Home | Feedback | Contact Us
Legal Articles  
Credit Card Cloning: Emerging Quandary

Though law cannot possibly be expected to keep pace with changes in technology, nevertheless there are few areas in the current cyber laws which need some attention as is dealt further on; focusing on the recent rise of credit card frauds through cloning writes Akansha Dubey.

Introduction

Modern times have witnessed the rise of technology to the maximum. This new century has been greeted with tremendous scientific advancement leading to a transformation in the life of an individual. Technology is shaping the way business and consumers will interact in the future, commerce has gone electronic. It is still at the development stage requiring the nations to keep pace with the latest advancements. Law has to also keep pace with the development in every sphere as it is to be emphasized that with success and growth, more challenges are presented to the legal systems.

Success in any field of human activity leads to crime that needs mechanisms to control it. Legal provisions should provide assurance to users, empowerment to law enforcement agencies and deterrence to criminals. The law is as stringent as its enforcement. Crime is no longer limited to space, time or a group of people. Cyber space creates moral, civil and criminal wrongs. It has now given a new way to express criminal tendencies resulting in the emergence of new forms of trans-national crimes known as cyber crimes. Cyber crimes have virtually no boundaries making all nations open victims to such threats and tremendous loss, posing one of the most difficult challenges before law enforcement machinery.

The United Nations Commission on the International Trade Law (UNCITRAL) adopted, in June 1996, a Model Law on e-commerce, intended to provide states a legislative frame-work to remove barriers of e-commerce. This step was taken in view of the need for uniformity of the law applicable to alternatives to paper methods of communication and storage of information. It applies to any kind of information in the form of data message used in the context of commercial activities. Model Laws has been used as a basis for e-commerce laws in Singapore, Korea and India.

To tackle the ever increasing difficulty of formation of proper cyber legislations the first approach is when United States adopts a sectoral approach with a range of privacy protection statutes being enacted to regulate specific forms of information handling. The second approach has prevailed within Europe where the tendency has been to enact omnibus data protection statutes.

Cyber Crimes are a new class of crimes to India, rapidly expanding due to extensive use of internet. Procuring the right lead and making the right interpretation are very important in solving a cyber crime. The 7 stage continuum of a criminal case starts from perpetration to registration to reporting, investigation, prosecution, adjudication and execution. The system can not be stronger than the weakest link in the chain. But the relationship between legal/constitutional order and science/technology is wholly unexplored in India. The shift from paper-based to electronic transaction has raised questions concerning the recognition, authenticity and enforceability of late specific forms of information handling documents and signatures.

Till year 2000, India did not have any legislation governing cyber space or Information Technology Law.  In consideration to the Model Law on Electronic Commerce adopted by the United Nations Commission on International Trade Law (UNCITRAL) and to give legal recognition to electronic commerce the Information Technology Act, 2000 was enacted which was further amended in December 2008. Though this is comparatively a new legislation as far as others areas of law are concerned, still eight years have passed since this act was enacted and in these years technology has changed at a much faster pace.

Credit card fraud is a wide-ranging term for theft and fraud committed using a credit card or any similar payment mechanism as a fraudulent source of funds in a transaction. The purpose may be to obtain goods without paying, or to obtain unauthorized funds from an account. Credit card fraud is also an adjunct to identity theft. The risk of credit card has increased manifold especially after the advent of e-commerce.

The fraud begins with either the theft of the physical card or the compromise of data associated with the account, including the card account number or other information that would routinely and necessarily be available to a merchant during a legitimate transaction. The compromise can occur by many common routes and can usually be conducted without tipping off the card holder, the merchant or the bank, at least until the account is ultimately used for fraud. The rapid growth of credit card use on the Internet has made database security lapses particularly costly; in some cases, millions of accounts have been compromised.

Credit card cloning, or "skimming" as it is sometimes called, is a new technique whereby someone obtains your credit card details, copies them onto a bogus card and begins using the credit card. It is a process whereby a person just creates a cloned version of the card. This clone can be created by either using leaked credit card information or by swiping the card on a device called a skimmer, which captures the data on the magnetic strip of the card. The data can then be transferred to expired or blank cards or even stolen cards, which are easily available in the market.

India: Present Scenario

In recent times it has been well established that the use of information technology in the form of e-governance and e-commerce has risen tremendously in India. The fact that India has emerged as a new venue of great economic and technological advancement leading not only to the growth of the country at the international level but also resulting in several problems related within the country. The problem of credit card cloning or skimming has been  on a rise in the areas of North America and Europe but it is to be seen that the problem has also been infected India with various cases coming up to the forefront.

To mention a few recent cases the emergence of which has attracted the attention of the lawmakers and the threatened consumer to this worldwide problem would be that of the cyber crime cell of the Chennai Police which recently arrested four people for withdrawing money from ATMs through forged credit cards. The police recovered 160 fake international credit cards through which they had planned to withdraw Rs 15 crore.

It is to be noted that these are only some of the instances of cases that have involved credit card cloning as a means of committing credit card fraud in India on a large-scale, warning that the emergence of the problem itself has begun on a global level. Before one can begin with the analysis of the perspectives it is to be kept in mind that with the passage of time India has grown tremendously in the area of information technology. The rise in e-governance and e-commerce has been noticeable also the IT sector in India has grown successively each year, clearly indicating the fact that India can now be considered as a nation emerging in the league of USA and UK. Thus, it is but natural to compare the growth of the IT sectors of the nation but also the way in which each of them tackle the challenges in front of law due to the rapid development.

Keenly observing, one comes across a bitter truth that the approach of Indian law towards this emerging crime is ignorant and lacking in various effective requirements, narrowing it down to the realm of the Information Technology Act. On the other hand USA and UK, both have separate legislations providing the various rules regarding data protection exhibiting the vigilant and speedy approach.

One can easily figure out that USA, which has been majorly targeted by this problem, has been prompt and accurate in its formulation of laws to curb it. No other nation has made a separate credit card statute to focus on the increasing problem of credit card fraud, which has become the basic means of transaction in the modern times. It is to be noticed that India far from a statute or act exclusively for credit card fraud does not even take up the issue of basic cyber crimes in the Information Technology (Amendment) Act, 2008.

There is only one legislation formed which is required to deal with all kinds of cyber crimes where distinctions are not present as well as it proves to be not a simple but complicated task to interpret the same provision (example hacking) in the case of distinct crimes committed by different means. Electronics Communications Act, 2000 and Electronic Signatures Regulations, 2002 deal with protecting data in the United Kingdom.

Another difference to be noted is that though there have been recent cases in India the matter of credit card cloning has not been taken up as a separate issue.  Though, these cases serve as a warning, yet the issue of credit card fraud is merged with the general law of information technology laws. Neglecting the fact this problem has emerged on a global level requiring similar immediate concern as has been aptly showed by the UK and USA law-makers.

The laws in all nations of USA and UK specify the purview that they deal, making it easier to categorise the crimes as well as to tackle recent, emerging and growing crimes in the modern times. It is to be seen that the legislations specific to the credit card fraud itself explains that the law-makers of the country are ready to increase the area of law to various developing spheres. As mentioned earlier, it proves that the developed nations consider this of utmost importance to focus on the growth of law for the country’s progress.

Praveen Dalal, the leading techno-legal ICT, cyber law, cyber security and cyber forensics specialist of India, says, “Although India has done a good job by enacting the IT Act, 2000 yet it failed to keep it updated. For instance, we need express provisions and specified procedures to deal with issues like denial of service (DOS), distributed denial of services (DDOS), bot, botnets, trojans, backdoors, viruses and worms, sniffers, SQL injections, buffer overflows etc. These issues cannot be left on mere luck, implied provisions or traditional penal law of India (IPC). Even issues like cyber war against India or cyber terrorism against India have not been incorporated into the IT Act, 2000 yet.

Though this statement does not target the problem of skimming in India, it strives to highlight the lacking needs of the cyber law legislations in India. The fact basic viruses, hacking methods have not been dealt the issue of dealing with a recent globally challenging quandary is a far-fetched thought in itself.

Conclusion

One can conclude by comprehending that in this developing world, the use of information and reliance on data are unavoidable means to attain the targets at an individual as well as the national and global level, making it imperative to have effective yet workable data protection law. Yet, surprisingly as can easily be inferred through this research paper India has none. In India, credit card fraud is mostly limited to the physical space. Online con jobs make up just about 1% of the total numbers here, unlike 40% in the developed world. But, as consumers graduate to the shop-easy internet and pay with their cards, instances of fraud are bound to rise.

With the increase in cross border e-commerce the issuers in India will have to update their arsenal to combat the forgers on the same lines as their Western counterparts. The Information Technology (Amendment) Act, 2008, provide penalties for the tampering of computer source documents and hacking of computer systems. No specific mention has, however, been made of Credit cards or financial transactions. Except for two sections, none focus on Data Protection. The RBI has formed the Credit Information Bureau of India (CIBIL) in collaboration with Dun and Bradstreet who will maintain the records of all individuals who want to avail of finance from banks and credit card companies in India.

India can rely on American as well as British experience, taking up either of the two approaches for enacting legislations based not only on credit card cloning but data protection as a whole. It can focus on transparency of data making the central plank of the new law. The Data Protection Directive goes further in requiring the provision of additional information such as the purposes of the processing. Right to Privacy is not a fundamental right in India, which has to be kept in mind while the Data Protection Bill is formulated.

Thus, in my opinion, the lawmakers of India have erroneously neglected area of credit card cloning as they are endeavoring to focus on the large expanse of data protection law, which is required at this stage of advancement. Only when specific focus and emphasis is given on the protection information in the form of data, can the concept of credit card fraud as well the recently emerged crime of credit card cloning appropriately be dealt with by Indian Law. One can perceive that other countries have also been vigilant on this note forming adequate legislations to assist the growth of the information sector thus India needs to awaken from the deep slumber which results in the neglect of the most rapidly growing industry in the world.

AKANSHA DUBEY is a 2nd year student pursuing B.A. LL.B (Hons) from National Law University, Jodhpur.
 
© 2007 India Law Journal   Permission and Rights | Disclaimer