

Building a Responsible Cyber Society…Since 1998

P.S: At the request of some of my friends, I have elaborated here the concept of Ze-Mo coupons I referred to in my previous article as a possible solution to the post-demonetization measure where there is a shortage of currency in the market. This solution was part of the patent applied solution titled “Digital Value Imprinted Instrument System” applied in 2003 and subsequently not pursued for various reasons. Presently the copyright is still with Naavi. However in the interest of the needs of the country at this point of time, I am publishing this solution with the hope that it can be exploited by either the Government owned Banks or any FinTech Company. There are a few more security aspects that can be incorporated in the solution beyond what is presented here to make the solution more robust….. Naavi

I present here a solution to the post-demonetization problem that we are facing in India today, where there is a serious shortage of currency notes. It is stated that the printing capacity of RBI indicates that it will take some more time for the withdrawn notes to be replaced fully.

The solution presented here is an adaptation of Naavi’s “Digital Value Imprinted Instrument System” (DVIIS) as a “Digi-Real Currency”, which will look as under. (It may be printed on the security paper used in cheques.)

This will be a form of hybrid instrument which uses the “Brick and Click” technology. It is a digital currency with a physical existence. People can hold it, feel it and hand it over to another person as they do now using a currency note.

However, there is no monetary value written on the instrument. The monetary value can be found by checking the serial number either on a website or on a mobile app. Persons with a QR code reader or bar code reader can use them with or without the app.

The basic instrument is issued by a Bank in the form of books with “Zero Value” on the instrument.

The holder can then use the App/website, enter the serial number and load an amount on the instrument, such as Rs 50, Rs 100, Rs 500 or Rs 2000, or for that matter any other amount, by transferring the value from his account to the Digi-Real cheque. In this aspect it will be similar to a “pre-paid card”, but the difference is that the Digi-Real coupon is actually handed over to the person to whom the holder wants to pay some money, and the receiver has the psychological satisfaction of holding the instrument with monetary value embedded inside.

Compared to the completely digital system that the “Mobile Wallets” etc. represent, this Digi-Real Currency is like filling up the missing link between the purely physical instrument-based currency system as we use today and the proposed digital payment system. Ideally this should have come first, before the introduction of the pure digital systems, but currently we have moved ahead by leaping across. Those who do not have the strength to leap fully are the people who will benefit from this intermediary solution, which enables transformation in easy-to-digest steps.

This system is different from the Sodexo type of coupons where the value is printed on the instrument because it is easy to duplicate. By not indicating the value on the instrument, the acceptor is forced to “Verify” the value. If he so desires, he can note the value as read by him on the back of the instrument where there will be space for keeping notes.

Verification of value can be done by several alternative means: entering the number into an SMS, reading a QR code or reading a bar code. Even an IVR system can be configured for the purpose.

It is also different from any instruments issued by the Banks today against payment, since with instruments such as DDs, Certified Cheques or Cash Cards the customer has to first block his funds to get the pre-paid instruments, whereas with this instrument he can keep the blank instruments with him, use them for any denomination and commit his funds only at the time of use.

The holder will be given the option to

a) Extinguish the instrument by transferring the money to any bank account through the App

b) Hand over the instrument to another person without himself encashing it

c) Disable further transfer permanently or temporarily by locking the instrument (preventing theft)

The current printing capacity for cheques by Banks should be sufficient to print the required number of these instruments, which will be about half or one fourth the size of a current account cheque book. This will reduce the cost of paper used. Also, part of the back of the instrument can be used for advertisement to subsidize the cost.

It can be supplied to the customers and delivered at their homes so that they need not queue up at the Banks. Each book can be used in any denomination of currency so that the shortage of one or other denomination does not arise. Eventually this instrument can enable the “Cashless Society” that we are dreaming of.

The system will prevent hoarding of this currency by putting an expiry date on the instrument after which it can only be transferred to the Bank account and extinguished. The instrument will therefore be in circulation all the time.

The system has many hidden security features, not all of which I have discussed here. It will be more tamper-proof than currency, except for the need for people to understand the use of the App. In this respect it is not different from the Mobile Wallets, USSD codes or UPI apps. But it should be easier to understand and use than these apps. The only necessary operation that an ordinary man on the street needs to know is “How to Verify the value”. The other aspect is transferring the value to his account, for which he can use the assistance of other knowledgeable persons if required, or the Bank itself, where he can deposit the instruments like any other cheque.

The only risk that will remain will be “Hacking of the server” in which the value of the instrument is maintained. But if we today trust the Banks for our money in their core banking software, we should trust them also for this database of Digi-Real currency. The need for strengthening the security in this system, as well as the need for protective measures such as Cyber Insurance etc., will continue.

The possibility of a “Denial of Access” is also a risk that frustrates the system. This has to be tackled by a proper distributed system of authentication that can be configured by the Banks. The load on the system is of course not high, since compared to the current transaction authentication related system load, the query authentication involved in this instrument puts a lower load on the systems and bandwidth. The “Query” received would be to validate a given number of the instrument and return the value recorded against it. There is no need to authenticate the transferor and transferee or to initiate a transfer instruction from one bank account to another.
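The lifecycle described above (blank issue, load, verify, lock, expiry, extinguish), sketched as a bank-side registry. This is an added illustration, not part of the original DVIIS design: the class and method names, the `ZM-0001` serial format, and the rule that only the account a leaf was issued to may load or lock it are assumptions, and proof of physical possession at deposit is taken as checked by the caller.

```python
from dataclasses import dataclass
from datetime import date


class InstrumentError(Exception):
    """Operation not permitted in the instrument's current state."""


@dataclass
class Instrument:
    serial: str
    issued_to: str            # account that received the blank book (assumption)
    expires: date             # after this date the leaf can only be extinguished
    value: int = 0            # rupees; leaves are issued with zero value
    locked: bool = False
    extinguished: bool = False


class Registry:
    """Bank-side record of the value held against each serial number."""

    def __init__(self):
        self.balances = {}      # account id -> rupees
        self.instruments = {}   # serial -> Instrument

    def issue_blank(self, serial, account, expires):
        if serial in self.instruments:
            raise InstrumentError("serial already issued")
        self.instruments[serial] = Instrument(serial, account, expires)

    def _live(self, serial):
        inst = self.instruments.get(serial)
        if inst is None or inst.extinguished:
            raise InstrumentError("unknown or extinguished serial")
        return inst

    def load(self, serial, account, amount, today):
        """Move funds from the holder's account onto a blank leaf."""
        inst = self._live(serial)
        if account != inst.issued_to:
            raise InstrumentError("leaf was not issued to this account")
        if inst.value != 0:
            raise InstrumentError("leaf already carries value")
        if today > inst.expires:
            raise InstrumentError("leaf has expired")
        if amount <= 0 or self.balances.get(account, 0) < amount:
            raise InstrumentError("invalid amount or insufficient funds")
        self.balances[account] -= amount
        inst.value = amount

    def verify(self, serial, today):
        """Read-only query an acceptor runs; it authenticates nobody."""
        inst = self.instruments.get(serial)
        if inst is None or inst.extinguished:
            return {"valid": False, "value": 0, "transferable": False}
        ok = inst.value > 0 and not inst.locked and today <= inst.expires
        return {"valid": True, "value": inst.value, "transferable": ok}

    def set_lock(self, serial, account, locked):
        inst = self._live(serial)
        if account != inst.issued_to:
            raise InstrumentError("only the loading account may lock")
        inst.locked = locked

    def extinguish(self, serial, to_account):
        """Credit the value to a bank account and retire the serial."""
        inst = self._live(serial)
        if inst.locked:
            raise InstrumentError("leaf is locked")
        if inst.value == 0:
            raise InstrumentError("leaf carries no value")
        amount, inst.value, inst.extinguished = inst.value, 0, True
        self.balances[to_account] = self.balances.get(to_account, 0) + amount
        return amount


def demo():
    """Walk one constructed leaf through load, verify, expiry and deposit."""
    reg = Registry()
    reg.balances["ACC-A"] = 1000
    reg.issue_blank("ZM-0001", "ACC-A", date(2017, 3, 31))
    reg.load("ZM-0001", "ACC-A", 500, date(2016, 12, 1))
    before = reg.verify("ZM-0001", date(2016, 12, 2))
    expired = reg.verify("ZM-0001", date(2017, 4, 1))
    paid = reg.extinguish("ZM-0001", "ACC-B")   # still allowed after expiry
    after = reg.verify("ZM-0001", date(2017, 4, 2))
    return before, expired, paid, after, reg.balances
```

Because `extinguish` retires the serial, a photocopied leaf presented a second time fails verification, which is the property that makes the acceptor's lookup meaningful.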

I am presenting this commercially valuable suggestion here so that the Government/NPCI/Banks can make use of it if it desires.

If any FinTech company intends to develop this product, I will be able to assist them in developing the solution with appropriate modifications as may be required.


(Comments are welcome)


Some time back, there was a lot of discussion in India about a video from JNU in which it was alleged that anti-India slogans were raised. There were two versions of the video: one in which there were clear indications that Mr Kanhaiya Kumar was involved in anti-India sloganeering, and another in which he was present but perhaps not participating in the sloganeering. Similarly, there were also two versions of static pictures of the event: one accusing the organizers of putting up anti-India posters and another in which it was not.

Apart from the political discussions, it was a matter of interest for Cyber Forensic people also how a video or a picture can be doctored and how, sometimes, no evidence can be accepted without a discerning evaluation. It is extremely important for everyone to understand that modifying a digital image or video is eminently possible and is often used to create fake pictures circulated in the social media. Sometimes, in the heat of a charged atmosphere, such doctored pictures get circulated and re-circulated in WhatsApp groups and Facebook posts of innocent persons, leading to innocent persons being hauled up by law enforcement people. The issue of the arrest of more than 50 persons in Tamil Nadu for allegedly trying to spread false rumours on Facebook about the health of Jayalalitha is a case in point in our recent memory.

In the ongoing US elections, where there is a bitter battle between Mrs Hillary Clinton and Mr Donald J Trump, there is a virtual social media war going on in YouTube. As the mainstream media is supposed to be very much in favour of Mrs Hillary Clinton, the Donald Trump camp is more dependent on the social media for its own campaign. The Trump camp is extensively using YouTube for its campaign, while Twitter and Facebook are supposed to have been favouring Hillary. It is alleged that Twitter and Facebook are not showing pro-Trump discussions in the “Trending Category”.

Even YouTube was accused of blocking the “Streaming Facilities” provided to one of the Trump sympathizers, though there are many other YouTube videos that talk about WikiLeaks and Hillary Clinton’s misdeeds. There are also plenty of videos on other associates of Hillary, including President Obama, Michelle Obama, Huma Abedin, her husband Anthony Weiner and so on. All these videos have their own positive and negative influence on the electorate, and therefore it is essential that the voters are able to tell the truthful videos from the fake videos.

It is necessary for us in India to learn from what is happening here, because the same strategies that are used to produce fake videos may also be used in India when it is election time here, and the Indian Election Commission needs to take up “Cyber Forensic Training” to understand how Cyber Space can be misused.

One of the recent videos that attracted my attention was the one where a Cyber Forensic aspect became apparent. We normally know that a digital image is modified by using “Photoshop” editing software which has many features which try to create morphed pictures. But when it comes to manipulating the video, it is slightly different.

In the JNU video case, it was suspected that the audio stream and the video stream were bifurcated in the video editing software and an alternate audio stream was superimposed on the video stream to create a false video. When you have two video files with the same video stream but a different audio stream, it is not easy to find out which is the original and which is the fake.

Police will find it extremely difficult to find the difference particularly when they are building up a prima facie case which leads to an intense media trial in which some Scoot and Shoot politicians specialize.

In the US Elections, there is one debate going on about the health condition of Ms Hillary Clinton. One observation is that the injury that she suffered several years back to her skull might have created a blood clot near her right ear which sometimes causes her to go into a “Seizure”-like condition for a few moments, when she is unable to control her eyeball movements. Some say that this is an early symptom of Alzheimer’s disease that makes her physical fitness to be the US President suspect.

Recently, there was one YouTube video in which, when Hillary faced a barrage of questions simultaneously from a few reporters around her, she suddenly seemed to go into a fit. We all know that people who suffer from epilepsy go into a seizure when they are exposed to strobing light or even flash bulbs. It appears that Hillary may be suffering from a similar “Audio Strobing trigger for Seizure”, and when a simultaneous volley of questions is hurled at her, her mind cannot process the multiple voices simultaneously and goes into a state of confusion.

While I am not a medical expert and leave the speculation about such a possibility to experts in the medical field, I would like to point to one of the videos which was recently published on YouTube, which is given here below for reference and is relevant for Cyber Forensics.

What this video says is that in one of the live interviews that was shot by the NBC channel, Ms Hillary Clinton appeared to go into a seizure, and the channel tried to edit the video so as not to present an embarrassing video to the public. But it is said that they did not do the editing properly, and hence the doctoring of the video is evident on close observation.

In many Crime thrillers, we have seen a CCTV video hacking method where a small footage is recorded and made to play over and over again to hide the real streaming image. This works very well to cheat surveillance cameras normally used in perimeter security of an important physical asset.

As per the discussions available with the above video, it appears that the Channel might have used a different technique, using a substitute frame as a “Chroma Key” to morph a few frames of the video in which Hillary might have lost control of her eyeballs. The Chroma key is a video frame which is superimposed on another video layer so as to provide an indistinguishable frame-over-frame effect, as if something is happening in the background. If you see a news reporter reading a report while his background shows a live video of a mountain stream, you know how Chroma key works. It is a common video mixing strategy used by all TV channels.

What is special in the above video is that the chroma key is simply one of the earlier frames of the same video. I find this an interesting morphing technique, which we as Forensic analysts need to take note of so that we are not fooled by such videos if we come across them. I want the law enforcement people to specially analyze this technique and how to find such edits quickly, to check possible misuse of social media through doctored videos.

I invite forensic specialists to comment on this video and the strategy discussed with an idea of how law enforcement can detect such doctored videos.

Needless to say that producing and publishing such videos would be an offence under ITA 2008 and channels will be liable for criminal prosecution either directly or as an “Intermediary who did not practice due diligence”.
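One way to triage a clip for the edit described above, where part of a frame is replaced with the same region of an earlier frame of the same video. This is an added example, not taken from the video discussed or from any forensic tool; the function names, tile size, tolerance and the constructed grayscale clip are all assumptions.

```python
def tile_diff(a, b, r0, c0, size):
    """Mean absolute pixel difference between two frames inside one tile."""
    total = 0
    for r in range(r0, r0 + size):
        for c in range(c0, c0 + size):
            total += abs(a[r][c] - b[r][c])
    return total / (size * size)


def find_reused_tiles(frames, tile=4, tol=1.0, min_gap=2):
    """Return (frame, source_frame, [tile origins]) for suspected re-use.

    A tile is reported when it matches the same tile of a frame at least
    `min_gap` frames earlier to within `tol`, although that tile changed in
    between. Static background never changes in between, so it is ignored.
    """
    h, w = len(frames[0]), len(frames[0][0])
    tiles = [(r, c)
             for r in range(0, h - tile + 1, tile)
             for c in range(0, w - tile + 1, tile)]
    findings = []
    for i in range(min_gap, len(frames)):
        for j in range(0, i - min_gap + 1):
            reused = []
            for r0, c0 in tiles:
                same_as_old = tile_diff(frames[i], frames[j], r0, c0, tile) <= tol
                changed_between = any(
                    tile_diff(frames[k], frames[j], r0, c0, tile) > tol
                    for k in range(j + 1, i)
                )
                if same_as_old and changed_between:
                    reused.append((r0, c0))
            if reused:
                findings.append((i, j, reused))
    return findings


def make_clip(n=8, h=8, w=12, splice=None):
    """Constructed test clip: static background, one tile that changes every frame.

    `splice` maps destination frame -> source frame; the moving tile of the
    destination is overwritten with the source's, plus a 0/1 jitter standing
    in for re-encoding.
    """
    frames = []
    for i in range(n):
        frame = [[50] * w for _ in range(h)]
        for r in range(4, 8):
            for c in range(4, 8):
                frame[r][c] = 100 + 10 * i      # the "subject" region
        frames.append(frame)
    for dst, src in (splice or {}).items():
        for r in range(4, 8):
            for c in range(4, 8):
                frames[dst][r][c] = frames[src][r][c] + (r + c) % 2
    return frames


if __name__ == "__main__":
    doctored = make_clip(splice={5: 1, 6: 1})
    for frame_no, source_no, where in find_reused_tiles(doctored):
        print(f"frame {frame_no}: tiles {where} match frame {source_no}")
```

Genuinely periodic motion can also return a region to an earlier state, so hits are candidates for frame-by-frame review rather than proof of editing.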



The mystery land of Cyber Insurance-2: What is Cyber Insurance?

Posted by Vijayashankar Na on June 10, 2016
Posted in Cyber Crime, ITA 2008 | 3 Comments

Naavi, along with some of his friends, embarked upon a Cyber Insurance Status study in India titled “India Cyber Insurance Survey 2015”. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community….Naavi

When the exploration of the Cyber Insurance land was contemplated, it was known that knowledge about the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low. It was no surprise to find that the penetration of Cyber Insurance in India was low. Some of the reasons for such a status despite the growing Cyber Crime threats are analysed here.

Penetration Levels:

Let us analyze one set of the responses which indicated as under:

92% of the respondents who represented different IT user entities had no experience of taking Cyber Insurance.

54% of the respondents stated that they are unlikely to consider in the near future.

90% said that they will consider only if they suffer any loss in a cyber attack.

74% said that they will consider only if they have an attack on themselves.

72% said that they may consider if a suitable product at a right price is available and 80% said that they will consider if there is a mandate. 

The respondents were all senior professionals from IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in near future was very disappointing.

The fact that 90% said that they will consider only if they suffer a loss indicated the dreaded syndrome of “Closing the stable doors after the horses have bolted”.

I can categorically state that many of the organizations may either not survive after their first attack or may get so badly battered that their survival after the attack would be an unending struggle. None of us know what destiny has in store for us. But for us to take the Cyber Risks so lightly is nothing short of recklessness and readiness to commit harakiri.

I therefore strongly advocate entrepreneurs of all kinds to shed their complacence and take a look at the need for Cyber Insurance.

I also want to highlight here that the need for Cyber Insurance is more for the entrepreneurs than the Cyber Security professionals since the business risk lies mostly with the entrepreneurs and their investors. If a company faces a fatal attack, the Cyber Security professionals will easily walk out and settle in another company enriched with their experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, loss of his dream project may be the end of the world.

Hence it is the Company promoters, Directors and Investors and Business Managers, who need to watch out for what I am set to say on Cyber Insurance through these columns.

Cyber Insurance is part of Cyber Security Management

Cyber Security professionals who understand that Cyber Security management consists of the four strategies of “Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption”, and that “Risk Transfer” is achieved through Cyber Insurance, also need to watch out. After all, they are senior professionals today and many of them will be owners of businesses in the Start Up revolution that is sweeping our country.

The first reason why a responsible professional is not keen on Cyber Insurance, is that there is less than needed understanding of what is “Cyber Insurance”. Let us therefore try to address this issue first.

Two Components of Cyber Insurance

Cyber Insurance has two major components. One is insuring self damage where losses suffered by the insured is covered by the insurer. The second is that when a Cyber incident occurs, the insured may suffer a liability to pay damage to an outsider. Cyber insurance also covers this as “Liability insurance”.

It is easy to understand this concept by looking at the similarities or otherwise with Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle gets compensation to pay for the repair of the vehicle. At the same time, under the Motor Vehicles Act, if he is liable to pay damages to third parties, that is also covered.

Cyber Insurance is also like Motor Insurance and has the two components of “Own Damage” and “Third Party Liability”.

The “Cyber Incident” may happen due to many reasons. For example, it can happen due to internal technical issues, including physical issues such as electrical outage, flood, fire etc. It can also happen due to a fault in the hardware or software. It can happen due to human failure such as negligence of employees. It can also happen due to malicious intentions of humans, including insiders and unknown attackers from the wild. Among such attacks there are also those categorized as “Zero Day Attacks”, which essentially means that until such an attack is revealed, even the manufacturer of the software/hardware does not know that a certain Zero day vulnerability exists in the system which he has in good faith sold to the IT user who is today facing a liability situation.

Asset Valuation Issues

A quick glance at the various reasons that can cause a loss which may come under the umbrella of a Cyber Insurance indicates why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.

For example, for insuring “Own Damage” one needs to value the Cyber Assets. While it is easy to value the hardware and purchased software, for which there is a cost and a depreciation, the value of internal software development needs to be arrived at on an assessment. Also a huge part of the cyber assets is in the form of “Data” which is acquired at a cost. The resident data should therefore be valued.

Now check back with your CFOs if there is a proper valuation of the cyber assets reflected in the balance sheets and whether your current asset valuation policies for the purpose of P&L is well suited for claiming insurance.

Most companies have a system of writing off all software purchases as “Expenses” though its beneficial use is spread over several years. Hence many soft assets continue to be used much after they find no mention in the balance sheets. As regards the hardware, it is often the practice to retain a nominal value of Rs 1 in the balance sheet even after the value is depreciated for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost so that no asset remains outside the radar. When a cyber event occurs and the company has to regroup, what is relevant is “Replacement Cost” of the asset and not the depreciated value represented in the balance sheet.

Of course it would be convenient for the insurance company if the insured is stating that what he has lost is of “Zero Value” on the books while it costs a bomb to replace. Insurance company may simply value the assets at book value and deny any compensation.

There is therefore the first hurdle of “Asset identification and Valuation” for the purpose of “Cyber Insurance” on which the industry has to reach a convergence.  Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to think if their asset valuation system needs to be reconsidered.

I would urge the Institute to consider valuation of IT assets on “Replacement Cost”.  Depreciation may be considered as first tier, second tier and third tier. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation could be the conservative approach where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.

If accountants follow this system of representing the asset value, then analysts can pick up either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating the compensation while share holders and SEBI may look at the lower asset value as a conservative estimation of profits.

Where software assets are developed within the company, there needs to be a valuation process which is today mostly absent. Only service companies who bill their services to their clients have a good system of evaluating their operational costs. Others ignore the internal development cost which gets debited to the P&L as an expense. There  is a need for maintenance of employee work record and assigning them to valuation of Work in Progress and later to the completed service. If this can be done, there would be a greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant who can develop a system of valuing the service component which can be rightly priced for business purposes while at the same time providing the asset value for the insurance purpose.

Last item of asset is the “Data”. While the company can value “Data” on the basis of its acquisition cost, during a cyber incident leading to a liability  and insurance claim, what is relevant is not the asset acquisition cost but the loss which the victim has suffered and has claimed from the Company under the legal rights given to him under law.

Dependency on Compliance

This “Liability” estimation depends on the “Legal Compliance” status of the company such as “Reasonable Security Practice” and “Due Diligence” under ITA 2008 and also the Privacy Rights granted under the constitution or other laws.  Additionally the efficiency of our legal system where victims are aware of their rights and make adequate claim also will influence the losses which the company suffers and expects to be covered by the insurance policy.

Just as Liability insurance has a dependency on ITA 2008 compliance of the insured, the estimation of replacement value of soft assets has a dependency on the DRP and BCP status of the company. If a Company has an excellent DR and lost assets can be recovered in full without much cost, the replacement cost as well as the insurance liability will be reduced.

It is for this reason, that the survey has discussed in greater detail the Compliance status responses to which will be discussed in subsequent articles.

Declared Value of Assets

Practically, when an Insurance contract is written, the insured and the insurer have to identify the value of assets since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form which will include the value of the assets to be insured. The insurer looks at the value and determines the premium.

Now it is possible that if the insured and the insurer are not on the same level of understanding, the contract may be vitiated by declarations made by the proposer, which always works to the advantage of the insurer.

The insurance contract is considered an “Uberrimae Fidei” contract or a “Contract of utmost faith”, and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspects which he did not declare at the time of insurance.

The easily understandable example is when we take health insurance and fail to disclose pre-existing diseases. While the insurer can accept the proposal and charge a premium based on the declaration, if a claim arises, the insurance company goes into an investigation mode and finds out that there was a pre-existing condition of the insured which would have altered the premium and risk, and since it was not disclosed, the entire contract is declared invalid and the claim denied.

A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other IS related issues. “Hiding Truth” is therefore not a good strategy at the time of insurance, and this is a challenge for professionals since they might have hidden the truth even from their own management in the past. Hence a strong “Security Incident Management” policy and implementation is essential to write a robust insurance contract.

Another factor which insurers should remember is that in the event the valuation of assets at the time of insurance is lower than at the time of the insurance claim (when a re-assessment is made as a general practice), it may be considered as an event of “Under insurance”, and the insurance company may decline to pay the full loss, considering the shortfall as “Self Insurance”.

Hence it is important for the insured and insurer to agree upon a proper valuation system so that there will be no claim of “Under Insurance” or even “Over valuation” though there may be a natural appreciation or depreciation of the value for different reasons.

Need for Well Structured Policies

These complications are one of the reasons why perhaps 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at suitable price is available.

This also indicates what an insurance company needs to do now that it knows that 92% of the respondents are their potential customers who may consider such products.

If all the complications of asset valuation etc cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with certain sub limits for different types of losses. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.

(……Discussions To continue)


Earlier Article in the series:

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”


Recently two bank fraud incidents have been reported, one from State Bank of Mysore in Karnataka and another from Bank of Baroda in Lucknow, where security specialists have suspected hacking of the Bank’s servers without any compromise of information at the POS or the customer side.


Hindu and Hindu Business Line on SBM fraud

TOI on BOB fraud : P.S: Though this was a case of hacking into dormant accounts by an insider, there is a failure of information security even in this fraud.

nyooz.com on BOB

In the background of these frauds, one can read the article from Kaspersky published a few months back titled “Dozens of banks lose millions to cybercriminals attacks” and “APT-Style bank robberies on the increase”.

This article states that Kaspersky, which exposed a sophisticated bank fraud gang by the name Carbanak last year, has now identified threats from two more gangs by the names Metel (or Corkow) and GCMAN. It also said that Carbanak has re-emerged with new targets. Some of these attacks indicate spear phishing attacks on the Bank employees.

It appears that the recent attacks in India may indicate the activity similar to what has been reported here.

One of the strategies reportedly used is to first gain access to one of the users’ computers and plant a trojan. The trojan may crash some application such as Microsoft Word, and it is expected that the admin will be called to set things right. When the admin logs into the victim’s computer with his password, his credentials are captured by the attackers. Using these, the attackers slowly get into other systems until they are able to compromise the fund transfer systems, leading to further frauds.

What we have seen in SBM now, with small amounts being transferred, may be only a testing of the fraud, and we may soon see a major break in SBM which may shake the Bank and put its customers into great pain. Maybe a similar threat exists in other banks also.

The recent failure of basic information security principles in an otherwise reputed company like TCS leading to a Rs 6000 crore damage on the Bank is an indication that most of the companies (including the Banks) have very weak security culture.

Additionally the opening of Unified Payment Interface opens up the mobile network to one part of the Banking servers which can be used by hackers to worm their way up the network into the core banking servers and launch a major attack to bring down a bank.

Knowing the attitude of Banks and RBI, nothing constructive is expected to be done to prevent such attacks and hence it would not be long when this prognosis may sadly come true.

I would therefore advise Bank customers to manage their risks by ensuring that they spread out their bank balances into multiple Banks and ensure that all the eggs are not in a single basket. Better still, spread it across smaller banks including cooperative banks without internet and mobile banking  so that their hard earned savings are protected.



Beware of CIBIL Report Fraud

Posted by Vijayashankar Na on December 29, 2015
Posted in Cyber Crime  | 1 Comment

I would like to bring to the notice of the public a fraudulent e-mail that is being sent in the name of CIBIL.

The copy of the email is reproduced below:



Normally the CIBIL Transunion score is expressed as a three digit number and not as single digit such as 8.3.

On verification of the header information, it is found that the e-mail has emanated from notification@solveerrors.com. Return path is : ..@smtp1.perfectpriceindia.com>

The IP address from which the mail has been sent appears to be

Public are requested not to respond to this fraudulent e-mail.
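The header checks described above can be automated when triaging such mails. The following is an added example, not part of the original post: the sample message is constructed, its display name, subject and body are assumptions, and the Return-Path local part (elided in the post) is replaced by the word "placeholder".

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the headers described in the post. The
# Return-Path local part is elided on the page, so "placeholder" stands in.
SAMPLE = """\
Return-Path: <placeholder@smtp1.perfectpriceindia.com>
From: CIBIL Report <notification@solveerrors.com>
To: user@example.com
Subject: Your CIBIL score is 8.3

Your CIBIL score is 8.3. Click to view your report.
"""

BRAND = "cibil"  # brand the message claims to come from

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header value."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def org_domain(domain):
    """Naive registrable domain: last two labels (assumption; no PSL lookup)."""
    return ".".join(domain.split(".")[-2:])

def triage(raw, brand=BRAND):
    msg = message_from_string(raw)
    display, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From"))
    rp_dom = domain_of(msg.get("Return-Path"))
    body = msg.get_payload()
    findings = []
    # Display name or subject uses the brand, but the sender domain does not.
    claimed = brand in (display + " " + msg.get("Subject", "")).lower()
    if claimed and brand not in from_dom:
        findings.append("brand-not-in-from-domain")
    # Envelope sender and visible sender belong to unrelated domains.
    if rp_dom and org_domain(rp_dom) != org_domain(from_dom):
        findings.append("return-path-mismatch")
    # The post notes the score is a three-digit number, never e.g. 8.3.
    for score in re.findall(r"score\s+(?:is\s+)?(\d+(?:\.\d+)?)", body, re.I):
        if not re.fullmatch(r"\d{3}", score):
            findings.append("implausible-score:" + score)
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The brand check is a simple substring match, so a look-alike domain that contains the brand name would pass it; the Return-Path comparison and the score check still apply in that case.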

At the same time, I hereby give notice to CIBIL that they have now been informed of an attempt by somebody to cheat the public in their name, and if they do not take suitable steps to prevent such misuse of CIBIL’s name, they will be considered as “Negligent” and as providing indirect “Assistance” to fraudsters.

I request the Police anywhere in India also to take cognizance and issue notices to the concerned web hosting service providers as well as CIBIL to ensure that this fraud is stopped immediately.



Digi Locker Beta Release

Posted by Vijayashankar Na on March 7, 2015
Posted in Cyber Crime, Cyber Law, ITA 2008 | 1 Comment

Government has opened the beta version of the Digital Locker operated by CDAC and UIDAI which provides 10MB free storage space for every Aadhar number holder. It envisages that members can upload their ID documents and share it with other Government agencies if required.

The service is available at   http://digilocker.gov.in. It can also be accessed through http://digitallocker.gov.in and http://elocker.gov.in.

The site carries a digital certificate from an Indian Certifying Authority, unlike many other web sites which use certificates issued by Verisign, which is not licensed in India. However, it is surprising to note that instead of using a digital certificate issued by the Government owned NIC, the site uses a certificate from (n)code solutions, which is a private sector certifying authority. Also, some of the practices used by (n)code solutions for the issue of digital certificates to the public are not in accordance with the legal procedures suggested under ITA 2008. It is therefore surprising that the project has preferred to use their services instead of NIC or other more Cyber Law Compliant Certifying Authorities.

At the time of account creation and for certain other operations, the site uses OTP as a verification mechanism. It appears that an “e-sign” procedure is envisaged for users to individually authenticate the documents. But this is not yet working properly at present. It is also not clear what is meant by e-sign in this context.

The documents would be made available to designated agencies of the Government. Users can also send the document to another person through email.

While the concept of making available a free digital document storing place is welcome it is necessary to note that the site is short in the implementation of ITA 2008 compliance measures.

The website is silent on the issue of storage of information and it is unlikely to be in an encrypted state. We draw the attention of readers to my immediate previous post about the data breach in Anthem Inc, USA and the consequences. We are already aware that the Aadhar data base has been compromised in parts many times and lakhs of aadhar records would be available with cyber criminals as well as the enemy states of India. Now if the linked information is also leaked, it is a goldmine for terrorists in Pakistan or ISIS as well as countries like China who are preparing for Cyber space domination.

Government of India may be unaware of the risks that it is undertaking in this project and Modi Government should be prepared for a huge embarrassment at some time in future.

Employers should also be ready for completely faked employee IDs with fake marks cards etc., which may completely compromise their background verification systems. This can enable more Mehdis to find employment in critical sectors and compromise national security interests.

We hope the authorities will take a deep breath and review the security of the system before proceeding further.

