Criminal Liability For Manipulation Of Digital Banking Apps
1. Conceptual Overview
Digital banking apps allow customers to perform transactions, manage accounts, and access financial services. Manipulation of these apps can involve:
Hacking or unauthorized access to accounts
Phishing attacks or credential theft
Modifying app code or backend to commit fraud
Unauthorized transactions or fund transfers
Creating fake transactions or manipulating records
Criminal liability arises when such acts violate laws relating to cybercrime, banking regulations, or fraud.
2. Legal Framework
Key statutes and principles include:
India
Information Technology Act, 2000
Section 66: Computer-related offenses (hacking)
Section 66C: Identity theft
Section 66D: Cheating by personation using computer resources
Indian Penal Code (IPC) 1860
Section 420: Cheating and dishonestly inducing delivery of property
Sections 463–466: Forgery
Reserve Bank of India Guidelines: Liability and due diligence requirements for banks
USA
Computer Fraud and Abuse Act (CFAA) 1986
Wire Fraud Statute, 18 U.S.C. § 1343
Bank Fraud Statute, 18 U.S.C. § 1344
UK
Fraud Act 2006 (fraud by false representation, false accounting)
Computer Misuse Act 1990 (unauthorized access to computer material)
3. Case Law Analysis
Here are five significant cases illustrating prosecution for digital banking app manipulation:
Case 1: State of Tamil Nadu v. S. Saravanan (India, 2019)
Facts:
The accused gained unauthorized access to multiple bank accounts via a digital banking app by phishing OTPs (one-time passwords).
Transferred funds to personal accounts totaling over ₹50 lakhs.
Court Findings:
Convicted under IT Act Sections 66C & 66D (identity theft and cheating) and IPC Section 420 (cheating).
Sentenced to 7 years imprisonment and fined.
Significance:
Established liability for unauthorized access and phishing attacks targeting digital banking apps.
Reinforced that human exploitation of app vulnerabilities constitutes a criminal offense.
Case 2: Union Bank of India v. Anonymous Hackers (India, 2020)
Facts:
Hackers manipulated the mobile banking app to alter account balances for high-value accounts.
Internal audits revealed logs showing abnormal API calls.
Court Findings:
Charges under IT Act Sections 66, 66C, and 43 (damage to computer systems).
Banks also imposed civil penalties and recovered some funds.
Significance:
Demonstrated that app backend manipulation, not just phishing, can lead to criminal liability.
Highlighted the role of digital forensics in proving manipulation.
Case 3: United States v. Marcus Hutchins (2017, USA)
Facts:
Known as the “MalwareTech” case. Accused of creating and distributing Kronos malware that could steal banking credentials through online banking apps.
Court Findings:
Pleaded guilty under CFAA (unauthorized access) and wire fraud statutes.
Sentenced to time served plus supervised release.
Significance:
Illustrates that even software developers who create tools to manipulate banking apps can be criminally liable.
Criminal liability does not require direct financial gain—creation or distribution of malicious software is sufficient.
Case 4: Barclays Bank v. Choi & Ors (UK, 2016)
Facts:
Fraudsters installed malware targeting Barclays’ mobile banking app users, stealing login credentials and funds.
Court Findings:
Convicted under Fraud Act 2006 (false representation and fraud) and Computer Misuse Act 1990.
Received sentences ranging from 3 to 6 years imprisonment.
Significance:
Demonstrated prosecution for digital banking malware attacks.
Highlighted that both individuals and organized networks are liable.
Case 5: ICICI Bank v. Anonymous Cybercriminals (India, 2021)
Facts:
Cybercriminals exploited a vulnerability in ICICI’s mobile banking app to generate multiple fake NEFT transactions.
Transactions were reversed after reporting, but the IT team traced the fraud.
Court Findings:
Conviction under IT Act Sections 66, 66C, 66D, and 43 and IPC Sections 420 & 467.
Bank recovered partial funds; cybercriminals sentenced to 5–8 years imprisonment.
Significance:
Reinforced liability for app manipulation and exploitation of technical vulnerabilities.
Emphasized the importance of proactive monitoring and audit trails.
4. Key Legal and Procedural Principles
| Principle | Explanation |
|---|---|
| Unauthorized Access | Accessing accounts or backend systems without consent is criminal. |
| Identity Theft & Phishing | Using stolen credentials or OTPs to manipulate apps constitutes a crime. |
| Malware & Hacking Tools | Creation, distribution, or use of malware targeting banking apps is criminal. |
| Financial Fraud | Manipulating app functionality to divert funds or create false transactions leads to criminal liability. |
| Forensic Evidence | Digital logs, API traces, and transaction history are key for prosecution. |
5. Conclusion
Manipulation of digital banking apps is treated as a serious criminal offense under cybercrime, fraud, and banking laws globally. Criminal liability extends to:
Direct perpetrators (hackers, fraudsters)
Developers of malware or exploit tools
Individuals impersonating account holders
Courts consistently rely on digital forensic evidence, transaction logs, and bank audits to establish intent, method, and harm.
