A Bug in a Mobile Wallet and 5 techies end in Jail.. Where was the Bug Bounty Program?

The recently reported fraud in Kolkata where five engineering students were arrested for a Bank Wallet fraud involving Rs 8.6 crores is an incident to ponder. (See the report in TOI here).

According to the report, the persons arrested were Engineering Students who discovered, perhaps accidentally, a bug in the wallet program and its back-end software.

It appears that when a C2C money transfer was initiated, an instruction went out to the Bank to make the payment to the destination mobile account. However, when the destination account was not connected to the Internet, the originating end deemed the transaction a failure and the originating account was not debited. When the destination account later reconnected to the Internet, the system recognized the event and completed the payment from the Bank's end without ever debiting the originating customer's account.

This was distinctly an error in the way the wallet developer planned the transaction processing. The destination person not being immediately within reach is a standard use-case scenario, so the transaction ought to have been planned as a three-legged transaction.

The first leg is the initiation of the transaction, when the amount is debited from the originator's bank account and transferred to a "Remittance in Transit" account. In the second leg, the bank's server should try to establish contact with the destination end and, if successful, debit the amount from the "Remittance in Transit" account and credit it to the beneficiary. In the third leg, the beneficiary accepts the transaction, which completes it.

If all three legs go through smoothly, the transaction is completed in sequence on a real-time basis. If any of the three legs fails, the failure is properly recorded and the money does not fall into the wrong hands.

If the transaction fails in the first leg, the amount is not debited from the sender's account. If it fails in the second leg, the money remains in the Bank and can be returned to the originator if a complaint is raised or after a default period of, say, one hour has lapsed. Finally, if the beneficiary rejects the transaction, it can be reversed. If the beneficiary is aware that no money is due but still accepts the receipt, he is legally bound to return any credit made by mistake.
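The difference between the two designs is easiest to see as a ledger invariant: the sum of all customer balances plus the bank's "Remittance in Transit" account must never change. The following simulation is an added example written for this post; it is not the wallet's or the bank's code, and the account names, amounts and one-hour timeout are constructed. It models the flawed flow exactly as described above (an offline beneficiary is treated as a failed transaction, yet the queued bank-side payment still completes on reconnect) beside the three-legged flow, and checks the invariant after each.

```python
"""Toy ledger simulation (constructed, not the wallet's real code) of the
flaw described in the post and of the proposed three-legged design.
Invariant a tester should check: total money in the system never changes."""
from dataclasses import dataclass, field
from enum import Enum

TIMEOUT_SECONDS = 3600  # the post's suggested default period of "say one hour"


class Status(Enum):
    IN_TRANSIT = "in_transit"  # leg 1 done: sender debited, funds parked at the bank
    DELIVERED = "delivered"    # leg 2 done: beneficiary credited, awaiting acceptance
    ACCEPTED = "accepted"      # leg 3 done
    REVERSED = "reversed"      # a later leg failed: funds returned to the sender


@dataclass
class Transfer:
    sender: str
    beneficiary: str
    amount: int
    created_at: int
    status: Status = Status.IN_TRANSIT


@dataclass
class Ledger:
    balances: dict
    transit: int = 0                                      # "Remittance in Transit"
    queued_payments: list = field(default_factory=list)   # used by the flawed flow only

    def total(self) -> int:
        """Total money in the system; constant in a correct design."""
        return sum(self.balances.values()) + self.transit


# --- The flawed single-step flow, as the post describes it ------------------
def flawed_send(ledger, sender, beneficiary, amount, beneficiary_online):
    """The bank-side instruction is queued first; the originating end then
    decides the outcome from the beneficiary's connectivity."""
    ledger.queued_payments.append((beneficiary, amount))
    if not beneficiary_online:
        return "failed"               # deemed a failure: sender is NOT debited
    ledger.balances[sender] -= amount
    return "sent"


def flawed_complete_queued(ledger):
    """Runs whenever the beneficiary is reachable: completes every queued
    payment without checking whether the originator was ever debited."""
    for beneficiary, amount in ledger.queued_payments:
        ledger.balances[beneficiary] = ledger.balances.get(beneficiary, 0) + amount
    ledger.queued_payments.clear()


# --- The three-legged flow -------------------------------------------------
def leg1_initiate(ledger, sender, beneficiary, amount, now) -> Transfer:
    """Leg 1: debit the originator and park the funds in transit."""
    if ledger.balances.get(sender, 0) < amount:
        raise ValueError("insufficient funds: nothing debited, nothing queued")
    ledger.balances[sender] -= amount
    ledger.transit += amount
    return Transfer(sender, beneficiary, amount, created_at=now)


def leg2_deliver(ledger, t, beneficiary_online, now) -> Status:
    """Leg 2: move funds from transit to the beneficiary once reachable.
    Idempotent, so a repeated 'reconnected' event cannot credit twice."""
    if t.status is not Status.IN_TRANSIT:
        return t.status
    if not beneficiary_online:
        if now - t.created_at >= TIMEOUT_SECONDS:
            ledger.transit -= t.amount                 # timed out: back to sender
            ledger.balances[t.sender] += t.amount
            t.status = Status.REVERSED
        return t.status                                # otherwise funds stay parked
    ledger.transit -= t.amount
    ledger.balances[t.beneficiary] = ledger.balances.get(t.beneficiary, 0) + t.amount
    t.status = Status.DELIVERED
    return t.status


def leg3_settle(ledger, t, accepted) -> Status:
    """Leg 3: the beneficiary accepts or rejects; rejection reverses the credit."""
    if t.status is not Status.DELIVERED:
        return t.status
    if accepted:
        t.status = Status.ACCEPTED
    else:
        ledger.balances[t.beneficiary] -= t.amount
        ledger.balances[t.sender] += t.amount
        t.status = Status.REVERSED
    return t.status


def flawed_scenario():
    """Offline beneficiary, then reconnect: returns (total before, total after,
    beneficiary balance). Money is created from nothing."""
    ledger = Ledger(balances={"alice": 1000, "bob": 0})
    before = ledger.total()
    flawed_send(ledger, "alice", "bob", 500, beneficiary_online=False)
    flawed_complete_queued(ledger)
    return before, ledger.total(), ledger.balances["bob"]


def three_leg_scenario():
    """Same events under the three-legged design: total is conserved."""
    ledger = Ledger(balances={"alice": 1000, "bob": 0})
    before = ledger.total()
    t = leg1_initiate(ledger, "alice", "bob", 500, now=0)
    leg2_deliver(ledger, t, beneficiary_online=False, now=10)   # parked in transit
    leg2_deliver(ledger, t, beneficiary_online=True, now=20)    # credited once
    leg2_deliver(ledger, t, beneficiary_online=True, now=30)    # duplicate event: no-op
    leg3_settle(ledger, t, accepted=True)
    return before, ledger.total(), t.status


def three_leg_timeout_scenario():
    """Beneficiary never reconnects: funds return to the sender after the timeout."""
    ledger = Ledger(balances={"alice": 1000, "bob": 0})
    t = leg1_initiate(ledger, "alice", "bob", 500, now=0)
    leg2_deliver(ledger, t, beneficiary_online=False, now=TIMEOUT_SECONDS)
    return ledger.balances["alice"], ledger.transit, t.status
```

The `total()` check is the kind of assertion a bank's acceptance test should run after every simulated connectivity failure: in the flawed flow it rises from 1000 to 1500 after a single offline-then-reconnect cycle, while in the three-legged flow it stays at 1000 whether the transfer is accepted, rejected or times out.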

This process is typical of "Cyber Law Compliant App Development", which the undersigned has been advocating for a long time and which techies have been unable to comprehend.

It is unfortunate that the reported fraud occurred in a Bank where the Bankers should have tested the app and ensured that the above process was followed. This is "Negligence" and a failure of "Due Diligence" at the Banker's end, and hence makes them directly liable for assisting the commission of the above crime and for reimbursing the victims.

The techies are normally not domain specialists and hence are naturally naive enough to accept whatever broad product specification is given by a client (who himself may not understand how technology works). The techies focus on the functionality of the app and on reducing the steps in completing the transaction so that it goes through fast. In fact, it would not surprise me if the wallet developer in the above case was proud of the way his wallet processed the transaction, without understanding the major flaw.

The techies in this case, however, failed by not subjecting the wallet to proper testing and by not running a "Bug Bounty" program with sufficient incentives, so that the Engineering students, who were perhaps not "Born to Commit a Crime", would have been incentivised to report the bug rather than gang together to commit a grand fraud which will now put them in jail and destroy their future permanently.

At present, the media has not published the name of the Bank nor the name of the App which was involved in the fraud. They may be presuming that they are protecting the privacy of the Bank and the App and preserving their reputation.

However, it must be stated that this is a major incident which needs to be publicized in the interest of the public. If I am a user of the App, I need to take care. If I am a customer of the Bank, I need to take care because I now know the Bank is reckless in technology adoption and can endanger me elsewhere. By protecting their identity, the media is hiding the truth and protecting those who do not deserve protection. I therefore charge that the media has also failed in its duty at this point of time by not fully disclosing the incident details.

Since an FIR has been registered and a charge sheet is going to be filed shortly (unless the Police are forced to be compromised before the filing of the charge sheet), the identity of the Bank and the App is public information and hence should be in the public domain sooner or later.

I request any of the readers who are aware of the name of the Bank and the App to consider revealing it in public interest.

At the same time, I request all App developers to take care of proper testing, proper domain knowledge inputs and a good Bug Bounty program as a standard procedure before releasing an app, at least in the sensitive sectors.

All the Banks who are now using various wallets should also review their own Apps and ensure that similar bugs do not endanger their clients.

Naavi

Also Refer:

Wallet Frauds on the Rise: Business Standard

Mobile Wallet Frauds set to raise: Deloitte: Governancetoday.co.in

Aadhar Cards..should they be used in wallets..as KYC?: track.in

Bug Bounty Program from Government Required..


About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law.

1 Response to A Bug in a Mobile Wallet and 5 techies end in Jail.. Where was the Bug Bounty Program?

  1. Very well explained, and perhaps the techies have been arrested as they have accessed the system without authorization. But the banks and the wallet developer are equal partners in crime. Just consider the possibility that the developer was hand in glove and colluded with the techies?

    There are many more such issues, and hence CYBER SECURITY COMPLIANCE PROFESSIONALS are required to certify such programs prior to their entering the public domain.
