HSBC Bank sends goons to silence a
Security Professional
Feb 2: An ethical hacker from Bangalore who
decided to disclose an E Banking vulnerability has found that the bank
instead of correcting the vulnerability would like to silence him.
Unlike another Bank which sent a legal notice for defamation, it is
reported that HSBC Bank sent its recovery goons to his house when he was
not available and caused annoyance and threat to his family members. RBI
should take note of this illegal behavior of the Bank and conduct a
suitable investigation.
Advertisements cause denial of access
Feb 2: We are all aware that ads provide for the monetization of content sites and are therefore a good thing to have in support of the free Internet system. But of late advertisers are becoming greedy and want to usurp the content space. Just as sometimes on TV we find that serials exist for the ads and cricket matches are played for the ads, web content is also becoming secondary to ads. I am not speaking of "Parked" websites which are deliberately created for monetizing zero content. I refer to respected newspaper sites which are overwhelmed by "Pop Up Ads" and "Video Ads". The pop-up ads cover the entire page and prevent the visitor from viewing the content for which he visited the site. Besides, there is an increasing trend of video ads that gulp the user's bandwidth. It is also becoming increasingly common to disable closure of such ads, just as pornographic ads used to. I saw one such ad today on the Business World site at the URL
http://businessworld.in/businessworld/businessworld/content/SC-Quashes-122-Telecoms-Licences-Issued-2008.html-1.
The ad itself belonged to Microsoft. There are similar ads on other sites and by other advertisers. I consider this "Denial of Service" and "Diminishing the value or utility of information residing inside a computer resource", which are offences under ITA 2000/8. The advertiser as well as the publication will be responsible for such an offence. I wish respectable publications would ensure that ads remain in the side bar and pop out only on the user's request. Similarly, video ads should by default be in pause mode and the user should have the option to play them either in the allocated space or in full screen mode. See the ad here
Director CERT Clarifies
Feb 1: Director of CERT-IN, Mr Gulshan Rai, has clarified in an interview with Mint that the Government of India has so far not exercised its discretion in any case of website blocking but has only acted on Court orders.
Details
Indian Cyber Criminals are getting creative
January 31: Recently, an uneducated cyber criminal in Bangalore showed how he could lock the asterisk (*) key of ATMs of State Bank of Mysore and stop a customer's transaction midway to exploit it later. This was a technique as innovative as the "Lebanese loop" and was highly ingenious, as it just used the trick of sticking a broken matchstick in place to keep the key depressed. This "Match Stick Magic" was perhaps unique on a global scale.
Now yet another innovative technique seems to have
originated perhaps again from Bangalore which is challenging the
Nigerian Scams. This is a scam that has perhaps been inspired by a
famous Kannada TV serial by name "Mukta Mukta" and tries to lure
gullible investors into investing in films which have been stuck for
want of funds.
Copies of E mails received in the last two days are enclosed.
Recipients of the mail may end up losing a large chunk of money in one go if they respond to such e-mails. I wish somebody would check the mobile numbers available and let me know their experience.
Freedom of Expression on Internet..Gone..
January 30: The recent decision of Twitter to censor its contents based on the political masters' wishes in each country is an indication that commercial interests are always higher than democratic interests for these companies. The move of the Indian Government to arm-twist the major intermediaries is therefore expected to succeed in due course once the initial resistance wears off.
This article in Asian Age captures the status in India and highlights the dangers. What is objectionable in the perception of the Government officials is that content should be removed by the intermediary when the objection is lodged by the affected party. This is not acceptable. While the affected party can lodge a complaint with the intermediary, removal has to follow a due process. The due process should include suitable documentary evidence placed by the party, a process of examination through an ombudsman, a process of arbitration where the request is disputed, or a Court order as may be required on a case-to-case basis.
Recently Naavi.org has received a letter from an
advocate stating that in 2005 there was an article published in the site
in which a person's name was mentioned in a litigation. Now that he is
acquitted, the advocate wanted the name to be removed from the old
article. Naavi.org has started a process of enquiry and, to begin with, has asked the complainant for notarized copies of the judicial order relevant to the acquittal and an undertaking that no appeal is being filed. On receipt, the author of the article would be asked to provide his/her response and then a decision will be arrived at on how to deal with the objection.
"Faith of Bank Customers Eroded"
Jan 28: At a time when Banking frauds are ever on the increase and we have reached a stage where E Banking has destroyed the confidence of customers in the Indian Banking system, it is a breath of relief when we hear the words of RBI officials speaking on the information security status, stating "The implementation is not effective, capacity management plans are not robust, appropriate vendor exit strategies are not in place. The process of designing and development of awareness programmes for customers is not in place". These are the words of the Executive Director of RBI, Mr G Gopalakrishnan.
What is clear is that today RBI's guidelines are openly ignored and Banks have turned "Rogue Banks". Hence whatever RBI proposes remains on paper and fails during the implementation stage. The recent recommendations of the Gopalakrishna Working Group are the last hope for the revival of customer faith in Banks, since they cover the implementation also. However, the proof of the pudding is in the eating. The failure of RBI is in not imposing appropriate penalties when Banks fail to follow the RBI guidelines. As long as there is no strong deterrence mechanism, the Banks will continue to act in defiance.
Report 1
Report 2
Report 3
Copy of speech: Audio
Articles in naavi.org on GGWG
78 Adjudication Decisions ?
January 27: According to a
report in Deccan Chronicle, Bangalore, the Adjudicators of Karnataka
have so far provided 78 orders. This is for the first time that the news
has been released to the public and perhaps the orders were considered a
"State Secret" so far not to be seen by public. It is also notable that
out of these 78 decisions only the 77th decision is now on appeal with
the Cyber Appellate Tribunal and so far none of the orders were
contested.
Normally a situation such as this, where 76 orders were not appealed against, indicates a very high quality of orders. The report has not revealed details of the orders except the last two. It is for experts to reflect whether these two orders reflect the kind of quality expected of 76 unappealed decisions. If not, it would be interesting to see all these 76 orders to understand what they contained. This would be an interesting case study of how effective the system of Adjudication in the hands of IT Secretaries of the State Governments is.
When this system was introduced in 2003, Naavi.org
had pointed out that IT Secretaries who are responsible for the
development of IT in the State could face conflicts of interest when
dealing with the complaints against companies who work with the
Government on commercial deals. I have also queried from time to time
with Judicial Academies why they should not undertake IT training of
Judicial officers so that the Adjudicators can be appointed from out of
the Judicial community since lack of IT expertise in the judicial
community was the reason why DIT entrusted the responsibility with the
IT Secretaries in 2003 by way of a notification dated 25th March 2003.
Now that 78 cases are available in one single State
for a study, it would be worthwhile for some research student to conduct
a study of the Adjudication system and its effectiveness under IT
Secretaries and if a time has come for the Judicial Community to reclaim
this quasi judicial appointments either exclusively or as a two member
bench one of whom could continue to be the IT Secretary and the other
being a judicial member (A system already available at the CAT level).
Another aspect that needs to be considered is whether the jurisdiction of the IT Secretaries can be so worked out that, when there is an apparent conflict of interest, the complaint is handled by the IT Secretary of a neighbouring State.
The historical decisions of the Adjudicator of
Karnataka quoted in the article of Deccan Chronicle are expected to be
the beginning of a thinking about review of the Adjudication system
under ITA 2000/8...
Article in DC
What to Expect in a Judicial Order
January 27: After the
sensational order
of the Adjudicator of Karnataka reported in these columns which
reflected the status in India on how Judicial orders are written at this
level, it was a revelation to read a judicial order in the Field
Vs Google case of copyright infringement. The case was first filed in
2004 and judgment delivered in 2006 in the Nevada District Court, USA.
Such judgments stand out because of the efforts taken by the Judge to
understand various aspects of law in depth and to make a reasoned
argument before arriving at the decision. In fact such judgments are
like text books which students of law love to read. It is not necessary
that only the High Court or the Supreme Court has to give such detailed
orders which they often do. Other authorities may also learn from such
orders on how they have to be documented.
Copy of Judgement
Related Article
All Digital Certificates issued in India may
be invalid !!!
Jan 25: In an unusual development, an order
issued by the Adjudicator of Karnataka has created the effect that
all licenses issued for Certifying Authorities in India by the
Controller of Certifying Authorities will be rendered invalid. This
follows from an order in which the Adjudicator has interpreted that the word "Person" used in Section 43 of ITA 2008 means only a "Natural Person" and does not apply to a Company.
If this is true, then Controller of Certifying
Authorities would be wrong in issuing Certifying Authority license to
Corporate entities since according to section 2(g) Certifying Authority
means a "Person" who has been issued the license and therefore has to be
a natural person only.
The order is categorical that a "Company" can neither
seek remedy nor be accused under Section 43 of ITA 2008. With this no
Company can be accused of or seek relief under Section 66 for
unauthorized access also.
Hopefully this interpretation will be corrected in an appeal at the earliest. Until then, we are in a different dimension of Cyber Law in India... a historical milestone indeed!
Privacy Seminar in Mumbai to discuss Proposed
legislation
Jan 20: Privacy India in partnership with
Center for Internet Society and other organizations is organising a
conference on "Privacy matters" in Mumbai on 21st January 2011. The
conference will discuss the proposed Right to Privacy Bill which is
under consideration by the Government of India.
More information available here
Update 21/01/12:
Copy of Naavi's Presentation
Copy of new draft of Privacy Bill
A Report
Axis Bank Horror in Bangalore.. again
January 19: After the report of a Rs 39 lakh E Banking fraud in Axis Bank recently, another major E Banking fraud has been reported in Bangalore. As per the report of DNA, Bangalore, the fraudster was able to obtain a debit card through a forged letter, get even the address changed and withdraw Rs 15 lakhs from an unsuspecting lady. The incident reveals that the procedures adopted by the Bank are inadequate to meet the basic security requirements. The lady appears to be running around the Police for recovering the money, whereas she should perhaps have claimed the money from the Bank, which has acted on a forged signature.
DNA Report
Innovative ATM Fraud in Bangalore
January 18: It is reported that a school
dropout found an innovative way of committing frauds on SBM ATM machines
in Bangalore. The modus operandi was to partially disable the ATM by
inserting a match stick to depress the * key. When the customer entered
a transaction, it failed after the access was authenticated. While the
customer was trying another ATM, the fraudster noted the PIN and after
he left, removed the match stick and continued the transaction.
Report in DNA
Websites to go on Strike against Anti-Piracy
Legislation
Jan 18: In a historic development, several major websites are expected to observe a one-day shutdown to protest against the anti-piracy legislation proposed by the US Congress. The websites participating in the strike include Wikipedia, Reddit, Cheezburger, Boing Boing etc. It appears as if this is a fight between the Internet and Hollywood. The White House appears to support Silicon Valley in the controversy and, it being an election year in the US, the proposal is expected to be dropped for the time being. Seen against the background of developments in India, it appears that a serious confrontation may start between the Digital Society and the Physical Society, with Cyber Laws being at the center of the controversy. The problem has always been that Cyber Laws are being drafted not by Netizens but by Citizens. The laws are therefore biased in favour of Non-Netizens and hence frequent clashes between the two societies are likely to continue.
Related Article
China and Pakistan offer less Internet
Censorship than India !
January 14: The article in firstpost.com
reveals how the Censorship attempt on the Internet in India compares
with China and Pakistan. Surprisingly the statistics reveal that the
number of occasions the Indian Government asked Google to take down
pages for political criticism was much more than in China or Pakistan.
Detailed Article
How Do you React to a Sec 79 Notice if you
are an intermediary?
January 13: Ever since the Government of India summoned the major social networking companies, namely Google, Face Book and Yahoo, and demanded that they install a pre-publication manual monitoring system for content filtering, there has been considerable discussion about what is right, what is feasible, what is legal etc. regarding the "Due Diligence" required to be exercised by Intermediaries under Section 79 of the ITA 2008. Naavi therefore suggests the following plan of action for Intermediaries to deal with the situation....
More
Symantec Accused of using "Scareware"
Jan 12: A resident of Washington has filed a class action suit against Symantec, accusing it that some of the security software marketed by Symantec as Norton Utilities is actually "Scareware". Typically, "Scareware" promises to identify and remove security threats for free. When the consumer tries the software, it presents several computer errors as existing in the computer which cannot be removed by the free version and suggests that the consumer buy the registered version. According to the complainant, the threats shown by the software were non-existent, as revealed by a forensic investigation, and the software was designed to show errors even when none exist. It is regrettable that even a reputed security company like Symantec should use such anti-consumer tactics. For the record, it may be said that Symantec has denied the charge.
Related Article
Game Over
Jan 10: Yes, it appears to be "Game Over" for the current generation of authentication systems used by Banks. A new variant of the famous Zeus virus has been reported by the FBI, which warns: "The malware is appropriately called “Gameover” because once it’s on your computer, it can steal usernames and passwords and defeat common methods of user authentication employed by financial institutions. And once the crooks get into your bank account, it’s definitely “game over.”"
Related Article
Safety in Banking is our Right
Jan 10: Bank customers in India have reached a situation where they have to appeal to RBI to protect their right to safe banking. The recent threats to Internet Banking have made the current system of Internet Banking completely unacceptable. We need a totally new security system for Internet Banking that provides the customer the comfort that his money cannot be stolen with the use of trojans like SpyEye. The SpyEye threat is worrying because it is capable of not only stealing the customer's money but also fooling him with a fake web page, making him think that "All is Well". As a result the fraud goes undetected for some time, until the customer contacts the bank physically or through means other than Internet Banking.
Related articles: TOI, PCWORLD
It is not as if technology cannot find a solution to
SpyEye problem. But effort and investment by Banks are needed in
this direction. I am aware that certain suggestions by security
professionals have been rejected by some banks because of profitability
considerations. It is however time for us to remind RBI that
"Profitability" cannot be the barometer for compromises on "Security".
An "Insecure Banking" is no "Banking". The current Banking licenses
should be deemed to be inoperative if security is compromised either
because of technology or otherwise.
Some Bankers are living in a fool's paradise, believing that the OTP system will guard them, but they will realize that this is not exactly a wise thought. I hope soon some enterprising hacker or a security professional will demonstrate that even the OTP system is vulnerable to malicious attacks.
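As an added illustration of why a plain OTP does not stop a man-in-the-browser trojan of the SpyEye kind, while a code bound to the transaction details can, here is a toy Python model. This is not code from this page, from naavi.org or from any bank: the shared secret, account numbers, amounts and counter are constructed for the demonstration, and the transaction-binding scheme shown is a general technique (often called transaction signing) that the page itself does not describe.

```python
"""
Plain OTP versus transaction-bound code under a man-in-the-browser trojan.

Added illustration only; not code from naavi.org or from any bank.
Toy model (an assumption for the example): the customer holds an out-of-band
device that shares a secret with the bank and displays the payee and amount
before producing a code. A plain OTP proves only that the customer is present;
a transaction-bound code also commits to what the customer saw, so a trojan that
silently rewrites the payee and amount on the way to the bank cannot reuse it.
"""
import hashlib
import hmac

# Constructed per-customer shared secret (a real scheme provisions one per device).
SHARED_SECRET = b"constructed-demo-secret-not-real"


def _truncate(mac: bytes) -> str:
    """Reduce a MAC to a six-digit code (HOTP-style truncation)."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """Event-based OTP: depends only on the secret and a counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac)


def transaction_code(secret: bytes, counter: int, payee: str, amount_paise: int) -> str:
    """Transaction-bound code: commits to the payee and amount as well."""
    msg = (counter.to_bytes(8, "big")
           + payee.encode("utf-8") + b"|"
           + amount_paise.to_bytes(8, "big"))
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return _truncate(mac)


def bank_accepts(scheme: str, counter: int, code: str, payee: str, amount_paise: int) -> bool:
    """Bank-side check, computed over the transaction the bank actually received."""
    if scheme == "plain":
        expected = plain_otp(SHARED_SECRET, counter)
    elif scheme == "bound":
        expected = transaction_code(SHARED_SECRET, counter, payee, amount_paise)
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return hmac.compare_digest(code, expected)


def simulate(scheme: str, trojan_present: bool) -> bool:
    """
    The customer intends one transfer. If a trojan is present it rewrites the
    payee and amount before the request reaches the bank, while the customer's
    screen (and device) still show the intended transfer. Returns whether the
    bank accepted the transaction it received.
    """
    counter = 7  # constructed event counter
    intended = ("GROCER-ACCT-0001", 150_000)   # Rs 1,500.00 (constructed)
    rewritten = ("MULE-ACCT-9999", 5_000_000)  # Rs 50,000.00 (constructed)

    # The customer's device only ever sees the intended transaction.
    if scheme == "plain":
        code = plain_otp(SHARED_SECRET, counter)
    else:
        code = transaction_code(SHARED_SECRET, counter, *intended)

    submitted = rewritten if trojan_present else intended
    return bank_accepts(scheme, counter, code, *submitted)


if __name__ == "__main__":
    for scheme in ("plain", "bound"):
        honest = simulate(scheme, trojan_present=False)
        fraud = simulate(scheme, trojan_present=True)
        print(f"{scheme:>5}: honest accepted={honest}, rewritten accepted={fraud}")
```

The "bound" scheme only helps when the payee and amount are shown to the customer over a channel the trojan cannot alter and the code is computed over those displayed values; an OTP sent by SMS to a phone that is itself compromised, or a token that never displays transaction details, behaves exactly like the "plain" case here.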
ICICI Bank leads in Banking Frauds
Jan 09: In an alarming revelation from an RTI application, DNA has reported that ICICI Bank alone accounted for almost half of the frauds reported to the RBI. Of the 5,319 cases reported in the current financial year (till September) by 29 private banks, a whopping 3,304 were from ICICI. Similarly, in 2010-11, ICICI reported 10,684 of the total 19,845 cases. The second highest number of cases was reported by HSBC, at 2,383 for the same period. CBI should immediately start an investigation across the Bank to find out if there is any involvement of Bank staff in these frauds. Simultaneously, RBI also has to initiate appropriate action to protect the Indian Banking system... More
Airtel resisting Port Out requests from
Customers
Jan 08: Airtel appears to be using unfair tactics to refuse Port-Out requests from customers. Normally port-out requests should be confirmed immediately. But Airtel customers have reported multiple cases, including some where Airtel has tried to refuse port-out requests for unstated reasons. Perhaps TRAI needs to look into this issue.
Mumbai is No 1 in Bank Frauds
Jan 08: In interesting information obtained by DNA through an RTI application, it has been revealed that Mumbai has been the city where the largest number of Bank fraud cases have been reported in the last 5 years. According to the report, the total loss in Mumbai was Rs 1882 crores from 4099 reported cases. In New Delhi for the same period 1326 cases were reported with a loss of Rs 921 crores. Chennai reported 1110 cases with a loss of Rs 484 crores and Kolkata reported 1021 cases with a loss of Rs 548 crores. Bangalore reported 1006 cases with a loss of Rs 815 crores. Out of this, during the financial year 2010-11 alone, Mumbai and Delhi reported 787 and 335 cases with losses of Rs 1049 crores and Rs 335 crores respectively. It is not clear if Banks are making adequate provisions in their balance sheets to cover such losses. According to Symantec, the loss was estimated at a much higher level of around Rs 6500 crores for the entire country. RBI needs to take some special measures to protect Bank customers from this E-Banking loot.
Detailed article
The never ending Cyber Chase
Jan08: An article in The Hindu of 8th January
2011 on Fraud risks in E Banking.
The article
What is the reaction of RBI for this?
Jan 08: At the instance of aggressive banks, RBI is promoting Mobile Banking in India. Internet Banking itself is yet to meet the basic security requirements of Banking and hence it is difficult to understand the need for this new technology thrust. Here is an example of an application (Refer: http://spoofapp.com/) that is meant to spoof Caller IDs and also change the voice. The sales pitch for the application is "Protect your Privacy". However, such tools are more useful for breaching the privacy of others than for protecting privacy. They are extremely dangerous for the security of Mobile Banking. Until a solution is found to ensure that such applications do not endanger Mobile Banking transactions, RBI should refrain from introducing Mobile Banking in India. At the same time, since Internet Banking is also dependent on mobiles for OTP, the risk of mobile spoofing places the entire Banking system in India at risk. Naavi.org has drawn the attention of RBI several times to this technology risk. At some point in future, Courts may have opportunities to question the role of RBI in securing E Banking in India, and the fact that the risks have been brought to the attention of RBI will be a matter which may also determine the vicarious liabilities of individual officers who have neglected these early warnings. (P.S: According to one security professional, this particular application may be a malicious application. There are similar applications which have been demonstrated by different professionals, even in public, in the past. Non-specialists should not try out such applications out of curiosity since they may cause harm in the form of excess billing or otherwise. Using such an application is a crime. Naavi)
Amendments to Consumer Protection Act
Jan 08: Amongst the amendments proposed to the Consumer Protection Act in the bill presented in Parliament is a provision for submission of applications in electronic form. As Naavi has been advocating in the past, by virtue of Section 4 of ITA 2000, even without this amendment it should be possible for the forum to accept electronic applications. However, the amendment will remove any doubts in this regard and it is therefore welcome. Many of the tribunals and forums which have been given the freedom to devise their own procedures and are not bound by the Civil Procedure Code have been following the practice of asking the complainant to submit affidavits in support of the contents of the application. Since such affidavits need to be stamped, this impedes the online submission process. Wherever online submissions are permitted, it is necessary for the Court officers to clarify that a "Digitally Signed" complaint is enough for the Court to take cognizance of the application, and they should stop the practice of insisting on affidavits. Even where an advocate is representing a litigant, the advocate can also be permitted to send his submissions as a digitally signed document. ITA 2008 allows both the Adjudicator and the Cyber Appellate Tribunal not only to receive submissions online but also to conduct the entire hearing online. Detailed rules for the online process are yet to be developed. I request the Cyber Appellate Tribunal to take the necessary steps to design the procedures for online submission of appeals and other documents and start a new trend in the Indian judiciary. This will also be a guideline for those who may have to frame the rules under the Consumer Protection Act when the amendments are passed.
Internet Censorship in India
Jan07: Blocking of websites in India has been
in news for some time. The fact that this power is being politically
misused is confirmed by
the incident where the website of a political
cartoonist, Mr Aseem Trivedi participating in the Anna Hazare protest in
MMRDA grounds has been blocked.
TOI has reported that the cartoon site of Aseem Trivedi was blocked
by blocking the domain name cartoonsagainstcorruption.com.
The uniqueness of this blocking incident has been
that it is not an ISP level blocking but a blocking at the domain name
level by a notice to the domain name registrar BigRock. Also the site
has been removed not by a Court order but by Police action. While
the cartoon site has reportedly been now
moved to another host, the
incident creates a precedent of far reaching consequences though
in a wrong context.
It is to be noted that blocking an objectionable
content is different from forcing cancellation of a domain name. Domain
Name is a "Virtual Property" and what Mumbai Police have done in this
case is "Depriving a Citizen of his Right to Property". This is
violation of his fundamental right. The action needs to be reviewed.
The domain name registrar BigRock.in should also be
questioned on the propriety of their action without even giving an
opportunity for the domain owner to defend. It amounts to deficiency of
service on their part.
This incident is therefore to be considered as a
serious threat to democratic principles. I hope some action to question
the legality of the action of the Mumbai Police and BigRock would be
undertaken by some public spirited persons in Mumbai.
Related article in Sunday Guardian
150 HITECH Act audits to be conducted in 2012
Jan 06: The Office for Civil Rights has announced that it is likely to conduct around 150 audits under the HIPAA-HITECH Act before Dec 2012. OCR will audit as wide a range of types and sizes of covered entities as possible; covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses may all be considered for an audit. Business Associates will be included in future audits.
Patient Data posted in Facebook for fun
Jan 05: An employee of a staffing agency in California is reported to have posted a patient's information from Providence Holy Cross Medical Center in Mission Hills, California. It is said that the person defended his action by stating that "People, it's just Facebook. Not reality. Hello? Again ... it's just a name out of millions and millions of names. If some people can't appreciate my humor then tough. And if you don't like it, too bad, because it's my wall and I'll post what I want to." The case raises several issues of HIPAA violation, Social Media policy and the behaviour of persons on social media, besides human ethics. Firstly, there is a privacy breach, which is a HIPAA violation. Whether there was a BA contract with the staffing company and whether the employees were adequately trained are other HIPAA compliance issues for both the hospital and the BA. Whether the Face Book wall belongs to the user, so that he can do what he wants with it, is another question. Another grey area is whether this remains a civil wrong only or will constitute a "Criminal Offence", since the person claims that he did not have any malicious intention and the posting was only in jest. All in all, an interesting legal case worth discussing in detail.
Related Article
New Transactions and Code Sets for HIPAA
Jan 05: From January 01, 2012, the new HIPAA transaction standards and code sets based on X12 Version 5010 and NCPDP Version D.0 have become effective.
Related information
New Member Judicial appointed for CAT
January 04: After 6 months of waiting, the Cyber Appellate Tribunal has become active once again with the appointment of Justice S.K. Krishnan as "Member (Judicial)". He has assumed office from 23rd December 2011. It is expected that Justice Krishnan may be designated as the "Chairperson" so that he can independently conduct the sittings of the Tribunal.
Beware of mobile calls from +224...
January 04: It has been reported that there is a mobile scam in operation in India which may cost unwary consumers dearly. The modus operandi is that calls will be received from numbers such as +22455200981 and +22455104370. At first glance these appear to come from Mumbai. If you do not pick up the call, treat it as a missed call and return the call, you may be charged Rs 50 per minute. If you pick up the call at the first ring, you are likely to be told something such as "we need your IMEI number and are authorized by DoT to collect it", "free handset giveaway from Micromax" etc. It appears that we should refrain from returning any missed call unless we know the caller.
E Banking is Not "Safe Banking"
Jan 2: The recent revelations from the website http://www.yashks.com/ of how ICICI Bank's net banking facility is vulnerable have shaken the confidence of the public in the Indian Banking System. Additionally, the increasing number of ATM card cloning and Credit Card cloning cases has made it impossible for customers of Banks to sleep peacefully if they hold an ATM Card, a Credit Card or Internet Banking. Unfortunately, though RBI has provided good guidelines to protect consumer interests, Banks are completely ignoring such guidelines and challenging the customers to go for litigation. The Indian legal system being what it is, the advantage always lies with the Banks, which have deep pockets to stretch litigation until the customer finds it impossible to continue.
Under these circumstances it is clear that E Banking in India will never be as safe as is envisaged under the Banking license. It will be a game of chance for customers: if they are lucky, they will not be hurt by E-Banking frauds in their lifetime. I therefore request RBI to delink E Banking services from the Banking license and let Banks operate E Banking only as an E Business under an NBFC license. Then the public will know that they cannot expect the same level of security as they expect in traditional Banking. However, in such cases Banks should not call it a "Banking service" and no privileges that are normally available to a "Bank" should be made available to those Banks. This E Business of "E Money Transactions" should be thrown open to non-banking institutions, which may be able to provide better security than the Banks, who misuse the trust they enjoy from being a traditional banker to provide deficient E-Banking services.
A public debate on this "Banking Reform" is perhaps the need of the hour.
New Year
Begins with a warning
Jan 1: Home-based activities that generate income are of interest to many and, on the eve of a New Year, are more palatable than at other times as an opening for a "New Beginning". However, the Internet has become so untrustworthy these days that any such news has to be taken with a bucketful of salt... Here is an example of one such item, which all readers must take note of.
Death of QR Code!
Dec 31: In recent days the QR Code had emerged as a convenient tool on mobile devices for transferring information from a printed code picture to data on the mobile. Unfortunately the QR Code seems to be heading for a premature death, since hackers have found it an easy tool to spread malware. It may no longer be wise to use the QR Code scanner on the phone to scan any Code. Naavi.org will also remove the QR Code from its contact form to avoid any problems arising in future.
Related Article
HIPAA Audit is a Business Threat!
Dec 26: A recent survey in the USA about patient data breaches has come out with interesting results. Firstly, 96% of the respondents reported some data breach within the last two years, which is an alarming situation. 41% resulted from employee negligence. About 43% of the breaches were identified during an audit, making it a dreaded business risk for most organizations.
More details
One More ITA 2008 Case against Face Book
Dec 25: An FIR has been registered against
Face Book under Section 66A of ITA 2008 for defaming Hindu Gods and
asking for burning of Bhagvadgita in Gomti Nagar, Lucknow.
Report
Cyber Law to enter BBM Curriculum
Dec 25: The Forum of Business Management Teachers,
in a workshop at Mangalore, decided to make Cyber Law a part of the
curriculum for BBM. The addition of Cyber Law to the Management
curriculum was long overdue, since any business today is inseparable
from E Business.
Details
Blocking of Websites by Reliance
Dec 24: It has been reported that Reliance has
blocked a host of websites providing file hosting services on the
pretext of possible copyright infringement of the Don 2 movie released this
week. Though a Court order is cited, it is unclear whether the
implementation is as per the order and whether there was reasonable
ground for such blocking. It is unfortunate that ISPs are irresponsibly
resorting to website blocking. They need to realize that
if their action is found not to be backed by an appropriate Court order,
they will be liable for punishment for wrongful interception.
Related Report
Social Networking Sites.. questioned by Delhi
High Court
Dec 24: 21 executives of different Social
Networking sites were summoned by the Delhi High Court in connection with a
complaint filed by a journalist, Mr Vinay Rai. Mr Rai is the editor of an
Urdu daily, Akbari. It is alleged that You Tube, Face Book and Google,
amongst others, have hosted content which is objectionable from an obscenity
and religious view point, and accordingly they have been asked to remove
the content before February 6, 2012.
Report
Where is Internet Banking safety in India heading?
Recently, a security specialist in Bangalore released
a video in which he demonstrated how the Internet Banking System of
ICICI Bank was vulnerable to a virus attack....The revelation of the
security vulnerability in the system of ICICI Bank is also to be
considered as a notice not only to ICICI Bank but also to all other
Banks which may have similar problems....More
Naavi gets the ID "Naavi" on Face Book
Dec 22: Over the last few months, I was
corresponding with Face Book for release of the short ID "Naavi", which
had been registered by some other user. Once the name was released, but
before it could be re-booked by me, it was booked once again by another
person. Finally the name was released by the second person and,
after a waiting period, it became available again to me and has been
registered. Now
http://www.facebook.com/naavi points to my Face Book account. This was
made possible because the current user agreed to my request and
voluntarily changed his ID from "naavi".
However the fact remains that "Naavi" is a
registered trademark and, as per the terms and conditions of Face Book,
it was the responsibility of Face Book management to ensure that the ID
was withdrawn from the earlier person who had registered it and handed
over to me when I demanded. Face Book failed in discharging this
responsibility.
In the recent controversy between Face Book and Mr
Kapil Sibal, Face Book had publicly stated that if any user is violating
the terms of agreement, they would take action to correct it. However, it
may be taken on record that in this case involving the claim on the
short ID "naavi", Face Book failed to keep its word.
Its commitment given to Mr Kapil Sibal is therefore not truthful.
ICICI Bank Picks a fight with a Security
Consultant
Dec 21: ICICI Bank is touchy when somebody
questions the security of its E Banking systems. Recently a security
professional, Mr K.S.Yash from Bangalore,
highlighted a vulnerability that existed in the ICICI Bank Internet
Banking system by posting a video of a demo. The demo showed how a
user of the ICICI Bank system may place a fund transfer order for a certain
amount through the Bank's Internet Banking website and end up executing
a fund transfer of a different amount to a different beneficiary. The
demo was a video of a live session and clearly demonstrated the
existence of the vulnerability. Instead of taking steps to rectify the
security loophole, ICICI Bank appears to have sent a notice to the
security consultant threatening legal action.
ICICI Bank claims that the video contains false
information, meaning that the vulnerability does not exist. However, the
undersigned has also seen the demo live, and the fact that the
vulnerability exists cannot be denied. What should be done by the Bank
is important. The Bank should thank the consultant for having brought the
security weakness to its notice before real hackers get into
the act using the same or a different methodology. The consultant has not
given any source code for exploiting the vulnerability, and
therefore it is difficult to understand why the Bank should object to
what is essentially a security alert.
It would be interesting if ICICI Bank accepted a
public debate on the security vulnerability shown by the consultant
rather than throwing up threats of legal action.
Mobile Dealers Targeted by Hackers.. Are the MSPs
at fault?
Dec 20: In a TV program on mobile hacking on
Suvarna News yesterday, it was revealed that a mobile dealer in
Channapatna (a town about 60 kms from Bangalore) had suffered a loss of
Rs 15000/- through mobile hacking. The dealer had several demo mobiles
given by service providers, which had a specific application to store
recharge stock. He received a call stating that he would be getting a
bonus recharge from the service provider and that it would reflect in his
account after he kept his mobile switched off for about 5 minutes. The
request to keep the phone switched off serves to keep the dealer from
seeing any alert while the stock is drained.
When the dealer switched on the mobile again, he saw that instead of an
additional amount in his account, the available amount had been
drawn out in the form of recharges to different mobiles at different
places. According to the dealer, 12-15 such cases have been reported in
Channapatna itself over the last 6 months, indicating the extent of such
frauds across the country. The beneficiaries of this fraud are
indirectly the mobile companies themselves, since whether the amount was
used by a fraudster or anybody else, they have got their value. This
also gives room to speculate that the mobile companies may be hand in
glove with the fraudsters in such frauds to improve their turnover. Link
to Suvarna News Program broadcast (in Kannada) on 19th December 2011 :
Part 1 Part 2.
Part3
How Much have Indian Banks lost due to Phishing?
Dec 20: It is always a tough task to get
information about losses on account of frauds in Banks. By tradition,
Banks are permitted to hide the actual details of losses on account
of "Bad Debts" by making a "Provision" and reporting "Debts less
provisions" in the balance sheet. No such protection exists in
respect of "Losses on account of Crimes in Banks", yet Indian Banks
have no proper system of reporting such losses in their Balance sheets.
According to RSA, the estimate of Phishing losses in India in 2011 is of
the order of US Dollars 27.8 million (approximately Rs 140 crores). (See
report) However, earlier estimates by other agencies are of the order
of at least Rs 1200 crores. Hence there appears to be a gross
under-estimation of the losses.
In a recent speech to the Chartered
Accountants, Dr Subbarao, Governor of RBI, also pointed out that the
reported financial statements of Banks were not truthful. (Copy
of speech). It is high time the Chartered Accountants Association of
India reviews the current Bank audit system and ensures that "Estimated
Losses on Frauds" are not suppressed under "Provisions".
More details of the RSA report are available here:
Copy of RSA Online Fraud Report
Ten Commandments of Banking
Dec 20: Dr K.C.Chakravarthy, Deputy Governor,
RBI, has reminded Bankers that "Thou shalt manage the people with
empathy". In a commendable speech delivered at the Manipal Academy,
Bangalore, he reminded Bankers that an "essential
characteristic of Banks is that they are highly leveraged and, hence,
special and need to be regulated for protecting the interest of
depositors." Of late Bankers have become so commercialized in their
approach that they are even ignoring the regulatory role of RBI. The
"Ten Commandments" that Dr Chakravarthy has laid out should be an
eye-opener to current day Bankers, who are more IT operators than
bankers. The complete speech is worth putting into text books on Banking
and is
available here.
Courts to use Website to communicate orders
Dec 19: In a confidential report submitted by
NIC to the Mumbai High Court, it has been suggested that the High Court may
use digitally signed e-mails for communicating its orders to the lower
courts. However, since this may take some time, it has been suggested that the
High Court may in the meantime upload its orders to its website,
to be picked up by the other Courts....
Report in HT
2012 security threat predictions for Mobiles
Dec 19: "Mobile pick pocketing" is on the
increase and is estimated to have cost Rs 5 crores in 2011 to Android
users. In 2012 there could be an increase in Bluetooth viruses,
application based malware, and the spread of viruses through text and MMS
messages which could try to steal money from your account. Such malware
could make free calls billed to your number, steal data, send out spam
messages and premium SMS messages, download paid games etc. Since a
"mobile" is an always-on device, it has the potential to be used as a
botnet component. These threats, along with the threat of SIM card
cloning, have to be considered by users of mobiles and in particular
users of smart phones. In particular, users should be circumspect about
applications and games downloaded from untrusted sources. As with
computers, it is too risky to own a smart phone without a good anti-virus
application from a reliable source.
Related Story
Banks seek dilution of Damodaran Committee Report
Dec 19: The M.Damodaran Committee on Customer
Services gave its recommendations on Customer Service in Banks on 3rd
August 2011. The report contained several important customer
oriented suggestions. However, RBI is yet to finalize its view on the
report. It is learnt that some Banks are lobbying with RBI for a
massive dilution of the recommendations so that Banks can escape
liability arising out of their negligence. In the interest of
customers, we hope RBI will resist this industry pressure.
Related Report1
Related Report2 :
Related Report3
Cyber Crimes on the rise..but
Dec 19: An article in livemint on current
status of Cyber Crime statistics in India.
Article
US Legalizes Cyber War
Dec 18: The US has taken an important step by passing
a law to legalize Cyber war operations, by which an offensive attack from
the US on the Cyber Space of other sovereign countries may now be legitimate
in US law. The new law stipulates that the U.S. military is now authorized to
make war via the Internet and that all the rules that apply to conventional
war also apply to Cyber War. This development also underscores the need
for more indigenization of software and hardware IT supplies to India,
since we cannot trust either China or the US, both of whom may supply
software/hardware deliberately embedded with backdoors...Related
Article : A
draft
Internet Censorship through backdoor?
Dec 18: According to privacy legislation
observers in India, the amendments to the Copyright Act presently pending
before Parliament could be used as an instrument of backdoor
censorship. The concept of "Self Regulation" that the Government
proposes is considered a facade to cover the imposition of the
Government's intention to regulate the content of the Internet to
protect the Government against public criticism.
Related Article
DIT Guidelines on Social Media
Dec 17: In continuation of the earlier post on
this subject, a perusal of the draft guidelines issued by
the Government on the use of Social media by Government departments
shows the following two paragraphs.
"Since profiles on social network are linked more
often to individuals and not organizations, for organization's
site/page, a separate work profile may be created which can then be
linked to a general e-mail address that is accessible to anyone in the
team, enabling them to administer the social networks without
compromising on individual privacy."
"Each new account requires a URL, user name and/or email address and a
password. A proper record of log in ids and password must be maintained.
This is critical as multiple people may be authorised to post on behalf
of the department".
I think the report in ET is an interpretation of the above two
paragraphs.
This apart, the idea of Government departments using Face Book etc. in the
manner suggested is not a desirable proposition, and the issue of the
draft guideline will be regretted at some point of time in the future. ..Copy
of the draft guideline
Password Sharing to be legalized by Indian
Government?
Dec 16: A report in the Economic Times today
suggests that the Government of India is thinking of a code by which
Government employees would use Facebook. One interesting aspect of this
code is reported to be that "the password of the account would be known
to others in the department". It is difficult to understand what the
Government is up to. If "passwords" are officially meant to be "shared",
the sanctity of the access system based on passwords would be officially
destroyed: no action on the account could then be attributed to one
individual.
Report in ET
Bring Your Own Devices Opens up Security Concerns
Dec 16: A survey conducted by ISACA on the
concept of Bring Your Own Device (BYOD) has highlighted the new
threat perceptions arising out of employee ownership of the devices.
There is no doubt that certain sections of the industry favour the idea
of employees bringing their own access devices to their place of work.
This may be both economical and convenient. However, security is built
neither on convenience nor on economy, though they do affect the final
outcome of security implementation. If the concept is to be given any
consideration, the data security and access authentication systems as
well as the real time security monitoring systems need to undergo
substantial modification. Rushing the concept of BYOD at the current
stage is likely to result in a huge legal risk for all organizations.
Related Article
Seven Most Significant Hacks of 2011
Dec 16: Here is a compilation of seven most
significant hacking events worldwide compiled by a security observer.
Report
First Adjudication Application filed in Kolkata
Dec 15: The first adjudication application under
ITA 2008 has been filed in West Bengal. The application has been filed
by Mr R Gopi in respect of a loss of Rs 339,000/- suffered by a customer
of State Bank of India through unauthorized access to his Internet
Banking account. This was a typical case where the RBI-mandated OTP system
failed because the fraudster had the customer's original SIM card
disabled by obtaining a duplicate SIM card with false documents, and
used it to receive the OTP and complete the fraud. The mobile service
provider involved was Vodafone. The adjudication application names SBI
and Vodafone as respondents along with executives of both SBI and Vodafone.
IP address Details from Gmail
Dec 10: Often the holder of a gmail account
needs to know the IP address from which his account has been accessed. This
need is greater, and critical, when gmail services are
being used for business and multiple access accounts are created.
Presently gmail provides information about the last 10 accesses as a
security routine. However, if information is required beyond the last 10
accesses, the position is unclear. There is a wrong interpretation
that such a requirement can be met only with a Court order. But this is
legally untenable. It is the right of every data owner to request and
be provided information about himself from the data processor
without the need for court intervention. A Court order is required only if a
person wants information about somebody else. This is of course a matter
which should be part of the terms and conditions and privacy policy, and
Google may be interested in restricting the right to some extent. But
it is high time Google clarifies and introduces appropriate measures to
disclose the account holder's information when required.
High Profile Cyber Crime Cases-2011
Dec 8: Here is an interesting article on some
of the successful Cyber Crime investigations that occurred during 2011.
..The
Most Notorious Cyber Crooks of 2011 – And How They Got Caught
Aadhar Project may be discontinued?
Dec 8: It is reported that the Parliamentary
committee has rejected the UID Bill, and consequently the Aadhar project
in its present form may have to be kept in abeyance until a new Bill is
drafted and passed. ..Related
Report
Now I understand why CAT Chairman has not been
appointed
Dec 08: The post of chairman of the Cyber
Appellate Tribunal has remained vacant for the last six months. Despite
repeated reminders at several levels, no action has been taken by DIT.
Now that we know that the ministry has to scan the Internet for
"political criticism" and identify content indulging in criticism of the
Government or the Congress leaders, they do not have time for anything
else. It is to be noted that during the first half of 2011, only one
item of content was found objectionable on Google on grounds of "National
Security" while 255 items were found objectionable for political
expediency.
Related Article
Government Criticism muzzled
Dec 08: According to this report in The Hindu,
during the first half of 2011 the Indian Government sought to remove 255
items classified as "Government Criticism" from Google content.
Additionally, 39 items were sought to be removed on grounds of
defamation, 20 due to privacy and security concerns, 14 due to
impersonation, three for pornography and one for national security
reasons. This shows that the Government machinery in DIT is working
only to serve the political masters and not to serve the people.
Related Article
The report also says that Google refused to remove
the content related to Government criticism, and the news now is that the
Income Tax department is making some demands on Google. It is not clear
if the two are related. But knowing how this UPA Government is
targeting the Anna Hazare group, a link between the two incidents cannot be
ruled out.
Related Article
CNet Download.com bundles adware
Dec 08: Security observers always say that
"Nothing comes free on the Internet" and warn users of "Free Downloads"
with attached trojans. Normally people expect that reputed download
sites do not resort to the unethical practice of bundling
adware/spyware/malware with genuine free installations. It has now been
exposed that CNet, which runs download.com, installs several adware
programs with its free installations.
Report :
Apology from CNET
Mr Kapil Sibal should think of taking action on such
misuse of public trust by intermediaries rather than think of using
Internet censorship to curb Anna Hazare or to muzzle political
opposition.
Social Media Censorship in India
Dec 6: In a surprising announcement, the
Union Minister of IT, who has not found time in the last 6 months to appoint
a chairperson for CAT, found time to criticize social media and ask them
to set up human pre-publication scrutiny of content. The suggestion is
highly impractical, besides being undesirable and unnecessary. There is
already a law to deal with objectionable content, and the current attempt
is either to be treated as an attempt to bring in a new censorship law or
to act ultra vires the law. It is speculated that the announcement was
triggered by some criticism of the Congress leaders on Face Book or,
more probably, is a preparation for preventing the use of Social
Media in the next stage of the Anna Hazare Campaign. As usual, this
could be another mistake which the Congress may regret.
Related Article :
Assocham Opposes proposal
How weak Internet Banking systems pose a threat to
customers
Dec 3: Internet Banking has been a nightmare
for innocent customers who constantly live in fear of Phishing
frauds. Though RBI has brought in several regulations in favour of
customers, intransigent bankers continue to place customers at risk.
Though the law is in favour of customers being compensated by Banks in such
cases, and Naavi himself is in the forefront of some of these
fights, the delay and cost of pursuing litigation continue to be a
cause of worry. With GOI being completely oblivious to the need to
appoint a presiding officer to CAT in place of the previous
incumbent who retired, victims have been made to wait endlessly while
the Banks enjoy the funds of the customers.
In such a scenario, here is a video of how a "Man
in the Middle Attack" can divert banking transactions to fraudsters: the
customer places one transfer and a different one, to a different
beneficiary, is the one executed, as in the ICICI Bank demo noted above
(Dec 21). It is high time Bankers and RBI take note of these technical
risks and ensure that adequate security is provided to customers.
See the Youtube Video here
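The ICICI Bank demo (Dec 21) and this "Man in the Middle" video describe the same failure: the customer confirms one transfer and the Bank executes another. The SBI adjudication case (Dec 15) describes the complementary failure, an OTP delivered by SMS to a SIM that no longer belongs to the customer. What follows is an added example, written for this page and not taken from any bank, from the consultant's demo or from RBI's guidelines, of the two server-side checks a practitioner would want against both: an OTP computed over the exact transaction fields, so that a transfer altered after the OTP was issued no longer verifies, and a refusal to trust the SMS channel for a fixed period after the registered number's SIM was replaced. The server key, the 24-hour cool-down, the field names and the sample transactions are all assumptions made for the illustration; the weak session-only OTP is included for contrast.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Assumed per-deployment server secret, generated here so the example runs offline.
SERVER_KEY = secrets.token_bytes(32)

# Assumed policy: SMS is not trusted for OTP delivery within this window after a SIM replacement.
SIM_CHANGE_COOLDOWN = timedelta(hours=24)


def canonical(txn):
    """Fixed field order and integer paise, so the same transfer always gives the same MAC input."""
    return "|".join([
        txn["from_account"],
        txn["beneficiary"],
        str(int(txn["amount_paise"])),
        txn["nonce"],  # per-transaction nonce: the same transfer placed twice gets different codes
    ]).encode()


def _truncate(digest):
    """RFC 4226 style dynamic truncation of a MAC to a 6-digit code."""
    offset = digest[-1] & 0x0F
    code = (int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF) % 10 ** 6
    return f"{code:06d}"


def transaction_otp(key, txn):
    """OTP bound to every field of the transfer. Changing the beneficiary or the amount
    after the code was issued changes the expected code, so a tampered submission fails."""
    return _truncate(hmac.new(key, canonical(txn), hashlib.sha256).digest())


def session_otp(key, nonce):
    """The weak form for comparison: a code bound only to the session nonce. It verifies for
    any transfer submitted in that session, including one rewritten in the customer's browser."""
    return _truncate(hmac.new(key, nonce.encode(), hashlib.sha256).digest())


def sms_channel_trusted(sim_changed_at, now):
    """False while the registered number's SIM was replaced inside the cool-down window.
    sim_changed_at is None when the operator reports no recent change."""
    return sim_changed_at is None or now - sim_changed_at >= SIM_CHANGE_COOLDOWN


def authorise(key, submitted_txn, otp, sim_changed_at, now):
    """Server-side decision on the transfer as actually received.
    'sms-untrusted': recent SIM change, an SMS OTP must not be relied on (use another channel);
    'otp-mismatch' : the submitted transfer is not the one the OTP was issued for;
    'ok'           : proceed."""
    if not sms_channel_trusted(sim_changed_at, now):
        return "sms-untrusted"
    if not hmac.compare_digest(transaction_otp(key, submitted_txn), otp):
        return "otp-mismatch"
    return "ok"


def demo():
    """Constructed scenario: the customer confirms Rs 1,000 to BEN-A; malware in the browser
    submits Rs 50,000 to BEN-M with the same OTP."""
    now = datetime(2011, 12, 15, 10, 0, tzinfo=timezone.utc)
    intended = {"from_account": "ACC-0001", "beneficiary": "BEN-A",
                "amount_paise": 100_000, "nonce": secrets.token_hex(8)}
    # The Bank sends this code by SMS together with the beneficiary and amount it covers.
    otp = transaction_otp(SERVER_KEY, intended)
    tampered = dict(intended, beneficiary="BEN-M", amount_paise=5_000_000)
    return {
        "honest": authorise(SERVER_KEY, intended, otp, None, now),
        "tampered": authorise(SERVER_KEY, tampered, otp, None, now),
        # A session-only code cannot tell the two submissions apart.
        "session_code_accepts_tampered": hmac.compare_digest(
            session_otp(SERVER_KEY, intended["nonce"]),
            session_otp(SERVER_KEY, tampered["nonce"])),
        # The same honest transfer, but the SIM behind the registered number changed two hours ago.
        "after_sim_swap": authorise(SERVER_KEY, intended, otp, now - timedelta(hours=2), now),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The transaction-bound code only helps if the SMS that carries it also prints the beneficiary and amount it was computed over, since the customer's comparison of that text against the screen is what catches the substitution; the SIM-change timestamp has to be supplied by the mobile operator, which the Bank cannot see on its own.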
EHR Incentive deadline under HIPAA-HITECH
Act extended
Dec 2: In an effort to make it easier for
Health Care Providers to qualify for maximum payments under the HITECH Act,
the deadline for Stage 2 compliance has been extended from 2013 to 2014
for those who attest by February 2012 that they qualified for Stage 1 by
adopting EHRs this year. The change in the deadline is meant to remove
the disincentive for providers to adopt and use health IT right away.
Related Article
USA conducting survey for ascertaining
China Cyber Risk
Dec 1: The US Government conducted a survey of
telecom companies and software companies to identify the presence of foreign
hardware and software and to ensure that there are no malicious
installations to spy on US assets. In the survey, the U.S. Commerce
Department asked for a detailed accounting of foreign-made hardware and
software on the companies' networks. It also asked about
security-related incidents such as the discovery of "unauthorized
electronic hardware" or suspicious equipment that can duplicate or
redirect data. The survey required companies to provide a detailed
outline of who made equipment, including optical-transmission components,
transceivers and base-station controllers. Companies that refused to
respond could face criminal penalties under the Defense Production Act,
a 1950 law allowing the government to manage the wartime economy,
according to the survey. It is time India also does a similar survey...
Related Article