Beware of CIBIL Report Fraud

I would like to bring to the notice of the public a fraudulent e-mail that is being sent in the name of CIBIL.

The copy of the email is reproduced below:



Normally the CIBIL Transunion score is expressed as a three-digit number and not as a single digit such as 8.3.

On verification of the header information, it is found that the e-mail has emanated from Return path is :>

The IP address from which the mail has been sent appears to be

The public are requested not to respond to this fraudulent e-mail.

At the same time, I hereby give notice to CIBIL that they have now been informed of an attempt by somebody to cheat the public in their name, and if they do not take suitable steps to prevent such misuse of CIBIL’s name, they will be considered as “Negligent” and as providing indirect “Assistance” to fraudsters.

I request the Police anywhere in India also to take cognizance and issue notices to the concerned web hosting service providers as well as CIBIL to ensure that this fraud is stopped immediately.



Digi Locker Beta Release

The Government has opened the beta version of the Digital Locker operated by CDAC and UIDAI, which provides 10MB of free storage space for every Aadhaar number holder. It envisages that members can upload their ID documents and share them with other Government agencies if required.

The service is available at It can also be accessed through and

The site carries a digital certificate from an Indian Certifying Authority, unlike many other web sites which are using certificates issued by Verisign, which is not licensed in India. However, it is surprising to note that instead of using a digital certificate issued by the Government-owned NIC, the site uses a certificate from (n)code solutions, which is a private sector certifying authority. Also, some of the practices used by (n)code solutions for issue of digital certificates to the public are not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.

At the time of account creation and for certain other operations, the site uses OTP as a verification mechanism. It appears that an “e-sign” procedure is envisaged for users to individually authenticate the documents. But this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.

The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.

While the concept of making available a free digital document storing place is welcome, it is necessary to note that the site falls short in the implementation of ITA 2008 compliance measures.

The website is silent on the issue of storage of information, and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediate previous post about the data breach in Anthem Inc, USA and the consequences. We are already aware that the Aadhaar database has been compromised in parts many times and lakhs of Aadhaar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS as well as countries like China who are preparing for Cyber space domination.

The Government of India may be unaware of the risks that it is undertaking in this project, and the Modi Government should be prepared for a huge embarrassment at some time in future.

Employers should also be ready for completely faked employee IDs with fake marks cards etc., which may completely compromise their background verification systems. This can enable more Mehdis to find employment in critical sectors and compromise the national security interests.

We hope the authorities will take a deep breath and review the security of the system before proceeding further.



I call for an “All India Cyber Law Awareness Movement”

In another regrettable incident, a talented young person from Patna who was earlier praised by none other than Dr Abdul Kalam for his technical skills has been arrested now for a criminal activity.

The 25-year-old tech genius by name Shivendu Madhav from Bihar had reportedly earlier developed and demonstrated a search engine like Google to Dr Kalam in one of the exhibitions and received accolades. He had also sold one of his technical blogs to a US professor for Rs 4.5 lakhs. He was therefore neither short of money nor of recognition and future career prospects. Yet he decided to use his talents to develop a fake railway recruitment portal and duped lakhs of jobless youths, promising them jobs via RRB Bhopal.

Refer Article in TOI

The youth has since been arrested and some of his accomplices are now being traced. Law will take its course and probably this young genius will be punished. As a routine we can also congratulate the police team and appreciate their work.

However, as information security professionals we need to sit back and reflect on why such things happen. I am reminded of an earlier case where a youth was arrested in Bangalore for ATM frauds and it was found that he had a very lucrative employment. It appears that the traditional behavioral science theories are being overturned in the current generation, where “Negative Motivation” influenced by unrealistic material expectations in the society overrides the traditional motivators such as “Security”, “Reasonable Money” and “Recognition”. People seem to be greedy for more and more money and are willing to risk their future for immediate gains.

This indicates

a) Lack of Ethical training in our IT education.

b) Lack of fear of the law.

I therefore call upon the Ministry of Information Technology to initiate an all India program of “Creating an Ethical IT Work Force” as a part of the Cyber Security initiative. Such a program requires Cyber Law Education and Awareness of the consequences of violation of Cyber Laws right from the XI standard, when Computer science knowledge gets imparted to our students. We may call this “Cyber Ethics Education”.

Mr Modi has embarked on a “Clean India” program in memory of Mahatma Gandhi from today. I suppose what Mr Ravi Shankar Prasad has to initiate is a “Cyber Law Compliant Mindset Development Program”.

As regular followers of this site are aware, the undersigned has been pursuing “Karnataka Cyber Law Awareness Movement” or “saibar kanUnu PrajnaaMdOLana” (ಸೈಬರ್ ಕಾನೂನು ಪ್ರಜ್ಞಾಂದೋಳನ) and done several programs across Karnataka in the last decade. During the days when Mr H.K.Patil was the law minister of the state under S.M.Krishna’s regime as CM, the undersigned had also discussed several such initiatives with the then Karnataka Government authorities. KLE Society of educational institutions had provided support for the initiative in a big way. But over the years the interest appears to have waned as agencies other than Naavi’s initiatives failed to sustain the movement and Naavi’s initiatives could not sustain on their own due to lack of resources.

In fact, one of the activities that these initiatives highlighted was the celebration of October 17 as the “Digital Society Day” to commemorate the notification of ITA 2000. This year this could be a day which Mr Ravi Shankar Prasad should consider to promote some positive action in improving the Cyber Law Awareness in the country. “Bangalore Cyber Security Summits” conducted in Bangalore during the days when Mr Ashok Manoli was the IT Secretary were also part of such an effort with the participation of the local Government. They need to be revived.

Unfortunately over the next few years the movement withered out and slowly Karnataka lost the momentum it had gained as a “Cyber Law Capital of India”.

The current incident reminds me once again that the concept of “Cyber law Awareness Movement” retains its relevance and needs to be pursued. IIIT Law (International Institute of Information Technology Law), a trust based in Bangalore, Cyber Society of India (CySi) in Chennai are two surviving institutions co-promoted by the undersigned in the past to address the work related to Cyber Law Awareness in the community. Of these CySi is active and doing some good work in Chennai. IIIT Law has lost steam and efforts are being made to pull it back on rails.

I call upon the Karnataka Government as well as private educational institutions and other related bodies with necessary resources to take up the cause of rebuilding the Karnataka Cyber Law Awareness Movement and also extend it as an “All India Cyber Law Awareness Movement” (AICLAM).

A movement of this type is an essential part of “Cyber Security”, which Mr Modi stressed during his UN General Assembly address recently, and therefore meets the objectives set forth by the current Government at the center.

Will Mr Ravi Shankar Prasad, the IT Minister in Delhi, and the PMO consider this?


(I invite suggestions from the public in this regard. Please also spread this message widely.)


Cyber War Risk with China is evident

Despite the recent visit of the Chinese premier to India and the pledging of the possible investment of US$20 billion, the utterances of the Chinese prime minister after his return to China, asking his troops to be ready for a “Regional War”, are a matter to be taken note of.

China has always been an unreliable nation and cannot be trusted for business relations. China is the leader in Cyber Warfare and using their technologies for our bullet trains and smart cities is an open invitation to disaster if and when there is a cyber war between India and China.

It is good for Mr Modi to keep China at arm's length in the field of technology and ensure that India tries to develop its capabilities in the technology era with the assistance of Japan and USA.

Indian companies doing business with China should also be careful not to transfer any critical technology to China, in the long-term interest of our country.



First Steps in Cyber Crime Insurance

Recently, interest in Cyber Crime Insurance has been on the rise in India. According to a recent report in Business Standard, the premia for such policies are around 0.5% to 1.5%.

It is, however, important for the insured to consider what the exclusions in the policy are and whether there is clarity on the valuation of the insurable assets at the time of purchase and on the valuation of claims.

According to the above BS report, “distribution of unsolicited email”, “wire tapping”, “eavesdropping”, “fraudulent acts” and “failure to maintain standard computer security” are some of the major exclusions.

Out of the above exclusions, the failure to maintain standard computer security is understandable. However, what is “Standard computer Security” is debatable.

Also, it is not understandable how “eavesdropping”, “Fraudulent acts” etc. can be excluded. If these are true, insurance companies must be considering more of “Loss due to technical failures” rather than “Loss arising out of Cyber Crimes”.

Technical failures may lead to loss of data. However in most of the cases where a claim is to be preferred there will always be a human hand, malicious or otherwise. Hence “Fraud” cannot be eliminated from the risks. Hence if “Frauds” are excluded, there is insufficient coverage. Also if the coverage does not cover “Liabilities” arising out of the security breach, it is not beneficial to the insured.

The question of “Standards” is always dicey. At present in India the law requires “Reasonable Security Practice”, which is often not interpreted properly by the companies. Hence what constitutes “Failure to meet Security Standards” is always a debatable issue. While many may be able to produce a certificate such as an ISO audit or PCIDSS audit, these do not constitute indisputable standards under the “Reasonable Security Practice” under ITA 2000/8.

It would be interesting to see how insurance companies define such exclusions. Unless some data is built up over time on the claim settlements of different companies, it is difficult to evaluate which policy is better for a prospective insurance seeker.

As regards valuation, in a liability insurance, the value of the asset has to be based on the value of “Information” rather than the value of the hardware and software. Hence in companies where “Data Loss” is the prime criterion, the “Data” needs to be valued. Whether this will be based on acquisition cost, replacement value or liability potential is a matter to be discussed. Normally the acquisition cost of data is relatively low while the liability potential is high. The insurance premium would therefore be on the lower value but the claims would be on the higher value.

According to one of the recent security reports, in case of data breaches the biggest loss comes out of the “Reputation Loss”. Whether it is possible, at the time of insurance, to add the “Value of Reputation” as part of the assets to determine the premium is therefore a valid point for discussion.

Probably the role of insurance brokers is therefore very critical at the current juncture, since they need to ensure a fair coverage for the clients at affordable premia.

We need to watch out the performance of such insurance brokers. calls upon insurance seekers to share their experience with insurance companies and insurance brokers so that we can evaluate their performance from time to time.



Cyber Crime Insurance industry is waking up

Several years after Indian industry started demanding Cyber Crime Insurance, insurers appear to have realized that there is a potential business here worth exploring. (See article here). In our earlier article we had highlighted that after the recent Gmail hacking report, the interest seems to have got a boost.

While three companies namely HDFC ERGO, TATA AIG and ICICI Lombard appear to have started writing insurance policies, it appears that they are still in the process of writing customized policies for specific large clients. They may be banking more on their relationship with the existing customers in other products rather than developing an exclusive product for the “Cyber Crime Risk”.

The premia talked about in the media also appear to be unrealistically high and indicate that the insurance agencies are yet to get a grip on the risks and the actuarial evaluation.

In order that the industry picks up such insurance products, it is necessary that the products be affordable and also promise quick settlement of claims.

At present we do not have any experience as to the settlement of claims, and therefore we need to await further developments to understand how the industry is set to progress in the coming days.

