 Introduction Since the birth of World Wide Web (WWW) in the hand of Sir Timothy John "Tim" Berners-Lee, internet usage has travelled a long distance in the horizon of time. According to the report published by CNN News Story (2005), global cyber space users have increased by more than 1 billion in last one decade. Although internet has started its journey as the magic technology which provides information but later on it has established it ubiquitous presence in all our daily life needs, for example, one can even conduct financial or banking transactions by taking help of internet without going to the bank. It will be erratic to believe that such development of internet age has only offered benefits for mankind and not given the means to wrongdoers to commit crime through online platform. Rather the opposite scenario is true, crime through internet or cyber crime has increased manifold in last few years due to human civilizations over exposure of internet. Fletcher (2007) has reported that in many countries such as Brazil, Russia, and UK etc internet financial fraud has outpaced the money lost through bank robbery. Surprising fact is that public awareness about the threat of cyber crime, internet hacking is pretty low despite being the fact that activities of hackers are creating negative impact on financial system of a country in regular interval (Fletcher, 2007). Fletcher (2007) has also reported that cyber criminals or malicious hackers not only hack personal information of users but also rob the money from the account of users by using the hacked information. Hence, the situation cannot be taken in light hearted manner rather stringent regulatory reform is required in order to restore the safety of internet usage. Now, readers of this essay might question that why government and cyber crime agency are not taking steps to regulate the cyberspace? Well, it is not so easy. For example, Sofaer and Goodman (2001) have reported that internet is a large hemisphere of information which has multiple information channels and transaction points hence creating standard investigative instruments for all these issues is almost impossible. Important fact is that, internet is a free source hence no can control it in 100% accurate manner; a company can create a firewall to prevent hackers to access user information but there is no guaranty that the firewall will give 100% safety. Grabosky et al (2001) have argued that magnitude of cyber crime which threatens the internet security is far greater than the traditional criminal activities such as robbery, misrepresentation or theft berceuse cyber crime can be carried out in geographically boundary less manner. Almost 12 years ago, Grabosky et al. (2001) have warned that the existing governance functions are not sufficient to detect fraud committed by cyber criminals especially in the field of financial services. Hence, the question is whether the situation has improved in last 12 years or not? Well, the answer to this question is not a simple, however the researcher will dip digger in the topic in order to find the answers. 1.1 Aim and methodology Research scholars such as Irwin and Slay (2010) have tried to identify the nature and complexity of fraud in cyberspace. According to them, virtual environment gives the encouragement to cyber criminals to hack personal information of users to access the financial data because these hackers have a vague belief that no one is watching them committing crime and no one can catch them. Irwin and Slay (2010) have also pointed out that, cyber criminals and hackers use virtual reality role-playing arcade games or massively multiplayer online games (MMOGs) to create fake virtual avatars, which work as fraudulent identity to access important financial information. Interesting fact is that, MMOGs in virtual environment cannot be regulated by real world law practices which encourage hackers and cyber criminals to perform their fraudulent and malicious activities with impunity. For example, with Second Life (MMOG) avatar, hackers can access the stock exchange and bank account information of users quite easily because these financial institutions do not have the regulatory or legal framework to arrest a virtual avatar (Leapman, 2007). Such complex and unethical perspective of cybercrime has forced the researcher to shed light on identity fraud in a finance organisation, which a particular dimension of internet cyber threat that increases the risk for internet security of user information. Key aims of this report can be summarized in the following manner; To understand the nature of identity fraud in finance organization through cyber crime To identify the loopholes in the existing regulatory framework which encourages cyber criminals and fraudsters to commit financial frauds To recommend a strategic intervention which can improve the situation To accomplish these objectives, the researcher will use qualitative methodology backed by collecting information from secondary sources such as print medium, online articles, research papers, peer reviewed journals and reaching to a conclusion by analyzing these documents. The researcher will not use subjective view to analyze the topic rather banking on factual data and evidences to offer a recommendation will be key essence of this report. 1.2 The report The researcher will present the report in three substantive chapters and these chapters can be briefed in the following manner; Chapter two will try to demystify the nature of identity fraud in financial organizations and what are the pertinent factors that create difficulty for users to detect the fraud. Chapter three will try to shed light on loop holes in existing regulatory frameworks which encourages fraudsters and cyber criminals to commit identity fraud. The study will try to discuss various instances of identity fraud in virtual environment which can be prevented by filling the loopholes in legal and regulatory architecture of financial institutions. Key findings of the researcher will be summarized in the chapter five and based on the findings; the researcher will try to recommend legal and regulatory interventions which can discourage cyber criminals and fraudsters to commit identity fraud in financial organizations. Chapter 2: Identity Fraud in Cyber Space Sproule and Archer (2007) have defined identity theft as unauthorized access of personal information by third person using online platform while identity fraud can be defined as crime committed by falsifying identities. Sproule and Archer (2007) have also pointed out that identity fraud is closely related to fraud of existing or new financial and credit accounts. Using the credit relationship or existing account to commit fraud is related to existing account fraud while creation of fake identity and using the identity in illegal manner to commit financial crime can be treated as new account identity fraud. Sproule and Archer (2008) have pointed out that there is sharp demarcation exists between credit card theft and online hacking of personal information in order to access financial information. In credit card theft, no personal information apart from name and number of the user is divulged hence customers are not responsible for any fraudulent transactions made through the credit card. However, that is not the case when hackers hack the personal information of users or customers in financial organizations such as banks, stock exchange, foreign exchange etc. Cybercriminals can create a fraudulent identity by hacking the account of customers and then theft the money or use the money in financing illegal activities like terrorism, arms buying etc, in these circumstances, users will be responsible for all the wrongdoing committed by using his/her accounts. Hence, Eisenstein (2008) has rightly claimed that identity fraud is the most severe kind of cybercrime. Cyber criminals and hackers have started using the anonymity of virtual environment in order to create a fraudulent identity or a fake avatar which can help cyber criminals to hide their true identity. Brown (2010) have stated that cyber cafes are the most preferred destination for hackers and cyber criminals to access the virtual environment and create account for performing transactions. Absence of know your customer (KYC) norms in virtual environment gives the opportunity to fraudsters to access the real account of user in financial organization through virtual platform. Choo (2009) and Irwin, Choo and Liu (2012) have pointed out that, cyber criminals can steal the credit card numbers, prepaid cards or direct cash in the account by accessing personal information of users. It is easier to hack an existing account credit of users rather than creating a new account while creating a new account is also a lengthy process. Hence, hackers still prefer hacking the account and financial transactions related to the account instead of committing identity fraud through massive multiplayer online games (MMOGs). Apart from above mentioned procedure of creating fraudulent identities, there are other ways to access the account information of users. For example, services like on-line financial service providers (OFSPs) has given the scope to hackers to cash the hacked virtual world currency to real world currency, such facilities have made it extremely difficult for users to track who have accessed their profile in financial organization. Due to perplexing nature of the issue, users allege financial organizations such as banks, stock exchange for stealing their funds. Cyber criminals and fraudsters get access to the account information of customers by using key-logging viruses which infects the personal computer of users. In such context, Suri and Chhabra (2003) have reported fraudsters and cybercriminals have invented different types of viruses which can break down the privacy wall of financial organizations and give these wrongdoers the opportunity to access account information of users. Working pattern of these viruses or the technical pattern of how hackers commit identity fraud is pretty much complex issue and also beyond the scope of this paper. Hence, the researcher will not try to discuss the above mentioned issues in this paper. However, it has been observed that although privacy filters used by financial organizations work efficiently but still users get the victim of account fraud. Such surprising fact can be understood from the behavioral perspective of users, for example, hackers post virus contained advertisement or send spam mails to users. These advertisement or mail contain fake claim of prize money and users intentionally or unintentionally click these advertisements or spam mails and ultimately hackers get the chance to hack their e-mails. In modern world, users maintain their financial information and personal information in their e-mail; hence it can be easily assumed that why fraudsters target e-mail account of users. In modern world, accessing e-mail account means that the hackers and cybercriminals get the opportunity to access financial and personal information of users. Now, the question may arise that can identity fraud in financial organization be classified as financial crime? The answers is yes, because, using identity fraud cybercriminals can use customer’s account in the financial organization for financing various criminal activities such as money laundering, weapon purchase, illegal transfer of property, terrorist financing etc. There are jurisdiction issues which make it difficult for financial organizations to create barrier for fraudsters to hack the account of users. Research scholars have rightly described cyberspace as a place for everyone irrespective of their intentions. In the next chapter, the researcher will try to gauge what are the problems associated with regulatory and legal framework for cyber crime. Chapter 3: Are there enough safeguards? Having understood the nature of identity fraud, it is the right time to go deeper on the topic in order to understand why it is difficult to prevent identity fraud in financial organization. Throughout the report, the researcher has taken a conjectural view about the efficiency of safeguards place by respective authorities to prevent financial crime in terms of identity fraud in financial organizations such as stock exchange, banks, and e-commerce sites. When talking about safeguards, one thing need to be remembered that cybercrime is a contemporary issue and researchers and legal authorities are still working on drafting a strong regulatory framework which can address all the pertinent issues of cybercrime, Hence, there are still many loopholes in the existing legal framework which can alternatively increases the opportunity of cybercriminals to commit financial fraud. There are five basic levels of regulations which can ensure internet security, “the internet users themselves; the ISPs; corporate security organizations; state-funded non-public police organizations and state-funded public police organisations” (Wall, 2001, p. 171). However, actually the last level is responsible for placing the safeguard and combat with the financial crime in cyberspace. Let’s look at the issue identity fraud in cyberspace; the question may arise is the regulatory authority capable to detect the cyber criminals who commit identity fraud in financial organization or able to punish them. According to Article 8 of the European Convention on Cybercrime, respective legal authorities has the authority to establish criminal offences against the cyber criminals, whose intentional and illegal activities have caused loss of property, deletion of important data from computers, procurement of unauthorized content in order to get economic benefits (Fletcher, 2007). Unfortunate fact is that, to establish a standard cybercrime regulation, ratification to the convention is required from all signatory countries but the fact that number of signatories are so large that establishment of unanimous ratification seems improbable. As internet is an open universe, hence fraudsters of one country can hack the account information of users of other country and they will not be detected or punished due to absence of a common standard legal framework. Let’s simplify the above statement, A has account in a financial organization and B has hacked the account information of A and created a fraud identity to commit financial crime. In such context, it can be said that B has committed cyber crime and liable to the harm it has caused to Abut the situation is not that much simple in real world. In majority of cases, identity of B remains unknown and it is very difficult to find and punish D. Till date there is no such cyber law exists for cyber crimes where identity of users in financial organization has been hacked through gaming portal, e-mail spam, fraudulent advertisement etc (Fletcher, 2007). Few years ago, one incident took place in Bank of America which is similar to the example mentioned above. In USA, a businessman from Miami has alleged Bank of America for transferring money without taking his approval; it was the act of a cybercriminal who created a fraud identity of the businessman and transferred the money using the identity (The Banker, 2005). In such context, Bank of America has denied the allegation by stating that they are not liable for the transfer of money because their system is showing that money transfer had been done with appropriate security procedure (The Banker, 2005). The case is showing the actual scenario of regulation of the cyberspace. These loopholes such as difficulty to identify who is committing the online identity fraud for user’s account in financial organization or distinguish between real and fake users etc cannot be eradicated in overnight manner but financial organizations can take few steps to ensure safety of account information of customers. These security measures will be discussed in the next section of this paper. Chapter 4: Strategic Interventions It is evident from the above discussion that developing a privacy settings or firewall includes lots of technical issues and presenting a 3 dimensional diagram addressing all these technical issues is beyond the scope of this paper. However, a simplistic privacy framework can be depicted in the following manner. Figure 1: Decision Check Box (Source: Irwin et al, 2013) According to the diagram, hackers using MMOGs and fraudulent advertisements can be prevented by creating decision checking system at decision points. Hardouin (2009) has also pointed out that placing security checking system at every place of decision checkbox of privacy settings might help banks to verify the identity of customers. Placing decision checkbox while customers are doing banking transaction will automatically reveal the identity of the cyber criminals. For example, financial organizations can place a voice recognition system in the online transaction platform and ask customers to verify their voices while transacting. It will be very difficult for cybercriminals to copy the voice of customers and ultimately they will get caught while trying to use fraud identity. Online security system of banks should ask for signature of the users while they use transaction instruments such as Visa card, PayPal etc. Although cyber criminals can hack the account of customers but there is very low possibility that they can copy the magnetic signature of users. The bank and other financial organizations should prohibit the transactions of virtual currency in order to prevent fraudsters for using the MMOGs platform to hack information. Lastly, financial organizations should increase awareness about customers regarding cybercrime and identity fraud by organizing knowledge sessions, sending KYC norms or knowledge brochure regarding fraudulent advertising & spam mail to customers. Customers of financial organizations should be discouraged from jumping on suspicious mail claiming prizes or pop up advertisement by respective authorities. Many of the international banks such as HSBC, JP Morgan are using the decision check box as management strategy to prevent identity fraud in virtual space and during online transactions. As part of international responses to the identity fraud, Financial Services Authority (FSA) and Serious Fraud Office (SFO) have asked financial companies to improve the safe guard measures and efficiency of privacy settings in order to create barrier for cybercriminals and fraudsters from hacking the account information of users. In UK, National Hi Tech Crime Unit (NHTCU) has been established in order to take law enforcement action against cyber criminals who commit identity fraud (Fletcher, 2007). NHTCU has recommended the following measure for financial organizations of UK and Europe to use the following mechanism in order to prevent identity fraud. (Source: Irwin et al, 2013) To summarize all these discussion in the form of recommendation, the report will draw following points. Banks and financial organizations need to create a database of user’s name, address, personal identity, data of births etc. Then link this database with the customized security and privacy centre of the bank. Create at least 3 decision check points in the online banking and transaction process which will validate the identity of customers by taking help of database. Voice recognition system should also be used in order to check the identity of users. If any user is trying to use MMOG gaming platform or the virtual avatar then he/she should be asked to validate identity through voice recognition or special character password such as (*/@ etc) recognition. After such check, if any individual fails to verify his/her identity then the online account will be locked temporarily and a security alert will be sent to real user notifying that someone has tried to hack his/her account information. In this way financial organizations can prevent cybercrime up to certain extent. Chapter 5: Conclusion Throughout the report, the researcher has tried to understand nature and magnitude of problems associated with identity fraud in financial organizations. In some places, the researcher was forced to discuss some other issues related to cybercrime in order to address the key objectives of the study in comprehensive manner. Major findings of the study can be summarized in the following manner; Identity fraud in financial organization through hacking can hurt the interest of users in more severe manner in comparison to credit card fraud. Identity fraud can be done by using virus or massively multiplayer online games (MMOGs) by cybercriminals and fraudsters. Presently, there is no such standard legal and regulatory framework available to identify and punish the unknown cybercriminals who has hacked the account information of customers by creating fraud identity. Financial organizations need to strengthen its privacy settings by incorporating audio-visual elements during online transactions. Creating decision box at decision points of online transaction will increase the complexity for cyber criminals to create fraud identity and ultimately decrease the chance of cyber crime in financial organizations. Reference Brown, H. A., 2010. Virtual worlds – a tool for money laundering and terrorist financing? ACAMS Today, March-May. Choo, K. K. R., 2009. Money laundering and terrorism financing: Risks of prepaid cards/instruments. Asian Journal of Criminology, 4(1), pp 11-30. CNN News Story., 2005. The internet transforms modern life. [online] Available at: [Accessed 3 June 2013]. Eisenstein, E. M., 2008. Identity theft: an exploratory study with implications for marketers. Journal of Business Research, 11, pp. 1160-72. Fletcher, N., 2007. Challenges for regulating financial fraud in cyberspace. Journal of Financial Crime, 14(2), pp. 190-207. Grabosky, P., Smith, R. and Dempsey, G., 2001. Electronic Theft: Unlawful Acquisition in Cyberspace. Cambridge: Cambridge University Press. Hardouin, P., 2009. Banks governance and public-private partnership in preventing and confronting organized crime, corruption and terrorism financing. Journal of Financial Crime, 16(3), pp.199 – 209. Irwin, A. S. M. and Slay, J., 2010. Detecting Money Laundering and Terrorism Financing Activity in Second Life and World of Warcraf. [pdf] Available at: [Accessed 3 June 2013]. Irwin, A. S. M., Choo, K. K. R. and Liu, L., 2012. An analysis of money laundering and terrorism financing typologies. Journal of Money Laundering Control, 15(1), pp. 85-111. Irwin, A. S. M., Slay, J., Choo, K. K. R. and Liu, L., 2013. Are the financial transactions conducted inside virtual environments truly anonymous? An experimental research from an Australian perspective. Journal of Money Laundering Control, 16(1), pp. 6-40. Leapman, B., 2007. Second lifew world may be haven for terrorists. [online] Available at: [Accessed 3 June 2013]. Sofaer, A. D. and Goodman, S. E., 2001. The Transnational Dimension of Cyber Crime and Terrorism. Stanford, CA: Hoover Press. Sproule, S. and Archer, N., 2007. Defining identity theft. Los Alamitos, CA: 2007 World Congress of the Management of e-Business, IEEE Computer Society. Sproule, S. and Archer, N., 2008. Measuring identity theft in Canada 2006 consumer Survey. Working Paper No. 21, McMaster eBusiness Research Centre. Suri, R. K. and Chhabra, T. N., 2003. Cyber Crime. New Delhi: Pentagon Press. The Banker., 2005. Lawsuit raises online fraud issue for banks. [online] Available at: [Accessed 4 June 2013]. Wall, D. S., 2001. Crime and the Internet. London: Routledge. Read More