
Naavi.org

Building a Responsible Cyber Society…Since 1998

How Do We Improve the Cyber Crime Management System in India? Need for a Survey

Posted by Vijayashankar Na on October 21, 2017
Posted in Cyber Law  | 2 Comments

As India takes more and more digital initiatives in E Commerce, E Banking and now Digital Payment mechanisms, there is an increasing fear that Cyber Crimes will continue to grow. In recent times, Cyber Crimes are also being used as a tool of Terrorism and War, and unless we are efficient in managing Cyber Crime it will be difficult to tackle the menace of Cyber Terrorism and Cyber War.

Naavi.org has frequently raised the issue of the need to improve our Cyber Policing system to ensure that Cyber Criminals are caught and punished. Naavi has also been personally involved in training Cyber Crime police since 2000, when the laws first came into existence in India.

At one level we feel that there is a need to “Increase awareness” and “Build Cyber Crime investigation skills” in the Police, and that this will improve the situation. If the recommendations of the T K Vishwanathan Committee report (as leaked) are implemented, ITA 2000/8 will be amended to make it possible for Sub Inspectors to investigate Cyber Crimes. This would mean that many more Police Stations will be involved in Cyber Crime investigations in the coming days, and many more people will need to be trained.

However, Naavi has also pointed out that Cyber Crime Management cannot end with creating “Awareness” and conducting training programs, whether under the banner of Police Academies, Law Colleges or DSCI. Though we can show statistics of such outreach programs indicating that thousands of police officers have a good awareness of Cyber Crimes, the number of successful investigations and prosecutions is still very low. Many of the prosecutions have been sustained because the cases were pursued along with some IPC sections; had they been pursued only under ITA 2000/8, the cases would have failed. The Judiciary has not been kind to the Cyber Police either, with the scrapping of Section 66A.

Cyber Crime victims have therefore been left completely unsatisfied about getting their grievances redressed through legal means. With the Adjudication system unable to take off and the Cyber Appellate Tribunal in eternal closure mode, Civil proceedings are also not moving smoothly. For every dispute there is now a need to move the High Court, and this is not feasible for most of the crimes.

If a survey were therefore conducted among Cyber Crime victims, they would unanimously conclude that there is no effective Cyber Crime Police in India.

Recently, I approached the Mumbai Cyber Crime Cell for a simple e-mail based crime and the Police have been taking ages to respond. The possibility of the Police being unable to conclude the investigation in this case is therefore very high.

As I have indicated in my earlier article, the efficiency of the Cyber Crime Police seems to have deteriorated in current times compared to the days when the undersigned entered Cyber Crime investigation, because intermediaries like Google, Yahoo and ISPs seem to value the rights of criminals or suspected criminals to hide their IDs, which puts several hurdles in the way before the Police can come anywhere near them. All the training and awareness workshops have yielded very little benefit to the common man.

If this situation is not brought under control, a chaotic situation will prevail in the country.

We as a society therefore have to initiate some concrete steps to arrest the deteriorating situation and ensure that our Cyber Crime Police become more efficient.

In this direction, we have discussed many suggestions in the past. But it is now time to gather more scientific information from the field on what is delaying Cyber Crime investigations and frustrating Cyber Crime prosecutions.

It has therefore been felt that we need to conduct an all-India survey to gather reliable information, involving as many stakeholders as possible.

Target Audience 

The public are the final stakeholders and we need to gather their views to understand how they perceive the problem.

But another important part of the target audience is informed professionals in Cyber Crime investigation and prosecution, and the Police themselves.

Many solutions have to come from within the Police.

The leaked TK Vishwanathan Committee report seems to indicate that some amendments to the CrPC would help, and more could be attempted if there is need.

Scope of Survey

The Cyber Crime Management has a wide scope which includes

a) Prevention of Cyber Crimes

b) Reporting of Cyber Crimes

c) Detection of Cyber Crimes

d) Identification of offences as per law

e) Primary identification of the device responsible for the offence, including the IP address, Mobile Number, etc.

f) Identification of the individual behind the device identification

g) Collecting evidence in a proper form admissible in a Court

h) Cooperation with inter-state and international agencies

i) Improving the Legal system for Criminal complaints

j) Improving the Legal system for Civil Claims which includes the Adjudication and Cyber Appellate tribunals

k) Encouraging Alternate Dispute Resolution Mechanisms to aid and assist the formal judicial system

l) Role of Cyber Crime Insurance in mitigating the losses of the public

m) Role of RBI, the Banking Ombudsman, the Zero Liability circular of RBI, CERT-IN, etc.

When I floated the thought of conducting a survey to “Improve the Cyber Crime Investigations in India” in some of the professional groups, the response was overwhelming. Many have come forward to share their thoughts and participate in conducting the survey.

After further discussions, we will finalize how the survey would be conducted.

We can even proceed in stages, with small achievable targets taken up in the beginning.

The first task I would like to focus on is “Improvements in the Cyber Crime Investigation System”. This may include how we identify and record potential crimes quickly, and how quickly we can identify the suspect within the “Golden hour” of the crime. This should be followed by identifying the evidence that needs to be collected and collecting it properly without adversely affecting its validity in a Court of Law.

The expertise and equipment required up to this stage is minimal, and it is not difficult to equip every Police Station with this capability within a short time.

After this stage the case will either turn into a Civil proceeding or continue as a Criminal proceeding, even while the victim pursues civil remedies. Some cases get closed at this stage itself.

If we are able to improve the “Time to Identify the Suspect”, there will be a high level of public satisfaction.

Further delays may still happen in the judicial process, where the need for ADR (check out the concept of the Cyber Dispute Mediation and Arbitration Center, or CDMAC) becomes relevant.

Beyond this, there will still be issues such as a higher level of Forensic capability and international cooperation through treaties. These are issues that need to be tackled later.

If Awareness is the major issue, it should be handled on a war footing. If there are other issues, we need to address them involving the appropriate agencies. If the issue is non-cooperation of intermediaries like Google and Facebook, it may have to be tackled with the involvement of MeitY.

These and other related issues would be part of the survey when the questionnaire is designed.

I have placed some of my initial thoughts here so that we can together develop a scope document which is not too broad and unmanageable.

I invite responses from all concerned persons either through comments here or through email.

Naavi

 

Information Security Headache for PPI Issuers

Posted by Vijayashankar Na on October 21, 2017
Posted in Cyber Law  | No Comments

The Prepaid Payment Instruments (PPI) industry, which consists largely of mobile wallet operators, has raised objections to the recent Master Directions issued by RBI on several counts, such as

a) KYC requirement made more or less mandatory for all Semi Closed and Open system PPIs

b) Phased introduction of interoperability

c) Restriction of peer to peer fund transfer in Semi KYC wallets

Of these, the KYC requirement is essential to prevent fraud and is non-negotiable. Fund transfer for PPIs where KYC has been done provides for transfer “Back to Source” and to the “Own Bank Account”, and hence should not be an issue beyond being a little inconvenient for customers.

Transfer from one PPI to another actually creates a problem in understanding the usage pattern and causes double counting for statistical purposes. If both accounts are KYC enabled, RBI can consider relaxing this provision and managing its statistical problems by tweaking its own systems.

Interoperability is a technology issue and would perhaps introduce some costs. It may require discussion at the technical level, but it is desirable in the long run.

I presume that, more than the above publicly expressed grievances of the PCI (Payments Council of India), what has made them squirm is the reiteration of

a) Security and Fraud Prevention Management Framework

b) Customer Protection and Grievance Redressal Framework

c) Information System Audit

in the Master Directions.

Let’s now look deeper into these provisions as contained in the Master Directions.

a) Security and Fraud Prevention Management Framework

The security measures envisaged in the directions include development of a “Board Approved Information Security Policy”, which should be the starting point. The security measures need to be reviewed on an ongoing basis, at least once a year, after any security incident or breach, and before/after a major change to the infrastructure or procedures.

Apart from the usual security measures such as monitoring invalid login attempts, session time-out, beneficiary creation alerts, cooling period, etc., the direction requires that

“Issuers shall introduce a system where every successive payment transactions in wallet is authenticated by explicit customer consent”

Presently the OTP is used more as a pre-transaction second factor of authentication. Whether this will double up as “Explicit Customer Consent” needs to be discussed.

“Cards (physical or virtual) shall necessarily have Additional Factor of Authentication (AFA) as required for debit cards, except in case of PPIs issued under PPI-MTS.”

Some PPIs at present do not have second factor authentication at the time of the usage transaction, though they may have authentication at the time of loading. This may require some modification of their systems.

“Issuers shall provide customer induced options for fixing a cap on number of transactions and transaction value for different types of transactions / beneficiaries. Customers shall be allowed to change the caps, with additional authentication and validation.”

This is an important requirement that was first suggested by the Damodaran Committee on Customer Service in Banks way back in 2011 and has still not been fully implemented. It is an important risk control measure and should be welcomed. However, it needs supporting safeguards: a cap stored in the account is only as strong as the authentication protecting it, since an attacker who has taken over the account can simply raise the cap before draining the wallet. This is why the direction insists on additional authentication and validation for any change to the caps.

“Issuers shall put in place a mechanism to send alerts when transactions are done using the PPIs. In addition to the debit or credit amount intimation, the alert shall also indicate the balance available / remaining in the PPI after completion of the said transaction”

This “Alert” is also a requirement under the “Zero Liability” Circular of July 6, 2017. Some PPI issuers have not incorporated the “Balance” aspect and need to incorporate it now.

“Issuers shall put in place mechanism for velocity check on the number of transactions effected in a PPI per day / per beneficiary.”

This is an important aspect of “Adaptive Authentication” which many have ignored. It requires, however, a proper system for identifying a risk and responding to it appropriately.
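To show how the three directions quoted above (customer-induced caps changeable only with additional authentication, alerts that carry the remaining balance, and per-day / per-beneficiary velocity checks) fit together in an issuer's transaction path, here is an added Python sketch. It is an illustration written for this article, not the RBI text and not any issuer's code; the velocity thresholds, the default caps, the wallet and beneficiary names and the sample transaction stream are all assumed or constructed for the example.

```python
"""Illustrative PPI transaction controls: customer-set caps, velocity checks and
post-transaction balance alerts.  Added example for this article; not RBI text or
any issuer's code.  Thresholds, names and sample transactions are assumed."""
from dataclasses import dataclass, field
from datetime import datetime

# Issuer-side velocity limits (assumed values).  Breaching them does not reject
# the transaction outright; it escalates to step-up authentication and an alert,
# which is the "adaptive" part of the control.
MAX_TXN_PER_DAY = 10
MAX_TXN_PER_BENEFICIARY_PER_DAY = 3


@dataclass
class Caps:
    """Customer-induced caps per transaction type: (max count per day, max value)."""
    by_type: dict = field(default_factory=lambda: {"p2p": (5, 2000), "merchant": (20, 5000)})


@dataclass
class Wallet:
    ppi_id: str
    balance: int                                  # whole rupees, for brevity
    caps: Caps = field(default_factory=Caps)
    history: list = field(default_factory=list)   # (date, type, beneficiary, amount)
    alerts: list = field(default_factory=list)    # customer / internal alerts emitted

    def set_cap(self, txn_type, max_count, max_value, step_up_verified):
        """Caps may only change after additional authentication (per the direction)."""
        if not step_up_verified:
            raise PermissionError("cap change requires additional authentication")
        self.caps.by_type[txn_type] = (max_count, max_value)

    def _today(self, day):
        return [h for h in self.history if h[0] == day]

    def authorize(self, when, txn_type, beneficiary, amount):
        """Return (decision, reason); decision is ALLOW, STEP_UP or BLOCK."""
        day = when.date()
        # Unknown transaction types get a zero cap and are therefore refused.
        max_count, max_value = self.caps.by_type.get(txn_type, (0, 0))
        today = self._today(day)
        type_count = sum(1 for h in today if h[1] == txn_type)
        # 1. Customer-set caps are hard limits the customer chose: block, never bypass.
        if amount > max_value:
            return "BLOCK", f"amount {amount} exceeds customer cap {max_value} for {txn_type}"
        if type_count >= max_count:
            return "BLOCK", f"daily count cap {max_count} reached for {txn_type}"
        if amount > self.balance:
            return "BLOCK", "insufficient balance"
        # 2. Issuer velocity checks per PPI per day and per beneficiary per day:
        #    suspicious, so demand step-up authentication rather than silently allow.
        per_benef = sum(1 for h in today if h[2] == beneficiary)
        if len(today) >= MAX_TXN_PER_DAY or per_benef >= MAX_TXN_PER_BENEFICIARY_PER_DAY:
            return "STEP_UP", f"velocity: {len(today)} txns today, {per_benef} to {beneficiary}"
        return "ALLOW", "within caps and velocity limits"

    def debit(self, when, txn_type, beneficiary, amount, step_up_verified=False):
        """Apply the decision; returns True if the debit went through."""
        decision, reason = self.authorize(when, txn_type, beneficiary, amount)
        if decision == "BLOCK" or (decision == "STEP_UP" and not step_up_verified):
            self.alerts.append(f"{decision}: {reason}")   # escalation on suspicious operation
            return False
        self.balance -= amount
        self.history.append((when.date(), txn_type, beneficiary, amount))
        # 3. The alert carries the debit amount AND the remaining balance, as required.
        self.alerts.append(f"DEBIT Rs.{amount} to {beneficiary}; balance Rs.{self.balance}")
        return True


def run_sample():
    """Constructed transaction stream for one wallet (illustrative data only)."""
    w = Wallet("PPI-0001", balance=10000)
    t = datetime(2017, 10, 21, 10, 0)
    outcomes = [
        w.debit(t, "p2p", "B1", 500),    # allowed
        w.debit(t, "p2p", "B2", 2500),   # blocked: above the customer's value cap of 2000
        w.debit(t, "p2p", "B1", 100),    # allowed (2nd to B1 today)
        w.debit(t, "p2p", "B1", 100),    # allowed (3rd to B1 today)
        w.debit(t, "p2p", "B1", 100),    # 3 already to B1 today: step-up required, refused
        w.debit(t, "p2p", "B1", 100, step_up_verified=True),  # allowed after step-up
    ]
    try:
        w.set_cap("p2p", 5, 50, step_up_verified=False)
        cap_change_refused = False
    except PermissionError:
        cap_change_refused = True
    w.set_cap("p2p", 5, 50, step_up_verified=True)   # customer lowers the cap, authenticated
    outcomes.append(w.debit(t, "p2p", "B3", 100))     # blocked by the new, lower cap
    return {"outcomes": outcomes, "balance": w.balance,
            "alerts": w.alerts, "cap_change_refused": cap_change_refused}


if __name__ == "__main__":
    for line in run_sample()["alerts"]:
        print(line)
```

The point the sketch makes is that the caps, the counters and the decision all live on the issuer's side of the transaction; the app only submits a request. A cap that is enforced or stored in the mobile app is no control at all, since an attacker who has the device or the session can rewrite it, which is the weakness noted above. The "per day" window here is the calendar date of the request (an assumption); a real issuer would define it in terms of its business day and the customer's time zone.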

“Issuers shall also put in place suitable mechanism to prevent, detect and restrict occurrence of fraudulent transactions including loading / reloading funds into the PPI.”

This is an open-ended requirement that calls for a proper risk assessment covering the threats and vulnerabilities in the environment. Its adequacy should be judged against the IS policy.

“Issuers shall put in place suitable internal and external escalation mechanisms in case of suspicious operations, besides alerting the customer in case of such transactions.”

This needs to be addressed through the Grievance Redressal Mechanism, which was also part of the Section 79 (ITA 2008) intermediary due-diligence requirement that many of these PPI issuers did not recognize or implement. Now they cannot ignore it.

“PPI issuers shall establish a mechanism for monitoring, handling and follow-up of cyber security incidents and cyber security breaches. The same shall be reported immediately to DPSS, RBI, Central Office, Mumbai. It shall also be reported to CERT-IN as per the details notified by CERT-IN.”

This is the most annoying requirement as far as the PPI issuers are concerned, but it is the only control that will ensure that PPI issuers take the directions seriously. It will also retain the hold of CERT-IN on PPI issuers as envisaged in ITA 2008.

b) Customer Protection and Grievance Redressal Framework

The directions are supported by a stringent Customer Protection and Grievance Redressal Framework.

The framework includes “Disclosure” of important terms and conditions, creating awareness on secure use of PPIs, and conformity with RBI’s “Zero Liability” Circular.

It is interesting to note that the directions indicate that “In case of PPIs issued by banks, customers shall have recourse to the Banking Ombudsman Scheme for grievance redressal.”

Otherwise the grievance redressal framework needs to include:

a formal, publicly disclosed customer grievance redressal framework, including designating a nodal officer to handle the customer complaints / grievances, the escalation matrix and turn-around-times for complaint resolution. The complaint facility, if made available on website / mobile, shall be clearly and easily accessible. The framework shall include, at the minimum, the following:

a) PPI issuers shall disseminate the information of their customer protection and grievance redressal policy in simple language (preferably in English, Hindi and the local language).
b) PPI issuers shall clearly indicate the customer care contact details, including details of nodal officials for grievance redressal (telephone numbers, email address, postal address, etc.) on website, mobile wallet apps, and cards.
c) PPI agents shall display proper signage of the PPI Issuer and the customer care contact details as at (b) above.
d) PPI issuers shall provide specific complaint numbers for the complaints lodged along with the facility to track the status of the complaint by the customer.
e) PPI issuers shall initiate action to resolve any customer complaint / grievance expeditiously, preferably within 48 hours and resolve the same not later than 30 days from the date of receipt of such complaint / grievance.
f) PPI Issuers shall display the detailed list of their authorized / designated agents (name, agent ID, address, contact details, etc.) on the website / mobile app.

These are areas in which a lot of action is still required from many mobile wallet operators.

c) Information System Audit

The Master Directions also include detailed guidelines on the Information System Audit requirements for PPI issuers.

The directions make reference to the “Cyber Security Framework”, a comprehensive guideline which even the best of Banks are struggling to meet. PPI issuers whose business rests on Mobile Apps will find meeting these guidelines challenging.

The audits need to be conducted by CERT-IN empanelled auditors within two months of the close of the issuer’s financial year, and the reports submitted to RBI.

In particular, the master directions indicate that

All PPI issuers shall, at the minimum, put in place following framework:

a) Application Life Cycle Security: The source code audits shall be conducted by professionally competent personnel / service providers or have assurance from application providers / OEMs that the application is free from embedded malicious / fraudulent code.

b) Security Operations Centre (SOC): Integration of system level (server), application level logs of mobile applications (PPIs) with SOC for centralised and co-ordinated monitoring and management of security related incidents.

c) Anti-Phishing: PPI issuers shall subscribe to anti-phishing / anti-rogue app services from external service providers for identifying and taking down phishing websites / rogue applications in the wake of the increase of rogue mobile apps / phishing attacks.

d) Risk-based Transaction Monitoring: Risk-based transaction monitoring or surveillance process shall be implemented as part of fraud risk management system.

e) Vendor Risk Management:

(i) PPI issuer shall enter into an agreement with the service provider that amongst others provides for right of audit / inspection by the regulators of the country;

(ii) RBI shall have access to all information resources (online / in person) that are consumed by PPI provider, to be made accessible to RBI officials when sought, though the infrastructure / enabling resources may not physically be located in the premises of PPI provider;

(iii) PPI issuers shall adhere to the relevant legal and regulatory requirements relating to geographical location of infrastructure and movement of data out of borders;

(iv) PPI issuer shall review the security processes and controls being followed by service providers regularly;

(v) Service agreements of PPI issuers with provider shall include a security clause on disclosing the security breaches if any happening specific to issuer’s ICT infrastructure or process including not limited to software, application and data as part of Security incident Management standards, etc.

f) Disaster Recovery: PPI issuer shall consider having DR facility to achieve the Recovery Time Objective (RTO) / Recovery Point Objective (RPO) for the PPI system to recover rapidly from cyber-attacks / other incidents and safely resume critical operations aligned with RTO while ensuring security of processes and data is protected.

Obviously these are matters for which non-banking PPI issuers may not be prepared. They will also involve expenditure and management attention.

I suppose that these are the issues that are making PCI uncomfortable.

However, we welcome the stringent regulations which are in the interest of the general public. If only they had specified a mandatory Cyber Insurance aspect, it would have been even better.

Anyway let us now watch and observe how these guidelines are implemented by the industry and how RBI will enforce them.

Interesting days are ahead for Cyber Security professionals.

Naavi

Earlier Articles:

New RBI Norms for Prepaid Instruments make Digital payment Companies squirm

The PPI Ecosystem and the Power of the industry to lobby

Understanding the types of Prepaid Instruments under Payment and Settlements Act