Is Rs 1 Crore fine on Indian Bank a sufficient deterrent?

The Reserve Bank of India, in a press release dated December 11, 2018, imposed a monetary penalty of Rs 1 crore on Indian Bank for non-compliance with its directions under the Cyber Security Framework of 2016 and the Master Directions on Frauds reporting.

RBI has in the process clarified that

“This action is based on deficiencies in regulatory compliance and is not intended to pronounce upon the validity of any transaction or agreement entered into by the bank with its customers.”

Considering that in the past RBI has been content with fines of Rs 5 lakhs and Rs 10 lakhs for failures in KYC, the imposition of a penalty of Rs 1 crore appears eye-popping.

It is certainly a departure from the past, in that the fine is relatively significant and it is for “Non Compliance” with an order related to “Cyber Security”.

One of the complaints we have always had about Banks is that they do not take RBI’s instructions seriously, and RBI is content with just sending circulars rather than enforcing its decisions on the Banks. We have often pointed out that Banks like ICICI Bank and SBI are so powerful when it comes to policy making by RBI that, through the combined strength of the Banks in the IBA, it is often the Banks which dictate terms to RBI rather than the other way round.

It is therefore refreshing to note that this time RBI appears serious about having its directions taken seriously.

Many of the Banks openly declare that they would provide only such security as is “Commercially Feasible” and trade security off against their own profits. This fine therefore does raise the bar a little higher than it was earlier.

However, will this be a sufficient deterrent? In our opinion, not necessarily, for the large Banks. After all, this fine of Rs 1 crore will be an indirect burden on the public, since the Bank will factor it into its service charges or simply let it be borne by the shareholders.

When ATM security was in public discussion a few years back, Banks started charging extra money per transaction to cover the security guard’s cost etc., but soon the charges remained while the services promised never materialized. The same thing will happen now: Banks will pay off the monetary fine from their profits and, except for a small ripple, continue to function the way they do now.

If real improvements are to be brought into the service of the Banks, a part of such burden should be imposed on the officials who were negligent in implementing the security guidelines. Such responsibility needs to be imposed on the Board of Directors, the CMD as well as the CISO. The fine can take the form of a percentage of their salary recovered over, say, about a year, so that every month they are reminded of their dereliction of duty. Even the Board of Directors should bear a penalty in the form of an individual fine out of their sitting fees or remuneration.

I hope the RBI will take note of this suggestion for the future.

Naavi


“Tweets are not Facts”… “WhatsApp” is not “Whats up”

Speaking in the context of the Rafale deal, the French Ambassador has reportedly made the comment “Look at Facts…not the Tweets”. This was as much advice to the traditional media, which sensationalizes the social media posts of Congress, whose political ambitions have made Tweets a tool for spreading disinformation. The obliging media picks up anything and everything thrown at it and converts it into a political narrative.

Be it Rafale or the RBI Board meeting, the CBI internal politics or even the quality of currency notes, the media is capable of converting it into an anti-Modi narrative and keeps shouting.

In this unfortunate situation, innovative technical tools such as Twitter or WhatsApp have become more tools for creating false narratives and defaming people. The politicians should be credited with the successful corruption of an innocent tool created by the Internet to give “Voice to the Ordinary People”.

Today, even the owners of these businesses are carried away by the increased usage that these false posts create and think they are generating more revenue, like the TV media that goes after TRP at any cost. But in the long run this trend is eroding the credibility of the system, and as soon as the election fever is over, the backlash will hurt these services to the extent that in due course they will be extinct.

In the interest of the survival of these social media vehicles, it is necessary that they do not misinterpret “Free Speech” as “Freedom to spread falsehood”. If they do, they will be digging their own grave.

It is therefore time for society to think about and implement measures that would enhance “Trust” in the use of these social media.

Though it looks ridiculous to many, there is a valid argument for the creation of “KYC based identified accounts in Twitter and WhatsApp, and an ethical declaration to be open to being banished for deliberate false postings”.

Twitter has the system of “Verified” accounts, but it is not being implemented properly. Twitter’s approvals are biased, and genuine accounts are often denied the “Verified Tag” without any reason. There is a need for introducing a new system of “Identified Social Media Postings”. Facebook and WhatsApp should join this consortium.

Probably these business entities will not see the value of such “Identified Accounts”. I therefore call for a new start-up business in India which runs an “Identity Service” to issue “Verified Tokens” to users of social media, so that there is more responsibility among social media users.

Of course this is not a solution for the political parties posting false narratives for political gain, but still, it would go a long way in establishing a “Responsible use of technology”.

Naavi


UK DPA strikes at Uber: Delivers a lesson in Password construction

Uber has been fined by the UK DPA GBP 385,000 (approx. Rs 3.5 crores) for failing to protect its customers’ data during a breach.

Refer report here

The breach occurred in November 2016, when GDPR notification was in place and the UK was part of the EU. It involved a cyber attack on a US server of Uber hosted on the Amazon cloud service, which was compromised; about 2.7 million accounts of UK citizens, with names, email addresses and cell phone numbers of the users, were potentially accessed.

In US, Uber had reached an agreement with all the 50 states to pay a compensation of $140 million (approx Rs 1017 crores) for the same breach.

The ICO’s notice indicates that the attackers acquired the credentials for access to the cloud server by accessing a private code repository on GitHub, through a trial-and-error method akin to a brute force attack on combinations of user name and password (Credential Stuffing).

Uber paid a ransom to the attackers amounting to US $100,000, which it treated as a “Bug Bounty” payment, and then introduced additional security to change the keys.

From the incident it appears that the user names and passwords used by 12 Uber employees on GitHub, which were available in plain text in code, were first accessed and the combinations tried on the Amazon cloud server. Since the employees used the same username-password combinations on the Amazon account, the attackers were able to access the cloud server.

The decision may appear erudite, but it must be debated whether this incident indicated “Negligence” on the part of Uber and, if so, the extent of such “Negligence”. Was the security otherwise in use “Reasonable”?

Once a breach has happened, any amount of security appears inadequate. The regulator ideally has to put itself in the shoes of the Company and evaluate whether, under the circumstances in which the storage was designed, the security was adequate. The regulator should avoid penalizing the business entity with the benefit of hindsight merely to demonstrate its power to penalize.

Further, taking objection to how Uber treated the payment to the attackers, whether as “Bug Bounty” or “Ransom”, was perhaps beyond the scope of ICO’s authority. It could have avoided treading into this domain, which could have been an accounting necessity or dictated by insurance coverage needs. The procedure for bug bounty not having been adopted is a matter which is of no concern to ICO.

It appears that ICO exceeded its boundaries in this respect, which may be indicative of a bias with which the decision on the penalty could have been arrived at.

It is also strange to observe that ICO has placed a disincentive on the Company’s right to appeal (by offering a discount if appeal is not resorted to), which may not be entirely legal.

This was a case fit for a nominal fine meant to flag a kind of attack against which companies need to guard.

The lesson to be drawn from the incident is that “Users should not use the same user ID-password combination” across different services.

This will now become a new paragraph in the Password policy of every organization.
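As an added illustration (this code is not from the ICO notice, from Uber, or from this post), the kind of check a code repository owner can run to surface the two problems the incident turned on: credentials committed in plain text, and one password reused across services. The file paths and values below are constructed for the example; the `AKIA` prefix is the documented format of an AWS access key ID, everything else is invented.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample repository contents for this example. The paths and
# values are invented; nothing here is taken from any real repository.
SAMPLE_FILES: Dict[str, str] = {
    "deploy/settings.py": (
        'GITHUB_USER = "build-bot"\n'
        'GITHUB_PASSWORD = "Summer2016!"\n'
        'DEBUG = False\n'
    ),
    "deploy/cloud.cfg": (
        "aws_access_key_id = AKIAEXAMPLEEXAMPLE00\n"
        "aws_secret_access_key = wJalrXUtnFEMIEXAMPLEKEYEXAMPLEKEYEXAMPLE1\n"
        "console_password = Summer2016!\n"
    ),
}

# "key = value" or "key: value", with optional quotes around the value.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<key>[A-Za-z_][\w.-]*)\s*[:=]\s*["']?(?P<value>[^"'\s#]+)["']?""")
# Key names that usually hold a credential.
SENSITIVE_KEY = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|private[_-]?key)")
# A token with a well-known fixed format: AWS access key IDs start with AKIA
# followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Values that reference the environment or are obvious placeholders are not secrets.
PLACEHOLDER_PREFIXES = ("$", "<", "os.environ", "getenv(", "ENV[")
PLACEHOLDER_VALUES = {"", "none", "null", "changeme", "xxx"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    key: str
    value: str


def looks_like_placeholder(value: str) -> bool:
    return value.startswith(PLACEHOLDER_PREFIXES) or value.lower() in PLACEHOLDER_VALUES


def scan_text(path: str, text: str) -> List[Finding]:
    """Return every plaintext credential found in one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", "", m.group(0)))
        m = ASSIGNMENT.match(line)
        if (m and SENSITIVE_KEY.search(m.group("key"))
                and not looks_like_placeholder(m.group("value"))):
            findings.append(Finding(path, lineno, "plaintext-credential",
                                    m.group("key"), m.group("value")))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    return [f for path, text in files.items() for f in scan_text(path, text)]


def reused_values(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each credential value that appears in more than one place to its locations.

    The same value under two different service keys is the reuse the post warns about.
    """
    locations: Dict[str, List[str]] = {}
    for f in findings:
        locations.setdefault(f.value, []).append(f"{f.path}:{f.line} ({f.key or f.kind})")
    return {v: locs for v, locs in locations.items() if len(locs) > 1}


def redact(value: str) -> str:
    """Keep a short prefix so a finding can be matched to its line without echoing the secret."""
    return value[:4] + "*" * (len(value) - 4)


def report(files: Dict[str, str]) -> List[str]:
    """Human-readable report lines: one per finding, plus one per reused value."""
    lines = []
    findings = scan_files(files)
    for f in findings:
        lines.append(f"{f.path}:{f.line}: {f.kind} {f.key} = {redact(f.value)}")
    for value, locs in reused_values(findings).items():
        lines.append(f"REUSED {redact(value)} in: " + "; ".join(locs))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FILES)))
```

Run against the constructed files, the scanner reports the GitHub password, the AWS key ID (by format) and the AWS secret and console password (by key name), and then flags that `Summer2016!` is the same value under both the GitHub and the cloud console keys. A check like this belongs in a pre-commit hook or CI job, not only in a post-incident review.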

Naavi


EY flags Crypto Currency as a threat. Will the Supreme Court take note, or ignore it?

Ernst and Young recently published a survey on “Responding to Cyber Crime Incidents in India”. Some interesting insights are reported in the survey.

One of the insights, which is important from the point of view of the Supreme Court hearing on the legalization of Bitcoins, needs to be taken note of.

The survey, speaking on “Crypto Currency” as an emerging area of risk, states:

“The challenges in using virtual currency are that these systems are capable of facilitating tax evasion or illegal activities because of the anonymity factor which is built into the system. As a result, Bitcoin is a preferred mode by hackers for ransomware. …. The rise in usage can lead to a surge in cyber-attacks, raids and fraud.”

The Government of India and the Supreme Court which are under tremendous pressure from the Bitcoin industry and the supporting media should take note that “If Bitcoin is legalized in India, the country’s economy would be doomed”.

The Bitcoin being the “Currency of the Criminals” and “Currency of the Terrorists”, the easy movement of crime money across the entire economy and across borders would provide an easy channel for rewards to be distributed for different forms of crimes. Once the tracking of crime money becomes fuzzy, financial crimes will become difficult to prosecute, since Courts would demand “Evidence of Money Trail”, which will go dark with the use of Bitcoins.

The Supreme Court has to ask itself the question,

Is the Court able to understand the adverse impact of Bitcoin on the Country, and be honest and bold enough to ban Bitcoins? Or

Will the Court hide behind technicalities and try to give breathing space for Bitcoins, which all the corrupt elements of our society worship?

Citizens of this country will draw their own conclusions on who is on the side of Corruption and who is not, based on the arguments that will follow in the Supreme Court.

At present it appears that Naavi is a lone warrior in the social media fighting against Bitcoins.

Traditional media, including CNBC TV, Bloomberg, Business Standard, Economic Times, Republic TV and Times Now, are all either in direct support of Bitcoin or exercising restraint in passing any adverse comment on Bitcoins.

There is an organized PR team working at planting favourable stories in the media to influence the Government to come up with a favourable view under which the Supreme Court can pass a favourable decision.

Mr Modi appears to be too distracted with the politics around him to be able to respond decisively. I am reminded of the Mahabharata war, where Arjuna is dragged out of the main battle scene when the Kauravas planned a Chakra Vyuha which consumed Abhimanyu. Similarly, election politics is dragging Mr Modi out of the Bitcoin scenario, leaving the decision entirely to Mr Arun Jaitley.

Will Mr Arun Jaitley be able to stand up to a commitment of eliminating the Digital Black Money called Bitcoin? So far he has not shown any indication of the same. I hope this time it will be different.

However, I hope there are many silent supporters who may not be vocal, but whose silent voices would reach the Supreme Court.

Naavi


RBI needs to fight the Mazar Virus rather than fighting with the Government

The Reserve Bank of India is in the news for picking a fight with the Central Government over the right to use its reserves in the manner it deems fit. Whether RBI is over-capitalized through its retention of reserves, and whether part of it should be made available for bridging the fiscal deficit, is not a debate for this platform. We leave it to the economists to debate and, hopefully, resolve in the November 19 Board meeting.

However, we would like to point out to the RBI that its functions, apart from being Banker to the Government, include being the “Regulator of the Banking System in India”. RBI in this capacity is responsible for the security of the Banking system in India.

Whether RBI should fight to defend its right over the disposal of its reserves is left to the economic experts, but the Common Citizen who is a customer of the Bank is really concerned that RBI is perhaps not discharging its duty of protecting the interests of the Customers adequately.

We acknowledge that RBI has taken some right steps in the direction of safety of Banking transactions in the Digital Banking era, both by refusing to succumb to the pressure of the Bitcoin lobby and also by issuing the “Limited Liability Circular” to introduce the “Zero Liability” for Banking frauds.

However, the fresh outbreak of the Android virus identified as “Mazar” now poses a fresh challenge to the RBI and raises a question as to the adequacy of the measures initiated by the RBI.

I feel that RBI should start fighting Mazar on priority rather than fighting with the Government on the issue of who should have a say in the disposal of its reserves.

The Mischief that Mazar is capable of

Just to make things clear, Mazar is a mobile virus which can be spread through an innocuous SMS message and enables the fraudsters to take over the mobile’s messaging function, so that the OTP messages for Banking transactions are compromised.

Since the virus is known to be spread not through messages linked to Banking transactions but through other messages such as

“The Income Tax Department is pleased to advise you that your return for the FY 2017-18 has been processed and refund has been processed. For details of the refund, kindly check here ……. (A shortened hyper link)”

it is a risk which is considered beyond the scope of the normal alerts that the banks send to the customer, such as “We do not ask for your password…etc”.

As we approach the elections or the IPL, we may see that messages linked to political issues or the IPL, or even to controversial decisions of the Supreme Court such as the Sabarimala verdict, can be used to lure recipients into clicking such links.

If therefore an SMS is received saying “Flash news…. Supreme Court all set to ban entry of women to Sabarimala temple. Click here for details…..” or “Virat Kohli meets with an accident in Sydney and hospitalized. Click here for details…”, there would be millions of Bank customers who would click the link in a blink and get their mobiles infected.

Are the Bankers and RBI prepared for such contingencies?

Are our Police and Courts ready to handle the flood of complaints that such messages may generate?

Mazar is a Risk Beyond Reasonable Capability

Mazar is a security risk which is beyond the reasonable capability of the customer to mitigate, and it has to be recognized as part of a fundamental flaw of the digital banking architecture for which the Bank and RBI alone are responsible.

SMS is not a reliable means of communication

Mazar indicates that SMS has ceased to be a reliable means of communication between the Bank and the Customer and should be replaced with some other form of communication.

If RBI does not act in this direction and force the Bankers to switch over to a more secure form of communication, which legally should be a “Digitally Signed message” or some other form of secure messaging, RBI will be failing in its duty.

I reiterate that RBI has addressed this issue in the past by mandating the use of Cyber Insurance by the Banks, but Banks have ignored the mandate and they should be pulled up for this lapse.

Adaptive Authentication

Further, Bankers have failed to introduce appropriate methods to identify unusual transactions through “Adaptive Authentication”, which has been suggested by RBI earlier. Most fraudulent transactions, including those which may use the Mazar virus, often happen in the dead of night, when the customer is not awake to respond to the SMS that may be sent by the Bank.

These “Nocturnal Transactions” need to be flagged by the system and subjected to a higher level of security verification. Banks cannot be blind to the fact that no sensible customer does transactions that wipe out the entire balance in the account through a series of transactions in the dead of night.

Need to Reject Insecure CBS software

Not programming the CBS system to recognize the location of origin of the transaction and the time of the transaction, and linking it to an alert system, is a fundamental drawback of the software, including the popular Core Banking software systems.

RBI should therefore revisit its approval of software such as Finacle or Flexcube, and any implementation that does not have a proper adaptive authentication system should be declared unacceptable.
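The adaptive authentication the two sections above call for is, in code, a risk score computed per transaction from time of day, location of origin and the running total of recent debits, with the score deciding whether the transaction goes through, needs a stronger second factor, or is held. The following is an added example written for this post; it is not taken from Finacle, Flexcube or any bank’s CBS. The customer profile, the transactions and the thresholds are constructed, and the 00:00 to 05:00 window is this example’s definition of “dead of night”.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Set, Tuple


@dataclass
class Profile:
    """What 'normal' looks like for one customer, learned from past history."""
    usual_cities: Set[str]
    typical_max_amount: float               # largest amount seen in normal usage
    quiet_hours: Tuple[int, int] = (0, 5)   # local hours [start, end) treated as nocturnal


@dataclass
class Txn:
    txn_id: str
    when: datetime          # local time of initiation
    amount: float
    city: str               # location of origin as seen by the channel (IP / device)
    balance_before: float   # account balance just before this debit


@dataclass
class Decision:
    txn_id: str
    score: int
    action: str             # "allow", "step-up" (extra verification) or "hold"
    reasons: List[str] = field(default_factory=list)


DRAIN_WINDOW = timedelta(minutes=30)
DRAIN_FRACTION = 0.8        # share of the opening balance moved out within the window
STEP_UP_AT, HOLD_AT = 2, 5  # constructed thresholds for this example


def score_transaction(txn: Txn, profile: Profile, history: List[Txn]) -> Decision:
    """Score one transaction against the profile and the transactions before it (time order)."""
    score, reasons = 0, []
    start, end = profile.quiet_hours
    if start <= txn.when.hour < end:
        score += 2
        reasons.append("nocturnal")
    if txn.city not in profile.usual_cities:
        score += 2
        reasons.append("unusual-location")
    if txn.amount > profile.typical_max_amount:
        score += 1
        reasons.append("amount-above-history")
    # A burst of debits that together empty the account is the pattern the post describes:
    # sum this debit with those in the preceding window and compare with the window's
    # opening balance.
    window = [t for t in history if timedelta(0) <= txn.when - t.when <= DRAIN_WINDOW]
    opening = window[0].balance_before if window else txn.balance_before
    moved = sum(t.amount for t in window) + txn.amount
    if opening > 0 and moved >= DRAIN_FRACTION * opening:
        score += 3
        reasons.append("drains-balance")
    action = "hold" if score >= HOLD_AT else "step-up" if score >= STEP_UP_AT else "allow"
    return Decision(txn.txn_id, score, action, reasons)


def evaluate(txns: List[Txn], profile: Profile) -> List[Decision]:
    """Score every transaction in time order, each seeing only the ones before it."""
    history: List[Txn] = []
    decisions = []
    for txn in sorted(txns, key=lambda t: t.when):
        decisions.append(score_transaction(txn, profile, history))
        history.append(txn)
    return decisions


# Constructed sample: a customer who normally transacts from Bengaluru in the daytime,
# then a night-time burst of transfers, then a daytime transaction from a new city.
SAMPLE_PROFILE = Profile(usual_cities={"Bengaluru"}, typical_max_amount=20000.0)
SAMPLE_TXNS = [
    Txn("T1", datetime(2018, 11, 12, 11, 5), 1500.0, "Bengaluru", 100000.0),
    Txn("T2", datetime(2018, 11, 13, 2, 10), 24000.0, "Bengaluru", 98500.0),
    Txn("T3", datetime(2018, 11, 13, 2, 20), 30000.0, "Bengaluru", 74500.0),
    Txn("T4", datetime(2018, 11, 13, 2, 28), 30000.0, "Bengaluru", 44500.0),
    Txn("T5", datetime(2018, 11, 13, 14, 0), 5000.0, "Mumbai", 14500.0),
]

if __name__ == "__main__":
    for d in evaluate(SAMPLE_TXNS, SAMPLE_PROFILE):
        print(f"{d.txn_id}: {d.action:7} score={d.score} {','.join(d.reasons)}")
```

On the sample, T1 is allowed; T2 and T3 are nocturnal and above the customer’s history, so they require step-up verification; T4 is the third debit within 30 minutes and takes the total past 80% of the opening balance, so it is held; T5 is daytime but from a city the customer has never used, so it too gets step-up. The point is not the exact weights, which a bank would tune against its own fraud data, but that time, location and the running total are available to the CBS at authorization time and cost nothing to check.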

Beware of what happened in Pakistan

We must be aware that there has recently been large-scale hacking of Banking systems in Pakistan, and there is no reason why we should not expect a similar attack on the Indian Banking system.

If Mazar has already spread and been installed on many mobile devices, it could be a tool to compromise a large part of the Indian Banking system. There could be a serious crisis looming ahead for the Indian Banking system which can be attributed to the failure of the supervisory system.

As has been pointed out in the earlier article, Mazar is a notorious risk because it creates “Fake Evidence” against the Customer, which Courts may find difficult to understand.

If the Governor and Deputy Governors of RBI do not recognize that this threat is larger than the “Autonomy to decide on the disposal of the Reserves”, they would be doing a great disservice to Indian citizens.

Steps which RBI should initiate

As a first step, RBI should warn the Banks about this Mazar virus and remind them that in all cases of digital frauds the “Onus of proof” rests with the Banks, and hence Banks should not unfairly hoist the liability on the customers.

RBI should reiterate the point it has already made regarding “End Point Security” being the responsibility of the Bank, and that such responsibility extends to the user-end devices.

Banks should mandate implementation of such security measures as are used by Companies in allowing BYOD devices to securely access Corporate digital assets, and stop Mobile Banking transactions until a satisfactory solution is found for Mazar-type viruses which compromise the OTP system.

I once again reiterate that Mr S. Gurumurthy should raise this issue in the Nov 19 meeting even ahead of the reserve related issue.

P.S.: Bank customers may check their mobiles and deactivate App permissions granted earlier to read SMS, for all Apps, besides avoiding clicking on any hyperlinks, and more so short links (e.g. bitly).

Naavi


Digital Banking in India is now under a serious threat… RBI needs to wake up

India has adopted a Governance policy involving high dependency on Digital Banking and this technological shift in Banking has the blessings of the Government, the RBI and also the Banks.

Government is happy with Digital Banking because it is an effective tool for reaching out to the masses with several direct benefit schemes of the Government. Banks are happy because it is cost effective.

But in the process of this digitization, the Bank Customer has been exposed to Risks which are beyond his reasonable capabilities of mitigation.

RBI is caught between the drive for new technology and its responsibility to maintain safety in the Banking system. It has not been able to upgrade its own capabilities to suggest appropriate security measures to meet the threats, nor to ensure that Customers are properly insured against losses, though some efforts have been made through the “Limited Liability System”.

The Banks, which are collectively more powerful than the RBI, have successfully blunted the Limited Liability system and are trying to push most of the responsibilities onto the Customer.

New Strain of Mazar BOT Android Virus appears to be on the prowl

A dangerous Android malware, first reported in 2016 with the capability of erasing data in the mobile, stealing credentials and taking over the messaging application so that it can send and respond to SMS messages without the knowledge of the owner, is now again in the news.

A security company called Heimdal in Denmark reported this virus, which could be sent as a hyperlink in any SMS message; if the Android mobile user clicks on the link, it infects the mobile.

Now, in one of the Cyber Crime incidents reported from Bangalore, there is a suspicion that this virus was probably in play.

After infection, this virus can read incoming SMS messages and send outward SMS messages at the instance of the attacker, besides stealing any other information in the mobile which may contain banking credentials.

It appears that the virus may not require rooting of the phone and may not even display the permissions screen. It is possible that it may simply ride on one of the Banking applications legitimately installed on the mobile.

Research is required to understand the complete working of this virus.

This virus was perhaps countered in some of the anti-virus applications by an upgrade in 2016. But it seems that it has re-surfaced in India, probably through an SMS message which appears to come from the IT department and informs the recipient that a refund order has been processed and details are available in the link.

We can therefore speculate that a new strain of the virus must have been developed on the deep web and released.

Mazar is a Banker-Friendly Virus!

The problem with the Mazar virus is that it not only helps the fraudster to steal money from the Banking accounts of the mobile owner, it also creates fake evidence which will work against the customer and in favour of the Bank.

Earlier we have seen the “Coat tailing virus”, which operates during a legitimate banking session of the customer and releases unauthorized instructions to the Bank server, transferring funds to the fraudster’s account. We have also seen “Man in the Browser” attacks, where the form details entered by the Customer during a legitimate funds transfer session are modified just before transmission to the Banking server. Even in these cases, the evidence created would reflect genuine transactions of the Customer, and unless we are aware of the functioning of the virus, we may be fooled by the evidence.

What is further annoying is that the new Mazar virus appears to be able to self-destruct and remove itself from the mobile, making it even harder to find evidence that the virus existed in the device.

There was only one small footprint that the virus appears to have left, in the form of “apparent errors” in the messages that can be attributed to software. Further research may be able to improve our understanding of this virus.

The infected mobile will, after the event, retain the SMS messages, and even the service provider will show the details of messages sent and received. So, if the fraudster has tried to log into the Bank account of the mobile owner and an OTP has been sent by the Bank, there will be a record of an SMS sent from the Bank and the reply sent from the customer’s mobile. The transaction therefore gets completed, and the Bank can claim that the Customer has responded to the OTP, though the response is by the fraudster and not the customer.

When we apply the Limited Liability rules of RBI, the Bank will claim that it is not liable since the OTP was given away by the Customer.

Thus the Virus creates a double jeopardy for the Customer, first by stealing the money and then by faking the evidence against him.

We need to find a solution

It is the responsibility of security specialists to find a solution to this problem.

If we do not find a solution, it is time to stop all Digital Banking transactions where authentication is based on the OTP.

We are aware that the USA has already degraded the OTP system for use in Government transactions because of security concerns.

In India,

a) Bankers are ignoring the statutory provision of “Authentication through Digital Signatures” while conducting Banking transactions.

b) Bankers are also not resorting to encrypted messages in place of the present system of plain text messages.

c) Bankers (except a few) are also not using split OTPs sent through multiple channels, such as Mobile and E-mail, which could harden the security.

d) Bankers are also not providing Cyber Insurance to the customers for such losses, despite the RBI mandate in the June 2001 circular.
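As an added example of what items a) to c) look like in code (this is not from the post and not from any bank’s system): one OTP is split into two halves delivered over different channels, so that malware which can only read SMS sees half of it; the OTP is bound to a single transaction, is single-use and expires; and every message carries an authentication tag that the customer’s app checks before trusting the text. Python’s standard library has no asymmetric signature, so an HMAC with a key assumed to have been provisioned to the app at enrolment stands in here for the digital signature the post calls for; the key, transaction references and messages are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

OTP_TTL_SECONDS = 120   # constructed validity window
PART_DIGITS = 4         # digits per channel; the customer enters SMS part + e-mail part


class SplitOtpService:
    """Bank-side issuer: one OTP per transaction, split across two channels,
    each message authenticated with a keyed tag."""

    def __init__(self, signing_key: bytes, now: Callable[[], float] = time.time):
        self._key = signing_key        # assumed shared with the customer's app at enrolment
        self._now = now                # injectable clock so expiry can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}   # txn_ref -> (otp digest, issued_at)

    def _mac(self, data: str) -> str:
        return hmac.new(self._key, data.encode(), hashlib.sha256).hexdigest()

    def _message(self, channel: str, txn_ref: str, summary: str, part: str, issued: float) -> str:
        # Fields are '|'-separated; the summary must not contain '|'.
        body = f"{channel}|{txn_ref}|{summary}|{part}|{int(issued)}"
        return f"{body}|{self._mac(body)[:32]}"   # tag lets the app detect a tampered text

    def issue(self, txn_ref: str, summary: str) -> Tuple[str, str]:
        """Return the SMS and e-mail messages for one transaction; each carries half the OTP."""
        sms_part = f"{secrets.randbelow(10 ** PART_DIGITS):0{PART_DIGITS}d}"
        mail_part = f"{secrets.randbelow(10 ** PART_DIGITS):0{PART_DIGITS}d}"
        issued = self._now()
        # Only a keyed digest of the full OTP is stored, bound to the transaction it authorizes,
        # so a copy of the server table does not yield usable codes.
        self._pending[txn_ref] = (self._mac(f"otp|{txn_ref}|{sms_part}{mail_part}"), issued)
        return (self._message("SMS", txn_ref, summary, sms_part, issued),
                self._message("EMAIL", txn_ref, summary, mail_part, issued))

    def verify(self, txn_ref: str, submitted: str) -> bool:
        """Single use: the challenge is removed whether or not the attempt succeeds."""
        entry = self._pending.pop(txn_ref, None)
        if entry is None:
            return False
        expected, issued = entry
        if self._now() - issued > OTP_TTL_SECONDS:
            return False
        return hmac.compare_digest(expected, self._mac(f"otp|{txn_ref}|{submitted}"))


def verify_message(signing_key: bytes, message: str) -> bool:
    """Customer-app side: check the tag before showing the text or acting on it."""
    body, _, tag = message.rpartition("|")
    expected = hmac.new(signing_key, body.encode(), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, tag)


def part_from_message(message: str) -> str:
    """Extract the OTP half carried by one (already verified) message."""
    return message.split("|")[3]


if __name__ == "__main__":
    key = b"constructed-demo-key"
    svc = SplitOtpService(key)
    sms, mail = svc.issue("TXN-DEMO", "Transfer INR 24000 to ACCT-X")
    print(sms)
    print(mail)
    print("messages authentic:", verify_message(key, sms) and verify_message(key, mail))
    print("full OTP accepted:", svc.verify("TXN-DEMO", part_from_message(sms) + part_from_message(mail)))
    print("replay accepted:", svc.verify("TXN-DEMO", part_from_message(sms) + part_from_message(mail)))
```

Against the threat the post describes, an attacker who controls the SMS application obtains only the first half of the code and a message whose transaction reference and amount cannot be altered without invalidating the tag; the e-mail half, the expiry and the single-use check have to be defeated separately. The bank’s record also changes: an OTP that was verified is tied to one transaction reference rather than being a free-standing six-digit code.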

I therefore urge RBI to either find an immediate solution to Mazar-type viruses or stop the use of OTP based authentication forthwith.

Responses and suggestions from the Information Security community are welcome.

Officials of RBI like Mr Nandakumar Sarvade, who heads the IT division of RBI and has experience of the IT environment and policing, need to take such issues seriously and bring them to the notice of the higher-ups.

I hope this will be one of the points which the RBI board discusses as an emergency measure in the meeting on November 19.

I request Mr Gurumurthy, the Director of RBI to specially take up the cause in the forthcoming meeting.

Naavi
