Let's Build a Responsible Cyber Society
15th Year in service of Netizens

 
 



 
 
Naavi is a Cyberlaw consultant based in Bangalore and specializes as Cyber law compliance advisor for the industry.
 


India to press for Changing Internet Governance Structure

May 16: The fact that the Government of India is moving towards Internet Censorship has been visible in many of the actions of DIT over the last few months. The systematic manner in which ITA 2008 is being misapplied to gain control of Internet content has brought Indian policies on the Internet close to those of China and other totalitarian countries. Though the western countries have also followed similar policies in the case of WikiLeaks, the move of the Indian Government to suggest changing the ICANN structure to bring it under the control of Government bodies is now threatening to brand India as a "Totalitarian State" on the Internet. Just as individuals take different Avatars in the digital society, the "Democratic" India of the physical world is now taking on a "Totalitarian" avatar in the digital society. As a combination, the present Internet policies of DIT have made India a "Totalitarian Democracy". See this report in The Hindu

Sec 79 rule to come for discussion in Parliament

May 12: The statutory motion for annulment of the rules under Sec 79 of ITA 2008 issued on April 11, 2011 is expected to be taken up for discussion in the Rajya Sabha on the 15th of this month. Report

Another Court order for removal of defamatory content

May 11: In another instance involving Section 79 of ITA 2008, the Delhi High Court has ordered removal of prima facie defamatory content against Sri Sri Ravishankar. It may be noted that the Court has made a reference to the 36 hour rule for content removal, to be counted from the time the Court order is received by the intermediary (Google in this case). Report

Copyright Amendment Bill gets Cabinet Clearance

May 11: The Copyright amendment bill, which was pending for a long time, has reportedly been cleared by the cabinet today. The exact copy of the final amendments needs to be checked. Report

John Doe Orders and Internet Censorship

May 10: An increasing number of John Doe orders obtained by the Film industry in India prior to the release of major films has raised a debate on whether such orders are being applied in a manner that makes them more of a tool of censorship. It appears that the order which has resulted in the blocking of the Vimeo site is a "John Doe Speculative order", based not only on unknown infringers but also on a contingent event that may result after the release of the film. Is it a new legal principle being established, or is it a passing phase where a principle is being misapplied? Only time will tell. Related Article

Cyber Appellate Tribunal in Bangalore?

May 9: During the first Bangalore Cyber Security summit in 2009, a promise was made by the then Presiding officer Sri Rajesh Tandon that he would be happy to see the setting up of a southern bench of CAT in Bangalore as proposed by Naavi. The then Home minister of the State, late Sri M. V. Acharya, as well as the Law secretary of the state, who were present during the deliberations, also agreed with the suggestion.

Subsequently, despite several attempts, the State Government never took steps to send a formal request to the CAT and the matter remained unattended. During the second Bangalore security summit in 2010,  the IT Secretary Sri M.N.Vidyashankar again promised that the CAT Southern bench will be set up within a few months. Nothing moved except that Justice Rajesh Tandon moved out of CAT on superannuation. The Government of India did not move even to post a replacement for Justice Rajesh Tandon and far from a new Southern Bench of CAT being created, even the CAT in Delhi remained closed for operations. Unmindful of these developments, the Karnataka IT Secretary has again made a promise during this year's Bangalore Cyber Security Summit that the southern bench of CAT would be formed.

Coming from an IT Secretary who believes that "No Company can invoke Section 43 of ITA 2008" and "No complaint can be filed against a Company under Section 43", (Refer related award here) the promise of a CAT bench in Bangalore appears like an "Election Promise of a Politician".  Related Report in Deccan Chronicle : Also see:

Internet and Human Right 

May 8: Internet as a technology was a facilitator for the democratic revolutions in Tunisia, Egypt etc. during the last year. This has again opened the debate on "Whether Internet Access should be considered as a Human Right?". Though there are differences of opinion on whether Internet should be considered only as a tool and not as a Human Right, the fact remains that the "Quality of human right without Internet is increasingly becoming unacceptable". One of the prime factors driving humanity to this thinking is that Internet is a "Tool of Expression". The difference between other media of expression and Internet is that Internet, along with the World Wide Web, enables an individual to publish his thoughts to the world without the assistance of others. This makes Internet a tool with which a human being can translate his thoughts into an expression to the global society. It therefore has the credentials to demand the status of a "Human Right". Vinton Cerf Differs : UN Special Report Agrees

Apart from the suppression of the freedom of expression in India through excessive legislation and misapplication of legislation, Indian Citizens are being denied this human right through closure of judicial options for remedy of grievances due to the inaction of the DIT in keeping the Cyber Appellate Tribunal active.

Karnataka has gone a step further in the direction of denial of rights of Internet users by closing substantially the options of the citizens to redress the grievances through the Adjudication system.

Naavi.org has raised this issue with the Chief Minister and Law Minister of the State through an Open letter. Responses are however still awaited.

New York Judge says IP Address is not a reliable identification

May 5: In a significant judgement, a Judge in New York has stated that given the dynamic nature of IP address allocation and the possibility of IP addresses being shared over WiFi networks or otherwise, they can no longer be relied upon in legal suits to identify a person and charge him with offences. Related Report

Cyber Justice is denied to Citizens in Karnataka

May 4: Citizens in Karnataka have been facing a unique problem as regards Cyber Crime complaints due to the non-availability of any proper legal forum for the redressal of their grievances. The problem of Police officers refusing to register Cyber Crime complaints is well known. It is widely prevalent everywhere in India and also in Karnataka. What has added to the woes of the citizens of Karnataka is that they have been shut off from the civil remedies envisaged in the Information Technology Act 2000 due to the inadequacies in the Adjudication system which is administered by the IT Secretary of the State. Taking a contrarian view in an earlier case referred to him, the Karnataka IT Secretary has taken an opinion to the effect that "No complaints can be admitted for remedies under Section 43 of Information Technology Act 2000 after the amendments of 2008 against any corporate entity and that no complaints can be made by a corporate entity as well".

Though the unsustainability of such a stand has been brought to the attention of the IT Secretary, he has stood by his opinion. This opinion, which can now be revoked only on an appeal to CAT, will stay in place until CAT is reactivated by the appointment of a "Presiding Officer". This combination of the inefficiency of DIT in not appointing a Presiding officer for CAT and the interim decision of the Karnataka IT Secretary has enormously benefitted some of the Banks who are e-Governance partners of the government and are facing complaints from the public.

It is ironic that in such a state of affairs, the Karnataka IT Department is conducting a Cyber Security Summit. One needs to ask the Government what the end objective of Cyber Security is. Is it for protecting the citizens of Karnataka? Or is it for protecting the business interests of those corporates who are in E Governance partnership with the Government? Naavi.org seeks a response from the Chief Minister of Karnataka, who also holds the IT portfolio, to clarify. Related Report in Hindu : An Open letter to CM of Karnataka

Intermediary Guidelines is now a Human Rights issue

May 4: For some time now, civil society in India has been fighting against the Intermediary Guidelines issued by DIT on April 11, 2011, which inter alia are being interpreted as a tool of Internet Censorship. Now it has been recognized that "Freedom of Expression" is a "Human Rights issue" and the guidelines may downgrade the Human rights index of India when the UN undertakes the Universal Periodic Review some time in June this year. Internet is considered an important tool of free expression and any attempt to gag the media through notifications that provide that intermediaries shall remove content within 36 hours is highly objectionable. Government can no longer justify the law as an "Enabling Provision" for national security reasons since the track record of the Government is that it is often used against political opponents. The Aseem Trivedi incident, the call for "Pre-screening" of social media content, the case against "Facebook" etc. in Delhi High Court and the Professor Mahapatra incident in West Bengal have all indicated that the Sec 79 rules are an instrument of censorship and a prelude to "Internet Emergency" in India.

Additionally, the shutting down of the Cyber Judiciary system by not appointing a chairperson for CAT will be viewed negatively in the Human Rights Review.

The DIT therefore needs to wake up from its slumber and make some positive efforts to clean up its Internet Human Rights record. See related DEF report : Related Article: Will the Government Consult Netizens?..Need for National Netizen Rights Commission

Multi-Stakeholder Consultation on Internet Rights Inaugurated

May 3: A multi-stakeholder consultation on Internet Rights was inaugurated in Delhi by Smt Aruna Roy, Chairperson, Mazdoor Kisan Shakti Sanghatana. Officials from DIT and various organizations also participated in the event. Naavi, speaking on the subject, highlighted the need for Netizens to be more responsible and organize themselves into a voice to be heard. (Copy of the presentation is available here)

Internet As a Human Right

May 2: A debate has started in India on whether "Internet Access" is to be considered a fundamental right of an individual. Certain countries such as Finland have declared access to the Internet as a part of the fundamental right. Even the UN has indicated in a report that Internet should be considered as part of Human Right. 80% of people surveyed over 26 countries by BBC favoured the thought of Internet as a Fundamental right. At the moment however, in India, the top of the agenda is whether the Internet access we now have is diminishing in value because of the failure of the Government in having proper regulations which are fair, democratic and reasonable.

The Digital Empowerment Foundation in Delhi and the Association for Progressive Communications (APC), supported by the Department of Information Technology and the National Internet Exchange of India, Govt. of India, are organizing a national consultative workshop in Delhi on 3rd May 2012. The workshop will be outlining India’s progress towards ‘Internet Access for All’, and specific areas of concern – right to information, internet & information access, internet governance, Internet regulation, content specifications, cyber law, and appropriate policy framework.

Risk of Data Loss in Cloud Storage

May 1: The risk of data loss in cloud storage was in focus as the assets of megaupload.com, a data storage service facility in Virginia, were seized by the US federal government on charges of facilitating copyright infringement. As more than 1100 servers remain seized, data equivalent to 25 million gigabytes remains inaccessible to its owners, many of whom are genuine business houses. Related Report

The issue has thrown open the legal question of ownership of "Information" as distinct from the "Information container". It should be recognized that the Government has no right to seize the assets of innocent parties and has to hand over the information to the rightful owners at the earliest.

The incident is also a wake up call to those who use Cloud storage services to ensure that the activities of the service provider do not affect the interests of genuine users. The need for DRP/BCP strategies in the cloud environment is also highlighted.

Misconceptions About Electronic Signature

April 30: During recent discussions with several informed members of the public, there appeared to be a widely prevailing misconception about the provision of Section 3A of ITA 2008 regarding "Electronic Signatures".

It appears that people have misinterpreted the term "Electronic Signature" to mean any form of authentication other than "Digital Signatures". Some are speaking as if "Click Wrap" agreements will now be recognized. Some Bankers are on the prowl to seize any opportunity to get the 2-Factor authentication itself recognized as digital signature as they tried during the G Gopalakrishna Working Group discussions.

Let's therefore explore this new section introduced in ITA 2008 in a little more detail... Details

Zero Value Statistics on Cyber Crimes!

April 30: In replying to a query in the Parliament, the Minister has indicated that there were 966 cases booked in India in 2010 as "Cyber Crimes", some under IPC and some under ITA 2000. These are the records from the NCRB report, which showed an increase in cases registered from 420 to 966 between 2009 and 2010. 153 of these cases were registered in Karnataka, 148 in Kerala and 142 in Maharashtra. These statistics are however relevant only to study the number of cases registered and do not reflect the status of Cyber Crimes in India. A huge number of Bank fraud cases have not been registered and hence the statistics have no real value for analysing the Cyber Crime status in India. Naavi.org has therefore been proposing the setting up of an "E Banking Emergency Response Team" to receive information about E Banking frauds directly from the public, report it on a public website, offer legal assistance to E banking victims, and develop security norms for the Banks who are interested in making E Banking safer. Eventually this exercise would lead to safer E Banking in India.

Internet Censorship in India

April 30: Here is an article on Internet Censorship which may be of interest to people following the debate on the unconstitutionality of Sec 79 rules. Naavi.org points out that spineless intermediaries are also to blame for the lack of application of their minds when a content objection is received. Recently Mr Ajit Balakrishnan of Rediff.com stated on a TV program that Rediff.com does not blindly follow the take down notice and will examine the request properly. This approach is what has been suggested by Naavi.org.

Basic Security Flaws in Aadhar Enrolment exposed

April 29: After the bizarre revelation about "Coriander" being issued an Aadhar identity, more frauds have come to light in the enrolments in Hyderabad. It is stated that over 30000 fraudulent enrolments have occurred. One of the flaws that has been revealed is that when an agent tries enrolment and the biometric fails on two occasions, on the third occasion the system proceeds with the default biometric.

In other words, after two unsuccessful log in attempts, instead of the system being locked up, it opens up without biometric authentication. Such a system is never heard of in any security scenario. This is a clear indication that the Aadhar security does not meet even the most basic requirements to qualify the system as acceptable. Add to this the frequent loss of laptops with data, and the system appears to have been compromised to the core, and Mr Nandan may not have any control over the project being useful. It is time that the Government scraps the enrolment process forthwith.

We may recall that in one of the very first meetings with the Aadhar team in Bangalore, the security requirements had been raised by the group of specialists to whom Mr Nandan had presented the action plan. We were assured that there is adequate attention given to the security issues and he does not have any apprehensions. This confidence has been proven wrong. Related Article

SC acquits Mr Avnish Bajaj

April 28: The historic Baazee.com case, in which the CEO Mr Avnish Bajaj was facing charges under Section 67 of ITA 2008 for liabilities arising out of the posting of an obscene video for sale by one of the members, was finally disposed of after 7 years with the Supreme Court dismissing the charges under both IPC and ITA 2000. It is to be noted that the acquittal appears to be based on a technical irregularity in the pressing of the charge. According to the report in indiatimes.com, a three-judge bench of justices Dalveer Bhandari, S J Mukhopadhyaya and Dipak Mishra quashed the cases registered against Bajaj under Section 292 (sale etc of obscene material) IPC and various provisions of the Information Technology Act on the ground that the company was not made a party to the case and only the Director of the company was roped in for the alleged commission of the offence.

The prosecution appears to have erred on the fact that first Section 67 offence should have been charged against the Company and then with the operation of Section 85 of ITA 2000, it would have flowed onto the Director. Without making the Company a party to the offence Section 85 does not become operative. By not including the Company as "Accused", prosecution appears to have committed a technical mistake.

Why Russians are considered masters of cyber crimes

April 26: According to this report from Forbes, the share of Russians in the global cyber crime earnings of US$12.5 billion is around US$ 4.5 billion. Related Article:   Some Stats

DIT's incapability to manage Cyber Laws

April 26: Repeated incidents of misuse of ITA 2008 highlight the inadequacies of the laws or bad framing of the laws. The responsibility for this has to lie squarely on the DIT. Unfortunately DIT does not have a good consultative process and relies on some chosen favourite advisers to draft the laws and regulations. The proof is that the constitutionality of the regulations is being repeatedly questioned. If DIT comes down from its pedestal and is ready to listen to wiser counsel from a large section of the society, perhaps the errors could be reduced. This article in Indian Express captures the observations of experts from the field. A report in IE

I would like to add the following points to the article.

1. The system of adjudication managed by IT Secretaries in States under the guidance of DIT is also in doldrums because of the lack of understanding of law by the IT Secretaries.
2. The system of Cyber Appellate Tribunal has been kept deactivated by DIT, probably led by vested interests who do not like this forum to be active.

I would like to add a clarification that CRAC under Sec 88 was formed and notified on 17th October 2000 but is being sidelined by DIT. Even the amendments of 2008 are therefore ultra vires the Act since they were not vetted by CRAC.

Bank Inspection Reports to come under RTI

April 26: In what could be considered a significant and people friendly development, the Central Information Commissioner has held that inspection reports of Banks should be made available under RTI. So far Banks have been avoiding sharing information about frauds under the argument that it would undermine the confidence of the public. RBI has also been avoiding any release of documents pertaining to Bank frauds in India. The absence of data on Bank frauds has created hurdles in the possibility of insurance companies coming up with products for insuring the banks against fraud losses. Phishing victims are being stonewalled by Banks stating that their security is impregnable, and to support this myth the Banks are not releasing any fraud related information to the public. Now this decision of the CIC should enable RTI applications to be filed on every Bank to find out the extent of Phishing frauds reported and how the Banks have disposed of each of them. Related Report :

In a similar case the J&K Information Commissioner has also held that J&K Bank is a public authority and has to share information under STI. Report regarding J&K IC

Do We need anti virus for TVs?

April 23: It appears that vulnerabilities have been found in Samsung and Sony TVs which can be exploited to cause disruptions and shut off the TV. Hope the manufacturers take note. Related Article

Has the time come to work on amendments to ITA 2008?

April 23: Civil activists alarmed by the misuse of ITA 2008 by politicians to curb any writings on the Internet perceived to affect the reputation of the ruling government, and by some business interests to protect their business interests, have started asking for the withdrawal of the rules notified by DIT on April 11, 2011 particularly under the "Intermediary Rules" under Section 79 of ITA 2008. 

Naavi.org strongly recommends that even the "Reasonable Security Practices" notification under Section 43A, which was notified alongside the Intermediary rules, needs to be scrapped as it unashamedly promotes one particular security framework involving enormous outgo of funds out of India. The Section 79 rules are linked to the Section 43A rules and make it mandatory for all intermediaries to undergo ISO 27001 audits or be damned. This is an unconstitutional promotion and a scam bigger than the 2G scam.

Further the unconstitutional nature of Section 79 actually flows from the amended Section 79 which gives the executive powers to curb the constitutional right granted under Article 21 without judicial intervention. The amendment itself was introduced without due process of consultation with Cyber Regulations Advisory Committee constituted under Section 88 of ITA 2000 by DIT.

It is therefore necessary that the entire amendments of 2008 be considered as unconstitutional and re-worked. I request MPs Mr P. Rajeeve and Rajeev Chandrashekar to take note of this and move the motion in the Parliament accordingly.

I was one of the supporters of ITA 2008 amendments when it was enacted because certain provisions were considered necessary from the point of view of national Security. However politicians have interpreted “National Security” to mean security of the politicians in power and hence the provisions are being repeatedly misused. It has therefore become difficult to trust the commitment of the Government to democratic principles and there is therefore a need for strong checks and balances in the Act. This can be achieved by a complete overhaul of ITA 2000 by a major amendment now.

Activists Demand Scrapping of ITA 2008 rules

April 22: Free speech activists held a demonstration in Bangalore demanding the withdrawal of the ITA 2008 rules as they are opposed to Free Speech principles. The main contention is that under the Section 79 rules, an intermediary is forced to remove content without judicial intervention and based only on the complaint of a victim.

Naavi has however pointed out that it is only a "tendency to crawl when asked to bend" on the part of the intermediaries that has resulted in such a situation and has also suggested a "Due Process" to deal with demands for removal of content. (Ref: How Do you React to a Sec 79 Notice if you are an intermediary?). If we have spineless intermediaries, it will only encourage Government to be more repressive. It is therefore necessary for Intermediaries to rethink their content regulation policies. They can be law compliant without being subservient to political interests if they have the will. Related Article in DH : Report in ET

A discussion had also been organized by CIS (Center for Internet Society) on the same subject in which Naavi also had participated.

Game Theory to Predict when Cyber Criminals Start Striking

April 22: According to Game Theory analysts, the reason why malware for Apple systems has increased from near zero in 2003 to around 250 per month at present lies in the possibility that the effectiveness of anti virus systems has improved in recent times. It is estimated that at present the Windows Essentials is capable of detecting up to 93% of malware variants while other software products claim up to 99.7%. It is the theory of some observers that with the decrease in the probability of successful attacks on Windows PCs, cyber criminals have shifted attention to Mac, which may have only around 11% market share but where the probability of success of planting a malicious code is already beyond the break even level for Windows PC. As the market share of Apple increases it is estimated that more and more malicious codes for Apple would be created. Related Article : latest antivirus comparative : Related Research Paper

War on Internet

April 22: It appears that for the last several days, DIT has been working overtime to get Abhishek Manu Singhvi's controversial videos removed from the Internet. This explains why DIT is not finding time to address issues such as the appointment of the CAT chairperson.

While the GOI has taken control of mainstream internet media such as YouTube and ensured that the Video is removed, many persons continue their attempt to reach the video to people through other means. In fact it appears that this could test the relative strength of the Government, which wants to block some information from publication, and the power of Internet as the voice of the people who want to defeat the Government's intention.

While it may be debated whether the current cause of these activists is noble or otherwise, the developments are throwing light on what may happen in future if there is a political battle between the Government and the common people and the Government becomes repressive of public expression.

In the meantime, the decision of the Court to grant a permanent injunction on the publication means that Courts are responsive to the demand for blocking sex related content, particularly when the content relates to an influential politician. Had it been a common man in similar circumstances, it would have been difficult to convince the Court that there was any reputation to be protected in such cases. But it would be interesting to observe if the same Courts also support other assaults on freedom of expression when the content is related to political dissent. This will also determine if obscene content, defamatory content, cartoons, and political dissent are considered different forms of speech and deserve different treatment in law regarding the guaranteed constitutional right to "Freedom of Expression".

Ravi Belegere Fined

April 21: The famous public speaker Mr Ravi Belegere is reported to have been fined Rs 35 lakhs for an article published in a tabloid "Hai Bangalore" in 2003 criticizing the "Play Win" lottery. Play Win not only operates online but also engages services on the physical space for selling its lottery tickets.

In most states in India including Karnataka, Lottery is banned. It is prima facie considered anti-social. It is therefore surprising that a journalistic article in public interest should invoke the wrath of a Court to the extent of fining such a large amount. It is also not possible to judge whether the lottery systems run on the Internet are run on fair terms since their software is not subject to scrutiny of a source code audit by a reputed organization and can therefore be unreliable. Though Playwin declares that its systems are audited by E&Y, unless a copy of the audit report is made public, we cannot find out the scope of the audit and if it suffices to meet the expectations of the public. Though the lottery is perhaps licensed in Sikkim, it is not clear how it can operate online and offer its services to states where lottery is banned.

If any reader has a copy of the judgment and copy of the said article, I request them to send it to me so that we can analyze and understand under what circumstances, criticizing a business which is popularly considered immoral by the society becomes a "Defamation".  Related Article

GPS Coordinates in iPhone photo nets a hacker

April 21: A hacker who posted an objectionable photograph was traced by the FBI and arrested using the GPS coordinates embedded in the photograph, which was taken with an iPhone. Earlier there were reports about a print out being used to track the printer. It is said that all colour laser printers print yellow dots as a code in the background which may be used to match the printer in forensic investigations. (refer article here) It is not clear if this is also possible in a black and white print out. Related Article1 Related Article 2

If you want to check if your colour laser printer prints such codes, you can visit http://dotspotter.ultrasec.de/

US Court rules "No Data theft" if access is authorized

April 21: A US Court of Appeals has ruled in a case that an employee with valid access cannot be held liable when he downloads data. This is an interpretation of the Computer Fraud and Abuse Act regarding unauthorized downloading of a list of names and contact information in a recruitment firm. This is an interesting judgement which has relevance to India also. It is interesting to note that under Section 43 in ITA 2000, India has separate provisions under Section 43(a) for unauthorized access and 43(b) for unauthorized downloading. Such a provision should have held the download as a contravention even if the access is authorized. But the Judge appears to have interpreted the legal provisions from the point of view of "legislative intent" and held that a "Corporate Policy" that contains unrealistic impositions is not fit to be supported in law. This is like the "Standard form Contract" with all the legal jargon thrown into the Policy whether it is contextually relevant or not. The ruling can provide relief in many cases even in India where employers have tried to institute false cases against employees only because they had resigned. Related Article

Call for Scrapping April 11 Rules

April 21: The rules notified by DIT under Section 43A and 79 on April 11, 2011 have been a subject matter of controversy ever since the rules were notified. Naavi.org raised serious objections to the Section 43A rules, dubbing them a scam bigger than the 2G Scam in view of the promotion of ISO 27001 audit through legislation. The Section 79 rules have been objected to because of the apparent power given to any perceived victim of defamation to get web content blocked. Additionally, Section 66A misuse by Mamata Banerjee and the move of DIT against Facebook et al on political cartoons have raised further questions on the integrity of the Government in applying the provisions in a fair manner. Sec 69, 69A as well as Sec 66F hold further threats for ordinary citizens if the Government wants to misuse their provisions. 66F can impose "Life Imprisonment" for "Cyber Terrorism" and the section is so drafted that it can be invoked against political opponents at the drop of a hat. There is therefore no surprise that there is talk of the rules being questioned as "Unconstitutional" and demands have been raised for scrapping of the rules.

Hindu in its article today has advocated a National Consultation on such anti democratic legislation. We look forward to such a process being initiated by a credible body of the public.

Status of CAT

April 20: Naavi.org has been reporting on the status of CAT for quite some time now and Naavi has personally taken up the cause of the public and the difficulties experienced by Cyber Crime victims due to the non appointment of the presiding officer of CAT at all levels. However there seems to be no urgency on the part of the Government of India to re-activate CAT. After a long time a major publication like ET seems to have thought it fit to carry a small article on the subject. Hopefully this will wake up the officials into some kind of action soon. Article

Hacking a Hotel System to access customer information

April 20: Researchers have exposed a case in which a trojan package, capable of infecting hotel management software and stealing the credit card information of clients, was being sold. This represents a strategy to access the customer credentials through indirect means without hacking into the customers' own machines, which might have been well protected. It is necessary for CERT IN to take up suitable security audits of hotels in India and other establishments where similar vulnerabilities may exist. The incident also highlights how the purchase of software needs to be screened for security issues by IS teams in organizations. Report

Security Expert exposes Banking Vulnerabilities in Iran

April 20: A security expert in Iran exposed vulnerabilities in the Banking system by demonstrating how the credentials of the customers can be compromised by hacking into 3 million accounts in 22 different Banks, though the information was not misused by the expert. Before the disclosure, the expert had reported the vulnerabilities to the Banks, who ignored them. The Central Bank of Iran maintained, even after the exposure, that the threat is not serious. Hope RBI acts differently if a similar situation develops in India. Report

US$ 1 million hacked in Brokerage Firm

April 20: Hackers in USA have been reported to have hacked into retail accounts of a brokerage firm and initiated false transactions to siphon off over US $ 1 million. A Russian residing in New York has been arrested. Though similar frauds might not have been reported in India, the risk of such frauds is also relevant and SEBI should undertake a customer survey to identify "Suspicious" transactions which could be indicative of such frauds. Report

GOI issues "Advisory" to State Governments on Cyber Crimes against Children

April 19: In an unusual move, an advisory appears to have been issued by Government of India to State Governments regarding handling of Cyber Crimes against Children. The advisory talks of undercover operations and action to be taken under Sec 69A etc. The implications of the advisory are many and need detailed examination. The advisory

Privacy Bill Panel to submit its report by June 2012

April 14: The panel formed by the Planning Commission to study the Privacy Bill and give its recommendations to the DIT is expected to give its report by June 2012. Headed by a retired Delhi High Court Judge, Ajit P Shah, the committee has a sub group headed by Som Mittal of NASSCOM which will submit its recommendations to the Committee. Report

Six Firms Remain in the Content blocking Litigation

April 14: Out of the 22 firms which were originally named in the suit in Delhi High Court regarding the responsibility for removal of "Objectionable content" hosted on their resources, all but 6 firms have been taken out of the purview of the litigation. The six firms remaining are, Facebook (India and US), Google Inc, Orkut, Youtube and Blogspot (through Google Inc CEO Larry Page). Related Article

Why Mobile Devices are inherently unsafe for Banking

April 14: It is always a matter of pride and joy to take note that technology in the form of mobiles has revolutionized life on earth. However, when it comes to secure transactions in the virtual world, we need to remember that mobiles were not built for secure communications. Unless special efforts are taken by the users to impart encryption over and above what the service provider provides, mobile communication should be considered vulnerable from a security point of view for applications such as Banking. This article highlights the point

While individuals may overlook these considerations, the regulators should not. Hope the message is reaching the right persons.

Politicians discredit ITA 2008

April 13: By misusing the provisions of ITA 2008, and using it mainly to curb political criticism, political parties appear to be discrediting the law itself. When it comes to genuine action required under the Act such as activating the CAT, there is no hurry on the part of the Government. However when it comes to muzzling the expression of criticism of the politicians, there appears to be a sudden realization that there is Cyber Law in India. Right thinking persons need to get together and discuss how this issue can be resolved. If this trend is not curbed we will be seeing a replay of the Emergency days.

Joint Data Base to prevent Mobile thefts

April 13: US mobile operators are reported to have agreed to create a joint data base of mobile phones to prevent stolen mobile phones from being used. This is an urgent requirement in India also since this will be a great disincentive for mobile phone theft. In India, using a stolen mobile phone is an offence under Section 66B of ITA 2008 and carries a 3 year imprisonment. The offence is considered as cognizable. There are hundreds of such offences being committed each day in different parts of the country. Hence there is an urgent need for action to trace and block stolen mobiles across India. This will also help in anti terrorist/Naxalite activities of the law enforcement. The WSJ report

Mr Kothimeer gets an Aadhar Number !!!

April 13: It is reported that an Aadhar card number 4991 1866 5246 has been issued to Mr Kothimeer S/o Mr Palav (Biryani), Mamidikaya Vuru (Village Raw Mango), of Jambuladinne in Anantapur district. For the sake of clarification, "Kothimeer" is "Coriander" (Kottambari). The photograph is said to be of a "Mobile Number". The incident indicates how the Aadhar enumerations are happening across the country. In the informed circles, there is little respect for Aadhar and the Government is spending crores of rupees of public money for a cause which appears to have no sanctity left. What credibility does the system have if such instances are being reported? The DH report

"Cutting Edge Technologies"..and Rs 11 lakhs lost!

April 9: In yet another Phishing Fraud involving Axis Bank, a customer in Kerala lost Rs 11.14 lakhs. The fraud involved the fraudster obtaining a duplicate SIM card and defeating the two factor authentication. Axis Bank, as expected, claims that they have implemented "Cutting Edge Technologies" and hence are not responsible for the fraud. Only Courts need to tell if the claim of cutting edge technologies is true or is only a fraudulent claim... Report in IE

How Much Money is lost through Phishing in India?

March 31: Today is the end of a financial year for Indian Banks. It is time for them to draw their annual reports and submit them to both RBI and their shareholders. One essential piece of information missing from Bank reports is the extent of loss in E Banking frauds. RSA recently stated that the losses suffered by Indian enterprises in 2011 through Phishing were of the order of Rs 172 crores. In an RTI based information released by RBI by DNA, Mumbai, it was stated that during 2010-11, the losses on E Banking were Rs 467 crores in Citi Bank, Rs 298 crores in SBI, Rs 112 crores in ICICI Bank and Rs 39 crores in HSBC. (See here) According to another rough estimate by Symantec, phishing related losses in India were of the order of Rs 6500 crores.

Naavi.org has been fighting for "Safe E Banking" and advocating that Banks which cannot provide safety in Internet Banking should be barred from providing Internet Banking service. In this connection demand has been already made on RBI to cancel the licenses of one branch each of ICICI Bank and Punjab National Bank. However RBI has maintained a royal silence.

Naavi has also brought to public attention the continued vulnerabilities in E Banking as demonstrated by Mr K S Yash, a security consultant in Bangalore. The videos of a live demonstration before a group of experts have also been submitted to CERT IN and informed to RBI. Invitations have been sent to both RBI and CERT IN  to take the demonstration directly and initiate action to restore the confidence of the public in E Banking. ... We are awaiting a positive response from both of them.

Against this background, one must question the wisdom of Banks and RBI in hiding the real information of how much money is being lost by Indian Banks through Phishing and any form of E Banking frauds. Are these frauds being reported to RBI as per the RBI's Fraud reporting guidelines? Are the losses recovered out of insurance as per the RBI's Internet Banking guidelines of June 14, 2001? If not, why is RBI silent on the Banks recovering the money from the hapless customers? Why is DIT barring legal remedies in such cases by not appointing a chairperson for the Cyber Appellate Tribunal since last June? Why have DIT and the Government of Karnataka not been able to address the anomalous situation created by the IT Secretary of Karnataka deciding that no cases can be brought before him against any Banks? Why is RBI tolerating the rogue behaviour of Banks in ignoring its guidelines, both of June 14, 2001 and the more recent Gopala Krishna Committee report? Why is RBI unable to notify the recommendations of the Damodaran Committee report? Why is RBI silent on our request to apply KYC failure fines to create an E Banking insurance Fund? Why are our Ministers Kapil Sibal, Mr Sachin Pilot as well as the PM unable to respond to our complaints? The list goes on.

Naavi.org vows to start a fresh campaign on "Protecting E Banking Customers" and invites Consumer activists all over India to join in this campaign.  I invite support and comments at naavi@vsnl.com.

Arise, Awake and Stop Not until Indian E Banking is made Safe

ICICI Bank on Face Book.. Does it compromise user security?

March 29: ICICI Bank is known for its innovativeness. Unfortunately, sometimes we feel that the innovativeness crosses its boundaries to possible recklessness. The recent foray of ICICI Bank into Face Book is one such new brainwave that has struck ICICI Bank. Now it is possible to view a person's account through an application on Face Book. Though ICICI Bank claims that no data is transferred to Face Book and hence the security of information is not compromised, for a Bank which has the highest reported internet banking fraud incidents such statements ring hollow.

One wonders what RBI thinks of this innovation. Does the security on Face Book meet the recommendations of the Gopala Krishna Committee report? Or does it matter? After all, RBI guidelines are there for the public to see and feel secure.

MP wants Section 79 rules to be annulled

March 26: A motion has been moved in the Rajyasabha that the notification issued by DIT on Intermediary guidelines on April 19, 2011 be annulled. The motion has been moved by Mr P Rajeev, an MP from Kerala. Report

FIR Registered against HSBC Employees for harassment

March 23: We have reported in these columns about the disclosure by Mr Yash on E Banking vulnerabilities through a live demo involving some Banks. The demo included HSBC Bank and subsequently it had been reported that some representatives of the Bank had visited his house in Bangalore and threatened his family members, demanding that the demo videos on the Internet should be removed. Naavi had brought this to the notice of the Bank at higher levels. Now Mr Yash has confirmed having filed an FIR against the Bank requesting the Police to investigate and provide him protection from being physically harmed.

Kerala High Court admits petition against Intermediary rules

March 12: Kerala High Court has admitted a petition challenging the constitutionality of the Intermediary rules issued by GOI on April 11, 2011. The petition has been filed by an advocate, Mr Shojan Jacob, raising objection to certain provisions of rules under Sec 79 and Section 69A and arguing that the rules are unconstitutional. Rules under Sec 79 are interrelated with rules under Section 43A also and hence it may be necessary to look at the rules under Section 43A (April 11, 2011) while deciding on the constitutionality of the rules under Section 79. In particular, the rules under Section 43A provide that if an intermediary can show an ISO 27001 certificate, he is deemed to have followed the requirements under Section 43A for protection of privacy of an individual. This refers to privacy while Section 79 refers to freedom of speech. These two are interrelated and both need to be reviewed for constitutionality. Naavi.org has already discussed these issues at length in the past and readers may view the articles in the Archived News

Related articles: Writ extracts : Medianama : Bar&Bench

GIGA National Seminar held at Hyderabad

March 11: A national Seminar was held at NALSAR in Hyderabad on "Internet Law and Governance" as part of the activities of GIGA (The Institute of GLOBAL INTERNET GOVERNANCE AND ADVOCACY), established as a center of research, advocacy and training in Internet Governance and related issues. Justice S. Ravindra Bhat inaugurated the conference and also made an interesting presentation on the E Court project in Delhi which was launched under his supervision. Officials from DIT including Dr Gulshan Rai, Dr Ravishanker and Dr Mohan also spoke on Internet Governance initiatives and security issues. Pavan Duggal, noted Cyber Law specialist, gave a presentation on mobile laws in India. Copy of presentation made by Naavi on IT Act-Issues for Judiciary is available here. Prof Vivekanandan, Director of the institute, outlined the activities of the institute including the free online data base of judgements maintained by the institute. The website of GIGA was also launched during the occasion.

IT Companies in Bangalore face a new challenge

March 11: IT Companies in Bangalore have been presented with a new challenge with the withdrawal of the exemption from labour laws for the industry. This is likely to hit the bottom line of the IT Companies and act as a disincentive for new IT investments in Bangalore. The industry needs to develop a system of classifying the workers and the wage levels and obtain exemption on a case to case basis. Industries have been given six months' time to meet the commitments. A serious effort is required by each company and the industry as a whole to resolve this issue and ensure that this does not become a death knell for the industry. Report in Hindu

Time to Delete Your Face Book and Twitter account?

March 11: A surprising and disturbing report from US indicates that many employers and colleges are demanding that applicants reveal their log in ID and passwords when they apply for a job or a course. Certain agencies seem to demand during the interview that password protected pages shall be displayed in front of the interviewer. Read the article here

If such a practice is found in a country like US where there is a huge awareness and activism in Privacy Protection, then one may wonder what could be the attitude in other more authoritarian countries.

Perhaps this marks the end of "Privacy" of individuals on the Internet as we know today... Or is the beginning of a new trend of anonymous, virtual identities and a second life for some?

A Phishing Mail in the name of You Tube

March 8: Here is a new phishing mail in the name of You Tube. The mail indicates a You Tube Video but the link is to some html page which may possibly contain some viruses. See the copy of the mail here

Why The Governor of RBI is guilty of this bloodbath?

March 8: Reserve Bank of India is by law the custodian of the interests of Bank customers in India. It is expected to regulate the Indian Banking system. The responsibility for introducing and encouraging the use of E banking lies with the RBI and hence the responsibility for the loss suffered by customers also lies with RBI. Naavi has also brought to the attention of RBI that there is a serious flaw in the Internet Banking security and RBI should take some corrective actions immediately to prevent the possibility of a Cyber Terrorist attack on Indian Banks. However all these efforts have been met with a stoic silence from the authorities.

Under these circumstances, Dr D. Subba Rao, the Governor of Reserve Bank of India must be considered as having failed in his duty to protect the interests of the Customers of Indian Banks who are seeking a safe banking platform. The blood of the E Banking victims is therefore all over the hands of the Governor of RBI. ... More

Bank Frauds in Bhopal

March 8: A series of E Banking frauds have been reported from Indore where it is reported that more than 100 complaints have been registered in the last one year. The Police seem baffled by the number of crimes and have started advising customers about safe e-banking. While this is appreciable, the report does not indicate any action taken by banks against the errant Banks and hence it is unlikely that a solution will be found to this problem in the near future. RBI should check if the 100+ frauds reported in this report are there in the FMR reports filed by the Banks and if not, take action against the banks which are hiding this information from RBI.

Related Article: Spurt in online banking frauds leaves state policemen baffled

Copyright Decision goes against Intermediaries in UK

March 7: A three-judge panel at London's Court of Appeal endorsed new copyright rules, siding with the music industry over internet providers in a battle over online file sharing. The Digital Economy Act has rules similar to those already in place in France and Ireland and forces internet service providers to send an escalating series of warnings to users suspected of illegally swapping movies and music. Eventually, service providers can suspend repeat offenders' access to the Web. Related Article
 

HIPAA Non Compliance Holds up Physician's payments

March 7: From January 1, 2012, HIPAA introduced a mandatory shift of the Electronic Transactions and Code set Standards from 4010 guidelines to 5010 guidelines. The deadline was extended for 3 months due to the lack of readiness of the industry. HIPAA ASC X12 version 5010 and NCPDP version D.0 are new sets of standards that regulate the electronic transmission of specific healthcare transactions, including eligibility, claim status, referrals, claims, and remittances. Covered entities, such as health plans, healthcare clearinghouses, and healthcare providers, are required to conform to the new transaction set standards. It is understood that due to many technical issues involved in the migration, there is a large scale delay in the processing of transactions leading to many physicians not receiving their payments on time. The industry is requesting another 3 months' extension of the deadline. Related article

Indian Business Associates who may be involved in processing of HIPAA transactions need to ensure that they do not become objects of complaint in this regard. It would be preferable for them to technically review their processes and correct deficiencies if any.

FaceBook Outsources Content monitoring

March 5: Despite the stand taken by Face Book in its court case in India that it is not able to manually monitor content, it appears that Face Book has set up an outsourced mechanism to monitor content. However there is concern on whether this mechanism is trustworthy and whether it is appropriate to reveal sensitive personal data to the outsource agency. The mechanism however appears to come close to some of the suggestions made in these columns about how social networking sites can meet the obligations under Sec 79 of ITA 2008. Perhaps Face Book is moving in the right direction though some fine tuning of the process may be required. The suggestions made on "Regulated Anonymity" may also be relevant here. Related Article

TV Actress Falls Prey to Lottery Fraud

March 4: Asha K Shetty, a TV actress in Chennai has reportedly lost Rs 1.77 lakhs in an online  lottery scam. She was lured with  an SMS and filled up a form with RBI logo. This incident  indicates the vulnerability of people arising out of the trust they place on  their mobile communications and the name of organizations like RBI... Related story in TOI

Theory of Regulated Anonymity

March 3: The theory of regulated anonymity as propounded by Naavi advocates a conflict resolution solution for preserving the democratic principles of Privacy Protection in Cyber Space along with the need of the law enforcement to be able to prevent misuse of “Privacy” as a cover for Cyber Crimes.

The Theory  is built on the premise that “Absolute Anonymity of the Netizen is impractical as it would  be completely opposed by all law enforcement authorities and is against the current laws in most countries. ...More : Download the entire article

Regulated Anonymity-A Solution towards Privacy compatible with National Security

Mar 2: There is admittedly a strong case for “anonymity” and also “Pseudonymity” as means of protecting the privacy of an individual on the Internet. However, looking from the perspective of increasing Cyber Crimes and their escalation to Cyber Terrorism and Cyber Wars, there is an equally strong case for the demand of the law enforcement for absolute surveillance and the need to identify individuals conducting any transaction on the Internet. The new laws in most countries including India and US try to provide for such “Authorized Invasion of Privacy”. This brings forth the direct conflict between Privacy and Crime Prevention while formulating regulations.

Is there a solution to resolve this concept?.. Naavi explores and invites  suggestions and comments from legal and technical persons about how such a system can be designed.

Detailed article : Download the entire article

Why CISO's of Banks will be guilty of murder

Feb 29: This is in continuation of the previous articles on how Bank fraud victims are suffering heart attacks because of the loss of their  life time savings and focuses on the responsibility of the CISOs.... More

SBI is unconvincing in explaining Patna ATM Frauds

Feb 29: 22 ATM fraud cases are reported to have been filed in SBI ATMs in Patna involving a loss of Rs 12 lakhs to different customers including Rs 4 lakhs by a retired Police officer. (Refer article in TOI) GM of the Bank has blamed the customers for taking the help of strangers and not protecting the PIN. However the GM has failed to explain how the fraudsters have been able to withdraw money only with the PINs even if they get access to it without the presence of a Card. If the ATMs can be operated without Cards or with cloned cards, the responsibility for having such ATMs must be taken up by the Bank. If there were guards and CCTV as claimed by the GM, why they are not able to find out those who withdrew the money?. Banks should stop lying about their security and RBI should stop being silent. In fact the Ombudsman in Patna should ensure that all the losses are recovered from the Bank on the lines of the recommendations of the Damodaran Committee. Related Article in TOI

Indian BPO Owner Charged with Extortion

Feb 28: An Ahmedabad Call Center owner has been charged with running an extortion racket threatening US customers and forcing them to pay non existing loan dues. The incident reported charges the owner directly with having committed the offence and not with vicarious liability for his employees' actions. It is alarming that an owner should commit such a fraud but if true it is a big shame on the BPO industry in India. It is more probable that such frauds may be committed by employees of the Call Centers, in which case the owner still takes the liability for the action of his employees but could consider covering such losses through insurance and appropriate due diligence. Report in Livemint

Megaupload owner arrested

Feb 28: Mr Kim Dotcom, the owner of megaupload.com, allegedly one of the sites mis-using the concept of secure cloud hosting to host and distribute pirated content, has been arrested. Related Article

Blood of Bank fraud victims are on these hands...

Feb 26: Naavi has been crusading against the Indian Bankers who are in pursuit of commercial profits even at the cost of the lives of their customers. The days when we considered "Customer is the King.." as suggested by Mahatma Gandhi are over. Today most bankers have no idea how their services are making their customers lose several years of their active life. A series of articles are presented here on the current status of E Banking customers in India..

1. Indian Media is Insensitive..here

2. Blood of Bank fraud victims are on these hands...

Watch out for more articles...

SMS Texting Banned in HIPAA Context

Feb 23: The Joint Commission on Accreditation of Healthcare Organizations (JCAHO) recently issued a “ban” on physician texting, saying it’s “not acceptable” for medical professionals to communicate patient information via SMS. This is likely to push for the use of secure messaging systems. RBI should take note of this development as they are pushing the use of mobiles in Indian Banking system unmindful of the risks. JCAHO is an independent, not-for-profit organization, which  accredits and certifies more than 19,000 health care organizations and programs in the United States. Joint Commission accreditation and certification is recognized nationwide as a symbol of quality that reflects an organization’s commitment to meeting certain performance standards. Related Article

Surge in HIPAA  Compliance Issues

Feb 23: According to a recent research in US, data breaches in 2011 have risen by 32% while at the same time regulations have become more stringent. Covered entities are therefore seeing a squeeze from both sides with increasing risks and increasing regulatory pressures. It is reported that 92% of all healthcare institutions have experienced data breach incidents at least once in the last two years and each such incident costs on an average USD 2.2 million. Related Story

TRAI should Investigate Billing Frauds

Feb 23: After the Number Portability has been introduced in the mobile circles, companies are finding that if there are any billing disputes, customers opt for MNP and move out. However MNP is still not available for data cards and it appears that mobile companies are now focusing on cheating customers on data transactions which are more difficult to verify. Airtel being the leader in the industry appears to be also leading in this scam. It is essential for TRAI to introduce a system whereby false data billing can be identified and customers saved from such frauds.

Recently executives of MTS have been arrested in Mumbai for misusing the KYC forms issued by one customer and using it to issue data cards to another after switching photographs to boost sales.

Airtel has been doing this by falsely billing data usage on cards even when they are not in use. (I am referring to my own account as an example). Such false billing has also been observed on the mobile. It appears that this is prevalent in 3G connections. I have also demanded Airtel to provide me a study of 3G speeds available in Bangalore in different parts to substantiate their marketing claims. I allege that Airtel 3G does not provide 3G speeds but substantially operates only on 2G networks. Their marketing claims are therefore false. I have also asked them to provide me the details of my data usage with reference to the IP addresses and destinations and I am yet to receive their reply.

It may be necessary for a large scale investigation to unearth a corporate fraud in Airtel billing department. TRAI should take steps in this regard.

TRAI should also ensure that the data card device should be portable across different service providers so that the customer is not locked onto a service provider if he does not want to.   Also see

AIRTEL sends bills in transparent covers

Feb  23: In a bizarre observation, Midday reported that hundreds of customers of Airtel received their bills in transparent covers with the entire bill being visible. Has anybody in Airtel heard of "Privacy", "Sensitive Personal Information", "Reasonable Security Practice"?. The incident is a clear violation of Section 43A and 79 of ITA 2008 and action needs to be taken against the Company. Mid Day article

Ethical hacker in UK jailed for 8 months

Feb 22: An ethical hacker in UK was jailed for 8 months for hacking Face Book. The matter was unearthed in a regular security review at Face Book and investigated by FBI claiming that it has rights to deal with hackers in UK. Passing the judgment, Judge Alistair McCreth observed that the hacking could have potentially caused very serious consequences to Face Book but agreed that the hacker did not have any intention of making any commercial gain. The Court observed that there could be an indication of an "Asperger's Syndrome" in the hacker's behaviour of trying to prove himself to his father. Related Article

Bangladesh Hackers/Terrorists give notice through You Tube

Feb 21: Hackers from Bangladesh appear to be using You Tube to send a message to India. They have sent a few demands which are more that of terrorists and threaten a large scale hacking of Indian sites if their demands are not met. The threat is made out in the name of the Bangladesh Cyber Army. It would be interesting to know what the Indian Government response would be apart from perhaps asking for the video to be taken down.  Video

Laws More Misused than applied purposefully

Feb 21: The case of a web journalist in Bangkok being tried for publication of comments by visitors on her website is a case where the intermediary is being held unreasonably liable for an offence committed by somebody else. If more such cases surface, the intermediaries will be so much afraid of posting any content that Internet ceases to be of any value as a medium of free expression. This approach may lend legitimacy to underground publications who may work outside the legal control. If we want "Responsible Behaviour of Netizens" it is also necessary that regulators are reasonable in their approach to political criticism. Related Article

Case Filed For Disclosure of Face Book Security Architecture

Feb 19: A security specialist in Hyderabad has filed a case in AP High Court seeking directions to GOI to demand disclosure of the security architecture of Face Book. It has also demanded that Face Book should use stringent identification measures such as Face Recognition before opening of profiles to avoid fake profiles... Report in TOI

HSBC Bank into massive money laundering?

Feb 16: In a shocking revelation, an ex employee of HSBC has revealed that there is a massive money laundering operation going on in HSBC and has reportedly produced more than 1000 customer pages as evidence. The employee who was working as a Relationship Manager has said “I was shocked to find accounts through which millions of dollars were being deposited and withdrawn without any apparent business activity being conducted,...Then when I went to visit the business, I found nothing – shell companies, vacant offices with no furniture, or no such business whatsoever at the address listed on the account records.” Read the full story here

In response to this expose, HSBC has tried to force the publication to withdraw the story. Read report here. To ensure that the stories will be available for the readers, they are archived by Naavi.org/ceac.in to be used if required.

This story also corroborates what Mr Yash, a security professional in Bangalore has been stating on his attempts to bring to public knowledge the security vulnerabilities in the E banking system.

E Banking Security Guarantee Scheme

Feb 12: Naavi.org has been at the forefront of a crusade to make E Banking systems safer for Bank Customers. Here is a suggestion that the RBI can implement in this direction. This could be a temporary or a permanent measure that can ensure safety of the funds of the E-Banking Customer and could be the only solution for survival of the Indian Banking at this point of time... More

Reduction of Phishing in Ahmedabad

Feb 12: Police in Ahmedabad have reported a substantial reduction of Phishing in Ahmedabad after a leading local bank introduced an IP filtering system to eliminate Nigerian IP addresses. If this is possible for one bank in one city, it should perhaps be adopted by all other banks. Related Article

 

Facebook Responds to Victims

Feb 12: During the last week, two victims who had seen false profiles being created in their names on Facebook found quick relief after the matter was suitably taken up with the Facebook team through a Section 79 notice from Naavi.org. Facebook appears to have set up a new grievance redressal mechanism to meet such requests. These two cases were not cases of freedom of speech. One was a case in which obscene pictures were posted in the profile, and in the other, pictures stolen from a lost mobile had been used. We congratulate Facebook for their quick response. It has given relief to two young girls who were facing extreme stress on account of the activity of some irresponsible cyber criminals.

Will RBI take note of this?

Feb 10: Security researchers have identified a mobile botnet which appears to have compromised more than 100,000 Android devices. Though at present this botnet seems to be targeting mobiles in China, it gives notice of a serious security threat even to India, where RBI is pushing mobile usage for Internet banking. Naavi.org has been repeatedly warning RBI that security in Internet Banking itself is unacceptable and that if transactions are extended to mobile devices, further doors of opportunity will be opened for criminals at the expense of Bank customers. Related Article

Indian Banking System in danger of collapse..What are the solutions?

Feb 8: Given the alarming security situation in E Banking and continued apathy of the RBI and collective failure of the ministries of Finance, Home and IT in the Central Government, here are some immediate measures required to ensure survival of the Banking system.... More

Three More Phishing Cases in Pune

Feb 8: Three phishing cases were registered involving a loss of Rs 17.5 lakhs to three customers in Pune. Fraudsters are making merry since banks are collaborating with the fraudsters with their lack of basic due diligence in the conduct of Banking and continued failure of Governance of the RBI. Report in Midday

Media Takes Notice of E Banking Vulnerabilities

Feb 7: The vulnerabilities in the E banking systems in India have slowly started getting the attention of the media. In a detailed article on the subject, Moneylife.in has detailed the risk of the Man in the Browser attack. Details

Bomb is ticking to destroy the Indian Banking System

Feb 7: Naavi.org has constituted an "Expert Group on E Banking Security" consisting of representatives from different walks of life, to which a security professional in Bangalore made a demo of vulnerabilities in the Indian E Banking Systems. The group is now contemplating further action to draw the attention of the RBI and the Government of India to find answers to some of the concerns raised during the demo. ... More

Report on Privacy Symposium

Feb 7: Here is a report in Tehelka on the Privacy Symposium held in Delhi on 4th February 2012. Report

20 Canara Bank Accounts Hacked through ATM

Feb 5: Naavi.org had reported a few months back about an ATM fraud in which a Bank of India customer had lost Rs 40,000/- through fraudulent withdrawal through a Canara Bank ATM. It had been pointed out in that case that Canara Bank did not have a CCTV camera in the ATM. Now it is reported that 20 account holders have suffered similar losses in Yelahanka town, where it has been found that fraudsters had deployed cameras to watch the customers' passwords. Obviously this must have been coupled with cloning of the card itself. It is also a practice in Canara Bank not to appoint any guards at the ATM, which makes it easy for fraudsters to manipulate the machines without being observed. This is a systemic flaw for which the Bank needs to be pulled up. Unfortunately, when this case was brought before the Banking Ombudsman Mr Palanisamy, he dismissed the customer's complaint and even ruled that no appeal can be made. Had he been fair in his decision at that time, he would have pulled up the Bank and the current fraud might have been avoided. Report in Youtube

Now even BBC agrees..Indian Banks wake up!

Feb 5: In the last week a serious discussion has ensued in India about the weaknesses in E Banking security. Despite the security professional Mr Yash demonstrating the weakness through a video recording of how a genuine Bank customer may find himself cheated on the E banking platform, Indian Banks have failed to respond to the public announcement of the threat. Out of the three Banks used by Mr Yash to demonstrate the weakness, one has used its influence to bring down the YouTube video, the other has issued a legal notice and the third has sent goons to the security professional's house to threaten him. If this is the attitude of the Banks, it appears they are not interested in securing Banking transactions.

The reason for this apathy stems from the fact that they are aware that the legal system in India is in favour of the Banks, since victims are financially unable to sustain the litigation. Presently two cases which were decided in favour of the customer are pending on appeal at the CAT, with the Government of India preferring to keep the institution closed by failing to appoint a Chairperson for the last 7 months. In the meantime, Banks are working overtime to get absurd interim orders from some obliging adjudicators against the customers using their financial muscle, knowing full well that it will take a long time for the case to get sorted out and that by that time the customer would be frustrated enough to withdraw his case.

Now BBC has also spoken about the Man In the Browser attacks similar to what Mr Yash was pointing out. Hopefully Indian administrators will now wake up. Related Article

HSBC Bank sends goons to silence a Security Professional

Feb 2: An ethical hacker from Bangalore who decided to disclose an E Banking vulnerability has found that the bank, instead of correcting the vulnerability, would like to silence him. Unlike another Bank which sent a legal notice for defamation, it is reported that HSBC Bank sent its recovery goons to his house when he was not available and caused annoyance and threat to his family members. RBI should take note of this illegal behavior of the Bank and conduct a suitable investigation.

Advertisements cause denial of access

Feb 2: We are all aware that ads provide for monetization of content sites and are therefore a good thing to be there in support of the free Internet system. But of late advertisers are becoming greedy and want to usurp the content space. Just as sometimes on TV we find that serials exist for the ads and Cricket matches are played for the ads, the web content is also becoming secondary to ads. I am not speaking of "Parked" websites which are deliberately created for monetizing zero content. I refer to respected newspaper sites which are overwhelmed by "Pop Up Ads" and "Video Ads". The Pop Up ads cover up the entire page and prevent the visitor from viewing the content for which he visited the site. Besides, there is an increasing trend of video ads that gulp the bandwidth of the user. It is also becoming increasingly common to disable closure of such ads, just as pornographic ads used to be. I saw one such ad today in the Business World site at the URL http://businessworld.in/businessworld/businessworld/content/SC-Quashes-122-Telecoms-Licences-Issued-2008.html-1. The ad itself belonged to Microsoft. There are similar ads on other sites and by other advertisers. I consider this as "Denial of Service" and "Diminishing the value or utility of information residing inside a computer resource", which are offences under ITA 2000/8. The advertiser as well as the publication will be responsible for such an offence. I wish respectable publications ensure that ads remain in the side bar and can pop out only on the user's request. Similarly, video ads should by default be in pause mode and the user should have the option to play it either in the allocated space or in full screen mode. See the ad here

Director CERT Clarifies

Feb 1: Director of CERT-IN, Mr Gulshan Rai has clarified in an interview with Mint that Government of India has so far not exercised its discretion in any case of Website blocking but only acted on Court orders. Details


PR Syndicate honours 'Cyber Law Guru of India', Na.Vijayashankar

PR Syndicate (an organization of Corporate PR Professionals in Chennai) celebrated its First Anniversary on 20th January 2007 at Russian Cultural Centre. On the occasion, the "Award of Excellence in Public Life" was presented to 'Cyber Law Guru of India' Na.Vijayashankar...More

 

What is Naavi.org?

Naavi.org is India's premier portal on Cyber Law. It is not only an information portal containing information on several aspects concerning Information Technology Law in India but also represents the focal point of several services around Cyber Law carried on by Naavi.

The first such service is the Cyber Law College, a virtual Cyber Law education center in India which provides various courses on Cyber Law.

The second key service is the Cyber Evidence Archival center, which provides a key service to help administration of justice in Cyber Crime cases.

The third key service is the domain name look-alikes dispute resolution service, which provides a unique solution for websites with similar looking domain names to coexist.

The fourth key service is the online mediation and arbitration service, another unique global service.

The fifth key service is the CyLawCom service which represents the Cyber Law Compliance related education, audit and implementation assistance service.

Additionally, Naavi.org is in the process of development of four sub organizations namely the Digital Society Foundation, Naavi.net, International Cyber Law Research Center and Cyber Crime Complaints and Resolution Assistance Center. Digital Society Foundation is a Trust formed with the objective of representing the voice of Netizens in various fora and work like an NGO to protect their interests. Naavi.net is meant to develop a collaborative distributed network of LPO consultants. International Cyber Law Research Center would support research in Cyber Laws and Cyber Crime Complaints and Resolution Assistance Center would try to provide some support to victims of Cyber Crimes.

Together, Naavi.org represents a "Cyber Law Vision" that goes beyond being a mere portal. Started in 1997, when the concept of Cyber Law was new across the globe, consistent efforts over the last decade have brought Naavi.org to the beginning of "Phase 2", in which the services are ready to reach out to a larger section. This is recognized as the phase of collaborations and growth by association. Naavi.org will therefore be entering into a series of associations to develop each dimension of its vision with an appropriate partner. Individuals, Organizations and Commercial houses which have a synergistic relationship with the activities of Naavi.org are welcome to join hands in commercial and non-commercial projects of Naavi.org.

Naavi



If you would like to know more about Naavi, the information is available here.
