G Gopalakrishna Working Group (GGWG) on Electronic Banking
Comments-2
Phishing Risks
The GGWG has made the following comment on Phishing Risks in its report:
"Of late there have been many instances of
'phishing' in the banking industry, posing a major threat to
customers availing internet banking facilities. Though Section 66D
of the amended IT Act could broadly be said to cover the offence of
phishing, the attempt to commit the act of phishing is not made
punishable. It is suggested that there is a need to specifically
provide for punishment for an attempt to phish as well, in order to
deter persons from attempting it"
The Committee's suggestion that the "attempt" should also be made punishable is noted. I would, however, like to bring to the notice of observers that this has already been addressed in ITA 2008.
Under Sec 84C of ITA 2008, effective from 27th October 2009, an "attempt to commit offences" is punishable with imprisonment for a term of up to one-half of the longest term provided for the offence itself. The section states:
84C: Punishment for attempt to commit
offences
Whoever attempts to commit an offence punishable
by this Act or causes such an offence to be committed, and in such
an attempt does any act towards the commission of the offence,
shall, where no express provision is made for the punishment of such
attempt, be punished with imprisonment of any description provided
for the offence, for a term which may extend to one-half of the
longest term of imprisonment provided for that offence, or with such
fine as is provided for the offence or with both.
Additionally, ITA 2008 makes Phishing punishable under several sections other than 66D.
Phishing is an offence made up of several parts. It may involve the sending of an impersonated e-mail, the creation of an impersonated website, the downloading of credential information fraudulently collected by the Phishing website, and unauthorized access to the Bank account using the stolen credentials.
Each of these parts attracts its own provision, so Phishing is covered under Section 66A, Section 66 and Section 43 in addition to Section 66D.
Section 66A covers "any electronic mail or electronic mail message ......... to deceive or to mislead the addressee or recipient about the origin of such messages", and a Phishing mail falls squarely into this category.
Section 66 becomes relevant because the fraudster accesses the Bank account without authorization from either the Bank or the Customer. Merely being in possession of the password does not amount to "authorization", since the password would have been obtained by the Phisher through deceit and deception.
If the Phisher has also changed the password, he additionally causes denial of access to the genuine user and damages or diminishes the value of information residing in a computer, which are the acts contemplated under Section 43.
Thus the apprehensions of the working group have already been addressed in ITA 2008. Convictions for Phishing are therefore easier to obtain under ITA 2008 than they were under ITA 2000.
Additionally, the Working Group has again endorsed the Mittal Report's suggestion that the "Legal Risk" in cases of fraud where digital signatures are not used to authenticate electronic documents lies with the Bank.
The Working Group has also noted that, at present, Banks are not exempted from liability arising out of technical failure, as they are in the case of EFT transactions under the Payment and Settlement Systems Act.
These observations will be relevant to the analysis of Phishing cases in future.
Naavi
January 22, 2011
Copy of Full Report
Copy of Executive Summary
Comments are Welcome at
naavi@vsnl.com