Promoting E Banking-Role of RBI

RBI in its recent annual report, has lamented that 90% of payments are estimated to be collected through Cash/Cheque despite its efforts to promote E Banking. (See this report in Business Line). RBI has stated that more than 3080 crore bills are generated each year in 20 cities in India and there is a need to increase the efficiency of the bill collection process. RBI has also reported the handling of around 47 million transactions valued at Rs 360,200 crore in March 2013 through NEFT and 8 lakh crore through RTGS on a single day, March 28, 2013. As at the end of March 2013, 55 banks with a customer base of 23 million provided mobile banking services, compared to 49 banks and a 13 million customer base at the end of 2012. A whopping 53 million transactions valued at around Rs 6000 crore were transacted through mobile banking during the year 2012-13, registering a growth of 108% by volume and 229% by value over the previous year.

The figures of E Banking usage quoted in the report are very impressive despite the tone of the report suggesting that RBI would be happier with a better digitization of the transactions.

For the last several months, RBI has been promoting E Banking as if it were a marketing agent for technology. There have been attempts like “Disincentivisation of use of Cheques”, with stiff penalties imposed on customers and deliberate inconveniences mounted on the customers. The technology vendors and greedy commercial Banks have made RBI their captive and coerced RBI into taking policy decisions which make one feel that RBI has forgotten that, as the “Banking Regulator”, its basic role is to ensure that Banking in India is safe and sound.

The undersigned, speaking at a conference on Bank Security in Mumbai on the 22nd instant, compared the current status of RBI to being possessed by “Stockholm syndrome”, sympathizing with its captors, namely the technology vendors and the greedy commercial Banks. He suggested that RBI must take cognizance of the increasing Cyber frauds and of the attempt by many Banks to bully customers into accepting liability for cyber frauds, as if all frauds occur only because of the customer’s fault. He highlighted that the recent great E Banking robbery involved negligence by the back-end processors and was entirely because of the Bank’s mistake. He therefore strongly advocated that RBI should make “Cyber Crime Insurance” mandatory for all E Banking transactions.

One of the speakers from a prominent Bank speaking at the seminar boasted that there was not a single fraud reported in his Bank in the last one year, reflecting the “All is Well” syndrome and the “Public can be fooled with such statements for ever” attitude. Dr Chakravarthy, Deputy Governor of RBI, speaking recently on Cyber frauds, indicated that around 8765 frauds were reported in 2012-13. It is strongly believed that there is huge under-reporting of technology frauds in the Banks and that the actual incidence of frauds is much higher. Dr Chakravarthy, who is one of the last remaining custodians of customer interests in the Bank, also said

“Banks could also consider seeking insurance coverage as a risk transfer tool and a mitigant for the financial losses arising from technology induced fraudulent customer transactions”

The newspaper report of Business Line, which also refers to the so-called “Vision Document” of RBI, does not make any mention of the actions that RBI has taken or intends to take on prevention of Cyber Frauds in Banking and the increasing risks that Bank customers are being exposed to due to untested technologies such as “Mobile Banking”. Banks and the RBI should remember that “Convenience” cannot be the last word in Banking and we should “Say No to Technology if it is not safe”.

I call the attention of the new RBI Governor to ensure that the policies of RBI do not get diluted in terms of providing a safe banking environment in India, and to show his own commitment to the cause of Customer safety when he addresses the issue of licensing new Banks, most of which will be more dependent on technology than the current generation of Banks and will therefore be more vulnerable to “Failure due to technology Risks” than the present set of Banks.

Naavi

Copy of RBI Annual Report

Copy of speech by Dr Chakravarthy


Drawing Attention of Media on this Karnataka High Court hearing

On 27th May 2013, an interesting writ petition is coming up before the Karnataka High Court (WP 21049/2013 at Court Hall No 9, #54).

This petition has been filed by Axis Bank Ltd against the Adjudicator of Karnataka as the first respondent and Gujarat Petrosynthese Ltd as the second respondent and a decision on the petition will have a huge impact on the Cyber Crime law in India.

On the face of it the case appears to be a simple “Preliminary Hearing” and the proceedings at the end of the day are unlikely to have any earthshaking consequences. But this perception may not be correct.

During the preliminary hearing the Court will consider admission of the petition and also take a view on the “Interim Stay” granted by the vacation judge on 16th May 2013.

The options before the Court appear to be one of the following.

a) Admit the petition, post it for a detailed hearing on another day and in the meantime continue the Interim Stay granted by the vacation judge.

b) Admit the petition, post it for a detailed hearing on another day but vacate the Interim Stay.

c) Based on the preliminary objections, dismiss the petition.

A normal observer of Court proceedings would say, “What is special about this? This is common for all similar writ petitions”. They may also say that “The most likely decision is the first one, where an opportunity is given for detailed hearing and in the interim the status quo may be continued.” The status quo in this case means continuation of the interim stay.

In order to appreciate the impact of a decision on the above preliminary hearing on the Cyber Judiciary system in India, it is necessary to understand the background of the case and the meaning that can be ascribed to the above three possible decision outcomes.

The decision outcome will inter alia determine

a) Whether the Adjudicator of Karnataka can effectively discharge the duties cast on him under ITA 2000/8

b) Whether Individual Cyber Crime victims can file any adjudication complaint against any companies such as a Bank

c) Whether any Company can file an adjudication complaint (for hacking, denial of service, etc.) against any other individual or company.

As an example, let us take the recent case in which some persons hacked into the systems of two BPOs in India (one of which is in Bangalore), stole some information/modified some information unauthorizedly and caused a fraud of over Rs 250 crores. Some of these hackers have been arrested in New York. Had they been in Karnataka, the Company here which suffered the hacking could not file a complaint sustainable under Section 66 of ITA 2000/8.

Another example is that if somebody hacks into Infosys or Wipro, then Infosys or Wipro cannot file a Section 66 complaint with the Police or a Section 43 complaint with the adjudicator.

If somebody hacks into an ATM in Bangalore by any means, the Bank cannot file a Section 66 (Hacking) Complaint against such a person.

To understand why such an adverse impact can arise, we need to appreciate what a “Continuation of Interim Stay” means as a legal precedent.

The background of the case is as follows:

In around June 2011, M/s Gujarat Petrosynthese Ltd (GPL), a company having an account with Axis Bank, Marathahalli, found that Rs 39 lakhs had vanished from its account. On filing a complaint with the Bank as well as the Police, it was found that the amount had been transferred to several other branches of Axis Bank, Indus Ind Bank, Standard Chartered Bank, ING Vysya Bank etc. The Bank gave the account details to the Police, and the Police are trying to identify the existence of such customers.

In the meantime, GPL filed a complaint under Section 43 to the Adjudicator of Karnataka alleging that Axis Bank and the other Banks who received the proceeds transferred from their account should compensate them for the loss.

Axis Bank objected to the filing of the complaint stating that the “Adjudicator does not have jurisdiction” to entertain the complaint under Section 43 of ITA 2000.

The reasons stated by Axis Bank for this were:

1. Under Section 43, any “Person” can file a complaint against another “Person”.  Here the word “Person” means an “Individual”. GPL is not an individual. Also Axis Bank is not an individual. They are “Body Corporates”. Hence Section 43 is not applicable.

2. Recognizing the lacuna of Section 43 that it was not applicable to Companies, an amendment was brought to the Act to introduce Section 43A.

Despite objections from GPL, the then Adjudicating officer agreed with the contention of Axis Bank and issued a decision that the complaint could not be entertained by him, since Section 43 cannot be invoked by GPL as it is a corporate entity. He confirmed his conviction on this view in another instance where the complainant was an individual but the respondent was ICICI Bank, which is a corporate entity.

By these two decisions, the Adjudicator created a precedent that “Section 43 cannot be invoked by a Company and cannot be invoked against any Company”. This also applied to partnership firms and association of persons.

GPL submitted a request for review immediately within 2 days of the decision on 29th December 2011. The review was kept pending by the Adjudicator.

In the absence of a review of the said order of 27th December 2011, no cyber crime victim in Karnataka could approach the Adjudicator under Section 43. Since Section 43 is directly linked to the definition of offences under Section 66, if a Company cannot be considered as part of Section 43, it could not be part of Section 66 either. (Please see Section 43 and Section 66 here). Under Section 61 of ITA 2000/8 the Adjudicator has the sole jurisdiction for any claim for damages up to Rs 5 crores. The Civil Judiciary therefore believes that any claim for damages arising due to contravention of any of the provisions of ITA 2000/8 falls within the sole jurisdiction of the Adjudicator, and they would therefore refuse to entertain any complaints.

The situation was similar to the jurisdictional police station and the Cyber Crime police station bouncing a cyber crime complainant from one to another. There was therefore a void created in the Cyber Judicial System in the state of Karnataka.

Recently the Karnataka Human Rights Commission took suo motu cognizance of the adverse effect of the lack of a Cyber Judicial process in Karnataka and in the month of March 2013 issued a notice to the current IT Secretary of the State to set things right. The current IT Secretary, who holds the Adjudication responsibilities and has the review request in his files, took a legal opinion from the State Law department and, in accordance with such opinion, cancelled the order of 27th December 2011 and started hearing the complaint once again on 15th May 2013. During the hearing Axis Bank sought time to file a reply and the hearing was adjourned to the next hearing on 31st May 2013.

On 16th May 2013, the vacation judge of the Karnataka High Court considered the writ petition, which challenged the order of the current adjudicator cancelling the earlier order and deciding to continue the process, and which made several allegations against the IT department, the Law department as well as the complainant. The Court issued notices to the respondents, namely the Adjudicator and GPL, for hearing on 27th May 2013. However, the Court routinely approved the request for interim stay.

The interim stay was on the operation of the new order of the present adjudicator dated 26th April 2013, which cancelled the earlier order of 27th December 2011 which had held that “No Company has a right to invoke Section 43 and nobody can invoke Section 43 on any Company”.

If on 27th May 2013 the interim stay is not vacated, it would mean that until such time as the Court changes the order later in the future, the adjudication order of 27th December 2011 will be operative and the cancellation will not be effective. This also means that the citizens of Karnataka would be deprived of the human right regarding availability of judicial redress in respect of cyber crimes. There would be a conflict between the decision of the Karnataka Human Rights Commission and the Karnataka High Court, and the Adjudicator would be sandwiched between the two decisions.

If the Court vacates the Stay and continues hearing the case then the adverse impact of the stay will be prevented.

However, if the High Court proceeds to hear the writ petition, it would be overruling the powers of the Adjudicator as envisaged under ITA 2000/8 and would also destabilize the natural process of “Appeal” that has been envisaged under ITA 2000/8. This would mean that the role of the Cyber Appellate Tribunal is irrelevant. In other words, the Karnataka High Court would change the hierarchy of Cyber Judiciary from

-Adjudicator of a State to Cyber Appellate Tribunal to the High Court of the State and then the Supreme Court of India to

-Adjudicator of a state to High Court of the State and then the Supreme Court of India.

The system of the Cyber Appellate Tribunal can therefore be considered as redundant, and the ITA 2000/8 provisions will effectively stand amended.

It is not clear if the High Court has this power to cause an effective amendment of ITA 2000/8 by agreeing to continue hearing of the case.

The option where the petition is dismissed and returned to the adjudicator for continuation would avoid setting the above precedents, which may add to the confusion in the Cyber Law situation in India.

The objective of placing this detailed analysis of the forthcoming hearing is to enable the media to take note of the importance of the case so that they can follow it up.

I wish Mr Arnab Goswami of Times Now, Mr Rajdeep Sardesai of CNN IBN, Mr Rahul Kanwal of Headlines Today, Ms Barkha Dutt of NDTV, Mr Vishweshwar Bhatt of Suvarna News (Kannada) and others from TV 9 (Kannada), Samaya (Kannada), Public TV (Kannada) and other channels to take note. I also invite the attention of the print media such as Hindu, Deccan Herald, Economic Times, DNA, Deccan Chronicle, Bangalore Mirror, Times of India, Business Standard, Kannada Prabha, etc. to take note.

I request readers who have contacts with these journalists to draw their attention to this article so that they show some interest in the case.

Naavi

Regulating Ethical Hacking Training in India

The recent accusation that a prominent information security training company in India was responsible for the release of some malware in the wild, used for Cyber Espionage against Telenor and also for attacking Pakistani and Chinese web assets, has raised an issue of ethics for all security trainers.

Naavi.org has for years been advocating that there should be proper regulation of the training of ethical hackers, since the skills acquired by people during these training programs can be used for committing crimes.

Recently the Government of India announced that India needs 4.7 lakh security experts. Obviously this has created an opportunity for many unscrupulous IT training companies to start what they call an “Ethical Hacking Course”. APPIN itself has created many franchisees and is trying to provide training to hundreds of persons across the country.

Who will be the persons undertaking the training, and what will they do afterwards? These are areas of concern for society.

If these training companies are not strictly regulated, there will be lakhs of young trained hackers ready to test their skills in the open market. During these training programs trainees also get a “Hacking Kit” and information about online resources. These can be dangerous terrorist training camps in the digital world.

It is the responsibility of IN CERT to immediately take stock of the activities of these companies and put a hold on their activities until a proper system of regulation is evolved.

There is no doubt that we need information security professionals. But we do not need “hackers”. The very use of the term “hacker” mentally indicates to the trainee a status different from a “Security Professional”. Just as there is a ban on the use of “Bank” by any organization other than licensed Banking institutions, the use of the words “Hacking” or “Ethical Hacking” should be banned in India.

Also, all companies indulging in information security training, other than registered educational institutions such as Engineering and Law Colleges whose curriculum is controlled by regulators such as the AICTE or Bar Councils, should be subject to scrutiny by IN CERT. If a licensing system is required for this purpose, it should be designed.

All persons who are enrolled into such programs should submit proper ID documents, and the details are to be kept in a central database accessible to the public, who can report any adverse activity of a person. Such a list should be available for employee background checks by companies. IN CERT should periodically conduct audits of such educational organizations and record their observations. Sample background checks should be done on the candidates.

Once trained and certified, the trainees should submit themselves to lifetime surveillance of their activities by IN CERT. Their employment movements, financial returns and IT activities should all be voluntarily submitted for surveillance by the State.

If any organization or individual does not enter into appropriate contractual agreement to be monitored (like a person on parole) they should not be allowed to run such courses or take such training.

I am sure that many of my friends in the security profession may express strong dissent against such a move, which appears “Draconian”. I agree that it is draconian. But the consequence of letting loose trained hackers in lakhs into a field already reeling under the growing threat of Cyber crimes is disastrous. It will eventually destroy the Internet and convert it into a Cyber Crime Paradise.

If for this purpose we need to enact a separate law such as “Cyber Security Regulation Act” on the lines of Banking regulation and give the powers of regulation to say the newly formed National Cyber Security Council, it can be considered.

If this suggestion needs to be countered by the private sector information security education industry, then there is a need for the formation of a similar “Cyber Security Education Regulatory Forum” as a private sector initiative. This should not be left either to NASSCOM or DSCI. It should be more like TRAI and headed by a person outside the corporate influence which gets reflected in NASSCOM or DSCI.

If APPIN is an affected party in the current controversy, they can consider taking the leading initiative in formation of such a forum without putting themselves into a position where they can be accused of influencing the activities of such an academic organization.

I see a parallel in this proposal with the need for BCCI to set up an independent committee (Uninfluenced by BCCI cronies such as Atul Wassan) to monitor Betting in IPL.

On many occasions I have suggested the formation of a “Netizen Protection Forum” as a Netizen initiative and a “Netizen Protection Commission” as a regulatory structure. The same commission can also undertake the responsibility of regulating ethical hacking training.

Comments are welcome.

Naavi


RBI should Inspect Bank’s Subsidiaries

The recent Banking frauds in India and abroad have indicated that the security breach not only occurs at the Bank (besides the customer) but more often at the outsourcing partner of the Bank.

Whether the outsourcing partner is a big name like WIPRO or a relatively unknown company, the danger to Bank customers lies in such companies. At least the well-known companies like WIPRO have a reputation to keep and can therefore be expected to take some remedial steps. However, the lesser-known companies are likely to dither and postpone any security initiative unless it is forced on them.

It is therefore essential for RBI to put its foot down and assume a greater role in the regulation of the Business Associates of Banks.

The Banking Regulations Amendment Act of 2012 (BRA-2012) made an attempt in this direction by inserting a new section 29A into the Banking Regulation Act. This section, though focused on the financial aspects of subsidiaries and associates, has the potential to be used by RBI to at least make preliminary enquiries in such organizations that provide outsourced services to the banks.

The new section 29A is reproduced here:

9. After section 29 of the principal Act, the following section shall be inserted, namely:—

‘29A. (1) The Reserve Bank may, at any time, direct a banking company to annex to its financial statements or furnish to it separately, within such time and at such intervals as may be specified by the Reserve Bank, such statements and information relating to the business or affairs of any associate enterprise of the banking company as the Reserve Bank may consider necessary or expedient to obtain for the purpose of this Act.
(2) Notwithstanding anything to the contrary contained in the Companies Act, 1956, the Reserve Bank may, at any time, cause an inspection to be made of any associate enterprise of a banking company and its books of account jointly by one or more of its officers or employees or other persons along with the Board or authority regulating such associate enterprise.
(3) The provisions of sub-sections (2) and (3) of section 35 shall apply mutatis mutandis to the inspection under this section.
Explanation.—“associate enterprise” in relation to a banking company includes an enterprise which—
(i) is a holding company or a subsidiary company of the banking company; or
(ii) is a joint venture of the banking company; or
(iii) is a subsidiary company or a joint venture of the holding company of the banking company; or
(iv) controls the composition of the Board of directors or other body governing the banking company; or
(v) exercises, in the opinion of the Reserve Bank, significant influence on the banking company in taking financial or policy decisions; or
(vi) is able to obtain economic benefits from the activities of the banking company.’

It may be noted that though one of the principal objectives of this empowerment is the “inspection of financial affairs of subsidiaries”, under clause (vi) of the Explanation to Section 29A (reproduced above), any Business Associate such as those engaged in card processing or transaction processing can be considered an entity obtaining economic benefits from the activities of the Banking company and so comes under the provisions of this clause. RBI is therefore empowered to seek information as well as conduct inspections.

Such information need not be restricted only to financial aspects, since “Information related fraud Risk” in banks has already been defined as “Operational risk” under Basel II, and hence seeking information security related information is within the powers of this section. Similarly, conducting Information Security audits is also within the powers of this section.

It may also be noted that under Section 29A (2) such inspections can be done by the officers of RBI or “other persons”. Hence RBI may seek the assistance of external Information Security auditors to conduct such inspections if it deems fit.

Though the section provides for “Empowerment” rather than a “Mandate”, in the context of companies where a security breach has already been reported, “Mandate” can be implied.

In case IN CERT is conducting its own enquiry, RBI should request that a copy of the report should be shared with them. This could be a good input for RBI to understand the framing of its policies regarding outsourcing of Banking business.

We look forward to how things progress.

Naavi

Modus Operandi of a Phishing Fraud

The investigations by the Mulund Police about the Rs 1 crore phishing fraud that occurred in Mumbai have brought to public attention the modus operandi of the fraudsters.

The police have arrested two brothers in Delhi who have revealed the following during investigations.

Mr Fajroor Rehman Khan, the elder of the brothers, is a 26 year old college dropout who is an expert in Software. He learnt the “art of e-fraud” and formed a gang in 2008. He improved upon the old Nigerian tactic of sending an e-mail and asking the recipients to visit the bank’s website. He considered this method “Outdated” and took the “Trojan Route”.

He did some research and chose a “Trojan Virus”, and sent mails to around 5000 persons asking if they needed “Expert help” to update their systems. The moment the recipient clicked on the e-mail, the trojan got activated and enabled Fajroor to monitor the activities of the victim. Using this technique he stole the credentials of the current account of Mr Ankur Korani, a director of a cosmetic company, and using the user name and password he accessed the account and transferred Rs 1 crore to 12 accounts in 45 minutes.

It is to be noted that with this “Trojan Approach”, Banks cannot accuse the customers of being negligent in passing on the credentials to a fraudster which they used to do in the older technique.

Secondly, the usual security message which Banks provide on their website stating “We do not ask for your password” is of no consequence, since a “Trojan” is dropped with a spam mail of any subject line or content.

Banks should therefore harden their systems so that an analysis of the pattern of past transactions reveals such suspicious transactions. In the instant case, the transfer of Rs 1 crore within 45 minutes to 12 different unknown persons across the country is a giveaway.
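The transaction-pattern analysis the post calls for can be expressed as a simple fan-out rule: raise an alert when one account pays an unusual number of never-seen-before beneficiaries inside a short window. The following is an added example, not code from the original post, from PNB or from any bank's fraud system; the log format, account identifiers, amounts and thresholds (more than three new payees within 45 minutes) are constructed assumptions chosen to reproduce the pattern described above.

```python
"""Fan-out detector over a constructed transfer log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real bank data), one outgoing transfer per line:
#   <ISO timestamp> <source account> <beneficiary account> <amount in rupees>
SAMPLE_LOG = """
# prior history: beneficiaries ACC-1001 has paid before
2013-04-02T11:05:00 ACC-1001 BEN-SUPPLIER-A 1500000
2013-04-09T16:20:00 ACC-1001 BEN-SUPPLIER-B  820000
2013-04-16T10:40:00 ACC-1001 BEN-SUPPLIER-A 1500000
# a normal day: one repeat payee and one new payee, hours apart
2013-05-06T09:30:00 ACC-1001 BEN-SUPPLIER-B  820000
2013-05-06T15:10:00 ACC-1001 BEN-SUPPLIER-C  300000
# burst: twelve never-seen beneficiaries inside 45 minutes, Rs 1 crore in total
2013-05-07T10:00:00 ACC-1001 BEN-M01 900000
2013-05-07T10:04:00 ACC-1001 BEN-M02 850000
2013-05-07T10:08:00 ACC-1001 BEN-M03 800000
2013-05-07T10:12:00 ACC-1001 BEN-M04 900000
2013-05-07T10:16:00 ACC-1001 BEN-M05 750000
2013-05-07T10:20:00 ACC-1001 BEN-M06 800000
2013-05-07T10:24:00 ACC-1001 BEN-M07 850000
2013-05-07T10:28:00 ACC-1001 BEN-M08 900000
2013-05-07T10:32:00 ACC-1001 BEN-M09 800000
2013-05-07T10:36:00 ACC-1001 BEN-M10 850000
2013-05-07T10:40:00 ACC-1001 BEN-M11 750000
2013-05-07T10:44:00 ACC-1001 BEN-M12 850000
# another customer with ordinary activity on the same morning
2013-05-07T10:10:00 ACC-2002 BEN-RENT        45000
2013-05-07T10:20:00 ACC-2002 BEN-SUPPLIER-A 120000
"""


def parse_log(text):
    """Parse the log into dicts sorted by time; blank lines and '#' comments are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, amount = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "dst": dst, "amount": int(amount)})
    records.sort(key=lambda r: r["ts"])
    return records


def find_fanout_alerts(records, window=timedelta(minutes=45), max_new_payees=3):
    """Return one alert per burst in which an account pays more than
    `max_new_payees` previously unseen beneficiaries within `window`.

    A beneficiary counts as "new" the first time it appears for that source
    account in the stream, so the history lines seed the known-payee set.
    """
    seen = defaultdict(set)       # src -> beneficiaries already paid at least once
    recent = defaultdict(list)    # src -> new-payee transfers inside the window
    alerts = []
    open_alert = {}               # src -> index in `alerts` of a burst in progress
    for r in records:
        src = r["src"]
        if r["dst"] in seen[src]:
            continue              # repeat payee: not evidence of fan-out
        seen[src].add(r["dst"])
        bucket = recent[src]
        bucket.append(r)
        # slide the window: keep only new-payee transfers within `window` of this one
        bucket[:] = [x for x in bucket if r["ts"] - x["ts"] <= window]
        if len(bucket) <= max_new_payees:
            continue
        summary = {
            "account": src,
            "first_ts": bucket[0]["ts"],
            "last_ts": r["ts"],
            "new_payees": [x["dst"] for x in bucket],
            "total": sum(x["amount"] for x in bucket),
        }
        idx = open_alert.get(src)
        if idx is not None and r["ts"] - alerts[idx]["last_ts"] <= window:
            alerts[idx] = summary   # same burst still running: extend it
        else:
            open_alert[src] = len(alerts)
            alerts.append(summary)
    return alerts


def run_example():
    """Parse the constructed log and return the alerts it produces."""
    return find_fanout_alerts(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for a in run_example():
        print(f"{a['account']}: {len(a['new_payees'])} new payees, "
              f"Rs {a['total']:,} between {a['first_ts']:%H:%M} and {a['last_ts']:%H:%M}")
```

On the constructed log the rule stays silent for the ordinary activity (a repeat payee, a single new payee, the second customer) and produces exactly one alert for ACC-1001: twelve new beneficiaries and Rs 1,00,00,000 between 10:00 and 10:44. In a real deployment the "known payee" set would come from the customer's beneficiary history rather than the stream itself, and the thresholds would be tuned per customer profile; the point is that the pattern is visible from the bank's own records, independent of how the credentials were obtained.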

The fact that PNB did not have a system of risk analysis based on the transaction pattern is a matter to be taken note of.

It must also be noted that there is an inherent risk in browser-based login with password authentication, which has no legal or regulatory support, and the sooner the Banks recognize this truth, the better it is for bank customers.

TOI Article

Naavi


RBI issues new guidelines for E Banking security

Naavi.org has been pointing out that RBI appears to have a dual character when it comes to policy implementation. There are one set of executives probably closer to retirement but occupying the top echelons of RBI who are still oriented towards “Safe Banking” and “Customer Interests”. But there is an emerging set of executives in the mid management cadre who are easily swayed by the powerful bank lobbies into recommending measures which are often anti consumer.

Further evidence of this is the issue of a new circular dated February 28, 2013 by RBI addressing some Risk mitigation measures for Electronic payment systems, in the midst of the controversial “Discussion Paper” on “Disincentivisation of Cheques”.

Copy of circular available here

Speaking of “Securing Card Payment Transactions”, the circular specifies that

1. New cards will be issued for use only within India. If international use is specifically requested by the customer, it may be allowed, but only on a card with EMV chip and PIN enabled. This will be effective from June 30, 2013.

2. Existing cards which have been used internationally (e-commerce, POS or ATM) at least once will have to be in the EMV/PIN format only, and older magnetic stripe cards will have to be replaced by June 30, 2013.

3. Until such time as the EMV cards are issued, there would be an omnibus limit of USD 500/- on international payments with any magnetic stripe card. Lower limits may be fixed by the Banks based on the customer profile.

In terms of security, it is advised that

1. All POS systems should be certified for PCI-DSS and PA-DSS compliance by June 30, 2013.

2. Banks should frame rules based on transaction pattern of the card usage to prevent frauds.

3. All acquiring infrastructure based on IP-based solutions should be mandatorily put through PCI-DSS and PA-DSS certification.

4. A real-time fraud monitoring system should be introduced at the earliest.

5. Card blocking through SMS should be enabled.

6. Two-factor authentication should be applied even for international card payments.

7. A call referral system should be introduced. Under this system the issuer may respond to the merchant with a “Call issuer” decision. The merchant then calls the acquiring bank with the details, after which the acquirer calls the issuing bank and seeks authorization. Before authorizing, the issuing bank will speak to the customer. After the authorization, the merchant has to swipe the card again.

The above measures will go a long way in mitigating the card related frauds. Some of these suggestions are on the lines suggested by the Damodaran Committee.

It is time to congratulate RBI for this move.

(More to follow)

Naavi
