Evolution of cybercrime: It’s in the many technicalities

Last Friday, police officials collected details of a SIM card number that was used for hacking a mobile financial service (MFS) account.

To their utter surprise, law enforcers found that the SIM was registered under the name of an employee of a reputed private firm, who had no idea his details were being used by a hacker.

However, this incident is far from being isolated. Criminals often use pre-registered SIM cards for threat calls, hacking and illegal trade to keep police in the dark.

Law enforcers believe this has been made possible due to the easy availability of such SIM cards in the market and lack of monitoring.

This correspondent recently visited the capital's Panthapath area to test the claim.

A man was found selling SIM cards at a makeshift roadside stall near the Panthapath intersection. When approached to buy one from him without NID, he refused to sell at first.

However, after some more conversations, he decided to sell a pre-registered SIM card in exchange for Tk 700, which after some more bargaining came down to Tk 600.

"You are in luck today," he told this correspondent.

"The easy availability of SIM cards poses a major limitation for us to deal with cybercrimes. Syndicates collect personal details from people in different areas in the name of surveys and then use them to register SIM cards without their knowledge," said Chatak Chakma, assistant commissioner of  cybercrime unit of Counter Terrorism and Transnational Crime (CTTC).

He said these SIM cards are later sold to criminals who use them for hacking and other fraudulent activities. They later go off the radar by switching the numbers off, said Chatak.

Subrata Roy Maitra, vice-chairman of Bangladesh Telecommunication Regulatory Commission (BTRC), recently said they conduct regular drives against these activities and act on any specific complaint.

"We even serve show-cause notices to the operators concerned," he said.

In August last year, CTTC's e-fraud team conducted a drive in different areas of Sylhet and arrested five over hacking of MFS accounts. All 540 SIM cards found in their possession were pre-registered.

"Targeting uneducated tea workers, they take fingerprints and other details from them twice or thrice, because the scanning was not done properly. In the process, they register for three SIM cards with the information of one individual, but provide each with one card only," said Suranjana Saha, assistant commissioner of the e-fraud team, who led the drive in Sylhet.

"We found a SIM distributor involved in the scam and arrested him. Lack of monitoring is a major reason behind these occurrences," she added.

THE CURSE OF SHARED IP

Law enforcers said in Bangladesh, only a limited number of people use unique internet protocol (IP) addresses -- numerical labels connected to computer networks. Others use shared IP addresses for their affordability.

Owing to the use of shared IP, it is difficult to trace a criminal when it comes to cybercrime, said Junaed Alam Sharker, additional deputy commissioner of DB's cyber and special crime division.

CTTC official Chatak Chakma said this issue can be solved by making the use of a unique IP mandatory for all.

"Internet service providers are supposed to keep a log of every user for a certain period but the records are often missing," said Chatak.

"We are now using internet protocol version (IPV) 4. Once we start using IPV 6 like the developed countries, it will be easier to implement the solution, as this most recent version provides a robust identification system for computers and routes internet traffic," he added.

Md Imdadul Hoque, president of Internet Service Providers Association of Bangladesh, told this correspondent that they expect the country will be using IPV 6 in the next two years.

"Presently, there are around 2,000 registered members, and we have been keeping a user log of every six months. The problem occurs with unregistered service providers," he explained.

LACK OF TRAINING, ABSENCE OF MLAT

According to the register books of the cybercrime tribunal in Dhaka, a total of 163 cases were disposed of from 2013 to May 30 this year. Of them, no one was punished in 137 cases.

A high official of Cyber Police Centre (CPC) of CID said one of the major reasons behind the low conviction is the lack of training for local police in dealing with such cases.

"We are handed the case after a delay. By then, evidence is either removed or tampered, and we have to submit a subpar charge sheet," said the official, requesting anonymity.

Admitting this limitation, SM Ashraful Alam, special superintendent of CPC, said they are providing training to officials, but it is not sufficient to deal with these crimes.

An initiative was taken to set up a cyber police station under CPC in 2020, to ensure charge sheets are submitted with all evidence, said officials.

The station will first be set up in Dhaka and then in other districts.

Other reasons behind low conviction are lack of evidence, witnesses not appearing in court and lack of expertise, said lawyers.

Moreover, Bangladesh has no Mutual Legal Assistance Treaty (MLAT) with other countries to share information about cybercrime incidents, said Chatak Chakma.

"Cybercrime is transnational,  but we often do not get information from other countries due to the absence of an MLAT," he said.

OTHER LIMITATIONS

Bangladesh does not have any direct liaison with Google, Facebook or WhatsApp, which poses yet another limitation, said SM Ashraful Alam of CID.

"We only get responses from the tech giants in life-threatening situations. Cases like defamation remain unaddressed," he said. "Steps have been taken from the government to strike a deal with these companies."

IT expert Tanveer Hassan Zoha said it only takes four or five clicks for local hackers to hack social media accounts if they have any fake or real NID, passport or driving licence details.

"We need to be cautious about sharing our information. Awareness is the only solution from a user's end," he added.