An Open Letter to Mr Kapil Sibal
July 31: ..It was good to hear in your interview on Headlines Today where you stated that there are no pending files in your Ministry... For the last few months, I have been reminding DIT that a decision on the appointment of the Presiding Officer of the Cyber Appellate Tribunal, in place of Justice Sri Rajesh Tandon who retired on June 30, 2011, was pending. My understanding is that this file has been pending on your table for a long time...
Complete Letter
New Draft of ESD Bill released
July 30: A new version of the draft of the proposed Electronic Services Delivery Bill has been released by GOI. This appears to be the final draft, which may be tabled in Parliament in the next session.
Copy of the revised Bill
SpyEye Poses new threats to Online Banking
July 30: Information security professionals in the banking industry are aware of the havoc that malicious code such as Zeus can cause to online banking security. When a computer is infected by Zeus v3, the trojan waits until the user logs in to his online banking account and then hijacks the session from inside the browser. It checks whether the customer has more than 800 pounds in the account, and only then gets to work.
Now another malicious code, "SpyEye", poses similar risks: it executes its own transactions while the customer is logged in to the bank. SpyEye is a botnet with a network of command-and-control servers hosted around the world. Some experts indicate that the capabilities of Zeus and SpyEye have been merged to create an even more formidable malicious code.
In the light of these threats, banks need to re-evaluate their security measures as a part of "Due Diligence" and initiate appropriate countermeasures to meet the SpyEye risk. Since the fraudulent transaction originates from the customer's own authenticated session, controls that stop at login (password plus OTP) will not see it; the check has to be applied to the transaction itself.
Indian bankers who rely on customer-bullying tactics to hoist cyber crime liabilities on the customers need to take note that RBI, under the implementation of the GGWG recommendations, will be keenly monitoring the measures initiated by the banks as recommended in the committee's report.
Related Article:
Banking Risks on Zeus-SpyEye merger
Proposed HIPAA Disclosure Rule meets with stiff opposition
July 30: The proposed rule whereby Covered Entities and Business Associates are required to provide, when called for, certain collateral information to data owners regarding disclosures of their data made under the Act has created a huge stir in the US market. The "Disclosure Accounting Rule" provides that the information owner has a right to demand the particulars of any disclosures made by a Covered Entity or a Business Associate. This requires recording and archiving who accessed the information, whether the access was permitted by HIPAA or was unauthorized, and disclosing that record when required. Compliance with the rule requires changes to software and involves costs. In a recent survey conducted to elicit the response of the stakeholders, a substantial number of respondents reportedly felt that the rule is impractical. It is however unlikely that the Government will yield to the pressure of the lobbyists.
Related Report:
Earlier Comment in Naavi.org: Third Invasion of HIPAA into India will be like a Tsunami attack
Paper Trail test on EVM Unsuccessful
July 30: It has been reported that a test of the process of capturing a paper trail for the electronic voting system, conducted in Delhi, has not produced satisfactory results. According to a report which appeared in thevotingnews.com, a substantial number of electronic votes did not have corresponding paper trail records.
It may be noted that Naavi expressed the view long ago that the current EVMs are not Cyber Law Compliant, and also indicated how they can be made compliant. The solution proposed by Naavi was also offered to the Election Commission by its inventor, who had filed a patent application for it. However, at that time the Election Commission did not show any interest. It is high time that the design suggested by Naavi is given fair consideration, since it not only provides for a trail being created but also ensures confidentiality and legal compliance.
Related Articles:
Solution to EVM Controversy
EVM Controversy
PIL Filed on Electronic Voting System
Clarifications on Cyber Law Compliancy of EVMs
Cyber Law Compliancy and Electronic Voting
Remote Controlling EVM – Manufacturing Election Result
Banker's meet on Information Security
July 29: The Indian Banks' Association held its second annual information security seminar at the Taj President, Mumbai, today. The event, widely attended by the banking community, discussed several information security issues relevant to bankers. Mr G. Padmanabhan, Deputy Governor of RBI, who inaugurated the program, highlighted the steps taken by RBI in recent days to improve the security of banking transactions on the electronic platform and urged the banks to strengthen their security measures and also take steps to educate customers. Naavi, speaking on a panel, highlighted the legal issues of information security as proposed in the G. Gopalakrishna Working Group report and why the use of digital signatures and encryption of SMS messages have become a TINA (There Is No Alternative) factor in e-Banking.
Speech of Mr Padmanabhan:
Webcast Link:
Naavi's Speech (Time: 19.20 to 35.20)
Single KYC for Financial Sector
July 25: Recognizing the inability of banks to fulfil KYC obligations in proper form, the Financial Stability and Development Council (FSDC) has recommended consideration of a common KYC approach which is more stringent than the present KYC that individual banks seem to be adopting. At a time when UID is also accelerating its identity program, the proposal appears to be an industry attempt which may overlap with UID. Unless the system that the FSDC recommends is structured differently to suit banking needs, there is a likelihood that the suggested system may turn out to be superfluous.
Presently many banks have treated KYC as a replacement for the system of Introduction which banking law and practice required under Section 131 of the NI Act. RBI has repeatedly stated that Introduction is required even when KYC verification through the telephone bill, PAN card etc. is done. FSDC needs to ensure the differentiation between UID and the new KYC if the suggestion is to have relevance.
Related Article
Will for Digital Assets
July 25: Making a will is the recommended process for transferring one's self-acquired assets, or one's share of ancestral property inherited by intestate succession. Doubts often arise when the asset involved is a "Digital Asset". Under ITA 2008, a will cannot be executed in the form of an electronic document. However, there is no bar on recognizing a digital asset as property and including it in a will made on paper.
Related Article
Rs 168 crore damage claimed for data theft charge
July 25: In what is likely to be a landmark case, Travelocity has claimed damages of Rs 168 crore from Cleartrip.com, alleging wrongful benefits received through data theft. The case has been filed in the Bombay High Court. The case relates to incidents in 2007, and hence ITA 2000 and not ITA 2008 would be applicable. The allegation is that client information was passed on by an executive who later joined Cleartrip.com. The evidence involves e-mails alleged to have been received by the employee during his tenure at Travelocity and recovered from Travelocity's computers. This trial would put to test the efficacy of the forensic investigation report that would be submitted by the Police in their chargesheet.
Report
When a Fraudster uses your name...
July 25: Fraudsters often make use of the names of genuine companies to convince their prospective victims. Here is an example of a phishing mail recently received in the name of the Department of Homeland Security, US Government. It provides a list of persons who are supposed to have received parcels through two courier companies, UPS and FedEx, along with the parcel numbers.
In a situation like this, prospective victims would like to check the websites of the respective courier companies to confirm the statements made. If these companies provide a prominent notice on their websites, it would be possible to warn the prospective victims. This is not only a public duty but also "Due Diligence" as an intermediary. They can also use a Cyber Notice to advise the public that they are not involved in the scam. If this is neglected, it can be anticipated that the next version of this scam will provide a link to a fake FedEx/UPS tracking page where a positive tracking result is shown for the listed parcels to further convince the victims.
Copy of the Phishing Mail
It was found that UPS does have a prominent page alerting visitors about various frauds that may be conducted in its name. However, FedEx did not appear to have a similar public notice.
HIPAA Complaint Converted to Criminal Prosecution
July 23: In the first publicly known instance of a HIPAA complaint turning into a federal criminal prosecution, criminal charges have been initiated against an osteopathic doctor for allegedly sharing a patient's protected health information with his employer. According to a statement from the federal prosecutors, Richard Alan Kaye of Suffolk, Va., allegedly provided a patient's employer with protected health information "under the false pretenses that the patient was a serious and imminent threat to the safety of the public, when in fact he knew that the patient was not such a threat."
Report
Blocking of websites has never been so easy in India
July 23: It is reported that Reliance Big Pictures has obtained a John Doe order (against unknown parties) from the Delhi High Court to block certain file sharing websites on the presumption that the sites may be used for downloading pirated copies of the movie Singham. This is a speculative order, and armed with it the DOT appears to be blocking whatever file sharing sites it knows of. It would be interesting to check the legality of this order at the Supreme Court.
Report
Two Nigerians Sentenced to 7 years
July 20: Two Nigerians were sentenced to seven years' imprisonment for online fraud under the IPC by a court in Malappuram, Kerala.
Report
Income Tax Department Shows the Way..How to respond to Phishing?
July 15: Phishing is an often discussed subject among bankers and cyber security professionals. We also discuss and debate what an organization should do when its name is being impersonated and phishing frauds are taking place.
... it was interesting to observe today how the Income Tax department has tried to handle customer information regarding phishing attacks in the name of the department. The steps taken by the department deserve full appreciation, and whoever was personally responsible for introducing these measures deserves commendation.
..More
OTP Compromised by Zeus Trojan
July 15: A new variant of the Zeus trojan is designed to steal the One Time Passwords used by banks. The malware poses as a legitimate banking security application called "Rapport", and once installed on the customer's mobile phone it intercepts all incoming SMS messages and forwards them to a remote server, so that an OTP sent by SMS reaches the attacker as well as the customer.
Related Article
FFIEC Suggests Layered Security for Banks
July 14: FFIEC (Federal Financial Institutions Examination Council), the interagency body of US financial regulators, has issued a supplement to its "Authentication in an Internet Banking Environment" guidance. The supplement highlights the need for a layered security approach in which risk detection is built into the authentication system: suspicious activity is to be detected both at login and when a transaction is initiated, and no single control such as a password or an OTP is relied upon on its own. Indian banking systems suffer from phishing frauds because neither the banks nor software vendors like Infosys, which supplies the Finacle core banking software, incorporate these risk management principles. CISOs of banks need to take a look at these guidelines and implement them along with what ITA 2008 and GGWG mandate.
Copy of the guidance note
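To make the "layered security" point concrete, here is an added example (not from the FFIEC text, the GGWG report or any bank's software) of a risk-scoring step that runs at transaction initiation behind the OTP check. The customer profile, the signal weights, the thresholds and the four sample transfers are all constructed for illustration. The same block also covers the SMS OTP interception described in the Zeus item above: the "mitb" sample carries a valid OTP but is still held, because the device, country, payee and amount are all out of pattern for the customer.

```python
# Added example (not from the FFIEC supplement or any bank's system): a
# risk-scoring step that sits behind the OTP check at transaction initiation.
# Profile values, weights, thresholds and the sample events are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Profile:
    """What the bank already knows about this customer (constructed)."""
    known_devices: frozenset
    usual_countries: frozenset
    typical_amount: float       # e.g. median of past transfers
    known_payees: frozenset


@dataclass(frozen=True)
class Event:
    """One funds-transfer request as seen by the server."""
    device_id: str              # browser/device fingerprint
    country: str                # geolocated from the source IP
    amount: float
    payee: str
    otp_ok: bool                # SMS OTP entered correctly?
    minutes_since_login: float


# Weights are illustrative; a real deployment tunes them on its own fraud data.
def risk_signals(profile: Profile, ev: Event) -> dict:
    signals = {}
    if ev.device_id not in profile.known_devices:
        signals["new_device"] = 30
    if ev.country not in profile.usual_countries:
        signals["unusual_country"] = 25
    if ev.payee not in profile.known_payees:
        signals["new_payee"] = 20
    if ev.amount > 5 * profile.typical_amount:
        signals["amount_spike"] = 30
    if ev.minutes_since_login < 1.0:
        signals["scripted_pace"] = 15     # transfer fired seconds after login
    return signals


def decide(profile: Profile, ev: Event) -> tuple:
    """Return (score, action). The OTP is one layer, not the final gate:
    a correct OTP never overrides a hold, because the OTP itself may have
    been forwarded to the attacker by malware on the customer's phone."""
    signals = risk_signals(profile, ev)
    score = sum(signals.values())
    if not ev.otp_ok:
        return score, "deny"
    if score >= 70:
        return score, "hold_for_review"
    if score >= 30:
        # confirm through a channel other than SMS (e.g. a call-back)
        return score, "out_of_band_confirm"
    return score, "allow"


SAMPLE_PROFILE = Profile(
    known_devices=frozenset({"dev-a1"}),
    usual_countries=frozenset({"IN"}),
    typical_amount=4000.0,
    known_payees=frozenset({"p-rent"}),
)

SAMPLE_EVENTS = {
    "routine":   Event("dev-a1", "IN", 5000.0, "p-rent", True, 8.0),
    "new_payee": Event("dev-a1", "IN", 25000.0, "p-new", True, 5.0),
    # Zeus-style: valid OTP, but unknown device abroad, new payee, big amount
    "mitb":      Event("dev-zz", "RO", 95000.0, "p-mule", True, 0.5),
    "bad_otp":   Event("dev-a1", "IN", 5000.0, "p-rent", False, 8.0),
}


def screen_samples() -> dict:
    """Run every constructed event through the layered decision."""
    return {name: decide(SAMPLE_PROFILE, ev) for name, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for name, (score, action) in screen_samples().items():
        print(f"{name:10s} score={score:3d} -> {action}")
```

Run it as a script to print each decision. The design point is that the OTP result is only one input; the hold is decided on the transaction's own attributes, so an OTP that was forwarded to the attacker's server (as in the Zeus SMS-forwarding variant) does not by itself release the funds.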
Due Diligence: Chairman of Banks in India
July 13: Today two interesting news reports have appeared in the newspapers. As an ex-Banker and presently a Techno Legal Information Security Consultant as well as a Netizen activist, however, my thoughts run in a different direction and I would like to point this out for the specific notice of the Chairmen of various Banks in India....
More
Related report in DH :
Related Report in HT
Writing Down the Password
July 13: Bankers often blame customers who write down their ATM PIN on the ATM card. When the card is lost, the thief has both the card and the PIN and can use it effortlessly. While we can blame the ignorance of "Mr Citizen" for this practice, it now transpires that one of the banks in Mumbai had written the code for disarming the night burglar alarm system next to the strong room. The thief promptly used it to deactivate the alarm and complete the burglary. Who is to blame? The manager, all the staff in the branch, the inspectors, the Bank's training system, or the CEO? A good case to say that ignorance and negligence are not limited to the "aam aadmi" but extend to professional bankers as well.
Related Story
Why is Bloggernews.net still blocked in India?
July 13: It is difficult to understand why the site bloggernews.net remains blocked in India. Some time back one article written by me on this site was sought to be blocked with a Court order. It related to a dispute between a company called E2labs in India and the owners of Zone-H.org. E2Labs had filed a defamation suit in a Court in Delhi and asked for an interim order to block the URL. Accordingly an order was made to block the specific URL
http://www.bloggernews.net/124029
I would urge the honourable Delhi High Court to review its order since the order has become redundant. If the blocking of the entire site is not authorised by the Court or GOI, each of the ISPs who have caused the blocking is liable for "Denial of Access" and "Diminishing the Utility of a computer resource", which are offences under Section 66 of ITA 2008. The CEOs and CTOs of the ISPs are liable for imprisonment. If the blocking is unauthorized under Sec 69/69A, there could also be punishment under that section. It would be interesting for readers to search bloggernews.net for the keyword "India" and identify which article could be the one which has offended the GOI.
...More
Third Invasion of HIPAA into India will be like a Tsunami attack
July 12: India is an important outsourcing partner for the USA. Indian companies have a substantial stake in developments in the USA that may indirectly affect the business outsourced to India. ....Now yet another shake-up is visible in the form of the proposed changes in the Privacy Rule which HHS notified on May 31, 2011. The changes proposed, presently under a public comment period, are likely to hit the Indian outsourcing industry like a Tsunami....more
Corporate India Summit on IT Security
July 12: Secpro 2011, an annual IT Security summit organized by NISPANA, is going to be held in Bangalore on the 21st and 22nd of July. Details of the summit are available here:
HIPAA Proposes New Rights to Individuals
July 12: The proposed changes to the HIPAA Privacy Rule suggested by HHS add e-discovery rights as part of the HIPAA privacy rights of data subjects. Presently HIPAA provides a right to request disclosure of one's own data, and there is also an obligation on the data processor to restrict access to data to authorized persons only. Now the data subject can request an "Accounting of Disclosures", meaning that the data subject will have the right to request information on who accessed his data etc. This is an innovative proposition which should be welcomed by all those who respect the right of an individual to enforce privacy. This was already included as a recommended security practice under Naavi's IISF-309, the security framework developed for ITA 2008 compliance in India, and now there is a legal precedent under HIPAA.
An Interesting Identity Misuse in USA
July 11: Here is an interesting case of identity misuse and its implications under HIPAA. A patient was operated on for a heart problem in a hospital and died. His family sued the hospital for negligence. During the suit it was admitted by the family that the patient had checked in using his brother's name since the insurance was in the name of the brother. Now the hospital will not get its insurance payment. The patient's family has to fight through the charge of fraud before its negligence case can be sustained. The Court will now decide if the dead man was indeed the insurance holder, and if it decides so, the living brother would have suffered a death by proxy.
When India starts depending on UID, we may also see such cases whenever a data entry clerk mistypes the UID number in a hospital admission register.
Related news
Company Law adoption of ITA 2008
July 11: ITA 2000 was expected to usher in a "Digital Revolution" in India since it provided legal recognition to electronic documents as well as a way of authenticating them. Though banking is one of the most digitized industries in India, we have repeatedly pointed out the reluctance of the industry to absorb the provisions of ITA 2000/8 into banking procedures. As a result, unauthenticated transactions rule the e-Banking scenario, exposing banks and customers to various kinds of avoidable risks. RBI has not so far been able to force the banks to adopt what is stated in the law or in RBI's own past guidance. However, the recent notification of the Gopalakrishna Working Group report may change the scenario, since RBI has prescribed an elaborate implementation and accountability mechanism for the adoption of security measures and legal obligations under ITA 2008.
In this context it is good to remember how the Ministry of Corporate Affairs has repeatedly introduced and advised changes in Company Law and procedures to ensure the adoption of ITA 2000/8 principles in the day to day affairs of companies. The demat form of corporate securities existed even before ITA 2000, but since then MCA has mandated digital signatures for the submission of annual returns and brought around 10 lakh corporate directors under the digital signature regime. The Income Tax department followed by enabling digital signatures for tax return submissions. Now MCA has also clarified that notices can be sent through digitally signed e-mails instead of by certificate of posting (since discontinued by the Postal department), annual reports can be sent in soft copy, Board meetings can be held through video conferencing, etc.
Related Report in Hindu
Naavi has been one of the early adopters of these principles and has created services such as arbitration.in, ceac.in and cyber-notice.com to enable companies to use electronic means of communication and governance. Hopefully companies will now appreciate the value of these services and start using them either on their own or on an outsourcing basis.
DIT Ignores Public Interest Call
July 11: It was pointed out through these columns that the Cyber Appellate Tribunal (CAT) of India, which is an important judicial office connected with cyber crimes and contraventions under the Information Technology Act 2000/8, has been deliberately allowed to remain without a head since 30th June 2011. However, it appears that the file remains with the DIT. I once again call upon the honourable minister Sri Kapil Sibal to devote five minutes of his time today, the 11th July 2011, to pick up the file relating to the appointment of the Chairman of CAT and dispose of it in whatever manner he considers fit. ..More
Responsibilities of Bankers under GGWG Recommendations
July 9: RBI conducted a two-day workshop on the GGWG recommendations for senior executives of banks at the College of Agricultural Banking, Pune. The program, the first such program from RBI after the new guidelines were issued on April 11th, was widely attended. Naavi, participating in the session on legal issues, highlighted the impact of ITA 2008 on the banking industry as indicated in the GGWG report. Mr G.S. Hegde, legal advisor of RBI who was also part of the GGWG, and Mr Kale, GM, RBI, who is in charge of the Customer Services department of RBI, also shared their views during the session.
A copy of the presentation made by Naavi on this occasion is available here:
Other articles
A New Service Launched
July 8, 2011: In continuation of the endeavour to introduce pioneering services to Netizens, Naavi has launched a new service at www.Cyber-Notice.com to provide a free and low-cost option for notices to be placed in cyberspace. The service is unique since the paid service comes with a CEAC certification of the publication of the notice and the period for which the notice was available. Suggestions for improving the service are welcome. Bulk users who would like to register themselves for special rates and credit facilities may contact the site administration...
Visit the site here
Future of e-Banking in India
July 3: Phishing frauds have become so common in banks that they will soon not be considered newsworthy. Naavi has been in the forefront of a crusade against bankers who have jumped onto the e-Banking bandwagon throwing all caution to the wind and making customers pay for the commercial greed of the banks.
In order to end speculation in this regard, Naavi has now placed a request with the Governor of the Reserve Bank of India that in three instances of known violation of RBI guidelines brought to their knowledge, RBI should penalize the respective branches of the bank by cancellation of branch licenses....More
Innocent Customer Suffers out of Bank's Negligence
July 2: An ATM fraud involving a customer of Bank of India has been reported from Bangalore which indicates the distinct possibility of an ATM card cloning syndicate operating in Bangalore. In this reported incident, a Canara Bank ATM was involved. It appears that the Banking Ombudsman has informed the customer orally that he has received a satisfactory explanation from the Bank and may be unable to resolve the dispute.
When the customer is still holding the card and the ATM bank is unable to produce CCTV evidence that the customer himself withdrew the amount, it is surprising how the Banking Ombudsman can conclude that RBI's directions have been followed by Bank of India and Canara Bank. RBI needs to take a closer look at the incident and come up with a proper explanation for the decision of the Banking Ombudsman.
In a similar incident in Gurgaon, under BO Complaint No. 201011014004856, where money had been drawn from a customer's Axis Bank account through ATMs in some foreign countries, the Ombudsman ordered that payment had to be made by the bank which held the customer's account. There are also other instances where Banking Ombudsmen have held banks liable in phishing cases, and some of these cases are reported in the compendium of cases published by RBI, so it is not clear why the Banking Ombudsman in Bangalore should take a divergent view. There is also a past case of Bank of India in Bangalore itself where the Ombudsman intervened and settled a claim of Rs 29,000/- for a phishing victim. RBI needs to ensure consistency in the decisions of its officers acting as Ombudsmen. ...More
Related Report in Deccan Chronicle
Cookie Legislation in UK
July 2: Websites which propose to track their users will require the users' explicit consent, according to a law passed in the UK. The law will be enforced after a period of one year. This is a provision similar to what GOI has introduced through the Sec 79 rules.
Related Report
The Status of CAT
July 1, 2011: The term of the current Chairperson (Presiding Officer) of the Cyber Appellate Tribunal (CAT), Justice Sri Rajesh Tandon, expired yesterday, the 30th June 2011, on his attaining the age of superannuation. Unfortunately, the Government does not appear to have taken timely action either to appoint a successor to Sri Tandon or to extend his term before it expired. As a result CAT will technically be closed from today until a new incumbent assumes office. ..More
Demat Fraud in Delhi
July 1: Six persons have been arrested for a fraud in which the offenders hacked into a demat account and sold shares worth Rs 94 lakh. The amount was transferred to a bank account opened in the name of the shareholder at ICICI Bank, Chandigarh. Yet another case of KYC negligence by the bank. Going by the frequency of frauds occurring through ICICI Bank accounts, it may be necessary for RBI to open a special division for conducting KYC inspections in ICICI Bank...provided RBI is serious about its obligations under the AML Act.
Related Story