Award against ICICI Bank-Comments Answered
The landmark decision of the Adjudicator of Tamil Nadu in
the case of Umashankar Vs ICICI Bank, ordering payment of a compensation of Rs
12.85 lakhs to the victim of a Phishing fraud was covered by a few
publications. It appears that the media has been very diffident about covering
the landmark case and probably the PR machinery of the Bank has been working
overtime to ensure that the case is not publicised.
Electronic media which sometimes takes up trivial issues and blows
them out of proportion is conspicuous by its silence. In this era of Commercial
media, it is left to the Internet and Blogs to uphold the information needs of
the common people like what this case presents.
Naavi.org has been in the forefront of such an activity and
has fought against a reluctant media in other instances. We shall do so even in this case since we feel this is of
relevance to the common man.
I would however like to clarify that I am an ex Banker and
hold the Banking industry in high esteem. I also know the PR issues involved
when an adverse news of this nature breaks out in the media. I do not hold any
personal grudge against ICICI Bank. In fact I am an admirer of ICICI Bank for
being the leader in technology adoption. But..but.. I believe that adoption of
technology should
not be at the cost of security of the customer. I feel that the Bank in its
quest for technology development might have forgotten the basic
Banking ethics and the current adverse decision is perhaps a result of this wrong
approach to business.
Even after the incident, I would have appreciated it if the
Bank had accepted its mistakes and gone ahead with
upgrading its security measures as suggested by the Adjudicator in his order.
Instead they appear to be justifying their position as stated in the case. I
wish better counsel prevails.
I reserve my strong appreciation for the Adjudicator who
despite all the pressures of his work has independently researched on the
subject and come up with an order which deserves to be showcased.
Since the appointment of IT Secretaries as Adjudicators in
the year 2003, there have been doubts expressed in various circles including on
occasions by Naavi.org that the nature of administrative work of the IT
Secretaries
is not supportive of the onerous responsibilities cast on them as the State's
adjudicator.
However the current order is a vindication of the decision
of the IT Ministry to place their faith on the experience of the bureaucracy.
It indicates that expertise as well as integrity exists in at
least part of the bureaucracy and the good work represented in this order
needs to be specially appreciated by all persons who have a concern for the
welfare of the Netizens. I wish Sri PWC Davidar would be a role model to make
the system of adjudication as envisaged in the ITA 2000 succeed.
After the article about the judgment appeared in some of
the publications including Economic Times (Internet edition) many of the
readers have made comments some of which indicate that the issue has not been
fully studied by them. Hence we have picked the comments made on the ET
article published
here (Copy also available
here) and tried to answer each of the comments. We will post a link to
this in ET article but it appears that the comments for the article have been
closed and it may not appear.
We also observe that the article has not so far been
carried in the print editions and we hope ET will carry the news prominently
in its print editions.
Naavi
April 15, 2010
VENKATESH, NEW YORK, says: Hmm, we get such fraudulent phishing
messages purportedly from "banks" all the time - it is common knowledge that
one should not respond to the messages but contact the bank directly. The
judiciary in any country has to have a good understanding of the business and
social environment and update their knowledge base - unfortunately the
Indian judicial system and the bureaucracy either have half-baked or
absolutely no knowledge on these matters and make pronouncements that reveal
their ignorance - when I see public officials reveal their ignorance in
public I feel sad that a country has to rely on such people, that such
officials can call their professional life fulfilling when such emptiness is
revealed with pride - ICICI BANK IS NOT RESPONSIBLE.
[14 Apr, 2010 1652hrs IST]
Dear Mr Venkatesh
Your observation is completely wrong with respect to the current context.
There may be other instances where the Judiciary has dished out decisions
which are incorrect. Sometimes it may be due to the ignorance of the Judge.
However mostly it is because the Judiciary has been inadequately counseled by
the advocates representing the litigants. Courts base their decision on the
facts placed before them that too in a form which they approve. Sometimes the
advocates miss certain vital points and sometimes the evidence is not
presented in an acceptable form. Hence wrong judgments come out. Some of these
get corrected in appeals at the higher courts but sometimes the losing party
may not have the resources to fight out and the erroneous decision may stand
as a precedent.
In this particular instance the adjudicator has made extensive research of his
own before arriving at his well reasoned decision knowing fully well that it
could raise a huge protest from the Banking industry. We must appreciate his
conviction. I am sure that you would place enough faith in ICICI Bank and its
advocates to have placed all facts to defend themselves before the adjudicator
though they failed to convince him.
In case you have any valid defense against the decision, you are welcome to
share with the public. (Please see some other answers below to answer your
query in full)
Danny, Mumbai, says: This will never stand in the court. The next thing
would be - Someone has come to my house from ICICI and threatened to cancel my
account if I don't hand over the ATM card and the pin.. Penalize Y for stupidity
of X.. nice one
[14 Apr, 2010 1534hrs IST]
Dear Danny,
The Judgement is from the office of the Adjudicator which is equivalent to a
Civil Court. Under ITA 2000 Adjudicator has the sole jurisdiction regarding
all cases where damages are claimed as a result of a cyber crime. (Under ITA
2008 cases where the damage claimed is in excess of Rs 5 crores only goes to
the Civil Court). The example given by you is incorrect. If you hand over your
ATM card and PIN and claim misuse, you become a fraudster yourself. But if
without your knowledge somebody steals your credit card and breaks your PIN
the situation is different.
Also just think.. if somebody steals a cheque leaf from you, forges your
signature and withdraws cash from a Bank, would you concede that it was your
fault in not securing the cheque book and using a signature pattern which is
simple enough for someone else to forge and hence you were stupid enough to
bear the loss yourself?
Aman, Bhatia, says: From today onwards, I need not to worry about
Phishing sites because courts are there who will help me to get compensation
from the concerned bank. Really a very sad day in the history of Indian
Banking.
[14 Apr, 2010 1420hrs IST]
Dear Aman
You are taking it like a joke. Law protects those who are innocent and are
taken advantage of by others. If you try to test the law you may be considered
as part of the larger gang which conspires to loot the Bank. The circumstances
surrounding the case will determine whether the victim is really a
victim or a conspirator.
karpaka_rajan_v_chettiar, abu dhabi, says: with due respect and without
any malicious intention; I feel that the verdict is not fair. However, the
financial institutions should be entrusted with responsibility to educate the
customers or prospective customers on the inherent risk and precautions to be
adhered to. Regards, Karpaka@gmail.com
[14 Apr, 2010 1342hrs IST]
Dear Karpaka
Fairness of the verdict must be seen after perusing the copy of the judgement
and understanding all the circumstances surrounding the incident. For 10
years, Indian law has been in force to mandate use of "Digital Signatures" in
electronic communication but Banks want to place the customer's money at risk
by using "Unauthenticated communications" for Banking. Please note that
"Password" is not a legally valid authentication in India. Banks not only have
the responsibility to educate the customers but also to adopt safe Banking
practices.
Imagine that mobile phones manufactured by X company frequently explode and
cause damage to the users while charging. However they have given
disclaimers..do not overcharge..do not speak while charging.. etc. Can you then
say that the victims are to be blamed for getting hurt? Similarly, if Banks
are using insecure technology which is also not sanctioned by either law or by
RBI guidelines, they cannot take shelter under customer negligence.
JACINTA, MIRA ROAD, says: ICICI bank deserve to be penalized as they
never protect interest of the customer. In the recent past I have lost 10,000
n ICICI did not provide any assistance to get the amount back. the battle
carries on.
[14 Apr, 2010 1308hrs IST]
No Comments
Dinesh, Pune, says: ICICI bank is at 'NO' fault here. It's common sense
not to disclose credentials into a mail and that too without enquiring the
bank if it has sent such a mail.
[14 Apr, 2010 0023hrs IST]
Already replied
Rohit, bangalore, says: In this country India banks never won case
against customers , that is why every financial regulations and conditions are
in mess, why should ICICI should pay at first place when it is customer's
negligence that he gave out his user id and password to wrong authority or
people, banks gives lots of manuals and tips in every possible manner people
least bothered to even give a glance at it. Why bank should take liability for
the foolishness and dumbness of people, This is not judgment this is
misjudgment
[14 Apr, 2010 1120hrs IST]
Already replied
janney, Bangaluru, says: Money transfer that too higher denomination,
Bank should confirm from the customer either telephone or e-mail route. It is
necessary to make Bank accountable for this negligence deeds.
[14 Apr, 2010 1106hrs IST]
No Comments
Rik, Mumbai, says: This is communism ... why punish a corporate for the
stupidity of an individual ?
[14 Apr, 2010 1104hrs IST]
Even capitalism expects "Corporate Responsibility". Take the instance of Car
manufacturers. If Cars have a tendency to catch fire, or brakes have a
tendency to fail company is willing to replace the cars free of charge or pay
compensation even if the customer could have limited the damage by getting out
of the car as soon as he sees smoke instead of sleeping inside and getting
burnt or driving at only 30kmph so that even if the brake fails, he can avoid
an accident! ... How can anybody be stupid to sleep inside a car or drive at
90kph?.. we can ask..
Bala, Chennai, says: Kudos to the TN IT Secretary who has given the
verdict. While I say this, it is also the responsibility of the account
holders not to respond to any of the Phishing sites / mails. Banks will have
to be held responsible for any of these kind of unauthorised access.
Alternatively, ICICI bank can use their GRID based security (Debit card) while
login as well. The moment some mails asking for your debit card grid (which
normally will not be asked by any bank) customers will be sure that it is a
Phishing mail. I hope it would be a valid suggestion....any comments?
[14 Apr, 2010 1020hrs IST]
Recently one more case has been referred to me in which the grid numbers have
also been forged. I do not know the details as yet to comment on how it occurred.
GJRN, Mumbai, says: ICICI bank never asks the user id and pwd. Through
the public email systems, they only despatch statements. They have got their
own email systems for internal requests. It is the innocence of the user and
the compensation is a gift to the user
[14 Apr, 2010 0742hrs IST]
Law requires communication to be authenticated with digital signatures. If you want
to do banking communication on an unsigned letter basis then you have to
accept liability when the man in the middle forges another unsigned letter to
his advantage.
Karthick, US, says: How come ICICI can be responsible for a mistake
committed by its customer. At the most ICICI can be penalized for not helping
the customer in his investigation but asking them to compensate for his loss
is not right. Next everybody will send their password to some scam email and
claim that their Bank is responsible for their loss. Being said that, I do not
think it is possible to transfer 6.46L from online with just username and
password.
[14 Apr, 2010 0549hrs IST]
Please see the judgement copy and the comments made earlier.
Pranav, Sydney, says: Really it set good example..cyber laws should
tighten in India.
I agree. I have been asking Banks to first comply with existing laws. They
want to save on technology upgradation at the cost of the customer and cover
themselves by sending a few alerts. This is not acceptable.
Naavi
April 15, 2010
COPY OF THE JUDGMENT
Comments are Welcome at
naavi@vsnl.com