

Building a Responsible Cyber Society…Since 1998

It is unfortunate that some of the unpleasant prophecies of Naavi.org about increasing Card-related frauds are becoming a reality. It is reported that Mumbai Police statistics show that in the first 9 months of 2015, Credit card frauds rose by 90% over the corresponding period of the previous year. Overall Cyber Crimes rose by 52% and obscene e-mails by 34%.

Article in Indian Express

It has been pointed out in the article that the reasons for this massive rise in frauds include:

a) Pushing technology onto persons who do not understand its security implications

b) Card cloning and Vishing

c) Lack of safeguards built around technology

Naavi.org agrees that all the above reasons contribute to the increasing card frauds, and that they reflect a fundamental flaw in the system of regulation.

Firstly, Banks are going too fast in introducing insecure technology to serve their commercial needs, and RBI has failed in its duty as a regulator to prevent insecure services from hitting the market.

In June 2001, RBI did mention that Banks need to obtain Cyber Insurance against technology-related frauds and treat them as the Bank’s legal risk. However, Banks have neither obtained Cyber Insurance nor taken on the onus of securing the system. On the contrary, they are going ahead with new services that carry increasing risk.

Though initially the “Adjudicators” in Chennai and Mumbai gave relief to victims of bank frauds by holding the Banks liable under Section 43 of ITA 2000/8 read with Section 85, Banks held up delivery of justice through appeals, which were stalled for reasons such as the non-appointment of a Chairperson for the Cyber Appellate Tribunal since 2011, and through the mis-judgement of at least one Adjudicator in Bangalore, which has not been corrected by the Karnataka High Court and remains pending because the Cyber Appellate Tribunal is non-functional.

The mis-judgement was perhaps a consequence of ignorance on the part of the Adjudicator, or it could have been a decision influenced by the affected bank and the conflicting relations it had with the decision maker. The inability of the Karnataka High Court was again a matter of the inability of the concerned judge to appreciate the facts of the case, which were misrepresented by the Bank, as well as its reluctance to take responsibility for delivering justice to the victims. The non-availability of a Chairperson in the Cyber Appellate Tribunal since 2011 is perhaps a conspiracy between the affected Banks and the officials, as well as a result of the controversies surrounding the NJAC.

The Modi Government is encouraging greater use of the card system in meeting its digital economy goals, but the IT ministry under Mr Ravi Shankar Prasad and RBI under Raghuram Rajan are both incompetent and uninterested in ensuring the security of the financial model of Digital India.

As we go into the next decade, there will be more and more of these card frauds involving amounts of less than Rs 10000/-, with the use of mobile wallets where security is a secondary objective for the Banks. The individual amounts will be too small for victims to pursue legal remedies, and hence most of the accused will go unpunished.

Police are doing a great disservice by not recognizing that Banks that introduce insecure banking services are to be considered mainly liable for such frauds, and have failed to charge the respective Banks in cases of fraud. These Banks not only introduce untested technology but also repeatedly fail in their KYC obligations. Many of the mobile service providers are also guilty of KYC failures, and since mobile KYC is the foundation for many mobile-based services, these KYC failures are reflected in increased frauds.

In many cases of fraud, including the “Call from Information division of Delhi Consumer Courts” reported in these columns, Police have not taken any proactive remedial action. Call centres are operating in the Delhi NCR region, right under the nose of the country’s top police authorities, in which people are recruited to commit frauds by calling prospective victims, run like a BPO operation. Naavi.org itself has provided a couple of phone numbers during the last week and there is no news that Police have actually acted on them.

If Police want every such crime to be confirmed only through a complaint from the affected person, and refuse to investigate without a complaint, then these frauds will not come down.

Just as Banks are an indirect cause of such frauds due to their negligence, Police by their inaction are also contributing to the proliferation of these crimes.

Despite the clear instructions of RBI that Banks secure victims through a system of Cyber Insurance, and the Banks’ flouting of such regulatory guidelines, it is unfortunate that Police have not made Banks a co-accused in any of these card cases. In cases where there is a possibility of the involvement of Bank employees, Police may initiate action. But what we are trying to say is that even when there is no direct evidence of the involvement of Bank employees, using the “Negligence” aspect under Section 85 of ITA 2000/8, Police are bound to make Banks pay for the losses of the fraud victims. Banks themselves need to cover this risk through Cyber Insurance.

In the case of S.Umashankar Vs ICICI Bank, after the adjudicator held the Bank negligent and granted compensation, the undersigned wrote specific letters to the DGP of Tamil Nadu to pursue criminal charges against ICICI Bank. But they failed to do so. Now in Mumbai, there have been many decisions of the adjudicator Rajesh Aggarwal against Banks. He was transferred out of the position so that he does not create fresh problems for Banks. But the Police in Mumbai could have initiated their own criminal action against each of the Banks held guilty in the civil proceedings of the adjudicator. This would have created a deterrent against continuance of the crime and would also have woken up organizations such as RBI and the Indian Banks’ Association. Their reluctance to charge Banks under Section 85 of ITA 2000/8 is therefore a contributory factor in the increase of cyber frauds.

I hope that Mumbai Police will now show the way for the rest by filing cases under Sections 43-66 of ITA 2000/8 read along with Section 85 of ITA 2000/8 in all the cases in which Mr Rajesh Aggarwal has found the Banks guilty of negligence and granted compensation to the fraud victims.

Simultaneously, the Chief Justice of India should immediately clear the papers for the appointment of the Chairperson of the Cyber Appellate Tribunal, which are reportedly being held up at his office. The Karnataka High Court, which is sitting on a PIL in this respect without listing it for final hearing, should also expedite the hearing, so that all these institutions work in unison with the Police to improve the counter-cyber-crime ecosystem.

It is not necessary to remind the authorities that a substantial part of this crime income may also be reaching terrorists and funding their operations against India. Hence neglecting these crimes is a grave error on the part of Law enforcement, the Judiciary and the Government.

As I have highlighted several times, the anti-Modi brigade will use increasing Cyber Crime as a charge of inefficiency against Mr Modi’s governance, particularly when the heat is felt by the beneficiaries of the Jan Dhan Yojana in villages.

Law and Order in Cyber Space will be a relevant issue in the 2019 elections, which will determine whether Mr Modi’s policies survive to serve the country in future or not. If Mr Modi does not realize it now and act appropriately, it will be too late to save the country.


Related Article: Hotel Industry will be the next big victim

A Broker for Zero Day Vulnerabilities?

Posted by Vijayashankar Na on November 24, 2015
Posted in Cyber Law

The way the underworld for Cyber Crime tools has developed indicates how complicated the world of Cyber Crime is from a law enforcement perspective. Cyber Criminals are difficult to catch both because they are anonymous and spread across the globe, and because they are technically a step or two ahead of the best of law enforcement. Also, the Cyber Criminal has a lot of time at his disposal to plan and commit a crime, while law enforcement has only a limited time before the evidence starts fading. Additionally, law enforcement has to deal with issues of Privacy and Freedom of Expression, while the criminal is not bound by any norm or ethics.

One manifestation of this asymmetric warfare is the announcement of an open price list for Cyber Crimeware by a firm that acts as a “Broker” for buying and selling Cyber Crimeware. A company called Zerodium has put up a price list for different categories of exploits that people can buy. At the same time, if there are any sellers, they can also use the chart to value their exploits.

The following chart, published in an article at wired.com, indicates the current price of crimeware.


The price list indicates prices of up to $500,000 (about Rs 3 crores) as an annual subscription. It is unfortunate that global law enforcement agencies have admitted their inability to control Cyber Crime or the illegal trading of such Crimeware by themselves subscribing to such services.

Zerodium proclaims itself to be a firm that pays premium rewards to security researchers to acquire previously unreported zero-day exploits affecting widely used operating systems, software and/or devices. Zerodium claims that normal Bug Bounty programs pay a smaller reward, while it pays high rewards and focuses on high-risk vulnerabilities.

What is disturbing, however, is that Zerodium may also sell these by subscription. Though the company claims that it would not sell the exploits to oppressive Governments, the very fact that it is in the business of selling crimeware indicates that it is primarily prepared to sell for money.

It is possible that in due course ISIS may be able to infiltrate this organization, or even force it to part with exclusive exploits that can be used against humanity. It is interesting to note that Zerodium is funded by a French firm, Vupen, and if for some reason the exploits fall into the wrong hands, it would be ironic that a French firm itself would be responsible for the growth of ISIS.

While the concept of providing an appropriate reward to researchers is fine, and I have also advocated it in the recent past (See: Bug Bounty Program from Government is required), my recommendation is that it has to be maintained by Government agencies. (The fact that agencies like the NSA have used it as a Cyber war weapon is known and needs to be prevented separately by checks and balances built into the system.)

At the international level, a consortium of a few countries needs to manage such a program so that the exploits do not fall into the wrong hands.

I suggest that Prime Minister Mr Narendra Modi start a discussion with global leaders and, just as he has mooted the idea of a Solar Energy consortium and a Counter Terror Consortium, promote the concept of a “Cyber Defense Consortium” which can operate this buying of exploits as a Bug Bounty program. The exploits, however, should be neutralized by quick patching so that they are never available as zero-day exploits.


Related Article in infosecurity-magazine

Delhi Consumer Court Fraud..Why Police are silent?

Posted by Vijayashankar Na on November 24, 2015
Posted in Cyber Law

I had pointed out in my earlier article “Beware of this Call from 90699 35661” about the calls that threaten the victim that there is a Consumer Court complaint against him/her in the Delhi Consumer Court and that, if help is required, they may contact some person.

Yesterday I got the call again and I was referred to contact a person named Veerendra Singh Yadav at 08586067445. When I searched the web for this number, I found a series of complaints of a similar nature already noted at the consumer forum website. I also saw one case reported by a customer of Bajaj Finserv which was promptly responded to by a customer service executive, indicating that even the organization Bajaj Finserv is unable to identify that this is part of a scam in which its name has been misused.

When I called back this number, again a lady picked up and said that she was the assistant of Mr Veerendra Singh Yadav. When I insisted that I wanted to speak only to him, she said she would call back. I suppose she is hunting for a male voice amongst her colleagues, who are all part of a fraudulent organization and deserve to be in jail. Perhaps I may not get any call back.

From the background noise we get on these calls, it appears that the gang is operating like a call centre with several persons engaged only in making such calls.

While these are criminals and have chosen to be so, I take serious objection to the Police in and around Delhi who are letting such frauds continue. If the information about these frauds is already available on the web, it is presumed that it is also known to the Police. (If not, they do not deserve to be called the “Police”.)

Intelligence agencies including the CBI should not only be aware of such frauds but also aware that most of these fraudsters raise money for terrorist organizations. Hence the silence of the Police could only mean “Complicity” in crimes including the funding of terrorist activities.

I am sure that some of my Police friends may get annoyed with this comment, but I would like them to realize that this is what the ordinary person on the street would think. The public think Police are incompetent, do not care about law and order in Cyber Space, or are corrupt.

Being a friend of many policemen, I consider that this would be an unfair perception of the Police. Police in India are quite capable and, if they want, they can take action to bring down such frauds. In this case I do not think that inaction is a result of corruption. It could, however, be due to apathy and a belief that they need to act only when a complaint is registered.

I request the Police who have jurisdiction over the phone numbers mentioned above to trace these calls and punish not only the proprietor of this business but every one of these callers, and also the Mobile Service Providers who have provided them the facilities to cheat the public.

Let’s hope this criticism galvanises the Police into action.


More cases reported : board reader thread

The Symantec study on Internet threats has some interesting findings on the threats arising from mobile devices which need some deep analysis.

The first alarming aspect thrown up by the study is that of the 6.3 million apps observed by the study, about 1 million apps have been classified as “Malware Apps” (we shall call them MalApps). These are programs and files created to do harm, and include viruses, worms and Trojan horses. 2014 is considered the 10th anniversary of MalApps, since the first mobile worm is said to be SymbOS.Cabir, found in 2004. The 1 million new MalApps found in 2014 consist of 46 new families of Android malware. The study says that this 1 million MalApps does not include about 2.3 million “grayware” apps, which display undesirable behaviour such as aggressive advertising.

Symantec expects the growth in mobile malware to continue in 2015, becoming more aggressive in targeting users’ money. It is estimated that 51 percent of U.S. adults bank online and 35 percent use mobile phones, and hence they are prime targets for MalApp writers. The study records that malware can intercept text messages carrying authentication codes from the bank and forward them to attackers. Fake versions of legitimate banks’ mobile applications also exist, hoping to trick users into giving up account details.

The study notes what it calls “Madware”, which uses aggressive techniques to place advertising in a mobile device’s photo albums and calendar entries and to push messages to the notification bar. Madware can even go so far as to replace a ringtone with an ad.

An analysis of threats by platform indicates that out of the total of 48 threat families (ignoring variants), 45-46 were identified on the Android platform and 3 on iOS.

As regards vulnerabilities, 168 mobile vulnerabilities were disclosed in 2014 compared to 127 in the previous year. It is surprising to note that 84% of these vulnerabilities are in iOS and only 11% in Android. BlackBerry accounts for 4% and Windows for 1%.

Probably the documentation of vulnerabilities in Apple’s platform is better organized than Android’s, and hence the finding about the security of iOS phones vs Android phones could be skewed. Disclosed-vulnerability counts measure what researchers report and vendors publish, while threat-family counts measure what attackers actually ship, so the two figures are not directly comparable. This is an interesting observation and leaves both platforms equally exposed to risk.

As of today, Android appears to have a lead in market share of around 51.2% as against iOS at around 43.5%. Cumulative global shipments of Android phones were around 1644 million units from 2010 to 2014, while cumulative sales of Apple iOS devices since their launch in 2007 are around 600 million.

This indicates that relatively there were more disclosed vulnerabilities in iOS than in Android, though there are more threats on the Android platform than on iOS.

The types of threats that MalApps pose are reflected in the following chart.


It may be expected that in the coming years these mobile threats will increase and create more risks for users, since the App ecosystem is difficult to monitor. The security industry needs to do something specific to improve the reliability of mobile platforms so that they can support market developments in the coming days.


Ransomware and Watering hole strategy

Posted by Vijayashankar Na on November 22, 2015
Posted in Cyber Law

The Symantec Internet Security Threat Report of 2015 has provided some interesting insights into the current trends in threats and vulnerabilities in Cyber space.

One of the interesting findings of the study is the rise of ransomware as a major threat.

Ransomware is malicious software that locks and restricts access to infected computers. The malicious software then displays an extortion message using a social engineering theme that demands a ransom payment to remove the restriction.

In 2014, ransomware attacks more than doubled from 4.1 million in 2013 to 8.8 million (approximately 24,000 per day). File-encryption attacks leading to ransom demands expanded from 8,274 in 2013 to a whopping 373,342 in 2014, a roughly 45-fold jump in the threat. The actual ransom demands on average were around US$ 1000 to 2000. However, since we have seen ransom demands of up to $5 million in India during the last year, it can safely be said that if the victim is a corporate entity, the damage could be significant.

Yet another point worth noting is the use of the watering hole strategy for distributing malware. This strategy plants trojans in a popular website, such as that of a newspaper, which is both respected and has high traffic. (The name is taken from the strategy used by predators, which wait near water sources in a forest and catch their prey.) The downloaded trojans are used for identity theft and other malicious purposes. The advantage of such watering hole attacks is that in corporate networks which restrict internet access, the popular sites are typically still allowed, and hence the attacker can reach the employees through them.
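A watering hole compromise of the kind described above normally leaves a trace in the page itself: a new externally hosted script or a hidden iframe pointing at an attacker-controlled host, injected into an otherwise trusted page. The following is an added example, not code from the original post or from Symantec, of the cheap check a site owner or a corporate web proxy can run: parse the HTML, collect every script, iframe, object and embed source, and flag those whose host is not in the site's allowlist of known-good origins. The allowlist, the page HTML and all domains in it are constructed for the example and are hypothetical.

```python
"""Flag third-party script/iframe sources on a page that are not in a known-good
allowlist. Added example; all hosts and the sample HTML below are hypothetical."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: the newspaper's own hosts plus a CDN it is known to use.
KNOWN_GOOD_HOSTS = {
    "www.example-news.test",
    "static.example-news.test",
    "cdn.example-cdn.test",
}

# Constructed page: two legitimate scripts, one injected script and one hidden
# injected iframe (the classic exploit-kit "gate" pattern).
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-cdn.test/jquery.min.js"></script>
<script src="//stats.attacker-example.test/ld.js"></script>
</head><body>
<p>Front page</p>
<iframe src="http://exploit-kit.attacker-example.test/gate.php"
        width="0" height="0" style="display:none"></iframe>
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect (tag, url, hidden) for every tag that loads remote active content."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed"):
            url = a.get("src")
        elif tag == "object":
            url = a.get("data")
        else:
            return
        if not url:
            return  # inline <script> blocks carry no src; skipped here
        style = (a.get("style") or "").replace(" ", "").lower()
        # A zero-sized or display:none iframe is the usual way to hide a redirect.
        hidden = tag == "iframe" and (
            "display:none" in style or a.get("width") == "0" or a.get("height") == "0"
        )
        self.resources.append((tag, url, hidden))


def find_suspicious_resources(html, page_host, known_good_hosts):
    """Return a list of findings for resources loaded from hosts outside the allowlist.

    Relative URLs resolve to the page's own host; protocol-relative URLs
    (//host/path) are handled by urlparse and are a favourite of injected code.
    """
    parser = ResourceCollector()
    parser.feed(html)
    findings = []
    for tag, url, hidden in parser.resources:
        host = urlparse(url).hostname or page_host
        if host not in known_good_hosts:
            findings.append(
                {"tag": tag, "url": url, "host": host, "hidden_iframe": hidden}
            )
    return findings


if __name__ == "__main__":
    for f in find_suspicious_resources(SAMPLE_HTML, "www.example-news.test", KNOWN_GOOD_HOSTS):
        print("SUSPICIOUS %(tag)s -> %(host)s (hidden iframe: %(hidden_iframe)s)" % f)
```

Run against a periodic fetch of the site's own front page, this turns a silent compromise into an alert the first time an unknown host appears; the allowlist has to be maintained as legitimate third-party providers change, which is the operational cost of the approach.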

The threats analysed in the report give information security managers directions for checking the effectiveness of their controls. The study also provides some guidelines on best practices which are a good starting point for evaluating the security systems of user organizations.


The Underground Cyber Crime Economy

Posted by Vijayashankar Na on November 22, 2015
Posted in Cyber Law

The Norton/Symantec Cyber Crime study of 2014 has tried to provide an insight into the Underground Cyber Crime economy that drives the growth of financial crimes.

Spamming and Phishing continue to be the major tools through which frauds are committed in Cyber Space. Spam with malicious links and attachments is used to drop Trojans, and Phishing is used to make the spam look like a message from a known person.
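The "message from a known person" disguise mentioned above is usually assembled from a handful of header tricks, and each of them can be checked mechanically before a user ever sees the mail. The following is an added example, not code from the original post or from Symantec, of three such checks over raw RFC 822 headers: a From display name that matches a known contact but carries a different address, a Reply-To that sends answers to a different domain than the visible sender, and a sender domain that is one character edit away from a trusted one. The contact list, trusted domains and both sample messages are constructed for the example and are hypothetical.

```python
"""Header checks for common phishing disguises. Added example; the contacts,
domains and sample messages are hypothetical and constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical address book and trusted sender domains.
KNOWN_CONTACTS = {"Priya Sharma": "priya.sharma@example-bank.test"}
TRUSTED_DOMAINS = {"example-bank.test"}

# Constructed messages: one genuine, one impersonating the same contact.
SAMPLE_LEGIT = (
    "From: Priya Sharma <priya.sharma@example-bank.test>\n"
    "To: customer@example.test\n"
    "Subject: Your monthly statement\n"
    "\n"
    "Please find the statement attached.\n"
)
SAMPLE_PHISH = (
    "From: Priya Sharma <priya.sharma@examp1e-bank.test>\n"  # digit 1 for letter l
    "Reply-To: support@secure-login-example.test\n"
    "To: customer@example.test\n"
    "Subject: Your account has been blocked\n"
    "\n"
    "Click the link below within 24 hours to unblock your account.\n"
)


def edit_distance_le_1(a, b):
    """True if a and b differ by at most one insertion, deletion or substitution.

    A single-pass check is enough for the look-alike test; a full Levenshtein
    matrix is unnecessary for distance <= 1.
    """
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) > len(b):
            i += 1          # deletion from a
        elif len(a) < len(b):
            j += 1          # insertion into a
        else:
            i += 1          # substitution
            j += 1
    return edits + (len(a) - i) + (len(b) - j) <= 1


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw_message, known_contacts, trusted_domains):
    """Return a list of human-readable indicators; an empty list means none fired."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(from_addr)
    findings = []

    # 1. Display-name spoofing: familiar name, unfamiliar address.
    expected = known_contacts.get(from_name)
    if expected and expected.lower() != from_addr.lower():
        findings.append("display-name spoof: %r is known as %s but mail is from %s"
                        % (from_name, expected, from_addr))

    # 2. Reply-To redirection: replies leave the visible sender's domain.
    rt_domain = _domain(reply_to)
    if rt_domain and rt_domain != from_domain:
        findings.append("reply-to redirection: %s -> %s" % (from_domain, rt_domain))

    # 3. Look-alike domain: one edit away from a domain the recipient trusts.
    if from_domain and from_domain not in trusted_domains:
        for trusted in sorted(trusted_domains):
            if edit_distance_le_1(from_domain, trusted):
                findings.append("look-alike domain: %s resembles %s" % (from_domain, trusted))
    return findings


if __name__ == "__main__":
    for label, raw in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(label, phishing_indicators(raw, KNOWN_CONTACTS, TRUSTED_DOMAINS) or ["no indicators"])
```

None of these checks proves fraud on its own (a colleague may legitimately write from a personal address), so they are best used to score or quarantine mail rather than to drop it silently; the look-alike test in particular should be run against the organisation's own domains, which is where impersonation is most profitable.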

According to the study, approximately 28 billion spam mails were in circulation worldwide each day in 2014, compared to 29 billion in 2013. Overall, for 2014, 60% of email traffic was identified as spam compared to 66.4% in 2013, representing a decrease.

According to the India-specific information available from the Norton study, an estimated Rs 16558/- was lost on average by each Indian consumer on account of Cyber Crimes. The study estimates that approximately 113 million Indians were affected by Cyber Crimes, which constitutes around 48% of the Indian online population. There is some ambiguity in the way the loss is estimated, and hence we shall leave it for analysis at a later time when more information is available, while we revert to the figures available in the global study.

The Cyber Crime market has evolved like any other business, where the crimeware is developed by one set of people and exploited by another. There are people who specialize in developing malware, others who specialize in identity theft, another set who drop the malware using spam techniques, and yet another set who actually draw the fraud money out of the victims. Certain Trojans are available on lease for a specific period, making it all look like an organized business.

The study estimates that a drive-by download web toolkit, which includes updates and 24/7 support, can be rented for between $100 and $700 per week. The online banking malware SpyEye (detected as Trojan.Spyeye) is offered from $150 to $1,250 on a six-month lease, and DDoS attacks can be ordered from $10 to $1,000 per day. The value of information sold in the Cyber Crime market is indicated by the following table.


If Cyber Crime is to be curtailed, then it is important to recognize the existence of this chain of actors and eliminate the participants at each of these levels.