Promoting E Banking-Role of RBI

RBI in its recent annual report has lamented that 90% of payments are estimated to be collected through cash/cheque despite its efforts to promote E Banking (see this report in Business Line). RBI has stated that more than 3080 crore bills are generated each year in 20 cities in India and that there is a need to increase the efficiency of the bill collection process. RBI has also reported the handling of around 47 million transactions valued at Rs 360,200 crore in March 2013 through NEFT, and 8 lakh crore through RTGS on a single day, March 28, 2013. As at the end of March 2013, 55 banks with a customer base of 23 million provided mobile banking services, compared to 49 banks and a 13 million customer base at the end of 2012. A whopping 53 million transactions valued at around Rs 6000 crore were transacted through mobile banking during the year 2012-13, registering a growth of 108% by volume and 229% by value over the previous year.

The figures of E Banking usage quoted in the report are very impressive despite the tone of the report suggesting that RBI would be happier with a better digitization of the transactions.

For the last several months, RBI has been promoting E Banking as if it were a marketing agent for technology. There have been attempts such as the “Disincentivisation of use of Cheques”, with stiff penalties imposed on customers and deliberate inconveniences mounted on them. The technology vendors and greedy commercial Banks have made RBI their captive and coerced it into policy decisions which make one feel that RBI has forgotten its basic role: that as the “Banking Regulator” it has a responsibility to ensure that Banking in India is safe and sound.

The undersigned, speaking at a conference on Bank Security in Mumbai on the 22nd instant, compared the current status of RBI to being possessed by “Stockholm syndrome”, sympathizing with its captors, namely the technology vendors and the greedy commercial Banks. He suggested that RBI must take cognizance of the increasing Cyber frauds and of the attempt by many Banks to bully customers into accepting liability for cyber frauds, as if all frauds occur only because of the customer’s fault. He highlighted that the recent great E Banking robbery involved negligence of the back end processors and was entirely because of the mistake of the Bank. He therefore strongly advocated that RBI should make “Cyber Crime Insurance” mandatory for all E Banking transactions.

One of the speakers from a prominent Bank speaking at the seminar boasted that not a single fraud had been reported in his Bank in the last one year, reflecting the “All is Well” syndrome and the “Public can be fooled with such statements for ever” attitude. Dr Chakravarthy, Deputy Governor of RBI, speaking recently on Cyber frauds, indicated that around 8765 frauds were reported in 2012-13. It is strongly believed that there is huge under-reporting of technology frauds in the Banks and that the actual incidence of frauds is much higher. Dr Chakravarthy, who is one of the last remaining custodians of customer interests in the Bank, also said

“Banks could also consider seeking insurance coverage as a risk transfer tool and a mitigant for the financial losses arising from technology induced fraudulent customer transactions”

The newspaper report of Business Line, which also refers to the so-called “Vision Document” of RBI, does not make any mention of the actions that RBI has taken or intends to take on prevention of Cyber Frauds in Banking and on the increasing risks to which Bank customers are being exposed due to untested technologies such as “Mobile Banking”. Banks and the RBI should remember that “Convenience” cannot be the last word in Banking and we should “Say No to Technology if it is not safe”.

I call the attention of the new RBI Governor to ensure that the policies of RBI do not get diluted in terms of providing a safe banking environment in India, and to show his own commitment to the cause of Customer safety when he addresses the issue of licensing new Banks, most of whom will be more dependent on technology than the current generation of Banks and will therefore be more vulnerable to “Failure due to technology Risks” than the present set of Banks.

Naavi

Copy of RBI Annual Report

Copy of speech by Dr Chakravarthy


Mumbai High Court on Section 66A

The Mumbai High Court has in a judgement opined that Section 66A can be applied even in the case of Websites.

According to this report in TOI, the High Court held

“Creating a website that may contain false or offensive information and facilitating its access to others would fall under the definition of ‘sending messages’ under section 66A of the IT Act. ‘Inconvenience’ cannot be read in isolation and must be read as a whole under the definition of an offence under the section. It is only false information that causes inconvenience.”

The view however is open for debate and questioning since it does create certain conflicts.

Firstly, ITA 2000 addressed the issue of “Publishing” and “Transmitting” through Section 67. This section was restricted to obscenity issues and did not extend to “Defamation” or “Causing annoyance in general”.

At this time, “Defamation” was being addressed with IPC and even when “Defamation” occurred with electronic documents, they could still be covered under IPC.

However, when offences such as “Cyber Stalking” and “Cyber bullying” started occurring, it was noticed that “Sending repeated messages/emails” was creating a new situation which was not similar to the “Static form of annoyance that could be alleged for a website publication”. A website could be ignored but a direct message could not, since it intruded into the personal space of the addressee. Hence it had more capability to create annoyance to the addressee. At the same time, a “Website” was open to public view while an email or SMS was not. Hence the “Publishing” activity on the website and the “Messaging” had to be considered as two different kinds of activities. The “Message” could not be considered as “Publishing” nor as “Distribution”.

The IPC laws of defamation were insufficient to tackle situations where the content of the message itself was not defamatory or threatening, but the act of messaging was still causing annoyance. An example would be a message which states “I hope all is well”, sent to a girl at say midnight repeatedly, when she is perhaps with her husband, and sent in the name of a boy. This is sufficient to create annoyance of a level that could lead to disasters. Sec 66A was meant to address such situations.

The website activity can however be considered as “Publishing” and if any content is false and defamatory and also obscene, it can be taken up under the present Section 67/67A/67B. If it is not obscene but is defamatory, it can be considered under IPC.

Twitter and Facebook are also “Publishing” and not “Messages”, though the term “message” is often used in such contexts. The main difference between a “message” and “what is not a message” is that a “message” is pushed by the sender to the addressee. Published content reaches the destination only when the recipient decides to pull it from cyber space to his attention.

It appears that the Mumbai High Court has failed to appreciate this vital distinction.

It is surprising that repeated mis-interpretations are occurring in Maharashtra about the implications of Section 66A. This judgement appears to support the contention of the Maharashtra police in the instances such as at Palghar when they invoked Section 66A on Facebook postings.

It would be necessary for this judgement to be reviewed and the misinterpretation corrected.

Naavi


HIPAA-US$1.2 m damage for not sanitizing photocopier hard disk

A HITECH Act violation by a health plan in New York, which resulted in a potential data breach affecting 344,579 individuals, has led to the HHS imposing a penalty of US$1,215,780 as a settlement.

The breach occurred when the Plan, which had leased several photocopiers and used them in its operations, decided to return the photocopiers to the lessor. The hard disks attached to the photocopiers were not sanitized before being returned, which resulted in an impermissible disclosure of PHI.

OCR had taken up an investigation of this breach which had been reported in April 2010 after a media disclosure. The settlement has also suggested a corrective action as follows.

(1) conduct a comprehensive risk analysis of the Plan’s privacy and security risks and vulnerabilities and

(2) use best efforts to retrieve all hard drives that were contained on photocopiers previously leased by the Plan that remain in the possession of the leasing agent and safeguard all electronic PHI contained therein.

Related Article 

The report of CBS News filed in April 2010 had indicated that the agency purchased 4 used photocopiers from a warehouse in New Jersey and extracted thousands of documents from the hard disks, which contained sensitive information from various agencies including the NY Police department and the previously referred Affinity Health Plan.

The incident highlights the need for all companies handling sensitive personal information to realize that present-day photocopying machines carry a hard disk which stores a copy of every document photocopied on the machine, and hence the disk needs to be sanitized before the photocopier is discarded. If they fail to do so, the damages can be crippling.
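The sanitization point above can be made concrete. The following Python script is an added example, not code from the original post or from any copier vendor: it models a copier's internal disk as a file-backed image (the sample contents are constructed), scans it for recognisable document residue such as PDF headers and long runs of readable text, overwrites it, and scans again to confirm nothing readable survives. The function names (build_sample_image, find_residue, sanitize, is_sanitized, demo) are this example's own.

```python
"""Added example (not from the original post): overwrite a storage image and
verify that no recognisable document residue survives the wipe.

A photocopier's internal disk is modelled as a file-backed image so the example
runs offline; the sample contents are constructed and stand in for the scans a
copier keeps from past jobs. Function names are this example's own."""
import os
import re
import tempfile

# Byte signatures that indicate recoverable document content. A short,
# constructed list; real data-carving tools use far longer ones.
DOCUMENT_MARKERS = [b"%PDF-", b"JFIF", b"PK\x03\x04", b"<?xml"]
# A run of 16 or more printable ASCII bytes is treated as readable text.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")
# Deterministic non-printable filler standing in for unrelated disk contents.
FILLER = b"\x00\xff" * 2048
CHUNK = 1 << 20


def build_sample_image(path: str) -> None:
    """Write a constructed image: filler, a fake scanned PDF, more filler,
    a fragment of claim text, more filler."""
    with open(path, "wb") as fh:
        fh.write(FILLER)
        fh.write(b"%PDF-1.4\nPatient: Jane Doe, MRN 0001 (constructed sample)\n")
        fh.write(FILLER)
        fh.write(b"Claim number 12345 approved, diagnosis code XYZ\n")
        fh.write(FILLER)


def find_residue(path: str) -> dict:
    """Count document signatures and readable text runs in the image.
    A small overlap is kept between chunks so a signature split across a
    boundary is still seen; a hit near a boundary may therefore be counted
    twice, which does not matter for a zero-versus-nonzero decision."""
    markers = text_runs = 0
    carry = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            window = carry + chunk
            markers += sum(window.count(m) for m in DOCUMENT_MARKERS)
            text_runs += len(PRINTABLE_RUN.findall(window))
            carry = chunk[-32:]
    return {"markers": markers, "text_runs": text_runs}


def sanitize(path: str, random_passes: int = 1) -> None:
    """Overwrite every byte with random data, then with zeros, and flush to
    disk. This is the overwrite method suited to magnetic media; flash media
    and drives with remapped spare sectors need the device's own secure-erase
    command, which a file-level overwrite cannot reach."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pass_bytes in [None] * random_passes + [b"\x00"]:
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(remaining, CHUNK)
                fh.write(os.urandom(n) if pass_bytes is None else pass_bytes * n)
                remaining -= n
        fh.flush()
        os.fsync(fh.fileno())


def is_sanitized(path: str) -> bool:
    """True when the scan finds neither document signatures nor readable text."""
    residue = find_residue(path)
    return residue["markers"] == 0 and residue["text_runs"] == 0


def demo() -> dict:
    """Build the sample image and record residue before and after the wipe."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "copier_disk.img")
        build_sample_image(image)
        before = find_residue(image)
        sanitize(image)
        after = find_residue(image)
        return {"before": before, "after": after,
                "clean": is_sanitized(image), "size": os.path.getsize(image)}


if __name__ == "__main__":
    print(demo())
```

The verification step is the part worth keeping in a real decommissioning checklist: an asset is only recorded as sanitized after an independent scan of the media comes back clean, not merely after the wipe command was issued. For an actual copier, the same two-step discipline applies using the manufacturer's data-overwrite or secure-erase function rather than a file-level overwrite.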

Naavi


Indian Company causes HIPAA breach

An Indian contractor of a medical transcription company (M2ComSys) is said to have caused a breach of  PHI belonging to 32000 patients of US based Cogent healthcare leading to data breach notification by the US company.

It is stated that the data was stored on the Internet without adequate security and ended up in Google search results.

Related Report

The incident underscores the need for Indian companies to get themselves HIPAA-HITECH compliant as business associates, if they have not done so already.

Naavi


Cyber Crimes Increase all over India..except Karnataka

In a reply given in the Lok Sabha, the MOS for Communications and IT, Mr Milind Deora, submitted that Cyber Crimes in India are on the increase. According to the minister, 16035 instances of attacks of various kinds were reported on Government assets alone up to June in the current calendar year. This was in comparison to 13301 instances in 2011 and 22060 in 2012. (See Report).

In sharp contrast, the home minister of Karnataka recently made a statement in the Karnataka Assembly that in 2011 and 2012 only 74 cyber crime cases were registered in Karnataka.

Even in Tamil Nadu, the Police recently stated that 42 cyber crime cases were registered last year and 17 more in the current year.

The NCRB also states that in the entire country the number of cyber crime cases registered is in the order of around 4000.

From the above reports, it is clear that there is a serious mismatch between what the industry considers as “Security Breaches” or “Cyber Attacks” and what the Police record as “Cyber Crimes”, though the two should be considered one and the same. The objective of recording Cyber Crimes is not to estimate how efficient the Police are in solving crime but to understand the impact of the crime on society, so that the Governments can provide the necessary support to the Police to fight the menace. By grossly under-reporting the crime, the Police are doing a disservice to themselves, since they cannot justify either better training or the forensic facilities needed for fighting the crime.

In Karnataka, where there is good infrastructure for Cyber Crime investigation, the facility will remain grossly under-utilized if it has to deal with just 30 to 40 cases in a year. Reluctance of the Police in certain places to file FIRs for Cyber Crimes ensures that FIRs are not registered in most cases, and hence criminals see a very bleak chance of being punished.

There is a need to change this practice. We need an online cyber crime registration facility which automatically registers all complaints and generates complaint acknowledgements. The acknowledgements can be confirmed later by the Police in the form of FIRs after prima facie investigation. If complaints are not converted into FIRs, there has to be a specific justification provided by the Police.

Only when we have such a rigorous system of recording crime statistics will we have a basis for Cyber Crime mitigation investment, including Cyber Crime insurance.

The situation in Karnataka is the worst in the country. Here the Police and the Judiciary conspire to make the state a safe haven for Cyber Criminals. While the Police like the rest in the country are not eager to register complaints from the public, the Adjudicator is not keen to receive complaints from the public despite goading by the State Human Rights Commission.

To top it all the Karnataka High Court has also by its own judgement effectively barred filing of complaints either by companies or on companies for financial remedy as provided in the Information Technology Act 2008. It appears that the Karnataka High Court has not even recognized that it has itself created a huge void in the delivery of Cyber Crime justice in Karnataka. Though this matter has been brought to the notice of all authorities, there is either a reluctance to make necessary changes or complete ignorance.

I hope the honourable Chief Justice of Karnataka will personally examine why a citizen of Karnataka is making a statement that Karnataka High Court is itself the cause of obstruction of justice delivery and take steps to rectify the system.

I also hope that the honourable Chief Minister of the State also recognizes his responsibility in ensuring that Karnataka does not get the tag of “Cyber Crime Haven of India”.

Naavi as a Citizen of Karnataka


ISI Penetrates BSNL?

This report in Mint cites an intelligence report that ISI might have planted a trojan in the BSNL network to enable it to spy on the database. It is interesting to note the social engineering methods used by ISI to get the trojans planted.

Mint reports the following modus operandi.

“ISI spoofed a landline number (011-23016782) so that the call would appear to originate from Indian Army HQ in Delhi, and called up a BSNL executive on his mobile phone.

Posing as Major Vijay, the ISI officer claimed that the Indian Army was unable to access BSNL’s subscriber base from its website, and also sent the BSNL employee a “test mail” on his Gmail address. The BSNL employee replied to this email by sending three online links, believing that he was helping the Army. The ISI officers then got back claiming they were unable to open the links. Besides, they (ISI) sent some links to the BSNL employee who opened the same on his computer thus enabling the Pakistani agency to allegedly install the malware in the state-owned telco’s systems.”

The incident should be a good lesson to other people employed in sensitive organizations.

Naavi