Lessons from China to Indian Bankers and RBI

China Banking Regulations Commission (CBRC) has notified guidelines to the Banking industry to use “Secure and Controllable Technology” to strengthen the Internet based Banking system. This guideline has the potential to bring significant changes to the IT industry in China and also the vendors from outside China.

According to the guideline, it would be mandatory for Banks in China to use “Secure and Controllable” IT products at a minimum rate of 15% increase each year and to reach 75% by 2019. The criteria for determining the status of a product as “Secure and Controllable” have been detailed in the guideline and include the following:

1. IT Vendors are required to establish their own R&D service centers in China.

2. Source code should be filed with CBRC.

3. Risk in the product supply chain should be controllable (in other words, there could be a need for more local production across the entire supply chain).

4. The IP rights in respect of certain products could be subordinated to the local requirements (in other words, provisions similar to compulsory licensing may be used).

As a result of these regulations, the following will become necessary:

1. Supplier/Service Contracts will have to incorporate the necessary compliance clauses.

2. Banks will have to deploy 5% of their R&D budget on deployment of Secure and Controllable IT products.

3. Banks need to subject themselves to an annual audit by CBRC to determine compliance.

As a result of these changes, Indian IT companies having operations in China with exposure to the Banking industry need to be prepared for a compliance-related modification of their business contracts. If they fail to adapt, the supply contracts may be terminated.

I think RBI needs to pick up a few lessons from these guidelines since they have mindlessly allowed domination of Chinese products in the Indian Banking industry exposing the country to a great disadvantage in the event of a Cyber War. Banks should also understand that there is national interest beyond the need to increase their bottom line.

We remember that during the UPA regime, a Security Certification Center was established under the guidance of IISc Bangalore to test IT products, from China in particular, which were suspected to have OEM back doors, but it was actually sponsored by Huawei!

I hope the National Cyber Security team in India takes note of these developments and initiates appropriate actions.

REFER:

China Banking IT Regulation Tightened Up

China Issues new CBRC guidelines

CBRC issues clarifications

CBRC makes life difficult for MNC vendors

Naavi


Will Axis Bank Explain?

Naavi.org recently was informed of a bizarre instance involving Axis bank and ATM transactions. This incident is a matter of serious concern to all Axis Bank customers and hence we would like to bring this to the notice of all including Reserve Bank of India.

I am reproducing verbatim a comment posted by one Mr Sharad Updhyay about his experience in an ATM in Gurgaon on one of our earlier articles titled “Axis Bank ATM license should be cancelled by RBI”.

“Recently I tried withdrawing Rs. 2000 using my IDBI Debit card from an AXIS BANK ATM based at Sahara Mall, Gurgaon. The ATM asked me if I want a receipt for the transaction. I opted yes, and the transaction was automatically aborted. Wondering what happened to the ATM, I tried again and again (with option “Yes” for transaction receipt) – a total of 5 times, but encountered the same problem every time.

Meanwhile I noticed that another person who opted “No” for printed receipt was able to withdraw money from the same machine. I followed him – went ahead for withdrawal without transaction receipt, and this time machine dispensed the desired amount i.e. Rs. 2000.

Next day I noticed that my IDBI account was debited twice: first for a sum of Rs. 10000, and once again for Rs. 2000 (which I actually withdrew there). I was wondering what made the ATM cause a debit of Rs. 10000 in a single go – while I never entered this amount at ATM console.

I raised an official complaint with my bank (IDBI), and they escalated the case on my behalf with Axis Bank, however, Axis Bank rejected my claim – stating that their ATM balancing reports, switch files, and other transaction logs show that Rs. 10000 transaction was carried out successfully, and they do not owe me anything.

At this stage my bank, i.e. IDBI, has been helpless, and I’m just wondering to whom to report this fraudster in order to get my money back. It appears that something fishy is going on there in Axis Bank ATMs with the help of CMS (the agency which replenishes cash in ATMs) and the Axis Bank staff itself. How is it possible that there was no surplus sum recovered from the ATM for my failed transactions, and how is it possible that an ATM automatically converts 5 subsequent transactions of Rs. 2000 each into a single transaction of Rs. 10000?

Please let me know what can be done in this case, and how can I get my money back. Also, isn’t there any authority to punish the bank owning such malicious ATMs and ripping off the customers like this?”

The first comment I would like to make on this incident is that there is apparent fraudulent mismanagement by Axis Bank. It is clear that the ATM has been deliberately tweaked to ensure that fraudulent transactions do not come to the notice of the customer when he is withdrawing the amount.

The responsibility for this fraud lies squarely on the management of Axis Bank all the way up to the Chair person.

The reported incident is a report of possible hacking of a critical computer resource belonging to the Banking system. It represents a cognizable offence under ITA 2008. Mumbai police, who closely monitor even Facebook “likes” and go to the extent of arresting persons, must be considered as being aware of the occurrence of this crime. They should therefore take suo motu action and register a Cyber Crime under Section 66 of ITA 2008, naming unknown Axis Bank employees as suspects. They should also investigate “Negligence” by the Axis Bank ATM division and the Chairperson for not taking adequate information security measures to protect the ATM transactions.

The Reserve Bank of India should at the same time initiate its own investigation and take penal action against the officials of the Bank.

Now coming back to the customer and what he can do.

1. Normally, money fraudulently debited to the account should have been reversed immediately on filing of a complaint with the Bank.

2. IDBI Bank cannot absolve itself of its responsibility since it has used Axis Bank as its agent and hence is responsible for its client’s loss.

3. The customer need not go to the Banking Ombudsman since that is a sham run by RBI; most Ombudsmen are biased in favour of the banks and simply reject the claim, with a further proviso that you cannot appeal to RBI.

RBI is aware that the scheme is a sham and yet has not shown any interest in correcting the same. This is not a reflection on the Banking Ombudsman in Mumbai but a general reflection on the scheme and how it is run.

If possible, I advise the customer to personally meet Mr Raghuram Rajan, the Governor of RBI, and check why he is not considering himself responsible for running a secure banking system.

4. The customer is fortunate to be in Mumbai where the IT Secretary is one Mr Rajesh Aggarwal. He is also the “Adjudicator” under ITA 2008. For any financial loss arising due to contravention of any of the provisions of ITA 2008, in Mumbai, he is the sole authority having judicial powers to conduct an enquiry and award compensation.

I advise the customer to make an adjudication complaint to him immediately. If he remains in office for some more time, he will definitely give him justice.

However, since Maharashtra is likely to have a change of Government soon and it is customary to shuffle secretaries when a new Government comes in, it is possible that this great officer, who is upholding justice under ITA 2008 like no other IT Secretary in India, may be shifted out. Hence the customer should at least get his complaint registered before any such change occurs.

5. It would also be better if a complaint is filed with the Commissioner of Police, Mumbai against the officials of IDBI Bank and Axis Bank for running a fraudulent ATM system and causing loss to the customer. The customer should not fall into the trap of filing the complaint against the unknown fraudster who might have drawn the money. That person will never be traced since IDBI Bank is unlikely to have maintained the CCTV footage or other evidence that may be required for this purpose. Police and Banks will try to hold that only that unknown person is responsible and nobody in the Bank is responsible. This is a way of driving the complaint to a dead end. For the customer it is always a transaction with the Bank, and hence he should hold the Bank alone responsible.

The Police complaint should also mention that RBI has been negligent in enforcing ATM security and is also responsible for pushing customers to such frauds.

If necessary, the customer may take the assistance of a Consumer activist to pursue the complaint.

It may appear that the money lost may not be substantial and hence may not be worth the trouble of complaining. It is this attitude of most of us that emboldens criminals to resort to this type of small-ticket fraud, which we refer to as “Salami” attacks. It is our duty to bring this to public knowledge and wake up regulators like RBI to remind them of their responsibilities.

In the meantime, I demand that Axis Bank makes an official statement about this incident.

Naavi


Technology used to strangle Bank Customers

Reserve Bank of India is slowly losing focus on the customer service aspects of Banking. Acceding to a request from the Indian Banks’ Association, RBI has imposed an ATM transaction limit of 3 withdrawals per month, after which the customer would be charged Rs 20 per transaction. (Refer report)

Many of the Banks have already imposed a limit on direct withdrawals at the Bank counters and are charging fees for withdrawing cash at the counters. With the current notification, customers are made to pay whether they withdraw cash at the counters or at the ATM. It appears that RBI wants customers to move back into the cash economy and withdraw all their monthly requirements in one go.

When technology was introduced in Banking, customers were promised better services at lower costs. However, over the years Banking transaction costs have only been on the increase, and at a pace higher than inflation. I would be happy if IBA released data on the “Weighted Average Banking Transaction Cost” in India so that we could check how it has been increasing year after year, say from 1980, when technology at higher levels was brought into the system.

While the Government will start subsidizing the costs to select sections of privileged sectors for political reasons, other ordinary “Neglected Class of Bank Customers” will end up paying more than proportionate costs for the Banking services they may avail or even not avail.

Will the RBI Governor Mr Raghuram Rajan respond?

Naavi


RBI limits Customer’s Loss on Phishing

In an excellent but long-awaited move, RBI has directed Banks that the liability of customers on “Phishing” losses should be limited to Rs 10000/-.

See Report

The new banking service code of the Banking Codes and Standards Board of India (BCSBI) says that for any unauthorised internet banking transaction, the customer’s liability is limited to Rs 10000, irrespective of the funds moved out of the account. An unauthorised transaction is one that doesn’t have the express and implied approval of the account holder.

According to the code, “If a third party manages to get hold of the user ID or password in an unauthorised manner and any debit takes place and which he notifies the bank, the maximum loss will be Rs 10,000.” Also, the code says that customers will not be liable for any loss due to unauthorised fund transfers taking place before they receive the password for internet banking transactions.

Further, the onus will be on the banks to establish that customers have compromised the secrecy of their password.

In some instances, the liability could be lower than Rs 10,000. The new code says that in the event of any unauthorised transaction, the liability would be the lowest of the following: the actual loss at the time of notifying the bank; the limit set for such transactions; the balance available for withdrawal; a maximum of Rs 10,000.

For instance, if a customer has a balance of Rs 5,000 but the fraudster transfers Rs 25,000 by taking a temporary overdraft, the loss would be limited to the minimum balance of Rs 5,000 in the account.
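The liability rule above, worked through as an added example (not code from the page or from BCSBI): it takes the customer's unauthorised debits, the time the bank was notified, the available balance and the optional limit set for such transactions, and returns the lowest of the four figures. It assumes the “limit set for such transactions” is a single rupee ceiling the customer had set for internet transfers, and treats debits made before the customer received the internet banking password as carrying no liability, as the code quoted above says. Timestamps and amounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Cap stated in the BCSBI code quoted above.
MAX_LIABILITY_INR = 10_000


@dataclass
class Debit:
    """One unauthorised debit on the account. `when` is an ISO-8601 timestamp."""
    when: str
    amount: int


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


def customer_liability(
    debits: List[Debit],
    notified_at: str,
    balance_available: int,
    txn_limit: Optional[int] = None,          # assumption: customer's own transfer ceiling
    password_received_at: Optional[str] = None,
) -> int:
    """Customer's share of the loss: the lowest of the actual loss at the time of
    notifying the bank, the limit set for such transactions, the balance
    available for withdrawal, and Rs 10,000."""
    # Debits made before the customer received the internet banking password
    # carry no liability at all.
    if password_received_at is not None:
        cutoff = _ts(password_received_at)
        debits = [d for d in debits if _ts(d.when) >= cutoff]
    # Actual loss is what had gone out by the time the bank was notified;
    # anything debited after notification is not the customer's loss.
    notified = _ts(notified_at)
    actual_loss = sum(d.amount for d in debits if _ts(d.when) <= notified)
    candidates = [actual_loss, balance_available, MAX_LIABILITY_INR]
    if txn_limit is not None:
        candidates.append(txn_limit)
    return max(0, min(candidates))


def overdraft_example() -> int:
    """The page's own illustration: balance Rs 5,000, fraudster moves Rs 25,000
    on a temporary overdraft. Liability is capped at the Rs 5,000 balance."""
    debits = [Debit(when="2014-10-01T09:00", amount=25_000)]
    return customer_liability(debits, notified_at="2014-10-01T18:00", balance_available=5_000)
```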

It may be recalled that many such cases of fraud have been reported earlier at Naavi.org. The undersigned has been relentlessly pursuing legal action against many Banks in this regard. The Damodaran Committee report had also spoken about such cases.

The current guidelines come as a great relief to the Bank’s customers.

Naavi.org congratulates RBI for taking these steps.

Naavi


New Security Risk: data stolen through mobiles just with electromagnetic waves

A new Cyber Threat that is far ahead of the Stuxnet threat has been reported by security researchers.

Ref: here

This threat works through a mobile phone which is near a computer. The electromagnetic waves emitted by the phone and the computer during their regular operation establish a channel through which malware is first introduced into the computer; the computer then transmits the data over FM frequencies to the mobile, from where it is later sent over the mobile network to the hacker.

This means that no mobile phones can be allowed near a sensitive computer if this threat is to be eliminated.


Naavi


No bank has proper Information Security Guidelines

An RTI query filed by the Nagpur-based NGO Cyber Awareness Organization (CAO) recently revealed that none of the banks in the country had drafted information security guidelines, which are mandatory as per RBI’s guideline on electronic banking.

Speaking to the press during his visit to Nagpur recently, Naavi said, “When RBI started allowing internet banking way back in 2001, it clearly laid the responsibility of data security and of educating customers about the dos and don’ts on the banks. It was also advised that all banks offering the service take cyber crime insurance. None of that has happened even today.”

Details here
