The well-known Delhi-based security group “Appin”, which conducts information security and ethical hacking trainings, is accused of indulging in organized APTs (Advanced Persistent Threats) and corporate espionage.
Initially it was reported that the group had been identified as being behind some attacks on Pakistani targets. It was also speculated that they were an outsourced agent of the Indian Government. Now this Hangover report indicates that some of the targeted attacks could be aimed at corporate espionage.
Another report attributes some of the recent attacks to Technical and Commercial Consulting Pvt. Ltd.
This Indian Express report states that Appin is identified as the source of the recent attacks on Pakistan and could be acting on behalf of the Ministry of Defense.
The Hangover report carries a disclaimer that Appin could have been implicated by others. The company obviously denies the charge.
In the meantime it is reported that Appin’s franchise business shows an uptrend after the controversies broke out. So far so good.
The scene is however murky and could lead to more interesting disclosures, twists and turns in the coming days. If this is a badly executed cyber warfare operation, then though it is embarrassing for the Government, the Indian Government can ride it out. But if it involves corporate espionage, the possibilities are that this could develop into a legal battle and a scam. For example, if Telenor takes up a legal battle in India accusing the Indian company and imputing motives linked to the Telecom scam, there could be more embarrassments in store for many people. This could also hurt Appin commercially.
On the regulatory side, the need for regulating the conduct of Ethical Hacking training, which Naavi.org has raised several times in the past, again attracts attention. Irresponsible training companies may end up creating a number of unethical hackers around the country who may turn out to be Cyber Terrorists and sophisticated Cyber Criminals. There is therefore a need for putting brakes on the activities of such firms and bringing them under very strict regulation.
An ex-employee of ICICI Bank has reportedly been arrested for duping a Canadian customer, by name Pierre Courtat, to the extent of Rs 32 lakhs. The customer held about 61451 Canadian dollars in an account which was nearly dormant. He had called the call centre some time back to enquire about the status of the account, when the employee, by name B. Kishore Reddy, accessed the personal credentials of the account holder such as date of birth etc. After observing for a few days that there were no further transactions in the account, Mr Reddy hatched a conspiracy to rob the amount. For this purpose he opened another account with the help of his wife and her friend, changed the email ID, got the amount transferred to the new account and withdrew it through ATMs.
In this incident there is cheating under the IPC as well as hacking and other offences under ITA 2008. There is also employee involvement creating vicarious liability on the Bank, as well as a KYC failure in opening the mule account. There also appears to be a systemic failure which enabled the employee to access the sensitive personal data of the customer and modify it without authorization.
If ICICI Bank does not pay off the customer and close the case, there is a danger of the top executives of the Bank being held liable.
The incident also reveals the fault lines in the systems as a result of which many other customers often lose money and keep fighting the Bank on the legal front.
It is high time that RBI starts exercising its authority suo motu, recognizes the root cause of the fraud and orders the Bank to repay the amount to the customer without a legal challenge.
One of the views expressed by a Banker is quoted as follows:
“Earlier when internet banking was started, we thought that user name and password is the enough security but then additional security measures were developed,” a banker said, adding, “Even that is now proving futile.”
I would like to remind this Banker that way back on 17th October 2000, the Information Technology Act 2000 became effective. According to this law, the only method of authentication of an electronic document recognized in law was the “Digital Signature”. If this Banker thought that user name and password was enough security, I must say that he was ignorant of the law of the land.
Again, on June 14, 2001, RBI released the Internet Banking Guidelines and reiterated that if Banks use any technology other than the “Digital Signature”, they should assume the legal risk. At that time RBI could not mandate digital signatures since no certifying authority was available until February 2002. Since 2002, digital signatures have been available, and hence Banks have no business carrying on Banking authentication without the use of digital signatures. If the Banker was not aware of this position till now, I am sorry about his ignorance.
In 2010, the Tamil Nadu Adjudicator gave his award in the Phishing case of S. Umashankar Vs ICICI Bank where he categorically pulled up the Bank for not using digital signatures.
The RBI circular on the GGWG recommendations on Information Security dated April 29, 2011 again reiterated that if Banks suffer any loss on account of non-usage of digital signatures, they should assume the legal risk, which is also an operational risk under Basel II considerations. If the Banker does not know even this, then I do not know what to say.
I am aware that security experts are already warning that hackers will soon break even digitally signed instructions through Man in the Browser attacks. So Banks are several steps behind the current threat scenario.
There is no point in them blaming the hackers or the so-called “ignorance of the customers”. If Bankers themselves cannot understand the emerging risks, the new trojan behaviour etc., how can they expect their customers to be more informed than them?
Naavi.org has been time and again pointing out that Bankers are bullying the customers into accepting liability arising out of the Banker’s greed to push Internet Banking to unprepared customers.
RBI has reminded them again and again that banks need to introduce real-time transaction behaviour monitoring to stop the kind of frauds that we have seen in the case of Yes Bank. But Banks did not heed.
The recent Rs 250 crore card fraud, in which Indian payment processing companies were hacked, is another indication of how hacking can take place at the Bank’s end and innocent customers may lose their money. The same card processors also process transactions of some Indian Banks and hence the customers continue to be at risk.
Unless some Chairpersons of Banks are put in jail for such frauds, Banks will continue to act arrogantly and try to disclaim their responsibility. If ministers resign for the mistakes of their subordinates, is it not necessary for Bank Chairmen to resign when such major frauds take place?
I hope Bankers are more responsible when they give press statements in such cases.
Though Banks have been using their money power to delay the judicial process by stalling the appointment of the Chairperson of the Cyber Appellate Tribunal, there are enough judicial views, even from abroad, to hold categorically that liability in such cases lies only with the Bank and not with the customer. This holds good even in the case of a fraud by some of the employees of the customer, as per a previous Supreme Court judgement in respect of forgeries in Banks.
RPG should therefore not allow Yes Bank to bully them down. Even if the Bank takes the case to the Supreme Court, RPG should fight and obtain justice, since most other victims are unable to carry on the legal fight with the Banks.
It is however possible that in this incident Yes Bank may buckle down in view of the strength of the RPG group. Even if, therefore, no precedent is set in a Court of law, we can expect an implied acceptance from Yes Bank that the fraud liability is on the Bank and not on the Customer.
We may recall the RBI’s Internet Banking Guidelines, the GGWG report and the Damodaran Committee report which all have held that liability for phishing lies with the Bank.
The recent Banking frauds in India and abroad have indicated that the security breach not only occurs at the Bank (besides the customer) but more often at the outsourcing partner of the Bank.
Whether the outsourcing partner is a big name like WIPRO or a relatively unknown company, the danger to Bank customers lies in such companies. At least the well-known companies like WIPRO have a reputation to keep and therefore can be expected to take some remedial steps. However, the lesser known companies are likely to dither and postpone any security initiative unless it is forced on them.
It is therefore essential for RBI to put its foot down and assume a greater role in the regulation of the Business Associates of Banks.
The Banking Regulations Amendment Act of 2012 (BRA-2012) made an attempt in this direction by inserting a new section 29A into the Banking Regulation Act. This section, though focused on the financial aspects of subsidiaries and associates, has the potential to be used by RBI to at least make preliminary enquiries into such organizations which provide outsourced services to the banks.
The new section 29A is reproduced here:
9. After section 29 of the principal Act, the following section shall be inserted, namely:—
‘29A. (1) The Reserve Bank may, at any time, direct a banking company to annex to its financial statements or furnish to it separately, within such time and at such intervals as may be specified by the Reserve Bank, such statements and information relating to the business or affairs of any associate enterprise of the banking company as the Reserve Bank may consider necessary or expedient to obtain for the purpose of this Act.
(2) Notwithstanding anything to the contrary contained in the Companies Act, 1956, the Reserve Bank may, at any time, cause an inspection to be made of any associate enterprise of a banking company and its books of account jointly by one or more of its officers or employees or other persons along with the Board or authority regulating such associate enterprise.
(3) The provisions of sub-sections (2) and (3) of section 35 shall apply mutatis mutandis to the inspection under this section.
Explanation.—“associate enterprise” in relation to a banking company includes an enterprise which—
(i) is a holding company or a subsidiary company of the banking company; or
(ii) is a joint venture of the banking company; or
(iii) is a subsidiary company or a joint venture of the holding company of the banking company; or
(iv) controls the composition of the Board of directors or other body governing the banking company; or
(v) exercises, in the opinion of the Reserve Bank, significant influence on the banking company in taking financial or policy decisions; or
(vi) is able to obtain economic benefits from the activities of the banking company.’.
It may be noted that though one of the principal objectives of this empowerment is the “inspection of financial affairs of subsidiaries”, under clause 29(A)(2)(vi) any Business Associate, such as those engaged in card processing or transaction processing, can be considered an entity which obtains economic benefits from the activities of the Banking company and so comes under the provisions of this clause. RBI is therefore empowered to seek information as well as conduct inspections.
Such information need not be restricted only to the financial aspects, since “Information related fraud risk” in banks has already been defined as “Operational risk” under Basel II, and hence seeking information-security-related information is within the powers of this section. Similarly, conducting Information Security audits is also within the powers of this section.
It may also be noted that under Section 29A (2) such inspections can be done by the officers of RBI or “other persons”. Hence RBI may seek the assistance of external Information Security auditors to conduct such inspections if it deems fit.
Though the section provides for “Empowerment” rather than a “Mandate”, in the context of companies where a security breach has already been reported, “Mandate” can be implied.
In case CERT-In is conducting its own enquiry, RBI should request that a copy of the report be shared with it. This could be a good input for RBI in framing its policies regarding the outsourcing of Banking business.
It has been reported by the BBC that at a Marks and Spencer outlet, when one customer was trying to swipe his card for payment, the POS terminal recorded the transaction by picking up card data from another card which another person was holding in her hands.
It is said that the POS implements “Near Field Communication” on a contactless basis, so that there is no need to physically swipe the card. Unfortunately the reader’s range was too strong and it picked up the signal from another card.
I hope Indian Banks do not introduce such wireless communication cards, since if the Marks and Spencer POS could pick up the data of another card one foot away, a fraudster can easily walk around with such a device and steal the card data of people around.