
Naavi.org

Building a Responsible Cyber Society…Since 1998

We have been discussing the “Limited Liability” Circular of RBI, which was first issued in draft form on August 11, 2016 and confirmed on July 6, 2017.

However, recently, when one of the customers of SBI Cards from Chennai (a respectable employee of an MNC software company) who had lost money on a fraudulent credit card transaction requested them to redress his grievance under the provisions of this circular, SBI Card replied that it was not aware of the existence of such a circular.

In an email reply from ceo@sbicard.com dated 1st September 2017, signed by one Jaspreet Kaur, SBI Card replied:

“…we are not in receipt of any communication from RBI regarding limited liability clause.”

The Bank has provided the IP addresses from which the fraudulent transactions were made, and these indicate transactions somewhere in Jharkhand while the customer is in Chennai.

This indicates that the SBI Card authentication system has not implemented “Adaptive Authentication” to identify an unusual transaction, as is required under the various cyber security guidelines issued by RBI from time to time.

Obviously, if Jaspreet Kaur does not know even the important Limited Liability circular, we may presume that she is not only ignorant of it but also incapable of understanding what “Adaptive Authentication” is.

Employing such inefficient persons with the authority to reply under an e-mail ID “Ceo@sbicard.com” indicates the complete lack of competence of SBI Cards to handle the responsibility of credit cards.

We are also surprised that, this fraudulent transaction being a credit card transaction in which a payment has been made to a merchant, the “Charge Back” option has not been exercised by SBI Cards.

The concerned merchant is the beneficiary of a fraudulent transaction and is therefore part of a “Money Laundering” exercise. Hence SBI Card should not have hesitated to allow a charge back immediately.

SBI Cards should make a public statement if the Card holder, who is also a customer of the Bank, is not as important as the Merchant, who may also be a customer of either SBI itself or some other Bank.

If SBI/SBI Cards was aware of the Limited Liability circular, they should have introduced a grievance redressal mechanism as well as indicated a policy for determination of liabilities under various conditions. No such policy has so far been published by SBI even after two months since the circular was issued.

The casual handling of the complaint by Ms Jaspreet Kaur indicates the possibility of her being an accomplice in the fraud.

I wish the Police in Chennai would register a case against SBI Card as an organization and Ms Jaspreet Kaur as an individual who, by her “negligence” and “an attempt to shield a fraudster”, has become an accomplice to the fraudulent transaction.

I also do not think that Ms Jaspreet Kaur could be the CEO of SBI Card. If she is not the designated CEO of SBI Cards, her use of the e-mail CEO@SBIcards.com is an attempt to cheat the customer by misrepresentation and possible unauthorized use of a senior executive’s e-mail ID, which are offences under Section 66C and 66D of ITA 2008. These are cognizable offences and Chennai police should make use of these provisions in pursuing the complaint.

I call upon the Chairman of SBI to also initiate an internal enquiry on the complaint and ensure that customer complaints are handled with more responsibility.

I also request RBI to pull up SBI for not ensuring that its executives are properly informed about the RBI Circular and, if no satisfactory explanation is available, to suspend the Credit Card license of SBI Cards.

I am looking forward to an immediate response from some responsible person in SBI and request him to redress the grievance of this customer. (Ref: Interaction ID: 123634897427)

It is a general observation that a large number of frauds happen in the credit card system of SBI Cards, much more than in other Banks. The reason is apparent: SBI Cards is being managed by incompetent persons who may be hand in glove with the fraudsters. There is a need for an in-depth enquiry by CBI on the functioning of SBI Cards so that customers are not subjected to an “SBI Risk”.

Naavi

IAPP KNet Session at Bangalore: Aadhaar and Privacy

Posted by Vijayashankar Na on September 2, 2017
Posted in Cyber Law

IAPP had organized a half day session at IIIT Bangalore in which the Privacy issues surrounding Aadhaar were discussed in the light of the recent Supreme Court judgement. A summary of the thoughts shared by the undersigned in the meet is reproduced here.

The reference to the Nine member Bench of the Supreme Court was made during the discussion in the smaller bench on the Constitutional validity of Aadhaar, in which one point brought out by the Government was that Privacy is not a fundamental right. Sensing the danger of this argument being held valid on account of two earlier judgments of the Supreme Court, namely the M.P. Singh and Kharak Singh judgments, one of which was from an 8 member bench, the CJI quickly set up the Nine member bench, which in double quick time came up with its massive judgement and cleared the path for the smaller bench to proceed with the Aadhaar hearing under the specific consideration that Privacy is a Fundamental right.

Once this issue is settled, the Government will have to justify the Aadhaar Act under one of the “Reasonable Restriction” clauses under Article 19(2).

In this context, the issues before us are to understand:

a) Does Aadhaar per se violate Privacy?

b) Does the mandating of Aadhaar for social benefits violate Privacy?

c) Does linking of Aadhaar to PAN violate Privacy?

d) Does leaking of Aadhaar data through the e-Hospital app violate Privacy?

e) Does leaking of Aadhaar data through a biometric device violate Privacy?

f) Once a biometric is compromised, is there a way to put the clock back?

We must recognize that Aadhaar was perceived as a database of demographic and biometric data linked to a random number. This number was supposed to be held confidential by the owner and presented with his biometric to those agencies which needed to verify any particular parameter associated with the Aadhaar, such as the name, address, father’s name, date of birth etc. The query was supposed to be always answered with a binary Yes or No, and Aadhaar data was not supposed to travel on the internet.

However, in its implementation, Aadhaar is now used as an ID card, and any authorized person who seeks information is allowed to download the entire Aadhaar record on his systems, where the data along with the Aadhaar number resides. The query is answered not only with the biometric but also with an OTP over the registered mobile. There are also authorized APIs that lift the data from the Aadhaar server and populate forms at the User end. The e-Hospital application was one such application, and it was at the center of the recent suspected data breach.

Similarly, wherever biometric devices are used, the biometric has to be captured and then transmitted to the Aadhaar server for authentication. Though the transmission is encrypted, it is possible for a copy of the encrypted biometric to be stored at the device end. This was detected in one instance where eMudhra and Axis Bank had sent a stored biometric for authentication and UIDAI had filed a criminal complaint.

Since the devices would be under the control of the intermediaries, even if UIDAI ensures an audit of a device before it is approved, there is a possibility of it being tampered with subsequently.

The current generation of biometric devices, and the technology adopted for referring the captured biometric to the UIDAI server, do not seem to be secure enough to prevent storage of the biometric, and this could be a Privacy threat.

Thus, in most cases, Privacy information leakage occurs at the user end and not at the UIDAI end. Hence what UIDAI is required to ensure is a process by which users take the responsibility for leakage of Aadhaar data.

Currently this is determined by the provisions of ITA 2000/8 under Section 79 and 43A along with other provisions.

The issue of Aadhaar and Privacy should therefore be seen in the context of how the Aadhaar intermediaries obtain the consent of the Aadhaar users and whether it satisfies the internationally accepted principles of disclosure, minimal usage, security, limited period retention etc.

Some of the legal luminaries do consider that “Consent”, being a “Contract”, cannot be used to circumvent the abrogation of “Fundamental Rights”. In view of this, the consents need to be carefully drafted to avoid litigation.

Compliance therefore becomes a challenge to the companies who need to use “Data” as the raw material for their business.

If Aadhaar related privacy issues are to be tackled, there is a need to relook at the technology by which the Aadhaar database is accessed by the intermediaries who provide various services using Aadhaar as an ID. The Government should also stop treating Aadhaar as an ID card which can be shared at various usage points to be photocopied and used.

If, before the Aadhaar hearing comes up again in the Supreme Court, the Government issues a policy guideline on how the Aadhaar database is to be used, it may strengthen the argument to defend the Aadhaar system. Otherwise there could be a danger of impossible restrictions being imposed by the Court, which may require changes to many of the use cases under contemplation.

Naavi