CEAC-ITN (Cyber Evidence Archival Center’s Identity Theft Notice system) is meant to provide a channel of voluntary disclosure by public to legally defend themselves against Phishing attacks. CEAC also provides a service called CEAC-VPN which is an extension of the CEAC-ITN service. It is meant to publish a public notice. Under this service, the user will request posting of his announcement on the CEAC Notice board for a specific period. For more details check here.
“Phishing” starts with an e-mail sent by a fraudster to a targeted victim either through a Spam or otherwise. It is not uncommon today for almost every one who uses an e-mail account to receive one or more Phishing mails. If the receiver does not have an account with the Bank to which the mail refers to, he is unlikely to respond to it. However, if the recipient holds an account with the specified Bank in whose name the mail has been received then it is statistically possible for a certain percentage of recipients to respond to the mail thinking that it comes from the Bank itself and thereby open themselves to the risk of losing their password.
The “Phishing” expedition thus ends with the “Phisher” obtaining the password of the Bank customer.
This identity theft is an offence under Section 66C of ITA 2008. When read with Section 84C of the Act which makes an “Attempt to commit an offence” also as an offence, the sending of the Phishing mail itself can be considered as a punishable offence under ITA 2008.
The actual withdrawal of the money by the fraudster from the Bank account is a follow up crime which arises because the Banks in India follow the system of access control based on passwords and donot have appropriate risk management control mechanisms.
Whenever a customer of a Bank reports unauthorized transactions in his account, the first question that a Bank asks is if he was in receipt of any “Phishing Mail”. If the answer is in the affirmative, the Bank immediately jumps to state that “If you have received a phishing e-mail and if there has been an unauthorized access, then it is to be presumed that you only should have released the password to a fraudster and hence should bear the liability”.
Even in the instances that the customer insists that he has not responded to the phishing e-mail, it becomes his word against that of the Banks. Since Banks often present themselves in the Adjudicator’s office/Consumer Courts through influential advocates who vehemently argue that “Bank can do no wrong”, the victim would be at a disadvantage to convince the Court that he is innocent and has a genuine right of protection under law. As a result, there could be a miscarriage of justice.
CEAC-ITN is therefore a service introduced by CEAC to provide a shield of protection to the genuine Bank customer who has received a Phishing e-mail and has not responded to it to keep a record of his public disclosure that he has received the e-mail and has recognized that it is a fraudulent mail and he has not responded to it.
The procedure for filing a request for using of CEAC-ITN service is available here.
Following is the list of CEAC-ITN registrations received by CEAC.
This service is a unique service and a first of its kind service in the world.
I request that public may make use of this service which is offered free at this point of time.
The service is being officially opened for public use from this New Year as per the Indian Calendar.
The details of the application will be made available on specific application and on payment of a retrieval fee as per the rules of CEAC portal.
Information for registration can be sent with the following particulars to firstname.lastname@example.org
From: ………… (Name)
Account Number: …………………, Branch…………………
I hereby give notice that I have received the enclosed e-mail which I suspect to be an attempt to deceive me into parting with my password for my Internet Banking access.
The mail was received on ……………. at ………………… (time)
I hereby give notice that I have not responded to the mail and shall not be responsible for any unauthorized withdrawals from my account attributed to this phishing attempt.
This notice is being archived with CEAC for records.
April 4th 2011
Registration of CEAC-ITN disclosures
P.S: Copy of the registration mail would be provided on request
For CEAC-VPN Service, send e-mail here
|Date||Sl No||Name and Address of the Registrant||Name of the Bank|
|2011April 4||CEAC-ITN/1||Na.Vijayashankar||Punjab National Bank|
Comments are Welcome.