"This website is the Wikipedia of Indian Cyber Laws".. A Visitor's remark
REQUEST ONLINE MEETING
Cyber Squatting and ITA 2008?
Nov26: A case of an FIR being registered under ITA 2008 against a person who registered the domain name pratibhapatil.com has been reported from Delhi. Mr Neeraj Arora has given a good analysis of the misinterpretation of ITA 2008 in the enclosed article. There are two other issues to consider. One is whether the site indicates that "pratibhapatil" refers only to the President of India, and whether there was a case of "attempted impersonation". From the information available, proving "wrongful harm" may also not be easy. The Court may take a view on this, while the Police can perhaps "teach a lesson" to the errant person who dared take on a protected personality. It would be interesting to have a full reading of the public prosecutor's opinion in this regard.
Berners Lee on threat to Net Neutrality
Nov25: Berners Lee, often called the father of the World Wide Web, expressed regret that new developments on the Internet threaten the basic principles on which the World Wide Web was created. In particular he has highlighted that social networking sites such as Facebook and LinkedIn collect information from Netizens and prevent it from being shared on the Internet. He also highlighted that wireless Internet providers deliberately slow down access to websites which do not join their premium network. Detailed article in CIOL
CBI and Nasscom to set up Cyber Crime Center
Nov23: In a welcome move, the CBI and Nasscom have come together to collaborate on setting up a Cyber Crime Center which may undertake training and share information on forensics, best practices etc. Hopefully this will improve the capacity of law enforcement to tackle emerging threats. Related Article
Cost of Cyber Crimes.. A Study
Nov20: A report from the Ponemon Institute, "The First Annual Cost of Cyber Crime Study", published in July 2010, found that successful cyber attacks now cost large enterprises on average $6 million a year. Report
Anti Phishing Initiatives in US support Digital Signatures
Nov 18: Anti-phishing initiatives in the US (refer to the Consumer Advice from antiphishing.org) seem to support our view that digital signatures do hold the potential to reduce the incidence of phishing frauds. It is a legal mandate in India that electronic documents can be authenticated only by means of a digital signature. However, Banks in India seem to take things for granted when it comes to legal compliance and are not serious about implementing digital signatures, either for their own communication or for Internet Banking.
Why and how the Reserve Bank of India remains silent even though it is aware that its own Internet Banking guidelines of June 2001 are being ignored completely is a mystery. Perhaps the RBI, just like our PMO in the case of the 2G scam, considers its duty done when it sends the circular and does not consider itself responsible for acting on its implementation. Perhaps we need a Supreme Court directive to wake up the RBI to its duties.
Mumbai is Botnet Capital of India
Nov18: According to Symantec's Internet Security Report XV, Mumbai is reported to have 50% of the bot-infected computers in India, followed by Delhi at 13% and Hyderabad at 7%. In 2009 about 62,623 botnet-infected computers were identified in India according to Symantec. Bangalore appears to have around 6% of them. Report in The Hindu
ECI considering Paper Trail on EVMs
Nov17: The Election Commission of India has invited political parties to submit their views on the introduction of paper trails for EVMs. This has been a matter of discussion for some time, and Naavi has also put forth some suggestions. Hopefully political parties will find time to react to this request of the ECI. Reference articles:
Another Double Fraud.. at PNB
Nov 17: The Statesman has carried a report today about a double fraud that occurred at Punjab National Bank, Raja Street, T. Nagar, Chennai, in which nearly Rs 9 lakhs was fraudulently withdrawn from two accounts and distributed to more than 30 fraud beneficiaries across India. The incident occurred during September 2009 and has come to light since both victims have approached the Adjudicator of Tamil Nadu for relief under ITA 2000/8.
What is alarming is that in a single Bank and branch, within a gap of a week, two victims, a Rs 9 lakh fraud and a gang of 30 fraudsters have come to light. If a proper nationwide enquiry is instituted and a proper estimate of such losses is made across all Banks, it appears that the Indian Banking system is on the brink of a disaster caused by improper technology use. Despite several reminders from Naavi.org to the RBI and IBA, there has been no response from the regulators about why they remained quiet despite the frauds being reported again and again.
The situation bears similarity to the CAG observation in the 2G spectrum case, where the PMO and other ministries were content with sending disapproving notes to the Minister and remained silent spectators to the rest of the developments. Hope we do not need Mr Subramanya Swamy or the Supreme Court to bring justice to the people. The report. Also see comments from Gills.
Double Cancellation Fraud
Nov 16: An ingenious fraud involving the exploitation of a computer programme has been detected in Kolkata. The fraud, involving over Rs 2 crores, was committed by two persons simultaneously cancelling Jet Airways tickets, one at the Jet counter and one online, thereby obtaining a double refund. The fraud became possible because there was a 40-second delay before the counter cancellation instruction reached the server. Detailed story
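The race behind the double-refund fraud, as an added illustration that is not the airline's code: a ledger whose cancellation is "check status, then write" with a propagation delay in between pays out twice when two channels cancel the same ticket at once, while serialising the state transition pays out once. The PNR, channel names and delay value are constructed for the example.

```python
import threading
import time

# Constructed stand-in for the 40-second counter-to-server lag described in the report.
PROPAGATION_DELAY = 0.2


class Ledger:
    """Ticket status store with an optional lock around the cancel transition."""

    def __init__(self, atomic):
        self.atomic = atomic
        self.status = {"PNR-1": "ACTIVE"}   # constructed sample ticket
        self.refunds = []                   # one entry per refund actually paid out
        self.lock = threading.Lock()

    def _cancel(self, pnr, channel):
        if self.status[pnr] != "ACTIVE":    # check ...
            return False
        time.sleep(PROPAGATION_DELAY)       # ... the instruction is still in flight ...
        self.status[pnr] = "CANCELLED"      # ... act: by now a second check has also passed
        self.refunds.append(channel)
        return True

    def cancel(self, pnr, channel):
        if not self.atomic:
            return self._cancel(pnr, channel)
        # Hardened path: check and write happen under one lock, so the second
        # channel only runs after the first has recorded CANCELLED. In a database
        # the equivalent is a conditional update on status = 'ACTIVE' whose row
        # count decides whether a refund is issued.
        with self.lock:
            return self._cancel(pnr, channel)


def race(atomic):
    """Counter and online channels cancel the same ticket at the same instant.
    Returns the list of channels that were paid a refund."""
    ledger = Ledger(atomic)
    threads = [threading.Thread(target=ledger.cancel, args=("PNR-1", ch))
               for ch in ("counter", "online")]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return ledger.refunds


if __name__ == "__main__":
    print("non-atomic refunds:", race(False))   # two refunds for one ticket
    print("atomic refunds:", race(True))        # exactly one refund
```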
Security flaws with Mobile Companies exploited
Nov13: Police in Mumbai have busted a well thought out exploit by cyber fraudsters who used weaknesses at the mobile companies, combined with the dependence of Banks on mobile numbers, to defraud Bank customers. The modus operandi was to steal customer data from the mobile companies, report loss of the SIM card and obtain a duplicate SIM card. Control over the mobile number was then used to get the passwords on bank accounts changed and to hack into the Bank account. Probably this was used in conjunction with normal phishing to circumvent the mobile-alert-based security which the Bank was using. The thieves were clever enough to launch the mobile disablement on a Saturday, so that customers were unable to contact the mobile companies even after they noticed the problem. In some of the recent phishing frauds we can also see that the transfers were made in the dead of night and the money withdrawn through ATMs before the banks opened the next day. The mobile fraud also indicates such planning to strike when the organization is closed. This highlights the need for mobile and banking companies to have a 24x7 desk for fraud reporting so that the customer can contact them at any time. In the case of a Bank, there is no need for the Bank to allow after-hours transactions except under very special circumstances. Like mobile banking, "Night Banking" should be available only on specific request and not by default. Related report
1 Million Chinese Mobiles infected with Virus
Nov 13: As per a report in Shanghai Daily, a virus known as the 'zombie' virus, hidden in a bogus antivirus application, has infected over 1 million mobiles in China. The virus can send the phone user's SIM card information to hackers, who then remotely control the phone to send URL links. The attack is estimated to cost the users a combined 2 million yuan ($300,000 U.S.) per day. Report
Digital IDs Across Europe
The security issue has arisen in the smart card system adopted by the authorities, through deficiencies in the software used in the card readers. It appears that the problem is not serious and can be resolved easily. However, it may require real-time connectivity.
Naavi has been advocating the DVIIS system for such applications for a long time now, and the UID is also implementing a similar technology. However, UID has not yet integrated the digital signature system. Naavi has now proposed a UDID (Universal Digital ID Card) which provides for a secure digital signature along with the normal parameters associated with an ID card, and can even be supplemented with an RFID tag if required.
In case the UID authorities would like a pilot to be organized to demonstrate the UDID, the same can be arranged. Any corporate entity which wants to substitute its present ID cards with UDID may also request a suitable solution customized to the requirements of the organization.
Cloud Computing Risks
Nov11: The US Government has released a federal risk management guideline for cloud security. A copy of the guideline, called the Federal Risk and Authorization Management Program (FedRAMP), is available here. It was developed to provide a standard approach for assessing, authorizing and monitoring cloud computing services and products used by the federal government. It could also be a good reference document in India for "Reasonable Security Practices" under ITA 2008.
Fake Call Center in Kolkata
Nov8: A report in the Guardian (UK) suggests a major scam run from Kolkata involving fake phone calls to customers in the UK, stating that they are calling from Microsoft and giving suggestions which involve a total compromise of security. Details are available in the accompanying article.
One of the security observers has reported the following two addresses in Kolkata registered for the fraudster's websites:
1. mypccare.com: Zeal IT Solutions Pvt. Ltd (firstname.lastname@example.org), CD-202, Sector-1, Salt Lake City, Kolkata, West Bengal, 700064, IN, Tel. +033.65486467
2. onlinepccare.com: Onlinepccare, M.K. Shah (email@example.com), 835, P Block, New Alipore, Kolkata, West Bengal, 700053, IN, Tel. +091.3340101614
We urge Kolkata Police to investigate and publish their findings for public awareness. We also invite rebuttals if any from the above mentioned companies.
Indian Banks in a mess because of faulty software
Neighborhood Bankers.. Are they RBI licensed?
Nov 4: A report has appeared in the NY Times about a micro-banking project supposed to be under operation in Delhi. While the entrepreneurial spirit displayed is highly appreciable, if the service is run as indicated in the report, it appears not to be in compliance with the Banking law in India. Article
Indian Banks on the verge of Collapsing???
Nov 4: As a person involved in the information security area, and advising the public on Cyber Crime issues, I often come across information about frauds in Banks. One such recent incident has triggered a huge concern in me that we may be in for a major bank collapse due to inadequate security systems in the Bank and inadequate supervision from the Reserve Bank of India. More
Fake Clinics come up in USA
Nov 4: The FBI busted a massive identity theft racket where the identities of patients as well as doctors were stolen to create fake clinics for the purpose of raising fake bills. The scam, spread over 25 states, involved a fraud of US $165 million. 52 persons were arrested. Report
Fined for Delay in Notification of Data Breach
Nov4: Breach notification is a new obligation that the HITECH Act has placed on Business Associates in the US under HIPAA. The designers of the website of Wellpoint, a health insurer, enabled online applications to be submitted by the public, and the information so collected was left on the web server in a manner that made it accessible to others. This potential breach lasted 137 days. Though notified at the end of February, the company informed the affected persons and the AG's office, as required under the law of the State of Indiana where the company is located, only in June 2010. The AG's office has now fined the company $300,000 for the delay. Report
Lucrative EHR market in USA.. for HIPAA_HITECH Compliant Companies only!
Nov3: After the passage of the HITECH Act in the USA, health care providers in the USA are eligible for massive subsidies for the meaningful use of Electronic Health Records. This is a great opportunity for software companies in India, similar to that offered by the Y2K issue in the last decade. The US Government has set aside $19.2 billion for subsidies, and the total market for EHR-related services is estimated to be over $50 billion. According to a recent report only 20 percent of U.S. hospitals have EHR systems, but starting next year the typical 500-bed hospital will be eligible for $6 million in federal funds to implement an EHR and will eventually face $3.2 million a year in penalties if it fails to have a system in place. In order to establish oneself in this market, it is necessary for Indian companies to make their software HIPAA-HITECH compliant. If, as per the report, 80% of US hospitals are now moving to EHR systems, it also indicates a massive growth potential for the medical transcription industry, which also requires HIPAA-HITECH compliance. Naavi, as a leading HIPAA compliance consultant in India, expects that medical transcription companies in India should speed up the implementation of HIPAA-HITECH compliance, without which it would not be feasible for US vendors to pass transcription business on to them. Related Story
CBI Enquiry on Tatkal Reservation Scam
Nov1: Some time back Naavi.org had highlighted the possible fraud in Tatkal booking by manipulating the online reservation system. A website which had published a script that could hack into the IRCTC website and book Tatkal tickets was also revealed. After a Times Now TV reporter contacted the software professional who had put up the script, the site was removed. IRCTC also changed some of its design elements, which could have made the old script obsolete. Now this report suggests that the CBI is enquiring into possible staff involvement in the reservation scam. We trust that the investigation will also check the use of the online reservation facility and the possible use of malicious software to make the bookings. Report in NDTV