Home | Back Issues | Contact Us | News Home
“All Citizens are Equal before Law and are Entitled to Equal Protection of Law”-Article 27 of the Constitution of the People’s Republic of Bangladesh

Issue No: 151
January 09, 2010

This week's issue:
Law opinion
Law Tribute
Laws For everyday life
Human Rights analysis
Human Rights monitor
Law lexicon
Law Amusements
Law Week

Back Issues

Law Home

News Home


Laws For everyday life

Online Banking: How to ensure secure transaction?

Md. Ekram Uddin Khan Chowdhury and Md. Iqbal Hossain

Recently Governor of Bangladesh Bank declared that within very short span of time Bangladesh will enter into the Online Banking System. Bangladesh Bank offered broad use of online banking service facilitating subscribers of all the commercial banks of the country. According to that announcement, the online customers now will be able to pay utility bill from the customers' savings or daily transaction accounts. They can transfer funds to another bank as well as can trade by online. It also announced that monetary transaction within the country now is also possible through the credit card by using internet. But online transaction will pose huge threat for customers and banking system if not guided by proper legal and extra legal measures. In this short write up we will try to sum up legal and extra legal measures to ensure security of online transaction.

The IT law in Bangladesh
Bangladesh adopted Information Technology Law, 2006 for regulating Information Technology (IT) related disputes and to meet global requirements. Chapter-1, Sec-2 of the Act defines certain IT related definitions, but it has not specifically mentioned about online transaction related crime. In Part-1 of Chapter-8, Sec-54 to 67 mentioned certain acts which can be well applied in case of fraud or crime during online banking transaction.

According to sec. 54 (1) if any person, without permission of the owner or any other person who is in charge of a computer, computer system or computer network would commit crime if he: a) accesses to any computer or computer network or system, to damage data, computer database or information from such computer, computer system or computer network or provides any assistance to any person to facilitate access to a computer, computer system or computer network; b) downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium; c) introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network; d) maliciously or with sound knowledge, damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programmes residing in such computer, computer system or computer network; e) maliciously or with sound knowledge, disrupts or causes disruption of any computer, computer system or computer network; f) denies or causes the denial of access to any person authorised to access any computer, computer system or computer network by any means; g) provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, or rules and regulations made there under; h) maliciously or with sound knowledge, without permission of sender or subscriber, having intention for marketing, spam producing or send unexpected email; i) charging the services availed of by a person to the account of another person by tampering with or manipulating any computer or computer network.

The scope of the section is rather pervasive. The above harmful acts shall be treated as 'crime'. If anyone commits any act mentioned under sub sec (1) as stated above, then he or she shall be liable to pay to the person affected compensation not exceeding Taka Ten Lack or imprisonment not exceeding 10 years or both. Again in sec. 56(1) of the Act states that if any person occurred any act with malice and having sound knowledge that the act will be harmful for mass people or any specific person (natural or legal) and access to any computer or computer network or system, to damage or change data, computer database or information from such computer, computer system or computer network and tempering or manipulating any data, computer database or information of any computer system or computer network, for which its utility and purpose will destroyed or having possibility to destroyed. (2) or accessed to any computer network or system where the is not authorized to access and cause damage that computer system or network; then the act shall be treated as 'Hacking' and the punishment of this type act is fine which is not exceeding taka 1 crore or imprisonment, which is not exceeding 10 years or both.

Sec.66 attempts to define crime which is committed by using computer or computer system or network. As internet is a borderless world, anyone from any territory can commit crime. In this case, jurisdiction, applicable law and recognition of foreign judgment will be vital factor to try a foreign subject. Sec.4 of the 1st Chapter of the IT Act briefly describes about cross border issues. However, it should be mentioned that concerned Court and police officer should have sound IT knowledge to deal with IT related crime. But the most important thing to prevent online transaction related crime is to increase awareness among the users and online banking service providers regarding some potential threat and good practices to avoid these threats.

Types of electronic fraud
Several types of electronic fraud specifically target online banking. Some of the more popular types are as follows:

Phishing attacks- use fake email messages from an agency or individual pretending to represent your bank or financial institution. The email asks you to provide sensitive information (name, password, account number, and so forth) and provides links to a counterfeit web site.

Malware- It is the term for maliciously crafted software code. Special computer programs now exist that enable intruders to fool you into believing that traditional security is protecting you during online banking transactions.

Account information theft- Malware can capture the keystrokes for your login information. Malware can also monitor and capture other data you use to authenticate your identity (for example, special images that you selected or “magic words” you chose).

Fake web site substitution- Malware can generate web pages that appear to be legitimate but are not. They replace your bank's legitimate web site with a page that can look identical, except that the web address will vary in some way. Such a “man-in the-middle attack” site enables an attacker to intercept your user information. The attacker adds additional fields to the copy of the web page opened in your browser. When you submit the information, it is sent to both the bank and the malicious attacker without your knowledge.

Account hijacking- Malware can hijack your browser and transfer funds without your knowledge. When you attempt to login at a bank web site, the software launches a hidden browser window on your computer, logs in to your bank, reads your account balance, and creates a secret fund transfer to the intruder-owned account.

Pharming attacks- It involves the installation of malicious code on your computer; however, they can take place without any conscious action on your part. In one type of pharming attack, you open an email, or an email attachment, that installs malicious code on your computer. Later, you go to a fake web site that closely resembles your bank or financial institution. Any information you provide during a visit to the fake site is made available to malicious users.

Measures suggested
All the attack types listed above share one characteristic; they are created using technology but, in order to succeed, they need you to provide information. When it comes to online banking, there is no way to absolutely guarantee your safety. However, good practices do exist that can reduce the risks posed to your online accounts. The following points may be of immense help:

* Review your bank's information about its online privacy policies and practices. By law, banks are required to send you a copy of their privacy policies and practices annually; you may also request a copy of this information.
* Before setting up any online bill payment, check the privacy policy of the company or service you will be sending payment to.
* For security purposes, choose an online personal identification number (PIN) that is unique and hard to guess.
* Install anti-virus, firewall, and anti-spyware programs on your computer and keep them up to date.
* Regularly check your online account balance for identifying unauthorized activity.
* Use a credit card to pay for online goods and services. Credit cards usually have stronger protection against personal liability claims than debit cards.
* Avoid situations where personal information can be intercepted, retrieved, or viewed by unauthorized individuals.
* If you receive email correspondence about a financial account, verify its authenticity by contacting your bank or financial institution.

The writers are Post-graduate Students of Law respectively at the Stockholm University and The Royal Institute of Technology, Sweden.


© All Rights Reserved