Awake and Stop Not until Indian E Banking is made Safe
80000 Cyber Crime complaints filed in Kerala
July 31: For the first time in India, one state
appears to have reported truthful figures on Cyber Crime complaints
registered in the State. In the last one year it is reported that 80000
cyber crime complaints have been registered in the State in the last one
In the light of this report, the
statistics on Cyber Crimes becomes completely untenable. In the year
2010, a total of only 966 cases have been recorded of which 148 have
been attributed to Kerala. It is not possible for 148 incidents to
increase to 80000 all of a sudden. There is therefore a need to review
the NCRB system of recording cyber crimes and make it reliable.
"Vishing" on the rise
July 31: FBI has warned public of a telephone
scam where callers identified themselves as calling from Microsoft and
suggesting that there was a security issue/virus in their computers.
Public should note that such calls may lead to enquiry
on user names, passwords or even installation of trojans disguised as
license for software etc.
Recently I also came across an incident where some
callers identified themselves as speaking from SBI and successfully
extracted the Internet Banking credentials to later withdrawing the
In the light of these developments, public should be
vary of responding to any call from Banks however convincing they may
Disgruntled Employee responsible for Delhi T3
July30: CBI has identified an ex-employee of
ARNIC responsible for the system disruption at Delhi T3 air terminal on
June 29, 2011.
It is stated that he introduced a malicious code and
executed it remotely from Bangalore where he was working and expected
that his help would be sought by ARNIC to sort out the issue.
Unfortunately the company opted to investigate the disruption and ended
up with a Cyber Crime charge. The incident highlights the need for
Behavioral Science approach to Information Security as being advocated
by Naavi in his
Three Dimensional Approach to Information Security.
Why Biometric Systems are unreliable
July26: Academicians have reported that Iris
scan security systems can be cheated by using contact lenses specially
created with the iris signature of a person.
Report. Similar cheating may be possible if people develop hand
gloves with preprinted finger print patterns. This could be a challenge
to the UID system being developed in India.
Phantom Debt Collection Scam
July 26: A new type of scam is being reported
in US. This involves calls to citizens about existing or non existing
debts with threats of legal action. It is reported that the abusive
calls emanate from Indian Call Centers and have extracted millions of
dollars from US citizens. The modus operandi is to steal some personal
information on loans, threatening with abuses and defamation to extract
It is possible that such scams exist even in India.
It has been observed in recent days that at least one law firm in
Bangalore seems to have authorized a mobile company to send legal
notices on their behalf. It also appears that the Lok Adalat notices are
being sent by the companies themselves as unsigned pre printed letters.
It is not clear if the Bar Council or Lok Adalat is aware that notices
are being issued in their name by the Companies themselves.
A detailed investigation is required by BAR Council,
Legal Authority of Karnataka and TRAI to investigate such practices.
Intermediary Guidelines and Constitutional Validity
Here is an analysis of whether the rules issued under Section 79 of
ITA 2008 pass constitutional validity test.
Read the Article here.
This issue has been discussed several times at
Naavi.org and the above article provides a reasoned support to the view
that the rule is unconstitutional.
Despite this matter having been brought to the
attention of the responsible persons in DIT/MCIT as well as the Minister
Mr Kapil Sibal, no corrective action has been taken. Even the motion
brought in Rajyasabha by some MPs were defeated with simple assurances
without any intention of being fulfilled.
We are aware that the GOI officials and ministers
have no time for doing their constitutional duty and draft such rules
without proper consultation and relying on a few confidants. Hence
despite the issue being brought to the attention of the officials, no
action is taken.
It is time that the Courts should take suo moto
cognizance of unconstitutional acts of the Government and take up the
issue for review. They should not wait for a Subramanya Swamy to file a
PIL. Some Judges are known to be distasteful of PIL and many activists
are afraid of approaching such Courts for the fear of being lapped up
with heavy fines for bringing up the litigation. Hence these issues may
never be brought to the Courts by public persons and will remain in the
statute filling up the legal system with unconstitutional legislations.
PAN Number Misuse through Railways
July 19: An alert information security
professional has reported that certain jewellers are buying particulars
of PAN numbers along with the name age and sex of a person as displayed
on the Railway reservation charts to quote in certain purchase
transactions. This would place the person in a situation where they need
to explain the source of funds to the IT department for purchases not
made by them. PAN number is today being quoted at a number of places and
hence it is possible to misuse them in the way described.
It may be noted that according to the proposed
Privacy Act, PAN number is considered a "Sensitive Personal
Information". Hence its display in public domain by Indian Railways is a
violation of the "Privacy of a person" and could make the Railways
It is also advisable that passengers may avoid using
the information for reservation purpose.
However the biggest source of risk is the Mobile
companies who also collect PAN information and are known to have very
low security of the information.
Spear Phishing on bank accounts
July 12: Targeted phishing attacks with mails
appearing to come from friends which may drop Trojans is on the raise.
This video discusses this growing problems and how Banks are facing
increasing law suits alleging lack of adequate security.
Noida Police bust Bank Loan Fraud
July 12: Noida Police have busted a racket
which involved creation of a fake Bank account in the name of a fake
company whose fake employees were granted loans on the basis of
fraudulent salary information. The fraudsters are reported to have used
sophisticated techniques to send e-mails in the name of popular
companies to mislead the Banks. The incident once again exposes how
fraudsters have graduated to use Cyber space as a tool for committing
physical space frauds.
Gujarat Police save ICICI Bank from Hacker
July8: In what should be considered an
excellent catch, Gujarat Police arrested a person and busted a six month
long preparation for a Bank heist. ICICI Bank was the targeted Bank
where two specific accounts with balances of Rs 10 crore and 22 crore
were apparently targeted by cloning the Bank server and effecting fund
transfers. The incident establishes that the ICICI Bank's system which
incidentally uses Finacle of Infosys had certain vulnerabilities that
were being exploited by the fraudster. There is a possibility that the
report may contain errors and "Cloning of server" as reported may simply
be "Cloning of ICICI Bank website". More details are awaited.
Patent on Security monitoring
July7: A Bangalore based Information security
professional Mr Samir Kelker has been successful on registering an US
patent for a "A
system for real-time vulnerability assessment of a host/device".
Copy of the
Resale of used software license legal..EU Court
July 5: In a significant decision Europe's
highest court (The European Court of Justice -ECJ) ruled on Tuesday that
the trading of "used" software licenses is legal and that the author of
such software cannot oppose any resale. In a case of UsedSoft Vs
Oracle, referred by a German Court, ECJ said that the exclusive
right of distribution of a copy of a computer program covered by such a
licence is exhausted on its first sale. This applies to downloaded
software as well as that bought on CD or DVD. This ruling sets a
precedent for trading of used software licenses throughout the European
Union and could potentially impact ebooks and computer games as well.
2F Authentication is inadequate
July 4: Recent types of Bank frauds in India
and elsewhere have exposed the vulnerabilities in the 2F system of
authentication. Indian Banking system relies heavily on this system.
Though this is an improvement over the existing password based system,
time has come for RBI to think of new security measures to beat the
trojans which can sit in the customer's machines and modify the browser
inputs without the knowledge of the user (Yash vulnerability). In such
cases, the customer himself enters the OTP and hence there is no way the
2F system can secure frauds. There could be other means of stealing the
OTP information or disabling the OTP authentication also.
Global researchers are already discussing the
vulnerabilities in the digital signature system while in India we are
yet to move up in the security chain from the OTP system.
NCRB Report 2011 Released
July 4: The National crime records bureau (NCRB)
has released statistics on various crimes in India in 2011 including
Cyber Crimes. Though the records are considered a reflection of only
crimes registered with the Police and does not contain a significant
number of incidents not reported to Police, it is notable that the
registered complaints have also shown a significant increase of 85% over
the previous year.
Andhra recorded the highest number of cases (349)
followed by Maharashtra(306), Kerala (227) and Karnataka (151). 826
cases were related to loss or damage to computer resource while 496
cases pertained to Obscenity. The classification of crimes as "under
section 66(1) and 66(2)" needs some clarification since no such section
exists. 94 cases registered apparently under Section 65 also needs to be
cross verified if they are actually cases under Section 66. 15 cases
have bee fled under the digital signature category and 26 under "Breach
Overall it is good to note that Police are
increasingly registering Cyber Crime cases.
July 1: Here is a narration of the harrowing
experience of a customer of Axis Bank as reported to Naavi.org. The
victim here has suffered a loss of Rs 11 lakhs due to the faulty E
Banking security. Readers may come to their own conclusion on who should
be held accountable for this fraud...
Anticipatory Bail for Hotel owners rejected
July1: The owners of several restaurants in
Baroda suspected to be involved in debit card scam have been rejected
anticipatory bail. Te fraud involved some restaurant owners swiping
cards of their own friends and relatives along with tips. While the
amount along with tips got credited to the hotel's account, only the
basic amount was debited to the card holder's account. Obviously there
was a loophole in the system which was being systematically exploited.
It is said that the total fraud is of a value of more than Rs 1 crore.
Report in TOI
Internet censorship in India
June 27: India is one of the countries in
which Internet Censorship is very strong. One more example of the same
is the blocking of
http://hipaablog.blogspot.com a site which contains only useful
information on HIPAA. I want viewers to check if this has been blocked
in their ISP s also since different ISPs may have different policies.
Please do inform me if any other ISPs (I have checked with BSNL) have
also blocked the site. We can also demand from CERT-IN the reason why
this site has been blocked.
Cyber Crime Losses in Euro Banks
June 27: A study by Mcafee and Guardian
Analystics has estimated that the Cyber Crime losses in 60
European Banks could be in the range of USD60 million to 2 billion. At
present estimates in India vary between Rs 2000 to Rs 6000 crores per
annum. (USD 1 billion). But RBI and Indian Banks donot seem to be
concernede since they feel that Indian Banking system is resilient
enough to feed Cyber Criminals without hurting the consumers!
"John Doe" Or "Ashok Kumar" or "Kolaveri"?
June 23: The recent controversy in which
several websites were blocked citing the Madras High Court order by the
producers of the film "3" made the liberal reference to the "John Doe"
principle which in the Indian context was referred to as "Ashok Kumar"
principle. This principle is normally used when there is an offence but
the party is not identified. In the instant case however, the accused
was not "Anonymous". They were actually "Non Existent" on the date of
the Court's order. The prayer and the order was based on the speculation
that some unknown persons may infringe the copyright on the website and
if so they need to be blocked. Such an order needs to be classified
differently and not combined with the John Doe principle. Considering
that the film "3" was famous for the "Kolaveri Song", it may be apt to
call this principle as the "Kolaveri Principle".
June22: In an interesting modus operandi, it is
reported that certain persons in Mohali successfully fooled the ATMs to
report "Failed Transactions" when they withdrew Rs 10000/- and left Rs
100/- in the tray itself.
June 21: Researchers have found one instance
where the size of the brain tumor looks different in Mac and a PC
opening up the debate for telemedicine laws. The research in Germany
found that when data from 30 brain scans were viewed in a "FreeSurfer"
package there were significant difference between Mac and PC outputs.
The incident highlights the need for telemedicine law which imposes high
levels of testing and liabilities for non compliance.
Madras high Court Clarifies on Website blocking
June 21: Madras high court has clarified that
there is no need for ISPs to block the entire websites when the dispute
was related to a specific document. Naavi.org has also been raising its
voice about the unfairness of such orders. It is good that the
clarification has come through.
New Threats to Indian Banks
June 21: Trend Micro has warned that new
variations of SpyEye and Zeus are being sold in the underground
malicious code market and are being used in conjunction with web
injections and man in the browser attacks to rob Banks.
RBI and CERT have been sitting quiet on the
representations made by Naavi.org a few month's back with demonstrations
on such possibilities. It had been pointed out that the trojans can even
present false account views to the customers so that they never realize
the changes in their balances until they veirfy the balances through
alternate channels. The seriousness of the matter is being ignored by
RBI and CERT and the larger banking public are being placed at high
risk. With such insensitive security managers, Indian Banking system is
in grave danger of an attack which will bring the system to halt.
MIT is Confused on the Status of CAT
June 20: The Ministry of Communications and
Information Technology has been managing the Cyber Law in the country.
For some reasons the Ministry of Law appears to be uninterested in
managing "Cyber Law" in India. It is fine as long as MCIT consults the
Ministry of law and does a good job.
But of late, the functioning of MCIT has been raising
eye brows. While MCIT is in the forefront of Internet Censorship in
India, they remain actionless regarding appointment of the Chairperson
for Cyber Appellate Tribunal (CAT). The confusion the department is in
regarding the status of CAT is evident from the fact that pages of MCIT
continue to depict CAT as a division under CCA and headed by an official
The ITA 2000/8 envisaged CAT as equivalent to a Court
headed by a person with the seniority of a High Court judge. But the
department believes that "CAT has been set up under the aegis of the CCA)
snapshots of web pages enclosed). The latest executive assignments
indicate that Mr Gulshan Rai is not only the Director General of
ICERT, but also is the CCA and Head of Division of CAT.
Given the onerous responsibilities of the head of
ICERT, it is unclear why MCIT needs to have a single head for three
different activities each of which requires perhaps more than one person
to manage. More importantly, any appeal of a decision of CCA has to go
to CAT as per ITA 2000/8. It is therefore strange that the Government
thinks that a subordinate judicial authority (CCA) can be called
the administrator of CAT and a "Scientist" of the Government can be
called the "Head of Division of a Judicial body". This is like a State
Government appointing an officer of the Government as the "Head of
Division of High Court".
I hope MCIT understands the niceties of judicial
appointments and corrects the situation.
HIPAA-HITECH Rules may get updated
June 15: Final version of the HIPAA breach
notification rule published in July 2010 is likely to be notified
shortly. Also some changes in the "meaningful use rule" is also expected
under HITECH Act.
Digital Assets and Digital Wills
June 14: With the integration of digital life
and physical life in the current generation, there is value to many of
the digital assets they build up during their life time.
Apart from storing copyrighted material, people
accumulate domain names, hosting space, product license etc in digital
form. The control to these may be through passwords which are lost when
the asset owner expires. There is a discussion in these circumstances
about how the digital assets can be inherited.
Naavi.org was one of the first to raise this issue
and also offer a suggested solution through
It is essential to recognize that "an Electronic
document" can be an "asset" which has value, ownership, transferability
characteristics. But if these has to be transferred after death of the
owner, it has to be by means of a physical instrument and not a digital
will in the form of an electronic instruction since ITA 2000/8 has not
provided recognition for such instruments.
It may be necessary at some point of time in future
for the Indian Government to consider that "a Digital Will in electronic
form is recognized for transfer of digital assets" while a written will
can transfer both physical assets as well as digital assets. In such a
case an issue of dating of the digital will for digital assets vs
written will for digital assets need to be sorted out.
Related Article in BT
Canara Bank Exposed
June 13: In a stunning revelation, the arrest
of a Skimming kingpin by Bangalore Police has also exposed the gross
negligence of Canara bank in its ATM management. The report in
Bangalore Mirror indicates how the skimmers targeted Canara Bank
ATMs since most of them did not have guards. When the case of Mr Nagaraj
had been taken to the Banking Ombudsman in Bangalore last year for a
similar fraud of Rs 40000/-, the Banking Ombudsman failed to penalize
Canara bank for running ATMs without guards and without CC TV cameras.
Had he reacted judiciously at that time probably the current spate of
frauds might not have happened. Now it is time for RBI to ensure that no
ATMs without guards and CCTV cameras (functional) are allowed to be
operated by any Bank in India. The news report provides chilling
information that the Russian skimmer supplier has stated that he has too
many orders on hand to supply such skimmers to India. RBI should note
this as a warning of how the security of Indian banking system has been
allowed to be diluted by their slackness.