Why CISO's of Banks will be guilty of murder
Feb 29: This is in continuation of the
previous articles on how Bank fraud victims are suffering heart attacks
because of the loss of their life time savings and focuses on the
responsibility of the CISOs....
SBI is unconvincing in explaining Patna ATM Frauds
Feb 29: 22 ATM fraud cases are reported to
have been filed in SBI ATMs in Patna involving a loss of Rs 12 lakhs to
different customers including Rs 4 lakhs by a retired Police officer. (Refer
article in TOI) GM of the Bank has blamed the customers for taking
the help of strangers and not protecting the PIN. However the GM has
failed to explain how the fraudsters have been able to withdraw money
only with the PINs even if they get access to it without the presence of
a Card. If the ATMs can be operated without Cards or with cloned cards,
the responsibility for having such ATMs must be taken up by the Bank. If
there were guards and CCTV as claimed by the GM, why they are not able
to find out those who withdrew the money?. Banks should stop lying about
their security and RBI should stop being silent. In fact the Ombudsman
in Patna should ensure that all the losses are recovered from the Bank
on the lines of the recommendations of the Damodaran Committee.
Related Article in TOI
Indian BPO Owner Charged of Extortion
Feb28: An Ahmedabad Call Center owner has been
charged of running an extortion racket threatening US customers and
forcing them to pay non existing loan dues. The incident reported
charges the owner directly of having committed the offence and not for
vicarious liabilities for his employee's actions. It is alarming that an
owner should commit such a fraud but if true it is a big shame on the
BPO industry in India. It is more probable that such frauds may be
committed by employees of the Call Centers in which case the owner still
takes the liability for the action of its employees but could consider
covering such losses through insurance and appropriate due diligence.
Report in Livemint
Megaupload owner arrested
Feb 28: The owner Mr Kim Dotcom of
megaupload.com allegedly one of the sites mis-using the concept os
secure cloud hosting to host and distribute pirated content has been
Blood of Bank fraud victims are on these hands...
Feb 26: Naavi has been crusading against the
Indian Bankers who are in pursuit of commercial profits even at the cost
of the lives of their customers. The days when we considered "Customer
is the King.." as suggested by Mahatma Gandhi is over. Today most
bankers have no idea how their services are making their customers lose
several years of their active life. A series of articles are presented
here on the current status of E Banking customers in India..
Indian Media is Insensitive..here
Blood of Bank fraud victims are on these hands...
Watch out for more articles...
SMS Texting Banned in HIPAA Context
Feb 23: The Joint Commission on Accreditation
of Healthcare Organizations (JCAHO) recently issued a “ban” on physician
texting, saying it’s “not acceptable” for medical professionals to
communicate patient information via SMS. This is likely to push for the
use of secure messaging systems. RBI should take note of this
development as they are pushing the use of mobiles in Indian Banking
system unmindful of the risks. JCAHO is an independent, not-for-profit
organization, which accredits and certifies more than 19,000
health care organizations and programs in the United States. Joint
Commission accreditation and certification is recognized nationwide as a
symbol of quality that reflects an organization’s commitment to meeting
certain performance standards.
Surge in HIPAA Compliance Issues
Feb 23: According to a recent research in US,
data breaches in 2011 have risen by 32% while at the same time
regulations have become more stringent. Covered entities are therefore
seeing a squeeze from both sides with increasing risks and increasing
regulatory pressures. It is reported that 92% of all healthcare
institutions have experienced data breach incidents atleast once in last
two years and each such incident costs on an average USD 2.2 million.
TRAI should Investigate Billing Frauds
Feb 23: After the Number Portability has been
introduced in the mobile circles, companies are finding that if there
are any billing disputes, customers opt for MNP and move out. However
MNP is still not available for data cards and it appears that mobile
companies are now focusing on cheating customers on data transactions
which are more difficult to verify. Airtel being the leader in the
industry appears to be also leading in this scam. It is essential for
TRAI to introduce a system whereby false data billing can be identified
and customers saved from such frauds.
executives of MTS have been arrested in Mumbai for misusing the KYC
forms issued by one customer and using it to issue data cards to another
after switching photographs to boost sales.
Airtel has been doing this by falsely billing data
usage on cards even when they are not in use. ( I am refering to my own
account as an example). Such false billing has also been observed on the
mobile. It appears that this is prevalent in 3G connections. I have also
demanded Airtel to provide me a study of 3G speeds available in
Bangalore in different parts to substantiate their marketing claims. I
allege that Airtel 3G does not provide 3G speeds but substantially
operates only on 2G networks. Their marketing claims are therefore
false. I have also asked them to provide me the details of my data usage
with reference to the IP addresses and destinations and I am yet to
receive their reply.
It may be necessary for a large scale investigation
to unearth a corporate fraud in Airtel billing department TRAI should
stake steps in this regard.
TRAI should also ensure that the data card device
should be portable across different service providers so that the
customer is not locked onto a service provider if he does not want to.
AIRTEL sends bills in transparent covers
Feb 23: In a bizarre observation, Midday
reported that hundreds of customers of Airtel received their bills in
transparent covers with the entire bill being visible. Has anybody in
Airtel heard of "Privacy", "Sensitive Personal Information", "Reasonable
Security Practice"?. The incident is a clear violation of Section 43A
and 79 of ITA 2008 and action needs to be taken against the Company.
Mid Day article
Ethical hacker in UK jailed for 8 months
Feb22: An ethical hacker in UK was jailed for
8 months for hacking Face Book. The matter was unearthed in a regular
security review at Face Book and investigated by FBI claiming that it
has rights to deal with hackers in UK. Passing the judgment Judge
Alistair McCreth observed that the hacking could have potentially caused
very serious consequences to Face Book but agreed that the hacker did
not have any intention of making any commercial gain. The Court observed
that there could be an indication of an "Asperger's
Syndrome" in the hacker's behaviour of trying to prove himself
to his father.
Bangladesh Hackers/Terrorists give notice through
Feb 21: Hackers from Bangladesh appear to be
using You Tube to send a message to India. They have sent a few demands
which are more that of terrorists and threaten a large scale hacking of
Indian sites if their demands are not met. The threat is made out in the
name of the Bangladesh Cyber Army. It would be interesting to know what
the Indian Government response would be apart from perhaps asking for
the video to be taken down.
Laws More Misused than applied purposefully
Feb 21: The case of a web journalist in
Bangkok being tried for publication of comments by visitors on her
website is a case where the intermediary is being held unreasonably
liable for an offence committed by some body else. If more such cases
surface, the intermediaries will be so much afraid of posting any
content that Internet ceases to be of any value as a medium of free
expression. This approach may lend legitimacy to underground
publications who may work outside the legal control. If we want
"Responsible Behaviour of Netizens" it is also necessary that regulators
are reasonable in their approach to political criticism.
Case Filed For Disclosure of Face Book Security
Feb 19: A security specialist in Hyderabad has
filed a case in AP High Court seeking directions to GOI to demand
disclosure of the security architecture of Face Book. It has also
demanded that Face Book should use stringent identitification measures
such as Face Recognition before opening of profiles to avoid fake
Report in TOI
HSBC Bank into massive money laundering?
Feb 16: In a shocking revelation, an ex
employee of HSBC has revealed that there is a massive money laundering
operation going on in HSBC and is reportedly produced more than 1000
customer pages as evidence. The employee who was working as a
Relationship Manager has said “I was shocked to find accounts through
which millions of dollars were being deposited and withdrawn without any
apparent business activity being conducted,...Then when I went to visit
the business, I found nothing – shell companies, vacant offices with no
furniture, or no such business whatsoever at the address listed on the
Read the full story here
In response to this expose, HSBC has tried to force
the publication to withdraw the story.
Read report here. To ensure that the stories will be available for
the readers, they are archieved by Naavi.org/ceac.in to be used if
This story also corroborates what Mr Yash, a security
professional in Bangalore has been stating on his attempts to bring to
public knowledge the security vulnerabilities in the E banking system.
E Banking Security Guarantee Scheme
Feb 12: Naavi.org has been in the forefront of a
crusade to make E Banking systems safer for the Bank Customers.
Here is a suggestion that the RBI can implement in this
direction. This could be a temporary or a permanent measure that
can ensure safety of the funds of the E-Banking Customer and
could be the only solution for survival of the Indian Banking at
this point of time...
Reduction of Phishing in Ahmedabad
Feb 12: Police in Ahmedabad have reported
substantial reduction of Phishing in Ahmedabad after a leading local
bank introduced IP filtering system to eliminate Nigerian IP addresses.
If this is possible for one bank in one city it should perhaps be
adopted by all other banks.
Face Book Responds to Victims
Feb 12: During the last week two victims who
had seen false profiles being created in their names on Face Book
found a quick relief after the matter was suitably taken up with the
Face Book team through a Section 79 notice from Naavi.org. Face Book
appears to have set up a new grievance redressal mechanism to meet such
requests. These two cases were not cases of freedom of speech. One was
the case in which obscene pictures were posted in the profile and in the
other pictures stolen from a lost mobile had been used. We congratulate
Facebook for their quick response. It has given relief to two young
girls who were facing extreme stress on account of the activity of the
some irresponsible cyber criminals.
Will RBI take note of this?
Feb10: Security researchers have identified a
mobile botnet which appears to have compromised more than 100,000
Android devices. Though at present this botnet seems to be targeting
mobiles in China, it gives notice of a serious security threat even to
India where RBI is pushing mobile usage for Internet banking. Naavi.org
has been repeatedly warning RBI that security in Internet Banking itself
is unacceptable and if transactions are extended to mobile devices
further doors of opportunity will be opened out for criminals at the
expense of Bank customers.
Banking System in danger of collapse..What are the solutions?
Feb 8: Given the alarming security situation
in E Banking and continued apathy of the RBI and collective failure of
the ministries of Finance, Home and IT in the Central Government, here
are some immediate measures required to ensure survival of the Banking
Three More Phishing Cases in Pune
Feb 8: Three phishing cases were registered
involving a loss of Rs 17.5 lakhs to three customers in Pune. Fraudsters
are making merry since banks are collaborating with the fraudsters with
their lack of basic due diligence in the conduct of Banking and
continued failure of Governance of the RBI.
Report in Midday
Media Takes Notice of E Banking
Feb 7: The vulnerabilities in the E banking
systems in India has slowly started getting the attention of the media.
In a detailed article on the subject Moneylife.in has detailed the risk
of Man in the Browser attack.
ticking to destroy the Indian Banking System
Feb 7: Naavi.org has constituted an "Expert
Group on E Banking Security" consisting of representatives from
different walks of life to which a security professional in Bangalore
made a demo of vulnerabilities in the Indian E Banking Systems. The
group is now contemplating further action to draw the attention of the
RBI and the Government of India to find answers to some of the concerns
raised during the demo. ...
Report on Privacy Symposium
Feb7: Here is a report in Tehelka on the
Privacy Sympoisum held in Delhi on 4th February 2012.
20 Canara Bank Accounts Hacked through ATM
Feb 5: Naavi.org had reported a few month's
back about an ATM fraud in which a Bank of India customer had lost Rs
40,000/- through fraudulent withdrawal through a Canara Bank ATM.
It had been pointed out in that case that Canara Bank was not having a
CCTV camera in the ATM. Now it is reported that 20 account holders have
suffered similar losses in Yelahanka town where it has been found that
fraudsters had deployed cameras to watch the customer's passwords.
Obviously this must have been coupled with closing of the card itself.
It is also a practice in Canara Bank not to appoint any guards at the
ATM which makes it easy for fraudsters to manipulate the machines
without being observed. This is a systemic flaw for which the Bank needs
to be pulled up. Unfortunately when this case was brought before the
Banking Ombudsman Mr Palanisamy, he dismissed the customer's complaint
and even ruled that no appeal can be made. Had he been fair in his
decision at that time he would have pulled up the Bank and the current
fraud might have been avoided.
Report in Youtube
Now even BBC agrees..Indian Banks wake up!
Feb 5: In the last week a serious discussion
has ensued in India about the weaknesses in the E Banking security.
Despite the security professional Mr Yash demonstrating the weakness
through a video recording of how a genuine Bank customer may find
himself cheated on the E banking platform, Indian Banks have failed to
respond to the public announcement of the threat. Out of the three Banks
used by Mr Yash to demonstrate the weakness, one has used its influence
to bring down the you tube video, the other has issued a legal notice
and the third has sent goons to the security professional's house to
threaten him. If this is the attitude of the Banks it appears they are
not interested in securing the Banking transactions.
The reason for this apathy stems from the fact that
they are aware that the legal system in India is in favour of the Banks
since victims are financially unable to sustain the litigation.
Presently two cases which were decided in favour of the customer are
pending on appeal at the CAT with Government of India preferring to keep
the institution closed by failing to appoint a Chair Person for the last
7 months. In the meantime Banks are working overtime to get absurd
interim orders from some obliging adjudicators against the customers
using their financial muscle knowing fully well that it will take a long
time for the case to get sorted out and by that time the customer would
be frustrated enough and withdraw his case.
Now BBC has also spoken about the Man In the Browser
attacks similar to what Mr Yash was pointing out. Hopefully Indian
administrators will now wake up.
HSBC Bank sends goons to silence a
Feb 2: An ethical hacker from Bangalore who
decided to disclose an E Banking vulnerability has found that the bank
instead of correcting the vulnerability would like to silence him.
Unlike another Bank which sent a legal notice for defamation, it is
reported that HSBC Bank sent its recovery goons to his house when he was
not available and caused annoyance and threat to his family members. RBI
should take note of this illegal behavior of the Bank and conduct a
Advertisements cause denial of access
Feb 2: We are all aware that ads provide for
monetization of content sites and are therefore a good thing to be there
in support of the free Internet system. But of late advertisers are
becoming greedy and want to usurp the content space. Just as some times
on TV we find that serials exist for the ads, Cricket matches are played
for the ads, the web content is also becoming secondary to ads. I am not
speaking of "Parked" websites which are deliberately created for
monetizing zero content. I refer to respected news paper sites which are
overwhelmed by the "Pop Up Ads" and "Video Ads". The Pop Up ads cover up
the entire page and prevents the visitor from viewing the content for
which he visited the site. Besides there is an increasing trend of video
ads that gulp bandwidth of the user. It is also becoming increasingly
common to disable closure of such ads just as pornographic ads used to
be. I saw one such ad today in the Business World site at the URL
The ad itself belonged to Microsoft.. There are similar ads on other
sites and by other advertisers. I consider this as "Denial of Service"
and "Diminishing the value or utility of information
residing inside a computer resource" which are offences under ITA
2000/8. The advertiser as well as the publication will be responsible
for such an offence. I wish respectable publications ensure that ads
remain in the side bar and can pop out only on user's request. Similarly
video ads should by default be in pause mode and the user should have
the option to play it either in the allocated space or on full screen
mode. See the ad here
Director CERT Clarifies
Feb 1: Director of CERT-IN, Mr Gulshan Rai has
clarified in an interview with Mint that Government of India has so far
not exercised its discretion in any case of Website blocking but only
acted on Court orders.