

Building a Responsible Cyber Society…Since 1998

The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.

The countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendation to be in place. It is hardly 51 days to this deadline, and probably not more than two board meetings are left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt. After all, we are in the season of Olympics and participation is the key. Making an honest attempt to win is necessary, but actually winning is incidental.

Let’s briefly review the challenge that our Bank Directors have on their hands now. I wish that Directors in Banks, and more appropriately the “Independent Directors”, take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016, by which the Board should have approved a “Gap Analysis” and signed a report sent to the DBOD. Probably most Banks have completed the formality. Those who have shot off the report may now review whether the report was complete, and those who have not need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security and there will be a sub committee of senior executives already assigned to the task of managing the Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (should have already presented) to the Board his assessment of the Gap and recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has been already presented, it is recommended that the CISO is asked to present his views on the Gap report already sent to RBI and modifications that may be required.

The “Gap Report” is to document the current status of the implementation of the “Cyber Security Program” vis a vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report or approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management, without which the Directors can easily be misled into believing that “All is Well” and ignore the urgent action to be undertaken.

The first question to be raised is

  • It is a requirement of the CSF-2016 that the Board of Directors should be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not, when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also a general training on the implications of CSF-2016.
  • Since the CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment. It should precede the presentation of the CISO so that the right questions can be raised to the CISO.
  • Since it is embarrassing for the Board to call for a training for itself, it is better to call this an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction are:

a) The Gap report should have identified the Cyber Threats that confront the Banking environment considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap report should have identified the Cyber Vulnerabilities of the system including the technical, regulatory, and manpower related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing out the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only and should also address the legal issues such as compliance to Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8) and also take into account the human factors that can result in exploitation both at the employee level and the customer level.

e) The Risk Identification has to also assign a measure of the risk criticality, which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc. or a value assigned in an objective manner if possible.

f) The CISO should also indicate and recommend the “Risk Management Policy” consisting of how much of the risk can be avoided, how much of the risk can be transferred by insurance, how much of the risk can be mitigated by various measures and how much of the risk has to be absorbed by the organisation.

g) The CISO should also indicate and recommend a brief overview of a “Risk Mitigation Plan” and suggest what should be the “Risk Appetite” of the organization. It would however be the decision of the Board to determine the “Risk Appetite” of the organization, which reflects the extent of risk that it can absorb in the interest of business, since ultimately commercial activity is always a risk-return trade off.

h) The CISO may also be asked to present his specific recommendations on the status of implementation of the 24 Baseline controls that have been indicated in Annexure 1 of the CSF-2016, as well as how to approach the SOC set up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016.

The “Gap Report” is only a starting point and may be imperfect. But what is required is to set in motion a corrective plan so that by September 30, 2016, when a comprehensive “Cyber security Policy” along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan” is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.

This is also the time for the Board to review whether its current information security management infrastructure is adequate or needs to be augmented. Finding the right people in the domain is not easy, and even if a decision is taken today, quality people cannot be brought in until the deadline of September 30 has already elapsed by a mile. Hence the first set of actions has to be initiated by the existing team, summoning whatever assistance they can gather from within and from available external consultancy resources.

There is no doubt that your CISO will say setting up an SOC is a long term project and even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than what they would otherwise achieve.

This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.

The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.

… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.




During the days of G Gopalakrishna Working Group (GGWG) of RBI which was deliberating on the E Banking security, two Banks, namely ICICI Bank and SBI, who were members of the committee tried to argue that “Two Factor Authentication” should be considered as equivalent to “Digital Signature” for the purpose of authentication of Banking transactions. Fortunately, thanks partly to the efforts of the undersigned, the bluff was called and the GGWG rejected the recommendation of the sub committee in this regard.

This was way back in 2011 and a lot of water has flowed under the bridge since then. Despite the recommendations of GGWG against Two Factor Authentication being considered as valid authentication, Bankers have continued to use two factor authentication based on SMS sent to a mobile as the principal means of authentication of all transactions conducted on Internet or Mobile.

In the case of Mobile Banking, the SMS based two factor (2F) authentication actually was reduced to a single factor authentication since the same channel was used both for the transaction and the authentication.

In the meantime, certain malware was also developed specifically to exploit the SMS based 2F authentication, and technologists continued to further compromise security by developing Apps that could read SMS automatically, pick up the OTP and continue the authentication process without human intervention. “Convenience” blinded the users into believing that this technological revolution was great.

Technologists who had little understanding of the security or ignored it deliberately for the sake of functionality of the Apps and the business entities who always pursued the compromised policy of “Security to the extent it is financially feasible” made 2F authentication a universally used system providing a false sense of security to the users.

What was regrettable was that the Government of India also fell prey to this false sense of security provided by OTP through SMS on Mobile as a valid 2F authentication which could enable an Aadhaar based e-Sign authentication that could be considered as a “Legally Valid” authentication.

The UPI (Universal Payment Interface) further adopted OTP for integrating all card based transactions and increased the stakes. It is reported that there are many FinTech projects which will go on stream on the UPI platform in the coming days making SMS based OTP system a widely used digital authentication system in India.

The central point that Naavi has been making in all the discussions here was that the dependency on OTP had diluted the KYC process to be completely subordinated to the integrity of the KYC system used by the Mobile Service Providers (MSP). The situation has been brought down to the extent that a “Mobile Number Ownership” was equivalent to having an “Aadhaar Card”, as if it was the “Passport to Digital Identity”. But the MSPs’ processes of KYC were not robust enough to be the foundation for all financial dealings in the country, and therefore the society was exposed to a huge risk of massive digital financial frauds.

There appears to be a silver lining now to indicate that the tide may be turning. Yesterday there was a news report that the Indian Army had filed an FIR against Airtel over the issue of “Pre activated” and “Unverified SIM cards” in Manipur.

According to the complaint, an Army column had found that a distributor was handing out free, pre-activated SIM cards to the villagers without any paper work.

Though Airtel has officially denied that they are violating any DOT norms, the prevalence of the practice of issuing pre-activated SIM cards that can be used by either terrorists or fraudsters has been documented beyond doubt, exposing the naivety of the regulators in Banks including RBI, DeITY, UPI, Aadhaar etc. in relying upon the KYC process of the MSPs as reliable enough to mount their financial transactions on, as a Standard Operating Process (SOP).

This incident alone should have immediately brought out a clarification from RBI and DeITY or the CERT-IN that the SMS based 2F authentication is no longer to be relied upon for building authentication systems which may further be used for financial transactions.

I therefore urge CERT-IN to immediately step in and issue the advisory.

In a further confirmation of this need to deprecate the use of SMS based 2F authentication, the globally accepted, Government backed Standards organisation, namely the NIST (National Institute for Standards and Technology) of the US, has proposed to deprecate the SMS based authentication in its latest standard draft.

The report also identifies that NIST has flagged the use of SS7 protocols by hackers which was highlighted by Naavi.org recently. According to the NIST,

“it’s going to deprecate it (Ed:the 2F system) in favor of other options. Those options include using your smartphone with secure applications (such as Google Authenticator) that can generate out of band authentication codes, or other types of devices that can be used as out of band authentication (such as security keys, smart cards, and so on). If the cryptographic keys are stored on the device, then it should use trusted platform modules (TPMs), keychain storage, or trusted execution environments.”

One of the additional reasons why identity verification through an SMS sent to a mobile number is considered unreliable is the development of online services where a “Virtual Mobile Number” is made available as a service. This “Virtualization” of the MSP system will be a feature that can come in handy for fraudsters and be a threat for the law enforcement agencies.

The “Authentication Industry” has to therefore find a new method of reliably verifying the source of a digital transaction without which the entire FinTech industry will be skating on thin ice.

This development will be a milestone in the standards that set the benchmarks for “Due Diligence” and “Reasonable Security Practice” under Section 79 or Section 43A of Information Technology Act 2000/8.

All Judicial authorities including Adjudicators as well as all Advocates need to take note of this development and ensure that Banks and other organizations that continue to use SMS based 2F authentication will no longer be considered as following “Due Diligence” or “Reasonable Security Practice” under ITA 2000/8 and hence will have to absorb the liabilities arising from frauds where OTP is used as an authentication feature.

Additionally, this article placed in public domain will also be a “Notice” to all Organisations, Security professionals, the Advocates and Judicial Authorities, including the Government Agencies, that the failure of SMS based OTP as a reliable authentication mechanism in the digital world has been brought to their notice and that their continued use of it will disable any legal defense based on this concept being projected as an accepted “Industry Practice”.



Raghuram Rajan exits.. Media starts its games once again.

Posted by Vijayashankar Na on June 19, 2016
Posted in Bank, RBI

The media, including the otherwise respected Economic Times and CNBC TV, all predicted doomsday for the Indian economy if Rajan is not given a second term. It was funny to observe that even Mr Narayana Murthy of Infosys made a suggestion that Rajan deserves not one renewal but two at one go.

Now that Mr Rajan has decided to call it quits, all these people should accept that their attempt to manipulate the process of appointment of an RBI Governor, which is the prerogative of the current Government, has not been successful and keep quiet.

All said and done, Mr Rajan was a personal choice of the previous Finance Minister Mr Chidambaram, who is tainted with issues such as the Ishrat Jahan files involving National Security issues, and that should be sufficient to cause distrust of Mr Rajan by neutral observers.

Mr Rajan did not do enough to present himself as a person who is not pro-Congress during his tenure. The support he received from Congress in the last month and is receiving till today is sufficient to vindicate the belief that Congress had a vested interest in his continuation and it was therefore a political decision to continue him or not.

The media which thinks it can influence every Government decision has now started its game once again by projecting Ms Arundhati Bhattacharya, the current SBI Chairperson, to the post of the RBI Governor. Media would love to have the “First Female Governor of RBI” as if it is a special qualification for a person to be female. This criterion is insulting even to Ms Arundhati and should never be advanced.

I however, consider the attempt of the media to project Ms Arundhati as faulty for a different reason.

We must understand that she is now the head of the biggest Commercial Bank in India and if there is any problem with the Banking industry including NPAs and Frauds, the biggest share of the same is with SBI.

The role of RBI Governor is one of the “Regulator” of Banks and therefore it is completely illogical that the current Chairperson of one of the commercial Banks is made the regulator.

It is highly objectionable in principle and should be avoided at all costs.

Even if she is otherwise eligible for the responsibility, it can be considered only after a cooling off period of up to 3 years after she demits the current office. Otherwise there would be a serious conflict of interest in her role.

Further, in Personnel Management, we all know the problem of “Role Fixation” that arises in a person when he is elevated to a higher position in the hierarchy. An SBI Chairperson will remain an SBI Chairperson mentally for some time even if she is made the RBI Governor, and an immediate switch over is not advisable from managerial principles.

Further, it should be understood that the RBI Governor’s position is that of a “Regulator”. One of the problems with Raghuram Rajan was that he had a “Role Fix” as an “Economist” and was weak in discharging his other functions as a “Regulator”. It is for this reason that on issues of security, fraud management etc, his contribution appeared wanting.

Any person who has watched the E Banking and Credit Card scenario in India will recognize that SBI was one of the problem Banks. It was operating its credit card operations through outsource partners, and fraud attempts and phishing were most rampant in SBI cards. There have been many E-Banking frauds indicating a weak information security position in SBI, though its past image has endured in giving a picture of a sound Bank.

The recent incident where SBI was caught transferring Rs 720 crores in Cash (as claimed by them in certain press reports) in Tamil Nadu during elections cast a doubt on the integrity of SBI just as the old Nagarwala Case had proved how SBI was acting as a private Banker of Indira Gandhi. Ms Arundhati owes an explanation to the country on this incident which she is yet to come up with.

I wish Mr Subramanya Swamy raises this question in the Parliament.

There is no doubt that ex-Bankers like us hold SBI in a lot of respect for their systems and procedures as well as their manpower training systems. However, in the generation of E-Banking, the same efficiency does not seem to have been carried through. Now that SBI will be saddled with the “Subsidiary Merger Issues”, there will be chaos in the Bank in the next three years and it would be best if Ms Arundhati is left to handle the challenges of merger rather than be moved out.

If Ms Arundhati is made the RBI Governor, I see the possibility that many of the frauds in SBI will be suppressed and there will be a greater mess to deal with at a later date. Even issues such as the Vijay Mallya issue will become complicated if the SBI Chairperson becomes the referee.

I therefore request media to stop speculating and supporting any one person for the job of the RBI Governor. Let this be handled professionally. The more the media tries to support a person, the more it will be seen as a PR exercise and there will be many who will oppose. This is not good even for the incumbent candidate.

If Ms Arundhati is intelligent, she should immediately issue a statement that she would not like to be considered for the post at this point of time. This will prevent further embarrassment to her.

My personal view is that the RBI Governor’s position is best managed by one of the current Deputy Governors, the best of whom can be elevated. We do not need a Nobel Laureate and an economist but a hard nosed regulator to manage RBI. Then the Governor will focus on Bank regulation rather than poking his nose into the Finance Minister’s work.

Certainly it is wrong to think of the current Chairpersons of SBI or ICICI Bank or Axis Bank for the post, even if they have been efficient in their past assignments and each of them would create history by being the First Female RBI Governor of India, if it is a desirable thing. If such a decision is taken, remember “Peter’s Principle” and pray for the welfare of the Indian Banking Customer.


Also Read Old articles on NBFC policy issues (These are 1998 articles and to be seen in that context)



Happy to note that Mr Nandan Nilekani is back at what he is best at, the professional circles, after a brief brush with politics, that too with the Congress party. Naavi has been highly critical of his association with Congress party which made him say things such as “Reservation is required in Private Sector”.

Now that he seems to have donned the corporate suit again, it is happy days for all his admirers. We welcome him and hope he will make his own disruptive impact on the IT eco system in the country.

I got to watch two of his talks recently on the topic of Disruption of Financial Services, one at TIE, Bangalore and another at IFMR Trust, Mumbai. He called it a Thought experiment and it was indeed very thought provoking.

The thoughts which he has seeded in the talk will be discussed and debated in the market place and as an Ex-Banker and a keen watcher of the developments of “Use of Technology in Banking” I will add some of my own thoughts in due course through these columns.

For the time being, I invite the readers to watch the YouTube videos below:

Nandan’s Presentation at TIE :


IFMR Presentation (Same as TIE but better videographed):

Panel Discussion at TIE:


The essence of what Mr Nandan Nilekani discusses is that in 2009, the advent of WhatsApp disrupted the Telecom scenario and changed the way data was consumed on mobile networks. In the same manner he feels that the advent of Paytm and the likes will change the way the Indian Banking system will function in the coming days and there can be some major upheavals in store.

In the TIE conference, the Paytm and Bankbazaar promoters also add their views and suggest that the developments threaten the traditional Banking system. Obviously this requires some in-depth discussions.

I invite the readers to contribute to this discussion as we go along.



Lessons from China to Indian Bankers and RBI

Posted by Vijayashankar Na on March 24, 2015
Posted in Bank, RBI

China Banking Regulations Commission (CBRC) has notified guidelines to the Banking industry to use “Secure and Controllable Technology” to strengthen the Internet based Banking system. This guideline has the potential to bring significant changes to the IT industry in China and also the vendors from outside China.

According to the guideline, it would be mandatory for Banks in China to use “Secure and Controllable” IT Products at a minimum rate of 15% increase each year and to reach 75% by 2019. The criteria for determining the status of a product as “Secure and Controllable” have been detailed in the guideline and include the following.

1. IT Vendors are required to establish their own R&D service centers in China

2. Source code should be filed with CBRC

3. Risk of Product supply chain should be controllable. (i.o.w. there could be a need for more local production in the entire supply chain)

4. The IP rights in respect of certain products could be subordinated to the local requirements. (i.o.w. provisions similar to compulsory licensing may be used)

As a result of these regulations, the following would be necessary:

1. Supplier/Service Contracts will have to incorporate necessary compliance clauses.

2. Banks will have to deploy 5% of their R&D budget on deployment of Secure and Controllable IT products

3. Banks need to subject themselves to an annual audit by CBRC to determine compliance.

As a result of these changes, Indian IT companies having operations in China with exposure to Banking industry need to be prepared for a compliance related modification of their business contracts.  If they fail to adapt, the supply contracts may be terminated.

I think RBI needs to pick up a few lessons from these guidelines since they have mindlessly allowed domination of Chinese products in the Indian Banking industry exposing the country to a great disadvantage in the event of a Cyber War. Banks should also understand that there is national interest beyond the need to increase their bottom line.

We remember that during the UPA regime, a Security Certification Center was established under the guidance of IISc Bangalore to test IT products, from China in particular, which were suspected to have OEM back doors, but it was actually sponsored by Huawei!

I hope the National Cyber Security team in India takes note of these developments and initiates appropriate actions.


China Banking IT Regulation Tightened Up

China Issues new CBRC guidelines

CBRC issues clarifications

CBRC makes life difficult for MNC vendors



Will Axis Bank Explain?

Posted by Vijayashankar Na on October 11, 2014
Posted in Bank, ITA 2008, RBI

Naavi.org recently was informed of a bizarre instance involving Axis Bank and ATM transactions. This incident is a matter of serious concern to all Axis Bank customers and hence we would like to bring this to the notice of all, including the Reserve Bank of India.

I am reproducing verbatim a comment posted by one Mr Sharad Updhyay about his experience in an ATM in Gurgaon for one of our earlier articles titled “Axis Bank ATM license should be cancelled by RBI”:

“Recently I tried withdrawing Rs. 2000 using my IDBI Debit card from an AXIS BANK ATM based at Sahara Mall, Gurgaon. The ATM asked me if I want a receipt for the transaction. I opted yes, the transaction was automatically aborted. Wondering what happened to the ATM, I tried again and again (with option “Yes” for transaction receipt) – a total of 5 times, but encountered the same problem every time.

Meanwhile I noticed that another person who opted “No” for printed receipt was able to withdraw money from the same machine. I followed him – went ahead for withdrawal without transaction receipt, and this time machine dispensed the desired amount i.e. Rs. 2000.

Next day I noticed that my IDBI account was debited twice: first for a sum of Rs. 10000, and once again for Rs. 2000 (which I actually withdrew there). I was wondering what made the ATM cause a debit of Rs. 10000 in a single go – while I never entered this amount at ATM console.

I raised an official complaint with my bank (IDBI), and they escalated the case on my behalf with Axis Bank, however, Axis Bank rejected my claim – stating that their ATM balancing reports, switch files, and other transaction logs show that Rs. 10000 transaction was carried out successfully, and they do not owe me anything.

At this stage my bank i.e. IDBI has been helpless, and I’m just wondering whom to report this fraudster in order to get my money back. It appears that something fishy is going on there in Axis Bank ATMs with help of CMS (the agency which replenishes cash in ATMs) and the Axis Bank staff itself. How is it possible that there was no surplus sum recovered from ATM for my failed transactions, and how is it possible that an ATM automatically converts 5 subsequent transactions of Rs. 2000 each into a single transaction of Rs. 10000?

Please let me know what can be done in this case, and how can I get my money back. Also, isn’t there any authority to punish the bank owning such malicious ATMs and ripping off the customers like this?”

The first comment I would like to make on this incident is that there is apparent fraudulent mis-management by Axis Bank. It is clear that the ATM has been deliberately tweaked to ensure that fraudulent transactions do not come to the notice of the customer when he is withdrawing the amount.

The responsibility for this fraud lies squarely on the management of Axis Bank all the way up to the Chairperson.

The reported incident is a report of possible hacking of a critical computer resource belonging to the Banking system. It represents a cognizable offence under ITA 2008. Mumbai police, who closely monitor even Facebook “likes” and go to the extent of arresting persons, must be considered as being aware of the occurrence of this crime. They should therefore take suo motu action and register a Cyber Crime under Section 66 of ITA 2008, naming unknown Axis Bank employees as suspects. They should also investigate “Negligence” on the part of the Axis Bank ATM division and the Chairperson for not taking adequate information security measures to protect the ATM transactions.

The Reserve Bank of India should at the same time initiate its own investigation and take penal action against the officials of the Bank.

Now coming back to the customer and what he can do.

1. Normally money fraudulently debited to the account should have been reversed immediately on filing of a complaint with the Bank.

2. IDBI Bank cannot absolve itself of its responsibility since they have used Axis Bank as its agent and hence they are responsible for their client’s loss.

3. Customer need not go to the Banking Ombudsman since that is a sham run by RBI and most Ombudsmen are biased in favour of the banks and simply reject the claim with a further proviso that you cannot appeal to RBI.

RBI is aware that the scheme is a sham and yet has not shown any interest in correcting the same. This is not a reflection on the Banking Ombudsman in Mumbai but a general reflection on the scheme and how it is run.

If possible I advise the customer to personally meet Mr Raghuram Rajan, the Governor of RBI, and check why he is not considering himself responsible for running a secure banking system.

4. The customer is fortunate to be in Mumbai where the IT Secretary is one Mr Rajesh Aggarwal. He is also the “Adjudicator” under ITA 2008. For any financial loss arising due to contravention of any of the provisions of ITA 2008, in Mumbai, he is the sole authority having judicial powers to conduct an enquiry and award a compensation.

I advise the customer to make an adjudication complaint to him immediately. If he remains in office for some more time, he will definitely give him justice.

However, since Maharashtra is likely to have a change of Government soon and it is customary to shuffle secretaries if a new Government comes, it is possible that this great officer who is upholding justice under ITA 2008 like no other IT Secretary in India may be shifted out.  Hence the customer should at least get his complaint registered before any such change occurs.

5. It would also be better if a complaint is filed with the Commissioner of Police, Mumbai against the officials of IDBI Bank and Axis Bank for running a fraudulent ATM system and causing loss to you. The customer should not fall into the trap of filing the complaint against the unknown fraudster who might have drawn the money. That person will never be traced since IDBI Bank is unlikely to have maintained the CCTV footage or other evidence that may be required for this purpose. Police and Banks will try to hold that only that unknown person is responsible and nobody in the Bank is responsible. This is a way of driving the complaint to a dead end. For the customer it is always a transaction with the Bank and hence he should hold the Bank alone responsible.

The Police complaint should also mention that RBI has been negligent in enforcing ATM security and is also responsible for pushing customers to such frauds.

If necessary, the customer may take the assistance of a Consumer activist to pursue the complaint.

It may appear that the money lost may not be substantial and hence may not be worthy of the trouble of complaining. It is this attitude of most of us that emboldens criminals to resort to this type of small ticket frauds which we refer to as “Salami” attacks. It is our duty to bring this to public knowledge and wake up regulators like RBI to remind them of their responsibilities.

In the meantime, I demand that Axis Bank makes an official statement about this incident.

