

COMPUTERIZATION IN BANKS-ITS VULNERABILITY TO FRAUDS AND ITS PREVENTIVE MEASURES

ASHU KHANNA
Assistant Professor, Department of Management Studies
Graphic Era Institute of Technology, Dehradun

BINDU ARORA
Reader, Department of Management Studies
Gurukul Kangri University, Dehradun

In the era of globalization and cut-throat competition, banks are showing interest in adapting to new trends in information technology. They are reaping the benefits of information technology in terms of reduced cost of operation and increased customer satisfaction. Such high dependency on information technology has led to serious security issues relating to the computerized environment. The key issue is whether adequate security controls have been implemented to protect against security threats in the computerized environment. The study throws light on the various types of frauds that are perpetrated in a computerized environment and also evaluates the various preventive measures. A survey administered to 253 bank employees revealed their perception of frauds in the computerized environment and the extent to which they implement some of the important security controls.

INTRODUCTION

The information and communication technology revolution has greatly influenced the operational environment of the banking industry. Recent trends show that banks are shifting from a product-centric model to a customer-centric model. They are now in the race to develop e-banking capabilities so that they can achieve higher efficiency, productivity, profitability and customer satisfaction.

The growth of computerization in banks in India has gone through two basic stages. The first stage has its base in the eighties. In those days the main aim was to convert laborious manual processes into simple automated processes without re-engineering any business process. The CVC (Central Vigilance Commission) strongly believed (particularly after Harshad Mehta’s scam) that frauds can take place at a higher rate due to slow and delayed manual processes, and it forced banks to computerize their branches with no one actually guiding or monitoring the whole computerization in banks. Banks went their own way in computerizing their branches, without any holistic, integrated approach, not only among banks but also among the branches of the same bank. This led to isolated applications at branch level, and almost every PSB (Public Sector Bank) ended up with different flavors of branch automation from different vendors, mainly for two reasons: first, software vendors were chosen regionally, as maintenance charges from local vendors were cheaper, and second, no single vendor had an overall presence across India. The banking industry had to face many problems as islands of applications were created in the branches of a bank, with dissimilar computers, operating systems and application packages. There was no integration of these applications, which forced manual intervention. Due to the various flavors of hardware and software, no data integrity could be maintained even though the applications served the same business purpose; e.g., no one could see a unified picture of overall deposits, loans, customer information, etc. of the whole bank. Due to dissimilar application packages, inter-branch reconciliation and communication was not possible. Even where it was made possible, it was not straight through. Some banks are still continuing with this technology, which is very outdated. Not able to trust vendors, banks relied on software that was half vendor-based and half in-house. They could not integrate the two without some manual intervention. Instead of alleviating the threats posed by manual banking, this actually increased them further, leaving a lot of confusion about whom to hold accountable, the computer or the computer operator.

INDIAN JOURNAL OF FINANCE ECONOMICS, Volume 4, Number 1, January-June 2015

The second stage of computerization was a response to the arrival of foreign and private banks, coupled with information technology and global computer networks, that posed a big threat to public sector banks. Not satisfied with the existing technology, banks have now decided to take a fresh look at the whole of technology adoption with fresh management goals. They now aim to integrate the whole back office and generate MIS online. With this aim, banks are setting up their networks so that they can have an overall bank view, instead of just a branch view, from all angles of process control: monitor, decide and act. With banks deciding to set up networks and computerize the whole banking process in order to offer their services on multiple channels, they now face risks from both inside and outside.

The increasing use of technology in banks has brought up security concerns. High-tech banking has brought a new orientation to banking risks, i.e. transactional risk, securing risk, reputation risk and legal risk.

Research Problem

The study aimed to identify the types and various causes of computer frauds in banks. It also brings to light the extent to which the various preventive measures for computer frauds in banks are being implemented by bank employees, along with their opinion of computer frauds and their training status.

Research Methodology

Both primary and secondary data were used. The primary data was collected through an empirical survey using a closed-ended questionnaire to learn the opinion of bank employees. The respondents were selected through multistage random cluster sampling.

Survey of Literature

Dhillon (1999) claimed that computer-related fraud caused a lot of losses in organisations and that it could be avoided if a more serious approach to prevention and deterrence procedures was taken. Businesses and organisations were trying to cope with the intricacy and mystique that surround computer systems. He further stated that less security seemed to be applied to the data or information held in computer systems than to that held in manual systems. Typically, only the IT department was concerned about computer security, and other professionals did not give it adequate attention. The author emphasised that more proactive security administration was needed to avoid losses caused by computer fraud. Fraud by insiders was a major problem, as it was difficult to prevent, especially when blended with legitimate transactions. On the other hand, with appropriate legislative controls and stricter criminal penalties, fraud could be prevented to a certain extent.

Gail E. Torbet, Ian M. Marshall and Stev (1995): In the retail environment there is a need for verification of the cardholder’s identity at the point of sale. Current techniques, such as the visual inspection of signatures or the use of holograms, offer some protection against plastic card fraud. Unfortunately, knowledge can be stolen or replicated and signatures can be forged. While photographs and PINs discourage forgery, they fail to link the card uniquely with its authorized user. This article considered the potential for the use of biometric technologies and smart cards to increase security by exploiting unique human physiological or behavioural characteristics to tie the card to an authorized customer.

Haugen and Selin (1999) claimed that computer crime and fraud were more perilous to organisations today. The paper presented statistics about the growth of fraud and the causes of fraud in the workplace. Furthermore, they elaborated on the common computer frauds, the techniques used to commit fraud, the computer-based controls, and how business assets can be protected. They stated that no organisation in the world could be 100 per cent free of risk, and that assessing an organisation’s risk of fraud was not easy. However, the risk could be mitigated by implementing a proper internal control system with good employment practices.

Haugen and Selin (1999): There are many reasons, the more common being revenge, overwhelming personal debt, substance abuse, and lack of internal controls. Business today is very competitive, and employees can feel very stressed. As a result, they have feelings of being overworked, underpaid, and unappreciated. If employees are also struggling with serious personal problems, their motivation to commit fraud is very high. Add to the equation poor internal controls and readily available computer technology to assist in the crime, and the opportunity to commit fraud is now a reality. He emphasized that the use of passwords, connectivity security firewalls and cryptographic techniques will help in controlling frauds.

Henry (1997) conducted a survey of 261 companies in Hampton Roads, Virginia, USA, to determine the nature of their accounting systems and the security in use. He attempted to ascertain the degree of correspondence between theory and actual practice. Seven basic security methods for computerised accounting information systems were discussed and presented in his survey. These methods were encryption, password access, backup of data, virus protection, authorisation for system changes, physical system security, and periodic audits. The results of Henry’s survey indicated that 80.3 per cent of the companies backed up their accounting systems and 74.4 per cent secured their accounting system with passwords, but only 42.7 per cent utilised protection from viruses. Physical security and authorisation for changes to the system were employed by less than 40 per cent of the respondents. The survey results also showed that only 15 companies used encryption for their accounting data, which was a surprising result considering the number of companies utilising some form of communication hardware. Almost 45 per cent of the sample underwent some sort of audit of their accounting data.

Input tampering is considered to be the most prevalent computer fraud. Input scams can be prevented with an effective internal control system, such as separation of duties, control totals, access controls and audit trails (Thornhill, 1996).

COMPUTER FRAUDS

The advent of a high-technology culture has partly done away with the risk of frauds arising from manual procedures, but it has also resulted in new fraud risk areas. Computer frauds present ever-changing areas of opportunity for the manipulation of data and files, and the amount of money lost when a computer assists the employee or any other person in committing the fraud is always higher. When manual systems are replaced by computerized ones, a new set of skills and knowledge is expected from existing employees, including clerks, officers, executives, auditors and the like. Banks will have to recognize the risks and provide security audit and control. Moreover, a few adequate technical solutions to such crimes are available. Banks in India have indeed reported several computer-related crimes, but computer crimes as such have been rare so far.

To understand the nature of computer frauds vis-à-vis non-computerized frauds, it is important first to know the definition of computer fraud.

Collier (1991) defined computer fraud as “any fraudulent behaviour connected with computerization by which someone intends to gain a dishonest advantage”.

A computer fraud has been defined as “an unauthorized instruction/alteration of the account, to which entries are to be made or the alteration of the entry itself” (R. Maransimhan and C. S. Rao).

Computer crimes differ from usual crimes with respect to investigation. There are no eyewitnesses, no usual evidentiary clues and no documentary evidence. Computer crimes are difficult to investigate for many reasons. Firstly, computer crimes are hi-tech crimes, and information technology is changing very fast. The normal investigator does not have the proper background in information technology, so special investigators have to be created to carry out investigations. Secondly, it can be an international crime: a computer crime may be committed in one country while the resultant fallout may be in another country, and often there is no trail. Jurisdictional problems may also arise. Thirdly, it is a no-scene crime. For example, a debit card or credit card used through a sales terminal, ATM, etc. could work from anywhere. The usual crime scene is cyberspace. The criminal need not indicate the place and may not be traced. Fourthly, it is a faceless crime. There is no personal exposure, no written documents, no signatures, no fingerprints, no voice. The crime is truly faceless. Finally, it is a no-time crime. A computer crime is done with lightning speed, while it may take days, weeks, even months and years before it is discovered.

TYPES OF COMPUTER FRAUDS

There are a variety of ways in which computer frauds are perpetrated. Computer crimes are committed by tampering with input data, tampering with computer programs, output tampering and other techniques such as exploiting inter-system deficiencies, sabotage and stealing of computer time.

Tampering with Input Data: Altering input does not require extensive computer skills; the perpetrator only needs to understand how the system operates to keep the track. Fraudulent inputs and fraudulent instructions can be used to make wrong payments or wrong deliveries of assets. A fraudulent debit can be added to a batch of bona fide transactions.

A fraudster can easily exploit inter-system deficiencies: where one system accepts an input without verification, it can be fed fraudulent data that would not be verified, and this could give rise to several frauds later on.

Tampering with Computer Programme: Manipulation of a computer programme can help the perpetrator gain unauthorized access to the system dealing with financial transactions, and even access to the bank’s communication line, or media tapping. Media tapping involves the fraudster collecting all the digital bits that travel across the physical communication wire. Only those who have physical access to the media can commit this kind of crime.

The user’s computer can be attacked by infecting a programme with a Trojan horse. A Trojan horse is a set of unauthorized computer instructions in a programme that performs some illegal act at a predetermined time or under a predetermined set of conditions. In this type of fraud, the fraudster implants a virus or Trojan horse in the victim’s machine and, using that program, monitors all transactions, steals vital data such as username and password, and then impersonates the victim. The virus or Trojan horse can be implanted in the victim’s machine by numerous methods, such as e-mails, IRC (Internet Relay Chat) and fake web sites.

Even the bank’s servers can be attacked. In this case, the fraudster directly takes control of the bank’s server, does transactions impersonating many customers of the bank (even the internal staff can be impersonated now), and can even delete all the transaction log files of his visit to the bank’s site so that he cannot be traced back.

Another computer-based fraud technique is the salami technique. It involves introducing a deliberate programming error to establish routines that facilitate embezzlement. This fraud takes advantage of the small sums gained when rounding off transactions, diverting only a part of a cent each time accruals or financial calculations are done. Another approach is to slice off a small sum, a few cents or a few dollars, from accounts that are generally not carefully checked. Data may be modified either through clerical error or through purposeful illegal manipulation by the programmer, computer operator or another person at a remote terminal.

Following are the two incidents narrated by Rakesh M. Goyal & Manohar S. Pawar in their book “Computer Crimes”.


In one incident, a US bank found in 1982 that one of its employees had tampered with the software that calculates interest on each account. This enabled the employee to siphon off small amounts, in cents, from several accounts with the bank and divert them to her own account. The amount so embezzled came to about 5.6 million dollars. The crime was noticed neither by the bank nor by the customers.

In the other incident, an experiment was conducted by the author at a bank branch in India in 1988 to demonstrate that customers rarely notice small discrepancies in the interest on deposits credited to their accounts. The branch had 215000 SB accounts with deposits of Rs. 19 crores in them. Interest was usually calculated at 5 per cent per annum, at the end of June and December each year. In the experiment, 100 accounts were picked at random, interest on them was calculated at 4.5 per cent per annum, and the depositors were furnished with statements showing the wrong credit towards interest. None of the depositors ever questioned the bank; most of them belonged to the middle class, while a few were pensioners. After the experiment had demonstrated its purpose, the correct position was restored.

Source: Banking Section, Finance Ministry, Parliament Street, New Delhi. F. No. 18/10/2005/Vig /LS
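Both incidents above went unnoticed because nobody recomputed the interest independently of the program that posted it. The following is an added example, not code from the paper or from the book it cites: an audit routine that recomputes each half-yearly credit and classifies every deviation. The account numbers, balances, the simple-interest formula and the half-up rounding rule are constructed assumptions. The sample is built so that the batch control totals still agree, which is why the per-account recomputation is needed.

```python
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")

def expected_interest(balance, rate_pct, months):
    """Simple interest for the period, rounded half-up to the paisa (assumed rule)."""
    exact = balance * rate_pct / 100 * months / 12
    return exact.quantize(PAISA, rounding=ROUND_HALF_UP)

def implied_rate(balance, posted, months):
    """Annual rate (per cent) that would have produced the posted credit."""
    if balance == 0:
        return None
    return (posted * 12 * 100 / (balance * months)).quantize(PAISA)

def classify(expected, posted):
    """Name the deviation pattern for one account."""
    shortfall = expected - posted
    if shortfall < 0:
        return "over_credit"        # candidate destination of diverted sums
    if shortfall <= PAISA:
        return "rounding_slice"     # sub-unit amount shaved off when rounding
    return "rate_deviation"         # credit computed at a different rate

def audit_interest(postings, rate_pct, months=6):
    """Recompute every credit independently of the program that posted it."""
    total_expected = total_posted = Decimal("0")
    findings = []
    for account, balance, posted in postings:
        expected = expected_interest(balance, rate_pct, months)
        total_expected += expected
        total_posted += posted
        if posted != expected:
            findings.append({
                "account": account,
                "kind": classify(expected, posted),
                "shortfall": expected - posted,
                "implied_rate": implied_rate(balance, posted, months),
            })
    return {"total_expected": total_expected,
            "total_posted": total_posted,
            "findings": findings}

# Constructed sample: (account, balance, interest actually posted).
SAMPLE_POSTINGS = [
    ("SB-1001", Decimal("10000.00"), Decimal("250.00")),
    ("SB-1002", Decimal("8840.50"),  Decimal("221.01")),
    ("SB-1003", Decimal("12345.67"), Decimal("308.64")),
    ("SB-1004", Decimal("20000.00"), Decimal("450.00")),  # credited at 4.5 per cent
    ("SB-1005", Decimal("1234.60"),  Decimal("30.86")),   # truncated, not rounded
    ("SB-1006", Decimal("5000.00"),  Decimal("112.50")),  # credited at 4.5 per cent
    ("SB-1007", Decimal("3000.00"),  Decimal("137.51")),  # receives the difference
]

if __name__ == "__main__":
    report = audit_interest(SAMPLE_POSTINGS, Decimal("5"))
    print("control totals agree:",
          report["total_expected"] == report["total_posted"])
    for f in report["findings"]:
        print(f["account"], f["kind"], f["shortfall"], f["implied_rate"])
```

Because the amount taken from the short-credited accounts reappears as an over-credit inside the same batch, a control total on its own passes this sample; only the account-level comparison exposes the four deviating accounts.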

Tampering with Output can be done by destroying outputs to deter or delay discovery of a fraud, or by substituting a fake output in lieu of the original.

Other types of computer frauds are listed below.

Mail Spoofing (E-Mail Forgery): The sender can easily forge a mail posing as an authentic source. Impersonation is done in this way. One of the main reasons for computer frauds is the problem of authentication. Source address authenticity is never verified: the e-mail system was developed to imitate postal mail, and the authenticity of the “From” address was never verified. Though the new mail systems have that capacity, no one can actually stop anyone from setting up a mail server that has this flaw. Using this server, anyone can forge a mail posing as an authentic source. The reply can be sent to a different mail address preferred by the sender instead of the source address.

Another major flaw in the e-mail system is that the sender can always set the e-mail address at which replies to his mail are received. The forger can send a mail with a forged source e-mail address and set its reply address to his own e-mail address, so that the replies reach his actual e-mail address instead of the forged one. Due to the above flaws, a forger can easily pose as any well-known personality without the knowledge of that individual. The receiver always thinks that the mails were from the said address, and his replies actually go to the forger rather than to the real person’s e-mail.

The user’s computer can easily be attacked through e-mail. Though early e-mail software allowed only text messages, due to demand from users the software has been made more intelligent: it can now accept any kind of data, including audio, video and executable files, and execute them at the click of a button.
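The two flaws described under mail spoofing, an unverified “From” address and a reply address chosen by the sender, can both be checked from the headers of a received message. The following is an added example, not part of the original paper: it compares the From, Reply-To and Return-Path domains and reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header. It assumes the receiving mail server stamps that header under its own identifier; both messages, all domains and the identifier mx.recipient.example are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

def domain_of(header_value):
    """Domain part of the address in a header, or '' if the header is absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def assess_message(raw, authserv_id):
    """Report where replies will go and which sender checks failed."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    bounce_dom = domain_of(msg["Return-Path"])
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append("reply-to-differs")
    if bounce_dom and bounce_dom != from_dom:
        findings.append("return-path-differs")

    # Trust only the verdicts stamped by our own receiving server; a sender
    # can add an Authentication-Results header of his own claiming "pass".
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        if header.split(";", 1)[0].strip().lower() != authserv_id:
            continue
        for mechanism, verdict in AUTH_VERDICT.findall(header):
            verdicts[mechanism.lower()] = verdict.lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(mechanism, "missing")
        if verdict != "pass":
            findings.append(f"{mechanism}-{verdict}")

    return {"from": from_dom,
            "replies_go_to": reply_dom or from_dom,
            "findings": findings}

# Constructed message: forged From, replies redirected, sender-supplied "pass".
FORGED = """\
Return-Path: <bounce@bulk-sender.example>
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bulk-sender.example; dkim=none; dmarc=fail header.from=bank.example
Authentication-Results: mail.bulk-sender.example; spf=pass; dkim=pass; dmarc=pass
From: "Bank Customer Care" <care@bank.example>
Reply-To: accounts-desk@bank-helpdesk.example
To: customer@recipient.example
Subject: Notice

(constructed body)
"""

# Constructed message: consistent headers and passing checks.
GENUINE = """\
Return-Path: <care@bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example
From: "Bank Customer Care" <care@bank.example>
To: customer@recipient.example
Subject: Notice

(constructed body)
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(name, assess_message(raw, "mx.recipient.example"))
```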

Web Spoofing: In a similar fashion, even the bank sites can be forged. The customers of the bank can be lured to log on to a fake web site, which looks and behaves exactly like the original, at least until it captures the customer’s username and password. Afterwards the owners of the forged web site pose as the real customers of the bank, log on to the real site and do transactions with the captured username and password. The bad part of the whole issue is that the customers do not have any means of proving that it was not they who did those transactions but some unknown persons. This kind of fraud has been increasing on the Internet, to steal usernames, passwords, credit card information, etc. The main reason is that customers are not well aware of the mechanisms of information technology. Users do not actually understand how a URL (Universal Resource Locator, which everyone types in a browser after http://) should be interpreted. They just see the first few strings of the URL, and if it includes the name of the web site they want to access, they are satisfied. For example, take these two URLs:

(a) http://secure.bankname.com/mutualfnd/mutualfunds.asp,

(b) http://secure.bankname.com:any?@202154156/mutualffid/mutualfunds.asp

It would be very difficult for a normal user to understand the difference between these two URLs. While the first one takes him to the right bank site, the other one can take him to a forged site, on which he can reveal his username and password. The URL can be circulated to all users using the e-mail forgery mechanisms described earlier. Instead of typing the whole URL or going from the homepage of the original web site, the user just clicks the hyperlink given in the

Sabotaging the facilities by physical damage and short circuiting.
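The difference between the two URLs in the web spoofing discussion lies in which part of the string is the host. The following is an added example, not part of the original paper: a link check that a mail gateway or a banking client could apply, which parses the URL, reports the host that would actually be contacted, and flags a trusted name that appears anywhere other than the host. The first sample URL is URL (a) from the text; the others are constructed, use the documentation address 203.0.113.7 and the reserved domain login.example, and the allow-list is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allow-list: the host name used in URL (a) of the text.
ALLOWED_HOSTS = {"secure.bankname.com"}

def as_ip(host):
    """Return the IP address a host string denotes, or None if it is a name.

    An all-digit host is read as one integer, the way browsers read it."""
    try:
        return ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        return None

def inspect_url(url, allowed_hosts):
    """Return (effective_host, findings) for a link before it is followed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []

    # Anything before '@' in the authority is user information, not the host.
    if parts.username is not None:
        findings.append("userinfo-before-host")
    try:
        parts.port                    # raises ValueError if not numeric
    except ValueError:
        findings.append("invalid-port")

    ip = as_ip(host)
    if ip is not None:
        host = str(ip)                # normalise to dotted form for the report
        findings.append("ip-address-host")

    if host not in allowed_hosts:
        findings.append("host-not-allowlisted")
        # The trusted name is visible in the link but is not where it leads.
        if any(name in url.lower() for name in allowed_hosts):
            findings.append("trusted-name-outside-host")
    return host, findings

SAMPLE_URLS = [
    # URL (a) as given in the text.
    "http://secure.bankname.com/mutualfnd/mutualfunds.asp",
    # Constructed: trusted name placed in the user-information field.
    "http://secure.bankname.com:any@203.0.113.7/mutualfnd/mutualfunds.asp",
    # Constructed: the same address written as a single integer.
    "http://secure.bankname.com@3405803783/mutualfnd/mutualfunds.asp",
    # Constructed: trusted name used as a prefix of another domain.
    "http://secure.bankname.com.login.example/mutualfnd/mutualfunds.asp",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        host, findings = inspect_url(url, ALLOWED_HOSTS)
        print(f"{url}\n  goes to: {host}\n  findings: {findings or 'none'}")
```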

CREDIT CARD FRAUDS

Instances of frauds in the credit card business of banks, including by way of the use of fake credit cards, have come to the notice of the RBI. The number of such instances and the amounts involved therein, as reported by various banks during the following years, are as under:

Years    No. of frauds    Amount involved (Rs in lacs)
2002     250              71.98
2003     227              64.74
2004     99               83.05

Source: Banking Division, Ministry of Finance, Government of India. File No- 18/9/2005/Vig.

Genuine cards are stolen, altered and misused. Counterfeit cards are created. Sometimes defrauders duplicate the original cards through photo-mechanical processes, employing similar material and similar processes of printing and embossing, besides magnetic encoding. Fraudulent telemarketing is done with credit cards. Telemarketers offer goods to potential purchasers at highly reduced prices or by a lottery system. They inform customers about their fake win and ask them for processing of dispatch expenses through their credit cards, about which the information is provided by mail or by phone. Occasionally the account numbers are purchased from dishonest telemarketers. They prepare forged sale drafts and encash them directly or through other merchants on a commission basis.


According to statistics released in 2001 by the National Consumers League’s National Fraud Information Center (NFIC), Washington DC, frauds through bank debits were particularly high in certain categories among the top ten telemarketing frauds in 2001. Bank debits are situations in which fraudulent telemarketers obtain consumers’ bank account numbers either by luring consumers into providing them or by getting them from another source: 62 per cent of consumers paid for bogus credit card offers with bank debits; 50 per cent gave out their bank numbers in the increasingly popular age-old Nigerian money offer scam; and 26 per cent had funds withdrawn from their bank accounts for buyers clubs they never agreed to purchase.

Source: “Fraudulent Telemarketers Snatching Bank Account Numbers,” National Fraud Information Center Stats Show, February 6, 2002.

Any banker would like to provide banking facilities to the bigwigs of industry. Fraudulent people know this weakness and exploit it. They apply for credit cards impersonating these bigwigs and collect the materials at a specified post box or post bag. Once the cards are obtained, they are misused as intended.

Many times bank employees have access to both the customer’s PIN and the plastic card at the same time. In some banks, when a customer lost his card he informed a bank employee; the bank employee made a call to the computer or bank card centre and got the PIN on the plea that the customer had forgotten his/her PIN. Later on the information is misused.

PREVENTIVE MEASURES IN CASE OF COMPUTER FRAUDS

Computerization may not deter frauds or eliminate them altogether. It will certainly help to uncover them faster than before. This is because book-keeping will never fall into arrears, and frauds can no longer remain concealed forever or for very long periods. On the other hand, banks now face the risk of losing large sums of money, which may be neither traced nor recovered. The situation calls for the introduction of a more comprehensive and effective system of surveillance over staff.

Access Control: These controls are designed to prevent, or limit the likelihood of, unauthorized access to data files or programs. The access controls that can be built into the system are password, card, biometrics, encryption and authentication.

Password: “One password, one person” should be the rule of thumb. When an operator changes, the access password to the computer should invariably change as well. Passwords should be alphanumeric and longish, not easily picked up by an unauthorized person. Users’ passwords should be changed at a predetermined frequency. The operator using a password must know that all work done with the password will be his responsibility, and he should acknowledge this in writing.

Card [PIN]: Authorization can be done through cards. The card is inserted into the computer and the computer allows access to specified data. The cash dispenser checks the PIN code on the magnetic strip of the card against the card number keyed in by the cardholder, and the two codes must match before the cardholder is allowed to withdraw any cash.

Biometrics: Biometrics is the science of recognizing a person using distinguishing traits. Physiological and behavioral characteristics are unique to an individual and can be scanned, scaled and scrutinized. The former include fingerprints, retinal and iris peculiarities, hand geometry, voice patterns and facial recognition; the latter encompass gait, speech, handwriting, signatures, mannerisms and gestures, as well as traits that remain to be explored. They are individualistic and ensure perfect security. Significantly, they help in the detection of bank frauds in Automatic Teller Machine (ATM) operations, workstation and network access, e-business transactions over the Internet, biometrics-embedded credit cards, key encryption security enhancement, digital watermarking, public identity smart cards and, above all, voice recognition for telephonic conversations. Biometrics can lend greater potency to digital signatures.

Encryption and Electronic Signature: Encryption is a method that uses mathematical algorithms and keys to scramble (or encode) a message before sending and unscramble (or decode) the message when received. An electronic signature is a personal identification system that may include a personal identification number (PIN), password, digital signature, smartcards, biometrics, etc.

• There should be adequate segregation of functions, duties and responsibilities and minimum authorization of possible privilege. In order to maintain system security, each user of the system should be authorized no more privileges than are absolutely necessary for the performance of his/her duties and assigned jobs.

• There should be proper handling of rejects and re-entries, as this area has been a favorite spot for theft to occur. A repeated control function is needed in all systems to provide for proper handling and disposition of all rejects and re-entries.

• There should be a security awareness program that reviews and emphasizes the continued security responsibility of each employee.

• Data may be threatened by exposure to several key DP management positions. System programmers pose a great risk with their capability of making changes at machine level. Such changes may never be recognized by others. Work may be assigned in such a way that no system programmer works alone. At least two authorized persons should handle inputs and erasure. The supervisor should check the data before and after the changes in all important cases. Providing only one-way computer terminals should also protect the data needed by a bona fide user, so that the operator is not able to alter or erase the data he is using. The operator should not leave an open computer unattended. Any subsequent software development or modification by the vendor may be done off site, and only customization may be permitted on site. When the user logs in to the system the application package should take over, and when he exits from the package he should be logged out automatically.

PREVENTIVE MEASURES IN CASE OF ATM FRAUD

• Monitoring ATMs continuously by installing closed-circuit television and patrolling ATMs more frequently during and after office hours.

• Implementing a mechanism that records relevant information on ATM cards or credit cards so that banks can determine whether an unauthorized ATM transaction is carried out through a counterfeit card.

• Encouraging customers to report any suspicious devices detected on ATMs and providing them, at the ATMs, with the relevant telephone number to do so.


PREVENTIVE MEASURES IN CASE OF CARD FRAUDS

• The banker should educate the customer about the consequences of card fraud and should advise the customer on the following preventive measures. Consumers should never let cards out of sight and should check receipts and bank statements thoroughly. Consumers should shred all their card receipts. Consumers should have a different PIN for every card. Consumers should cover the hand they are using to enter their PIN, as fraudsters hover around cash machines, spying on users in a bid to capture their PIN. It is essential that customers protect their card and PIN. Card and PIN should be treated like cash. Consumers should guard their personal financial information carefully and should not divulge private and confidential information to telemarketers.

• The cards are mailed to the customer. This results in many cards getting into the wrong hands. So whenever the card is sent through courier or mail, confirmation on telephone in addition to the paper receipt should be obtained.

• The sales terminals should be alerted promptly whenever the banker receives information about a lost or stolen credit card. Banks should utilize computer software for cases where a card is stolen or lost without the knowledge of the customer. The system tracks card usage, and if it detects an abrupt change in usage it reports this change in usage pattern to the banker. The banker becomes vigilant and can make further enquiry.

• There should be a monitoring system to help locate unscrupulous merchants who allow the use of fraudulent cards to make a fast buck.

• The presence of knowledge (as far as the PIN is concerned), possession of the card, and unique human characteristics using biometric technology enables the cardholder's identity to be reliably verified.
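The usage-tracking control described in the bullets above, sketched as an added example (it is not code from the paper or from any bank's system): a transaction is referred to the banker when the card is on the hot list, when the amount departs sharply from the card's past spend, or when transactions arrive in a burst. The card identifiers, amounts, thresholds and the names review and mad_score are assumptions made for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample data: card ids, amounts and times are illustrative only.
HOT_CARDS = {"CARD-0002"}                     # cards reported lost or stolen
T0 = datetime(2015, 1, 10, 12, 0)
HISTORY = [(T0 - timedelta(days=d), amt)      # six earlier purchases on CARD-0001
           for d, amt in [(12, 450), (10, 500), (8, 520), (6, 480), (4, 610), (2, 550)]]

def mad_score(amounts, amount):
    """Distance of `amount` from the card's median spend, in robust (MAD) units."""
    med = median(amounts)
    mad = median(abs(a - med) for a in amounts) or 1.0   # flat history: avoid /0
    return abs(amount - med) / (1.4826 * mad)

def review(card, amount, when, history, score_limit=6.0, min_history=5,
           burst_limit=3, burst_window=timedelta(hours=1)):
    """Return the reasons (possibly none) to refer this transaction to the banker.

    history: list of (datetime, amount) pairs for earlier use of the same card.
    """
    if card in HOT_CARDS:
        return ["card is on the hot list"]    # reported card: no further checks
    reasons = []
    amounts = [a for _, a in history]
    # The amount check needs enough history to form a baseline.
    if len(amounts) >= min_history and mad_score(amounts, amount) > score_limit:
        reasons.append("amount far outside usual spend")
    # Velocity check: several earlier transactions shortly before this one.
    recent = [t for t, _ in history if timedelta(0) <= when - t <= burst_window]
    if len(recent) >= burst_limit:
        reasons.append("burst of transactions in a short window")
    return reasons

if __name__ == "__main__":
    burst = HISTORY + [(T0 - timedelta(minutes=m), 500) for m in (40, 25, 10)]
    for args in [("CARD-0001", 530, T0, HISTORY), ("CARD-0001", 25000, T0, HISTORY),
                 ("CARD-0001", 510, T0, burst), ("CARD-0002", 100, T0, [])]:
        print(args[0], args[1], review(*args) or "ok")
```

The median and MAD are used instead of mean and standard deviation so that one earlier large purchase does not widen the baseline and hide the next one.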

DISCUSSIONS, ANALYSIS AND FINDINGS

An empirical survey of 253 bank employees using a self-administered questionnaire was conducted to investigate the opinions of bank employees regarding the impact of computerization on bank frauds, their training status and the extent to which they implement simple security control mechanisms in a computerized environment.

The results indicate that almost half of the respondents (approximately 53 per cent) believe that the introduction of information technology has reduced frauds not at all or only to some extent, as evident from the following Table 1.

Table 1
Frequency and Percentage Distribution of Responses of Managers, Officers and Clerks of their Views on Whether Introduction of Computers has Reduced Fraud

| Position | Yes or to Large Extent: Frequency | Yes or to Large Extent: Percentage | No/To Some Extent: Frequency | No/To Some Extent: Percentage |
|---|---|---|---|---|
| Managers | 22 | 47.82 | 24 | 52.17 |
| Officers | 53 | 48.18 | 57 | 51.81 |
| Clerks | 44 | 45.36 | 53 | 54.64 |
| Total | 119 | 47.03 | 134 | 52.97 |


Around 61.27 per cent of the respondents think that it has only changed the nature of frauds to a large extent, as shown below.

Table 2
Frequency Distribution of Responses of Managers, Officers and Clerks of their Views on Whether the Introduction of Computer has Changed the Nature of Fraud

| Position | Yes or to Large Extent (Percentage) | No/to Some Extent (Percentage) |
|---|---|---|
| Managers | 58.7 | 41.3 |
| Officers | 63.63 | 36.36 |
| Clerks | 59.79 | 40.21 |
| Total | 61.27 | 38.73 |

A very high proportion of respondents (approximately 97 per cent) felt that a proper mechanism is not yet developed to prevent computer frauds.

This can be seen from the following table.

Table 3
Frequency Distribution of Responses of Managers, Officers and Clerks of their Views on Whether Proper Mechanism to Prevent Computer Frauds is Yet to be Developed

| Position | Yes (Percentage) | No (Percentage) |
|---|---|---|
| Managers | 95.65 | 4.35 |
| Officers | 97.27 | 2.73 |
| Clerks | 97.94 | 2.06 |
| Total | 97.23 | 2.77 |

The employees are not well trained; only 16.13 percent of employees feel that they are well trained to detect computer frauds, as evident from the following table.

Table 4
Frequency Distribution of Responses of Managers, Officers and Clerks of their Views on Whether they are Well Trained to Detect Computer Frauds

| Position | Yes or to Large Extent (Percentage) | No/To Some Extent (Percentage) |
|---|---|---|
| Managers | 13.04 | 73.92 |
| Officers | 14.24 | 85.76 |
| Clerks | 2.06 | 97.94 |
| Total | 16.13 | 83.87 |

The awareness level regarding computer related frauds is very low (approximately 13 percent of respondents are aware) and the awareness level regarding credit card frauds is also not up to the mark. Around 80 percent of employees are either not at all or only to some extent aware of the types of frauds that are perpetrated in the credit card section. The following tables show their awareness level in computer related frauds and credit cards respectively.


Table 5
Frequency Distribution of Responses of Managers, Officers and Clerks on their Awareness Regarding Computer Related Frauds

| Position | Yes or to Large Extent (Percentage) | No/To Some Extent (Percentage) |
|---|---|---|
| Managers | 23.92 | 76.08 |
| Officers | 10 | 90 |
| Clerks | 11.34 | 88.66 |
| Total | 13 | 87 |

Table 6
Frequency Distribution of Responses of Managers, Officers and Clerks on their Awareness Regarding Frauds in Credit Cards

| Position | Yes or to Large Extent (Percentage) | No/To Some Extent (Percentage) |
|---|---|---|
| Managers | 80.44 | 19.56 |
| Officers | 75.45 | 24.55 |
| Clerks | 83.51 | 16.49 |
| Total | 20.55 | 79.45 |

When asked about certain important terms in the credit card section, 40 percent of the respondents were not aware of the term hot card file terminal and 26 percent of respondents did not have any idea about the hot list bulletin. It seems that bank staff are not sufficiently educated to understand the implications of non-adherence to security controls in a computerized environment.

Changing passwords periodically is a simple and important security control, which is not followed. Around 26.8 percent of managers, 24.55 percent of officers and 7.22 percent of clerks say that they do not change their password periodically. This can be seen from the following table.

Table 7
Frequency Distribution of Responses of Managers and Officers and Clerks on Whether they Change their Passwords for Computer use Periodically

| Position | Yes (Percentage) | No (Percentage) |
|---|---|---|
| Managers | 73.91 | 26.09 |
| Officers | 75.45 | 24.55 |
| Clerks | 92.78 | 7.22 |
| Total | 81.82 | 18.18 |

For security reasons in a computerized environment there should be a special control for reject and reentry. Around 47.83 percent of managers and 50 percent of officers say that they do not have a special control for reject or reentry, as evident from the following table.


Table 8
Frequency Distribution of Responses of Managers and Officers on Whether they have Special Control for Reject or Reentry for Computerised Transaction

| Position | Yes or to Large Extent (Percentage) | No/To Some Extent (Percentage) |
|---|---|---|
| Managers | 52.17 | 47.83 |
| Officers | 50 | 50 |
| Total | 50.64 | 49.36 |

The security controls in the credit card section are also not adequate.

Table 9
Frequency Distribution of Responses of Managers and Officers on whether they have Effective Monitoring System to help Locate Unscrupulous Merchants

| Position | Yes: Frequency | Yes: Percentage | No: Frequency | No: Percentage | Not Applicable: Frequency | Not Applicable: Percentage |
|---|---|---|---|---|---|---|
| Managers | 10 | 21.74 | 20 | 43.43 | 16 | 34.78 |
| Officers | 31 | 28.18 | 31 | 28.18 | 48 | 43.64 |
| Total | 41 | 26.28 | 51 | 32.69 | 64 | 41.02 |

The bank should have a sound monitoring system to help locate unscrupulous merchants. But the above table reflects that, out of those employees that handle credit cards, 33.3 per cent of managers and 50 per cent of officers state that they have a proper mechanism to help locate unscrupulous merchants, while 66.6 per cent of managers and 50 per cent of officers say that such a mechanism is not present.

Table 10
Frequency Distribution of Responses of Managers and Officers on Whether they check that the Applicant of Credit Card is Holding Credit Card from other Issuer also

| Position | Always: Frequency | Always: % | Often: Frequency | Often: % | Occasionally: Frequency | Occasionally: % | Never: Frequency | Never: % | Not Applicable: Frequency | Not Applicable: % | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Managers | 14 | 30.43 | 4 | 8.7 | 9 | 19.6 | 3 | 6.52 | 16 | 34.78 | 46 |
| Officers | 20 | 18.18 | 11 | 10 | 12 | 10.9 | 19 | 17.27 | 48 | 43.64 | 110 |
| Total | 34 | 21.79 | 15 | 9.62 | 21 | 13.5 | 22 | 14.1 | 64 | 41.03 | 156 |

For the implementation of the best practice code, the managers and officers should check whether the new applicant is holding a credit card from another issuer also.

Out of those respondents who issue credit cards, around 58.62 percent do not always check that the applicant is holding a card from other issuers.

In order to prevent frauds that arise due to stolen or lost credit cards, the managers and officers should alert sales terminals about lost and stolen cards. But Table 11 reflects that, out of the employees who deal in credit cards, 45.56 per cent do not always alert sales terminals about lost and stolen cards.


Table 11
Frequency Distribution of Responses of Managers and Officers on whether they Alert Sales Terminals about Lost and Stolen Cards Promptly

| Position | Always: Frequency | Always: % | Often: Frequency | Often: % | Occasionally: Frequency | Occasionally: % | Never: Frequency | Never: % | Not Applicable: Frequency | Not Applicable: % | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Managers | 16 | 34.78 | 5 | 10.87 | 1 | 2.17 | 8 | 17.39 | 16 | 34.78 | 46 |
| Officers | 34 | 30.91 | 13 | 11.82 | 9 | 8.18 | 6 | 5.45 | 48 | 46.36 | 110 |
| Total | 50 | 32.05 | 18 | 11.54 | 10 | 6.41 | 14 | 8.97 | 64 | 41.03 | 156 |

Table 12
Frequency Distribution of Responses of Managers and Officers on whether they Obtain Confirmation on Telephone after Dispatching Credit Card through Courier

| Position | Always: Frequency | Always: % | Often: Frequency | Often: % | Occasionally: Frequency | Occasionally: % | Never: Frequency | Never: % | Not Applicable: Frequency | Not Applicable: % | Total |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Managers | 11 | 23.91 | 5 | 10.87 | 7 | 15.22 | 7 | 15.2 | 16 | 34.78 | 46 |
| Officers | 28 | 25.45 | 13 | 11.82 | 8 | 7.27 | 13 | 11.8 | 48 | 43.64 | 110 |
| Total | 39 | 25 | 18 | 11.54 | 15 | 9.62 | 20 | 12.8 | 64 | 41.03 | 156 |

In order to make sure that the credit card falls into the right hands, the manager and officer should obtain confirmation on telephone after dispatching the credit card through courier. But it is evident from the above table that, out of the employees who deal in credit cards, around 58 per cent of respondents do not always obtain confirmation from the customer on telephone after dispatching the card through courier.

CONCLUSIONS AND SUGGESTIONS

A proper mechanism for prevention of computerized fraud is yet to be developed. Computer frauds are high-tech crimes and require the investigator to have a good knowledge of information technology. It is not easy to trace the criminal, the place and the time of the crime. Computer frauds can cause tremendous loss as it is not possible to detect them early. The employees should be made technology savvy, so that they can understand the implications of not implementing the security controls in a computerized environment. New methods of security control in a computerized environment should be introduced, like iris detection and voice identification. Punjab National Bank has installed first biometric ATM at the Chhapraula Village branch of Distt. Gautam Buddha Nagar in U.P. for the benefit of illiterate and semiliterate customers. It will help them to avail of ATM facilities conveniently and securely. Such ATMs should now be installed for security reasons. Customers should be educated about credit card frauds so that they become more vigilant. In relation to the banking industry, there is a need for greater sharing of information between financial institutions on the trends and practices of fraudsters and on fraud typologies, especially those frauds that are committed in a computerized environment.

COMPUTERIZATION IN BANKS-ITS VULNERABILITY TO FRAUDS AND ITS PREVENTIVE MEASURES / 49

ReferencesButtross, T. and Ackers, M. D. (1990), “A Time-saving Approach to Microcomputer Security”, Journal

of Accounting and EDP, Vol. 6 No. 1, pp. 31-5.

Dhillon, G. (1999), “Managing and Controlling Computer Misuse”, Information Management &ComputerSecurity, Vol. 7 No. 4, pp. 171-5.

Haugen, S. and Selin , J. R. (1999), “ Identifying and Controlling Computer Crime and EmployeeFraud , Industrial Management and Data Systems, Vol .8 , pp. 340-344.

Henry, L. (1997), “A Study of the Nature and Security of Accounting Information Systems: the Case ofHampton Roads, Virginia”, The Mid-Atlantic Journal of Business, Vol. 33, No. 63, pp. 171-89.

Torbet, Gail.E.; Marshall, Ian.M. and Jones, Steve., “ One in the Eye to Plastic Card Fraud”, InternationalJournal of Retail & Distribution Management, Vol. 23, No. 5, pp. 3-11.

Rotchanakitumnuai, S. and Speece, M. (2003), “Barriers to Internet Banking Adoption a QualitativeStudy among Corporate Customers in Thailand , International Journal of Bank Marketing, pp.312-323.

Rusch, J. (2001), “The Rising Tide of Internet Fraud”, United States Attorneys’ Bulletin, (InternetFraud Cybercrime II), Vol. 49, No. 3, pp. 6-12.

Roger K. D. (1999), “Computer and Accounting: Where Do We Go from Here?” Managerial AuditingJournal, Vol. 14, No. 9, pp. 487-488.

Qureshi, A. A. and Siegel, J. (1997), “The Accountant and Computer Security”, The National PublicAccountant, Vol. 43, No. 3, May, pp. 12-15.

Sharma, S. and Brahma, A. “ Role of Insider in banking Fraud”, available at http;// manuputra .com

Parker, D. B. (1981), Computer Security Management, Reston Publishing Company, New York, NY.

Ganesh, S., “Prevention of Computer Frauds in Banking”, Financial Express, Article, 2-Jun-03.

Shah, P., Sangita, F., “RBI Tells Banks to Beef up Anti-fraud Mechanism”, Business Standard, NewsItem, 18-May-02.