WhatsApp Moment in Indian Financial Services

Happy to note that Mr Nandan Nilekani is back at what he is best at, the professional circles, after a brief brush with politics, that too with the Congress party. Naavi has been highly critical of his association with Congress party which made him say things such as “Reservation is required in Private Sector”.

Now that he seems to have donned the corporate suit again, it is happy days for all his admirers. We welcome him and hope he will make his own disruptive impact on the IT ecosystem in the country.

I got to watch two of his talks recently on the topic of Disruption of Financial Services, one at TIE, Bangalore and another at IFMR Trust, Mumbai. He called it a Thought experiment and it was indeed very thought provoking.

The thoughts which he has seeded in the talk will be discussed and debated in the market place and as an Ex-Banker and a keen watcher of the developments of “Use of Technology in Banking” I will add some of my own thoughts in due course through these columns.

For the time being, I invite the readers to watch the YouTube video below:

Nandan’s Presentation at TIE :


IFMR Presentation (Same as TIE but better videographed):

Panel Discussion at TIE:


The essence of what Mr Nandan Nilekani discusses is that in 2009, the advent of WhatsApp disrupted the Telecom scenario and changed the way data was consumed on mobile networks. In the same manner he feels that the advent of Paytm and the like will change the way the Indian Banking system will function in the coming days and there can be some major upheavals in store.

In the TIE conference, Paytm and Bankbazaar promoters also add their views and suggest that the developments threaten the traditional Banking system. Obviously this requires some in-depth discussions.

I invite the readers to contribute to this discussion as we go along.



1710 Bank Frauds reported by Police..Does RBI have a count?

Dr Triveni Singh, the additional Superintendent Lucknow is emerging as a “Super Cyber Crime Cop” of the country having resolved many individual and organized cyber crimes in the areas around Noida and NCR region of Delhi. Dr Triveni Singh is an exceptionally qualified police official with an MBA and PhD, as well as certifications of CEH and CHFI. He is one of the few Police officers in India who are both qualified and also have many field accomplishments to their credit. Perhaps it looks strange that he belongs to the UP cadre and is not working in Delhi or other major metros leading a National level Cyber Crime Police Force. Such a specialized police force is necessary for the security of Digital India and hopefully, Mr Triveni Singh will soon be provided an opportunity to use his skills in a more productive posting.

In solving some of the recent crimes involving Bank Frauds, Mr Triveni Singh has reported that a special task force studied 210 FIRs and 1500 complaints from the residents of Haryana, Rajasthan, Maharashtra, Punjab and Bihar and came to certain interesting conclusions as to the behaviour of these gang members. The total value of the frauds involved in these cases was around Rs 80 lakhs.

The police have found that the fraudsters used the proceeds to buy mobile phones and also kept money in mobile wallets. They were able to use the e-commerce merchants and mobile wallet managers as conduits to commit crimes, exposing them to risks of being held liable for the frauds under ITA 2008. These e-commerce and mobile wallet managers are guilty of weak KYC and identity verification systems contributing directly to frauds.

See Report in Times of India

One of the immediate thoughts that occurred to me on reading the report is about the Cyber Crime statistics. The report indicates that in the few states mentioned, there were nearly 1700 cases reported involving banks. But it is not clear if these cases get reported as “Bank Frauds” in the RBI’s records. In the absence of proper recognition of the incidence of such crimes, RBI is blind to the risks of e-banking and keeps allowing Banks to introduce more and more technology in Banking without appropriate safeguards.

While it is exciting to hear about innovative banking practices such as the social media banking, cardless banking etc., there is no accountability for Bankers when it comes to frauds. Now RBI has provided licenses to Small Banks and Payment Banks who are more technology dependent and therefore more vulnerable to Cyber Crimes.

With every new step in the advancement of technology in Banking, the customers are being driven into higher and higher risk situations.

Banks continue to evade any liability for frauds and RBI’s ombudsmen collude with Bankers and refuse relief to Customers in ATM card, Credit Card and Mobile frauds. The supervision of RBI on information security in Banks is inadequate and Banks work with more risks than they can afford.

To top it all, Banks, which were mandated by none other than RBI itself, through its Internet Banking Guidelines of June 2001, to obtain Cyber Insurance against such frauds and ensure that customers do not suffer losses, refuse to take such cover even today, after 15 years.

If RBI was serious about customer safety it should have ensured that by this time all Banks had a suitable Cyber Insurance cover and not bully its customers to bear the cyber fraud losses. Without such insurance cover for their customers, no new Bank should have been licensed. But despite representations to this effect, RBI did not take any action and let new Banks be licensed with more risks than existing Banks.

I wish Dr Triveni Singh books a few Bank officials for their negligence in maintaining proper information security in their systems causing losses to the customers. We are aware that under ITA 2008, vicarious liabilities accrue to Bank for their negligence which causes identity theft and unauthorized access.

In fact one of the largest phishing frauds in India occurred in PNB, Noida where a customer lost Rs 1.64 crores. The case is lingering along in the National Consumer Forum and despite atrocious negligence in “Banking Service” displayed by the Bank, justice is being delayed for more than 7 years. Around this time in 2008 a series of frauds occurred in PNB and if Dr Triveni Singh studies all such frauds, it will be clear that PNB had put all its customers to a huge level of risks entirely by their own ineptitude. While the victims of the cyber crimes are suffering for the last 7 years, the then Chairman went on to become IBA chairman and enjoy the fruits of his office built over the losses of the customers of PNB. I am not sure if there is any mechanism in RBI to monitor such matters which are simply reported by the Banks as “Under litigation”. RBI should study the impact of such unresolved frauds on the trust and confidence that people have in Banks and the danger of a backlash from customers.

I wish that at least now RBI assumes accountability for safe e-banking and ensures that the future of Digital India is not endangered.




Voluntary Special Interest Group on Secure Digital India (VSIG-SDI)

Regular visitors of this site remember the article “If NAMO is the CEO of Digital India, who is the CISO”?

This thought is still ringing in the minds of many of us who are wholeheartedly supporting the Digital India project but frequently expressing adverse comments on many policy initiatives of the Department of Electronics and Information Technology (DeitY).

A few days back a group of Information Security Professionals in a WhatsApp group came together with a thought that Government of India is going ahead with its Digital India project without an appropriate Information Security back up and we need to do something to contribute our thoughts on how to change things for the better.

With this idea, the group decided to promote what can be called a “Voluntary Special Interest Group on Secure Digital India” and start deliberating on how to progress further.

In order to collaborate with the persons of similar interest, a Facebook page was opened at www.facebook.com/securedigitalindia.

As a thought starter, I had placed a PPT on the initial thoughts and shared it with the members of the group. Now I find that I am getting requests from many for this PPT, which is only information on the proposed activities of this group. We are yet to come up with any documents containing suggestions which can be shared with the public. We hope to do the same in due course.

However, since it is difficult to handle individual requests for the sharing of the document, I am placing the current version of the document on this website.

The document is available here

I welcome comments. Comments can be posted as visitor’s comments on the Facebook page or here on naavi.org. You can also communicate with Naavi on his email.

I also welcome any detailed white papers that can be published on naavi.org that would go with the objective of the group. This SIG and its activities are a voluntary activity of a virtual group of IS Experts who we believe may be able to collectively provide recommendations to the DeitY which would be useful. Success of the thought is in your hands. Participate in full.



Cyber Insurance and Data Breach Liability

In the US it is stated that 46 of the 50 states have made Data Breach Notification mandatory. As a result, when a data breach event occurs the company needs to conduct an in-house audit and then send out notifications to all its customers who are likely to have been affected by the breach.

The cost of such notification itself is huge since in most cases the number of data lost runs to millions.

This data breach notification is recognized as one of the key drivers of the Cyber Insurance industry in the US since these costs of data breach notification are a clear cash outgo for the company, to be incurred almost immediately after a data breach comes to its knowledge.

Related Article in Computerweekly.com

In India, many companies are ignorant about whether there is any data breach notification obligation. Presently under Section 79 of ITA 2008, data breach incidents need to be reported to IN-CERT, though this is rarely observed and CERT-IN.

There is still however no specific obligation to notify the customers unless this is introduced as a part of the Section 79 notification on due diligence.

Recently Indian Press reported that two companies in Mumbai suffered extortion threats after some hackers threatened to reveal some illegal activities of the companies. This was also an incident of security breach in the company though we do not know if there was any customer information involved in the breach.

But the public do not know if this was reported to IN-CERT. In fact the Press have been helping the companies to keep their identity under wraps which also means the crime is kept under wraps.

Sooner or later the situation will change and data breach notification will become mandatory in India. Companies therefore need to be prepared for meeting the liabilities both in terms of costs involved in setting things right, notifying parties and also meeting third party liability claims.

It is time they start asking themselves where they stand in this respect since some of these companies are also filing declarations under clause 49 of SEBI rules on listing which is similar to SOX guidelines.


Related Article: Reddit.com


Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

Naavi has been arguing for a long time that Banks are vicariously liable for Cyber Crimes in which customers lose money. It is under this argument that in the S.Umashankar Vs ICICI Bank case, the adjudicator of Tamil Nadu held the Bank liable. Subsequently, Mumbai adjudicator came to the same conclusion in several cases.

Now I am glad that more people are echoing the same view. Here is a good article on the subject in Indian Express written by an IPS officer Mr Arun Bothra. (See article here).

Mr Bothra has rightly argued that in case of ATM and other Bank frauds, it is the failure of Bank’s security systems that should be recognized and held responsible.

(Naavi has placed his arguments in detail in many articles in this website and one can find these articles if a search is made within the site. Or click here).

However, cyber crime victims who have tried to prove their case in a judicial system have been repeatedly frustrated by the powerful Banks as the following developments indicate.

  1. The Chennai Adjudicator Mr P W C Davidar who held ICICI Bank responsible in several cases was transferred out of the department as soon as Ms Jayalalitha took over as CM. Subsequent adjudicators have not made any moves to hear further cases.
  2. The Mumbai adjudicator who decided many cases against Banks was transferred to Delhi by the current BJP establishment and since then Mumbai adjudication system has gone quiet.
  3. In Bangalore where two cases came up before the Adjudicator, he went a step ahead of the others by declaring that no case can be filed against a Bank under Section 43 of ITA 2000/8 since Bank is a “Company” and the section applies only to a “Person”.
  4. The Cyber Appellate Tribunal which ought to hear appeals against adjudications has been literally shut down since the Government both in the earlier regime under Kapil Sibal and the present regime under R S. Prasad are unwilling to appoint a chair person since 2011.
  5. Karnataka High Court is reluctant to intervene for reasons better known to it.
  6. The IT Ministers, PMs, Presidents and the CJIs in the last several years who have come and gone or are presently in charge have all been contacted by the undersigned and none of them have been able to get the Cyber Appellate Tribunal functional.

All this indicates that there could be a huge conspiracy to deny the Cyber crime victims in Banks from getting justice through the system.

Mr Modi and the BJP Government who are trying to push through the Digital India agenda are unable to ensure at least the presence of a Cyber Judicial System though we understand that they cannot guarantee justice in the end.

The situation is very depressing and would qualify for a low rating of the country in Cyber Security Index or Human Rights Index.

Now more frauds are getting reported from the new generation banking systems and RBI is not even bothered to collect the right statistics nor to force the Banks to implement the RBI guidelines either on Cyber Insurance or on Information Security.

Mr Arun Jaitley as FM as well as Mr Raghuram Rajan as Gov, RBI do not seem to have any appreciation for the plight of the E-Banking customers and are busy with inflation control, fiscal deficit control, re-capitalization of Banks to meet Basel III norms, re-engineering the NPA figures etc. Both of them are unmindful of the possibility that once the frauds cross a critical level, Bank customers would shun E Banking and start using cash once again as the medium of exchange. There could be a run on the Banks and the Indian Banking system may collapse.

Yesterday I was having a discussion with Ms Melissa Hathaway the Cyber Security expert in USA who has worked under both presidents George Bush and Obama and found out that she does not trust E Banking and prefers not to use it. On the other hand in India our regulators who do not even understand the risk of E Banking neither try to correct the system nor leave it to the discretion of the public to use E Banking or stay outside. The Government by policy imposes on the public the mandatory use of E Banking for Tax Payment, Direct Benefit Transfers etc and literally throws the citizens into the cyber criminals' laps.

I have already brought to the notice of Mr Modi that if he does not introduce Cyber Insurance to protect the users of E-Banking/E-Governance, the Digital India program is under threat and may come down like a pack of cards one day. I am still waiting for him to read and understand the import of what I am saying.

I also draw the attention of these politicians and regulators to the enclosed video which covers a recent debit card fraud scam busted (partially) in Bangalore. In particular I want them to see how people are feeling that “Plastic cards are not safe” which is an indictment of the system of E Banking.

It gives them some idea of how rampant Bank frauds are and why the statistics of RBI on Bank frauds are completely unreliable and why RBI and even the Government schemes may be more handy for Cyber Criminals rather than the public.

See the video here

I hope Mr Bothra’s article appearing prominently in Indian Express of 1st October 2015 will open the eyes of Mr Modi despite his busy schedule in Bihar.




Are We Cyber Ready?.. Melissa Hathaway Shares her concerns

Melissa Hathaway, the Cyber Security expert from US was in Bangalore recently and addressed members of DSCI Bangalore Chapter at NLSIU on 1st October 2015. Melissa was until recently working with US President Obama and was tipped to be appointed as the “Cyber Czar”. She also worked as Director of the Joint Inter agency Cyber Task Force during President George Bush's time and brings with her enormous US and International experience in management of Cyber Security at the Government level. She however left the US Government post and is now working as an independent Cyber Security Consultant.

During her presentation, Ms Melissa traced in detail how in the emerging Digital World, people are connected amongst themselves and with machines and machines themselves are connected with other machines, people and machines are connected with the house and the environment etc. and the security issues emerging therefrom.

Speaking on the privacy issues, she raised a pertinent point that the risk to individual privacy from private sector enterprises such as Google is much more than from the Government agencies.

While hinting that National Security should get the priority in designing the IT infrastructure, she raised a question on whether all the connectivity we are thinking of in the IOT concept is at all necessary.

Another important point she made is to question the manufacturers of appliances on whether the electro mechanical engineers who design the new systems and freely put in IP devices to monitor the activity of the machine understand the “Risks” inherent in such connectivity.

She concluded her interesting and authoritative presentation with a very pertinent question which was not specific to India but was nevertheless relevant. The question was “Are we Cyber Ready”?

The talk was followed by a Q&A session in which as usual solutions were discussed in the form of how to build awareness among the masses on Cyber Risks, what should be the responsibility of the Telecom companies, whether the legal system is resilient, whether our law enforcement had the requisite knowledge, etc.

The undersigned left a question with Ms Melissa and the audience that while creating awareness of Citizens, Police and Corporate officials is feasible, the biggest challenge was to create awareness in Judiciary and Top level Bureaucrats because they insulate themselves from attending any training sessions. She agreed that it was a challenge and it does exist in other countries also and strategies need to be found to bridge this lacuna.

Overall, it was a fruitful discussion and the audience felt that it opened new thoughts on security in the context of India entering the Digital India program.


Related Info:

Cyber Readiness index 1.0

Cyber Readiness index 2.0

Cyber Security indices-ITU
