
Naavi.org

Building a Responsible Cyber Society…Since 1998

ATM Security.. How much is the Bank responsible?

Posted by Vijayashankar Na on December 31, 2015
Posted in Cyber Law  | 1 Comment

After the incident in which a Corporation Bank employee was assaulted in an ATM in Bangalore, there was some discussion on the provision of additional security at ATMs. The Police said that it was the responsibility of the Banks, and the Banks said they could not afford to post guards at all ATMs.

Ultimately, banks started charging more for ATM transactions to cover the additional expense but did not provide any additional security.

They cheated the public and RBI allowed them to cheat.

Now, an incident has been reported from Electronic City which indicates that there is a mafia at work robbing customers at ATMs. I reproduce below, for public information, the account posted in another forum by the victim’s father.

Quote:
BEWARE OF THIEVES & ROBBERS AROUND ATMs IN BANGALORE
My son, who is working in Infosys, Electronic City, Bangalore, had a bitter experience on 20th Dec. His 2 friends had withdrawn cash and come out of an ATM near Electronic City at midnight after their shift was over. On their exit from the ATM, 3 rogues intercepted them and snatched the money and costly smart phones. When my son went to their help, he was beaten. He resisted and fought back. All 3 clashed with the 3 robbers. One of them escaped and immediately brought about 10 local rowdies to the spot. My son and another friend were kidnapped to a playground in a secluded place and beaten up. His head, face, hands, back, hips and whole body were full of bruises and contusions. Both of them were unconscious for a long time. When the other friend became conscious, he was able to move and get an auto to drop my son at his house, without making any complaint to the Police.
My son and his friends are afraid to make a complaint to the Police, saying “the Police are hand in glove” and it would be of no use, except mental agony from the Police and further threats from the rowdies and robbers.
I informed my local friend at Bangalore and a Legal Person of the matter and requested help. They also said the same thing is happening every day, and in particular one Mr. Vinayak had experienced the same kind of incident the very next day. The Govt. is not at all taking steps to prevent these atrocities. Are these politicians running the Govt. like this? I wonder. Only God can punish these culprits, it seems.
Why I am posting this incident is just to caution our people not to use ATMs after 9 p.m. Because of the growing robbery and atrocities, the ATMs on the outskirts could be shut down between 10 p.m. and 7 a.m. Moreover, whoever happens to move around at midnight should not carry costly smart phones.
Unquote
It is unfortunate that law and order in Bangalore is deteriorating day by day. We are aware of motorcycle-borne chain snatchers roaming the city in the early mornings, and now there are these ATM robbers in the evening. In between we have robbers posing as Police attacking people on Nice Road, not to speak of bag snatchers everywhere.
I wish the Government would not allow the situation to deteriorate further, to the point where people start referring to Bangalore as another jungle Rajya, after Bihar.
At the same time, Bankers need to explain why there were no guards near the ATM referred to in the above incident and whether any CCTV footage has been captured. RBI should take immediate punitive action against the Bank owning this ATM for failing in its duty to provide security and causing the robbery.
Police should also file a case against the Bank for negligence in providing security at the ATM without taking refuge under the fact that no complaint has been filed.
If the Citizens feel insecure to approach the Police, it is a shame on the Police and not an omission on the part of the public.
Hope the Commissioner of Police is listening…
Naavi

Free basics Debate

Posted by Vijayashankar Na on December 30, 2015
Posted in Cyber Law  | 1 Comment

The Free Basics debate in India has reached a crescendo and there is a lot of confusion surrounding the service launched by FaceBook in association with Reliance and the consultation paper which TRAI has released on “Net Neutrality”.

It appears that the Free Basics and Net Neutrality debates are getting interconnected, and hence the public are finding it difficult to decide whether they should respond to the TRAI consultation paper or not.

It is obvious that Free Basics is an advantage to Reliance and therefore could be a disadvantage to other mobile service operators. Hence there is a business interest involved in opposing Free Basics which needs to be factored into the analysis.

As far as the consumer is concerned, Free Basics brings to them certain content services for which data is not charged by the mobile service provider.

The user may be a farmer who is looking for some agricultural information, a cricket enthusiast who is looking for Cricinfo scores, or a student who is browsing through some academic information.

It is true that while content offered through Free Basics comes without a data charge, similar content outside the Free Basics platform is charged. To that extent, the “free service” is more attractive than the “paid service”. Hence some consider this as affecting “Net Neutrality”.

Some time back, some service providers tried to introduce schemes whereby certain premium services would be given free on the mobile, with the operator collecting money directly from the beneficiary companies. This was opposed, and the proposal was dropped on “Net Neutrality” considerations.

Free Basics, however, has structured its services differently. Firstly, it has presented itself as a “Platform”, and any content provider may apply to be part of the platform provided it follows certain content guidelines. As long as this is not discriminatory, there should be no grounds to object. It appears that the present guidelines favour basic content providers over fancy websites and e-commerce sites, and this is an acceptable criterion so that the data element is kept thin.

As long as there are no discriminatory exclusions, the system may be considered equitable. In India we are used to “Reservations” of various kinds. Activists who worry about “neutrality” may also ask whether there is neutrality in the provision of basic services in the physical world, before raising their voice against the free internet that may become available to a limited extent as a result of Free Basics.

It is understood that Free Basics content would pass through a proxy server of FaceBook, which places FaceBook in a position to see which sites and pages each user requests; this user data is the value proposition for FaceBook. Though privacy concerns can be raised on this account, the user himself may not be much worried about it. Reliance may gain clientele and also some reverse benefit from FaceBook to offset the cost of the data that it foregoes. This is a business strategy that is not objectionable per se.

The low-income mobile user may look at this as an opportunity to get some free Internet on the mobile, much like the ad-supported free Internet access services of the late nineties.

Today every business operator, including Google, collects information from users and uses it to its business advantage. Some of them may offer free services to attract more customers, since the value of the data that the users bring in more than offsets the cost of the service itself. Even Gmail may be running on this principle.

Hence blaming Free Basics merely because it is making life more difficult for business rivals is perhaps incorrect.

On the other hand, the rival telecom providers can consider assembling their own content packages and delivering them free through their services so that they do not lose their business. Nothing prevents Airtel from providing cricbuzz scores free, or the Telegram service free of data charges, to counter the Free Basics-Reliance offer.

The competition may actually benefit the general consumer.

What TRAI has to ensure however is that

a) the Free Basics platform is open to all under a published, technology-based guideline

b) no content provider is discriminated against arbitrarily

c) other service providers are encouraged to introduce content packages with their own set of content providers

The net effect of the above is that basic information available on the internet may become available on the mobile without specific data charge. All other services will come with data charge like a premium service.

This may be good to reduce the digital divide and benefit the society in the long run.

Naavi

 

Beware of CIBIL Report Fraud

Posted by Vijayashankar Na on December 29, 2015
Posted in Cyber Crime  | 1 Comment

I would like to bring to the notice of the public a fraudulent e-mail that is being sent in the name of CIBIL.

The copy of the email is reproduced below:

 

[Image: screenshot of the fraudulent e-mail sent in the name of CIBIL]

Normally the CIBIL TransUnion score is expressed as a three-digit number (in the range 300 to 900) and not as a single-digit figure such as 8.3.

On verification of the header information, it is found that the e-mail has emanated from notification@solveerrors.com, while the Return-Path is <..@smtp1.perfectpriceindia.com>. Neither the From domain nor the Return-Path domain is a CIBIL domain, and the two do not even match each other.

The IP address from which the mail has been sent appears to be 206.183.107.64
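As an added example (not code from the original post), the following script performs the header checks described above on a constructed copy of such a message: it compares the From domain and the Return-Path domain with the domain of the organisation the mail claims to come from, pulls the connecting IP out of the Received headers, and flags a “score” that is not a three-digit value. The From address, Return-Path host and IP are those quoted above; the Return-Path local part, the receiving host, the date, the body text and the choice of cibil.com as the genuine domain are assumptions.

```python
# Added example (not from the original Naavi.org post): header checks of the
# kind used above to spot an e-mail sent in someone else's name. The raw
# message is constructed; the From address, Return-Path host and the IP in
# the Received line are the values quoted in the post, while the Return-Path
# local part ('bounce'), receiving host, message id, date and body text are
# assumptions.
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_MESSAGE = """\
Return-Path: <bounce@smtp1.perfectpriceindia.com>
Received: from smtp1.perfectpriceindia.com ([206.183.107.64])
        by mx.recipient.example with ESMTP id x1y2z3; Tue, 29 Dec 2015 10:00:00 +0530
From: "CIBIL TransUnion" <notification@solveerrors.com>
Subject: Your CIBIL TransUnion Score is 8.3
Content-Type: text/plain; charset=us-ascii

Your CIBIL score is 8.3. Click the link to view your full report.
"""

# Domains the message claims to speak for; a genuine notification would
# come from the organisation's own domain. 'cibil.com' is assumed here.
CLAIMED_DOMAINS = {"cibil.com"}

# The CIBIL TransUnion score is a three-digit number in the range 300-900.
SCORE_RANGE = (300, 900)


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the address in a From/Return-Path header."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def originating_ips(msg) -> list:
    """IP literals from Received headers, outermost relay first.

    Each relay prepends its own Received line, so the last entry is the
    one nearest the sender; its bracketed address is the connecting host
    as seen by the first receiving relay."""
    ips = []
    for received in msg.get_all("Received", []):
        for cand in re.findall(r"\[([0-9a-fA-F.:]+)\]", received):
            try:
                ips.append(str(ipaddress.ip_address(cand)))
            except ValueError:
                pass
    return ips


def implausible_scores(text: str) -> list:
    """Scores mentioned in the text that are not three-digit 300-900 values."""
    bad = []
    for m in re.finditer(r"\bscore\s+(?:is\s+)?(\d+(?:\.\d+)?)", text, re.I):
        s = m.group(1)
        if not (s.isdigit() and SCORE_RANGE[0] <= int(s) <= SCORE_RANGE[1]):
            if s not in bad:
                bad.append(s)
    return bad


def check_message(raw: str, claimed_domains=CLAIMED_DOMAINS) -> dict:
    """Run the header and content checks and return the findings."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    return_path_domain = domain_of(msg.get("Return-Path", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    if from_domain not in claimed_domains:
        findings.append(f"From domain {from_domain!r} is not a domain of the claimed sender")
    if return_path_domain not in claimed_domains:
        findings.append(f"Return-Path domain {return_path_domain!r} is not a domain of the claimed sender")
    if from_domain and return_path_domain and from_domain != return_path_domain:
        findings.append("From and Return-Path domains differ")
    for s in implausible_scores(msg.get("Subject", "") + " " + body):
        findings.append(f"score {s!r} is not a three-digit 300-900 value")
    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "originating_ips": originating_ips(msg),
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for line in check_message(SAMPLE_MESSAGE)["findings"]:
        print("-", line)
```

A mismatch between From and Return-Path is not proof of fraud by itself (mailing list software and bulk senders produce it legitimately), which is why the script reports each finding separately and leaves the judgement to the reader; the combination of a non-matching sender domain, an unrelated bounce host and an impossible score is what makes this particular message a clear fake.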

Public are requested not to respond to this fraudulent e-mail.

At the same time, I hereby give notice to CIBIL that they have now been informed of an attempt by somebody to cheat the public in their name, and if they do not take suitable steps to prevent such misuse of CIBIL’s name, they will be considered “Negligent” and as providing indirect “Assistance” to fraudsters.

I request the Police anywhere in India also to take cognizance and issue notices to the concerned web hosting service providers as well as CIBIL to ensure that this fraud is stopped immediately.

Naavi

Parliamentary Committee report on Information Security

Posted by Vijayashankar Na on December 28, 2015
Posted in Cyber Law  | No Comments yet, please leave one

The Standing Committee of the Parliament on Information Technology has released its observations and recommendations as submitted in the Parliament on 21st December 2015. Some of the salient features relevant to the public are discussed here.

Copy of the report can be accessed here

On Scrapping of Section 66A

The Committee has taken note that the Government expressed that it welcomed the decision of the Supreme Court in scrapping Section 66A since it supports “Freedom of Expression”.

With this, the Government and the Committee have endorsed the erroneous decision of the Supreme Court without recognizing that Section 66A in no way addressed the “Freedom of Speech” issue but only required that a “Message” between two persons using a communication device or an e-mail not be threatening, harassing, annoying, etc. The section, which addressed several cyber crimes including cyber stalking, cyber bullying, phishing etc., was thrown out by the Supreme Court under a wrong interpretation of the law as it existed. Instead of opposing the decision, the Government surrendered to the erroneous decision, and the Parliamentary Committee ought to have pointed out this poor decision by the Government.

The Committee says that it would await the further action of the Government in this regard.

Further Amendments to ITA 2000/8

The committee has taken note that the Government has set up an “Expert Committee” under the chairmanship of Shri T K Vishwanathan who incidentally was the person who drafted the ITA 2000, to study and examine the existing domestic cyber laws and International cyber legislations and recommend a road map with measures and amendments to the present laws for consideration of the Government.

Committee also noted that the Home Ministry has set up another “Expert Committee” to prepare a road map for effectively tackling the Cyber Crimes in the country and give suitable recommendations on all facets of cyber crime.

Presently the public are not aware of who the “Experts” in this group are. In the past, the “Experts” were mostly those who were close to the bureaucrats of MCIT, and it was a cosy club of Delhi-ites. Hopefully the Modi Government does not fall into the same routine.

The Committee has suggested that these two committees need to report their progress to this Parliamentary group. Hopefully the Committee will ensure that the two committees work in tandem and address the issues arising out of IoT, Big Data and other developments.

What the Parliamentary Committee Failed to do

Though the Committee made a reference to the beta release of the “Digi Locker” scheme and cautioned the Government on security risks, the Committee has not recognized the points made by Naavi.org in the past indicating that the Digi Locker Scheme and the CCA’s e-Sign notification appear non-compliant with the existing ITA 2000/8. Naavi.org has also pointed out that the Karnataka Government passed a Bill on e-Governance which was contrary to ITA 2000/8. Such blunders of the Government were not recognized by the Parliamentary Committee, and it appears that the secretariat has not done adequate research on the subject.

It is hoped that the Parliamentary Group headed by Mr Anurag Thakur will get better information from the market before its next report. The responsibility for such research should be borne by the secretariat consisting of Shri K.Vijayakrishnan (Additional Secretary), J.M.Baisakh (Director) and Dr Sagarika Dash (Deputy Secretary). I wish these executives would peruse some of the points made in Naavi.org in the past before advising the Parliamentarians. The report does not contain the contact details of these officials, and I hope some reader will forward a copy of this note to them.

Naavi

In a gazette notification dated December 21, 2015, the Government of India has declared UIDAI system as a “Protected System” under ITA 2000/8.

This was long overdue, and given the criticality of the system and the risks associated with a security breach, it is necessary to ensure that the system is protected both technically and legally. Some of the newspaper reports have highlighted the impact of this notification by stating “UIDAI: Illegal access to Aadhaar data can land you in jail for 10 years”.

While this is certainly a message that should go out, we should add “Even an attempt to access UIDAI systems without authorization, may land a person in jail for 10 years and this is a non bailable cognizable offence”.

The information security professionals who work in the area of penetration testing should be particularly cautious to avoid any unintentional actions that may appear as an “Attempt” to access UIDAI system.

Under ITA 2000, Section 70 read as follows:

Protected system (Sec 70 of ITA 2000)
(1) The appropriate Government may, by notification in the Official Gazette, declare that any computer, computer system or computer network to be a protected system.

(2) The appropriate Government may, by order in writing, authorise the persons who are authorised to access protected systems notified under sub-section (1)

(3) Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.

Under ITA 2008, the section was modified to read as under:

Protected system (Amended Vide ITAA-2008)

(1)The appropriate Government may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of Critical Information Infrastructure, to be a protected system.

Explanation: For the purposes of this section, “Critical Information Infrastructure” means the computer resource, the incapacitation or destruction of which , shall have debilitating impact on national security, economy, public health or safety. (Substituted vide ITAA-2008)

(2)The appropriate Government may, by order in writing, authorize the persons who are authorized to access protected systems notified under sub-section (1)
(3)Any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
(4) The Central Government shall prescribe the information security practices and procedures for such protected system. (Inserted vide ITAA 2008)

As one can observe, the ITA 2000 version did not state that the power to declare a “Protected System” was to be reserved for “Critical Information Infrastructure” alone, though this was clearly the intention that could be read into the section.

Unfortunately, certain Governments did not understand this intent and went ahead to declare “All E-Governance Systems” as “Protected”. Tamil Nadu was one such State, which issued such an overreaching order. (See the copy of the order here). In this order dated 29th June 2005, the TN Government declared

“any computer, computer system (Hardware, Software and Accessories), Website, online service or computer network including the Uniform Resource Locator (URL) in any of the offices of the Government of Tamil Nadu or of the Government undertakings or Boards to be a “protected system”

This made all computers of the Government whether they are used for critical operations or not as “Protected Systems” and placed restrictions on the access. Fortunately, not many cases were filed under the section though the risk of misuse of the section was always there.

In an article in this site on January 10 2003, Naavi had also raised a doubt as to whether a State Government has the power to notify a “Protected System” under ITA 2000. (Read the article here).

When the amendments of 2008 were made, it was good that the Central Government removed the ambiguity in one aspect: the section was not meant to declare “Any” system as “Protected”. The criterion was that the system should be considered “Critical Information Infrastructure”, which was defined in ITA 2008.

The definition of Critical Information Infrastructure in this context is any “computer resource, the incapacitation or destruction of which, shall have debilitating impact on national security, economy, public health or safety”. This does not require that the system belong to the Government, since some of the systems that are critical for national economy, health or safety may even be in the private sector.

There is no doubt that UIDAI given the uses to which it is being put should be considered as a “Critical Information Infrastructure” and the protection of Section 70 should be accorded.

We may however bring to the attention of the Government here that the notification of December 21, 2015 does not provide details of the “Information security practices and procedures” that sub-section (4) requires the Central Government to prescribe.

One could take the view that the CERT-In guidelines on information security are applicable to UIDAI. However, the Gazette Notification ought to have specified which Information Security Practices and Procedures apply to access to these systems.

One may argue that this is not a matter on which the public is to be notified. However, since an “Attempt” to access the system is to be considered an “offence”, it is prudent for the Government to at least state in general terms what would constitute such an offence by defining the limitations.

In particular, information security professionals as well as those involved in Aadhaar-related IT projects need to watch out while undertaking security scanning or software testing exercises, to avoid any unintentional violation of Section 70.
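One practical safeguard, given here as an added example rather than as anything from the post or from any Government guideline, is to validate every target against the written scope before a scanner is started, so that an out-of-scope host is refused instead of probed. The networks and domain names in the script are constructed placeholders.

```python
# Added example, not from the original post: a pre-flight scope check to run
# before any scanner or test script is pointed at a target, so that a host
# outside the written authorisation (for instance one belonging to a system
# notified as 'protected' under Section 70) is never probed by mistake.
# Every network and domain name below is a constructed placeholder.
import ipaddress
from urllib.parse import urlsplit

# Hypothetical engagement scope: what the client authorised in writing.
IN_SCOPE_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                     ipaddress.ip_network("192.0.2.0/24")]
IN_SCOPE_DOMAINS = ["app.client.example", "api.client.example"]

# Hypothetical deny list: hosts that must never be touched, whatever the
# scope file says. Deny entries win over allow entries.
DENY_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
DENY_DOMAINS = ["protected.example"]


def host_of(target: str) -> str:
    """Host part of a URL, host:port pair or bare host ('' if unparseable)."""
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")


def _matches_domain(host: str, suffixes) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def _in_networks(host: str, networks) -> bool:
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def check_target(target: str) -> tuple:
    """Return (allowed, reason). Only literal IPs and listed names pass:
    no DNS is done here on purpose, because a name that resolves into
    scope today may resolve elsewhere at scan time; list names explicitly."""
    host = host_of(target)
    if not host:
        return False, "could not parse a host from the target"
    if _matches_domain(host, DENY_DOMAINS) or _in_networks(host, DENY_NETWORKS):
        return False, f"{host} is on the deny list"
    if _matches_domain(host, IN_SCOPE_DOMAINS) or _in_networks(host, IN_SCOPE_NETWORKS):
        return True, f"{host} is within the authorised scope"
    return False, f"{host} is not within the authorised scope"


def filter_targets(targets):
    """Split targets into those the scanner may take and the refused ones."""
    allowed, refused = [], []
    for t in targets:
        ok, reason = check_target(t)
        if ok:
            allowed.append(t)
        else:
            refused.append((t, reason))
    return allowed, refused


if __name__ == "__main__":
    ok, bad = filter_targets(["https://app.client.example/login", "10.20.5.7:8443",
                              "https://auth.protected.example/", "198.51.100.9"])
    print("scan:", ok)
    for t, why in bad:
        print("refuse:", t, "->", why)
```

The check is deliberately strict: anything not explicitly authorised is refused, the deny list overrides the allow list, and no name resolution happens inside the check, so a hostname that is not on the list cannot slip through by resolving into an in-scope network at scan time.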

The development will also add an additional angle to ITA 2008 compliance programs which should be followed by all IT Companies, Payment gateways, e-KYC companies, etc.

Naavi

RBI does a Modi on Bitcoin

Posted by Vijayashankar Na on December 26, 2015
Posted in Cyber Law  | 2 Comments

This Christmas has been a real merry Christmas for India…. and also for Pakistan. In a surprise move which stunned everybody from his supporters to his detractors, Indian PM Mr Narendra Modi dropped in at Lahore, wished his Pakistani counterpart Nawaz Shariff a happy birthday, gave gifts to his granddaughter for her wedding, touched the feet of Nawaz’s mother in respect, travelled in a Pakistani military helicopter along with Nawaz Shariff, and virtually created an earthquake in the region. Whether immediate results are seen or not, the developments of 25th December 2015 in Indo-Pak relations will be a key development in the history of the region and will permanently change the perception of Mr Modi in the minds of the Anti-Modi Congress supporters in India.

This morning when we opened the newspapers, there was another development which was equally “disruptive”, but in the domain of financial regulation in India. In what is a huge turnaround, RBI came out with a statement that the “Technology behind bitcoin can help fight counterfeiting”.

In 2014, we had discussed at length the “Legal Validity” of “Bitcoins” in this site and some of those discussions have continued from time to time.

(The articles can be accessed here)

Following a Bitcoin conference in Bangalore, and subsequently in a well-read interview in the Times of India, Naavi argued that a “Bitcoin” was an electronic document recognized in ITA 2000/8 and hence could not be banned. In the follow-up detailed article at Naavi.org titled “Why RBI cannot/need not/should not ban Bitcoins?”, Naavi explained why Bitcoin, as a category of “Crypto Currency/Virtual Coin”, has huge advantages that can be harnessed by RBI. Naavi also explained that while part of the Bitcoin holdings and transactions may involve violations of PMLA or FEMA, which can be tackled under the relevant laws, part of the Bitcoin holdings, particularly those mined in India, could be considered legal holdings. Naavi also provided some suggestions to RBI on what it should do, stated as follows.

QUOTE

What RBI Should Do

.. RBI of course has a duty to advise the public through an open advisory not to consider Bitcoin as a currency. This is more for public education so that they are not cheated by smart operators.

Apart from the caution notice that RBI should release, they may consider some steps of their own to meet the situation arising out of the Crypto Currency phenomenon.

…if RBI so desires, it can provide some concessions to Bitcoin Exports (sale of Bitcoins by an Indian against receipt in foreign currencies) and Bitcoin Mining (a production activity similar to software development). It can also consider production of Bitcoins by Indians through foreign pools as a “Software Service Export”. In my opinion, RBI should consider these measures.

On the other hand, RBI may clarify limits on the import of Bitcoins (buying of Bitcoins from foreign sources where the payment is designated in a foreign currency). While RBI has the right to ban such imports, it may consider permitting imports through designated exchanges up to a limit of, say, Rs 75000/-.

RBI may however have to caution the public that buying and selling of Bitcoins must be restricted to persons whose identity is known and records kept. The public must understand that in the current legal environment, Bitcoin is a “Virtual Commodity” and it does not have the immunity that “Negotiable Instruments” possess, where a holder in certain circumstances can claim the status of a “Holder in due course”, which is free from the defects of the transferor.

STPI may consider declaring its own policies if somebody wants to set up a Bitcoin (or other cryptocoin) mining facility as an STPI unit.

UNQUOTE

Naavi also gave a wishlist on Bitcoins which included a Crypto Coin Exchange of India, an India Crypto Currency Pool and a Hybrid Variety of Crypto Coin, and invited RBI to constitute an expert committee to take the discussion further.

However, as was feared, RBI came out with an “Advisory”, the ED conducted a couple of raids on Bitcoin operators in India, and this put the fear of God into the techies who had enthusiastically embarked on a “Bitcoin Journey”. Naavi had maintained throughout that time that the “Technology behind Bitcoins” is a very useful technology and must be harnessed by RBI. Subsequently one of the Bitcoin enthusiasts demanded that the RBI advisory be clarified further, as it had introduced uncertainty in business. RBI however came out with a harsh, rebuking reply, in which it also stated that the person “..is not entitled to call upon RBI to clarify the legal position in this regard..”

RBI was visibly angry with the person for sending a notice demanding clarification, and went on to warn the person that if, in spite of the clarifications, the person went ahead with any legal proceedings, RBI would defend itself at the person’s cost and consequences.

This was nothing different from the stand Indian Government had taken in respect of its dialogue with Pakistan which Modi has now changed.

Subsequent to RBI’s angry reply, Naavi has been reminding from time to time that “Bitcoin” may be tainted because of its past, but the Block Chain technology has the potential of revolutionising the Digital Currency concept.

However there appeared to be no hope of a rethinking… until this morning’s newspaper reported a positive viewpoint on the Block Chain technology attributed to RBI. The article quotes RBI as saying:

“With its potential to fight counterfeiting, the ‘blockchain’ is likely to bring about a major transformation in the functioning of financial markets, collateral identification (land records for instance) and payments system,” said the RBI. The central bank pointed out that the traditional system of record maintenance works on the basis of ‘trust’ and the ‘regulatory’ and ‘controlling’ power of central entities/counter parties. “As against this, the ‘blockchain’ technology is based on a shared, secured and public ledger system, which is not controlled by any single (‘central’) user and is maintained collectively by all the participants in the system based on a set of generally agreed and strictly applied rules,”

This turn around to my mind is as bold as Modi dropping into Lahore to wish Nawaz Shariff a “Happy Birthday”.
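The property RBI refers to can be shown in a few lines. The following is an added illustration, not RBI’s or the post’s own code: a minimal hash-chained ledger in which every block commits to the previous block’s hash, so that rewriting an old record breaks verification of every block after it. Only the chaining is modelled here, not the distributed consensus among participants that RBI’s statement also mentions; the land-record entries are constructed.

```python
# Added example, not from the original post or from RBI: a minimal
# hash-chained ledger showing why a record in such a ledger cannot be
# quietly altered after the fact. The 'shared, collectively maintained'
# part of a blockchain (consensus among participants) is not modelled;
# this is the tamper-evidence of the chain alone. All entries are constructed.
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple

GENESIS_PREV = "0" * 64


def _digest(payload: dict) -> str:
    # Canonical JSON (sorted keys, no spaces) so identical content always
    # hashes identically regardless of dict ordering.
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class Block:
    index: int
    prev_hash: str          # hash of the previous block: this is the chain link
    entries: List[dict]
    hash: str = ""

    def compute_hash(self) -> str:
        return _digest({"index": self.index, "prev_hash": self.prev_hash,
                        "entries": self.entries})


def make_chain(batches) -> List[Block]:
    """Build a chain with one block per batch of entries."""
    chain, prev = [], GENESIS_PREV
    for i, entries in enumerate(batches):
        b = Block(i, prev, copy.deepcopy(entries))
        b.hash = b.compute_hash()
        chain.append(b)
        prev = b.hash
    return chain


def verify_chain(chain: List[Block]) -> Tuple[bool, int]:
    """Return (ok, index of the first block that fails, or -1 if all pass).

    A block fails if its stored hash no longer matches its content, or if
    its prev_hash does not match the hash of the block before it."""
    prev = GENESIS_PREV
    for b in chain:
        if b.prev_hash != prev or b.hash != b.compute_hash():
            return False, b.index
        prev = b.hash
    return True, -1


# Constructed land-record style entries (the RBI quote mentions land records).
SAMPLE_BATCHES = [
    [{"plot": "S-101", "owner": "A", "event": "registered"}],
    [{"plot": "S-101", "owner": "B", "event": "transfer from A"}],
    [{"plot": "S-102", "owner": "C", "event": "registered"}],
]


def tamper_demo():
    """Show what verification reports before and after rewriting history."""
    chain = make_chain(SAMPLE_BATCHES)
    ok_before, _ = verify_chain(chain)
    # Someone edits block 1 to say the plot went to 'Z' instead of 'B'.
    chain[1].entries[0]["owner"] = "Z"
    after_edit = verify_chain(chain)          # block 1's hash no longer matches
    # Recomputing block 1's hash does not hide the edit: block 2 still
    # carries the old hash as its prev_hash, so the break moves to block 2.
    chain[1].hash = chain[1].compute_hash()
    after_rehash = verify_chain(chain)
    return ok_before, after_edit, after_rehash


if __name__ == "__main__":
    print(tamper_demo())
```

Hiding the edit would require recomputing every later block as well, which in a ledger held by many participants means every one of them would have to accept the rewritten copy; that is the point at which the “collectively maintained” part of the technology, not shown here, does its work.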

Now it is time for RBI to walk its talk and set up a proper Expert Committee which can study “How RBI can harness the Block Chain Technology”.

As always, we need to point out that RBI needs to find appropriate members for this committee who can provide appropriate inputs… and we request the committee to watch the space of Naavi.org, where some voluntary inputs can be found, not only from Naavi but also from its erudite readers.

I call upon the readers to contribute their views to the “Virtual Special Interest Group of Naavi.org on Harnessing of Block Chain Technology” which is deemed to be constituted right away. Naavi has already proposed a VSIG on Amendments to ITA 2008 and the Harnessing of Block Chain Technology can also be taken up in the same VSIG as an additional sub group. Volunteers are welcome.

Naavi