Recently two Phishing Cases have been reported involving a combination of a Bank and a Mobile Service Provider. In both cases the combination is State Bank of India and Vodafone. Ever since RBI introduced the OTP system as a second factor authorization for some net based transactions, many Banks have jumped to the conclusion that this could secure them from Phishing liabilities. Banks like SBI and ICICI Bank strongly favoured 2F authentication even at the expense of the legally mandated PKI based digital signature system for authentication of Internet based transactions during discussions in the G Gopalakrishna Working Group.

Though RBI has always been in favour of the use of PKI based authentication system  SBI as the leading representative of the industry and in control of  IBA  has been opposing the introduction of digital signature based authentication system. It is therefore significant that in a series of frauds now surfacing are from SBI. Last week Naavi.org reported a fraud from Mumbai involving Rs 10 lakhs. Now another fraud has been reported from Kolkata involving Rs 3,39,000/-. In both these cases SBI is the Bank involved.

Additionally in both these cases, the SIM Card of the customers had been reported lost and replaced with false KYC information and hence the 2 F authentication based on OTP system as well as Mobile alert systems failed. The modus operandi indicates that the Phishing fraudsters have not only networked to be capable of opening false Bank accounts, they are now also networked to obtain duplicate SIM cards.

So far, Banks were being held liable for Phishing because of the failure of the security coupled with non compliance of RBI guidelines and ITA 2008 regarding authentication of transactions and KYC. Now failure of KYC at the mobile company has been added to list of omissions and brings the mobile service provider directly to face the liability along with the relevant Bank. 

While the victim can now blame both the Bank and the Mobile service provider for his loss and seek damages from both of them jointly and severally, the adjudicator may take a call on inter-se distribution of the loss between the Mobile service provider and the bank. In the absence of any better system it is likely that he may rule that they need to share the liability equally though it is possible that he may continue to place the primary blame on the bank and let the Bank proceed later against the Mobile service provider to recover a part or whole of the loss from them.

Under these circumstances it would be essential for the Mobile industry to estimate the extent of loss that may befall on them in the coming days on account of such frauds.

According to estimates based on the Norton study, the total Phishing losses in India in 2010 is estimated to be around Rs 6500 crores. If this is shared equally by the Mobile industry, the loss shared by Mobile industry would be around Rs 3250 crores. Now a company like Vodafone which is having around 20% share of the mobile market can therefore end up with a loss of around Rs 650 crores only on account of Phishing.

The finance managers of Mobile companies will now have to consider how they can absorb such losses. I feel that banks may not find it too difficult to absorb the losses but Mobile companies may go bust if they have to bear  such losses. Risk managers within the Mobile companies will now have to work overtime to address the issue of mitigating the losses with appropriate risk containing measures including ITA 2008 compliance so that they can effectively contain the Phishing losses to the Banking industry. The industry association of  Mobile Service Providers need to take a look into the effect of these cases on the industry.

Since the crisis is triggered by the RBI rule on OTP, it is possible that the Mobile providers will now gang up to bring pressure of some sort on RBI to protect them. RBI itself needs to now put a stop to all mobile banking initiatives until the system of KYC in mobile companies is rendered reliable.

I take this opportunity to bring these incidents to the notice of RBI and demand that a comprehensive review of all Mobile based authentication systems for Banking operations is undertaken. In the meantime RBI should inform all their Ombudsman to take note of such frauds and deal with customer complaints taking into account the possibilities indicated in such incidents.

Naavi

September 23, 2011