"Watch This Site as a Daily Habit. It may save careers".. A Banker's remark as an advise to fellow Bankers

---

US may extend Data Breach Notification Rule beyond HITECH Act

Sept 29: Data Breach Notification rule of HITECH Act makes it mandatory for HIPAA Covered Entities and Business Associates to report data breach incidents at various levels including notification to the affected individuals. Though some opposition has been received from the industry for the rule and is yet to be fully implemented, it is reported that US is considering a "Data Breach Bill" which may bring similar rules to non HIPAA entities as well.  Bill has been introduced for the purpose. Report

Beware of OddJob!

Sept29: OddJob is a malicious mobile application that targets mobile Banking. It keeps banking website sessions open even after users think they have logged off. This can be used for placing unauthorized transactions which apparently appears come within an authorized session. The malware targets Symbian and Blackberry smartphones and has been found in US, Poland and Denmark. (Source: Sophos)

80% malicious URLs are of insecure websites

Sept28: Sophos has come out with its analysis of the Internet threat scenario for 2011 which has many significant observations. One such observation is that out of all the URLs that distribute viruses, 80% are genuine websites. What is alarming is that in absolute numbers such sites are estimated to be around 15000 websites every day. which have been compromised because of lack of adequate web security. We can recall the instance where Bank of India website was compromised and hosted a number of trojans. High volume websites are the targets of such attacks and they need to pay special attention on this issue. Copy of Report

F1 Event in Gurugaon used by Cyber Criminals

Sept 26: Cyber Criminals have started using F1 event in Gurugaon for advanced fee frauds like lottery scams. Recipients of any SMS or e-mail regarding tickets being made available free etc are hoaxes which recipients need to be aware of and avoid. Related Story

Demand for Cyber Insurance Raising (in US)

Sept 26: After the news about the first major Sony hacking, the demand for Cyber Crime insurance appears to have increased in USA. Similar latent demand is prevailing in India but not many Insurance companies seem to have shown interest in this lucrative business practice. Hopefully some of the practitioners in US would enter India and offer such services before the local players wakeup to the opportunity. Related Article

Facebook Inc.. Avoiding Public Accountability in India

Sept 26: In continuation of an effort to locate the address and contact particulars of Facebook Inc, in Hyderabad, Naavi has requested the details from the US Consulate Hyderabad. It has been brought to the attention of the US Consulate that the details are required in regarding an alleged offence by Face Book in India and any attempt to hide their address would amount to an abetment in the Crime. We await further information.

In the meantime a second notice has been sent to Facebook at USA. The automated reply received indicates an admission that Facebook intends to contravene Section 79 of ITA 2008 and this provides enough evidence for taking the complaint further. I have alerted Facebook on this automated reply and its consequences and await a considered reply from a human agent who has applied his mind to the complaint and read through ITA 2008 and the accompanying rules.

Banking Ombudsman Scheme is set to fail

Sept 24: The Banking Ombudsman Scheme was introduced in 1995, revised in 2005 and amended in 2007 and 2009. The objectives of this scheme are good. However the amendment of 2009 has made the scheme liable to be misused by Banks to frustrate the customers. Naavi calls upon RBI to correct the scheme as otherwise the scheme is likely to fail...Part I, Part II

Indian Mobile Companies to share Phishing liability of Rs 3250 crores per annum?

Sept23: Close on the heels of a Rs 10 lakh Phishing fraud reported from Mumbai, another Rs 3.4 lakh fraud has been reported from Kolkata. In both the cases the fraudsters have managed to defeat the OTP system by taking over the customer's mobile connection by obtaining a duplicate SIM with a false KYC from Vodafone. SBI has been one of the Banks which along with ICICI Bank opposed the use of digital signatures in the GGWG committee and perhaps through IBA as well. These incidents reveal that Phishing network has effectively penetrated the Mobile industry and is able to integrate the SIM card frauds with the Phishing frauds.This is a deadly combination that needs to be put to sword at the earliest. So far only Banks were facing the blame for Phishing losses and now they have the Mobile operators for company. ...More

Deputy Governor of RBI Remembers Mahatma Gandhi's concern

Sept 23: Naavi often quotes the famous words of Mahatma Gandhi on Customer Service in Banks to remind the Bankers that "Customer is the most important person on the premises of the Bank".  It is heartening to note that Dr K C Chakravarthi, Deputy Governor of RBI made a reference to this in the Annual Conference of Financial Services Ombudsman Schemes in Vancouver on September 21, 2011. Unfortunately some officials in RBI does not seem to follow these principles. (Watch out for a detailed Article in this regard) Copy of the Speech : Related Article in ET

Face Book hides its contact address

Sept 22: Face Book which does huge commercial transactions in India maintains an office in Hyderabad. However the physical address of the office and the contact details of the person in charge is not made public. This should be treated as a deficient disclosure under Sec 79 of ITA 2008 as members of public who want to invoke the provisions of ITA 2008 are unable to send proper legal notices to the Company. Additionally FaceBook ought to have provided particulars of persons who are contact persons for compliance of Sections 69,69A and 69B of ITA 2008. It appears that FaceBook has defaulted on all these sections of ITA 2008.  I have requested the Director CERT/Secretary, Ministry of Communications and Information Technology and Secretary, Ministry of Home Affairs to take note of this aspect and take necessary action.

In the meantime, I have also served a formal notice to Face Book as per the rules under Section 79 of ITA 2008 for taking necessary action in respect of my complaint regarding impersonation by one of its users within the time specified  under the rules. On receipt of the reply I intend initiating the next set of actions. If pursued it would be an effort to establish the legal responsibilities of Face Book under ITA 2008 and would be of interest to members of public.

Impersonation of Naavi on Facebook

Sept 21: Naavi has identified that one Ms Navaneetha Rajesh, living in New Jersy is using the nickname Naavi on the facebook. This constitutes an offence under ITA 2008 attracting 3 years imprisonment, fine and payment of damages. Since Naavi is also a registered trademark, use of the name Naavi to attract traffic is a clear infringement under Trademark act also.  I hope Ms Navaneetha is ignorant of the consequences. The first notice has been served on Ms Navaneetha and I intend filing a Cyber Crime Complaint if the notice is not complied with.

I have served the following notice also on Facebook in its abuse page:

"Naavi is my popular name and a registered trademark. I am the founder of www.naavi.org which is a premier portal on Cyber law. All my services are branded under the umbrella mark of naavi. Infringement hurts my economic interests and it is also an offence under Information Technology Act. This is also a notice to Facebook under Section 79 of Information Technology Act and any failure to act in remedy may result in my raising a complaint on Facebook also."

I await further action from Face Book as well as the concerned person.

IIM B Student Selection Process flawed?

Sept 21: The suicide of Malini Murmu, a student of the PGDP at IIM B raises a question on the selection process adopted by IIMB for admission. If a student can consider committing suicide because of a Facebook comment it is clear that she had no ability to face any managerial crisis that she might have confronted with during the later part of her life as a Manager with IIM B tag.

If such a girl had passed IIM B and been associated with a critical business activity as a decision making person, she could have surely caused immense harm to the business. In this perspective I consider that IIM B recruitment failed to make a proper assessment of its candidates during the selection process. The selection of Malini Murmu was a mistake and the persons who designed the GD topics and assessed the girl need to review their process.

Management is simply not scoring marks in the CAT exam. It requires a state of mind to meet challenges that may have to be confronted in business. Psychological profiling of the prospective candidates is therefore a necessary process of selection.

I think the policy of IIMs to reserve seats on the basis of caste and gender could be also behind the wrong selection of Malini and the entire IIM selection managers needs to self introspect if they are conferring graduations on such weak personalities as managers of business with the IIM tag.

IIMB hit by Megan Meir Mania

Sept 21: A tragic event has hit IIM Bangalore. In a repeat of the Megan Meir case in USA where a 16 year old girl committed suicide because her boy friend rejected her on the Facebook, a student of the post graduate diploma in the prestigious management Institute, IIM Bangalore, by name Malini Murmu,  committed suicide unable to withstand the rejection by her boy friend posted on the Face Book. Related Story

Though it may look insensitive, with due apologies to the grieving relatives and friends,  I would like to still state that the act of the student comes out as immature and indicates mental illness. In the case of Megan Meir one can say the girl was too young to understand the meaning of life. But in case of Malini Murmu, a person who should have been reasonably intelligent for going through the CAT and getting selected for the course, the immaturity is unpardonable.

It is surprising to note that the Bangalore Police is trying to enquire if the boy friend is to be charged for abetment in the suicide. This would be a human rights violation. In the case of Megan Meir there was a case against the person who posed herself as the boy friend and dumped her. It was a premeditated action. Malini's case is not so. It is the case of an adult love affair that went wrong. Police should examine the medical records of the girl to identify if she had suicidal tendencies. If so, she might have committed suicide if she had failed in an examination as well. Hope  Bangalore Police would see reason. Detailed Story

Certifying Authority Hacked..Goes Insolvent

Sept 21: A Dutch Certifying Authority "DigiNotar" has been forced to file bankruptcy following a security breach. It was the primary provider of digital certificates for the Dutch Government. It is reported that a hacker tricked the system to issue 500 fraudulent digital certificates. Google subsequently confirmed that a fraudulent Google certificate issued to a non-Google entity was operating in the wild, allowing someone to conduct a man-in-the-middle attack to intercept Gmail traffic. The hacker, who in the past has identified himself as a 21-year-old Iranian student, claimed he got root access to DigiNotar after obtaining an administrator’s username (Production/Administrator) and password (Pr0d@dm1n). He also claimed to have breached four other certificate authorities, but did not name them. Related Article

CCA and Indian Certifying Authorities (CA) need to take a serious note of this security breach and initiate a special security audit of Certifying Authorities to preserve the confidence in Indian CAs. Further CAs should realize how a single security breach may push them to insolvency and the need therefore to have a foolproof security in their systems.

Misleading Article in Business Line

Sept 19: An article published in Hindu Business Line recently suggested that Indian Corporates need to rush to block domain names in .xxx TLD to protect possible registration of sites with the company name and extension of .xxx. It was also suggested that there could be Section 67 liability for companies in such cases.

I would however like to state that there would be no liability for a company if another person registers a .xxx domain name under the principal name of the company and hosts pornographic content. The Company can  sue the registrant under for "Impersonation" along with the trademark related remedies.

In fact if a Company registers a name under .xxx one can say that there is perhaps an "intention" of hosting pornographic content and if by any chance somebody hooks a pornographic site to the company.xxx domain which might have been simply parked, there would be a liability on the company.

I therefore advise companies not to register the .xxx tld in their official name. It is also possible that India may block the entire .xxx domain. If not a company can always seek blocking of the company.xxx domain by a specific application.

Gowri Mukherjee Committee Report on Card Transactions

Sept17: The Gowri Mukherjee Committee of RBI has recently submitted its report which includes recommendations on the precautions that the Banks need to take for Card transactions. Recommendations

Mobile Crimes Set to Explode

Sept 17: A recent study on Botnet infections in Mobiles indicate a disturbing trend that more than 40000 botnet infections were found in Android phones at one point of time during the first half of 2011. Indian Banking industry which is already reeling under a Rs 6500 crore Phishing fraud risks, needs to factor this development into it's plans. From the current trends Banks are unlikely to do anything unusual to protect the customers. It is therefore the responsibility of RBI to ensure that customer's interest of Safe Banking is not sacrificed in the chase for more profits. Related Article

Involvement of Bank Employees in Cyber Frauds

Sept15: Naavi has often been confronted by Banks with the cliche. "Our Systems are Safe. If an account has been hacked, it can only be because the customer must have compromised the password". This line of argument may confuse the judicial officers who donot have indepth knowledge of Banking. Anybody who has some knowledge of "Frauds" in general and Banking industry in particular would vouch that "Insider involvement" is a huge factor in Crimes and is said to account  for around 60% of Cyber Crimes such as data theft. Further in Internet Banking situations, several persons within the Bank are authorised to pass transactions in a customer's account. If the password of any one of these officers is compromised then it is possible for the customer's account to be compromised. We are also aware that many Banks outsource some of their activities and the outsourcing agents often swarm all over the Banking hall. They can verywell shoulder surf the log in sessions of the authorized employees and take note of their log in credentials. In the light of the above the TOI report on Rs 16 crore fraud involving an outsource partner in ICICI Bank does not come as a surprise to Cyber Crime watchers. It is time the judicial officers involved in Cyber Crime related judgments take note of this report.

Cyber Appellate Tribunal Becomes Redundant

Sept 14: With the DIT refusing to appoint a Chairperson for the Cyber Appellate Tribunal, (CAT), Yahoo has preferred an appeal against the decision of the Controller of Certifying Authorities (CCA) directly to the next appellate authority being the High Court. It appears that the Delhi High Court has stayed an order of the CCA imposing a fine of Rs 11 lakhs on Yahoo.

The details of the case as available indicate that the Government had sought some information from Yahoo which was not provided and hence the CCA has passed an order. Copy of CCA order on the fine imposed

The incident however indicates what is likely to happen if DIT continues to postpone appointment of the Chairperson for CAT. While new appeals from Adjudicators can go directly to the relevant High Courts of the State from which the adjudications originate, the existing cases which are awaiting the judgments however remain still in the limbo. Hope DIT realizes its responsibility to the Indian public. If not, there will be some doubts as to the reasons behind the inaction of DIT. Report :

Beware of this HITMAN threat

Sept14: In what is a very disturbing trend, a threatening e-mail has been reported by a receiver indicating that the sender is a contract killer hired to eliminate the recipient and want to help him. It is likely that this will be soon followed by ransom demands. Considering the damaging potential of the mail it is necessary for the Police in every State in India as well as the CBI to take cognizance of this mail and take up investigation to punish the sender. This mail qualifies as an offence under Section 66F of ITA 2008 (Cyber Terrorism) as well as several other sections of ITA 2008 and IPC. This crime needs to be nipped in the bud as it can give raise to several other law and order problems which I would not like to elaborate here.

Safe E Banking Forum

Sept 13: In order to continue the crusade against Unsafe E Banking in India, Naavi invites interested persons to join the Safe E Banking Forum on facebook.

Read more about the need for Safe E Banking Forum here.

Axis Bank yet to respond to Gujarat Petrosynthese Ltd

Sept 11: Gujarat Petrosynthese Ltd which lost Rs 39 lakhs due to unauthorized withdrawals from its account through Internet Banking has suggested the Bank for a settlement through mediation to which Bank has refused to respond. It appears that the Company will be initiating further legal proceedings to recover its losses. Report in CIO : Report in Hindu

RBI has repeatedly indicated its directions that Banks must follow law regarding authentication of electronic debit instructions as per ITA 2008 and use PKI based systems failing which they have to take the legal risk. It is surprising that Commercial Banks continue to defy RBI guidelines as if RBI's instructions have no value.  Initially it was ICICI Bank which started the trend of defying the RBI authority. It even went to the extent of misleading the RBI as a member of the G.Gopalakrishna Working Group. Then it was PNB which has tried to mislead RBI with a false submission to the RBI on a query. It is to be seen if it is now the turn of Axis Bank to publicly challenge the authority of Reserve Bank of India and join the growing list of Banks who record scant respect of law or regulations.

It appears that Banks are collectively defying the RBI with the comfort that RBI lacks the will to use its regulatory powers on erring Banks. Naavi has recently demanded the Governor of RBI to cancel the branch licenses of those Banks who have been knowingly flouting the RBI regulations as a deterrent for such behaviour of defiance. Unless RBI imposes such exemplary punishments on some of these Banks, Indian Banking system will continue to be a nightmare for customers from the security perspective.

In the case of companies like Gujarat Petrosynthese, there is a share holder interest also involved and SEBI needs to persuade RBI to ensure that its softness does not hurt the interests of shareholders of these companies.

Another ATM Card fraud in Bangalore

Sept 10: ATM card holders in Bangalore are getting increasingly worried about the safety of their funds. After the reporting of a fraud in Bank of India Chandapur where an ATM card holder lost Rs 40000/- through fraudulent withdrawals in a Canara Bank ATM, another incident where a Union Bank of India customer has found Rs 25000/- drawn through fraudulent ATM transactions. Unfortunately, Banks have been notorious in challenging the customers in cases of frauds and dragging them through litigation in the hope that a customer who has lost money would not have enough resources to carry on the litigation. In the process Banks may end up losing more money to maintain the litigation than what they would have lost if the customer had been compensated when the loss was first reported. It is time shareholders of the Bank start querying Banks whether they cannot invest more money into securing the Banking system as per RBI guidelines rather than on litigation.

The recommendations of the Damodaran Committee and the recent press release regarding the Banking Ombudsman conference have more than amply clarified the regulatory guideline that customer should be placed in a "Zero Liability" situation on account of Cyber Frauds and Banks should cover themselves with appropriate insurance. It is high time that independent external directors in the Bank boards realize that they have a responsibility to ensure that if Banks chose to spend shareholder's money on litigations, the losses should be recovered from the operational staff responsible for such needless litigations.

Norton Cyber Crime Report 2011

Sept 10: The recent annual report on Cyber Crimes released by Norton is an interesting study material for all Cyber Crime watchers. According to the report, the total number of Cyber Crime victims in India was estimated at 29.9 million with a direct loss of US$ 4 billion and indirect loss of US $ 3.6 billion....Phishing constituted 19% of these crimes..equivalent to around Rs 6500 crores...the efforts of Norton to bring out a survey of this kind is highly appreciated since for the first time some financial cost estimates are being tagged to the crime report. Hopefully this will set the benchmark for other studies to be carried out in this area on a higher sample size...Details

Norton Estimates Cyber Crime Losses in India at around Rs 20000 crores p.a.

Sept 8: Symantec released its new security product Internet Security 2012 and Anti Virus in Bangalore along with the results of a global survey on financial estimate of Cyber Crimes. It is perhaps the first time that a reasonable rupee estimate has been placed on Cyber Crime impact in India. The survey places the estimates as US$ 4 billion. This should be a good beginning for the development of the Cyber Crime Insurance industry in India. The number of victims were estimated to be 29.9 million during 2011 suffering US$ 4 billion in terms of direct losses and an additional $3.6 billion in terms of indirect losses. Details are available here.

Phishing Fraud in State Bank of India

Sept 8: A major Phishing fraud involving a loss of over Rs 10 lakhs has been reported from Mumbai by a customer of State Bank of India. The case involves a simultaneous deactivation of the mobile of the customer exposing the failure of the mobile based alert systems and 2 factor authentication systems which some Banks are using.  A similar case had earlier been reported from Chennai involving ICICI Bank and Reliance mobile and the Bank paid out the money lost in the transaction as an out of court settlement. In the SBI case, Vodafone appears to be the MSP involved. Further developments are being watched.

Authentication Risks in Banks

Sept 8: Indian Banks are notorious in their negligence regarding management of authentication risks in Internet Banking leading to a serious crisis of confidence amongst customers about the safety of their funds. RBI has been making the right moves but Banks are just ignoring the regulatory guidance of RBI. Thus 10 years after the Internet Banking guidelines came into place Banks are yet to introduce PKI based access for  Internet Banking and authentication for Internet transactions.

A question has now arisen as to what RBI should do to make Banks comply with the regulations and the law regarding authentication of electronic transactions. A law or a regulation without an implementation system is of no use. It is in this connection that Naavi has called upon RBI for suspension of license for three branches of Commercial Banks who have been legally found to have violated certain RBI guidelines. Offending Banks have been resorting to various unethical and illegal tactics to avoid penalties and we are awaiting the reaction from RBI. The details will be placed in the public domain at the appropriate time if no action is taken by RBI within a reasonable time.

 A supplementary guideline that RBI has issued is regarding "Risk Management Software" to be used by Banks for monitoring the transactions both before and during access authentication. Banks need to pay special attention in this direction and also pull up the software companies servicing the core banking software to upgrade their products to include risk management systems. Related Article of interest on FFIEC guidelines

Banking Ombudsman Conference

Sept7: A conference of Banking Ombudsman has adopted a 10 point plan for improving customer service in Banks. One of the points mentioned there in is :

 " In case of ATM/Internet based banking transactions, in the event of any monetary dispute involving the customer and the bank, the onus should be on the bank to prove the customer’s negligence or mistake. Customer must be compensated for the losses arising out of customers’ non-authorised transactions."

It is high time Banks start following the guidelines of RBI and protect the interests of their customers.

Cyber Appellate Tribunal Remains Closed..Request attention of Mrs Sonia Gandhi

It is now more than two months since Justice Sri Rajesh Tandon left office as Chairperson of Cyber Appellate Tribunal (CAT) since he attained superannuation during his contractual term...More

Nabard Warns Cooperative Banks of Cyber Frauds

Sept6: Nabard has issued instructions to Coop Banks to take adequate steps to prevent cyber frauds and also take proper insurance. It is reported that instances of employee collusion in cyber frauds which otherwise appear like a phishing fraud have been reported from some Banks. Instances of employees stealing the password of an officer and committing a fraud has also been reported. Similar instances should also be happening in Commercial Banks but are unfortunately not revealed to public. RBI has issued necessary instructions but are often ignored. Since non reporting of fraud is not being adequately monitored, RBI is at the mercy of the Banks to understand the extent of fraud losses in the system. Unless the Banks become more transparent in reporting frauds to the public it would be difficult to understand the health of the Indian Banking system.  Related Story in B S

HDFC Bank Security Vulnerable

Sept 4:  It is reported that a security team- zSecure has discovered a critical SQL injection vulnerability in HDFC Bank's Web Portal. Using this critical flaw HDFC Bank's various databases can be accessed and dumped as well. According to the security team  HDFC Bank  lack behind the basic security that needs to be implemented. If this is the status of one of the leading Banks one can imagine the security of the Banking industry in India in general. Related Report

Final Draft-EDS Bill2011

Sept 1: The final draft of the EDS bill 2011 is now available on the website of MCIT. The first draft of the ESD Bill was uploaded on DIT’s website and circulated amongst stakeholders for views and suggestions on 7th February 2011. Comments received were  reviewed and a second draft was prepared after extensive discussions and consultations. This revised draft was thereafter circulated to both various Central Government Departments and Ministries and the State Governments and suggestions obtained. DIT also held a consultative meet on 18th July.  The suggestions received by the attendees were analyzed and incorporated in the Draft EDS Bill, 2011.

According tot he proposed Bill all Government services are to be mandatorily delivered through electronic means in 5 years.

 

Visit
www.Naavi.net

Visit
www.lookalikes.in