US may extend Data Breach Notification Rule beyond
Sept 29: Data Breach Notification rule of HITECH
Act makes it mandatory for HIPAA Covered Entities and Business
Associates to report data breach incidents at various levels including
notification to the affected individuals. Though some opposition has
been received from the industry for the rule and is yet to be fully
implemented, it is reported that US is considering a "Data Breach Bill"
which may bring similar rules to non HIPAA entities as well. Bill
has been introduced for the purpose.
Beware of OddJob!
Sept29: OddJob is a malicious mobile
application that targets mobile Banking. It keeps banking website
sessions open even after users think they have logged off. This can be
used for placing unauthorized transactions which apparently appears come
within an authorized session. The malware targets Symbian and Blackberry
smartphones and has been found in US, Poland and Denmark. (Source:
80% malicious URLs are of insecure websites
Sept28: Sophos has come out with its analysis
of the Internet threat scenario for 2011 which has many significant
observations. One such observation is that out of all the URLs that
distribute viruses, 80% are genuine websites. What is alarming is that
in absolute numbers such sites are estimated to be around 15000 websites
every day. which have been compromised because of lack of adequate web
security. We can recall the instance where Bank of India website was
compromised and hosted a number of trojans. High volume websites are the
targets of such attacks and they need to pay special attention on this
Copy of Report
F1 Event in Gurugaon used by Cyber Criminals
Sept 26: Cyber Criminals have started using F1
event in Gurugaon for advanced fee frauds like lottery scams. Recipients
of any SMS or e-mail regarding tickets being made available free etc are
hoaxes which recipients need to be aware of and avoid.
Demand for Cyber Insurance Raising (in US)
Sept 26: After the news about the first major
Sony hacking, the demand for Cyber Crime insurance appears to have
increased in USA. Similar latent demand is prevailing in India but not
many Insurance companies seem to have shown interest in this lucrative
business practice. Hopefully some of the practitioners in US would enter
India and offer such services before the local players wakeup to the
Facebook Inc.. Avoiding Public Accountability in
Sept 26: In continuation of an effort to
locate the address and contact particulars of Facebook Inc, in
Hyderabad, Naavi has requested the details from the US Consulate
Hyderabad. It has been brought to the attention of the US Consulate that
the details are required in regarding an alleged offence by Face Book in
India and any attempt to hide their address would amount to an abetment
in the Crime. We await further information.
In the meantime a
has been sent to Facebook at USA. The automated reply received indicates
an admission that Facebook intends to contravene Section 79 of ITA 2008
and this provides enough evidence for taking the complaint further. I
have alerted Facebook on this automated reply and its consequences and
await a considered reply from a human agent who has applied his mind to
the complaint and read through ITA 2008 and the accompanying rules.
Ombudsman Scheme is set to fail
Sept 24: The Banking Ombudsman Scheme was
introduced in 1995, revised in 2005 and amended in 2007 and 2009. The
objectives of this scheme are good. However the amendment of 2009 has
made the scheme liable to be misused by Banks to frustrate the
customers. Naavi calls upon RBI to correct the scheme as otherwise the
scheme is likely to fail...Part
Indian Mobile Companies to share Phishing liability of Rs 3250 crores
Sept23: Close on the heels of a Rs 10 lakh
Phishing fraud reported from Mumbai, another Rs 3.4 lakh fraud has been
reported from Kolkata. In both the cases the fraudsters have managed to
defeat the OTP system by taking over the customer's mobile connection by
obtaining a duplicate SIM with a false KYC from Vodafone. SBI has been
one of the Banks which along with ICICI Bank opposed the use of digital
signatures in the GGWG committee and perhaps through IBA as well. These
incidents reveal that Phishing network has effectively penetrated the
Mobile industry and is able to integrate the SIM card frauds with the
Phishing frauds.This is a deadly combination that needs to be put to
sword at the earliest. So far only Banks were facing the blame for
Phishing losses and now they have the Mobile operators for company.
Deputy Governor of RBI Remembers Mahatma Gandhi's
Sept 23: Naavi often quotes the famous words
of Mahatma Gandhi on Customer Service in Banks to remind the Bankers
that "Customer is the most important person on the premises of the
Bank". It is heartening to note that Dr K C Chakravarthi, Deputy
Governor of RBI made a reference to this in the Annual Conference of
Financial Services Ombudsman Schemes in Vancouver on September 21, 2011.
Unfortunately some officials in RBI does not seem to follow these
principles. (Watch out for a detailed Article in this regard)
Copy of the Speech :
Related Article in ET
Face Book hides its contact address
Sept 22: Face Book which does huge commercial
transactions in India maintains an office in Hyderabad. However the
physical address of the office and the contact details of the person in
charge is not made public. This should be treated as a deficient
disclosure under Sec 79 of ITA 2008 as members of public who want to
invoke the provisions of ITA 2008 are unable to send proper legal
notices to the Company. Additionally FaceBook ought to have provided
particulars of persons who are contact persons for compliance of
Sections 69,69A and 69B of ITA 2008. It appears that FaceBook has
defaulted on all these sections of ITA 2008. I have requested the
Director CERT/Secretary, Ministry of Communications and Information Technology
and Secretary, Ministry of Home Affairs to take note of
this aspect and take necessary action.
In the meantime, I have also served a formal notice
to Face Book as per the rules under Section 79 of ITA 2008 for taking
necessary action in respect of my complaint regarding impersonation by
one of its users within the time specified under the rules. On
receipt of the reply I intend initiating the next set of actions. If
pursued it would be an effort to establish the legal responsibilities of
Face Book under ITA 2008 and would be of interest to members of public.
Impersonation of Naavi on Facebook
Sept 21: Naavi has identified that one
Ms Navaneetha Rajesh,
living in New Jersy is using the nickname Naavi on the facebook. This
constitutes an offence under ITA 2008 attracting 3 years imprisonment,
fine and payment of damages. Since Naavi is also a registered trademark,
use of the name Naavi to attract traffic is a clear infringement under
Trademark act also. I hope Ms Navaneetha is ignorant of the
consequences. The first notice has been served on Ms Navaneetha and I
intend filing a Cyber Crime Complaint if the notice is not complied
I have served the following notice also on Facebook
in its abuse page:
"Naavi is my popular name and a registered
trademark. I am the founder of www.naavi.org which is a premier
portal on Cyber law. All my services are branded under the umbrella
mark of naavi. Infringement hurts my economic interests and it is
also an offence under Information Technology Act. This is also a
notice to Facebook under Section 79 of Information Technology Act
and any failure to act in remedy may result in my raising a
complaint on Facebook also."
I await further action from Face Book as well as the
IIM B Student Selection Process flawed?
Sept 21: The suicide of Malini Murmu, a
student of the PGDP at IIM B raises a question on the selection process
adopted by IIMB for admission. If a student can consider committing
suicide because of a Facebook comment it is clear that she had no
ability to face any managerial crisis that she might have confronted
with during the later part of her life as a Manager with IIM B tag.
If such a girl had passed IIM B and been associated with a critical
business activity as a decision making person, she could have surely
caused immense harm to the business. In this perspective I consider that
IIM B recruitment failed to make a proper assessment of its candidates
during the selection process. The selection of Malini Murmu was a
mistake and the persons who designed the GD topics and assessed the girl
need to review their process.
Management is simply not scoring marks in the CAT exam. It requires a
state of mind to meet challenges that may have to be confronted in
business. Psychological profiling of the prospective candidates is
therefore a necessary process of selection.
I think the policy of IIMs to reserve seats on the basis of caste and
gender could be also behind the wrong selection of Malini and the entire
IIM selection managers needs to self introspect if they are conferring
graduations on such weak personalities as managers of business with the
IIMB hit by Megan Meir Mania
Sept 21: A tragic event has hit IIM Bangalore.
In a repeat of the Megan Meir case in USA where a 16 year old girl
committed suicide because her boy friend rejected her on the Facebook, a
student of the post graduate diploma in the prestigious management
Institute, IIM Bangalore, by name Malini Murmu, committed suicide
unable to withstand the rejection by her boy friend posted on the Face
it may look insensitive, with due apologies to the grieving relatives
and friends, I would like to still state that the act of the
student comes out as immature and indicates mental illness. In the case
of Megan Meir one can say the girl was too young to understand the
meaning of life. But in case of Malini Murmu, a person who should have
been reasonably intelligent for going through the CAT and getting
selected for the course, the immaturity is unpardonable.
It is surprising to note that the Bangalore Police is
trying to enquire if the boy friend is to be charged for abetment in the
suicide. This would be a human rights violation. In the case of Megan
Meir there was a case against the person who posed herself as the boy
friend and dumped her. It was a premeditated action. Malini's case is
not so. It is the case of an adult love affair that went wrong. Police
should examine the medical records of the girl to identify if she had
suicidal tendencies. If so, she might have committed suicide if she had
failed in an examination as well. Hope Bangalore Police would see
Certifying Authority Hacked..Goes Insolvent
Sept 21: A Dutch Certifying Authority "DigiNotar"
has been forced to file bankruptcy following a security breach. It was
the primary provider of digital certificates for the Dutch Government.
It is reported that a hacker tricked the system to issue 500 fraudulent
digital certificates. Google subsequently confirmed that a fraudulent
Google certificate issued to a non-Google entity was operating in the
wild, allowing someone to conduct a man-in-the-middle attack to
intercept Gmail traffic. The hacker, who in the past has identified
himself as a 21-year-old Iranian student, claimed he got root access to
DigiNotar after obtaining an administratorís username
(Production/Administrator) and password (Pr0d@dm1n). He also claimed to
have breached four other certificate authorities, but did not name them.
CCA and Indian Certifying Authorities (CA) need to
take a serious note of this security breach and initiate a special
security audit of Certifying Authorities to preserve the confidence in
Indian CAs. Further CAs should realize how a single security breach may
push them to insolvency and the need therefore to have a foolproof
security in their systems.
Misleading Article in Business Line
Sept 19: An
article published in Hindu Business Line recently suggested that
Indian Corporates need to rush to block domain names in .xxx TLD to
protect possible registration of sites with the company name and
extension of .xxx. It was also suggested that there could be Section 67
liability for companies in such cases.
I would however like to state that there would be no
liability for a company if another person registers a .xxx domain name
under the principal name of the company and hosts pornographic content.
The Company can sue the registrant under for "Impersonation" along
with the trademark related remedies.
In fact if a Company registers a name under .xxx one
can say that there is perhaps an "intention" of hosting pornographic
content and if by any chance somebody hooks a pornographic site to the
company.xxx domain which might have been simply parked, there would be a
liability on the company.
I therefore advise companies not to register the .xxx
tld in their official name. It is also possible that India may block the
entire .xxx domain. If not a company can always seek blocking of the
company.xxx domain by a specific application.
Gowri Mukherjee Committee Report on Card
Sept17: The Gowri Mukherjee Committee of RBI
has recently submitted its report which includes recommendations on the
precautions that the Banks need to take for Card transactions.
Mobile Crimes Set to Explode
Sept 17: A recent study on Botnet infections
in Mobiles indicate a disturbing trend that more than 40000 botnet
infections were found in Android phones at one point of time during the
first half of 2011. Indian Banking industry which is already reeling
under a Rs 6500 crore Phishing fraud risks, needs to factor this
development into it's plans. From the current trends Banks are unlikely
to do anything unusual to protect the customers. It is therefore the
responsibility of RBI to ensure that customer's interest of Safe Banking
is not sacrificed in the chase for more profits.
Involvement of Bank Employees in Cyber Frauds
Sept15: Naavi has often been confronted by
Banks with the cliche. "Our Systems are Safe. If an account has been
hacked, it can only be because the customer must have compromised the
password". This line of argument may confuse the judicial officers
who donot have indepth knowledge of Banking. Anybody who has some
knowledge of "Frauds" in general and Banking industry in particular
would vouch that "Insider involvement" is a huge factor in Crimes and is
said to account for around 60% of Cyber Crimes such as data theft.
Further in Internet Banking situations, several persons within the Bank
are authorised to pass transactions in a customer's account. If the
password of any one of these officers is compromised then it is possible
for the customer's account to be compromised. We are also aware that
many Banks outsource some of their activities and the outsourcing agents
often swarm all over the Banking hall. They can verywell shoulder surf
the log in sessions of the authorized employees and take note of their
log in credentials. In the light of the above the TOI report on
Rs 16 crore fraud involving an outsource partner in ICICI Bank does
not come as a surprise to Cyber Crime watchers. It is time the judicial
officers involved in Cyber Crime related judgments take note of this
Cyber Appellate Tribunal Becomes Redundant
Sept 14: With the DIT refusing to appoint a
Chairperson for the Cyber Appellate Tribunal, (CAT), Yahoo has preferred
an appeal against the decision of the Controller of Certifying
Authorities (CCA) directly to the next appellate authority being the
High Court. It appears that the Delhi High Court has stayed an order of
the CCA imposing a fine of Rs 11 lakhs on Yahoo.
The details of the case as available indicate that
the Government had sought some information from Yahoo which was not
provided and hence the CCA has passed an order.
Copy of CCA order on the fine imposed
The incident however indicates what is likely to
happen if DIT continues to postpone appointment of the Chairperson for
CAT. While new appeals from Adjudicators can go directly to the relevant
High Courts of the State from which the adjudications originate, the
existing cases which are awaiting the judgments however remain still in
the limbo. Hope DIT realizes its responsibility to the Indian public. If
not, there will be some doubts as to the reasons behind the inaction of
Beware of this
Sept14: In what is a very disturbing trend, a
e-mail has been reported by a receiver indicating that the sender is
a contract killer hired to eliminate the recipient and want to help him.
It is likely that this will be soon followed by ransom demands.
Considering the damaging potential of the mail it is necessary for the
Police in every State in India as well as the CBI to take cognizance of
this mail and take up investigation to punish the sender. This mail
qualifies as an offence under Section 66F of ITA 2008 (Cyber Terrorism)
as well as several other sections of ITA 2008 and IPC. This crime needs
to be nipped in the bud as it can give raise to several other law and
order problems which I would not like to elaborate here.
Safe E Banking
Sept 13: In order to continue the crusade
against Unsafe E Banking in India, Naavi invites interested persons to
Safe E Banking Forum on facebook.
about the need for Safe E Banking Forum here.
Axis Bank yet to respond to Gujarat Petrosynthese
Sept 11: Gujarat Petrosynthese Ltd which lost
Rs 39 lakhs due to unauthorized withdrawals from its account through
Internet Banking has suggested the Bank for a settlement through
mediation to which Bank has refused to respond. It appears that the
Company will be initiating further legal proceedings to recover its
Report in CIO :
Report in Hindu
RBI has repeatedly indicated its directions that
Banks must follow law regarding authentication of electronic debit
instructions as per ITA 2008 and use PKI based systems failing which
they have to take the legal risk. It is surprising that Commercial Banks
continue to defy RBI guidelines as if RBI's instructions have no value.
Initially it was ICICI Bank which started the trend of defying the RBI
authority. It even went to the extent of misleading the RBI as a member
of the G.Gopalakrishna Working Group. Then it was PNB which has tried to
mislead RBI with a false submission to the RBI on a query. It is to be
seen if it is now the turn of Axis Bank to publicly challenge the
authority of Reserve Bank of India and join the growing list of Banks
who record scant respect of law or regulations.
It appears that Banks are collectively defying the
RBI with the comfort that RBI lacks the will to use its regulatory
powers on erring Banks. Naavi has recently demanded the Governor of RBI
to cancel the branch licenses of those Banks who have been knowingly
flouting the RBI regulations as a deterrent for such behaviour of
defiance. Unless RBI imposes such exemplary punishments on some of these
Banks, Indian Banking system will continue to be a nightmare for
customers from the security perspective.
In the case of companies like Gujarat Petrosynthese,
there is a share holder interest also involved and SEBI needs to
persuade RBI to ensure that its softness does not hurt the interests of
shareholders of these companies.
Another ATM Card fraud in Bangalore
Sept 10: ATM card holders in Bangalore are
getting increasingly worried about the safety of their funds. After the
reporting of a fraud in Bank of India Chandapur where an ATM card holder
lost Rs 40000/- through fraudulent withdrawals in a Canara Bank ATM,
another incident where a Union Bank of India customer has found Rs
25000/- drawn through fraudulent ATM transactions. Unfortunately, Banks
have been notorious in challenging the customers in cases of frauds and
dragging them through litigation in the hope that a customer who has
lost money would not have enough resources to carry on the litigation.
In the process Banks may end up losing more money to maintain the
litigation than what they would have lost if the customer had been
compensated when the loss was first reported. It is time shareholders of
the Bank start querying Banks whether they cannot invest more money into
securing the Banking system as per RBI guidelines rather than on
The recommendations of the
Damodaran Committee and the recent press release regarding the
Banking Ombudsman conference have more than amply clarified the
regulatory guideline that customer should be placed in a "Zero
Liability" situation on account of Cyber Frauds and Banks should cover
themselves with appropriate insurance. It is high time that independent
external directors in the Bank boards realize that they have a
responsibility to ensure that if Banks chose to spend shareholder's
money on litigations, the losses should be recovered from the
operational staff responsible for such needless litigations.
Norton Cyber Crime Report 2011
Sept 10: The recent annual report on Cyber
Crimes released by Norton is an interesting study material for all Cyber
According to the report, the total number of Cyber Crime victims in
India was estimated at 29.9 million with a direct loss of US$ 4 billion
and indirect loss of US $ 3.6 billion....Phishing constituted 19% of
these crimes..equivalent to around Rs 6500 crores...the efforts of
Norton to bring out a survey of this kind is highly appreciated since
for the first time some financial cost estimates are being tagged to the
crime report. Hopefully this will set the benchmark for other studies to
be carried out in this area on a higher sample size...Details
Norton Estimates Cyber Crime Losses in India at
around Rs 20000 crores p.a.
Sept 8: Symantec released its new security
product Internet Security 2012 and Anti Virus in Bangalore along with
the results of a global survey on financial estimate of Cyber Crimes. It
is perhaps the first time that a reasonable rupee estimate has been
placed on Cyber Crime impact in India. The survey places the estimates
as US$ 4 billion. This should be a good beginning for the development of
the Cyber Crime Insurance industry in India. The number of victims were
estimated to be 29.9 million during 2011 suffering US$ 4 billion in
terms of direct losses and an additional $3.6 billion in terms of
indirect losses. Details
are available here.
Phishing Fraud in State Bank of India
Sept 8: A major Phishing fraud involving a
loss of over Rs 10 lakhs has been reported from Mumbai by a customer of
State Bank of India. The case involves a simultaneous deactivation of
the mobile of the customer exposing the failure of the mobile based
alert systems and 2 factor authentication systems which some Banks are
using. A similar case had earlier been reported from Chennai
involving ICICI Bank and Reliance mobile and the Bank paid out the money
lost in the transaction as an out of court settlement. In the SBI case,
Vodafone appears to be the MSP involved. Further developments are being
Authentication Risks in Banks
Sept 8: Indian Banks are notorious in their
negligence regarding management of authentication risks in Internet
Banking leading to a serious crisis of confidence amongst customers
about the safety of their funds. RBI has been making the right moves but
Banks are just ignoring the regulatory guidance of RBI. Thus 10 years
after the Internet Banking guidelines came into place Banks are yet to
introduce PKI based access for Internet Banking and authentication
for Internet transactions.
A question has now arisen as to what RBI should do to
make Banks comply with the regulations and the law regarding
authentication of electronic transactions. A law or a regulation without
an implementation system is of no use. It is in this connection that
Naavi has called upon RBI for suspension of license for three branches
of Commercial Banks who have been legally found to have violated certain
RBI guidelines. Offending Banks have been resorting to various unethical
and illegal tactics to avoid penalties and we are awaiting the reaction
from RBI. The details will be placed in the public domain at the
appropriate time if no action is taken by RBI within a reasonable time.
A supplementary guideline that RBI has issued
is regarding "Risk Management Software" to be used by Banks for
monitoring the transactions both before and during access
authentication. Banks need to pay special attention in this direction
and also pull up the software companies servicing the core banking
software to upgrade their products to include risk management systems.
Related Article of interest on FFIEC guidelines
Banking Ombudsman Conference
Sept7: A conference of Banking Ombudsman has
point plan for improving customer service in Banks. One of the
points mentioned there in is :
" In case of ATM/Internet based banking
transactions, in the event of any monetary dispute involving the
customer and the bank, the onus should be on the bank to prove the
customerís negligence or mistake. Customer must be compensated for
the losses arising out of customersí non-authorised transactions."
It is high time Banks start following the guidelines
of RBI and protect the interests of their customers.
Cyber Appellate Tribunal Remains Closed..Request attention of Mrs Sonia
It is now more than two months since Justice Sri
Rajesh Tandon left office as Chairperson of Cyber Appellate Tribunal
(CAT) since he attained superannuation during his contractual term...More
Nabard Warns Cooperative Banks of Cyber Frauds
Sept6: Nabard has issued instructions to Coop Banks to take
adequate steps to prevent cyber frauds and also take proper insurance.
It is reported that instances of employee collusion in cyber frauds
which otherwise appear like a phishing fraud have been reported from
some Banks. Instances of employees stealing the password of an officer
and committing a fraud has also been reported. Similar instances should
also be happening in Commercial Banks but are unfortunately not revealed
to public. RBI has issued necessary instructions but are often ignored.
Since non reporting of fraud is not being adequately monitored, RBI is
at the mercy of the Banks to understand the extent of fraud losses in
the system. Unless the Banks become more transparent in reporting frauds
to the public it would be difficult to understand the health of the
Indian Banking system.
Related Story in B S
HDFC Bank Security Vulnerable
Sept 4: It is reported that a security team- zSecure
has discovered a critical SQL injection vulnerability in HDFC Bank's Web
Portal. Using this critical flaw HDFC Bank's various databases can be
accessed and dumped as well. According to the security team HDFC
Bank lack behind the basic security that needs to be implemented.
If this is the status of one of the leading Banks one can imagine the
security of the Banking industry in India in general.
Final Draft-EDS Bill2011
The final draft of
the EDS bill 2011 is now available on the website of
MCIT. The first draft of the ESD Bill was uploaded on DITís website
and circulated amongst stakeholders for views and suggestions on 7th
February 2011. Comments received were reviewed and a second draft
was prepared after extensive discussions and consultations. This revised
draft was thereafter circulated to both various Central Government
Departments and Ministries and the State Governments and suggestions
obtained. DIT also held a consultative meet on 18th July. The
suggestions received by the attendees were analyzed and incorporated in
the Draft EDS Bill, 2011.
According tot he proposed Bill all Government services are to be
mandatorily delivered through electronic means in 5 years.