Let's Build a Responsible Cyber Society
Chanda Kochhar Allows her e-mail to be hacked?

There is a strange way ICICI Bank does business. The Bank prides itself as one of the most progressive in utilization of technology. But along with it, it is also in the forefront of hosting a large number of Cyber frauds, though they might not be reported to RBI. Most of these frauds are classified as "Phishing" and the customers bulldozed into believing that it was their mistake that they fell prey to a Phishing attack and should absorb the loss.

Of course the S Umashankar Vs ICICI Bank case with the Adjudicator of Tamil Nadu has changed this perception and made the public aware that just because a customer allowed himself to be cheated by a fraudster in revealing his password, the Bank cannot absolve itself of its responsibilities in adopting appropriate information security policies to protect the transactions. This case proved that the reckless attitude of the Bank in opening accounts for fraudsters without any KYC checks beyond collection of some documents, whether true or faked, and the use of unauthenticated e-mails and an internet banking access system can haunt them as lack of due diligence and make the Bank liable along with some of its executives.

Unfortunately, ICICI Bank has not learnt its lessons even after being chastened by the Adjudicator's verdict. Recently, I came across a strange way the Managing Director of ICICI Bank handles her responsibilities in receiving communication from the public through e-mails. For those who may not remember, the Managing Director of ICICI Bank is none other than Ms Chanda Kochhar, who rose from the ranks at a galloping speed to the top post in the Bank. Kochhar has enjoyed many enviable recognitions including the Padma Bhushan award for her services to the banking sector. She is also the second Indian behind Sonia Gandhi to be recognized by Forbes in the "World's 100 most Powerful Women". A hot favourite of our TV channels, she was the honoured guest of Barkha Dutt and other TV personalities during the last fortnight at the global business leaders' meet at Davos.

To ask such a distinguished person if she knows how to handle E-Mails appears at first glance to be very disturbing.

But look at this sequence of events.

There is an e-mail ID recognized as "chanda.kochhar@icicibank.com". It appears that the mail ID belongs to Ms Chanda Kochhar, the CEO and MD.

Can it have any other interpretation? Obviously No.

Let's say you are a whistleblower and want to warn the MD about the various frauds that happen in ICICI Bank and how criminals are flocking to open accounts in the bank since it is the most convenient Bank to be used as a conduit for frauds.

Where will you send the e-mail? Obviously to chanda.kochhar@icicibank.com.

But don't be surprised if you get a reply instead from one K.Raghavender who represents the "Office of the head of Service Quality". It is difficult to understand what the designation means. Is he the "Head" of the Service Quality department? Or is he just a member of the team in the office? Never mind, but ask him why he is opening the e-mails addressed to the MD. If he has not been authorized in writing so far, we can say that Mr Raghavender has been "hacking" into the MD's e-mail. But Raghavender says he is authorized. He also adds that all Directors of the Bank have authorized others to open their e-mails.

Oh! What a policy! Perfect for later on claiming that any activity that represents chanda.kochhar@icicibank.com was actually done by somebody else in the Bank. If the Governor of the Reserve Bank receives any response from chanda.kochhar@icicibank.com, it might have actually been sent by somebody else in the Bank.

Have you heard of "Digital Signatures" as authentication for e-mails, so that you can know who the sender of an e-mail really is? ICICI Bank is one Bank which hates digital signatures, and they have made it known by passing dissenting comments in the S R Mittal Working Group and also indirectly in the G Gopalakrishna Working Group on Electronic Banking. Now we know why ICICI Bank would be happy with unauthenticated e-mails. Even the CEO prefers to do business without signatures.
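The point about digital signatures deserves a concrete illustration, so here is an added example (not part of the original post, and not code from ICICI Bank or anyone named above). It uses Go's standard-library Ed25519 implementation to show what a signed e-mail gives a recipient that an ordinary e-mail does not: a reply signed with the mailbox owner's key verifies against her published public key, while the same text signed by a delegate who merely has access to the mailbox, or a reply whose text was altered after signing, does not. The names "owner" and "delegate" and the message text are constructed for the demonstration; in practice the public key would be distributed through a certificate (as in S/MIME or PGP), which this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is a hypothetical mailbox owner holding an Ed25519 key pair.
// Keys are generated fresh on each run; nothing here is a real bank key.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewSigner creates a key pair for one person. Only the private key
// holder can produce signatures that verify under Pub.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, Pub: pub, priv: priv}, nil
}

// SignMail signs the canonical bytes of an outgoing message (in a real
// deployment this would cover selected headers and the body).
func (s *Signer) SignMail(mail string) []byte {
	return ed25519.Sign(s.priv, []byte(mail))
}

// VerifyMail checks a received message against the public key the
// recipient trusts for the claimed sender. A true result means the
// holder of that private key signed exactly this text.
func VerifyMail(trusted ed25519.PublicKey, mail string, sig []byte) bool {
	return ed25519.Verify(trusted, []byte(mail), sig)
}

// Demo runs the three cases the post is concerned with and returns
// whether each one verifies under the owner's public key:
// ownerOK    - the owner signed the reply herself
// delegateOK - someone else with mailbox access signed it with their key
// tamperedOK - the owner's signature over text that was changed afterwards
func Demo() (ownerOK, delegateOK, tamperedOK bool, err error) {
	owner, err := NewSigner("mailbox owner (hypothetical)")
	if err != nil {
		return
	}
	delegate, err := NewSigner("delegate with mailbox access (hypothetical)")
	if err != nil {
		return
	}

	// Constructed sample reply; the From line alone proves nothing.
	reply := "From: owner@example.invalid\r\n\r\nYour request has been noted."

	ownerOK = VerifyMail(owner.Pub, reply, owner.SignMail(reply))
	delegateOK = VerifyMail(owner.Pub, reply, delegate.SignMail(reply))
	tamperedOK = VerifyMail(owner.Pub, reply+" Not liable.", owner.SignMail(reply))
	return
}

func main() {
	ownerOK, delegateOK, tamperedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("signed by owner verifies:        ", ownerOK)    // true
	fmt.Println("signed by delegate verifies:     ", delegateOK) // false
	fmt.Println("owner signature, altered text:   ", tamperedOK) // false
}
```

The recipient only ever needs the public key; the private key never leaves its owner. That is the property missing from a shared, unsigned mailbox: once several people can send as one address, nothing in the message itself tells the reader which of them wrote it.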

Looks wonderful since many politicians also prefer the same policy. Subordinates sign papers while the head gets his/her work done through oral instructions so that if a scam surfaces, it is the small fishes that get caught.

But what a senior Bank executive like Chanda Kochhar should understand is that if the Bank allows a practice where incoming mails in the personal name of the MD are handled by others, even a legal notice sent to Ms Chanda Kochhar would be answered by Mr Raghavender, who always maintains a cut-and-paste paragraph for all his e-mails stating "ICICI Bank has foolproof security. If anything has gone wrong at your end, you must have done something wrong. Go to the Police; our Bank is not liable".

Recently, the undersigned wanted to send a mediation request to Ms Chanda Kochhar to avoid a complaint getting lodged against her which could create civil and criminal liabilities for her. But despite explaining the seriousness to Mr Raghavender through a series of mails, he continues to answer all mails sent to chanda.kochhar@icicibank.com. Hope that if there is any need for Ms Chanda Kochhar to pay damages or go to jail, Mr Raghavender would substitute!

More seriously, it is unfortunate that people in high places with lots of responsibilities on their shoulders reflect a very low understanding of how to handle communications in the electronic space. We today have one-to-one communications, and they will be used both for wishing happy birthdays and for sending legal notices.

If there is no respect for e-mail IDs given in the name of the Bank, it reflects the Information Security awareness, or more appropriately the lack of it, at the CEO level.

If this is the sad state of affairs at an apparently tech savvy Bank managed by a "Padma Bhushan", it is difficult to imagine what would be the state of affairs in other Banks.

One has to also raise the question whether RBI has factored in such lack of awareness amongst CEOs before introducing high-tech banking through the Internet and mobiles.

In the recent G Gopalakrishna Working Group report, a lot has been said about the need for education of customers regarding frauds in the electronic banking scenario, but the working group perhaps did not know that the awareness building has to start from the top.

Maybe RBI will now consider a "Workshop for CEOs of Banks" on Information Security, Cyber Frauds and Cyber Laws as the first recommendation to be implemented following the G Gopalakrishna Working Group. Otherwise how will Banks understand what Information Security is, what the role of a CISO is, what DRP and BCP are, etc., on which the working group has made many suggestions?
February 10, 2011

Reference: Copies of E Mails Exchanged