
Naavi.org

Building a Responsible Cyber Society…Since 1998

True Caller is a reasonably popular mobile App which many mobile users in India have downloaded and installed. When the user receives a call from another True Caller user, though his name may not be in the contact list of the receiver, the receiver would get a display of the name of the person who is calling. This is meant to help the receiver to know the name of the caller when he is an unknown person outside his contact list.

When a user downloads the App, he gives permission for the App to access his contact list which goes into a global data base from which the service is delivered. In this process, the name of the owner of a mobile number is the name assigned to him by the member who shares the information.

There is no doubt that when this service was conceptualized by a techie and became a successful venture, everybody would have hailed the service as innovative. In fact it may have some positive uses also.

However, unfortunately, Cyber Criminals try to exploit every service on the Cyber Space to their advantage and find various methods of using any useful and trusted service to commit frauds.

When a fraud is committed with the use of a service, the service provider becomes vicariously liable to third parties as an “Abettor” of crime. To avoid such liabilities, the service provider tries to adopt a “Privacy Policy” and “Terms of Use” to absolve himself of the liabilities through disclosures and consents.

Recently, it was brought to the notice of Naavi.org that a call was received by a user in Bangalore from one of the fraudulent entities operating as “Representatives of a Bank” and calling to threaten that the “Bank account is being deactivated… unless…”.

(Such frauds in the case of SBI Credit Cards are the most prevalent and soon it will become synonymous with the name of SBI. Just as we recognize advance fee frauds as “Nigerian Fraud”, soon we will recognize the Phishing frauds as “SBI Frauds”. I hope Ms Arundhati Bhattacharya takes note of the PR implications of such association of a fraud to SBI’s name.)

The receiver has checked the number under the True Caller data base and found that it had been listed as “SBI”. This would be a reasonable confirmation to any ordinary person to believe what the caller says and act as per his instructions leading to a classical phishing fraud. It is easy to get the name of SBI or any other Bank associated with the telephone number of the caller if one or more of the fraud associates save the number as their contact under the Bank’s name and install True Caller.

When such a fraud occurs, the responsibilities of True Caller as a service provider who provides “Caller ID” as a service will come into question. In Indian law, ITA 2000/8 provides guidelines under Section 79 for intermediaries to maintain “Due Diligence” which also includes “Reasonable Security Practice” under Section 43A for sensitive personal information and additional responsibilities under Section 72A.

If this is an unintended compromise of the service, the service provider can defend himself by initiating corrective action. If he neglects to do so, a Court can interpret it as intentional recklessness that deserves invocation of the law.

SBI is well within the jurisdiction of India and hence has to recognize this potential risk of liability arising out of the operations of these call centers misusing its name. If no action is initiated by them, it would not only be a reason for holding them liable for the crime, but also for not providing adequate provisions in the balance sheet and thereby misrepresenting the financial position of the bank to the shareholders, constituting a Corporate Governance failure.

The Corporate Governance auditors of SBI are hereby given notice of the potential financial risk going un-reported in the balance sheet. Hope they will ask the right questions before they sign off on the audit.

True Caller declares itself subject to the jurisdiction of Courts in Stockholm, Sweden.

ITA 2000/8 however overrides the jurisdictional limitation under Section 75 to make Crimes committed outside India and by persons who are not citizens of India also come under the jurisdiction of ITA 2000/8.

Though True Caller presents its Privacy Policy and Terms of Use with several disclaimers, they can be considered as inadequate if the service is known to be used for committing frauds and the service provider has not taken sufficient steps to prevent the same.

I therefore urge the Police to initiate action against True Caller and demand to know whether they have adequate measures

a) To prevent a User or a set of users deliberately registering an impersonated name to a number and committing frauds.

b) To initiate a process by which the Company takes knowledge of any misuse of its service and initiates appropriate immediate counter action.

This article in public space is considered as a reasonable notice both to True Caller and the Police in India as well as SBI that True Caller service is being used as a tool of Crime in the name of State Bank of India and the Police are aware of this “Abetment to a Cognizable Offence”.

If no action is taken by any of these parties, future victims can invoke “Negligence” on the part of SBI and True Caller and make them liable under Section 79 read with Section 85 of ITA 2000/8 and other sections of ITA 2000/8.

I suppose efficient and dutiful police officers such as Dr Triveni Singh of Noida will issue notice to both SBI and True Caller to show cause why action cannot be initiated against them for abetting these Phishing frauds.

For those who receive such calls, I recommend that they immediately post their own disclaimers using the service of Cyber-notice.com and Identity theft notice under ceac.in. This is to offset the possibility that a fraudster makes such a call and then in association with an employee of the bank hacks the Bank account even when the receiver has not revealed any information.

It must be appreciated that in such cases where a hacking is committed after a phishing call, the evidence would stack against the victim since he cannot deny having received a phishing call but has to convince a Judicial authority that he did not reveal his identity parameters which the Bank will assertively claim.

Naavi

Bug Bounty Policy as part of Corporate Governance Responsibilities

Posted by Vijayashankar Na on March 26, 2016
Posted in Cyber Law  | 3 Comments

Software is a unique industry where from Operating Systems to applications, programs are released for public use, without any real commitment from the software developers as to whether the program is free from vulnerabilities.

In fact, vulnerabilities give rise to more opportunities in the industry and are silently adored. The Indian software boom which now claims to make the Country an IT superpower was itself greatly aided and abetted by the Y2K bug. The trend continues to this day when applications keep on hitting the market and patches are released as a matter of routine. The EULA is drafted in such a manner that we are living in an imaginary lawless jungle where the user is responsible for the mistakes of the software developer.

Imagine an automobile manufacturer who releases a new model with defects that lead to an accident or a potential accident. He is made to withdraw millions of products in the market, replace them at his cost and also be liable for payment of damages. Industries are routinely made to pay for intentional and unintentional environmental damage unless they are blessed to be a “Union Carbide under an obliging Government” when a mishap occurs. The Software industry similarly admits the need for periodical patches and makes it the responsibility of the user to conduct his own vulnerability and penetration tests, install patches and live with zero day vulnerabilities.

The recently reported incident in which 5 Engineering students in Kolkata were arrested for criminally exploiting a bug which the software developer left in the program is an immediate reminder to all of us on the responsibilities that a software vendor has to take up before commercially releasing a software product which exposes the public to risks financial or otherwise.

There is no doubt that most of the software developers do follow ethical principles of Corporate Governance and adopt measures to ensure “Quality” and “Security” during the software development cycle. There could be processes they put in place, certified by ISO bodies, to mitigate the risks of a “bug” seeping into a product that is released in the wild. But nothing is perfect in this world and even these processes do fail sometimes, too often for comfort.

When it comes to critical applications that deal with sensitive data such as financial or health or national security, there is a world of hackers trying to enrich themselves with the mistakes of honest software developers through targeted attacks. There are virus developers, malware droppers, managers of Command and Control centers for spamming, phishing and other malicious activities, etc., all hunting for opportunities to steal money from you and me who are trying to make an honest buck.

The Cyber Laws are meant to fight such menace and make it difficult for Cyber Criminals to exploit the society. There are therefore laws that impose stringent punishments on Cyber Criminals both for commission of an offence and an attempt as well as assistance to commit an offence. There are however, the misguided persons, who are only interested in making profits for themselves irrespective of the harm they cause to the society in the long run. Some of them identify an opportunity to make a fast buck out of a software vulnerability and are tempted to use them only in their self interest. The five students who got arrested in Kolkata belong to this category. If they had a strong ethical background, they would never have tried to exploit the vulnerability and instead either published the same in the media or informed the Bank/Company which was responsible for the software.

This would not be the last time that some of our intelligent youth choose such a deviant path and ruin their own careers besides the dreams of their parents.

There is therefore a need for the society to do whatever is necessary to reduce the possibility of such “Technology Intoxicant” and “Deviant Minds” pursuing the path of crime.

One step of course is in “Education”. There is a need for mandatory teaching of “Ethics in IT” right at the time when school kids are introduced to Computers and Laptops. At the time education starts teaching “Software development”, it should be mandatory to teach the basics of “Cyber Law” so that the techies are aware of the adverse consequences.

I urge the honorable Minister of Human Resources, Mrs Smriti Irani, to consider these educational innovations without any further delay.

From the industry perspective, it is also necessary that some efforts are made to reduce the incentives for “Hacking” and increase incentives for “Ethical Software Quality Research”.

To start with, we need to stop recognizing “Hackers” by rewarding them with jobs as a part of their rehabilitation. It should be a principle that every organization makes it a policy to discourage hackers from being accommodated as information security professionals like a thief being appointed as a policeman.

Past hackers should be tagged and rehabilitated through a stringent psychological drill that should include forced community service which hopefully should transform their mindset over a period of time.

Further, every software company should be made to take responsibility for the public damage that the software may create.

Presently the Companies use their financial clout to ensure that victims don’t get any justice. The way Cyber Crime victims are being treated by Indian Banks is an example to this attitude and has been repeatedly discussed in these columns in the past. This should stop and Companies should obtain Cyber Insurance to cover their liabilities.

While law can look at the possibility of considering all software owners as “Intermediaries” under Section 79 of ITA 2008 and make them responsible for “Due Diligence”, the industries can preempt the punitive provisions of law through their own measures to mitigate the risk of “Bug Exploitation”.

(P.S: It is the considered view of Naavi that even as law stands today, ITA 2000/8 requires software owners to be considered as “Intermediaries” and be financially liable for the defects of the software. Software developers need to be made responsible as Business Associates through an indemnity clause in the software delivery contract)

Through these columns therefore, I call upon all software developers to make it a policy to introduce measures not only to make their product testing procedures more robust but also involve the responsible and ethical members of the public by enrolling them as “Watch Dogs” to check on the quality of their software particularly from the point of view of presence of any vulnerabilities.

This can effectively be done through a “Bug Bounty” program that provides incentives to any person who spots a vulnerability to immediately bring it to the notice of the responsible persons within the Company. The Company should for this purpose adopt a “Bug Bounty policy” and provide rewards commensurate with the risks mitigated and efforts invested by the bug reporter.

Regulators may consider whether it is necessary to create a public body to ensure that Companies do not sit on the reported vulnerabilities, which then become zero day vulnerabilities and are exploited. Honourable IT Minister Mr Ravi Shankar Prasad may do the needful in this regard.

Cyber Insurance companies who have a stake in the early detection of vulnerabilities should initiate their own programs to subsidize the Bug Bounty programs of companies.

In the meantime, NASSCOM can also initiate some measures in this regard to develop a “Best Practice guideline” for “Bug Bounty Programs”.

What is essential in such programs is not a huge financial reward but creation of a “Recognition” followed by other assistance such as educational scholarships or reservation in higher educational institutions such as the IITs and IIMs, over riding the society dividing reservation policies based on Caste and Religion which our politicians have erroneously adopted. This will be an adjunct to the “Skills Registry” that NASSCOM is supposed to be maintaining.

As a Netizen Rights Activist organization, Naavi.org would like to contribute whatever little it can do in this regard through complimentary services. To start with, the Cyber Law Compliance Center (CLCC) has tried to develop a “Model Bug Bounty Policy” which can be adopted with necessary changes by any user company.

The CLCC would also be happy to assist the Bug Reporter through a free “CEAC” service where the reporting is certified through a third party intervention to prove the good faith credentials of the reporter. (More information on this would be provided in the web site of ceac.in.)

Under this service, a Bug Reporter can report the suspected Bug to the relevant company under copy to naavi through e-mail.

Since mitigation of the risk of financial liability arising out of defective products of a Company is part of the Corporate Responsibility, professionals within a company responsible primarily for Corporate Governance such as the Company Secretaries and Chartered Accountants should take the lead in introducing appropriate Bug Bounty programs and ensure its introduction within a Company.

I invite comments on the above suggestion.

Naavi


The recently reported fraud in Kolkata where five engineering students were arrested for a Bank Wallet fraud involving Rs 8.6 crores is an incident to ponder. (See the report in TOI here).

According to the report, the persons arrested were Engineering Students who found out, perhaps accidentally, a bug in the wallet program and its back end software functionality.

It appears that when a transaction was initiated, for a C2C transfer of money, an instruction went out to the Bank to initiate the payment to the destination mobile account. However when the destination account was not connected to Internet, at the originating end it was deemed as a failure of the transaction and the account was not debited. However, when the destination account reconnected to internet, the system recognized the event and completed the payment from the Bank end without debiting the originating customer’s account.

This was distinctly an error in the way the transaction processing was planned by the wallet developer. Since the destination person not being immediately within reach is a standard use case scenario, the transaction ought to have been planned as a three legged transaction.

The first leg is the initiation of the transaction, when the amount is debited to the originator’s bank account and transferred to a “Remittance in Transit” account. Then in the second leg, the bank’s server should try to establish contact with the destination end and, if successful, debit the amount to the “Remittance in Transit Account” and credit it to the beneficiary. Then in the third leg, the beneficiary accepts the transaction, which completes it.

If all the three legs go through smoothly, the transaction would be completed in sequence on a real time basis. If any of the three legs fails, the failure would be properly recorded, and at no stage would the money fall into wrong hands.

If the transaction fails in the first leg, the amount would not be debited to the sender’s account. If the transaction fails in the second leg, the money remains in the Bank and can be returned to the originator if a complaint is raised or after the lapse of a default period of, say, one hour. Finally, if the transaction is rejected by the beneficiary, the transaction can be reversed. If the beneficiary is aware that no money is due but still accepts the receipt, he would be legally bound to return it, as in the case of any credit made by mistake.
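As an added example (not code from the post, nor from the wallet or bank involved in the reported case), the toy in-memory ledger below reproduces the flaw as the report describes it beside the three-legged design described above; the account names, the amounts and the name of the transit account are constructed for illustration.

```python
# Added example, not from the Naavi.org post: a toy in-memory wallet that reproduces
# the double-payment flaw described in the report beside the three-legged design the
# post recommends. Names and amounts are constructed; "remittance_in_transit" is the
# suspense account the post calls "Remittance in Transit".

class FlawedWallet:
    """Flow as reported: an offline receiver makes the originating end record a
    failure (no debit), yet the bank still completes the credit on reconnect."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.pending = []  # (receiver, amount) instructions the bank will honour later

    def transfer(self, sender, receiver, amount, receiver_online):
        if receiver_online:
            self.balances[sender] -= amount
            self.balances[receiver] += amount
            return "COMPLETED"
        self.pending.append((receiver, amount))  # queued at the bank end
        return "FAILED"  # deemed failed at the originating end: sender not debited

    def reconnect(self, receiver):
        # The bank pays the queued instruction without revisiting the missing debit.
        for rcv, amount in [p for p in self.pending if p[0] == receiver]:
            self.balances[receiver] += amount
            self.pending.remove((rcv, amount))


class ThreeLegWallet:
    """Leg 1 moves funds from sender to a transit account, leg 2 delivers them when
    the receiver is reachable, leg 3 lets the beneficiary accept or reject. Every
    failure leaves the money in a known account, so the sum of balances is constant."""

    TRANSIT = "remittance_in_transit"

    def __init__(self, balances):
        self.balances = dict(balances)
        self.balances[self.TRANSIT] = 0
        self.tx = {}  # transaction id -> dict(sender, receiver, amount, state)

    def leg1_initiate(self, sender, receiver, amount):
        if amount <= 0 or self.balances.get(sender, 0) < amount:
            return None  # leg 1 fails: nothing debited, nothing recorded
        self.balances[sender] -= amount
        self.balances[self.TRANSIT] += amount
        tid = len(self.tx) + 1
        self.tx[tid] = dict(sender=sender, receiver=receiver, amount=amount, state="IN_TRANSIT")
        return tid

    def leg2_deliver(self, tid, receiver_online):
        t = self.tx[tid]
        if t["state"] == "IN_TRANSIT" and receiver_online:
            self.balances[self.TRANSIT] -= t["amount"]
            self.balances[t["receiver"]] = self.balances.get(t["receiver"], 0) + t["amount"]
            t["state"] = "DELIVERED"
        return t["state"]  # offline receiver: funds stay in transit, state unchanged

    def leg3_acknowledge(self, tid, accepted):
        t = self.tx[tid]
        if t["state"] == "DELIVERED" and accepted:
            t["state"] = "COMPLETED"
        elif t["state"] == "DELIVERED":  # beneficiary rejects: reverse the credit
            self.balances[t["receiver"]] -= t["amount"]
            self.balances[t["sender"]] += t["amount"]
            t["state"] = "REVERSED"
        return t["state"]

    def expire(self, tid):
        """Leg 2 did not succeed within the default period: return funds to sender."""
        t = self.tx[tid]
        if t["state"] == "IN_TRANSIT":
            self.balances[self.TRANSIT] -= t["amount"]
            self.balances[t["sender"]] += t["amount"]
            t["state"] = "RETURNED"
        return t["state"]


def run_flawed():
    w = FlawedWallet({"sender": 100, "receiver": 0})
    status = w.transfer("sender", "receiver", 40, receiver_online=False)
    w.reconnect("receiver")  # receiver is paid although the sender still holds 100
    return status, w.balances["sender"], w.balances["receiver"], sum(w.balances.values())


def run_three_leg():
    w = ThreeLegWallet({"sender": 100, "receiver": 0})
    tid = w.leg1_initiate("sender", "receiver", 40)
    first = w.leg2_deliver(tid, receiver_online=False)  # stays IN_TRANSIT
    retry = w.leg2_deliver(tid, receiver_online=True)
    final = w.leg3_acknowledge(tid, accepted=True)
    return first, retry, final, w.balances["sender"], w.balances["receiver"], sum(w.balances.values())
```

In the flawed flow the total of all balances grows from 100 to 140, which is the money the fraudsters extracted; in the three-legged flow the total stays at 100 whichever leg fails.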

This process is a typical process for “Cyber Law Compliant App developing” which the undersigned has been advocating for a long time and techies are unable to comprehend.

It is unfortunate that the reported fraud occurred in a Bank where the Bankers should have tested and ensured that the above process was followed. This is “Negligence” and a failure of “Due Diligence” at the Banker’s end and hence makes them directly liable for assisting the commission of the above crime and for reimbursing the victims.

The techies are normally not domain specialists and hence are naturally naive enough to accept whatever broad product specification is given by a client (who himself may not understand how technology works). The techies focus on the functionality of the app and on reducing the steps in completing the transaction so that the transaction goes through fast. In fact it would not surprise me if the wallet developer in the above case was proud of the way his wallet was processing the transaction without understanding the major flaw.

The techies in this case however failed in not subjecting the wallet to proper testing and also in not using a “Bug Bounty” program with sufficient incentives, so that the Engineering students who were perhaps not “Born to Commit a Crime” would have been incentivised to report the bug rather than gang together to commit a grand fraud which will now put them into jail and destroy their future permanently.

At present, the media has not published the name of the Bank nor the name of the App which was involved in the fraud. They may be presuming that they are protecting the privacy of the Bank and the App and preserving their reputation.

However, it must be stated that this is a major incident which needs to be publicized in the interest of the public. In case I am a user of the App, I need to take care. If I am a customer of the Bank, I need to take care because I now know the Bank is reckless in technology adoption and can endanger me elsewhere. By protecting their identity, the media is hiding the truth and protecting those who do not deserve protection. I therefore charge that the media has also failed in its duty at this point of time in not fully disclosing the incident details.

Since an FIR has been registered and a charge sheet is going to be filed shortly (unless the Police are forced to be compromised before the filing of the charge sheet), the identity of the Bank and the App is public information and hence should be in the public domain sooner or later.

I request any of the readers who are aware of the name of the Bank and the App to consider revealing it in public interest.

At the same time, I request all App developers to take care of proper testing, proper domain knowledge inputs and a good Bug Bounty program as a standard procedure before releasing the app at least in the sensitive sectors.

All the Banks who are now using various wallets should also review their own Apps and ensure that similar bugs do not endanger their clients.

Naavi

Also Refer:

Wallet Frauds on the Rise: Business Standard

Mobile Wallet Frauds set to raise: Deloitte: Governancetoday.co.in

Aadhar Cards..should they be used in wallets..as KYC?: track.in

Bug Bounty Program from Government Required..


Flipkart CEO’s E mail hacked…

Posted by Vijayashankar Na on March 18, 2016
Posted in Cyber Law  | No Comments yet, please leave one

In an interesting development of how even tech savvy CEOs often become victims of Cyber Crimes, it is reported (See the Report here) that Flipkart CEO’s E mail was hacked and two mails were sent from it to the company’s CFO asking for transfer of $80000/-.

Fortunately, the CFO decided to personally check with the CEO Mr Binny Bansal who immediately confirmed the fraud so that further damage could be prevented.


The incident highlights that Cyber Criminals use well directed targeted attacks. Sometimes they may use sophisticated methods but many times, simple methods also work.

Preventing such frauds requires building up an enterprise level culture of Information Security which does not stop at the technological approach to information security but extends to legal and behavioural aspects.

Naavi

Flipkart blacklists Sellers for malpractice

Posted by Vijayashankar Na on March 18, 2016
Posted in Cyber Law  | No Comments yet, please leave one

In a bid to check fraudulent practices by sellers, Flipkart has instituted a “Mystery Shopping” team and found several malpractices including,

a) Supply of substandard products

b) Selling of Counterfeit products

c) Buying out competitor’s products and returning them

d) Buying own inventory to benefit from cash back offers

(Refer Article in ET)

The exercise carried out over a period of 6 months resulted in about 250 sellers being blacklisted. Feedback was taken on about 600 sellers. Some of them were guilty of inefficiency in the form of wrong labeling or packaging and are being given training to improve their performance.

It is said that there are about 85000 sellers on the platform. It is understood that Paytm has blacklisted around 3000 sellers last year and similar exercise is done by other E-Commerce agencies as well.

Recently, three persons were arrested in Nagpur for floating an entire e-commerce website along with a payment gateway to defraud the public through fake transactions. (Refer Article in TOI here).

Fake websites in the Government sector have also been used to defraud Netizens. (Refer Article here)

It is therefore natural that frauds do take place on the platforms of reputed e-commerce players, both by sellers and even by some buyers.

Flipkart and other E Commerce players need to therefore be ever on the vigil to check such malpractices.

Naavi

Cheque In Electronic Form, redefined, Implications on E Banking

Posted by Vijayashankar Na on March 16, 2016
Posted in Cyber Law  | 1 Comment

Section 6 of the Negotiable Instruments Act 1881 defined the term “Cheque” as follows:

A “cheque” is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand.

This section was amended and expanded by the Negotiable Instruments (Amendment and Miscellaneous Provision) Act 2002 with effect from 6th February 2003 to include “Cheques in Electronic Form”.

The amended section then read:

6. “Cheque”.– A “cheque” is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand and it includes the electronic image of a truncated cheque and a cheque in the electronic form.

Explanation 1.–For the purposes of this section, the expressions–

(a) “a cheque in the electronic form” means a cheque which contains the exact mirror image of a paper cheque, and is generated, written and signed in a secure system ensuring the minimum safety standards with the use of digital signature (with or without biometrics signature) and asymmetric crypto system;
(b) “a truncated cheque” means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

Explanation II.–For the purposes of this section, the expression “clearing house” means the clearing house managed by the Reserve Bank of India or a clearing house recognised as such by the Reserve Bank of India.

The above amendment had a relation to ITA 2000 since “Cheque in Electronic Form” was one of the electronic documents to which the ITA 2000 applied.

Now the NI Act has been further amended with “The Negotiable Instruments (Amendment) Act 2015” passed on 29th December 2015 with effect from 15th June 2015.

This amendment inter-alia re-defines the term “Cheque in Electronic Form” by replacing the explanations, which now read as follows:

Explanation 1.–For the purposes of this section, the expressions–

(a) “a cheque in the electronic form” means a cheque drawn in electronic form by using any computer resource and signed in a secure system with digital signature (with or without biometrics signature) and asymmetric crypto system or with electronic signature, as the case may be;
(b) “a truncated cheque” means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

Explanation II.–For the purposes of this section, the expression “clearing house” means the clearing house managed by the Reserve Bank of India or a clearing house recognised as such by the Reserve Bank of India.

Explanation III.—For the purposes of this section, the expressions “asymmetric crypto system”, “computer resource”, “digital signature”, “electronic form” and “electronic signature” shall have the same meanings respectively assigned to them in the Information Technology Act, 2000.’.

The amendment is meaningful and confirms what was already understood with the passage of ITA 2000 (effective from 17th October 2000) which recognized the electronic document and digital signature as equivalent to paper and written signature.

In the earlier system, there was a need to scan a cheque to transform it into an electronic form and cancel the physical cheque simultaneously. It was not practically convenient and it is good that RBI realized its mistake and corrected the system.

Now any document which is an unconditional order to a banker affixed with digital signature can be called a Cheque in Electronic form.

However, it will be necessary for Banks to make an addition to their Account operational instructions to include instructions on how a non standard format satisfying the definition given in Section 6 (2015 version) received by the Bank would be handled.

It may however be necessary to take note that the amendment does not make any changes in the “Presentment” of, the “Payment in Due Course” of, or the “Collecting Banker/Paying Banker responsibilities” for an electronic cheque.

Now that the definition of the cheque in electronic form has been added to the NI Act without further changes to other aspects of the NI Act, Banks should be prepared to receive an e-mail from a customer attaching a digitally signed cheque in electronic form issued by another customer of the same Bank or another Bank, and take a decision on what to do.

Presently the clearing system operates on truncated cheque system and there is no defined system for clearing the new Cheques in Electronic form. RBI needs to take action on introducing a system of clearance of such cheques.

Since the NI Act has not been further amended to re-define the concepts of endorsement in electronic form, holder in due course of a Cheque in electronic form, etc., there are several aspects of the NI Act which need to be interpreted for Cheques in Electronic form.

An interesting phase of development in electronic banking is now before us. There will be certain adverse implications of the amendment not being comprehensive enough. Probably, there will be a need for a quick further amendment to reduce the uncertainties created by the amendment of 2015.

Naavi

Copy of the Amendment Act

(More on the implications of the new NI Act will be discussed in these columns in the coming days. I invite comments and views from readers in this regard)