Have Russian Hackers entered India?.attacking State Bank of Mysore and Bank of Baroda?

Recently two bank fraud incidents have been reported one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow where security specialists have suspected hacking of the Bank’s servers without any compromise of information at the POS or the customer side.

Reference:

Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud : P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.

nyooz.com on BOB

In the background of these frauds, one can read the article in Kasparesky published a few months back titled: “Dozens of banks lose millions to cybercriminals attacks” and “APT-Style bank robberies on the increase..

This article states that Kasparesky which exposed a sophisticated bank fraud gang last year by name Carabanak has now identified threats from of two more gangs by name Metel (or Corkow) and GCMAN. It also said that Carabanak has reemerged with new targets. Some of these attacks indicate a spear phishing attacks on the Bank employees.

It appears that the recent attacks in India may indicate the activity similar to what has been reported here.

One of the strategies that is reportedly used is to first gain access to one of the user’s computer and plant a trojan. The trojan may crash some application such as Microsoft Word and it is expected that  the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using this, the attackers slowly get into other systems until they are able to compromise the fund transfer systems leading to further frauds.

What we have seen in SBM now with small amounts being transferred may be only a testing of the fraud and we may soon see a major break in SBM which may shake the Bank and put its customers into great pain. May be similar threat is there in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS leading to a Rs 6000 crore damage on the Bank is an indication that most of the companies (including the Banks) have very weak security culture.

Additionally the opening of Unified Payment Interface opens up the mobile network to one part of the Banking servers which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by ensuring that they spread out their bank balances into multiple Banks and ensure that all the eggs are not in a single basket. Better still, spread it across smaller banks including cooperative banks without internet and mobile banking  so that their hard earned savings are protected.

Naavi


SBI introduces a long awaited security measure to control Card frauds

State Bank of India has been one of the Banks specially targetted by Card fraudsters for cloning and fraudulent withdrawal. A few years ago, Damodaran Committee of RBI recommended the most sensible control where by the customer should be given the ability to switch on and off the online banking facility.

Now We understand that SBI has introduced a “SBI Quick” service where a customer can switch on and off the use of debit cards through SMS and or Missed calls.

While the full details of how the system operates and whether it would be limited to the use of Debit cards or would be extended to credit cards, are awaited, the service in principle is welcome and has to be a mandatory feature.

This is similar to the olden day locking and unlocking of STD facility in a phone.

Hopefully the implementation of SBI quick will ensure that the security weaknesses in the current system donot also spill over to this locking and unlocking system where by a fraudster may just look at this as one additional step to cross before he continues to do what he is presently doing.

More info here: 

Naavi


Backup your Biggest data file.. to fight ransomware

Ransom ware has been one of the biggest threats that is confronting IT users at present.  Many companies have found that their critical resources have been rendered useless with the ransomware encrypting the files and demanding a ransom for release of the decryption key.

It is however heartening to note that researchers at Kasparesky have recently found a way to decrypt files encrypted by CryptXXX.

The solution works if the user can produce one original unencrypted copy of a file that has been encrypted by the CryptXXX and the key can decrypt all other files of size equal to or less than the subject file used for finding the decryption key.

This means that if the file used for breaking the encryption is the largest file in the system, the entire set of encrypted files can be decrypted.

See Article in threatpost.com

Henceforth it is therefore a security strategy to find out which is the largest file in the system and take a backup in an offline environment.

Hopefuly, at least a few can find relief from this strategy…until a new updated version of CryptXXX with a work around hits the market.

Anyway, we need to thank Kasparesky for the solution…

Naavi


Has RBI Permitted Social Media Banking?.. What about audit of Mobile Apps?

We have been following the discussions on how the Unified Payment Interface introduced by RBI has created one big security risk where the telecom links have been provided a direct access to Banking transactions server through execution of USSD codes.

Though the authorities claim to have adequate security, customers are yet to be convinced about whether RBI and the Banks are saying the truth.

Does it mean that Banks and RBI can lie?

I would like consumers to make their own conclusions from the following RTI exchange between one Mr Sisirkumar and RBI.

(P.S:Though this RTI pertains to ICICI Bank, the issues are expected to apply to other Banks also)

Mr Sisirkumar of Vijayawada made a simple RTI Query to RBI raising the following questions.

  1. Details on decision taken by RBI to let Banks use Social media and mobile applications.. and how RBI arrived at a decision that this does not violate the privacy of customers or their data.
  2. Details on specific documents related to approval given by RBI to ICICI Bank limited for creation of the following accounts.
    1. https://twitter.com/icicibank
    2. https://twitter.com/icicibank_care
    3. https://facebook.com/icicibank/
    4. https://youtube.com/user/icicibank

3. Details of  decision taken to permit ICICI Bank to do social media banking

4. Copy of RBI guidelines on how online presence can be conveyed to customers

5. A copy of the results of the security and privacy audits conducted by RBI

6.Details of the official RBI accounts on social media and the relevant act as per which they have been created and their purpose.

RBI has replied to the above RTI as follows:

Reply for query1:

” Department of Payment and Settlement Systems, Reserve Bank of India (DPSS, RBI) has not issued specific instructions to Banks on areas raised in the query. However, Banks have been advised vide our circular on mobile banking which is available on the website of RBI at link:

https://rbidocs.rbi.org.in/rdocs/notification/PDFs/65MNF052B434ED3C4CE391590891B8F3BE66.PDF

Para 2(ii) of Annexure I advise that social media can also be used by the Banks to build awareness and encourage customers to register on mobile Banking as one of the measures of customer awareness programs”

Reply for query 2:

“DPSS, RBI has not issued any such approvals to ICICI Bank Ltd”

Reply for query 3:

“No Specific instruction has been issued to ICICI Bank”

Reply to query 4

“DPSS has not issued any instructions in this matter”

Reply to query 5:

“DPSS has no information in this matter…. Your query has been forwarded to CPIO..to provide information if available..”

Reply to query 6:

“DPSS, RBI has no information in this matter….Your query has been forwarded to CPIO…”

Subsequently regarding query 6, M.Nandakumar, CPIO replied on January 12, 2016 stating :

“We have no information”

Another reply dated January 11, 2016 signed by Ms Alpana Killawala , CPIO stated for the same query,

“From April 13, 2015, the Reserve Bank of India has presence on two Social Media sites namely, You Tube and Twitter. It is an initiative taken by Reserve Bank for enhanced outreach and real time engagement with the public in addition to engaging with them through traditional media.

Purpose: For wider dissemination of information about RBI policies, rules and regulations”.

On query 5, a reply dated January 15, 2016, Subhash Chandra Mishra, another CPIO replied

“No Security or Privacy audits of mobile applications of banks are done by us. However, the level of adherence to extant guidelines issued by RBI are examined during the course of annual inspection of banks.”

From the above it is clear that the DPSS which issues guidelines on the use of technology is not even aware of the need for security and privacy audits and the CPIOs are completely confused about the state of affairs.

The replies confirm that RBI has not even considered security and privacy audits of mobile apps and have not recognized the security risks associated with the use of Twitter and Facebook for conducting banking transactions such as balance enquiry and transfer of funds. Perhaps they are not even aware that some banks are using Twitter handles to interact with the Banking servers and execute fund transfer requests.

As an ex Banker and lot of respect for RBI (by tradition), it is a big surprise for me to note the level of incompetence at the RBI.

This in fact corroborates some of my earlier concerns that I expressed in respect of use of USSD codes for Banking transactions by NPCI.

I am awaiting Banking security experts to react to what we have indicated here particularly to the fact that the mobile apps have not been audited by RBI.

In the earlier guidelines IDRBT was supposed to clear any banking related applications. Obviously, this guideline is being flouted by Banks and RBI has not taken any corrective action.

Naavi


“Even when my client is negligent, the liability can be on me”- Lesson from TCS-Epic dispute

The US$ 940 million penalty imposed on TCS by a US district Court (Wisconsin) is to be considered as a watershed moment in the history of data security management in India since it involves one of the most reputed IT companies of India and what could be  a silly information security negligence.

What is also important to note is that the kind of contravention that TCS has been accused of is some thing many other companies in India are also indulging in as a matter of routine.

Some times these incidents of information security negligence arise out of ignorance of individual employees but when it goes undetected and even supported by several employees and their team leaders, one wonders ..

…”How come none of these people were aware of the basic information security routine?”

It is possible that TCS may fight it out in the court and get the penalty reduced. But there are many lessons Indian companies need to learn from this episode including,

” Even when  my client is negligent, the liability can be on me”

To understand the reasons how a Rs 6000 crore liability arose on TCS (Bigger than the Satyam liability in the case of UPaid patent infringement in rupee terms), we need to look at the details of the case well explained in this article in wire.in (Article in wire.in ).  Another  article in business Standard debates on the amount of the penalty.

Essentially, the incident involves employees of TCS accessing confidential information on the information systems of Epic Systems, a health care software company which has accused TCS and Tata America International Corp (American arm of TCS) of “Brazenly stealing trade secrets, confidential information, documents and data”. One of the allegation is that TCS built a competing software called “Med Mantra” using stolen intellectual property of Epic Systems.

According to the details now available, the case involves three (possibly four) parties namely the TCS, Epic Systems and Kaiser Pemanente,  a health care organization, one of the subsidiaries of which is includes a chain of Kaiser Foundation Hospitals. In view of this there is a HIPAA-HITECH angle and possible health data compromise which could lead to more damage claim on Kaiser and may be through Kaiser, on TCS. There is a previous client of Kaiser who may also have a role to play in this game of negligence.

Kaiser was using a software of Epic for hospital management since 2003 and TCS was a consultant to Kaiser and had also signed an agreement with Epic stating “Epic’s program property contained trade secrets of Epic protected by the operation of law”. In 2011, TCS was engaged by Kaiser to test Epic Software through approved off shore development centers in Chennai and Kolkata where certain data security measures were to be in place. Such data security measures  included simple things such as web access being blocked, USB ports being blocked etc.. essentially to ensure that the employees donot get unauthorized access to Epic’s data.

(It may be noted that the testing environment ought to have also taken measures to be “HIPAA Compliant” since there was an exposure to the data compromise risk involving individually identifiable health information of US citizens though this point is completely missed in the discussions so far).

It appears from the records that TCS failed to have adequate information security measures in place in the development centers.

Additionally, during the testing process, TCS employees regularly required access to some internal documents of Epic since it was the essence of the testing process. Such documents were available in Epic servers and ought to have been selectively released to the TCS employees under authorization of Epic whenever required on a need to know basis.

To make the process simple, it appears that when required, access was granted  to the Epic’s proprietary data such as “Release Notes” which were the foundation documents for the testing process directly to TCS employees.  While one process was for the request to be made by TCS to a Kaiser employee for the relevant documents and for Kaiser personnel to download the document and provide access to TCS employees, a work around was initiated where TCS employees acted on behalf of Kaiser, accessed and downloaded the documents directly.

It is here that we can say that Kaiser was negligent in allowing such access but TCS could have refused to take such access as offered and raised the flag of potential breach of information security principles.

One of the employees who was earlier working with another Kaiser client and who had at that time given access to Epic system (UserWeb) then joined TCS and started working on the project. But this time he felt that not having a direct access to Epic system was delaying things and therefore checked if his earlier access to UserWeb was still working. Since to his surprise, neither his past employer nor Kaiser nor Epic had disabled his access, he felt happy and continued to use the old company’s access to do work for TCS. He also shared this access credentials with other members of his team and they all used it to access and download documents from Epic, impersonating themselves as the ex-employee of another firm without understanding the gravity of the situation.

The fact that these TCS employees are unaware of the risk of sharing passwords that too of a different firm indicates a complete failure of the training provided and the security culture prevailing in the team.

Here again there was gross negligence of the earlier employee of that erring employee, Kaiser and Epic which contributed to the unauthorized access.

While it remains a matter of debate if TCS or its employees can be charged of bad intentions or misuse of the IP for developing a competing product etc which are allegations in the course of a legal trial, the fact that there was an information security failure at TCS, EPIC, Kaiser and the unknown Kaiser Client where the erring employee was earlier working, is apparent.

Who has to take how much of the blame and how much of loss is a matter which the Courts can decide.

Will the Courts be able to appreciate this as an “Information Security Failure” and not “Hacking” depends on how mature are the Judges and how efficiently lawyers present their case.

Before I end, I cannot but express my feeling that it would have been better for all the parties concerned if this dispute had gone to an arbitration where technology and information security experts had sat in judgement rather than the Juries and Judges who may be more conversant with Computer Abuse law than the nuances of Information security governance.

Perhaps here is a case for TCS and the like to consider odrglobal.in as the dispute resolution mechanism at least in future. Of course odrglobal.in is only a technology platform and the adjudication of liabilities have to be assessed by experienced arbitrators who need to be appointed.

I call upon the IT industry in Bangalore to set up an “International IT Arbitration Council” and invite NASSCOM and STPI Bangalore to to take up the necessary initiative.

Naavi

arbitration_logo4


Unified Payment Interface makes Mobile a better tool for financial frauds

Last week, Reserve Bank of India proudly announced the launch of a “Unified Payment Interface” (UPI) hailed as the next giant leap in “Digital Payment System Innovation”.

UPI is expected to make our mobiles a universal instrument for all forms of payments including person to person (P2P) money transfers or Government to Citizen (G2C) or Business entity to Consumer (B2C) or Consumer to a Business entity (C2B).

UPI would be used not only for making payment when the person who wants to pay pushes the money out from his account into a beneficiary’s account, but also to receive payment, when the person who has to receive money from another sends out a “Pull Request” to the payer.

The “Pull” system  has the potential to turn out to be a sinister system like the collection agent digging into your pocket and taking out money. For example, one use of this would be the arrack supplier supplying arrack on credit and taking money out of the labourer’s account on the pay day before his family can lay its hands. The system can also be used by fraudsters to pull money through fraudulent transactions.

Under UPI, the National Payment Corporation of India (NPCI) will maintain a Central Repository of information of an individual’s Aadhar ID, his various Bank and Card details and mobile number. This would create  a single point of access to an individual’s financial information, personal information and mobile information so that all this can be integrated to enable payment of money from one mobile owner to another. Mobile will become a universal KYC instrument querying Aadhar for information and identifying itself through an OTP to the mobile.

In the proposed system, the Bank account becomes secondary and the mobile becomes the primary access point to your bank account. When you ask your mobile to pay, it will instruct your Bank. If you want to receive money from another mobile owner, you ask your mobile to collect the money and it will contact the other mobile and pull the money.

At first glance, the system appears attractive and in fact exciting for the tech savvy persons. But in this rush to use the technology, it appears that security of the citizen’s savings in the Banking system appears to have been completely ignored.

Mobile as an instrument and its operating system and the App environment is yet to mature in security perspective. At present, there are numerous technical bugs that can be exploited by criminals when a mobile is used for financial transactions.

When Mobile is used as a KYC instrument through OTP, it would render the neighborhood mobile store worker who sells SIM cards an intermediary who can interfere in the process of new SIM card issue. This is a channel which is often exploited by criminals and terrorists to get fake SIMs and cloned SIMs.

When this unregulated channel is relied upon by Banks and the e-KYC system, the security of the entire ID process is subordinated to the KYC process of the Mobile service provider.

It is like your Airtel KYC verification agent  becoming a Bank officer to approve your signature on an account opening form. He may be a glorified courier boy who can verify address efficiently but does not understand the importance of KYC in financial transactions.

I am only highlighting the huge responsibility that the KYC agents are hoisted with and not trying to be disrespectful of the KYC agents presently operating in the scene.

A small example of the issues that come up when mobile becomes the universal payment interface is here.

Let us say your friend walks up to you and asks for a loan. You say, sorry friend, I don’t have money.

If your friend says.. “Yar, don’t bluff, I just saw you had a balance of 50,000/- in your account. You received a bonus yesterday Isn’t it?”, how would you feel? ..

…You may keep wondering how on earth he came to know about your bonus.

Remember, in the current scenario, knowing one’s bank balance may be as simple as dialing *99# in a mobile (may be of your friend’s or spouse’s) and just entering the first four digits of the IFSC code of the Bank (e.g.: ICIC for ICICI Bank or UTIB for Axis bank). This will execute what is called an USSD code and if the mobile is one of the registered mobiles for internet/mobile banking, it may give out not only the balance but also the last few transactions without even asking for a PIN or password. (Try it on your mobile and check its vulnerability to give out your bank information).

If anybody who gets a temporary access to a mobile can know the bank balance of its owner, it is a serious breach of privacy and confidentiality of information. This is not only against the established Banking tradition, but also a contravention of the legal provisions of Information Technology Act 2000 and constitutional rights of privacy.

Under the UPI system, it is also envisaged that every user would be provided a “Virtual Address” which will be linked to all his accounts and would work as a universal ID for financial transactions.

For example, let us say, your friend Ramesh is the customer of Axis Bank, and has an ID Ramesh@axisbank which is his virtual address for making payment into and out of the account. You send money to him occasionally through UPI using this virtual banking address. It is possible that another person may hold a virtual financial address Ramesh@icicibank and you may make an erroneous remittance.

More probably, a fraudster may use your contact list information which you have shared with an App and alter the virtual financial address from Ramesh@axisbank to Ramesh@icicibank. Once done your next payment goes to ICICI Bank’s fraudster and not your friend. Out of courtesy, your friend may never inform you and repeated payments may go to the fraudster and even if found out later, the recipient  may simply claim he was not aware that he was receiving money not belonging to him.

Yet another issue that UPI throws up is the risk in the facility to enable a receiver of money to “Pull” money from your account by sending a message through the mobile.

Now a days it is common for such incoming messages to be able to read SMS without any intervention of the mobile owner (e.g. auto fill up of OTP in some mobile banking apps).  When a request for a “pull money” comes into the mobile and asks for “permission” it is possible that your mobile may simply provide the permission without your even knowing what  is going on in the mobile.

If necessary, a fraudster will be able to send a malicious code to extract your permission say by sending an earlier message which may say, “Hi, I want you to send some money through UPI. Shall I?”…and such message may appear to come from one of your known contacts.

Most recipients will open such an SMS and even may reply if necessary, clicking a link which purports to send an automated reply.. “Yes. You can send. My virtual address is ……”.

In the meantime a virus could have already been implanted into the mobile and all the Bank accounts or mobile wallets accessed through the mobile may be compromised.

Who would be responsible for such incidences?

Banks may say that the user should be aware of frauds and protect himself from such frauds. But how practical it is to expect every mobile user which includes the uneducated rural beneficiary of MNREGA and our own urban kith and kin who are not so tech savvy to be aware of sophisticated mobile viruses and take care?

Police therefore will now have more challenging and perhaps frustrating complaints ahead of them in increased incidences of Mobile frauds, Mobile thefts and also  consequential frauds. Legal pundits would be sweating to prove lack of due diligence of multiple intermediaries involved in the transaction making it impossible for the victim of a cyber fraud to get a satisfactory legal remedy.

One safety feature which should have been an integral part of such technology innovation was coverage of every user through a Cyber Insurance Scheme at the cost of the Bank. Unfortunately, this is no where in the consideration of either NPCI or the individual Banks.

It is regrettable to note that despite the risks cited above being easily foreseen, RBI has failed to make it mandatory for the Banks to provide a Cyber Insurance Cover to the consumers against such frauds despite repeated demands.

The need for such Cyber Insurance has also been brought to the notice of none other than the PM himself and yet the importance of cyber insurance as an instrument of social security is yet to be appreciated by the Government promoting Digital India, in a manner which we may regret some time in future.

In fact both RBI and Banks are assuring that the UPI system is secure but it appears to be a false and misleading assurance given to promote the new system and needs to be challenged.

Time has come therefore for mobile users to take steps to ensure that their mobile is never out of their sight and they donot provide permissions to apps to automatically respond to incoming messages without an affirmative action like entering a PIN or a Password by clicking buttons.

Also, Consumer Protection Organizations need to initiate action in first educating the public of the risks of mobile banking in the UPI scenario and then on the security measures they need to take. They should also press for the mandatory introduction of Cyber Insurance for all mobile based financial transactions at the cost of Banks or the Mobile app owners.

Naavi

arbitration_logo4