It was heartening to note today that Times of India front news page carried a news of a successful Cyber Crime prevention operation in which Skimming in 5 ATMs were detected before any customer reported a loss. Normally Banks realize that skimmers are placed on their ATMs only after scores of frauds are reported. Some times the skimmers might have even been removed and moved to another ATM before anybody has recognized that a Skimmer was in deed in operation.

We should therefore congratulate Kotak Bank for having identified the skimmer and reported it to the Police quickly.

Once the skimmers were reported, it was perhaps the connectivity that enabled the Police to zero in on the foreigners from Romania who are supposed to have planted them. According to the report the accused came on a tourist Visa and used the age-old practice of fixing the skimmer on the Card slot and a Camera some where to record the Pin entry.

What however surprises most is that in the days of CCTV cameras and ATM guards, how is it possible for some body to walk in, fix the skimmer and the camera, spray paint the edges and go back without being observed. It is simply not possible except when the Bankers are not vigilant and implemented the “Reasonable Security Practices” under Section 43A of ITA 2000/8.

Have the Police filed a case against the Bank?… Obviously no.

Though most Bank frauds occur because of the negligence of the Banks, (It may not be the case with Kotak Bank in this case), Police have always been reluctant to call them to account. This only has encouraged them to continue “Reckless Banking” motivated by the greed for more profits and putting the customers always at risk.

After the Corporation Bank ATM incident, Bangalore Police had sent a mandate that all Banks should provide security guards at the ATM. Banks promptly told RBI that they want to be compensated for the increased cost of such security and started charging money for withdrawals on which today we even pay GST and enrich the Governments both at the center and the state.

Have the Bangalore Police questioned the banks if these ATMs were guarded properly? Whether the CCTVs were functioning? Whether the CCTV footage was being monitored?… We don’t know.

The report goes on to say that thousands of customer data might have been captured and sent out of the country. Had the Police not acted fast, there would have been a catastrophic attack on the Indian Banking system.

What do we all them?… it is called Cyber Terrorism because it strikes terror in the minds of ATM users as a category of our population.

But have the Police booked a case as “Cyber Terrorism”?…. Obviously no.

Police may  look at this case only as an unconfirmed  “Attempt” and since “No Loss” has been reported, it may pass out as a “Petty case of trespass into the ATM area”.

Since the arrests might have been made because the CCTV footage might have caught the suspects, or because the skimmer’s were programmed to send the information to an IP address/Mobile number which was accessed by the accused, the charges that may be pressed may be as some not so serious offences. Also it may not be easy to fix the arrested persons to the satisfaction of the Court to the attempted or successful “unauthorized access” under Section 66 of ITA 2000/8

Since the accused are foreign nationals, going by the way the Italian Marines who were accused of murder in Kerala was handled, these accused will be very soon (if not already) out of jail and moving out of the country.

So, apart from today’s headlines, all the creditable action of the Police may not end up with a lasting deterrence.

Have the Customers filed a case against the Bank for compromising their “Sensitive personal data”? … Again the answer should be a resounding No.

All our Privacy Lawyers are more interested in politically sensitive cases such as when a politician’s  Twitter is hacked  but not when an ordinary Bank customer’s data is compromised because of the negligence of the Bank.

It is of course not practical for an individual Bank customer to file complaints since even when there is some wrongful loss suffered, it is difficult to convince the Police to register an FIR or take up investigation after filing of an FIR. When it is only a loss of “Personal Data”, despite the noise people make on the Supreme Court judgement, there will be no PIL that may be filed … unless this article motivates some public-spirited lawyer in India.

The ITA 2000/8 has made a provision where by when the community interest is adversely affected by a contravention of ITA 2000/8, the Adjudicator of Karnataka can take suo-moto action on behalf of the public.

But, Will the Adjudicator of Karnataka take any action?….. Most probably No

More importantly, the Karnataka Adjudicator (as an office) has to first come out of the false narrative it has built around it that it is not empowered to take up a complaint against a Bank under Section 43 before we can expect it to even consider the suggestion of a suo moto action against banks.

[P.S: Why do I say that the Adjudicator of Karnataka is not interested in coming to the help of the community against a Bank?… and after all, who is the Adjudicator of Karnataka?… I am too tiered of discussing this issue …those interested may search this site for “Adjudicator” and find out.]

In the light of the above, it is now open to senior Police officials like Mr Pratap Reddy, Kishore Chandra and ably assisted by officers like Sharat to take such action which will really leave some long term impact on Cyber Security atleast as it surrounds ATMs.

My brief suggestions in this regard are listed below and is addressed not only to the Police but also to the Banks and RBI.

  1. All ATMs should restrict the entry through a biometric lock which collects anonymous biometric information which remains de-identified until it is investigated under a reported crime.
  2. All ATMs should be locked and released only after a “Face Recognition” is registered.. again as a de-identified information which also remains de-identified until it comes under investigation for a reported crime.
  3. The biometric and face recognition information should be sent to a secure encrypted storage which is not under the control of the Bank..could be under the control of RBI, under  the principles of “Regulated Anonymity” that has been explained serveral times here. The essence of the principle is that the information is held in an encrypted form som where but the decryption and disclosure control  rests not with the collector and user but with a group of controllers. In many of the recent incidents we always have the problem of CCTV footage being erased when the authority responsible for storing the footage itself is a suspect of a crime or negligence.
  4. All ATMs should be under the surveillance of a designated Bank official who gets the feed of the ATM room and watches for any irregularity. When the Face recognition camera fails to capture the image, the ATM should not function at all. When the surveillance camera does not function, it should be the responsibility of the officer to lock the ATM until the camera is restored. Emergencies can be handled through the help line requests that are to be diverted to a senior responsible Bank officer.
  5. All ATMs should be checked physically for Skimmers, Key Loggers, unauthorized PIN hole cameras, Attempt to disengage the CCTVs etc, unexplained power outages etc so that any attempt to fraud can be quickly identified and reported. The officer in charge should file a mandatory security audit report every day ensuring the “Physical Safety of the ATM”.
  6. The current case should be booked under Section 66F of ITA 2008 (Cyber Terrorism) as an attempt to attack a group of Bank customers and thereby destabilize the Indian economy. The arrested persons should be denied bail, passports seized and trial taken up by a special Court for speedy disposal.
  7. The Adjudicator also should move a suomoto action against the Bank and fine them a hefty sum which should be set aside as a “Cyber Security Awareness Creation Fund” and used for educating the customers of Banks on Cyber security.
  8. CERT-IN should move RBI and the Banks to ensure that sufficient investment is set aside to improve the security of ATMs on the lines suggested above or better.
  9. Banks who have not yet acted on the RBI’s limited liability circular should be penalized for deliberate failure to follow regulatory agency’s mandate.
  10. All foreigners coming into Bangalore need to be tracked  for identifying potential fraudsters for which our VISA system should be enforced with greater vigilance.

If the Police and  Banks together try to keep a focus on the Bank customer who is the most affected party in this incident, then this success will not end up as a one day news headline point but some thing that will improve the security of the Banking system in India.

Will it happen?….

…Hope is eternal and we continue to hope that atleast a few of the above security measures would be taken up by the relevant agencies.

Naavi