E Banking Dispute Resolution Center to be activated

Naavi has been maintaining several information-oriented websites and certain online services, all of which form part of an effort to resolve online disputes.

For example,

Naavi.org provides information on Cyber Law, Cyber Crimes etc. and creates awareness among consumers about their rights in case something goes wrong in cyber space.

Ceac.in provides services for capturing evidence in electronic form which needs to be presented in a Court of law in India.

Cyber-notice.in provides a service to place public notices in cyber space when required.

Odrglobal.in provides an online mediation and arbitration facility which can be used for any dispute resolution.

Now, in the context of RBI's recent draft circular dated August 11, 2016, on "Limited Liability for Customers on E Banking Frauds", which requires a specific procedure to be followed by victims of e-banking frauds to claim the benefits under the circular, Naavi.org proposes to provide an integrated E-Banking Dispute Resolution Center to assist E-Banking customers who need to file complaints in the unfortunate event of suffering losses from Cyber crimes, ATM or Credit/Debit Card frauds and Mobile Wallet frauds.

The E Banking Dispute Resolution Center proposes to do the following:

a) Enroll members for the service, to whom necessary guidance on safe e-banking practices would be provided.

b) Provide a facility for filing ceac-certified notices on receipt of phishing e-mails.

c) Provide a facility for filing disputes on receipt of any fraudulent debit alert from a Bank.

d) Provide assistance in mediating with the Banks on the determination of limited liability as per the norms fixed by RBI.

e) Provide assistance from a panel of Cyber Lawyers who may represent the customers in different judicial proceedings.

At an appropriate time, efforts would be made to bring in Cyber Insurance cover for the members.

The objective of the service is to reduce losses caused by ignorance and bad e-banking practices among the public, to provide assistance in resolving disputes under the norms prescribed by RBI, and to negotiate residual risk coverage through Cyber Insurance when it becomes available.

This is a long term mission for which the foundation is being laid now.

The service will be formally activated and more detailed information made available after RBI issues the final circular, which should happen after the August 31, 2016 deadline given for public comments.

The project is at the stage of being launched, and any person who would like to join the project and contribute towards its stated goals is welcome to contact Naavi.

In the meantime, if any readers have not yet responded to the RBI draft circular, please do so before August 31, 2016. (For details, refer to this article.)

Naavi


ATM Hacking in Thailand.. Failure of Information Security design

In another large ATM heist, this time reported from Thailand, 12 million Baht, equivalent to approximately US$ 350,000 or Rs 2.38 crores, was stolen by fraudsters.

Refer Article Here

In the past, ATM frauds have been committed using skimming and cloned cards. In one other instance, fraud was committed by creating cloned cards after hacking into the back-end card issuing system.

But this Thailand fraud appears to have been committed with a new modus operandi: infecting the ATM machines with malware by inserting malware-carrying cards into the machines.

Fraudsters withdrew cash in multiple transactions from 21 ATM machines between August 1st and 8th. There must have been hundreds of transactions, since it is indicated that each withdrawal was less than 40,000 baht.

What is important to note is that when the card was inserted, it initiated electronic activity going beyond the expected process of reading the card data, and this was not detected by the system.

Additionally, after the initial withdrawals, the Bank failed for 6 to 7 days to detect the fraud by identifying the unusual pattern of excessive withdrawals from the ATMs.

This indicates a two-fold failure of the information security system design: the ATM neither detected nor blocked the unexpected activity triggered by the card, and the transaction monitoring did not pick up the resulting withdrawal pattern for days.

While we can appreciate the inherent risks of technology as well as the ingenuity of fraudsters in finding newer methods of committing fraud, we must admit that our Bankers and the experts who design their Information Security Systems should also share the blame for major frauds such as this. If they had been alert and designed the system properly, a fraud such as this should have been detected at least by the end of day one and should not have continued for 6 to 7 days.
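The second failure, the missing end-of-day check on withdrawal patterns, is the easier one to close. The following is an added example (not code from this post, and not any bank's monitoring system) of the kind of batch check that would have flagged the affected machines after day one: it aggregates withdrawals per ATM per day and raises an alert either when an ATM's daily count is far above its own history, or when it sees a burst of withdrawals sitting just under the per-transaction cap, which is what the report's "less than 40,000 baht per transaction" suggests. The transaction log is constructed, and the 40,000 baht cap, the near-cap fraction, the thresholds and the baseline window are assumptions.

```python
"""End-of-day ATM withdrawal anomaly check.

Added example, not code from the original post or from any bank.
The transaction records are constructed; the per-transaction cap, the
near-cap fraction, the baseline window and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

PER_TXN_CAP = 40_000        # assumed per-withdrawal limit, in baht
NEAR_CAP_FRACTION = 0.9     # a withdrawal >= 90% of the cap counts as "near cap"


def build_sample():
    """Constructed transaction log: (atm_id, ISO timestamp, amount)."""
    txns = []
    # Seven quiet days of history for two ATMs: three small withdrawals a day.
    for day in range(25, 32):
        for atm in ("ATM-01", "ATM-07"):
            for hour in (9, 13, 18):
                txns.append((atm, f"2016-07-{day:02d}T{hour:02d}:00:00", 5_000))
    # 1 Aug: ATM-07 is cashed out in twelve near-cap chunks in the small hours.
    for minute in range(0, 24, 2):
        txns.append(("ATM-07", f"2016-08-01T02:{minute:02d}:00", 39_000))
    # ATM-12 has no history at all but shows the same cash-out shape.
    for minute in range(0, 12, 2):
        txns.append(("ATM-12", f"2016-08-01T03:{minute:02d}:00", 39_500))
    # ATM-01 behaves normally on the same day.
    for hour in (9, 13, 18):
        txns.append(("ATM-01", f"2016-08-01T{hour:02d}:00:00", 5_000))
    return txns


def daily_totals(txns):
    """Aggregate count, amount and near-cap count per (atm_id, day)."""
    agg = defaultdict(lambda: {"count": 0, "amount": 0, "near_cap": 0})
    for atm, ts, amount in txns:
        day = datetime.fromisoformat(ts).date()
        bucket = agg[(atm, day)]
        bucket["count"] += 1
        bucket["amount"] += amount
        if amount >= NEAR_CAP_FRACTION * PER_TXN_CAP:
            bucket["near_cap"] += 1
    return agg


def baseline(agg, atm, before_day):
    """Mean and std-dev of the ATM's daily withdrawal count on earlier days."""
    counts = [v["count"] for (a, d), v in agg.items() if a == atm and d < before_day]
    if len(counts) < 2:
        return None
    return mean(counts), pstdev(counts)


def flag_day(agg, day_iso, z=3.0, min_near_cap=5):
    """Alerts for ATMs whose activity on the given day looks like a cash-out.

    Two independent rules, so a burst of near-cap withdrawals is still caught
    on an ATM with too little history for a statistical baseline:
      1. daily count exceeds baseline mean + z * stddev (stddev floored at 1)
      2. at least min_near_cap withdrawals at or near the per-transaction cap
    Returns a sorted list of (atm_id, [reasons]).
    """
    day = date.fromisoformat(day_iso)
    alerts = []
    for (atm, d), v in agg.items():
        if d != day:
            continue
        reasons = []
        stats = baseline(agg, atm, day)
        if stats is not None:
            mu, sigma = stats
            if v["count"] > mu + z * max(sigma, 1.0):
                reasons.append(f"{v['count']} withdrawals vs baseline {mu:.1f} +/- {sigma:.1f}")
        if v["near_cap"] >= min_near_cap:
            reasons.append(f"{v['near_cap']} withdrawals at or near the {PER_TXN_CAP} cap")
        if reasons:
            alerts.append((atm, reasons))
    return sorted(alerts)


def run_sample(day_iso="2016-08-01"):
    """Convenience wrapper: build the constructed log and check one day."""
    return flag_day(daily_totals(build_sample()), day_iso)


if __name__ == "__main__":
    for atm, reasons in run_sample():
        print(atm, "; ".join(reasons))
```

Run against the constructed log, the check flags ATM-07 on both rules and ATM-12 on the near-cap rule alone, while the quiet days produce no alerts. The near-cap rule matters in practice because a freshly deployed or rarely used machine has no baseline to deviate from; a cash-out on such a machine would otherwise be invisible to a purely statistical check.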

It is also important to note that many ATMs run on obsolete operating system software such as Windows XP, which can no longer be patched against new exploits. (It is not known whether this was one of the causes of this fraud.)

Now that this fraud has been reported in Thailand, Indian Banks need to wake up and check their systems to see whether this vulnerability can be exploited in India.

If I were the Governor of RBI, the first thing I would do is call my Thai counterpart and find out the root cause analysis of the fraud. If necessary, I would depute somebody like Mr Nandakumar Sarvade to take the next flight to Thailand and personally meet the forensic specialists there to understand the issues involved, so that we can check how vulnerable the Indian ATM system is to such frauds.

Well, this is a dream and may not happen. What I consider feasible, however, is that a few of the private sector White Label ATM owners in India might want to undertake a tour of Thailand to investigate and understand the modus operandi of the fraud, so that corrective security measures can be taken in India.

At present there are around 20 such companies, including many listed companies, such as Tata Communications Payment Solutions Ltd., Prizm Payment Services Pvt. Ltd., Muthoot Finance Ltd., Vakrangee Ltd, BTI Payments Pvt Ltd, Srei Infrastructure Finance Ltd and RiddhiSiddhi Bullions Ltd.

For these companies (as well as all other Banks that manage ATMs), the news report about the Thailand ATM fraud is a "Risk Notice", and the immediate action required is to analyze the information and initiate remedial action.

We are now about 36 days from the RBI deadline for implementation of the Cyber Security Framework 2016, and this ATM risk assessment and mitigation becomes an easily recognizable target for the information security team.

The Directors of these Banks and Companies therefore need to demand that an emergency Board meeting be called within the next 48 hours to apprise them of the vulnerability of their ATMs to this kind of fraud involving "Malware injection through the ATM Card".

Will the Bank Directors shoot out an e-mail today to the Chairman to convene such a meeting and demand information?

CISOs in the meantime may gather a list of ATMs, the operating systems on which they run, the risks of malware injection, the ability to identify unusual transaction patterns etc., and present their plan of action to secure the Bank against such frauds.

Exciting days ahead for the CISOs….

Naavi

P.S: My hunch is that chip-embedded cards are more vulnerable to a malware injection attack than the old magnetic stripe cards. Any opinion on this view?

Related Information:

RBI Guidelines on White Label ATMs

RBI guidelines on ATM usage

White Label ATMs in India

Economics of White Label ATMs etc


Big Data Conundrum

With the increasing emphasis on digital progress in India, we often hear the term "Big Data" and the "Privacy" issues associated with it. Just as "Privacy" and "Security" have become objects of comparative controversy, Big Data and Privacy are becoming another such pair.

In addressing the Privacy vs Security issue, we have always held that Security is to be preferred over Privacy, and in the context of growing terrorism in India and the world, it is impossible for "Privacy" to be preferred over Security at any time. This controversy can however be settled with the win-win solution of "Regulated Anonymity", which has been debated earlier.

Now let us look at Big Data vs Privacy as a problem which we need to address. This requires a clearer understanding of what Big Data is before we can comment on the issues arising out of the Collection, Mining, Processing, Publishing, Transmission, Disclosure and Harnessing of Big Data.

The concept of Big Data, as distinct from the normal term "Data", arose when the volume of data to be handled in a single process grew too large for normal data processing systems. Along with the size of the data came the complexity of its diverse nature and the need to process such huge and complex data.

Big Data requires a set of techniques and technologies with new forms of integration to reveal insights from datasets that are diverse, complex, and of massive scale. The technical issues raised by the size and complexity give rise to legal issues that are also difficult to handle under the existing Cyber Laws.

Hence there is a need to re-look at Cyber Laws related to Big Data. In this context, Privacy is presently at the top of the discussion table. "Big Data Crimes" will also be relevant for discussion and will subsequently flow on to "Big Data Security" as we go along the path of understanding the issues raised by Big Data.

The rise of IoT, Smart Cities, Smart Grids etc. feeds the generation of Big Data, and along with it comes the need to discuss "Big Data Laws" as a necessary subject.

The growth of Cyber Terrorism and Cyber Warfare, the prevention of which requires "Cyber Intelligence", also overlaps with the policies and laws that are needed for the Collection, Mining, Processing, Storage, Publishing, Transmission, Disclosure and Harnessing etc. of Big Data.

Nature of Big Data

In order to discuss the “Big Data Laws”, we need to first understand the nature of Big Data.

The source of Big Data is the information transmission nodes and the public data storage points. Beyond these, data is stored in private custody, behind Firewalls, and unless it is transferred from the place of creation across an open network, it may never become accessible to Big Data Sniffers.

When Big Data Sniffers "Mine" for data, they may not target any specific type of data or any individual. The data collected in an omnibus data collection drive may later be filtered and classified into different types of data and tagged accordingly for further harnessing.

The components of Big Data are:

a) Personal Data collected from individuals, including individualized data such as that emanating from devices embedded in or worn on the human body, such as wearables and medical implants.

b) Corporate Data, which includes business information as well as personal data of individuals in the hands of a corporate, either as custodian of employee data or as an intermediary processing data of customers and the public.

c) Environmental data, including that collected from weather satellites, mapping devices, CCTVs in public places etc., where the primary aim is not to collect personal data but personal data becomes part of the overall data collected.

d) Meta Data, which is "Data about Data" and covers the transactions of Netizens, the tracking of data movement over a public network, and "Log Records" of all kinds. Though this data is impersonal at the time of collection, it is amenable to further analysis and conversion from a de-identified state to an identified state.

Privacy issues are concerns that arise when an individual's personal data becomes accessible to another without the knowledge and consent of the data subject.

When an individual provides specific personal data, the principles of Privacy protection revolve around informing the subject of the data being collected, the purpose for which it is collected, and how it is being used, secured, disposed of etc., following which the consent of the data subject is obtained by the agency collecting the information.

This is a contractual obligation, and any violation of privacy which is in breach of the contract is punishable under various laws.

Even in India, where there is no specific Privacy Protection law, the Information Technology Act 2000 as amended in 2008 (ITA2000/8) protects the contractual arrangement between the data subject and the data collection agent through Sections 43, 43A, 72A etc. Additionally, certain powers vested in certain authorities provide for exceptions to Privacy, which are used for surveillance, intelligence gathering by security agencies, investigation and prosecution of crimes etc.

The Privacy problem that arises in the Big Data context is that, at the time data comes into the hands of a Big Data Sniffer, neither does he know that he is collecting personal data nor does the data subject know that his personal data is being collected.

Take for example a street-view CCTV which captures the movement of a car whose license plate is visible, or the face of a person walking across the street. Initially this is data about an activity: a car is moving on a particular street, or a man is walking along it. But if this data is parsed together with the vehicle registration data, it can be presumed that the car's owner is moving on that street.

Similarly, if face recognition is performed on the person walking along, by checking against tagged photographs in social media, the CCTV data becomes highly personalized data.

If the camera captures the person entering and exiting an ATM or a Hospital, we are entering the domain of sensitive personal information about the individual.

These examples indicate that "Data can change its status from the time it is collected to the time it goes into processing". Herein lies the biggest challenge to Big Data law making.

We cannot prevent the CCTV footage from being collected in the first place, because there may be myriad security reasons for it. Beyond the security reasons there could also be purely functional requirements, such as managing the traffic lights in an automated traffic light system.

Once the information collected in a public place has an element of "Privacy", there will always be disagreements on how the data can be handled.

We therefore need to re-think whether our definition of privacy itself needs to be reviewed in the context of the development of a digitized environment.

Whether the fact that a person used a public place is information which he can claim to be private is a point of discussion. Similarly, we can question whether watching a person move along the road through the CCTV cameras amounts to "Cyber Stalking".

Obviously, some would argue that such watching may amount to a privacy violation and needs to be protected against. But law makers need to think twice before recognizing the "Public Activity" of a person as "Private Data" subject to privacy protection.

It is common practice today to see notices such as "This area is under CCTV surveillance", just to ensure that there is no complaint of privacy violation. In the Big Data law making scenario, we need to debate whether such a notice is required in a public place (including malls and public offices).

The key point we need to settle, therefore, is:

Do we make new laws that fit the Big Data scenario by changing some of the existing concepts, or do we try to fit existing laws to a situation where they cannot be regulated and enforced?

When Cyber Laws were made by people who had no understanding of Cyber Space, we observed many anomalies creeping into the system. Most of these still remain in the statute and are often the cause of imperfect legal implementation. It will take generations before jurisprudence develops and matures to address the doubts that arise because the laws made are imperfect for the needs of society.

A similar situation now prevails, where laws made for the normal Cyber Society for privacy protection may not be effective in a Big Data scenario.

We therefore need to re-define what Privacy is in the context of a digital world and Big Data processing. What constitutes "Personal Data" subject to "Privacy Rights" may have to be re-defined to exclude personal data in the state of "raw data not associated with personal information", though it may be capable of being tagged by a further sequential process.

Once this re-definition of privacy is accepted, the Big Data collector can be free from the obligations of Privacy. It is however the responsibility of Big Data processors to ensure that the linking of "Big Data" with an "Identifiable Individual" does not happen except through a regulated process. The new Privacy laws therefore have to address this technical stage of processing Big Data. In a way, this means that data collected as anonymous data is retained in an anonymous state even as it goes down the further processing stream.

For Big Data to be useful, at some stage downstream in the processing chain it has to be identified with an individual, and it is at this stage that the Privacy Protection laws can be applied.

The several "Intermediaries" involved in Big Data Analytics therefore have to be classified into different categories such as "Anonymous Data Processors", "Identified Data Processors" and "Data Identification Gate Keepers". The "Big Data Privacy Law" can then apply different norms to these different entities.
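To make the separation sketched in the last few paragraphs concrete, here is an added illustration (not the author's code, and not any deployed system) of how the three roles could be kept apart in software, using the street-view CCTV example from above: the collector replaces the license plate with a keyed pseudonym before any record leaves the camera network, the anonymous processor correlates records by pseudonym only and never sees a plate, and a gatekeeper holding the key and the registration table performs the linking, only for an approved purpose and with every request logged. The plate numbers, the key, the registration table and the purpose rule are all assumptions.

```python
"""Pseudonymous processing with a re-identification gatekeeper.

Added example illustrating the separation of roles sketched in the post;
it is not the author's code or any deployed system. The plate numbers,
the HMAC key, the registration table and the purpose rule are assumptions.
"""
import hashlib
import hmac
from collections import defaultdict

# Constructed: key held only by the gatekeeper, never by downstream processors.
GATEKEEPER_KEY = b"example-key-held-by-gatekeeper-only"

# Constructed registration table (plate -> owner), also gatekeeper-only.
REGISTRY = {"KA01AB1234": "owner-1", "KA05CD5678": "owner-2"}

# Constructed raw CCTV observations: (plate, location, ISO time).
# The third plate is not in the registry at all.
RAW_OBSERVATIONS = [
    ("KA01AB1234", "MG Road", "2016-08-20T08:05"),
    ("KA05CD5678", "Brigade Road", "2016-08-20T08:10"),
    ("KA01AB1234", "Residency Road", "2016-08-20T08:30"),
    ("MH02ZZ0000", "MG Road", "2016-08-20T09:00"),
]


def pseudonymise(plate, key):
    """Keyed hash of the identifier, truncated to a 16-hex-char token.

    A plain SHA-256 of a plate is reversible by enumerating the small plate
    space; HMAC with a key held only by the gatekeeper is not.
    """
    return hmac.new(key, plate.upper().encode(), hashlib.sha256).hexdigest()[:16]


def collect(observations, key):
    """Collector stage: replace plates by tokens before data leaves the camera network."""
    return [(pseudonymise(plate, key), loc, ts) for plate, loc, ts in observations]


def analyse(pseudo_records):
    """Anonymous processor: builds per-token movement tracks, never sees a plate."""
    tracks = defaultdict(list)
    for token, loc, ts in pseudo_records:
        tracks[token].append((ts, loc))
    return {token: sorted(track) for token, track in tracks.items()}


class Gatekeeper:
    """Holds the key and the registry; re-identifies only for an approved purpose.

    Every request, approved or denied, is appended to the audit log so the
    linking step itself is reviewable.
    """

    def __init__(self, key, registry, approved_purposes):
        self._index = {pseudonymise(plate, key): plate for plate in registry}
        self._registry = dict(registry)
        self._approved = set(approved_purposes)
        self.audit = []

    def resolve(self, token, requester, purpose):
        allowed = purpose in self._approved
        self.audit.append((requester, purpose, token, "approved" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{requester}: purpose '{purpose}' not approved")
        plate = self._index.get(token)
        if plate is None:
            return None  # observed but never registered: stays anonymous
        return plate, self._registry[plate]


if __name__ == "__main__":
    records = collect(RAW_OBSERVATIONS, GATEKEEPER_KEY)
    tracks = analyse(records)
    gk = Gatekeeper(GATEKEEPER_KEY, REGISTRY, {"criminal-investigation"})
    for token, track in tracks.items():
        print(token, track)
    print(gk.resolve(next(iter(tracks)), "inspector", "criminal-investigation"))
```

Two design points carry the legal argument into the code. The processor can still do useful work (it can see that one token visited two streets twenty-five minutes apart) without holding anything that names a person, so it is the "Anonymous Data Processor" of the post. And the only path from token to owner runs through `Gatekeeper.resolve`, which refuses an unapproved purpose and records the attempt either way; that audit log is what a regulator would inspect to check that the "regulated process" was actually followed.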

I invite comments and suggestions …..

(…..Discussions will continue)

Naavi


If You are a Bank Director.. Your Independence Day Resolution Should be…

I draw the attention of all individuals who hold the position of Director in any of the Scheduled Commercial Banks in India, including RRBs as well as Cooperative Banks, to the new responsibility thrust on them by RBI through its Circular on Cyber Security Framework released on June 2, 2016, and further through the "Draft Circular" of August 11, 2016 announcing its intention to limit customer liability on Internet/Mobile/Credit Card/Debit Card/ATM Card frauds.

I also draw the attention of all Bank Staff Training establishments, Principals and Faculty Members who have the responsibility to educate Banking Executives, as well as well-wishers of Banks such as Auditors and Company Secretaries who have the responsibility to advise Directors on compliance with RBI regulations, so that they in turn may keep the Directors informed that the new dispensation of RBI places inescapable responsibilities on them which cannot be ignored.

Kindly analyze the following and take appropriate steps without any further delay.

Naavi

Recently, we witnessed an alarming situation where Bangladesh Bank lost Rs 90 crores through a hacking of its SWIFT money transfer system. A similar attack also occurred on the Union Bank of India system, and but for a stroke of luck the Bank could have lost about Rs 1200 crores through a similar fraud. Unlike the earlier major frauds, where customers' money was stolen from their Bank accounts, this time the attack was directly on the Bank's own system. It also demonstrated that there are vulnerabilities within the Banking system, and the same vulnerabilities may also cause losses to customers.

The Legal Implication

What we need to recognize here is that the hacker was able to engineer a money transfer of hundreds of crores of rupees by forging the transfer request of two responsible officials of the Bank entrusted with the Maker-Checker responsibilities that must be completed before funds can be transferred in the SWIFT system. It is therefore clear that such hackers will not find it difficult to forge the signature of a Branch system administrator who has powers to create new users and new passwords for staff members, create fraudulent access credentials, and initiate transfers of substantial amounts from many customers' accounts.

Banks will therefore not be able to claim that they have good security systems in place, that such systems have been audited for standards such as ISO 27001 by one of the Big Four firms etc., and thereby convince judicial authorities that whenever a Bank fraud occurs it is the negligence of the customer which is responsible and not that of the Bank.

Cyber Security Framework (CSF-2016)

Taking note of the new risks that the SWIFT attack represented, RBI was quick to come up with a new "Cyber Security Framework" (CSF-2016) as a mandatory requirement for Banks, revising and upgrading the earlier directions contained in the Internet Banking Guidelines of June 2001 and the E Banking Security Guidelines (GGWG) of April 2011, as well as other guidelines on Card transactions released from time to time.

While issuing the new guidelines, RBI has placed direct responsibility on the Board of Directors to take cognizance of the gaps that exist in compliance and of the road map for mitigating those gaps.

The requirements in CSF 2016 go much beyond what was contained in the earlier guidelines and include setting up a Security Operations Center (SOC) and a "Honey Pot" to help detect and defend against "Unknown Zero Day Vulnerabilities".

The current information security systems will not be able to meet the compliance requirements even in the big Banks, and smaller banks will fall woefully short of the requirements.

The Board of Directors therefore need to develop strategies for meeting the compliance requirements within the limitations of funds and expertise within their own Banks.

CSF 2016 also requires that a detailed report be sent to RBI within two to six hours of a security breach coming to the Bank's knowledge. There will therefore be no opportunity to preview the report by holding a board meeting to approve what is being submitted to RBI, even though the report may create a liability for the Bank and its Directors.

The situation therefore calls for urgent action by Directors to safeguard their own interests and those of the Bank. Such action includes training themselves and reviewing the action taken so far in this regard.

Many of the Banks might have already passed a resolution at their previous Board meeting, since the deadline for submission of a Board-acknowledged Gap report was July 31, 2016.

If the Directors had not fully appreciated the requirements and passed the resolution in good faith that their professional departments must have presented a fair proposition, now is the time for the Directors to look back at the papers which they approved and see whether a review is needed, since the next deadline, for actual compliance, is September 30, 2016, which is hardly 45 days ahead.

Limited Customer Liability

As a further follow-up towards "Safe E Banking", RBI has now released a draft circular on August 11, 2016 indicating its intention to bring in the concept of "Limited Liability" for customers in respect of frauds. "Limited Liability" for customers automatically means "More Liability" for the Banks.

According to the proposed system, in all cases of fraud in which the negligence of the Bank is involved, the liability has to be fully borne by the Bank. In any case, once the Bank has been notified of an unauthorized debit, any further fraudulent withdrawals would also be the responsibility of the Bank, irrespective of whose negligence caused the loss.

In cases where the fraud has occurred due to the direct negligence of the Customer, he may be held liable.

In cases of third party breaches where neither the customer's nor the banker's negligence is involved, if the customer notifies the unauthorized transaction within 3 days of it being reported to him by the Bank (sending an alert is the responsibility of the Bank), the customer will not be liable. If in such cases the Customer reports after a delay, but within 4-7 days, the liability will be limited to Rs 5000/-.

If the customer notifies the unauthorized debit arising out of a third party breach, in which there is negligence of neither the customer nor the Bank, beyond 7 days, or fails to report it at all, then the Bank has to state in its policy how much liability can be placed on the customer beyond the Rs 5000/-. It is difficult to say whether RBI would accept 100% liability on the customer in such cases, since the law also may not support it. It has to be a graded system and reasonable under the circumstances. Probably any liability on the customer beyond 50% would be unreasonable, even if he has failed to report the unauthorized debit in his own account.

Non-compliance with CSF 2016, and providing a false confirmation to RBI that the bank is compliant, would establish "Negligence" and "Complicity" of the Bank in facilitating a fraud and can make it liable for all frauds.

In view of the above, it is time that Directors of Banks immediately take the necessary action to ensure that their responsibilities are properly discharged and that they are free from personal liabilities. I hope this would be a personal resolution that they take on this 70th Independence Day of India.

P.S: I have placed more detailed discussions in the earlier articles and will continue to put up more information, and I invite the Directors of the Banks to peruse the same and take appropriate action.

Naavi
