Information Security for Industry Managers… CII Puducherry program on 21st March 2018

This is for general information of the public:

One Day Training Programme on Information Security for Industry Managers

Wednesday: 21 March 2018: Hotel Accord, Puducherry

CII Puducherry is organizing a One Day Training Programme on Information Security for Industry Managers on Wednesday, 21 March 2018, at Hotel Accord, Puducherry.

 

This session is meant for all Business, IT and IS managers.

The workshop will be conducted by Na.Vijayashankar, Information Assurance Consultant, popularly known as Naavi, who is a pioneer in Cyber Laws in India (https://in.linkedin.com/in/naavi).

Date & Timing :    Wednesday, 21 March 2018 – Starting from 0900 to 1700 hrs.

Venue :   Hotel Accord, No. 1, Thilagar Nagar, Ellaipillaichavady, (Near Rajiv Gandhi Statue & Opp to Muruga Theatre).

Those who are interested may contact CII, Puducherry. (www.cii.in)

Naavi


Self Loans!… A New Dimension of Bank Frauds

After the PNB fraud, in which over Rs 11,400 crores are suspected to have been lost, came to light, many other frauds are slowly tumbling out of the closets of e-banking.

Leaving aside the fact that the lending officers of the different Banks who lent money to Mr Nirav Modi and Mehul Chokshi failed to check the “End Use” of funds and allowed renewal of LOUs without checking the previous utilization or the need for extension, it was also realised that PNB had even allowed Nirav Modi’s employees to access the SWIFT messaging system of the Bank directly.

The Bank’s system was so configured that the SWIFT system could be accessed from outside the banking network, and the operating officials of the Bank gave away the passwords of multiple officials to the Nirav fraud team.

The system had no control that could detect that the login was from outside the Bank’s network, that multiple officials’ passwords were being entered from the same computer, or that the messages were not reflected in the CBS system and had created no vouchers for collection of commission or margin.

This was a gross failure of the Bank staff and the information security configuration of the systems.
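The three missing controls described above are each a few lines of detection logic once the SWIFT login log, the outgoing message log and the CBS voucher register are available side by side. The following is an added example, not code from the post or from any bank’s or vendor’s system; the network ranges, user ids, workstation names, message references, amounts and the ten-minute window are all constructed for illustration.

```python
"""Added example (not from the post or from any bank's real system): the three
detective controls the post says PNB's SWIFT set-up lacked, run over a few
constructed, hypothetical log records.  Network ranges, user ids, workstation
names, message references and amounts are all made up for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed internal address ranges of the bank; any other source is "outside".
BANK_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]

# Constructed SWIFT application logins: (timestamp, user id, source ip, workstation).
LOGINS = [
    ("2018-01-10 09:02:00", "OFF101", "10.12.3.4", "WS-BR-01"),
    ("2018-01-10 09:05:00", "OFF102", "10.12.3.5", "WS-BR-02"),
    ("2018-01-10 11:30:00", "OFF101", "203.0.113.7", "WS-EXT-9"),   # outside the bank
    ("2018-01-10 11:31:00", "OFF103", "203.0.113.7", "WS-EXT-9"),   # second user, same box
    ("2018-01-10 11:33:00", "OFF104", "203.0.113.7", "WS-EXT-9"),   # third user, same box
]

# Constructed outgoing SWIFT messages: (reference, timestamp, beneficiary, amount in INR).
SWIFT_OUT = [
    ("SWF0001", "2018-01-10 09:20:00", "BENE-A", 5_000_000),
    ("SWF0002", "2018-01-10 11:40:00", "BENE-B", 120_000_000),
    ("SWF0003", "2018-01-10 11:45:00", "BENE-C", 95_000_000),
]

# Constructed CBS voucher register keyed by SWIFT reference.  Only the first
# message was booked in CBS with commission and margin; the other two bypassed it.
CBS_VOUCHERS = {
    "SWF0001": {"liability_entry": True, "commission": 25_000, "margin": 500_000},
}


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def logins_from_outside(logins):
    """Control 1: the SWIFT application must not be reachable from outside the
    bank's network.  Returns (user, source ip) for every login that was."""
    return [(user, ip) for _, user, ip, _ in logins
            if not any(ip_address(ip) in net for net in BANK_NETWORKS)]


def shared_workstation_logins(logins, window=timedelta(minutes=10), min_users=2):
    """Control 2: credentials of several officials entered from one workstation
    within a short window is the signature of password sharing or theft.
    Returns {workstation: sorted user ids} for every workstation that trips it."""
    by_ws = defaultdict(list)
    for ts, user, _, ws in logins:
        by_ws[ws].append((parse_ts(ts), user))
    flagged = {}
    for ws, events in by_ws.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ws] = sorted(users)
                break
    return flagged


def swift_without_cbs_voucher(swift_out, vouchers):
    """Control 3: every outgoing message that commits the bank must have a CBS
    liability entry plus commission and margin vouchers.  Returns the orphans."""
    orphans = []
    for ref, _, _, _ in swift_out:
        entry = vouchers.get(ref)
        if not entry or not entry.get("liability_entry") \
                or not entry.get("commission") or not entry.get("margin"):
            orphans.append(ref)
    return orphans


if __name__ == "__main__":
    print("outside logins :", logins_from_outside(LOGINS))
    print("shared stations:", shared_workstation_logins(LOGINS))
    print("SWIFT w/o CBS  :", swift_without_cbs_voucher(SWIFT_OUT, CBS_VOUCHERS))
```

The third check is the one that catches the fraud even when the first two are defeated by insiders: a message that creates a liability for the bank but produces no CBS entry is an orphan regardless of whose password sent it, so the reconciliation should run daily and its exceptions should go to someone outside the branch.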

It is true that any IS control can be defeated if the employees are dishonest. But still, the system should be designed so that even if some employees are dishonest, the fraud is detected, if not the first time then on subsequent occasions.

Unfortunately the creators of the software at Infosys, who sell FINACLE to a number of Indian Banks, are not aware of the intricacies of Banking transactions and of how frauds can be committed. Hence their design is faulty and Banks are saddled with this defective product.

Now yet another fraud has come into the open at State Bank of India, Chennai, where also it appears that the passwords of Bank staff have been used by an outsider to divert over Rs 3.2 crores (Refer article here) meant for the purchase of cars as an unsecured cash advance, which was then used to fund a film production. Here again, the security configuration of the CBS software failed to recognize that the cars were not purchased, the money was not credited to a car dealer’s account, documents such as the RC book were not submitted, asset inspection did not take place, etc.

In all such cases, it is clear that it is not only the Software that failed, but also the internal audit system.

It is high time that Indian Banks rethink how their “Internal Auditors” are equipped to conduct audits in the computerized environment.

If internal audit cannot identify this new generation of Bank frauds where the customer himself is given access to the Bank’s systems to design his own loan sanctions, create approvals of several layers of bank officers and take the money out, then there is no need for such audits.

Where such “Self Loans” are used in the “Kite Flying Mode” and repaid with a roll-over loan, it is very difficult for normal audit processes to find out the anomaly. There is definitely a need for Computer Assisted Audit Techniques, either through in-built features of the core banking software or through specialised audit tools.

FINACLE Strengths and Weaknesses

Banking software like FINACLE, which costs the Banks a fortune, should have an in-built, non-tamperable audit module that is effective in preventing such frauds from continuing beyond the first couple of occurrences, if not the first time.

FINACLE boasts of an Audit module as part of its system but it is clear that it has failed in the context of not only PNB Brady Branch but also SBI Chennai branch and in the many other similar cases that have come to light now.

If the Indian Banking system is in the doldrums today, a large part of that responsibility should be borne by the CBS software suppliers who have supplied defective products to the industry.

RBI has failed to subject the software itself to the audit by IDRBT which is mandatory, and hence part of the responsibility for the use of defective software lies with the RBI also.

While checking on the Audit capabilities of FINACLE, I came across an article describing the audit capabilities of FINACLE.

Some key FINACLE menus and their use for an auditor have been described in this article. Some of them are briefly reproduced here.

  1. Account Ledger Enquiry (ACLI)
  2. Customer Account Ledger Print and Office Account Ledger Print (ACLPCA and ACLPOA)
  3. Audit File Inquiry (AFI)
  4. Average Balance (AVGBAL)
  5. BCREPORT
  6. Customer Master Inquiry (CUMI)
  7. Report on Expiring Documentary Credits (DCEXPLST)
  8. Query on Documentary Credit (DCQRY)
  9. Exception Report (EXCPRPT)
  10. Generate Report (GR)
  11. Financial Transaction Inquiry (FTI)
  12. Accounts Due for Review (ACDREV)
  13. Inward/Outward Remittance Maintenance (IRM/ORM)
  14. Outstanding Items Report (MSGOIRP)
  15. NPA Report (NPARPT)
  16. Letter of Acknowledgement of Debt Report (LADRPT)
  17. Loan Overdue Position Inquiry (LAOPI)/Temporary OD Report (TODRP)
  18. Print Reports (PR)
  19. Guarantee Issued Liability Register (GILR)
  20. Partywise Overdue Packing Credit (POVDPC)

The above list indicates that several reports should have thrown up audit queries in respect of the PNB fraud as well as the SBI fraud.

What we now need to check is why the discrepancies were not thrown up by the audits.

The reasons could be many.

  1. The first reason could be that no audit was conducted at all. In PNB we are told that RBI did not audit the branch for more than 9 years. It is not clear if the internal audit was also bypassed. If so, was there any declaration in the annual reports to the shareholders providing the list of branches which were not audited for the last 1/2/3 or more years?
  2. If an audit was conducted, it is possible that the auditors were not aware of all these modules and how to use them appropriately.
  3. Perhaps there was a lack of adequate training of the auditors.
  4. It is also possible that FINACLE comes with a base module that does not include all features and a higher priced edition that includes additional modules, and the Bank might not have taken the full module for cost considerations.
  5. It is also possible that the FINACLE system itself might not be able to properly analyze the data in the above modules though it may create some printable reports.

Need for Data Analytics in Audit process

Computer Assisted Audit Techniques, which are essential for proper auditing of any computerized data environment, require the capability to

a) Acquire data of different types from across the network available in different platforms and collate it into a common platform for analysis

b) Extract, Classify and Re-classify data into different groups which create new meanings not visible in the direct report

c) Search data across multiple categories and filter them against some specific risk identifying algorithms

d) Use known statistical methods such as Benford’s law to check for potential frauds

e) Use Forensic audit tools to discover evidence that has been buried by the fraudsters

f) Use “Checking of Controls” as a part of the audit including the Information Security controls such as “Access Control”, “Log Analysis”, “Incident Management System” etc.
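Two of the capabilities in the list above, the Benford’s law test under (d) and a “risk identifying algorithm” under (c) for the kite-flying self loans discussed earlier, look like this when written out. This is an added example and not code from the post or from any CAAT product; the ledger data, loan ids, party ids and the Rs 10 lakh “sanction limit” used to build the pegged sample are all constructed assumptions.

```python
"""Added example (not from the post or from any CAAT product): two of the
data-analytics checks the post lists, run over constructed, hypothetical
ledger data.  The amounts, loan ids and party ids are made up; the 10 lakh
"branch sanction limit" is an assumed figure used only to build the sample."""
import math
from datetime import date, timedelta

# Benford's law: probability that the leading digit of a "natural" amount is d.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
# chi-square critical value, 8 degrees of freedom, p = 0.05
CHI2_CRIT_8DF = 15.51

# Constructed "natural" amounts: 300 values spread log-uniformly over three
# decades (1,000 to ~977,000), which is the kind of population Benford describes.
NATURAL_AMOUNTS = [round(1000 * 10 ** (i / 100)) for i in range(300)]
# Constructed "manipulated" amounts: 150 advances all pegged at Rs 9.5 lakh,
# just under an assumed Rs 10 lakh limit above which a higher authority must sign.
PEGGED_AMOUNTS = [950_000] * 150

# Constructed loan ledger: (party, loan id, disbursed, amount, repaid or None).
LOANS = [
    ("P1", "L1", "2017-01-05", 1_000_000, "2017-04-04"),
    ("P1", "L2", "2017-04-03", 1_200_000, "2017-07-02"),
    ("P1", "L3", "2017-07-01", 1_500_000, None),
    ("P2", "L4", "2017-02-01",   800_000, "2017-05-15"),
    ("P2", "L5", "2017-09-01",   900_000, None),
]


def first_digit_counts(amounts):
    """Count leading digits 1..9, ignoring zero and negative amounts.  The
    scientific-notation format gives the leading digit for any magnitude."""
    counts = {d: 0 for d in range(1, 10)}
    for amount in amounts:
        if amount > 0:
            counts[int(f"{amount:e}"[0])] += 1
    return counts


def benford_chi_square(amounts):
    """Chi-square distance between observed leading-digit counts and Benford's
    expectation.  Values above CHI2_CRIT_8DF mean the population does not look
    natural and deserves a closer look (not proof of fraud by itself)."""
    counts = first_digit_counts(amounts)
    n = sum(counts.values())
    return sum((counts[d] - n * BENFORD[d]) ** 2 / (n * BENFORD[d]) for d in range(1, 10))


def rollover_chains(loans, max_gap=timedelta(days=2)):
    """Kite-flying check: a loan to a party that is repaid within max_gap of a
    fresh, at least as large, loan being disbursed to the same party was most
    likely repaid out of the new loan.  Returns {party: [(repaid, funding), ...]}."""
    by_party = {}
    for party, loan_id, disbursed, amount, repaid in loans:
        by_party.setdefault(party, []).append(
            (loan_id, date.fromisoformat(disbursed), amount,
             date.fromisoformat(repaid) if repaid else None))
    chains = {}
    for party, items in by_party.items():
        for old_id, _, old_amt, old_repaid in items:
            if old_repaid is None:
                continue
            for new_id, new_disb, new_amt, _ in items:
                if (new_id != old_id and abs(new_disb - old_repaid) <= max_gap
                        and new_amt >= old_amt):
                    chains.setdefault(party, []).append((old_id, new_id))
    return chains


if __name__ == "__main__":
    for label, data in (("natural", NATURAL_AMOUNTS), ("pegged", PEGGED_AMOUNTS)):
        chi2 = benford_chi_square(data)
        print(f"{label:8s} chi2={chi2:8.2f} {'SUSPECT' if chi2 > CHI2_CRIT_8DF else 'ok'}")
    print("rollover chains:", rollover_chains(LOANS))
```

Neither test proves fraud on its own: the Benford statistic only says the amounts were not produced by a natural process, and a roll-over chain may have a legitimate explanation. Their value is that they run over the whole ledger rather than over the reports the branch chooses to hand to the auditor, and they produce a short list of accounts for a human to examine.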

It is clear that the current Internal Audit process in Banks is not equipped to conduct an audit outside what reports are submitted by the Branch to the auditor. If the Auditor audits only what the auditee wants him to see, then the value of such audit is low. Perhaps it is what statutory auditors do. But Internal auditors have to go beyond checking the arithmetic accuracy of the transactions and go into an in-depth fraud possibility analysis.

Cost and Training Hurdle

In examining the solutions that the Auditors could use, it was observed that the tools normally considered as reputed “Computer Assisted Audit Tools” or CAATs are prohibitively expensive and require a rigorous training both of which seem to create a hurdle for Banks.

However, it is possible for RBI to equip itself with such tools (ACL, IDEA, ARBUTUS etc.) and use them in its audit as a starting point. Other Banks may start using them depending on their size. Obviously the larger Banks do not have any constraint on budget or on the ability to train auditors, but smaller Banks may have a problem.

I therefore suggest that smaller Banks create a “Technology Resource Pool” in a “Centralized Fraud Investigation Center” which should be equipped with such tools and talent and conduct audits of member Banks as a service.

I hope RBI will take such steps to ensure that in future the audit system is strengthened to such an extent that frauds such as the ones we are now seeing do not go undetected until they balloon into a huge scam.

Naavi


(P.S: I am an ex-Banker and therefore may not be fully aware of the current situation in the Banks about how audits are conducted in the computerised environment.

But looking at the frauds that are surfacing, it is clear that the system is not working properly and hence some of the observations made above may be true though I may not be able to give evidence of the same. If we want to clean up the Bank system, Bankers need to do a self evaluation of their systems and check if some of the points made here are relevant or not.

I invite comments and suggestions on how to improve Audit systems in Banks in the computerized environment… Naavi)


Cyber Law College starts a new In-College Course at BMS Law College, Bangalore

Cyber Law College will be starting a compressed course on Cyber Laws for the students of BMS Law College, Bangalore starting from March 1st.

This course will cover an overview of Cyber Law in 10 sessions to be conducted in the college for students of different semesters.

In the past, Cyber Law College has conducted 3 courses each in KLE Law College, Bangalore and Hubli, SDM Law College Mangalore and JSS Law College, Mysore. These courses were of a longer duration and extended to about 60 to 70 hours of class room teaching. The BMS law college course is planned as a 25-30 hours of class room teaching.

Naavi is also associated as guest faculty with NLSIU, NALSAR, MSR Law College and other institutions and continues to contribute to the mission of “Cyber Law Awareness”.

Naavi is looking for more initiatives of this nature particularly a “Course for Law Faculty” so that Cyber Law Courses can be started in all Law Colleges in Karnataka.

Naavi is also looking for initiatives on “Cyber Law for IS Professionals” at Bangalore if there is a demand.

Naavi has already created online courses in Cyber Laws and HIPAA through apnacourse.com. Now a Course on GDPR is under preparation and details will shortly be announced.

Comments and suggestions are welcome.

Naavi


Cyber Insurance may not be available if you are “Negligent”

In the context of the huge regulatory fines envisaged under GDPR, there is a renewed interest in Cyber Insurance among Data Processors everywhere. Since liability under GDPR may arise not only for payment of compensation to data subjects but also for payment of fines imposed by the regulatory authorities, companies demand that they be covered by some Cyber Insurance policy for any liability arising out of the processing of EU citizens’ data.

As far as Indian data processors are concerned, their liability will be restricted to what is indicated in the data processing contract. Some of these contracts may be vague and not determine the exact liability or compliance responsibilities. A contract may make a reference to the liability that may arise on the Data Controller under GDPR and extend that liability in the form of an “Indemnity” to the data processor in India. Indian data processors sometimes assume that they would be liable directly under GDPR and rush to obtain insurance cover for large amounts. This could hurt the profitability of their operations.

If any data is compromised by an Indian data processing company then it would be as a result of a “Cyber Crime”. The cause of action lies with the persons who have lost money. Most of the time however, data compromise is recorded but the actual loss may not fructify or fructify only to a small extent not commensurate with the number of data elements lost.

Hence, out of the total loss, the loss arising out of “Compliance” requirements, which may include sending of notices and arranging identity theft protection for all the suspected compromised data subjects, would be a huge cost even when not a single compromised record results in actual loss. Similarly, in such cases the regulator would impose fines of millions of dollars depending on the nature of the breach, the attitude shown by the data controller before and after the breach towards protecting the data subjects, etc.

When a Cyber Insurance policy is invoked in such cases, an obvious question that would arise is whether the loss occurred more out of the negligence of the Company as a whole in implementing proper policies etc and whether the company should be protected against its own negligence. If Cyber Insurance routinely covers such breaches, then there will be no incentive for companies to improve their security.

Hence it is necessary and natural that the Cyber Insurance Company raises an objection or tries to limit its liability, citing that the cause of loss was “Not Insurable”.

A question has therefore arisen on “Whether Regulatory Fines are Insurable at law”. In this context, the article “GDPR Fines and Cyber Insurance” presents some interesting thoughts as relevant to Great Britain. Since India generally follows English law, and Indian insurance law depends on British practice, it is presumed that English law is also relevant in the Indian context. Hence the points mentioned in this article are very much relevant to Indian companies both in the GDPR context and in other instances of fines arising out of non-compliance with HIPAA, non-compliance with ITA 2008, and even when there is a ransomware attack due to lack of proper security practices in a company.

One of the concepts discussed there is the “illegality defence”, which may prevent a claimant from pursuing a civil claim based on the claimant’s own illegal acts.

The dividing line however is whether there was “Illegality” on the part of a company that caused the fine or there was merely “Negligence” in implementing the regulatory precautions.

As long as the negligence is related to “Best practice suggestions” that are made by sectoral regulatory bodies or industry practice, the cause may be contained within the concept of “negligence” unless the level of negligence is “ridiculous”. But if there is a statutory law which has been ignored then such negligence cannot be called anything other than “Illegal”.

To be more specific, if a Bank ignores RBI guideline, it may be “Negligence”. But if it ignores “ITA 2008”, then it would be “Illegal”.

Secondly what distinguishes “Negligence” from “Gross Negligence” or “Recklessness” is the precautions taken by an organization before an event occurs and also its response immediately after the occurrence of an incident.

If an organization has taken reasonable precautions which any other prudent person under similar circumstances would have undertaken but failed in some minor aspects, then the level of negligence is in the lower end. If however, there was no precaution taken or the precaution was ridiculously low, then the breach would be attributed to callous attitude and may be considered as a “Contributory Negligence” or even a “Passive Assistance” to a fraudster.

If we take the recent incident of PNB fraud and another fraud that followed at City Union Bank, it appears that the negligence at City Union Bank which allowed a compromise of its SWIFT system may fall under the category of “Negligence but Not Recklessness”. On the other hand, the PNB negligence which involved allowance of customer’s executives using the passwords of Bank officials to create their own “Sanction letters” and the sharing of passwords between multiple officers of the Bank can be called an abject complicity in the offence itself.

Even if there was no “Mens rea”, at least for some of the executives of the Bank, “Recklessness” was attributable to all employees of PNB who were aware that the SWIFT messaging system was not linked to CBS and that passwords were being shared.

The employees’ association in PNB has tried to put the blame on the top management. Similarly, the employees of the Mehul Chokshi firm have blamed their loss of jobs on the Mehul Chokshi led Board. But if one is honest, we all know that for a fraud of this magnitude to have taken place, several persons within the Mehul Chokshi or Nirav Modi companies as well as PNB, the other lending Banks, RBI and the Ministry of Finance must have smelt that something wrong was going on.

What has collectively failed is the system of “Whistle Blowing” that RBI already has in place but which has completely failed to work. The complaint that one franchisee, Mr Hari Prasad, made to the PMO is like many complaints that are forwarded to the PMO and directed to the appropriate departments for enquiry.

But each of the Banks had its own Whistle blowing system and RBI had a Whistle blowing system for the entire Banking system, and it appears nobody had the courage to report the possibility of such a fraud. The reason could be that the heads of each Bank involved, as well as the Governor of RBI, were all friends of the then prevalent political system and personally appointed by Mr P. Chidambaram, and hence nobody trusted them to take action.

If the Whistle blowing system ensured that the whistle blower is protected, then the skeletons would have tumbled out as soon as a junior Bank officer acquired a flat costing Rs 3-4 crores or threw a fancy party in a five star hotel, etc.

In all such cases therefore, the negligence is unpardonable and hence there should be no protection from Cyber Insurance.

A Cyber Insurance contract being an uberrimae fidei contract, the Insurance company is unlikely to discuss these issues with the client at the time the policy is bought. But if the liability is huge and the client invokes the insurance, the legal departments of these insurance companies may certainly raise the “Illegality Defence”.

The principle in Insurance is always, “Take as much precautions as you would take as if there was no insurance” and there after, if the loss materializes, it is an “Accident” for which the Insurer should gladly assume liability. If one takes decisions recklessly because there is an insurance to back up, then the insurer would definitely feel cheated and raise objections at the first instance.

Naavi


Section 65B has become a tool to create judicial anarchy in India

The SLP order of the Supreme Court in the case of Shafhi Mohammad Vs State of Himachal Pradesh dated 30th January 2018, in which a two member bench of the Court passed an order clearly meant to overrule the earlier three member Judgement in the Basheer case as regards the applicability of Section 65B of the Indian Evidence Act, is now having its adverse impact on the judicial system in India.

The SLP order was delivered by  the two judges namely Justice Adarsh Kumar Goel (Seniority order 11) and Uday Umesh Lalit (Seniority order 15).

This order was conspicuously rebellious, overruling the earlier judgement passed by three judges, namely Justices R.M. Lodha (then CJI, now retired), Kurian Joseph (Seniority order 5) and Rohinton Fali Nariman (Seniority order 12).

Normally, when a Judge has a difference of opinion with the earlier order of a superior court, the option available to him is to make a reference back to a comparatively bigger bench and seek a review. This is an established convention. It was diligently followed in the Aadhaar case when the question of “Whether Privacy is a Fundamental Right in our constitution or not” came up with a smaller bench which felt that an earlier 5 member bench had a view which could be reviewed. Accordingly the matter was considered by a 9 member bench which gave its clarification after which the earlier bench resumed its hearing.

This process was not followed by the A.K. Goel-U.U. Lalit bench, which preferred to pass its clarification order in derogation of the order of the earlier three member bench. Though there was a further hearing on 13th February 2018, the bench simply continued with other matters and let its earlier order on Section 65B remain on paper though its validity is questionable.

We consider that the order was erroneous, is amenable to be misused and would open doors of corruption in Judiciary.

It is also infructuous being an order of a smaller bench.

But by not reviewing the order in the next available opportunity the two member bench has shown disregard to the conventions and cyber jurisprudence.

It is necessary for the CJI to take note of this development, and if he allows such breaking of conventions to go unquestioned, it will spread like cancer in the Supreme Court and throughout the judicial system.

Some time back we had the Justice Karnan episode where he challenged the Supreme Court and was later convicted for Contempt of Court.

But the current CJI did not take similar contempt action against the four judges who held a press conference. Now if the CJI continues to remain quiet without acting against the breaking of convention by the AK Goel-UU Lalit bench, every judge will ignore every judgement of a bigger bench and turn Jurisprudence upside down.

If a lower bench of Supreme Court can over rule a higher bench, a lower court can also over rule a higher Court. We will see chaos and anarchy spreading through the system if proper measures are not initiated by CJI now.

Such a situation will give a free hand for corruption to decide which order of a superior court will be followed as a precedence and which will be ignored under the special precedent set by the AK Goel-UU Lalit bench.

The Order of this bench to turn Jurisprudence upside down is completely illogical and indicates that this could be part of a rebellion developing inside the Supreme Court.

CJI needs to take note and take corrective action. Silence will not be a solution and it may be too late to correct the situation if more such decisions contemptuous of the higher benches can be allowed to be taken.

In the meantime, if any situation arises in Courts where there is an attempt to accept electronic evidence without Section 65B certification on the basis of the SLP order, it has to be challenged first with a request for review, if necessary supported with an expert counter opinion, failing which with an appeal to a higher court specifically on this issue.

It is regrettable that Supreme Court judges are creating anarchy in the system by not being consistent with their commitment to delivery of justice, and the poison seeded by the four rebellious judges seems to be having its effect in destroying the revered system. I hope the fear is misplaced and things will turn out well, with the bench at its next hearing on 7th March 2018 issuing a clarification that it is not overruling the earlier judgement.

If the Amicus Curiae is unable to find a practically permissible and legally acceptable solution to the problem on hand (evidence to be presented by the Police from crime scene videography), it is necessary for the Court to hold a larger consultation with other experts before passing further orders.

Naavi


Role of Potential Digital Evidence in criminal investigations

During the last week, Bengaluru witnessed a disturbing display of lawlessness by a group led by a son of a Congress MLA. The case involved a brawl in a Pub called “Farzi Cafe” in UB City in which another person was beaten to near death by the group.

Similarly there was another incident of VIP misbehaviour of another Congress worker sprinkling petrol and threatening destruction of a BBMP office also in the same week.

While the discussion on the incidents is outside the scope of this website, I would like to only discuss the role of “Digital Evidence” that plays an important part in both these incidents.

In both incidents there is video evidence; in one case the offence is “Attempt to Murder” and in the other it is “Threatening to commit arson and destruction of Government property”. Both are very serious offences and require a fair trial in a Court. The evidence available would therefore be very important.

But there are unconfirmed media reports indicating that since the offenders in both cases relate to the ruling party, the Police are favouring the accused and are unlikely to pursue the case properly. In the process, there will be a possibility of destruction or manipulation of the digital evidence which is in the form of CCTV footages.

The Video in the case of threat to burn BBMP office has already gone viral and is now in the public space. Courts can take cognizance of the incident even if the Police try to suppress it.

But in the incident related to the brawl in the Pub,  there are two videos one from the Farzi Cafe where the brawl first took place and the other from Mallya Hospital where the accused tried to break in perhaps to cause further hurt to the victim. Initial media reports suggest that the Farzi cafe Video has already been tampered with by the Police and will only show the victim slapping the accused and not the earlier first attack by the accused.

If the report is true, it is expected that the case will eventually not get proved in a Court of law and will be dismissed for lack of evidence. Worse still, the victim himself may be punished for attacking a respectable person who is the present accused and provoking him.

The incident highlights the importance of protecting the digital evidence which is extremely useful in such cases with CCTV cameras spread across the city and in most public establishments. Recently, Bangalore Police solved a case of harassment of a lady in the middle of the night only through the CCTV footage that was available.

But if CCTV footages become only tools of manipulation where at the discretion of the Police it would be used in certain cases and in certain other cases it would simply vanish, then the question of accountability for such CCTVs arise.

There is already an argument that installation of CCTV cameras is a threat to the Privacy of Citizens. This will only get strengthened. The defence that it helps in “Security” falls flat because of the frequent misuse of CCTV footage by law enforcement to suit their political objectives.

I therefore request the Bangalore Police to make public the entire unedited version of the Farzi Cafe incident to the public in the interest of transparency in public life. The Court should also direct for such a disclosure.

I believe that Farzi Cafe owners would be having a copy of the video and unless they want to be called for taking sides in the dispute, should go public with the copy of the video in their hands. Since this Video would be relevant not only to the accused but also to the victim as well as other people who would be in the Cafe at the time of the incident, there is a “Public Interest” in the disclosure and Courts can order for the disclosure.

While some body who has the courage to face the wrath of Congress Government in Karnataka can take up the issue as a public interest litigation, the Courts also can take suo moto action if they consider the matter to be of consequence.

If however Farzi Cafe owners have deleted the evidence then they would be liable for prosecution under Section 65 of ITA 2000/8 and Section 204 of IPC for destruction of evidence. If manipulation of evidence has taken place after the Police took charge of the evidence, similar charge can be made on the police personnel also. Probably the Karnataka Human Rights Commission has the jurisdiction to investigate the matter.

It would be interesting to see how the case proceeds from here and what lessons the police and organizations like Farzi Cafe will take from the current incident on handling of CCTV footages which become “Potential Evidence” in criminal cases.
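The practical lesson for anyone who holds such footage is that its integrity has to be fixed at the moment of seizure, so that a later cut or substitution is provable rather than a matter of one word against another. The following is an added example of such an integrity record and is not from the post, nor is it a Section 65B certificate; the file names, the stand-in file contents and the custodian key are constructed for illustration, and in a real deployment the key would be held by an independent custodian or in a hardware module.

```python
"""Added example (not from the post and not a Section 65B certificate): an
integrity record for seized CCTV files so that later editing, truncation or
substitution is detectable.  The file names, contents and custodian key are
constructed for illustration; a real deployment would keep the key in an HSM
or with an independent custodian."""
import hashlib
import hmac
import json

# Hypothetical key held by the evidence custodian; it authenticates the manifest
# so that a tampered file cannot be "fixed" by quietly rewriting its recorded hash.
CUSTODIAN_KEY = b"hypothetical-custodian-key-not-a-real-secret"

# Constructed stand-ins for the two recordings (a few KB of bytes, not real video).
ORIGINAL_FILES = {
    "cafe_cam1.mp4": b"\x00\x00\x00\x1cftypisom" + bytes(range(256)) * 8,
    "hospital_lobby.mp4": b"\x00\x00\x00\x1cftypisom" + bytes(range(255, -1, -1)) * 8,
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _canonical(body):
    # Deterministic serialisation so the MAC covers exactly the recorded fields.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(files, seized_by, seized_at):
    """Hash every file at the moment of seizure and sign the whole record."""
    body = {
        "seized_by": seized_by,
        "seized_at": seized_at,
        "files": {name: {"sha256": sha256_hex(data), "size": len(data)}
                  for name, data in sorted(files.items())},
    }
    mac = hmac.new(CUSTODIAN_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def manifest_is_authentic(manifest):
    """True only if the manifest was issued with the custodian key and is unmodified."""
    body = {k: v for k, v in manifest.items() if k != "mac"}
    expected = hmac.new(CUSTODIAN_KEY, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest.get("mac", ""))


def verify(manifest, files):
    """Compare the files now in hand with the sealed record.  Returns a list of
    (name, problem) pairs; an empty list means nothing changed since seizure."""
    if not manifest_is_authentic(manifest):
        raise ValueError("manifest itself has been altered or was not issued by the custodian")
    problems = []
    for name, entry in manifest["files"].items():
        data = files.get(name)
        if data is None:
            problems.append((name, "missing"))
        elif len(data) != entry["size"] or sha256_hex(data) != entry["sha256"]:
            problems.append((name, "modified"))
    for name in sorted(set(files) - set(manifest["files"])):
        problems.append((name, "unexpected"))
    return problems


if __name__ == "__main__":
    manifest = seal(ORIGINAL_FILES, "station-constable-42", "2018-02-18T23:55:00+05:30")
    print("untouched copy:", verify(manifest, ORIGINAL_FILES))
    edited = dict(ORIGINAL_FILES)
    edited["cafe_cam1.mp4"] = ORIGINAL_FILES["cafe_cam1.mp4"][:-1024]  # frames cut from the end
    print("edited copy   :", verify(manifest, edited))
```

The record is only as good as the independence of whoever holds it: if the same agency that can edit the footage also holds the only copy of the manifest and the key, the check proves nothing, which is why a copy of the sealed manifest should go to the establishment that owns the camera, or to the court, at the time of seizure.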

Our discussion would be incomplete without also highlighting why we called the recent decision on an SLP by the Supreme Court in the case of Shafhi Mohammad a “Recipe for Corruption…”. If the order is to be accepted, then the CCTV footage which the Police produce may be argued to be acceptable as evidence without a Section 65B certificate. If the decision in the Basheer case is followed, at least there will be one person who looks into the evidence and certifies it, and who while doing so will consider whether the evidence is trustworthy or not. This important check on fraudulent production of digital evidence for admission would be removed if the Shafhi Mohammad decision is considered valid. Fortunately this is a two member order on an SLP whereas the Basheer judgement is a three member judgement, and hence the latter would prevail.

Naavi
