The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”

At naavi.org, we have been discussing the issues of Cyber Crimes and Cyber Law since 1998. After initial years of focus on Cyber  Laws, we moved to discussing the proactive defense in the form of Techno Legal Information Security and Cyber Law Compliance.

Recently, we have moved into discussion on  “Cyber Dispute Resolution” in the form of ADR/ODR.

Along with this we need to also devote some attention on “Cyber Insurance” since it engulfs all other aspects of Cyber Security which we have discussed so far in the different niche areas.

A few months back, Naavi initiated an all India survey on Cyber Insurance to document the current status of the Cyber Insurance industry in India, along with a few other like minded persons. Some aspects of this survey has been shared in some of the earlier articles.

Naavi has been a strong advocate for developing Cyber Insurance industry in India since atleast a decade but the response of the industry has been luke warm. It is only in the last three years that some Insurance companies have been seriously talking of Cyber Insurance. However the user industry is still not keen on adoption since there is a mismatch between the expectations of the Insurers and the user  industries regarding the coverage and cost.

It was one of the objectives of the survey that we bring a focus on the industry so that both the service offeror and the potential customer of the insurance products understand what is on the table.

It was known that the current knowledge of the product in the user industry would be low and hence the response on the survey also would be low. At the same time, it was also known that the insurers were few and would not like to share their views in a survey. Despite this known handicap we went about the survey trying to contact over 1000 information security professionals to elicit responses through e-mail. Finally, we had a small sample of 50 who gave the complete response and had to settle for closing the survey though the initial target aimed was at least 100..

During the time of the survey and before, I have also personally tried to draw the attention of the decision makers upto Prime Minister Mr Modi as well as Mr Raghuram Rajan the Governor of RBI through all known means to make Cyber Insurance concept a part of their policy initiatives.

However, it was regrettable to note that neither the visionary Mr Modi nor the much acclaimed economist Governor Rajan seemed to appreciate the importance of even initiating a preliminary discussion on Cyber Insurance.

Mr Modi introduced and pushed some insurance products for farmers and rural folk in the form of Crop insurance and low cost life insurance. However, he failed to respond to the need of Cyber Insurance though his other programs on “Digital India” are increasing the Cyber Risk even for the rural folk at an alarming rate.

Similarly, Mr Raghuram Rajan is increasingly driving RBI policies on technology to the use of high risk Mobile and Social Media platforms without a corresponding protection either in the form of increased information security initiatives or Cyber Insurance. Naavi urged RBI to make Cyber Insurance mandatory for new Banks being licensed, but RBI would take no such initiative.

We also have to take on record that the Union Ministry of IT under Mr Ravishankar Prasad and the CERT-IN have also been completely oblivious to the increasing Cyber Risks and the need for Cyber Insurance.

It was also observed that the insurance regulator and the top insurance industry players also did not respond to many of the approaches made by the undersigned either to start discussing the subject in their forum or to actively participate in the survey. In fact I was surprised that the Insurance industry leaders were still grappling with the problem of using IT in Insurance industry rather than providing insurance cover against Cyber Crimes. The industry leaders are at least 10 to 15 years behind the current market developments and are not expected to be able to understand the requirements of the Cyber Insurance industry for long time to come. The few companies who have started offering Cyber Insurance policies are only reproducing the policies of their international partners. This represents a very depressing state of affairs in the Insurance industry for whom Cyber Insurance could be a huge opportunity.

(P.S: I would be glad to be challenged on these comments and welcome industry players to raise their objection if any)

In the light of this all round apathy on protecting the interests of Netizens who are every day bombarded with news of Cyber Crimes and losses in E-Banking and M-Banking, it is left to a few individuals such as the undersigned to continue their mission on educating the market on the need for Cyber Insurance with the hope that some day others will wake up from their slumber.

In this endeavour, I would like to share the detailed findings through a series of forthcoming articles so that more people would be interested in the subject.

The objective of unraveling this series of articles is to enhance the understanding of the subject of Cyber Insurance amongst Netizens so that sooner or later they start pressurizing the institutions to introduce cyber insurance as a standard warranty to their products.

We hope that Mr Modi’s team will wake up from their “All is Well Syndrome” and start working on Cyber Insurance along with the Digital India and Smart City programs.

……..This is Naavi’s proposition to BJP/NDA in the eve of their review of  “Two years in Governance”

…..Watch out for more in the coming articles….

Naavi

Share Button
Print Friendly

Chattisgarh Adjudicator passes compensation order for Rs 22 lakhs

When on July 16, 2013, naavi.org pointed out in its article “Loans Through SMS?”,it was the first time that it was pointed out that some thing fishy was going on under the website: http://www.cgtmse-govt.in . It was pointed out that the website could be a fraudulent site trying to lure innocent loan seekers and impersonated a Government website.

Subsequently, one of the readers (Mr Vinod) made some personal investigation and confirmed that the physical addresses given on the site was non existent.  At that time the main focus was that there was impersonation of a website cgtmse-govt.in. It was repeatedly pointed out that Government should take action in bringing down this phishing site.

However, Government did not do anything and the fraudulent website continued even after the Government changed in the Center from UPA to NDA. The site content promptly changed to suit the change in the Government.

Much later, with some of the efforts of people in Nagpur including Mr Mahendra Limaye, the site was closed.

In the meantime many people had lost money responding to the offer from the website. One such entity was Tushar Kant Mohanty of Raipur who had lost Rs 22.36 lakhs.  The amount was transferred from the victim’s account to the account of the fraudsters in Axis Bank and Punjab National Bank, two Banks frequently used by fraudsters due to prevailing  lose KYC practices.

Fortunately, the victim has now been able to recover his amount from the balance that was available at PNB through an order from the Chattisgarh Adjudicator.

Mr Mahedra Limaye must be congratulated on the successful conclusion of his client’s case and obtaining him the relief.

However, it is observed that the adjudicator has not found fault with CGTMSE which is was grossly negligent in facilitating the fraud particularly after it was informed way back in June 2013 that a fraud was being committed in its name. The Mohanty fraud occurred in April 2014 nearly an year after the fraud was brought to light and all those who contributed to the fraud through negligence and in action should have been made to pay a price for it.

Similarly, the Adjudicator has only ordered recovery of the credit balance that was available in the PNB’s account and has not penalized PNB and Axis Bank for being “Fraudster’s Bankers”.

Axis Bank has also not been made the respondent and hence escaped liability.

The Adjudicator should realize that Mohanty’s case is a representative case of the many other frauds that these fraudsters have committed and it is the duty of the Adjudicator to protect the interest of all these victims some of whom might not be in Chattisgarh or Maharashtra and were not the complainants in this particular complaint.

However, the Adjudicator had the power to take suo moto recognition of all such frauds and held PNB, Axis Bank and CGSMTE liable for facilitating the fraud through their negligence and lack of due diligence under Sections 79 and Section 85 of ITA 2000/8.

He could have also provided further damages to Mohanty to cover his expenses.

While we appreciate the Adjudicator for the order at a time when there are no other Adjudicators in the Country taking up such complaints, we would have been happier if the order had been simultaneously been made that the Banks and CGTMSE were liable for all others who had been defrauded by these fraudsters. He could have collected a fraud recovery amount of around 100 lakhs, from CGTMSE, PNB and AXIS Bank, acted as a receiver, collected applications from other victims and settled their claims. This would have set a precedent that would have helped in driving a sense of responsibility to these Banks and other agencies like CGTMSE.

Probably, Mahendra Limaye should file an additional petition on behalf of “Unknown Victims” and get a compensation awarded collectively like a “Class Action”. I suppose ITA 2000/8 has necessary powers.

 I hope PNB or the fraudster does not challenge the order so that the victim can atleast be happy that his actual loss has been recovered. Since the Cyber Appellate Tribunal is not operating appeal if any may arise only in Chattisgarh High Court. I urge that High Court should not intervene to grant any stay on this order if an appeal is made to them.

Naavi

Reference: Copy of the order

 

Share Button
Print Friendly

Cyber threat Scenario-HPE Security Research Report 2016

Hewlett Packard Enterprise has released its latest report (HPE Cyber Risk Report 2016) providing an interesting perspective on the threat landscape prevailing in 2015. The report is compiled by an analysis by the  research team of data collected from open source intelligence.

The research highlights the following key themes.

  1. Collateral damage
  2.  Overreaching regulations
  3. Need for Broad impact solutions
  4. Decoupling Privacy and Security efforts
  5. Persistence of earlier threats
  6. Attacks on Applications
  7. Monetization of Malware

The detailed report is available here.

The report highlighted that in several instances, attacks touched people who never dreamed they might be involved in security breach, causing collateral damage. Two cases cited as example for such collateral damage were the cases involving the United States Office of Personnel Management and Ashley Madison. 

The report also highlighted that the reaction from the regulators to the attacks were often damaging and counter productive. It was observed that the over reaching regulations pushed legitimate security research underground.

The report indicated that the fixes to vulnerabilities should move from releasing patches to individual vulnerabilities to building sustainable defences to prevent attacks. It  urges Adobe and Microsoft in particular to invest in broad asymmetric fixes that knock out many vulnerabilities at once.

An interesting observation held out in the report is that in the wake of revelations by Edward Snowden and other whistle blowers have led to moves to erode “Privacy” rights in preference to “Security” needs.

It was also observed that many of the incidents arose from bugs already known to the market indicating that there was negligence in implementing security patches of the earlier years.

Report indicates that attackers have shifted efforts to attack applications directly rather than attacking the perimeter network.  It observes that with increasing use of Mobiles, the perimeter of a network is in the user’s pockets and the security practitioner needs to recognize this.

The report also highlights the growing malware market which has strengthened the attack industry and increased its disruptive capabilities.

Security professionals need to study the report in detail and factor the observations while building the security in their respective environments.

Naavi

Share Button
Print Friendly

The TCS-Epic incident.. a lesson for all

Here are some of my views expressed in an interview with ISMG Asia on the recent TCS-Epic episode.

tcs_inforisk

The interview can be accessed here:

P.S: Kindly note that the voice is slightly distorted and looks hurried through. I suppose it is because of some technical issue in recording.

Naavi

Earlier Article at naavi.org

Share Button
Print Friendly

The Proposed Map Law Could hit Many Start-Ups a death blow.. Are anti Modi Moles at work?

Over the last decade and more specifically over the last few years, there has been a tremendous development in the use of ICT with the mobile technology taking firm roots. On the one hand Mr Modi has been promoting the “Digital India” concept and going all the way to promote the use of digital technology such as Aadhar.

Naavi.org has been cautioning the over use of the technology without appropriate safeguards such as information security and Cyber Insurance. However, certain types of regulation need to be cleverly drafted so that there is no misuse of technology but the regulation does not hurt development. Drafting of such legislation requires a knowledge of both the domain of legislation as well as the technology. Lack of such professionals in the bureaucratic circles appears to be creating situations where some decisions are taken at different ministries which directly affect Mr Modi’s development agenda.

There appears to be a set of people in the Governments who are hurt by the beneficial aspects of e-Governance and would like to curb the power of technology through new regulations. They seem to be targetting Cyber technologists with a vengeance by introducing restrictive laws that betray lack of understanding of the Cyber Business model solely to meet their short term goals some of which may be sinister Anti-Modi designs.

Two examples that stand out in recent times is the Arvind Kejriwal’s fight agaisnt Uber in Delhi and Karnataka Government’s bill on Aggregators of Taxi services. In both cases new laws have been passed to curb the growth of the new business.

Surge Pricing was bad to some extent but it had some logic. It could be regulated to prevent fraudulent pricing instead of bringing down the system itself. Karnataka’s law on taxi aggregators also tries to hit out at the new business model because the Government feared losing revenue from taxi operations.

Now a third fight has opened up in the new “Map Law” which imposes hefty fines upto Rs 100 crores for erroneous “Geo Spatial Information” besides possible 7 year imprisonment.

While the apparent intention was to ensure that India’s borders are not wrongly depicted by Google Maps, the law appears to actually hit the domestic start ups and small companies which are developing new business around the location of the user.

The new law would seriously hurt many mobile app operators who could be could be a taxi operator or a medical service or an ambulance service or a catering service or a grocery supply service. Today every business wants to know the location of the customer and make services available on “Near You” basis. Probably it could hit you and me who may use WhatsApp to share our location.

The draft law has now drawn the attention of the public that it may introduce an unintended licensing system  that could kill many small businesses and go completely against the “Start Up” concept that Mr Modi is promoting under the Digital India concept.

According to Section 4 of the proposed law,

Dissemination, Publication or Distribution of the Geo-spatial Information of India.-Save as otherwise provided in this Act, rules or regulations made there under, and with the general or special permission of the Security Vetting Authority, no person shall disseminate or allow visualization of any geo spatial information of India either through internet platforms or online services, or publish or distribute any geo spatial information of India in any electronic or physical form. “

Under Section 9

“Any person who wants to acquire, disseminate, publish or distribute any geo-spatial information of India, may make an application along with requisite fees to the Security Vetting Authority for security vetting of such geo-spatial information and licence thereof to acquire, disseminate, publish or distribute such Geo-spatial Information in any electronic or physical form. “

Under Section 3,

“Save as otherwise provided in this Act, rules or regulations made thereunder, or with the general or special permission of the Security Vetting Authority, no person shall acquire geo spatial imagery or data including value addition of any part of India either through any space or aerial platforms such as satellite, aircrafts, airships, balloons, unmanned aerial vehicles or terrestrial vehicles, or any other means whatsoever”

Under Section 13

“Whoever disseminates, publishes or distributes any geo spatial information of India in contravention of section 4, shall be punished with a fine ranging from Rupees ten lac to Rupees one hundred crore and/or imprisonment for a period upto seven years.

It is noted that the law criminalizes the dissemination of information without license by a stringent 7 year imprisonment term without even any hint of a need to prove some criminal intentions.

There is no “Exemption” provision that exempts users and any body else without malicious intentions from penalty.

There is no doubt that the law in its present form is absurdly draconian and will be struck down if challenged in a Court of Law. I hope the Government withdraws the law or makes substantial correction without exposing itself to another embarrassment in the Supreme Court.

If the law makers had any sense of the market place they would have restricted the penalty to only cases where the depiction of wrong borders was intentional and use of maps was for some anti national purpose. In every other case, a wrong map is a consumer protection issue and it would suffice if the consumer interest is protected with a penalty in the form of damages.

For example, if a map on a mobile App depicts there is an Adigas hotel in 5th Main, Chamarajpet, Bangalore and I search for the hotel for half an hour and cannot find it, it would suffice if I can collect a “Free Meal Coupon” as a compensation. There is no need for the app developer to be jailed for 7 years under a cognizable offence.

The law makers are simply unaware of how many of our businesses would be facing 7 year imprisonment term for their routine business activities on account of this new proposed law.

I cannot but think that the law has been framed only to defame Mr Modi and his efforts to promote Digital India by some bureaucrat who sits in the Government as a mole of Congress. Already a campaign has been mounted in Washington Post citing the absurdities of this law.

I wish Dr Subramanya Swamy finds out who actually was responsible for framing such a draconian law.

On the contrary, if this is simply a case of over enthusiasm and a blinkered vision that “Maps” means “Google” and “Apple” and hence one can think of Rs 100 crore penalty, then the concerned official should admit his ignorance and resign from his responsible position immediately or else removed.

 It is well known that this law will not deter Pakistan or China from depicting the maps of Indian Border as they wish. Hence the law will not have any effect but to make innocent Indian businesses to pay. It is expected that Apple or Google will pay whatever license fee is imposed on them and pass on the burden to the users such as the Zomatos, the Olas etc. The cost of doing business will therefore go up and the Ease of Doning Business index of India will dive down.

Hence there is a need for Mr Modi to immediately initiate corrective action.

I Invite public to send their views on this draft bill to jsis@nic.in within next 30 days to protect Digital India

Naavi

Related Article :  Livemint 

Share Button
Print Friendly

IRCTC hacking.. What Next?

It has been reported that the IRCTC servers have been hacked and data base of millions of users compromised.

See article here

It is also learnt that the information is available on CDs for Rs 15000/- . (From unconfirmed private sources)

The fact that IRCTC has been hacked is no surprise. It perhaps happened long back and we have come to know of it only now.

The point that IRCTC does not have proper Information Security systems is being discussed in other fora.

At this point of time, it is not clear what information has been compromised and made public. If it is only the personal information about the name and e-mail address and used for spamming, it is perhaps tolerable.

However, if sensitive personal information including the Password, the PAN card detail, the Credit Card or Bank details have been compromised, it is unpardonable.

In such a case action should be initiated by Police and there is a need to send some body in IRCTC to jail.

It is a failure of the reasonable security practice under ITA 2008 and an assistance to commission of further frauds through recklessness with or without financial benefits.

At the same time, we cannot estimate when a past customer of IRCTC would be hurt. His confidential data may be used any time in the future to commit a fraud. Hence there is a need to protect every customer of IRCTC from possible future loss.

For this purpose IRCTC must immediately pick up a Cyber Insurance Contract and cover all their account holders against possible identity theft related losses in the next 3 years upto say an amount of Rs 5 lakhs. Whatever be the cost of such an Insurance must be boarne by IRCTC.

IRCTC should also immediately give a notice to all its customers by individual e-mail as per standard “Data Breach Notification Policy” (Please see CLCC for a draft of a model policy).

If such a policy has not been adopted, it confirms the lack of “Due Diligence”.

In January, TOI carried an article titled “IRCTC website a sitting duck for Hackware”. This was a notice on which remedial action should have been initiated.

Naavi.org has itself raised the possibility of hacking way back in August 2010 and also recently asked if IRCTC should have taken Cyber Insurance.

However, IRCTC has not taken any remedial measures and even now a google search on “IRCTC hacking” reveals many sites promoting hacking of IRCTC.

All this indicates complete negligence of the Information Security responsibilities at IRCTC for which the persons responsible must be held accountable.

I suppose some body should take up a PIL on this account.

The Supreme Court takes up many less worthy cases on Suo Moto basis and there are activists who hoist PIL litigation for innocuous matters which Courts spend time on.

Will any responsible Judge consider it worthwhile to take up this case on a Suo Moto basis and ensure that people who have shared their personal data with IRCTC are protected against losses arising out of the identity theft?

The PRO of IRCTC seem to have given a statement that the “Website of IRCTC is not hacked”

The PRO may not be aware that  it would not have mattered much if the website had been defaced rather than the data having been compromised. He is either unaware of the damage or has not shared the info with the public. Hope IRCTC releases a note through their website what exactly has happened and what are the risks to the public.

P.S: Will Aadhar data base be the next on CD on the streets?

Naavi

Share Button
Print Friendly