Chanda Kochhar Allows Her E-Mail to Be Hacked?
ICICI Bank does business in a strange way. The
Bank prides itself on being one of the most progressive in its use of
technology. But along with that, it is also at the forefront in hosting a
large number of cyber frauds, though they might not be reported to RBI.
Most of these frauds are classified as "phishing", and the customers are
bulldozed into believing that it was their own mistake that they fell prey to a
phishing attack and that they should absorb the loss.
Of course, the S Umashankar Vs ICICI Bank case before
the Adjudicator of Tamil Nadu has changed this perception and made the
public aware that just because a customer allowed himself to be cheated
by a fraudster into revealing his password, the Bank cannot absolve
itself of its responsibility to adopt appropriate information
security policies to protect the transactions. This case proved that the
Bank's reckless attitude in opening accounts for fraudsters without
any KYC checks beyond the collection of some documents, whether genuine or faked,
together with its use of unauthenticated e-mails and an unauthenticated internet banking access system,
can come back to haunt it as a lack of due diligence and make the Bank liable along
with some of its executives.
Unfortunately, ICICI Bank has not learnt its lesson
even after being chastened by the Adjudicator's verdict. Recently, I
came across a strange way in which the Managing Director of ICICI Bank
handles her responsibility for receiving communication from the public
through e-mail. For those who may not remember, the Managing Director
of ICICI Bank is none other than Ms Chanda Kochhar, who rose through the
ranks at galloping speed to the top post in the Bank. Kochhar has
enjoyed many enviable recognitions, including the Padma Bhushan award for
her services to the banking sector. She is also the second Indian, behind
Sonia Gandhi, to be recognized by Forbes among the "World's 100 Most
Powerful Women". A hot favourite of our TV channels, she was the
honoured guest of Burkha Dutt and other TV personalities during the
last fortnight at the global business leaders' meet at Davos.
To ask such a distinguished person whether she knows how
to handle e-mails may appear, at first glance, to be very disturbing.
But look at this sequence of events.
There is an e-mail ID, "firstname.lastname@example.org".
It appears that the mail ID belongs to Ms Chanda Kochhar, the CEO.
Can it have any other interpretation? Obviously not.
Let's say you are a whistleblower and want to warn
the MD about the various frauds that happen in ICICI Bank and about how
criminals are flocking to open accounts in the Bank because it is the most
convenient bank to use as a conduit for frauds.
Where will you send the e-mail? Obviously to
But don't be surprised if you get a reply instead
from one K. Raghavender, who represents the "Office of the Head of Service
Quality". It is difficult to understand what the designation means. Is he the
"Head" of the Service Quality department, or is he just a member of the
team in that office? Never mind; but ask him why he is opening the
e-mails addressed to the MD. If he has not been authorized in writing to
do so, we can say that Mr Raghavender has been "hacking" into the MD's
e-mail. But Raghavender says he is authorized. He also adds that all
Directors of the Bank have authorized others to open their e-mails.
Oh, what a policy! It is perfect for later claiming that
any activity attributed to
email@example.com was actually done by somebody else in
the Bank. If the Governor of the Reserve Bank receives a response from
firstname.lastname@example.org, it might actually have been sent by
somebody else in the Bank.
Have you heard of "digital signatures" as a means of
authenticating e-mails, so that you can know who the sender of an
e-mail really is? ICICI Bank is one bank which hates digital signatures,
and it has made that known by recording dissenting comments in the S R
Mittal Working Group and, indirectly, in the G Gopalakrishna Working
Group on electronic banking. Now we know why ICICI Bank would be happy
with unauthenticated e-mails. Even the CEO prefers to do business
It looks wonderful, since many politicians also prefer
the same policy: subordinates sign the papers while the head gets his or her
work done through oral instructions, so that if a scam surfaces, it is
the small fish that get caught.
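The point the digital-signature passage above makes, that a verifiable signature tells the recipient who actually held the key that produced a message, whatever name the From line carries, is shown in the added Go example below. It is not code from the original post or from any bank: the mailbox names, addresses, keys and message text are constructed for the example, and it uses a bare Ed25519 signature over the headers and body rather than a full S/MIME or PGP message format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Mailbox pairs a display name with a signing key pair. Everything here is
// constructed for the example: the names and keys are illustrative and are
// not any bank's staff or keys.
type Mailbox struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewMailbox generates a fresh Ed25519 key pair for the named mailbox.
func NewMailbox(name string) Mailbox {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS random source is unavailable
	}
	return Mailbox{Name: name, Pub: pub, priv: priv}
}

// canonical fixes the exact bytes that are signed: the From and Subject
// headers plus the body, with CRLF normalised so a relay that rewrites
// line endings does not invalidate a genuine signature.
func canonical(from, subject, body string) []byte {
	body = strings.ReplaceAll(body, "\r\n", "\n")
	return []byte("from:" + from + "\nsubject:" + subject + "\n\n" + body)
}

// SignMail produces a detached signature over the canonical message,
// base64-encoded the way a signed-mail scheme would carry it in a header
// or attachment.
func (m Mailbox) SignMail(from, subject, body string) string {
	sig := ed25519.Sign(m.priv, canonical(from, subject, body))
	return base64.StdEncoding.EncodeToString(sig)
}

// VerifyMail checks a received message against the public key the recipient
// already holds for the claimed sender. Nothing inside the message (least of
// all the From header) is trusted to identify the signer.
func VerifyMail(senderPub ed25519.PublicKey, from, subject, body, sigB64 string) bool {
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(senderPub, canonical(from, subject, body), sig)
}

// Scenario plays out the situation in the article with constructed data: a
// message signed by the MD's own key, the same message signed by a staff
// member's key but still carrying the MD's address, and a message whose
// body was altered after signing. It returns the three verification results.
func Scenario() (genuine, impersonated, tampered bool) {
	md := NewMailbox("Managing Director")
	staff := NewMailbox("Service Quality desk")
	from := "md@example.org" // constructed address, used only as a header label
	subject := "Re: mediation request"
	body := "I have read your notice and will respond personally.\r\n"

	sigByMD := md.SignMail(from, subject, body)
	genuine = VerifyMail(md.Pub, from, subject, body, sigByMD)

	// Staff answer in the MD's name: the From line is the MD's, the key is not.
	sigByStaff := staff.SignMail(from, subject, body)
	impersonated = VerifyMail(md.Pub, from, subject, body, sigByStaff)

	// A genuine signature does not carry over to an edited body.
	tampered = VerifyMail(md.Pub, from, subject, body+"Please contact the police instead.", sigByMD)
	return
}

func main() {
	g, i, t := Scenario()
	fmt.Printf("signed with MD key:              verifies=%v\n", g)
	fmt.Printf("signed by staff, MD's From line: verifies=%v\n", i)
	fmt.Printf("MD signature, body edited:       verifies=%v\n", t)
}
```

The check is made against a public key the recipient already holds for the MD, obtained out of band, so a reply typed by someone else in the MD's name fails even though the From line is unchanged. Whether the CEO may delegate her mailbox is an internal policy question; what the signature settles is the separate question of whether the person receiving a message can tell who actually wrote it.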
But what a senior Bank executive like Chanda Kochhar
should understand is that if the Bank allows a practice where incoming
mails in the personal name of the MD are handled by others, even a legal
notice sent to Ms Chanda Kochhar would be answered by Mr Raghavender, who
always keeps a cut-and-paste paragraph for all his e-mails stating
"ICICI Bank has foolproof security. If anything has gone wrong at your
end, you must have done something wrong. Go to the Police and our Bank is
Recently, the undersigned wanted to send a mediation
request to Ms Chanda Kochhar to avoid a complaint being lodged against
her which could create civil and criminal liabilities for her. But
despite the seriousness being explained to Mr Raghavender through a series of
mails, he continues to answer all mails sent to
email@example.com. One hopes that if there is any need for Ms
Chanda Kochhar to pay damages or go to jail, Mr Raghavender would
More seriously, it is unfortunate that people in high
places, with a lot of responsibility on their shoulders, show such a
low understanding of how to handle communications in the electronic
space. Today we have one-to-one electronic communications, and they will be used
both for wishing someone a happy birthday and for serving legal notices.
If there is no respect for e-mail IDs issued in the
name of the Bank, it reflects the information security awareness, or more
accurately the lack of it, at the CEO level.
If this is the sad state of affairs at an apparently
tech-savvy Bank managed by a "Padma Bhushan", it is difficult to imagine
what the state of affairs would be in other Banks.
One also has to ask whether RBI factored in such a
lack of awareness amongst CEOs before introducing high-tech
banking through the Internet and mobiles.
In the recent G Gopalakrishna Working Group report, a
lot has been said about the need to educate customers regarding
frauds in electronic banking, but the working group perhaps
did not realize that awareness building has to start from the top.
Maybe RBI will now consider a "Workshop for CEOs of
Banks" on information security, cyber frauds and cyber laws as the first
recommendation to be implemented following the G Gopalakrishna Working
Group. Otherwise, how will Banks understand what information security is,
what the role of a CISO is, what DRP and BCP are, and the other matters on which the
working group has made many suggestions?
February 10, 2011
Copies of E-Mails Exchanged