Payment authentication through missed calls?

A new system of online payment authentication through “missed Calls” has been launched by a company in India and is being suggested as a system of Two Factor Authentication which is better than the OTP system now being used.

According to NetCore the company which is proposing this service, “Spoofing of number” in an SMS system is easy but not in the missed call system.

See details here

However security experts don’t agree with the view of the company that the system is anymore secure than the OTP system. They point out that with services such as Skype calls, it is easy to send a missed call without access to the Telco network. The claim of the company therefore appears to be incorrect.

It is also to be reiterated that there is no legal support for authentication of an electronic transaction in India except with some form of digital/electronic signature. Any other method is “Ultra-Vires” the law and requires a binding from the service provider that the loss arising out of the failure of the authentication has to be borne by the concerned service provider such as the Bank. Any marketing suppressing this fact in the disclosure would amount to a fraud.

Naavi

Share Button
Print Friendly

Mobile Apps Company fined $800,000

The Federal Trade Commission (FTC) of USA has fined a two year old Mobile Apps manufacturing company “Path” a sum of US$ 800,000 for violating the privacy of US Citizens. In particular the Social Networking Apps manufacturer was charged with violating the privacy of children since it collected personal information on underage users including any person in the user’s address book.

The incident is a serious notice to all mobile apps manufacturers to offer a strict “opt out” option by default and a proper check on the identification of children.

Identifying whether a person is an adult or a minor is a huge challenge and companies need expert advise from appropriate Privacy Consultants to steer clear of the risks indicated by the above incident.

Related Report

Naavi

Share Button
Print Friendly

Mobile Apps.. Guidelines on Privacy

California Department of Justice has released a set of guidelines for Mobile Apps developers which act as “privacy Practice Recommendations”. The practices recommended here are expected to help in the compliance of the California Online privacy protection Act (COPPA) Being perhaps the first of such codes, this is a useful document to be adopted by all mobile apps developers as well as other stakeholders such as app platform providers, mobile networks etc.

These principles include making an app’s privacy policy available to consumers on app platform, before they download the app. It is stated that major app platform providers such as Amazon, Apple, Google, HP, Microsoft, RIM< and Facebook have agreed to the principles.

Highlights of the recommendations are:

For App Developers

•Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
•Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
•Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
•Use enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers

•Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
• Use the platform to educate users on mobile privacy.

For Mobile Ad Networks

•Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
•Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
•Move away from the use of interchangeable device-specific identifiers and transition to app-speciic or temporary device identifiers.

For Operating System Developers

•Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile Carriers
• Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy

This is a good starting point for a new regime on privacy protection on the mobile platform. Hopefully it would be adopted at the earliest by responsible apps developers and distributors.

Naavi

Copy of Guidelines

Share Button
Print Friendly

Year 2012 in retrospect..from the view point of Cyber Law in India

The Cyber Law scene in India during 2012 was dominated by the discussions of Section 66A. The rules notified under sections 43A and 79 which held center stage in 2011 also continued into 2012. The end of the year however was however completely clouded with the issue of the brutal rape that occurred in Delhi which shook the consciousness of all Indians and pushed everything else into the background.

However let’s briefly review the major developments of 2012 in India from the cyber law perspective looking through the footprints at Naavi.org.

1. Karnataka Reduced to a State with “No Cyber Law”

The year began with the scandolous adjudication verdict from the Karnataka Adjudicator in the complaint of Gujarat PetroSynthese Vs Axis Bank. In a verdict which stirred the consciousness of the numerous victims of Cyber Crimes in the country, the learned Adjudicator Sri M.N.Vidyashankar decided that “No Company Can invoke Section 43 of Information Technology Act 2000 as amended in 2008 (i.e: ITA 2008)? and “No Company can be named as a respondent under Section 43 of ITA 2008″.

The decision was based on the wrong interpretation that the word “Person” used in the section should be restricted to mean only an “Individual” and cannot extend to legal person such as a “Company”. The adjudicator failed to review his decision even when it was brought to his attention that the General Clauses Act clearly defined that a “Company” comes within the meaning of the word “Person”.

This decision though considered incorrect will have limited precedence value until it is reversed by a superior judicial authority.

However since the Cyber Appellate Tribunal (CAT) remained without a Chair person through out the year, the matter is still under appeal in CAT. As a result Karnataka derived a dubious distinction of being a State where there is no remedy for Cyber Crime victims as envisaged under Section 43 of ITA 2008. Since Section 43 also defined provisions of Section 66, the interpretation has virtually made Karnataka a “Cyber Law Less State”.

Though the matter has been brought to the attention of the Chief Ministers, and the Law Minister of the State as well as the Chief Justice of Karnataka, no action has come forth to correct the situation.

Hopefully a PIL which may come for hearing in 2013 in Karnataka High Court may help settle the issue.

For the Netizens of India, the lack of Cyber Judiciary at the national level (CAT) for more than 18 months and abdication of Cyber Judicial authority in Karnataka are matters as grave as the Nirbhaya issue.

2. Un Safe E-Banking in India

In April 2011, the RBI released a very important notification which we refer to as the GGWG notification. This RBI notification of April 29, 2011 on Information Security,Electronic Banking, Technology Risk Management and Cyber Fraud defined a complete Information Security overhaul for Banks meant to safeguard the interests of Bank customers. This was followed later by the Damodaran Committee report which further tried to strengthen the security of E Banking.

However very few Banks implemented the recommendations by the time schedule stated in the RBI circular and some of the major Banks have virtually posed a challenge to the capability of RBI to ensure its own compliance guidelines. During this year and in the following year RBI will be trying to address this issue through its inspections and trying to re-establish its authority on the Indian Banks.

In the meantime new Trojans and viruses specifically targeted at the Banks are being released into the malware market. One of the Security experts in Bangalore who tried to draw the attention of authorities to such viruses was however targeted by some Banks with threats and forced closure of his websites.

There were also several ATM frauds making the life of innocent victims miserable. Banks instead of responding to the interests of the customers went about increasing their risks by introducing mobile banking and enhancing the daily transaction limits on internet transactions without substantial improvements in security.

The current internet banking security is heavily dependent on the OTP system which has already been demonstrated as an inadequate measure of security. We need to therefore keep our fingers crossed that no major calamity falls in the Indian Banking system through new Cyber threats. At present this remains merely a hope and prayer.

Naavi has also placed before the RBI a suggestion for the introduction of the E Banking Security Guarantee Scheme to which RBI may some time in future wake up to.

Naavi continues his fight to ensure safety in E Banking in India through various means and let’s hope 2013 will result in some positive developments in this regard.

3.Section 66A/Internet Censorship

In the very beginning of the year, the blocking of the website of Aseem Trivedi, a cartoonist sparked off a debate on “Internet Censorship” in India. During the year this grew into a massive controversy regarding Section 66A of ITA 2008 finally ending with a PIL in Supreme Court about the constitutional validity of the section 66A.

Subsequently the arrests in Tamil Nadu for a twitter comment on Karti Chidambaram and the arrest of Palghar girls for their FaceBook posting on Bundh in Mumbai raised a hot debate on the misuse of Section 66A by Police.

Now there is a clamour for withdrawal of Secton 66A and a reference to Supreme Court on its validity under Indian Constitution. But Naavi strongly feels that Section 66A was never meant to address “Defamation” and its use to curb freedom of expression is an aberration coming out of misinterpretation of law by the Police either deliberately or through ignorance.

As a possible solution to the menace of Internet censorship, Naavi has suggested the concept of “Regulated Anonymity” which the society needs to consider seriously.

4. Emergence of the Information Assurance Concept

The year 2012 also marked the emergence of the “Information Assurance” concept replacing the “Information Security” Concept as a term to indicate the industry response to the requirements under the growing risks in the IT use. Naavi also identified the need for a change of his Techno Legal Behavioural science based Information Security concept with the more easily expressable “Total Information Assurance Concept”.

Ever since the Government of India summoned the major social networking companies namely Google, Face Book and Yahoo and demanded that they install a pre-publication manual monitoring system for content filtering, there has been considerable discussions about what is right, what is feasible, what is legal etc about the “Due Diligence” required to be exercised by Intermediaries under Section 79 of the ITA 2008. Naavi therefore suggested the following plan of action for Intermediaries to deal with the situation..How Do you React to a Sec 79 Notice if you are an intermediary?

Naavi also suggested a framework to define the “Reasonable Security Practices” envisaged under Section 43A of ITA 2008.

Naavi had already discussed specific Information Security frameworks for compliance of ITA 2008 by different segments such as LPOs and other IT Stakeholders. Keeping in view the international developments, Naavi developed the Information Assurance Framework For Modular Implementation to enable SMEs to gradually attain the desirable information security standards otherwise envisaged under popular frameworks such as ISO 27001 and COBIT.

In the coming days this is likely to establish a practially feasible Information Security approach in India.

5.Miscellaneous

Developments across the world on Information Security continue to focus on increased legislation to meet the ever growing cyber threats. EU is adopting a new Data Protection regime and HITECH act is becoming more stringent with better enforcement. Other countries are also strengthening their laws against privacy violation.

The domain of Information Assurance which incorporates Technical Security, Legal Dimensions and Behavioral Aspects which Naavi has called the “Total Information Assurance” will therefore be in the limelight in the coming year.

It is not possible to end the review of year 2012 in India without a reference to the protests that followed the gruesome rape of a girl in Delhi eventually causing her death. The spontaneous but sustained outburst of peoples’s anger on the failure of the law enforcement system to ensure safety of women in India gripped the attention of the country since December 16th when the incident happened. While the incident will be discussed in other forums dedicated to such discussions, it is important to recognize that after Anna Hazare and Arvin Kejriwal movements, the current protests which some named as “Nirbhaya protest” indicated how the social media can be mobilized to generate support for a cause in the physical world. This is a demonstration of the power of Internet to safeguard democratic traditions.

While this is a matter to be proud off, it is clear that the Government ahs also realized this power and considers it as the greatest threat to their political existence. Hence the iron-hand approach to the suppression of “Freedom of Expression” in the Cyber Space is likely to continue and we may not be surprised if more stringent restrictions are placed on the Internet expressions in India in future. The PIL before the Supreme Court on the constitutional validity of Section 66A therefore assumes a new dimension. Hopefully the Supreme Court will provide clear guidelines for the protection of freedom of Netizens. Naavi wishes that “Freedom of Netizens in India” should be an important election issue in the much awaited 2014 Loksabha elections.

We therefore end our reflections with Hope, Hope and more Hope for a better 2013 because we have no other option left.

Naavi

[P.S: Kindly peruse the archives for more detailed chronicle of Cyber law developments in India in 2012]

Share Button
Print Friendly

Five Year Plan on National Cyber Security Unveiled

In a long pending but welcome move it appears that the GOI has unveiled a Five Year plan on National Cyber Security.

Having recognized the inadequacy of the IND-CERT which is the designated nodal agency for Critical IT infrastructure security under Section 70A of ITA 2008, the Government of India has set up a “National Critical Information Infrastructure Protection Center: (NCIIPC) to coordinate the activities on Cyber Security regarding recognized Critical systems. NIIPC appears to have developed a Five Year Plan for the purpose.

One of the major developments would be setting up of sectoral CERTs probably in sectors such as Energy, Transportation, Banking and Finance, Telecom, Defense, Space, Law Enforcement and Security.

NIIPC will work under NTRO (National Technical Research Organization) and along with the existing Ind-Cert which will handle security in areas not overseen by NIIPC.

In the process NTRO is emerging as the super Nodal Agency for National Cyber Security though ITA 2008 notification still recognizes IND-CERT as the designated nodal agency. This aberration needs to be corrected with an appropriate notification under ITA 2008.

More Info:

Naavi

Share Button
Print Friendly

FIR Filed Against Airtel CMD

Dec 12: Naavi has long been complaining that Airtel is practicing unethical practices for over charging its customers including placement of fraudulent transactions in the customer’s mobile and data usage accounts which amount to offences under ITA 2008. It is therefore no surprise to learn that an FIR has been filed against Airtel for extortion and threatening of one of the clients in Bangalore who has been allegedly wrongly billed for Rs 50000/-. Report

 

PLEASE NOTE:

This website has been in existence since 1998.  

Older posts before the site switched to word press are available through the link at the top and here below.

OLD POSTS

Share Button
Print Friendly