

Building a Responsible Cyber Society…Since 1998

There is a WhatsApp message in circulation that states

“Breaking News, Amazon Selling Samsung J7 Mobile Phone at Just 499 Rs because of Golden Anniversary. Buy It Now Before Sale Ends. Cash On Delivery Also Available. Visit just now http://amazon.mobile-flashsale.com/”

This appears to be an attempt to harvest contact information, and probably also a fraud to collect Rs 499/- from some of the people who respond.

At present Chrome/Google has flagged the site as a “Suspected Phishing Site”, and the site is also blocked by anti-virus software.

However, it is worth the general public taking note of this kind of fraud, where the fraudster rides on a genuine mega sale being promoted by Amazon, in which discounts of up to 50% are offered on certain items. The fraudulent message, however, claims a discount of 97%, and on a popular mobile product. It is quite possible for many to fall prey to such a fraud.

What people should observe is that the host name starts with “Amazon”, but that is only a sub-domain label; the registered domain is mobile-flashsale.com, which has nothing to do with Amazon. If people can recognise this difference, most would be able to identify the fraud.
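The check described above can be automated. The following Python is an added example written for this page (it is not code from the original post or from any of the companies named): it extracts the registered domain from a URL and flags a brand name that appears in the authority part of the URL while the registered domain belongs to someone else. The abbreviated suffix list is an assumption standing in for the real Public Suffix List, and the URLs fed to it are constructed samples (one of them is the link from the WhatsApp message).

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List. This is an
# assumption for the example: a real check should load the full list from
# publicsuffix.org, because "co.in"-style suffixes cannot be guessed.
PUBLIC_SUFFIXES = {"com", "net", "org", "in", "co.in", "co.uk", "uk"}


def hostname(url: str) -> str:
    """Return the lower-cased host from a URL, tolerating a missing scheme."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # userinfo ("amazon.in@...") and port are dropped here
    if not host:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".").lower()


def registrable_domain(url: str) -> str:
    """Return the registered (eTLD+1) domain, e.g. mobile-flashsale.com for
    amazon.mobile-flashsale.com. Everything left of it is a sub-domain label
    that the registrant can set to any text, including a brand name."""
    labels = hostname(url).split(".")
    # Scanning from the left finds the longest listed suffix first,
    # so "co.in" wins over "in" for shop.amazon.co.in.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError("host is a bare public suffix")
            return ".".join(labels[i - 1:])
    # Unknown TLD: fall back to the last two labels.
    return ".".join(labels[-2:])


def brand_impersonation(url: str, brands) -> list:
    """Return the brands that appear in the URL's authority part while the
    registered domain itself is not the brand. The authority (netloc) is
    checked rather than only the host so that userinfo tricks such as
    http://amazon.in@mobile-flashsale.com/ are caught as well."""
    if "://" not in url:
        url = "http://" + url
    authority = urlsplit(url).netloc.lower()
    owner_label = registrable_domain(url).split(".")[0]
    return sorted(b for b in brands
                  if b.lower() in authority and b.lower() != owner_label)


if __name__ == "__main__":
    # Constructed samples: the URL from the WhatsApp message, a genuine Amazon
    # URL, and a userinfo trick that hides the real host after an "@".
    for u in ("http://amazon.mobile-flashsale.com/",
              "https://www.amazon.in/deals",
              "http://amazon.in@mobile-flashsale.com/"):
        print(u, "->", registrable_domain(u), brand_impersonation(u, ["amazon"]))
```

Only the registered domain identifies who controls a site; a brand name anywhere to the left of it, or before an “@”, is free text chosen by the registrant.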

Now that the website has been blocked by Google itself, the fraud through this domain name may be over. But it may come back under another name. It is therefore necessary to take some steps to prevent such frauds from recurring.

I therefore request the law enforcement agencies to take note of this, identify the perpetrator of the fraud and book him for the offences under both ITA 2000/8 and the IPC.

The domain name mobile-flashsale.com has been registered through GoDaddy, which is the intermediary facilitating the fraud and liable under Section 79 of ITA 2000/8. The website is served through Cloudflare (cloudflare.com).

The registrant noted by GoDaddy is

Mr Anil Kumar, Kanyakumari, with a registered mobile number 9886554323 and an email address rv984950@gmail.com.

Sending the WhatsApp message and creating a fraudulent website can be considered impersonation/attempted impersonation for the commission of, or an attempt to commit, “Cheating”, and hence punishable under both ITA 2008 and the IPC.

I therefore call upon the Police in Kanyakumari to identify this Anil Kumar and prosecute him. It is possible that the e-mail address or the mobile number may be untraceable, since false details might have been provided by the registrant.

In that case the Police need to book cases against

a) GoDaddy.com

b) Cloudflare.com

c) Google.com

d) The mobile service provider on whose network the number 9886554323 is operating (Vodafone Karnataka). It is possible that the number has been ported from Vodafone Karnataka to some Tamil Nadu service provider, in which case Vodafone should identify the new service provider that is currently billing this fraudster.

These intermediaries are guilty of “Negligence” and of “Assisting” in the commission of the fraud. They are liable under Section 79 of ITA 2000/8 for the lack of due diligence that facilitated the fraud.

If any member of the public has suffered loss on account of this crime, they should file a Police complaint naming these intermediaries as accused, and also approach the Adjudicator of their respective state (the IT Secretary of the State) to file a complaint under Section 46 of ITA 2008 for recovery of their losses.

The Adjudicator of Tamil Nadu can also start a suo motu enquiry and direct the Police in Kanyakumari to conduct an investigation and report back. Once the enquiry is complete, the Adjudicator can impose a penalty of a reasonable amount and appropriate it into a fund from which any complainant can be compensated.

This incident should be made a test case of how the State should respond to such cyber frauds. Probably the State administrators will be too busy for such public service, and I therefore request public-interest advocates to take up the issue and draw the attention of the appropriate judicial authorities to prosecute the fraudster/attempted fraudster alias Anil Kumar.


[P.S: If there are any innocent persons by name Anil Kumar particularly in Kanyakumari, kindly excuse me for using the name in this post. I welcome all such people to inform me so that a disclaimer can be put up on this platform stating “I am not that Anil Kumar”.]


The security world is warning Indian Android mobile users that the malware HummingBad has been spreading fast across the globe and poses a threat to Indian mobile users as well.

This malware is reported to have infected over 1.4 billion Android devices worldwide and to generate ad revenue of over $300,000 a month for its Chinese owner “Yingmob”, a Chinese mobile ad server company which had already been linked to the development of malware targeting Apple iOS devices.

Once on a device, HummingBad is capable of exploiting a full range of paid services, including displaying mobile ads, creating fraudulent clicks from users’ devices, and installing additional fraudulent apps. According to Check Point, the infected apps display more than 20 million advertisements per day, and Yingmob achieves over 2.5 million ad clicks per day, which translates into significant revenue. Yingmob’s average revenue per click (RPC) is $0.00125, so the accumulated daily revenue from clicks is over $3,000. Added to revenue from fraudulent app downloads, which exceeds $7,500 daily, Yingmob makes over $10,000 per day, more than $300,000 a month.

Under Indian law, such unauthorised introduction of code is considered a “computer contaminant” and is an offence under Section 66 of ITA 2000/8. If any of the intruded mobiles is the property of the Government of India, the intrusion can be considered an offence under Section 66F, which is treated as “Cyber Terrorism” and for which life imprisonment is possible. Also, in view of Section 75 of ITA 2000/8, Indian Courts have jurisdiction to try this offence and pronounce a verdict.

In order to discourage legitimate commercial companies from taking up cyber crime as a business, it is necessary that such activities are nipped in the bud. I therefore urge the Indian Government to lodge a formal complaint with evidence obtained from Check Point, prosecute Yingmob for a Section 66F offence in India, and then take up the issue at the international level.

This trend of mobile malware that tries to root the device may also be commercially beneficial to the mobile manufacturers, since users tend to get fed up with the slowing down of their devices and often decide to buy a new mobile rather than put up with persistent malware-induced performance attrition. Probably the Chinese mobile industry is therefore not so unhappy that there are companies like Yingmob in its midst.

Besides, the growth of mobile ransomware poses an unimaginable threat to India’s Digital India programme. If proper defensive action is not taken to prevent Yingmob-type companies from using their resources to commit international crimes, the Indian economy is in danger of being swamped by a cyber war attack launched through the same mobiles on which HummingBad operates today as a relatively less harmful, performance-reducing malware. Left unchecked, it can become a monster in the days to come.

It is time India took the lead in checking such malpractice and showed the world that such deceit does not pay.


RBI cautions Banks on Cyber Security

Posted by Vijayashankar Na on July 30, 2016
Posted in Cyber Law

The RBI Deputy Governor Mr R Gandhi has confirmed that the recent cyber attack reported in Mumbai was on Union Bank of India, but that no loss appears to have been reported. Mr Gandhi also reminded the Banks about the new Cyber Security Framework that RBI wants Banks to implement.

Under this framework, Banks had to confirm that a gap analysis had been completed and taken note of by the Board before July 31, 2016. Since the deadline effectively passed yesterday (given the weekend holidays), it would be interesting to know whether at least one Bank has reported its compliance to RBI. Since his statement is silent on this aspect, it can be presumed that no Bank has so far completed the gap analysis, obtained the approval of its Board and reported it to RBI, though one or two might have completed the gap analysis at departmental level and kept it ready for presentation to the Board whenever it meets next.

Now we need to watch what the follow-up action of RBI will be for non-compliance with this first-level requirement.


In a slightly surprising but welcome development, the Government of India has released a notification under Section 67C of ITA 2008, viz. G.S.R. 711 (E) dated 21st July 2016, titled “Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016”. It may not fit perfectly under Section 67C, but it is otherwise concerned with setting up a new regulatory authority called the Digital Locker Authority and defining a new line of business within the Digital India project.

Apparently, the purpose of this notification is to define the rules under which public documents shall be preserved and protected when lodged with the DigiLocker authorities, and the notification is issued under Section 67C of the Information Technology Act 2000/8. It sets a new trend of “Data Retention” rules defined specifically for one domain of activity.

Sec 67C was perhaps meant to define “how long” and in “what form” intermediaries must retain information, with the “manner” of retention being incidental. However, this notification actually goes on to define the “manner” in which a certain type of intermediary shall retain information, without much emphasis on the format or the period for which the information has to be retained. Also, the “information” referred to in Section 67C of the Act is here used to mean the “documents” that a subscriber would like to lodge in the safe custody of an agency as a “Uniquely Identifiable Document” with a “URI” (Uniform Resource Identifier). No specific structure for the URI, such as the standard structure of a URL, has been defined as part of the “manner of retention of information” under Sec 67C.

It therefore appears that Section 67C has been used as a vehicle to define a new business proposition which has its own implications for Digital India. It has, in effect, redefined Sec 67C itself and altered its scope.

Maybe we can call this an innovative and creative interpretation of the law, but the possibility of unintended consequences following from a loosely regulated service needs to be watched.

New Opportunities Unleashed

In effect, through this notification, the Government seems to have defined a new business proposition for the private sector: developing services to set up and manage “Portals”, “Access Gateways” and “Repositories” to store electronic documents deposited by the public, verifiable and retrievable by authorised entities.

The service as conceived is bigger than UIDAI, and without a separate Act like the UIDAI Act it enables a new system by which electronic documents are authenticated, preserved and verified.

Obviously there will be Privacy and Security issues as well to contend with.

Further, since the main DigiLocker authority would be the Government, the notification amounts to an admission that its own department may now be considered an “Intermediary” if it also provides its own DigiLocker service alongside private sector players. Such a department will therefore be subject to Sec 79 obligations.

To protect the department as well as avoid conflicts, it may be necessary for DeitY to refrain from directly providing the DigiLocker service, as it is doing now, and to make the DLA a regulator like the Controller of Certifying Authorities, which restricts itself to regulatory issues and does not provide a service of its own. Provisions such as the “Appointment of a Digital Locker Authority” should have been part of the notification, but unfortunately they have not been released as of now. We need to wait for these to be issued in a supplementary notification in due course.

The “DigiLocker credentials”, which may ultimately be just a log-in ID and password, will henceforth become a pointer to the other documents such as Aadhaar, PAN etc. held within the Digital Locker, and their security would be a key obligation of the service provider, since the credentials become a proxy for the subscriber’s identity.

Just as the Unified Payments Interface (UPI) is becoming a universal identifier for all financial instruments owned by an individual, this DigiLocker account may become the universal identity document for an individual.

The DigiLocker service provider would have a “Digital Locker Practice Statement”, similar to the one used by a Certifying Authority for digital signatures, and would be bound by it.

The practice statement would be a self-declaration, verified only by an audit by an independent auditor. Since the Digital Locker Service Provider has to be notified in the Gazette, the practice statement may be subject to an approval process.

The service provider would obviously be subject to obligations under Section 43A for reasonable security practices and to compliance with all aspects of ITA 2000/8.

At present the qualifications of an auditor are not defined, and I hope they will be determined on an “ability to audit” basis and not on a “qualification certificate issued by preferred entities” basis.

In summary, it appears that the Government, through this notification, has opened up a new business opportunity carrying responsibilities comparable to those of a Licensed Certifying Authority issuing digital signature certificates, or of the Unique Identification Authority of India (UIDAI), without elaborate legislation. It could be an innovative approach, but hopefully one that is not questioned in the Courts for its validity.

The Start Up community may welcome this move as it opens up new opportunities where they can integrate several of their services.

We need to watch out how this notification gets absorbed by the community and harnessed for business.


(These are preliminary views and more would follow)

SWIFT Hacking exposes Indian Banks to huge Risks

Posted by Vijayashankar Na on July 27, 2016
Posted in Cyber Law

The hacking of a Bangladeshi Bank last February, in which about $81 million was transferred by fraudsters who hacked into the SWIFT inter-bank money transfer system, is a grim reminder of the weaknesses in our Banking ecosystem.

A detailed account of this heist is explained here.


The article explains the suspected modus operandi used by the hackers to book 35 fraudulent transfers amounting to nearly US$1 billion out of the Central Bank of Bangladesh’s account with the Federal Reserve Bank of New York. By some grace of God only 4 of these transactions went through, and the loss was limited to $81 million. The principal cause appears to have been the compromise of the access credentials of one of the Bank’s employees by malware. What compounded the problem were the delays in cross-verification arising out of holidays, first in Bangladesh and then in New York, which exposed the Bank to the huge loss. What finally caused the remaining 30 transactions to be held up by the New York bank was that one of the addresses in the transfer instructions contained the word “Jupiter”, which was a blacklisted name of an Iranian oil vessel subject to sanctions. One further transaction failed due to a spelling mistake.

Now, a clear 4 months later, a similar attack seems to have been repeated on one of the Indian Banks in Mumbai, which again, by a stroke of luck, did not go through.

The incident has been reported in the Economic Times here.


This time the US bank was a little more alert in identifying an unusual transaction, and the Indian Bank was saved. At this point it is not clear which Bank was involved, except that it was a public sector Bank headquartered in Mumbai. The Economic Times report indicates that the Stock Exchange has not been informed of the attempted fraud, which should be considered a violation of SEBI norms.

The CERT-In guidelines require that information regarding such security breaches be reported to them, and even the latest RBI guidelines mandate reporting of such incidents. However, Banks continue to hide the incidents and keep their investors in the dark until one day such frauds blow up in their faces.

One thing, however, is clear from these incidents: the security systems within the Banks have several shortcomings, and if even SWIFT transactions are unsafe, one wonders how safe RTGS transactions are.

Just like the Banks, customers too should pray for luck to be on their side to protect their funds from fraudsters!


During the days of the G Gopalakrishna Working Group (GGWG) of RBI, which was deliberating on e-banking security, two Banks, namely ICICI Bank and SBI, who were members of the committee, tried to argue that “Two Factor Authentication” should be considered equivalent to a “Digital Signature” for the purpose of authenticating Banking transactions. Fortunately, thanks partly to the efforts of the undersigned, the bluff was called and the GGWG rejected the recommendation of the sub-committee in this regard.

This was way back in 2011, and a lot of water has flowed under the bridge since then. Despite the GGWG’s recommendation against Two Factor Authentication being treated as valid authentication, Bankers have continued to use two factor authentication based on an SMS sent to a mobile as the principal means of authenticating all transactions conducted over the Internet or mobile.

In the case of mobile Banking, SMS-based two factor (2F) authentication was actually reduced to single factor authentication, since the same channel (the mobile device) was used both for the transaction and for the authentication.

In the meantime, certain malware was developed specifically to exploit SMS-based 2F authentication, and technologists continued to further compromise security by developing apps that could read the SMS automatically, pick up the OTP and complete the authentication process without human intervention. “Convenience” blinded users into believing that this technological revolution was great.

Technologists who had little understanding of security, or ignored it deliberately for the sake of app functionality, together with business entities that always pursued the compromised policy of “security to the extent it is financially feasible”, made 2F authentication a universally used system, providing a false sense of security to users.

What was regrettable was that the Government of India also fell prey to this false sense of security, treating an OTP sent by SMS to a mobile as valid 2F authentication that could enable Aadhaar-based e-Sign, which is then treated as a “legally valid” authentication.

The UPI (Unified Payments Interface) further adopted the OTP for integrating all card-based transactions and raised the stakes. It is reported that many FinTech projects will go live on the UPI platform in the coming days, making the SMS-based OTP system a widely used digital authentication system in India.

The central point that Naavi has been making in all the discussions here is that the dependency on OTP has diluted the KYC process, subordinating it completely to the integrity of the KYC system used by the Mobile Service Providers (MSPs). The situation has reached the point where “mobile number ownership” is treated as equivalent to holding an “Aadhaar card”, as if it were the “passport to digital identity”. But the MSPs’ KYC processes are not robust enough to be the foundation for all financial dealings in the country, and therefore society is exposed to a huge risk of massive digital financial fraud.

There now appears to be a silver lining indicating that the tide may be turning. Yesterday there was a news report that the Indian Army had filed an FIR against Airtel over the issue of “pre-activated” and “unverified” SIM cards in Manipur.

According to the complaint, an Army column had found that a distributor was handing out free, pre-activated SIM cards to the villagers without any paper work.

Though Airtel has officially denied violating any DoT norms, the prevalence of the practice of issuing pre-activated SIM cards, which can be used by either terrorists or fraudsters, has been documented beyond doubt, exposing the naivety of the regulators, including RBI, DeitY, UPI and Aadhaar, in relying on the KYC process of the MSPs as reliable enough to mount their financial transactions on as a Standard Operating Process (SOP).

This incident alone should immediately have brought out a clarification from RBI and DeitY or CERT-In that SMS-based 2F authentication is no longer to be relied upon for building authentication systems that may in turn be used for financial transactions.

I therefore urge CERT-IN to immediately step in and issue the advisory.

In a further confirmation of this need to deprecate SMS-based 2F authentication, the globally accepted, Government-backed standards organisation NIST (the National Institute of Standards and Technology) of the US has proposed to deprecate SMS-based authentication in its latest draft standard.

The report also notes that NIST has flagged the abuse of the SS7 protocol by hackers, which was highlighted on Naavi.org recently. According to the NIST,

“it’s going to deprecate it (Ed: the SMS-based 2F system) in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.”

One additional reason why identity verification through an SMS sent to a mobile number is considered unreliable is the rise of online services that offer a “virtual mobile number” as a service. This “virtualisation” of the MSP system will be a feature that comes in handy for fraudsters and a threat to law enforcement agencies.

The “authentication industry” therefore has to find a new method of reliably verifying the source of a digital transaction, without which the entire FinTech industry will be skating on thin ice.

This development will be a milestone in the standards that set the benchmarks for “Due Diligence” and “Reasonable Security Practice” under Section 79 and Section 43A of the Information Technology Act 2000/8.

All judicial authorities, including Adjudicators, as well as all advocates need to take note of this development and ensure that Banks and other organisations that continue to use SMS-based 2F authentication are no longer considered to be following “Due Diligence” or “Reasonable Security Practice” under ITA 2000/8, and hence will have to absorb the liabilities arising from frauds where the OTP is used as an authentication feature.

Additionally, this article, placed in the public domain, will also serve as a “Notice” to all organisations, security professionals, advocates and judicial authorities, including Government agencies, that the failure of SMS-based OTP as a reliable authentication mechanism in the digital world has been brought to their notice, and that its continued use will disable any legal defence based on this concept being projected as an accepted “Industry Practice”.