Indian Cyber Criminals are getting creative
January 31: Recently, an uneducated cyber
criminal in Bangalore showed how he could lock the Asterix of ATMs of
State Bank of Mysore and stop a customer's transaction midway to exploit
it later. This was technique as innovative as the "Lebanese loop"
and was highly ingenious as it just used the trick of sticking a broken
matchstick to keep the key depressed. This "Match Stick Magic" was
perhaps unique on a global scale.
Now yet another innovative technique seems to have
originated perhaps again from Bangalore which is challenging the
Nigerian Scams. This is a scam that has perhaps been inspired by a
famous Kannada TV serial by name "Mukta Mukta" and tries to lure
gullible investors into investing in films which have been stuck for
want of funds.
Copies of E mails received in the last two days are enclosed.
Recipients of the mail may end up losing a large
chunk of money in one go if they respond to such e-mails. I wish some
body checks the mobile numbers available and let me know their
Freedom of Expression on Internet..Gone..
January 30: The recent decision of Twitter to
censor its contents based on the political master's wishes in each
country is an indication that the commercial interests are always higher
than democratic interests for these companies. The move of the Indian
Government to arm twist the major intermediaries is therefore expected
to succeed in due course once the initial resistance wears off.
This article in asian age captures the status in India and
highlights the dangers. What is objectionable in the perception of the
Government officials is that content should be removed by the
intermediary when the objection is lodged by the affected party. This is
not acceptable. While the affected party can lodge a complaint with the
intermediary, removal has to follow a due process. The due process
should include a suitable documentary evidence which is placed by the
party, a process of examination through an ombudsman, a process of
arbitration where the request is disputed or a Court order as may be
required on a case to case basis.
Recently Naavi.org has received a letter from an
advocate stating that in 2005 there was an article published in the site
in which a person's name was mentioned in a litigation. Now that he is
acquitted, the advocate wanted the name to be removed from the old
article. Naavi.org has started a process of enquiry and to begin with
has asked the complainant notarized copies of the judicial order
relevant to the acquittal and an undertaking that no appeal is being
filed. On receipt, the author of the article would be asked to provide
his/her response and then a decision will be arrived at on how to deal
with the objection.
"Faith of Bank Customers Eroded"
Jan28: At a time when Banking frauds are ever
on the increase and we have reached a stage where E Banking has
destroyed the confidence of customers in the Indian Banking system, it
is a breath of relief when we here the words of RBI officials speaking
on the information security status stating "The implementation is not
effective, capacity management plans are not robust, appropriate vendor
exit strategies are not in place. The process of designing and
development of awareness programmes for customers is not in place".
These are words of the Executive Director of RBI Mr G Gopalakrishnan.
What is clear is that today RBI's guidelines are openly ignored and
Banks have turned "Rogue Banks". Hence whatever RBI proposes remains on
paper and fails during the implementation stage. The recent
recommendations of the Goplakrishna Working group is the last hope for
the revival of customer faith in Banks since it has recommendations
covering the implementation also. However the proof of the pudding is in
the eating. The failure of RBI is in not imposing appropriate penalties when
Banks fail to follow the RBI guidelines. As long as there is no strong
deterrence mechanism, the Banks will continue to act in defiance.
Report 1 :
of speech : Audio
Articles in naavi.org on GGWG
78 Adjudication Decisions ?
January 27: According to a
report in Deccan Chronicle, Bangalore, the Adjudicators of Karnataka
have so far provided 78 orders. This is for the first time that the news
has been released to the public and perhaps the orders were considered a
"State Secret" so far not to be seen by public. It is also notable that
out of these 78 decisions only the 77th decision is now on appeal with
the Cyber Appellate Tribunal and so far none of the orders were
Normally a situation such as these where 76 orders
were not appealed against indicates a very high quality of the orders.
The report has not revealed details of orders except the last two. It is
for experts to reflect if these two orders reflect the kind of quality
expected of 76 unappealed decisions. If not, it would be interesting to
see all these 76 orders to understand what they contained. This
would be an interesting case study of how effective is the system of
Adjudication in the hands of IT Secretaries of the State Governments.
When this system was introduced in 2003, Naavi.org
had pointed out that IT Secretaries who are responsible for the
development of IT in the State could face conflicts of interest when
dealing with the complaints against companies who work with the
Government on commercial deals. I have also queried from time to time
with Judicial Academies why they should not undertake IT training of
Judicial officers so that the Adjudicators can be appointed from out of
the Judicial community since lack of IT expertise in the judicial
community was the reason why DIT entrusted the responsibility with the
IT Secretaries in 2003 by way of a notification dated 25th March 2003.
Now that 78 cases are available in one single State
for a study, it would be worthwhile for some research student to conduct
a study of the Adjudication system and its effectiveness under IT
Secretaries and if a time has come for the Judicial Community to reclaim
this quasi judicial appointments either exclusively or as a two member
bench one of whom could continue to be the IT Secretary and the other
being a judicial member (A system already available at the CAT level).
Another aspect that needs to be considered is, if the
Jurisdiction of the IT Secretaries are so worked out that when there is
an apparent conflict of interest the complaint is handled by the IT
Secretary of a neighboring State
The historical decisions of the Adjudicator of
Karnataka quoted in the article of Deccan Chronicle are expected to be
the beginning of a thinking about review of the Adjudication system
under ITA 2000/8...
Article in DC
What to Expect in a Judicial Order
January 27: After the
of the Adjudicator of Karnataka reported in these columns which
reflected the status in India on how Judicial orders are written at this
level, it was a revelation to read a judicial order in the Field
Vs Google case of copyright infringement. The case was first filed in
2004 and judgment delivered in 2006 in the Nevada District Court, USA.
Such judgments stand out because of the efforts taken by the Judge to
understand various aspects of law in depth and to make a reasoned
argument before arriving at the decision. In fact such judgments are
like text books which students of law love to read. It is not necessary
that only the High Court or the Supreme Court has to give such detailed
orders which they often do. Other authorities may also learn from such
orders on how they have to be documented.
All Digital Certificates issued in India may
be invalid !!!
Jan 25: In an unusual development, an order
issued by the Adjudicator of Karnataka has created the effect that
all licenses issued for Certifying Authorities in India by the
Controller of Certifying Authorities will be rendered invalid. This
follows the effect of an order where the Adjudicator has interpreted
that the word "Person" used in Section 43 of ITA 2008 means only a
"Natural Person" and not applicable to a Company.
If this is true, then Controller of Certifying
Authorities would be wrong in issuing Certifying Authority license to
Corporate entities since according to section 2(g) Certifying Authority
means a "Person" who has been issued the license and therefore has to be
a natural person only.
The order is categorical that a "Company" can neither
seek remedy nor be accused under Section 43 of ITA 2008. With this no
Company can be accused of or seek relief under Section 66 for
unauthorized access also.
Hopefully this interpretation would be
corrected in an appeal at the earliest. Until then....we are in a
different dimension of Cyber Law in India.....a historical milestone in
deed ! .
Privacy Seminar in Mumbai to discuss Proposed
Jan 20: Privacy India in partnership with
Center for Internet Society and other organizations is organising a
conference on "Privacy matters" in Mumbai on 21st January 2011. The
conference will discuss the proposed Right to Privacy Bill which is
under consideration by the Government of India.
More information available
here : Update 21/01/12:
Copy of Naavi's Presentation :
Copy of new draft
of Privacy Bill :
Axis Bank Horror in Bangalore.. again
January 19: After the report of a Rs 39 lakh E
Banking fraud in Axis Bank recently, another major E Banking fraud has
been reported in Bangalore. As per the report of DNA, Bangalore, the
fraudster was able to obtain a debit card through a forged letter, get
event he address changed and withdraw Rs 15 lakhs from an unsuspecting
lady. The incident reveals that the procedures adopted by the Bank are
inadequate to meet the basic security requirements. The lady appears to
be running around Police for recovering the money where as she should
have perhaps claimed the money from the Bank which has acted on a forged
Innovative ATM Fraud in Bangalore
January 18: It is reported that a school
dropout found an innovative way of committing frauds on SBM ATM machines
in Bangalore. The modus operandi was to partially disable the ATM by
inserting a match stick to depress the * key. When the customer entered
a transaction, it failed after the access was authenticated. While the
customer was trying another ATM, the fraudster noted the PIN and after
he left, removed the match stick and continued the transaction.
Report in DNA
Websites to go on Strike against Ant Piracy
Jan18: In a historic development, several
major websites are expected to observe one day shut down to pretest
against the anti piracy legislation proposed by US Congress. The
websites participating in the strike include Wikipedia, Reddit,
Cheezbuger, Boing Boing etc. It appears as if this is a fight between
the Internet and the Hollywood. The White House appears to support the
Silicon Valley in the controversy and being an election year in US, the
proposal is expected to be dropped for the time being. Seen in the
background of developments in India it appears that a serious
confrontation may start between the Digital Society and the Physical
society with Cyber Laws being at the center of the controversy. The
problem has always been that Cyber Laws are being drafted not by
Netizens but by Citizens. The laws therefore are biased in favour of Non
Netizens and hence frequent clash of societies is likely to continue.
China and Pakistan offer less Internet
Censorship than India !
January 14: The article in firstpost.com
reveals how the Censorship attempt on the Internet in India compares
with China and Pakistan. Surprisingly the statistics reveal that the
number of occasions the Indian Government asked Google to take down
pages for political criticism was much more than in China or Pakistan.
How Do you React to a Sec 79 Notice if you
are an intermediary?
January 13: Ever since the Government of India summoned the major social
networking companies namely Google, Face Book and Yahoo and
demanded that they install a pre-publication manual monitoring
system for content filtering, there has been considerable
discussions about what is right, what is feasible, what is legal
etc about the "Due Diligence" required to be exercised by
Intermediaries under Section 79 of the ITA 2008. Naavi therefore
suggests the following plan of action for Intermediaries to deal
with the situation....
Symantec Accused of using "Scareware"
Jan12: A resident of Washington has filed a
class suit against Symantec accusing that some of the security software
marketed by Symantec as Norton Utilities is actually a "Scareware".
Typically, a "Scareware" promises to identify and remove security
threats for free. When the consumer tries the software it presents
several computer errors as existing in the computer which cannot be
removed by the free version and suggests that the consumer buy the
registered version. According to the complainant the threats shown by
the software were non existent as revealed by a forensic investigation
and the software was designed to show errors even when non exist. It is
regrettable that even a reputed security company like Symantec should
use such anti consumer tactics. For records it may be said that Symantec
has denied the charge.
Jan 10: Yes it appears to be "Game Over" for
current generation of authentication systems used by Banks. A new
variant of the famous Zeus Virus has been reported by FBI which warns
"The malware is appropriately called “Gameover” because once it’s on
your computer, it can steal usernames and passwords and defeat common
methods of user authentication employed by financial institutions. And
once the crooks get into your bank account, it’s definitely “game over.”
Safety in Banking is our Right
Jan 10: Bank customers in India have reached a
situation where they have to appeal to RBI to protect their right for
Safe banking. The recent threats to Internet Banking have made the
current system of Internet Banking completely unacceptable. We need a
totally new security for Internet Banking system that provides the
customer the comfort that his money cannot be stolen with the use of
trojans like SpyEye. The SpyEye threat is worrying because it is capable
of not only stealing the customer's money but also fool him with a fake
web page making him think that "All is Well". As a result the fraud goes
undetected for some time until the customer contacts the bank physically
or through means other than the Internet Banking.
It is not as if technology cannot find a solution to
SpyEye problem. But effort and investment by Banks are needed in
this direction. I am aware that certain suggestions by security
professionals have been rejected by some banks because of profitability
considerations. It is however time for us to remind RBI that
"Profitability" cannot be the barometer for compromises on "Security".
An "Insecure Banking" is no "Banking". The current Banking licenses
should be deemed to be inoperative if security is compromised either
because of technology or otherwise.
Some Bankers are living in a fool's paradise that the
OTP system will guard them but they will realize that this is not
exactly a wise thought. I hope soon some enterprising hacker or a
security professional will demonstrate that event he OTP system is
vulnerable to malicious attacks.
ICICI Bank leads in Banking Frauds
Jan09: In an alarming revelation from an RTI
application, DNA has reported that ICICI Bank alone accounted for almost
half of the frauds reported to the RBI. Of the 5,319 cases reported in
the current financial year (till September) by 29 private banks, a
whopping 3,304 were from ICICI. Similarly, in 2010-11, ICICI reported
10,684 of the total 19,845 cases. The second highest numbers of cases
were reported by HSBC at 2,383 for the same period. CBI should
immediately start an investigation across the Bank to find out if there
is an involvement of Bank staff in these frauds. Simultaneously RBI also
has to initiate appropriate action to protect the Indian Bannking
Airtel resisting Port Out requests from
Jan08: Airtel appears to be using unfair
tactics to refuse Port-Out requests from customers. Normally port out
requests should be confirmed immediately. But Airtel customers have
reported multiple cases including some cases where Airtel has tried
refuse port out requests for unstated reasons. Perhaps TRAI needs to
look into this issue.
Mumbai is No 1 in Bank Frauds
Jan08: In an interesting information obtained
by DNA through an RTI application, it has been revealed that Mumbai has
been the city where the largest number of Bank fraud cases have been
reported in the last 5 years. According to the report the total loss in
Mumbai was Rs 1882 crores from 4099 reported cases. In New Delhi for the
same perid 1326 cases werhe reported with a loss of Rs 921 crores.
Chennai reported 1110 cases with a loss of Rs 484 cases and Kolkata
reported 1021 cases with a loss of Rs 548 crores. Bangalore reported
1006 cases with a loss of Rs 815 crores. Out of this during the
financial year 2010-11 alone, Mumbai and Delhi reported 787 and 335
cases with a loss of Rs 1049 crores and Rs 335 crores respectively. It
is not clear if Banks are makeing adequate provisions in their balance
sheets to cover such losses. According to Symantec, the loss was
estimated at a much higher level of around Rs 6500/- crores for the
entire country. RBI needs to take some special measures to protect the
Bank customers from this E-Banking loot.
The never ending Cyber Chase
Jan08: An article in The Hindu of 8th January
2011 on Fraud risks in E Banking.
What is the reaction of RBI for this?
Jan 08: At the instance of aggressive banks,
RBI is promoting Mobile Banking in India. Internet Banking itself
is yet to meet the basic security requirements of Banking and hence it
is difficult to understand the need for this new technology thrust. Here
is an example of an application
(Refer: http://spoofapp.com/) that is
meant to spoof Caller IDs and also change the voice. The sales pitch for
the application is "Protect your Privacy". However such tools are more
useful for breaching the privacy of others than protecting privacy. They
are extremely dangerous for the security of Mobile Banking. Until a
solution is found to ensure that such applications donot endanger Mobile
Banking transactions, RBI should refrain from introducing mobile Banking
in India. At the same time, since Internet Banking is also dependent on
mobiles for OTP, the risk of mobile spoofing places the entire Banking
system in India at risk. Naavi.org has drawn the attention of RBI
several times on this technology risk. At some point in future
Courts may have opportunities to question the role of RBI in securing E
Banking in India and the fact that the risks have been brought to the
attention of RBI will be a matter which may also determine the vicarious
liabilities of individual officers who have neglected these early
warnings. (P.S: According to one security professional this particular
application may be a malicious application. There are similar
applications which have been demonstrated by different professionals
even in public in the past. Non specialists should not try out such
applications for curiosity since they may create harm in the form of
excess billing or otherwise. Using such application is a crime. Naavi)
Amendments to Consumer Protection Act
Jan08: Amongst the amendments proposed to
Consumer Protection Act in the bill presented in the Parliament is a
provision for submission of applications in electronic form. As Naavi
has been advocating in the past, by virtue of Section 4 of ITA 2000 even
without the need for this amendment, it should be possible for the forum
to accept electronic applications. However, the amendment will remove
any doubts in this regard and it is therefore welcome. Many of the
tribunals and forums which have been given the freedom to device their
own procedures and are not bound by the procedures of the civil
procedure code have been following the procedure of asking the
complainant to submit affidavits in support of the contents of the
application. Since such affidavits need to be stamped, it impedes the
online submission process. Wherever online submissions are permitted, it
is necessary for the Court officers to clarify that a "Digitally Signed"
compliant is enough for the Court to take cognizance of the application
and they should stop the practice of insisting on the affidavits. Even
where an advocate is representing a litigant, the advocate can also be
permitted to send his submissions through a digitally signed document.
ITA 2008 provides both the Adjudicator and the Cyber Appellate tribunal
to not only receive submissions online but also conduct the entire
hearing online. Detailed rules of the online process are yet to be
developed. I request Cyber Appellate Tribunal to take necessary steps to
design the procedures for online submission of appeals and other
documents and start a new trend in Indian judiciary. This will also be a
guideline for those who may have to frame the rules under Consumer
Protection Act when the amendments are passed.
Internet Censorship in India
Jan07: Blocking of websites in India has been
in news for some time. The fact that this power is being politically
misused is confirmed by
the incident where the website of a political
cartoonist, Mr Aseem Trivedi participating in the Anna Hazare protest in
MMRDA grounds has been blocked.
TOI has reported that the cartoon site of Aseem Trivedi was blocked
by blocking the domain name cartoonsagainstcorruption.com.
The uniqueness of this blocking incident has been
that it is not an ISP level blocking but a blocking at the domain name
level by a notice to the domain name registrar BigRock. Also the site
has been removed not by a Court order but by Police action. While
the cartoon site has reportedly been now
moved to another host, the
incident creates a precedent of far reaching consequences though
in a wrong context.
It is to be noted that blocking an objectionable
content is different from forcing cancellation of a domain name. Domain
Name is a "Virtual Property" and what Mumbai Police have done in this
case is "Depriving a Citizen of his Right to Property". This is
violation of his fundamental right. The action needs to be reviewed.
The domain name registrar BigRock.in should also be
questioned on the propriety of their action without even giving an
opportunity for the domain owner to defend. It amounts to deficiency of
service on their part.
This incident is therefore to be considered as a
serious threat to democratic principles. I hope some action to question
the legality of the action of the Mumbai Police and BigRock would be
undertaken by some public spirited persons in Mumbai.
Related article in Sunday Guradian
150 HITECH Act audits to be conducted in 2012
Jan06: Office of Civil Rights has announced
that it is likely to conduct around 150 audits under HIPAA-HITECH Act
before Dec 2012.OCR will audit as wide a range of types and sizes of
covered entities as possible; covered individual and organizational
providers of health services, health plans of all sizes and functions,
and health care clearinghouses may all be considered for an audit.
Business Associates will be included in future audits.
Patient Data posted in Facebook for fun
Jan 05: An employee of a staffing agency in
California is reported to have posted some patient's information at
Providence Holy Cross Medial Center in Mission Hills. California. It is
said that the person defended his action by stating that "People, it's
just Facebook. Not reality. Hello? Again ... it's just a name out of
millions and millions of names. If some people can't appreciate my humor
then tough. And if you don't like it, too bad, because it's my wall and
I'll post what I want to." The case raises several issues of HIPAA
violation and Social Media policy and behaviour of persons on social
media, besides human ethics. Firstly, there is a privacy breach which is
a HIPAA violation. Was there a BA contract with the staffing company?
Were the employees adequately trained? are other HIPAA compliance issues
for both the hospital and the BA. Does the Face Book wall belong to the
user and he can do what he wants with it? is another question. Another
grey area is whether this remains a Civil wrong only or will it
constitute a "Criminal Offence"? since the person claims that he did not
have any malicious intention and the posting was only in jest. All in
all, an interesting legal case worth discussing in detail.
New Transactions and Code Sets for HIPAA
Jan 05: From January 01, 2012, the new HIPAA
transaction code based on X12 Version 5010 and NCPDP Version D.0 have
New Member Judicial appointed for CAT
January 04: After 6 months of waiting, Cyber
Appellate tribunal has become active once again with the appointment of
Justice S.K.Krishnan as "Member (Judicial)". He has assumed office
from 23rd December 2011. It is expected that Justice Mr Krishnan may be
designated as the "Chair Person" so that he can independently conduct
the sittings of the Tribunal.
Beware of mobile calls from +224...
January 04: It has been reported that there is a
mobile scam in operation in India which may cost the unwary consumers.
The modus operandi is that calls will be received from numbers such as
+22455200981, +22455104370. At first glance this appears to come from
Mumbai. If you donot pick up the call and attend to it as a missed call
and return the call, you may be charged Rs 50 per minute. If you pick up
the call at the first ring, you are likely to be told some thing such as
""we need your IMEI number and are authorized by DoT to collect it",
"free handset giveaway from micromax" etc." It appears that we should
refrain from returning any missed call unless we know the caller.
E Banking is Not "Safe Banking"
Jan 2: The recent revelations from the website
http://www.yashks.com/ of how ICICI
Bank's net banking facility is vulnerable has shaken the confidence of
the public on Indian Banking System. Additionally the increasing number
of ATM card cloning and Credit Card cloning have made it impossible for
customers of Banks to sleep peacefully if they hold an ATM Card or a
Credit Card or Internet Banking. Unfortunately, though RBI has provided
good guidelines to protect consumer interests, Banks are completely
ignoring such guidelines and challenging the customers to go for
litigation. Indian legal system being what it is, the advantage always
lies with the Banks which have deep pockets to stretch litigation until
the customer finds it impossible to continue.
Under these circumstances it is clear that E Banking
in India will never be as safe as it is envisaged under the Banking
license. It will be a game of chance for customers that if they are
lucky, they will not be hurt by the E-Banking frauds in their life time.
I therefore request RBI to delink E Banking services from the Banking
license and let Banks operate E Banking only as a E Business under an
NBFC license. Then public will know that they cannot expect the same
level of security as they expect in traditional Banking. However in such
cases Banks should not call it as a "Banking service" and no privileges
that are normally available to a "Bank" should be made available to
those Banks. This E Business of "E Money Transactions" should be thrown
open to the non banking institutions who may be able to provide better
security than the Banks who misuse the trust they enjoy from being a
traditional banker to provide deficient E-Banking services.
A public debate on this "Banking Reform" is perhaps
the need of the hour.
Begins with a warning
Jan1: Home based activities that generate income
is of interest to many and on the eve of a New Year is more palatable
than at other times as an opening for a "New Beginning". However, the
Internet has become so untrustworthy these days that any such news has
to be taken with a bucket full of salt...Here
is an example of one such news which all readers must take note.