Header image alt text


Building a Responsible Cyber Society…Since 1998

Workshop on Safe E Banking

Posted by Vijayashankar Na on April 30, 2013
Posted in RBI  | No Comments yet, please leave one

A day long workshop on Safe E Banking is underway at Reserve Bank of India, Bangalore. Mr G.Gopalakrishna, The Regional Director of RBI, Mrs Uma Shankar, Regional Director of RBI at Bangalore has inaugurated the workshop. ED is delivering the Key Note Address. Internaional Institute of Information Technology Law (IIIT Law) is organizing the speakers.

The workshop will discuss the GGWG regulations, the Risk Mitigation guidelines of February 28, 2013 and other regulatory aspects of regulation. Naavi  along with several other professionals and Banking security specialists will participate as speakers.

The event will mark the second anniversary of the issue of the RBI guidelines on April 29, 2011 on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as GGWG guidelines).


[Detailed Report will follow]

Migrating to Adaptive Authentication

Posted by Vijayashankar Na on April 29, 2013
Posted in BankITA 2008RBIUncategorized  | No Comments yet, please leave one

Banks in India have been traditionally using the “Legally Non Compliant”, “Password based Authentication” for their E Banking requirements. As a result there are frequent customer-Bank conflicts where the customer demands that Bank should undertake the liability on account of Cyber Frauds while the Banks blame the customer for not securing the passwords.

The RBI on the other hand has been urging Banks to improve the authentication methods used by the Banks. Way back in 2001, RBI stated that if Banks donot use Digital Signatures for authentication, they should assume the legal risk for Phishing kind of frauds. They reiterated the same again in 2011 through GGWG (G Gopalakrishna Working Group ) recommendations on Information Security.

After the rap on the knuckles received by the S.Umashankar Vs ICICI Bank adjudication verdict, some Banks started thinking of digital signatures as a means of authentication. But most stuck to the passwords and only enhanced it through a mobile based second authentication for certain key elements of transactions.

On February 28, 2013, RBI again issued a set of guidelines for mitigating the risks in both the electronic payment transactions as well as the Payment card transactions. Apart from reiterating the need for using digital signatures at least for RTGS transaactions of a certain value, RBI in this guideline has spoken about the need for the use of “Adaptive Authentication Technology” .

Banking in India therefore is on the move from the 2 Factor authentication to a regime where apart from the multiple factors that contribute to the authentication of an online transactions, the technology of authentication should adapt to the “behavioural pattern” of the customer based on a real time assessment.

This technology should increase the security for the customers though Banks would grumble as always about the cost of implementation.  But since this is the direction in which the global banking is moving  , there is no option for Banks but to adopt the “Adaptive Authentication technology”. (AAT)

From the users perspective it should not make any difference. In fact the AAT is expected to be unobtrusive and non interfering. The foundation may still be based in the currently used authentication parameters such as “What the customer knows”, “What the customer has” and “What the customer is”, supplemented with technologies such as the public key encryption etc. But the difference is that the AAT provides a deeper level of security since based on the transaction parameters it will invoke additional security measures.

For example, if a person has never used his E Banking account from abroad and there is a debit request from a foreign IP, the system should get alerted and hold the transaction execution until further confirmation is obtained. Similarly, if the amount withdrawn is far in excess of the usual transaction or the number of transactions within a small time is high etc (All these are typical occurrences in a Phishing transactions), the system should invoke higher levels of security. The higher level of security may be to requisition an additional factor of authentication including a “Call Referral” where the customer is given a telephonic call where the voice of the customer may be recognized by the system for authentication.

Hopefully Bankers will start adopting this higher level of security soon. Today being the second anniversary of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the G Gopalakrishna Working group or GGWG Recommendations), it is the right time for Bankers to take a pledge that they will leave no stones unturned for making Indian Banking Safe. Naavi therefore urges the industry to treat 29th April as the “Safe E Banking Day” and ensure that we remember our obligations and take steps towards protecting the citizens against E Banking frauds.



Banking Ombudsman Scheme under Review

Posted by Vijayashankar Na on April 29, 2013
Posted in Bank  | No Comments yet, please leave one

As one of the follow up measures of Damodaran Committee report on Customer Service, RBI has set up a committee to review the Banking Ombudsman scheme. (Refer details here).

Members of the public who have their views on the functioning of the scheme may take this opportunity to pass on their views to RBI.

The Committee set up for review would be headed bySmt. Suma Varma, Chief General Manager ,Customer Service Department, Reserve Bank of India, 1st Floor, Amar Building ,Sir P.M. Road, Fort, Mumbai-400 001. (Ph: 22630483).


The Banking Regulation Act amendment Act 2012 which was recently passed by the Parliament has now become effective.(See PIB Press Release).  It amends several provisions of the Banking Regulation Act 1949.

Some of the amendments are directed towards new Branch licensing , raising of capital, voting rights etc.

The Act will

a) Increase the powers of RBI to regulate the erring Banks

b) Provides greater freedom for public Banks for mergers, captital issue etc

c) Increase voting rights

What is of specific interest to the general public are  the following  amendments

1. Depositor Education and Awareness Fund

A new section 26A has been introduced in the Act which provides for setting up of a “Depositor Education and Awareness Fund” to which the balances in the inoperative accounts in accounts not operated upon for 10 years would be transferred. (Can be claimed back by genuine depositors even after the period). The fund may be utilized for purposes which RBI may specify from time to time in “Depositor’s interest”.

2.Increased Fine for Non Compliance

Further for various kinds of violations under the Act the fines that RBI may impose have been substantially raised. The maximum penalty which was Rs 5 lakhs at present has been increased to Rs 1 crore.

This development is considered good for the industry since it has been found in recent days that the regulations of RBI addressing depositor’s interests were being repeatedly ignored by some Banks.

In recent days “Money Laundering” which generally means “Facilitating the use of Banking services for criminal funds” has been indulged in by Banks as a matter of general policy of business promotion. A sting operation recently exposed such activities un ICICI Bank, HDFC Bank and Axis Bank.

This Business Standard article advocates that fines upto Rs 1 crore may be imposed for KYC failures.

Naavi.org has been discussing how KYC failures are the essential ingredients of any Bank fraud and needs to be curtailed with heavy fines. We have also pointed out how most of the losses of Depositors arising out of Phishing Frauds could be met out of collection of fines on KYC failures at the maximum rate of Rs 5 lakhs per failure if a fund is created for the purpose of insuring the depositors against such losses.

It appears that the scope for creation of such funds has now increased with the above amendment.

RBI may now examine if under the amended Banking Regulations Act, it may create a suitable “Electronic Banking Fraud Protection Fund” from out of a corpus built from the fines collected out of KYC failures observed during encashment of any phishing frauds. The suggestion is that while the Banks can pursue the legal means of locating the offenders and recovering the money from them, the victims must be reimbursed the amount of loss immediately from out of such funds. The payments can be considered as a loan to the Bank and suitable interest may be charged.

The fund may absorb losses arising out of cases where the offenders are not apprehended and money becomes irrecoverable in which case the loan already raised in the name of the Bank is written off. In other cases, recovered money maybe reimbursed to the fund.

The initial fund may be started with a corpus created out of contributions from member banks based on their deposits like the fees payable under DICGC or ECGC schemes.



Can Minors open Facebook account?

Posted by Vijayashankar Na on April 26, 2013
Posted in ITA 2008Uncategorized  | No Comments yet, please leave one

For the regular users of Facebook or Google, the question whether minors can open an account appears funny. But this is precisely what the Delhi High Court has asked the Indian Government in a PIL. (Details here). It would be interesting to know how Government of India will respond. Facebook and Google are also respondents to the case and their reply is also to be made in the next 10 days.

It is well known that minors constitute a large part of Facebook users and their business model thrives on the activity of these minors who seek friends and post messages of all kinds.

During the registration, Facebook asks for the date of birth and gives an explanation why the date of birth is asked, with the following pop up message.

“Providing your birthday helps make sure you get the right Facebook experience for your age. You can choose to hide this info from your timeline later if you want. For more details, please visit our Data Use Policy.

Not creating a personal account? If you’re here to represent your band (Sic), business or product,  please create a Facebook Page.”

There is also a page on “Minors and Safety” which states as follows:

“We take safety issues very seriously, especially with children, and we encourage parents to teach their children about safe internet practices. To learn more, visit our Safety Center.
To protect minors, we may put special safeguards in place (such as placing restrictions on the ability of adults to share and connect with them), recognizing this may provide minors a more limited experience on Facebook.”
There is therefore a clear admission from Facebook that accounts can be opened by minors and except for the warnings no other preventive measures are taken by Facebook to block minors.
It is also not easy to accept an argument that minors should be barred from using Facebook because they cannot enter into a valid contract and agree for terms and conditions.
The fact is that even adults donot have a valid contract for opening the accounts either with Facebook or Google since Indian law does not recognize the “Click Wrap Contracts” represented by the “I Gree” kind of acceptances which these websites use.
At the same time Facebook is not concerned since it does not have any financial stake if minors use the account.
From the perspective of technology development, it is also undesirable to say that a person has to be of 18 years of age to use the Facebook. At a time when 16 year olds commit rapes and murders  it is ridiculous to suggest that minors cannot use technology devices such as Facebook and Google. In fact today’s 16 year olds are more techno savvy than many older people. It will therefore be a regressive step to expect that minors cannot use social media or Google.
In fact, the Indian Majority Act itself is in need of change with the age of majority to be brought down from 18 to 16 for the contractual and CrPc purpose. The Internet use should be available under parental  supervision from at least 12 years on wards.
I remember that earlier Yahoo used to get parental consent for opening accounts of minors above 13 years of age. Today Yahoo mail account can be opened using a facebook ID or a Google ID. Hence at present even Yahoo appears to have diluted the norms of providing service to minors.
Keeping the earlier practice of Yahoo, solutions can be found to this issue which both Facebook and Google can adopt which may satisfy the concerns of the Court without affecting their business interests to a significant extent.
It would be interesting to see how these companies now respond to the Court’s order.
Even when this issue of social media is being discussed,  one can also raise the issue of whether minors can use mobile phones because mobiles also are individual communication devices though SIM cards or handsets can be owned by adults.

An interesting survey conducted in three countries namely US,UK and Germany have indicated that 46% of the consumers donot trust websites which rely only on “Passwords” for authentication. (Refer findings here)

If the findings of this survey is extended to India, then it means that the Internet Banking system in India where passwords are being used as a means of authentication instead of the legally mandated “Digital Signature” is also not being trusted by the customers. Though from the research angle it may not be proper to extend the findings without appropriate correction, if we consider that “Frequent users of Internet Banking” can be equated with the profile of the website users referred to in the survey, the situation in India may be qualitatively similar.

The survey also reports that an additional factor of authentication is prefered by the users. But different customers prefer different types of additional factor of authentication such as the mobile based authentication or ID cards or biometrics. Thus the Two Factor authentication which is being pushed by RBI appears to provide some additional comfort to the customers.

The current generation intelligent malware has however grown beyond the security offered by th 2F authentication and we need to have a serious re thinking on the authentication systems that can secure Indian Banking systems.

The Digital Signature System is definitely a legally recommended choice which is the minimum compliance standard. But time is fast approaching for the industry to start looking beyond mere adoption of the digital signature system and to think of further hardening of the authentication methodologies which are legally compliant and also is technologically as good as possible.

At the same time, we need to keep in mind the factor of “Social Engineering” and “Lack of Security Awareness” as additional factors for considerations and not assume that what is technologically superior will necessarily be so in practice. We are aware how the Certifying authorities in India abuse the digital signature system and how the Controller of Certifying Authorities (CCA) is turning a blind eye to the irregularities.

Since our country has adopted the PKI system with a regulatory body controlled by the statute, the security of digital signature in usage is dependent on how effectively the system is monitored by the public authority such as the CCA.

Presently CCA would be happy just if digital signature is adopted. But this attitude needs to be quickly shifted to tightening the system so that the respect accorded to digital signatures in Indian law should not be eroded.