Full name:
Vijayashankar Na
Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He has now been focusing on projects such as Secure Digital India and Cyber Insurance.

Posts by Vijayashankar Na

This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

The credit card fraud reported in the media today, involving the use of 580 fake cards created by fraudsters and resulting in withdrawals of Rs 2.84 crores from Kotak Mahindra Bank, is a lesson to all those men in Judicial positions who have always been difficult to convince that Banks can fail in their security procedures.

The details of the case are available here

Fortunately, in this fraud, no customer is involved. The fraudsters obtained the details of “yet to be used” credit card numbers assigned to Kotak Mahindra Bank by Master Card, created card accounts in fictitious names and encashed the same through online portals.

It is surmised that a security breach at DZ Card India Ltd, Gurgaon could have resulted in the fraud. The possibility of insider involvement in DZ Card or Kotak Bank is not ruled out. But “negligence” and “Failure of Information Security Policy and Procedures” is a certainty. A violation of RBI regulations on how to manage information security with an outsourced agent can also be envisaged. The possibility of negligence by multiple agencies involved in the processing of the card printing and its encashment is not ruled out.

While the Police can follow the available leads and try to resolve the case, I would like to make this a case to be quoted in all Bank fraud litigation hearings where the Banks make statements such as:

“We have international level of information security and no breach can happen at our end. If there has been a fraud, the negligence must be at the customer’s end and hence the loss should be borne by him and him alone.”

I have heard this argument from all the banks against whom I have, directly or indirectly, pursued complaints, some with the Banking Ombudsmen, some with Adjudicators and also before Judges of various courts.

Even in this case, if there is any query, the Bank as well as the Card printing agent will claim that they are “PCI-DSS Compliant” or “ISO 27001 Compliant” and file a one-page document signed by one of the Big4 audit firms or some other firm stating that they have satisfactorily undergone an audit as of a particular date.

Ask them “Are you ITA 2008 Compliant?” and they will perhaps say “What do you mean by it?”

These companies think that technical best practice compliance is better than legal compliance. All of them will learn the hard way that when the bell rings, it is legal compliance that can save them from liabilities and not technical best practice compliance.

The Judicial authority, who may not know the difference between ISO 9001 and ISO 27001 or what PCI-DSS means, is likely to be impressed by the weight of the audit firm’s reputation and ignore any plea by the poor customer that he has no knowledge of how his Credit Card or Debit Card appeared in some ATM or Merchant Establishment’s claim or how his identity could have been stolen.

I therefore urge all such judicial authorities to recognize and start believing that frauds such as Phishing or Credit/Debit/ATM Card or Mobile Banking or Mobile Wallet frauds can occur without any knowledge of the customers.

The subject case proves that such frauds can occur even when cards are not issued at all to any customer. If so, they can also happen on a clone of a card issued to a customer.

If this truth is understood by these Judicial persons, I would be happy that this fraud had a beneficial impact on society.

At the same time, I consider that Kotak Mahindra Bank is one of the better Banks in the pack in terms of Information Security and I hope they did cover themselves with appropriate Cyber Insurance to recover this loss.

WhatsApp Moment in Indian Financial Services

Happy to note that Mr Nandan Nilekani is back at what he is best at, the professional circles, after a brief brush with politics, that too with the Congress party. Naavi has been highly critical of his association with the Congress party, which made him say things such as “Reservation is required in the Private Sector”.

Now that he seems to have donned the corporate suit again, these are happy days for all his admirers. We welcome him and hope he will make his own disruptive impact on the IT ecosystem in the country.

I got to watch two of his talks recently on the topic of Disruption of Financial Services, one at TIE, Bangalore and another at IFMR Trust, Mumbai. He called it a Thought Experiment and it was indeed very thought provoking.

The thoughts which he has seeded in the talk will be discussed and debated in the marketplace, and as an Ex-Banker and a keen watcher of developments in the “Use of Technology in Banking” I will add some of my own thoughts in due course through these columns.

For the time being, I invite the readers to watch the YouTube videos below:

Nandan’s Presentation at TIE :

IFMR Presentation (Same as TIE but better videographed):

Panel Discussion at TIE:

The essence of what Mr Nandan Nilekani discusses is that in 2009 the advent of WhatsApp disrupted the Telecom scenario and changed the way data was consumed on mobile networks. In the same manner, he feels that the advent of Paytm and the like will change the way the Indian Banking system functions in the coming days, and there can be some major upheavals in store.

In the TIE conference, the Paytm and Bankbazaar promoters also add their views and suggest that these developments threaten the traditional Banking system. Obviously this requires some in-depth discussion.

I invite the readers to contribute to this discussion as we go along.

1710 Bank Frauds reported by Police..Does RBI have a count?

Dr Triveni Singh, the Additional Superintendent, Lucknow, is emerging as a “Super Cyber Crime Cop” of the country, having resolved many individual and organized cyber crimes in the areas around Noida and the NCR region of Delhi. Dr Triveni Singh is an exceptionally qualified police official with an MBA and a PhD, as well as CEH and CHFI certifications. He is one of the few Police officers in India who are both qualified and also have many field accomplishments to their credit. Perhaps it looks strange that he belongs to the UP cadre and is not working in Delhi or other major metros leading a National level Cyber Crime Police Force. Such a specialized police force is necessary for the security of Digital India and hopefully Mr Triveni Singh will soon be provided an opportunity to use his skills in a more productive posting.

In solving some of the recent crimes involving Bank Frauds, Mr Triveni Singh has reported that a special task force studied 210 FIRs and 1500 complaints from the residents of Haryana, Rajasthan, Maharashtra, Punjab and Bihar and came to certain interesting conclusions about the behaviour of these gang members. The total value of the frauds involved in these cases was around Rs 80 lakhs.

The police have found that the fraudsters used the proceeds to buy mobile phones and also kept money in mobile wallets. They were able to use the e-commerce merchants and mobile wallet managers as conduits to commit crimes, exposing those intermediaries to the risk of being held liable for the frauds under ITA 2008. These e-commerce and mobile wallet managers are guilty of weak KYC and identity verification systems contributing directly to frauds.

See Report in Times of India

One of the immediate thoughts that occurred to me on reading the report is about Cyber Crime statistics. The report indicates that in the few states mentioned, there were nearly 1700 cases reported involving banks. But it is not clear if these cases get reported as “Bank Frauds” in the RBI’s records. In the absence of proper recognition of the incidence of such crimes, RBI is blind to the risks of e-banking and keeps allowing Banks to introduce more and more technology in Banking without appropriate safeguards.

While it is exciting to hear about innovative banking practices such as social media banking, card-less banking etc., there is no accountability for Bankers when it comes to frauds. Now RBI has provided licenses to Small Banks and Payment Banks, which are more technology dependent and therefore more vulnerable to Cyber Crimes.

With every new step in the advancement of technology in Banking, the customers are being driven into higher and higher risk situations.

Banks continue to evade any liability for frauds, and RBI’s ombudsmen collude with Bankers and refuse relief to Customers in ATM card, Credit Card and Mobile frauds. The supervision of RBI over information security in Banks is inadequate, and Banks work with more risks than they can afford.

To top it all, Banks, which were mandated by none other than RBI itself, through its Internet Banking Guidelines of June 2001, to obtain Cyber Insurance against such frauds and ensure that customers do not suffer losses, refuse to take such cover even today, 15 years later.

If RBI were serious about customer safety, it should have ensured by this time that all Banks had a suitable Cyber Insurance cover, rather than bullying customers into bearing the cyber fraud losses. Without such insurance cover for their customers, no new Bank should have been licensed. But despite representations to this effect, RBI did not take any action and let new Banks be licensed with more risks than the existing Banks.

I wish Dr Triveni Singh would book a few Bank officials for their negligence in maintaining proper information security in their systems, causing losses to the customers. We are aware that under ITA 2008, vicarious liability accrues to a Bank for negligence which causes identity theft and unauthorized access.

In fact, one of the largest phishing frauds in India occurred in PNB, Noida, where a customer lost Rs 1.64 crores. The case is lingering in the National Consumer Forum and, despite atrocious negligence in “Banking Service” displayed by the Bank, justice has been delayed for more than 7 years. Around this time in 2008 a series of frauds occurred in PNB, and if Dr Triveni Singh studies all such frauds, it will be clear that PNB had put all its customers at a huge level of risk entirely by its own ineptitude. While the victims of these cyber crimes have been suffering for the last 7 years, the then Chairman went on to become IBA Chairman and enjoy the fruits of his office, built over the losses of the customers of PNB. I am not sure if there is any mechanism in RBI to monitor such matters, which are simply reported by the Banks as “Under litigation”. RBI should study the impact of such unresolved frauds on the trust and confidence that people have in Banks and the danger of a backlash from customers.

I wish that at least now RBI assumes accountability for safe e-banking and ensures that the future of Digital India is not endangered.

Voluntary Special Interest Group on Secure Digital India (VSIG-SDI)

Regular visitors of this site will remember the article “If NAMO is the CEO of Digital India, who is the CISO?”

This thought is still ringing in the minds of many of us who are wholeheartedly supporting the Digital India project but frequently expressing adverse comments on many policy initiatives of the Department of Electronics and Information Technology (DeitY).

A few days back, a group of Information Security Professionals in a WhatsApp group came together with the thought that the Government of India is going ahead with its Digital India project without an appropriate Information Security backup, and that we need to do something to contribute our thoughts on how to change things for the better.

With this idea, the group decided to promote what can be called a “Voluntary Special Interest Group on Secure Digital India” and start deliberating on how to progress further.

In order to collaborate with the persons of similar interest, a Facebook page was opened at

As a thought starter, I had prepared a PPT on the initial thoughts and shared it with the members of the group. Now I find that I am getting requests from many for this PPT, which only describes the proposed activities of this group. We are yet to come up with any documents containing suggestions which can be shared with the public. We hope to do the same in due course.

However, since it is difficult to handle individual requests for sharing the document, I am placing the current version of the document on this website.

The document is available here

I welcome comments. Comments can be posted as visitor’s comments on the Facebook page or here on this website. You can also communicate with Naavi by email.

I also welcome any detailed white papers that can be published here and that would further the objective of the group. This SIG and its activities are a voluntary effort of a virtual group of IS Experts who, we believe, may be able to collectively provide useful recommendations to the DeitY. The success of the idea is in your hands. Participate in full.

Cyber Insurance and Data Breach Liability

In the US it is stated that 46 of the 50 states have made Data Breach Notification mandatory. As a result, when a data breach event occurs the company needs to conduct an in-house audit and then send out notifications to all its customers who are likely to have been affected by the breach.

The cost of such notification itself is huge, since in most cases the number of records lost runs to millions.

This data breach notification requirement is recognized as one of the key drivers of the Cyber Insurance industry in the US, since the cost of data breach notification is a clear cash outgo for the company to be incurred almost immediately after a data breach comes to its knowledge.

Related Article in

In India, many companies are ignorant about whether there is any data breach notification obligation. Presently, under Section 79 of ITA 2008, data breach incidents need to be reported to CERT-In, though this is rarely observed and CERT-In

There is, however, still no specific obligation to notify the customers, unless this is introduced as a part of the Section 79 notification on due diligence.

Recently the Indian Press reported that two companies in Mumbai suffered extortion threats after some hackers threatened to reveal some illegal activities of the companies. This was also an incident of security breach in the company, though we do not know if any customer information was involved in the breach.

But the public does not know if this was reported to CERT-In. In fact, the Press has been helping the companies to keep their identity under wraps, which also means the crime is kept under wraps.

Sooner or later the situation will change and data breach notification will become mandatory in India. Companies therefore need to be prepared for meeting the liabilities, both in terms of the costs involved in setting things right and notifying parties, and in meeting third party liability claims.

It is time they start asking themselves where they stand in this respect, since some of these companies are also filing declarations under Clause 49 of the SEBI listing rules, which is similar to the SOX guidelines.


Related Article:
Protect Bank Consumers from Frauds or be prepared for disaster..A warning to BJP Government

Naavi has been arguing for a long time that Banks are vicariously liable for Cyber Crimes in which customers lose money. It is under this argument that in the S.Umashankar Vs ICICI Bank case, the adjudicator of Tamil Nadu held the Bank liable. Subsequently, the Mumbai adjudicator came to the same conclusion in several cases.

Now I am glad that more people are echoing the same view. Here is a good article on the subject in the Indian Express written by an IPS officer, Mr Arun Bothra. (See article here).

Mr Bothra has rightly argued that in the case of ATM and other Bank frauds, it is the failure of the Bank’s security systems that should be recognized and held responsible.

(Naavi has placed his arguments in detail in many articles on this website, and one can find these articles by searching within the site. Or click here).

However, cyber crime victims who have tried to prove their case in a judicial system have been repeatedly frustrated by the powerful Banks as the following developments indicate.

  1. The Chennai Adjudicator Mr P W C Davidar who held ICICI Bank responsible in several cases was transferred out of the department as soon as Ms Jayalalitha took over as CM. Subsequent adjudicators have not made any moves to hear further cases.
  2. The Mumbai adjudicator who decided many cases against Banks was transferred to Delhi by the current BJP establishment and since then Mumbai adjudication system has gone quiet.
  3. In Bangalore where two cases came up before the Adjudicator, he went a step ahead of the others by declaring that no case can be filed against a Bank under Section 43 of ITA 2000/8 since Bank is a “Company” and the section applies only to a “Person”.
  4. The Cyber Appellate Tribunal, which ought to hear appeals against adjudications, has literally been shut down, since the Government, both in the earlier regime under Kapil Sibal and the present regime under R S. Prasad, has been unwilling to appoint a chairperson since 2011.
  5. Karnataka High Court is reluctant to intervene for reasons better known to it.
  6. The IT Ministers, PMs, Presidents and the CJIs in the last several years who have come and gone or are presently in charge have all been contacted by the undersigned and none of them have been able to get the Cyber Appellate Tribunal functional.

All this indicates that there could be a huge conspiracy to deny Cyber crime victims in Banks justice through the system.

Mr Modi and the BJP Government, who are trying to push through the Digital India agenda, are unable to ensure even the presence of a functioning Cyber Judicial System, though we understand that they cannot guarantee justice in the end.

The situation is very depressing and would qualify the country for a low rating in a Cyber Security Index or Human Rights Index.

Now more frauds are getting reported from the new generation banking systems, and RBI is not even bothered to collect the right statistics, nor to force the Banks to implement the RBI guidelines either on Cyber Insurance or on Information Security.

Mr Arun Jaitley as FM as well as Mr Raghuram Rajan as Governor, RBI do not seem to have any appreciation of the plight of E-Banking customers and are busy with inflation control, fiscal deficit control, re-capitalization of Banks to meet Basel III norms, re-engineering the NPA figures etc. Both of them are unmindful of the possibility that once the frauds cross a critical level, Bank customers would shun E-Banking and start using cash once again as the medium of exchange. There could be a run on the Banks and the Indian Banking system may collapse.

Yesterday I was having a discussion with Ms Melissa Hathaway, the Cyber Security expert in the USA who has worked under both presidents George Bush and Obama, and found out that she does not trust E-Banking and prefers not to use it. On the other hand, in India our regulators, who do not even understand the risk of E-Banking, neither try to correct the system nor leave it to the discretion of the public to use E-Banking or stay outside. The Government by policy compels the public to mandatorily use E-Banking for Tax Payment, Direct Benefit Transfers etc. and literally throws the citizens into the laps of cyber criminals.

I have already brought to the notice of Mr Modi that if he does not introduce Cyber Insurance to protect the users of E-Banking/E-Governance, the Digital India program is under threat and may come down like a pack of cards one day. I am still waiting for him to read and understand the import of what I am saying.

I also draw the attention of these politicians and regulators to the enclosed video, which covers a recent debit card fraud scam busted (partially) in Bangalore. In particular, I want them to see how people are feeling that “Plastic cards are not safe”, which is an indictment of the system of E-Banking.

It gives them some idea of how rampant Bank frauds are, why the statistics of RBI on Bank frauds are completely unreliable, and why RBI and even the Government schemes may be more handy for Cyber Criminals than for the public.

See the video here

I hope Mr Bothra’s article, appearing prominently in the Indian Express of 1st October 2015, will open the eyes of Mr Modi despite his busy schedule in Bihar.
