Open Door Policy of State Bank of India!

If we want to enter a branch of SBI, we may have to pass a guard and a half-closed gate. Secure rooms may even have access-controlled doors. It is therefore a surprise to learn that the server which housed "customer data", which is as valuable as the entire deposits of the customers, was not secured even by a password, let alone by robust encryption.

This is the revelation made by a security researcher (refer article in India Today), from which it appears that the account data of millions of customers was left open for anyone to view and perhaps download. It is not known how long the server was left in that condition.

The security researcher was reportedly able to track transaction details in real time. In fact, the media report states that the researcher was able to see 3 million messages on a single Monday.

It is said that the leak has now been plugged.

This is indicative of the state of information security in the biggest of the Banks. Probably the other Banks are worse off. We have pointed out in the past that SBI somehow appeared to lead the Banks in the number of fraudulent phishing phone calls made in its name. (Refer here).

We have also pointed out earlier that Axis Bank and Punjab National Bank, besides ICICI Bank, are notorious for phishing frauds. When we confront these Banks in judicial fora, they always come up with an ISO 27001 certificate and state that their system security is the best in the world. The reality is that even the bigger Banks, which have no dearth of funds to hire the best talent in the country, are woefully short of security at the implementation level. A certificate attests to a management system on paper; it does not by itself prove that a particular server was configured with authentication and encryption on the day the data was exposed.

One estimate is that around 740 million sets of data might have been compromised in this incident. Had the PDPA 2018 been in place and enforced as strictly as GDPR has been against Facebook and others, SBI would have faced a liability of Rs 100+ crores. SBI is fortunate that the data breach occurred before the PDPA 2018 became law.

SBI-Aadhaar Enrolment fraud

Just two days back, there was another report in which SBI had allowed its systems to be misused in the Aadhaar enrolment scheme and then tried to blame UIDAI for the lack of security. (See report here).

In this case, SBI had used an outsourced partner for Aadhaar enrolment, unlike many other Banks which trained their own officers for the purpose. An employee of the outsourced partner (Mr Vikram) used his operator ID to generate Aadhaar cards against fake documents between November 9 and November 17, 2018. He managed to generate the bogus Aadhaar cards using "multiple station IDs" registered in his name.

According to one report in Moneycontrol.com, SBI had outsourced its Aadhaar enrolment work to two vendors, FIA Technology Services Pvt Ltd and Sanjivini Consultants Pvt Ltd, in the Chandigarh region in order to reach its Aadhaar enrolment target. Probably Vikram was an employee of one of these sub-contractors. (It appears that these firms were empanelled by UIDAI.) He was fined Rs 33 lakhs by UIDAI.

The Bank has come out with a strong defence of Mr Vikram (see report here). An internal investigation by SBI and its vendor gave Vikram a clean chit against the UIDAI charges. According to the report, the Bank has also requested UIDAI to withdraw the penalty and allow him to return to work, and has urged UIDAI to explain the incident and the creation of the multiple station IDs.

Legally, since Mr Vikram was an agent of SBI and used the ID on behalf of the Bank, the Bank is fully liable for the incident. We can always debate whether UIDAI could have had enhanced controls to detect one operator using multiple station IDs. But the primary responsibility has to be borne by SBI.
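The detection control debated above is simple enough to show in code. The following is an added example, not UIDAI's or SBI's software, and the enrolment audit-log format, the field names (op, station, event) and the sample lines are constructed for illustration; the real enrolment client logs are not described on this page. The script parses the constructed lines, lists every operator ID that appears on more than one station ID, and separately flags an operator whose consecutive enrolments fall on two different stations within a short window, which is physically implausible for a single person and is the stronger signal that an operator credential is being shared or cloned.

```python
"""Flag enrolment operator IDs that appear on multiple station IDs.

Added example; not UIDAI or SBI code. Log format, field names and
values below are constructed for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: one enrolment event per line.
SAMPLE_LOG = """\
2018-11-09T09:12:00 op=OP1001 station=ST-CHD-01 event=enrol
2018-11-09T09:40:00 op=OP1001 station=ST-CHD-01 event=enrol
2018-11-09T09:45:00 op=OP1001 station=ST-CHD-07 event=enrol
2018-11-10T11:02:00 op=OP1002 station=ST-CHD-02 event=enrol
2018-11-12T14:30:00 op=OP1001 station=ST-CHD-09 event=enrol
2018-11-17T16:05:00 op=OP1001 station=ST-CHD-07 event=enrol
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+op=(?P<op>\S+)\s+station=(?P<station>\S+)\s+event=(?P<event>\S+)$"
)


def parse_line(line):
    """Return a record dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "operator": m.group("op"),
        "station": m.group("station"),
        "event": m.group("event"),
    }


def parse_log(text):
    """Parse all non-empty lines, silently skipping malformed ones."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is not None:
            records.append(rec)
    return records


def operators_with_multiple_stations(records, min_stations=2):
    """Map operator ID -> sorted station IDs for operators seen on >= min_stations."""
    stations = defaultdict(set)
    for rec in records:
        stations[rec["operator"]].add(rec["station"])
    return {op: sorted(s) for op, s in stations.items() if len(s) >= min_stations}


def concurrent_station_use(records, window=timedelta(minutes=30)):
    """Flag an operator whose consecutive events are on different stations
    within `window`: one person cannot be at two enrolment stations at once."""
    by_op = defaultdict(list)
    for rec in records:
        by_op[rec["operator"]].append(rec)
    alerts = []
    for op, recs in by_op.items():
        recs.sort(key=lambda r: r["ts"])
        for prev, cur in zip(recs, recs[1:]):
            if prev["station"] != cur["station"] and cur["ts"] - prev["ts"] <= window:
                alerts.append({
                    "operator": op,
                    "stations": (prev["station"], cur["station"]),
                    "first": prev["ts"],
                    "second": cur["ts"],
                })
    return alerts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for op, sts in operators_with_multiple_stations(recs).items():
        print(f"{op} used {len(sts)} stations: {', '.join(sts)}")
    for a in concurrent_station_use(recs):
        print(f"ALERT {a['operator']}: {a['stations'][0]} at {a['first']} "
              f"then {a['stations'][1]} at {a['second']}")
```

The first check alone produces false positives (an operator legitimately moved between centres over a week), so the second check, the time-window test, is the one that should raise an alert rather than a report line. Running it over the constructed lines flags OP1001 once, for the 5-minute jump from ST-CHD-01 to ST-CHD-07 on 9 November.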

The strong counter put up by the Bank indicates that the Bank wants to protect Mr Vikram, and this gives room for suspicion as to whether any other person in the Bank was also involved in a larger fraud.

This incident is an eye opener for judicial authorities, who are sometimes swayed by a Bank's statement that "Our security is the best, and if any fraud has happened it is only because of the customer's negligence."

The above two incidents indicate a serious lapse in the information security posture of SBI, and some heads need to roll.

Naavi


Product pricing in E Commerce and Consumer interests

The new FDI guidelines applicable to E-Commerce come into operation from 1st February 2019. A copy of the revisions to the FDI policy is available here.

The guidelines provide that 100% FDI through the automatic route is subject to certain conditions, one of which is that a vendor in which the marketplace has an ownership or controlling interest shall not generate more than 25% of its sales through that marketplace.

If any such vendor does more than 25% of its sales through a single marketplace, the arrangement is treated as an inventory-based model and the e-commerce entity will no longer be considered a marketplace. The inventory-based model of e-commerce is not eligible for FDI.

Vendors like Cloudtail operating on Amazon, or WS Retail on Flipkart, used to offer deep discounts and quick deliveries. There is no doubt that this was hurting the offline vendors, who charged more for the same product because they had to bear the higher costs of a physical presence.

The offline traders are therefore happy, and this is considered a political advantage for the BJP.

Though there have been some optimistic statements from the e-commerce giants that they will rework their contracts so that the discounts may continue, it looks likely that the good days of competitive pricing on e-commerce platforms for computer products, mobiles and consumer household goods are over. The "efficiencies" of e-commerce which were expected to bring benefits will be reduced.

The movement of the market back to offline vendors would re-open the use of black money for the purchase of consumer goods, and part of the benefits of digitization would also be lost.

It is possible that platforms not dependent on FDI, one of which may be the Ambanis', could replace the Amazons and Flipkarts and continue to provide the kind of discounts that have become the norm for e-commerce sales.

Where is Consumer Interest?

It is however necessary to flag the fact that this move, which forces FDI-backed e-commerce platforms to stop selling at the prices they do now, will only mean that consumers pay more and suffer the inefficiency of the local vendors.

It is necessary for us to realize that what is being called a "deep discount" by the e-commerce players is a combination of passing on the dealer discount and the savings achieved through a higher volume of sales. The greed of the offline merchants is also one of the reasons for the huge price difference between local vendors and e-commerce vendors.

The local vendors, by virtue of their physical contact, could have scored over the e-commerce merchants through better consumer service, better product assurance and so on. But they have so far shown no initiative to make consumers feel that a neighbourhood seller is better in a long-term relationship. Warranties and service are provided only by the manufacturers, and the local vendors add no value of their own to the product.

From the consumer's perspective, what matters is the price paid to acquire the product; the distribution of profit between wholesaler, retailer and so on is of no concern to him. If, therefore, a product X is available at Rs 2000 online and the same product is available at Rs 3000 in the local store, there is no reason why he should not opt for the convenience of online shopping, where he can compare prices, search across brands and read reviews without leaving his workplace or home.

In the case of small purchases, e-commerce is the only practical option, since it is unlikely that a buyer would take the time to go out to a shopping mall to buy an electronic product that costs a couple of hundred rupees or less. In fact, by not going out he decongests the roads and saves productive time.

I recently pointed out how offline vendors are making usurious profits in a specific instance, and wonder why we should not take consumer action against the company for cheating offline consumers by over-pricing the product at its offline selling points.

I have explained this in greater detail in the article "Stop this Day light robbery from Shell India Marketing".

Essentially, I have pointed out that Shell India is selling a 4-litre lubricant oil can in its authorized showrooms at Rs 4980/- as against an online price of Rs 2299/-.

I am not able to believe that this is a deep discount given by the e-commerce merchant. It is, in my opinion, exploitation by the offline merchant.

In fact, I want some consumer action group to take up this matter and demand that Shell India stop this exploitative sale in its authorized showrooms and let the online merchants make the sale.

This is just one example of a product being over-priced offline. It happens with consumer goods like mixers, TVs and so on, where heavy dealer discounts passed on by the manufacturers are kept by the dealers rather than passed on to consumers, citing the "MRP" printed on the product package.

The E-Commerce Guidelines may therefore be good for offline merchant intermediaries, but they are certainly anti-consumer. If products are sold at higher prices, the Government gets higher tax revenue, and hence the Government has a vested interest in allowing the exploitation of the consumer.

Can the Consumer interests be protected? 

It is time for the Government to find some innovative solutions to ensure that the offline merchants can make their sales at lower marketing costs, so as to be competitive with the online sellers.

One thought could be to provide the convenience of online marketing by creating a national network of offline merchants and giving them an exclusive, free online platform. This could work like a cooperative federation, to which the Government could extend exclusive tax concessions.

Let the neighbourhood merchant sell products on par with the online merchants and get the benefit of lower taxes, lower inventory movement costs, shared promotional costs and so on, so that his profit is retained even if he sells at the dealer's price. The scheme could run like the "Duty Drawback Scheme" for the promotion of exports, and could be tailored to the objective of social justice through differential rates of drawback on different products.

Will the Government give a thought to such an idea?

Naavi

Also refer

Copy of the revisions in FDI policy

Refer article in livemint.com

Refer Article in hindustantimes

Can the “e-Janata Bazaar” carve out the future of Digital India?


Intermediary Guidelines..Time for Public Comments ends in 2 days

The extended period for submitting public comments on the proposed changes to the Intermediary Guidelines ends on 31st January 2019.

Naavi has already added his views to the comments submitted by the Foundation of Data Protection Professionals in India, a copy of which is available here: Comments of FDPPI

Mr Rajeev Chandrashekar, MP, has also published the comments submitted by him, a copy of which is available here: Comments of Mr Rajeev Chandrashekar

Mr Chandrashekar, who was a member of the Standing Committee that went into an in-depth discussion of "Intermediary Liabilities" leading to the amendments of 2008, has recalled the observations of the Standing Committee in his comments.

A copy of the Standing Committee report is available here: Standing Committee Report of 2006-2008

Essence of Mr Chandrashekar’s Comments

Mr Rajeev Chandrashekar has basically suggested that there is a need to regulate intermediaries and make them liable for misuse. He has however pointed out that there are different categories of intermediaries and that a one-size-fits-all approach should be avoided. He identifies five types of intermediaries: ISPs, data processing and web hosting companies, search engines, e-commerce platforms and social media companies.

Mr Chandrashekar has expressed a strong opinion that technology companies must proactively prevent misuse of their platforms.

An important point Mr Chandrashekar makes is that today's intermediaries are not "mere conduits". Profiling users by studying the information that passes through them is the order of the day. Hence there is no logic in these intermediaries pleading that a monitoring requirement would be infeasible or a burden on them: they already inspect the traffic for their own commercial purposes.

Naavi agrees with this view and has long argued that "intermediaries" cannot simply make money by purveying information that is used for committing crimes. In recent days, political parties have taken fake news to a different level. The trust in the internet as a medium has been destroyed by the fake news factories. Hence regulating social media has become inevitable, and the ready instrument available for it is the Intermediary Guidelines.

The Intermediary Guidelines will soon end up in the Supreme Court, which will do its bit to confuse matters. Unfortunately, the Courts in India at the Supreme Court level have repeatedly failed to rise above politics, and in recent days have yielded to the pressures created by politician-lawyers and anti-Government PIL lawyers to the extent that the credibility of the institution as a neutral judicial authority has become shaky.

The Court is unlikely to look at the good intention behind the proposal and will be amenable to the advocates' aura and political ideologies. The Court will be happy to stamp its authority by rejecting what the Government proposes, even on flimsy technical grounds, without looking at the larger consequences, and this will be fodder for the opposition parties at election time.

Hence the Government has to be careful in drafting the guidelines.

Naavi


Good Wishes on Data Privacy Day

Data Privacy Day (28th January) has been observed across the globe since 2007 to increase awareness about privacy.

With the Personal Data Protection Bill (PDPA-2018) in process, India is taking a significant step towards a comprehensive data protection regulation which, in several respects, goes a step beyond global regulations including GDPR.

But we need to remember that a data protection law in India actually came into being on 17th October 2000 in the form of the Information Technology Act 2000, which protected all data, including personal data, sensitive personal data and other data, by providing civil compensation under Section 43 and criminal punishment under Section 66. This was further strengthened on 27th October 2009 with Section 43A and Section 72A in particular, and other sections such as Section 67C.

Let us celebrate International Data Privacy Day 2019 with the expectation that before the year is out, India will have its own Privacy Act.

Naavi


The EVM Hacking…..Despicable Lies to Soften Targets

It is terribly unfortunate that the Congress Party under Sonia/Rahul has turned into one of the biggest enemies of the country just because it wants to capture power. While it has every right to fight elections and win, it has no right to undermine the country the way it is doing now.

The so-called cyber expert Syed Shuja, in association with the Indian Journalists Association, UK, and under the watchful eyes of Mr Kapil Sibal, made many statements that Indian EVMs were programmed for hacking and were used by the BJP to win the 2014 elections. He also stated that the opposition parties were aware of this but were very honest and did not use it when they won the recent elections in Madhya Pradesh, Rajasthan and Punjab. He further claimed that Gauri Lankesh in Bangalore, who was shot probably because of some difference with her Naxal friends, and Gopinath Munde, who died in a road accident, were both murdered because they knew that EVMs could be tampered with. Perhaps he thinks nobody else in the BJP or in the opposition knew it, and hence they were not murdered.

The claims are so childish that even discussing them appears to be needless recognition of this anti-India tirade.

I would however like to discuss a related aspect: the Congress has been adopting a psychological strategy to soften the heads of institutions and turn them either into its supporters or at least render them incapable of taking, in the course of their duty, actions that may go against the Congress.

The strategy starts with spreading lies and accusing the person in charge of an important office of being corrupt and favouring the BJP. The campaign is continued, with the help of a section of the bought-over media, until the honest person becomes so disgusted that he is overcome by decision paralysis.

They first tried this effectively against the previous CJI by initiating an impeachment move, though they knew it could not progress. They then withdrew it, but it served notice on the other Judges that if they did not toe the Congress line, impeachment action along with misinformation in the media would follow against them too.

They thus softened the Supreme Court, which today agrees to take up any issue brought by the Congress advocates and issues notices to the Government even when the matter is meaningless. The Supreme Court has also been obliging in postponing the National Herald case and the Ayodhya case endlessly to suit the Congress. In the bargain, the credibility of the Supreme Court has been hurt.

They attacked the CVC during the Alok Verma dispute and made it look as if the CVC's office itself is unreliable. The CVC had already been discredited, since the CVC reports on the UPA scams are well known.

Now the Congress is targeting the Election Commission by targeting the EVMs. If EVMs had been tampered with for the last 5 years, every Election Commissioner who held office in that period would also have to be compromised.

The claims made by Syed Shuja are so absurd that they do not merit serious discussion. But they can become gossip that keeps circulating and is used by politicians in their public speeches. This is the strategy the Congress is pursuing, and it will be reasonably successful too.

Many people in professional circles are falling prey to this propaganda and advocating various measures that will dilute the credibility of the Election Commission of India.

We request professionals to rise above their individual political views and ensure that false technology narratives are not used to discredit our country's apex institutions.

I wish the Government/ECI would take immediate legal action against the Indian Journalists Association, UK, and Syed Shuja, as well as Kapil Sibal, for direct or indirect association with the false propaganda.

Naavi

Reference

Solution to EVM Controversy

Clarifications on Cyber Law Compliancy of EVMs

Hacking and Indian Elections

Hacking of EVMs is Cyber Terrorism

Bring Your own Virus infected Computer and say all computers can be tampered!


Umashankar Judgement upheld by TDSAT

S Umashankar Vs ICICI Bank was a historic adjudication decision of the Adjudicator of Tamil Nadu, decided in 2010 (the complaint was filed in 2008). The award held ICICI Bank liable to pay compensation to the customer because the Bank had been negligent and caused the loss, even though the incident also involved a phishing element.

The Bank appealed against the order to the Cyber Appellate Tribunal (CyAT). Unfortunately, just before CyAT was to deliver its judgement, the then Chairman attained superannuation in June 2011 and the operations of CyAT stopped completely. Two successive Governments could not find a replacement for the Chairman until, in 2017, CyAT was merged with TDSAT.

TDSAT reopened the proceedings on 31st July 2018 and yesterday, 10th January 2019, pronounced its judgement upholding the adjudication order, though it reduced the part of the compensation granted by the AO on account of expenses.

With this, a 10-year fight for justice by a cyber crime victim appears to have reached a decisive stage, though the mop-up operations by way of execution of the decree remain to be completed.

Naavi

[Update: A review was filed on the decision as regards the interest payable for the intervening period from the adjudication order up to the TDSAT order. The order dated 3rd April 2019 provided the interest relief. Watch for further updates, if any.]
