Let's Build a Responsible Cyber Society




Award against ICICI Bank-Comments Answered

The landmark decision of the Adjudicator of Tamil Nadu in the case of Umashankar Vs ICICI Bank, ordering payment of a compensation of Rs 12.85 lakhs to the victim of a Phishing fraud, was covered by a few publications. It appears that the media has been very diffident about covering the landmark case and probably the PR machinery of the Bank has been working overtime to ensure that the case is not publicised.

Electronic media, which sometimes takes up trivial issues and blows them out of proportion, is conspicuous by its silence. In this era of Commercial media, it is left to the Internet and Blogs to uphold the information needs of the common people like what this case presents.

Naavi.org has been in the forefront of such an activity and has fought against a reluctant media in other instances. We shall do so even in this case since we feel this is of relevance to the common man.

I would however like to clarify that I am an ex Banker and hold the Banking industry in high esteem. I also know the PR issues involved when adverse news of this nature breaks out in the media. I do not hold any personal grudge against ICICI Bank. In fact I am an admirer of ICICI Bank for being the leader in technology adoption. But..but.. I believe that adoption of technology should not be at the cost of security of the customer. I feel that the Bank in its quest for technology development might have forgotten the basic Banking ethics and the current adverse decision is perhaps a result of this wrong approach to business.

Even after the incident, I would have appreciated if the Bank had accepted its mistakes and gone ahead with upgrading its security measures as suggested by the Adjudicator in his order. Instead they appear to be justifying their position as stated in the case. I wish better counsel prevails.

I reserve my strong appreciation for the Adjudicator who despite all the pressures of his work has independently researched on the subject and come up with an order which deserves to be showcased.

Since the appointment of IT Secretaries as Adjudicators in the year 2003, there have been doubts expressed in various circles, including on occasions by Naavi.org, that the nature of administrative work of the IT Secretaries is not supportive of the onerous responsibilities cast on them as the State's adjudicator.

However the current order is a vindication of the decision of the IT Ministry to place their faith in the experience of the bureaucracy. It indicates that expertise as well as integrity exists in at least part of the bureaucracy and the good work represented in this order needs to be specially appreciated by all persons who have a concern for the welfare of the Netizens. I wish Sri PWC Davidar would be a role model to make the system of adjudication as envisaged in the ITA 2000 succeed.

After the article about the judgment appeared in some of the publications including Economic Times (Internet edition) many of the readers have made comments some of which indicate that the issue has not been fully studied by them. Hence we have picked the comments made on the ET article published here (Copy also available here) and tried to answer each of the comments. We will post a link to this in ET article but it appears that the comments for the article have been closed and it may not appear.

We also observe that the article has not so far been carried in the print editions and we hope ET will carry the news prominently in its print editions.


April 15, 2010

VENKATESH, NEW YORK, says: Hmm, we get such fraudulent phishing messages purportedly from "banks" all the time - it is common knowledge that one should not respond to the messages but contact the bank directly. The judiciary in any country has to have a good understanding of the business and social environment and update their knowledge base - unfortunately the Indian judicial system and the bureaucracy either have half-baked or absolutely no knowledge on these matters and make pronouncements that reveal their ignorance - when I see public officials reveal their ignorance in public I feel sad that a country has to rely on such people, that such officials can call their professional life fulfilling when such emptiness is revealed with pride - ICICI BANK IS NOT RESPONSIBLE.
[14 Apr, 2010 1652hrs IST]

Dear Mr Venkatesh

Your observation is completely wrong with respect to the current context. There may be other instances where the Judiciary has dished out decisions which are incorrect. Sometimes it may be due to the ignorance of the Judge. However mostly it is because the Judiciary has been inadequately counseled by the advocates representing the litigants. Courts base their decision on the facts placed before them, that too in a form which they approve. Sometimes the advocates miss certain vital points and sometimes the evidence is not presented in an acceptable form. Hence wrong judgments come out. Some of these get corrected in appeals at the higher courts but sometimes the losing party may not have the resources to fight out and the erroneous decision may stand as a precedent.

In this particular instance the adjudicator has made extensive research of his own before arriving at his well reasoned decision knowing fully well that it could raise a huge protest from the Banking industry. We must appreciate his conviction. I am sure that you would place enough faith in ICICI Bank and its advocates to have placed all facts to defend themselves before the adjudicator though they failed to convince him.

In case you have any valid defense against the decision, you are welcome to share with the public. (Please see some other answers below to answer your query in full)

Danny, Mumbai, says: This will never stand in the court. The next thing would be - Someone has come to my house from ICICI and threatened to cancel my account if I don't hand over the ATM card and the pin.. Penalize Y for stupidity of X.. nice one
[14 Apr, 2010 1534hrs IST]

Dear Danny,

The Judgement is from the office of the Adjudicator which is equivalent to a Civil Court. Under ITA 2000 the Adjudicator has the sole jurisdiction regarding all cases where damages are claimed as a result of a cyber crime. (Under ITA 2008, only cases where the damage claimed is in excess of Rs 5 crores go to the Civil Court.) The example given by you is incorrect. If you hand over your ATM card and PIN and claim misuse, you become a fraudster yourself. But if without your knowledge somebody steals your credit card and breaks your PIN the situation is different.

Also just think.. if somebody steals a cheque leaf from you, forges your signature and withdraws cash from a Bank, would you concede that it was your fault in not securing the cheque book and using a signature pattern which is simple enough for someone else to forge and hence you were stupid enough to bear the loss yourself?

Aman, Bhatia, says: From today onwards, I need not worry about Phishing sites because courts are there who will help me to get compensation from the concerned bank. Really a very sad day in the history of Indian Banking.
[14 Apr, 2010 1420hrs IST]

Dear Aman

You are taking it like a joke. Law protects those who are innocent and are taken advantage of by others. If you try to test the law you may be considered as part of the larger gang which conspires to loot the Bank. The circumstances surrounding the case will determine whether the victim is really a victim or a conspirator.

karpaka_rajan_v_chettiar, abu dhabi, says: with due respect and without any malicious intention; I feel that the verdict is not fair. However, the financial institutions should be entrusted with responsibility to educate the customers or prospective customers on the inherent risk and precautions to be adhered to. Regards, Karpaka@gmail.com
[14 Apr, 2010 1342hrs IST]

Dear Karpaka

Fairness of the verdict must be seen after perusing the copy of the judgement and understanding all the circumstances surrounding the incident. For 10 years, Indian law has been in force to mandate use of "Digital Signatures" in electronic communication but Banks want to place the customer's money at risk by using "Unauthenticated communications" for Banking. Please note that "Password" is not a legally valid authentication in India. Banks not only have the responsibility to educate the customers but also to adopt safe Banking practices.

Imagine that mobile phones manufactured by X company frequently explode and cause damage to the users while charging. However they have given disclaimers.. do not overcharge.. do not speak while charging.. etc. Can you then say that the victims are to be blamed for getting hurt? Similarly, if Banks are using insecure technology which is also not sanctioned by either law or by RBI guidelines, they cannot take shelter under customer negligence.

JACINTA, MIRA ROAD, says: ICICI bank deserves to be penalized as they never protect the interest of the customer. In the recent past I have lost 10,000 and ICICI did not provide any assistance to get the amount back. The battle carries on.
[14 Apr, 2010 1308hrs IST]

No Comments

Dinesh, Pune, says: ICICI bank is at 'NO' fault here. It's common sense not to disclose credentials into a mail and that too without enquiring the bank if it has sent such a mail.
[14 Apr, 2010 0023hrs IST]

Already replied

Rohit, bangalore, says: In this country India banks never won case against customers, that is why every financial regulations and conditions are in mess. Why should ICICI pay in the first place when it is the customer's negligence that he gave out his user id and password to wrong authority or people? Banks give lots of manuals and tips in every possible manner; people are least bothered to even give a glance at it. Why should the bank take liability for the foolishness and dumbness of people? This is not judgment, this is misjudgment
[14 Apr, 2010 1120hrs IST]

Already replied

janney, Bangaluru, says: Money transfer that too higher denomination, Bank should confirm from the customer either telephone or e-mail route. It is necessary to make Bank accountable for this negligence deeds.
[14 Apr, 2010 1106hrs IST]

No Comments

Rik, Mumbai, says: This is communism ... why punish a corporate for the stupidity of an individual ?
[14 Apr, 2010 1104hrs IST]

Even capitalism expects "Corporate Responsibility". Take the instance of Car manufacturers. If Cars have a tendency to catch fire, or brakes have a tendency to fail, the company is willing to replace the cars free of charge or pay compensation even if the customer could have limited the damage by getting out of the car as soon as he sees smoke instead of sleeping inside and getting burnt, or driving at only 30kmph so that even if the brake fails, he can avoid an accident! ... How can anybody be stupid to sleep inside a car or drive at 90kph?.. we can ask..

Bala, Chennai, says: Kudos to the TN IT Secretary who has given the verdict. While I say this, it is also the responsibility of the account holders not to respond to any of the Phishing sites / mails. Banks will have to be held responsible for any of these kind of unauthorised access. Alternatively, ICICI bank can use their GRID based security (Debit card) while login as well. The moment some mails asking for your debit card grid (which normally will not be asked by any bank) customers will be sure that it is a Phishing mail. I hope it would be a valid suggestion....any comments?
[14 Apr, 2010 1020hrs IST]

Recently one more case has been referred to me in which the grid numbers have also been forged. I do not know the details as yet to comment on how it occurred.

GJRN, Mumbai, says: ICICI bank never asks the user id and pwd. Through the public email systems, they only despatch statements. They have got their own email systems for internal requests. It is the innocence of the user and the compensation is a gift to the user
[14 Apr, 2010 0742hrs IST]

Law requires communication to be authenticated with digital signatures. If you want to do banking communication on an unsigned letter basis then you have to accept liability when the man in the middle forges another unsigned letter to his advantage.

Karthick, US, says: How come ICICI can be responsible for a mistake committed by its customer. At the most ICICI can be penalized for not helping the customer in his investigation but asking them to compensate for his loss is not right. Next everybody will send their password to some scam email and claim that their Bank is responsible for their loss. Being said that, I do not think it is possible to transfer 6.46L from online with just username and password.
[14 Apr, 2010 0549hrs IST]


Please see the judgement copy and the comments made earlier.


Pranav, Sydney, says: Really it set good example..cyber laws should tighten in India.

I agree. I have been asking Banks to first comply with existing laws. They want to save on technology upgradation at the cost of the customer and cover themselves by sending a few alerts. This is not acceptable.







Comments are Welcome at naavi@vsnl.com