Regulate Bitcoins through ITA 2000 notifications under Section 1(4) and 69/69A/69B

India has reportedly completed its diplomatic negotiations and formalities to ensure that Switzerland will automatically share the details of Bank accounts opened by Indian nationals in that country with Indian authorities so that numbered Swiss Bank accounts can no longer be used to park black money.

While it has perhaps come a little too late in the day and its impact on curbing black money in India could be limited, this can be appreciated as a step in the right direction.

However, intelligent Black money operators have already found alternate means to park their Black money in the form of “Bitcoins” and other “Private Crypto Currency” (AltCoins) and hence are not much concerned with the Swiss Bank accounts now. The pressure is therefore now on the Government to somehow legitimize Bitcoins as a “Digital Currency” so that it can be an easy instrument for parking black money.

Bitcoins and other Private Crypto Currencies will also be a boon to terrorists in Kashmir, as well as to Naxalites who need to receive funding from abroad for their nefarious activities in India, since printing fake currency in Pakistan and tossing it over the Malda-Bangladesh border or pushing it through Nepal is a cumbersome process. On the other hand, a Crypto currency transaction is a great digital solution to the operation of transferring funds from the ISI to terror networks in India.

Obviously, there are many in India who have great sympathy for the cause of breaking India and all those are interested in getting Bitcoins legitimized.

Though the Government of India formed a Committee under the Finance Ministry and formally sought the opinion of the public through the MyGov.in website, from the way the MCX and other quasi-Government organizations tried to influence the decision in favour of recognition of Bitcoins, it was clear that there could be supporters of Bitcoins within the Government itself.

We can therefore expect that, left to the Committee, no decision may come forth in the near future, and the current status, where “RBI is not prepared to declare Bitcoins as illegal”, “SEBI is not prepared to declare Bitcoin Exchanges as illegal” and “ED is acting deaf and dumb in not taking action against FEMA violations”, will continue.

I therefore urge the Ministry of Electronics and Information Technology (MeitY) under Mr Ravi Shankar Prasad to take suitable steps within their control to bring about suitable changes in the Information Technology Act to protect the country from the menace of Private Crypto Currencies.

Since ITA 2000/8 is already under a process of amendment, some amendments can be taken up when these amendments are considered. However, this would be a long-drawn process and hence some action is required immediately in the form of a Notification, which is within the hands of the Secretary of the department. It can be issued as a Gazette Notification and later presented to the Parliament for ratification in the next session.

The first steps required in this regard are:

a) De-recognizing Crypto Currency, including Bitcoin, as a valid Electronic Document under Section 4 of ITA 2000/8

b) Introducing criminal penalties for the use of Bitcoins and other Private Crypto currencies as a perceived currency or a legitimate commodity with value attached.

c) Introducing regulatory checks which act as deterrents to the spread of Bitcoin and other Crypto currencies as part of various legitimate IT services

Some suggestions in this regard are as follows:

1. Presently, the First Schedule of ITA 2000/8 lists documents that are not within the purview of the Act. The documents listed here have no “Recognition” under Section 4 of ITA 2000/8. In this list, Bills of Exchange and Promissory notes are already included as an “Excluded Category” and are defined as “Negotiable Instruments other than the Cheque”.

“Currency” is not considered as a “Negotiable Instrument” and is regulated through RBI Act with an exclusive power to RBI to issue “Currency Notes”.

Crypto Currencies are “Electronic Documents” and hence are recognized under Section 4 of ITA 2000/8.

RBI does not however declare it a “Currency Note”. But in practical usage, it is promoted and used as if it were a currency like the dollar, pound or euro. There are exchanges that convert these AltCoins to fiat currencies, sometimes through sophisticated money laundering schemes such as using Lindens (the currency of secondlife.com).

There is therefore a misconception that these Crypto Currencies are “Virtual Currencies” and should be encouraged just like the PayTm or similar digital payment systems.

In order to remove the misconception and to prevent misuse and misrepresentation of Crypto Currency as legitimate legal tender, Schedule I of ITA 2000/8 should be expanded by adding the following instrument as excluded, either through an explanation or an amendment.

“Any Electronic Document that purports to constitute a negotiable instrument (other than the cheque) under the Negotiable Instruments Act 1881, or purports to be a ‘Currency’ under the RBI Act 1934”

2. Section 66C of ITA 2000/8 makes the fraudulent use of the signature of a person punishable.

The scope of the section may be extended by adding the words “or fraudulently and dishonestly makes use of any electronic document” within the section so that it applies both to the fraudulent use of a signature and to that of any other electronic document. (This would also cover some crimes that were left uncovered when Section 66A was scrapped)

3. Sections 69, 69A and 69B of ITA 2000/8 provide powers to authorities to intercept, block or decrypt, or to seek information from any person. If the person is unable to provide assistance, he would be liable for punishment.

In the rules associated with these sections, it must be made clear that the authorities may demand decryption information of Bitcoins or other AltCoins and if the person is unable to provide the decrypted information, it should be considered as a punishable offence. (P.S: Encryption includes any form of hiding the information including the use of numbers for identifying the holders of bitcoins or wallets. Hence “Decryption Demand” means revealing the identity of the persons behind the transaction)

Notices under these sections can be issued to Bitcoin wallet companies and exchange companies to reveal the identity of transactions including the entire chain of transactions that constitutes the block chain.

Bitcoin holders may also be required to decrypt the Bitcoin information, failing which they may attract a penalty. Such property can be confiscated as property that is subject to investigation.

This would make Bitcoin and crypto currency holding and trading untenable, and unless a separate positive regulation legitimizing such currencies is introduced, the current market of crypto currencies will vanish.

Since the above measures are well within the powers of MeitY, they should be considered for immediate use even before the committee constituted for the purpose comes to an agreement on what kind of regulations can be considered.

It is the duty of every honest citizen of the country to ensure that the currency system of the country cannot be undermined by anonymous private crypto currencies like the Bitcoins.

I trust that MeitY will find suitable means to address the de-legitimization of Bitcoins and Private Crypto currencies without any further delay.

naavi

Posted in Cyber Law | 4 Comments

Banks want their negligence to be underwritten by the Customers. Do you agree, Mr Urjit Patel?

Yesterday, I highlighted the plight of a customer of State Bank of India Musiri branch in Tamil Nadu who lost Rs 49773/- through a fraud. We can recall here the decision of the Adjudicator of Tamil Nadu in the case of S.Umashankar Vs ICICI Bank that even in the case where the customer has compromised the credentials in a phishing attack, the Bank is liable for its negligence and is liable to pay the customer for his loss.

I want the State Bank of India, Musiri branch manager to read this judgement when he contemplates replying to our open letter of yesterday.

The logic is very clear. A fraud happens when there is an ultimate victim who is out of pocket and an ultimate fraudster who has enriched himself with a wrongful gain. In between there are different entities, some of whom have participated in the chain of transactions which together form a “Money Laundering Exercise”, where money is stolen from an honest person and the tainted money is passed through different filters leading to a clean possession of an asset in the hands of the fraudster.

The intermediaries facilitating the fraud, who are all “Partners in Crime”, include the Banks, Mobile service providers and the PPIs, and even the E Commerce Site where the fraudster uses the stolen money to buy products and services. The Mules who function as Phishing agents and the BPOs that run in the Noida/Ghaziabad area, where IT companies are set up as “Phishing Call Centers”, are directly involved in cheating the Bank customer.

There is no doubt that the Phishing mules are no longer innocent youngsters who are earning their daily meal by creating phishing websites and making calls etc. They are using all their social engineering skills to cheat innocent victims and their masters are like mafia gang leaders. These people deserve to be put behind bars for a long, long time. Though some of these are arrested from time to time, I presume the Courts and the Criminal lawyers ensure that they are out on bail soon to continue their nefarious activities.

As far as the victim is concerned, he does not have the resources to fight the mafia network and is therefore at a disadvantage.

On the other hand, the intermediaries like the Banks, the Mobile Service Providers and PPI service providers have no business to be assisting the fraudsters with their own negligence.

The E Commerce service providers who actually deliver goods against such fraudulent payments sometimes fail to cooperate with the law enforcement by not sharing the product delivery addresses or by delivering products on street corners instead of at an identifiable address of the buyer. To the extent of that negligence, they also have to take the blame for letting the frauds perpetuate.

However, the greater responsibility lies on the other intermediaries who help in the money laundering scheme of the fraud gang. None of the phishing fraudsters will be able to encash their crime booty except with the assistance of the intermediaries. Without opening a Bank account or a PPI account in a mobile, it is impossible for these frauds to be successful.

Hence these financial intermediaries are the key to controlling such frauds and their negligence is unpardonable.

The most visible form of the negligence of these financial intermediaries is in not having a robust KYC system, enabling the fraudsters to open fake accounts in the Bank or to obtain SIM cards. As genuine customers, we all know that when we want to open a Bank account or obtain a SIM card, we are subject to all forms of rigorous checks, and if this is the common practice, it should not normally be possible for fraudsters to open fake accounts. But it is a fact that fraudsters do succeed in opening fake accounts and use the accounts repeatedly to commit frauds on others.

This only proves that these financial intermediaries have moles in their own organizations who enable fraudsters to open fake accounts by tampering with the KYC documents. In most cases, the KYC documents of a genuine customer may be used for the fake accounts putting the genuine customer also at the risk of being accused of a fraud at a later time. Since these moles are employees or contractors of the financial intermediaries, the vicarious responsibility for their fraudulent activities lies with the financial intermediaries.

It is in this context that financial intermediaries need to develop rigorous KYC practices starting not with their technology hardening but with the hardening of their processes in appointment and management of KYC agents.

Until such time these Banks and Mobile operators understand their responsibilities and discharge them with a sense of duty to the public, we will continue to say that India is not ready for financial innovation and introduction of products such as Aadhar Enabled Payment Systems.

We also continue to hold that these intermediaries should not only be made to pay for their negligence by picking up the fraud liabilities but also be criminally charged for reckless handling of the financial systems, putting the society at stake.

I therefore call for the Police in Musiri to file a criminal charge against State Bank of India, Musiri for defrauding their customer by adopting inadequately secured authentication methods which enabled the commission of the fraud.

In case SBI tries to divert the charge to various PPI operators such as PayTM, mPesa, one97.com, Oxigen, who are the companies which SBI appears to have pointed out as beneficiaries of the above fraud, Police should file cases against these operators also since their KYC could have failed.

If some of these are non-KYC accounts, the log records of these operators would still be useful and they should be called for. If they are not able to provide log records, they should be charged for negligence and non-compliance with ITA 2000/8.

Today, Banks want to continue their present approach to digital Banking where they want to pocket their commissions and service charges and expect Customers to underwrite the risks. This is unacceptable. Banks should pay for their negligence and if necessary cover themselves with Cyber Insurance.

Any system of electronic banking that does not protect the customer against “Phishing” is not a secure system and must be abandoned.

Unless we try to make an example of this case, which represents an instance of an ignorant customer being provided with an unwanted banking facility which he is unable to understand and therefore becoming a victim of a fraud, we will not be able to make progress in improving the security eco-system.

Since it is a policy decision of the RBI that such services are being pushed to ordinary people in a false sense of digital progress, the RBI Governor Mr Urjit Patel is also answerable for lack of proper understanding of the Banking customer.

It appears that the current state of affairs where “Insecure Banking” has become the accepted norm, is also a result of RBI being managed by “Economists” instead of “Bankers”. These economists know only how to tinker with interest rates and appear to have inadequate understanding of the retail Banking system.

It is difficult not to also blame our Finance Minister and Prime Minister, who are being misled into promoting digital habits as a part of the digital revolution and driving Indian Banking customers towards a day when the Indian Banking system will collapse.

For the time being, my advice to rural Banking customers is to ignore the call of the politicians to go digital and stay with transactions which they can understand. If they are comfortable going to the Bank and meeting the Bank manager to deposit and withdraw their money, they should stick to it and not go for mobile Banking. If they are comfortable dealing with cash, they should stick to it, return their debit cards to the bank today and obtain an acknowledgement.

I know that this message may not directly reach the target customers who are illiterate villagers but I am placing it here so that NGOs may pick it up and spread the message.

I have already placed these suggestions with Mr Modi, stating that until he is able to introduce mandatory Cyber Insurance, he should stop promoting digital payment systems as he is knowingly or unknowingly committing the Indian society to doom.

The dream of “Less Cash Society” cannot be pushed without a mandatory Cyber Insurance protection for all customers of digital payment system. If the Government is not ready for this, they should stop talking of “Less cash society”. Such Cyber Insurance cover should come at the cost of the Banks and should not be loaded on to the customer.

As some economists have pointed out, the system of digital payment replacing the cash transactions where every transaction is loaded with a service cost would erode the wealth of the transferor with each transaction until the “Cash in digital form becomes zero after successive deductions of service charges”.

Hence it is not feasible to load costs onto digital transfers and they have to be borne by the Banking system out of the efficiency related savings and benefits.

Hope these words of wisdom from an ex-Banker, E-Business Consultant and Techno Legal Information Security observer reach the right persons and they act in the right direction without branding me as “Anti Developmental” or “Anti BJP”, since I am neither.

I am one who believes that technology can be harnessed in a manner that does not endanger the financial system, but technologists who do not care about the society and the regulators who do not understand the risks, along with Politicians who look for short term gains, are not using technology in a responsible manner.

I presently trust Mr Modi to be able to take corrective action, but he has left this responsibility to Mr Arun Jaitley, who is too busy to identify where the shoe pinches for the ordinary people and apply corrections. Others do not seem to matter.

Naavi

Posted in Cyber Law

Calling attention of Branch Manager, State Bank of India, Musiri Branch, Tamil Nadu

This is an open letter to

The Manager, State Bank of India, Musiri Branch, Tiruchirapalli Branch, Tamil Nadu.

Dear Sir,

I am informed that on June 7th 2017, 5 fraudulent withdrawals were made from the account of one of the customers of your branch, account number 3353XXXXX38 (P.S: Full Name and other details are already known to you and hence are not reproduced in this public forum. If required, they will be provided), amounting to Rs 49773/-, which was the hard earned savings of a poor customer.

I have reasons to believe that SBI has been completely negligent in passing these fraudulent debits to the account without following proper security measures as required under Information Technology Act 2000/8 and RBI guidelines.

I am aware that you would be having your excuses on why you passed the forged transactions without following reasonable security practices. These are the subject matter of further detailed litigation if it becomes necessary.

I also request you to refrain from obtaining any false declarations from the customer under duress to defend your position.

In the meantime, I would like you to kindly inform your customer in writing the following:

  1. Full details of each of the 5 debits including the nature of transaction, IP addresses if they were online transactions, Merchant establishment details if they were offline transactions.
  2. Details of any awareness training you had provided to the customer regarding the risks of digital payments when you decided to provide him a Debit card and internet access.
  3. Reasons why you have not reimbursed the amount as per RBI guidelines on “Limited Liability” when the fraud was reported to you
  4. Reasons why you have indulged in a money laundering exercise in association with the fraudsters and allowed your customer to be cheated.
  5. Reasons why you have not invoked Cyber Insurance and given a refund to the customer immediately.
  6. Your views on whether this fraud is related to the recent incident when SBI recalled 6 lakh debit cards which were compromised and, if not, why you think it is not so related.
  7. The details of when and how you have reported this fraud to CERT-In and your HO and if not, why you chose not to report the fraud as required under law as well as regulatory guidelines.
  8. If the payments have been made at any ATM outlets or Merchant Establishments, kindly obtain and forward CCTV footage with Section 65B (Indian Evidence Act) certification. If you are unable to produce such footage, please provide reasons on why you are unable to produce such evidence.
  9. If the transactions were made online, please obtain and send all log records showing the entry of CVV, VBB and other security PIN if any, with date and time etc., again with Section 65B (IEA) certification. If you are unable to provide such information, kindly let us know the reasons why you do not want to produce such evidence.
  10. If the transactions were made offline, please obtain and send the POS machine logs along with transaction summary slips showing the customer’s signature. If you are unable to provide the same, kindly give reasons on under which RBI guideline you are allowing Card Not Present transactions without obtaining the customer’s signature and matching it with the signature on the back of the card.
  11. If the money is purported to have been drawn by some third party fraudsters, kindly obtain and forward the KYC documents to identify the fraudsters. If you are unable to produce such information, kindly indicate why you are allowing such money laundering to be committed by your Bank and its associates.
  12. Please also send the names and designations of all SBI officials and the Merchant Establishments and ATM owners who are involved in this money laundering exercise.

I will collect the information from your customer so that a decision can be taken on the further course of action, including the launching of criminal proceedings against State Bank of India and its officials, including you.

I wish you would immediately take steps to refund the amount to your customer as per RBI guidelines so that there would be no requirement of further action.

Regards

Naavi

I am also intending to initiate launch of a public movement at Musiri to ask all your customers to return all cards issued by SBI as they are likely to be used by associates of the Bank to defraud innocent customers. I hope this would be a national movement that will make SBI realize its responsibilities in dealing with E Banking.

I also call upon the Chairperson of State Bank of India to take suitable steps to redress the grievance of the customer without raising any excuses.

I request the Adjudicator of Tamil Nadu (IT Secretary) to use his powers under Section 46 of ITA 2000/8 and initiate a suo-moto action against SBI to redress the grievance of the customer.

I request NGOs such as Cyber Society Of India (CySi) to take up the issue as a Public Interest and persuade SBI to see reason and redress the grievance of the customer.

I also request Reserve Bank of India to advise SBI to take immediate remedial action.

I also request NPCI and CERT-In to intervene and assist in the resolution of the dispute since they are also responsible for the lack of adequate security of digital payment transactions.

I also request Mr Arun Jaitley and Mr Narendra Modi, honourable Finance Minister and Prime Minister of India, who are pushing for digital payment systems without understanding whether the public are ready or not and without ensuring that Banks are not hand in glove with fraudsters and looting public money, to instruct SBI to redress the customer grievance immediately.

Naavi


Posted in Cyber Law | 2 Comments

Falsified Evidence under Section 65B certificate

Section 65B of Indian Evidence Act requires a certificate to be produced with any Electronic Document submitted as evidence in a Court of law, at the admission stage.

The mandatory requirement of a Section 65B certificate came into effect on 17th October 2000 when ITA 2000 (Information Technology Act 2000) was notified. However, it was the undersigned who produced the first such certificate in a Court. It was in 2004, in the State of Tamil Nadu Vs Suhas Katti case for criminal prosecution under Section 67, in the Egmore AMM Court, Chennai. Based on the certified evidence, the Court went on to proceed with the trial and convict the accused. The conviction was sustained even in the appeal at the Sessions Court, upholding the validity of the evidence. Since then, Section 65B certificates produced by the undersigned have been produced in other courts from time to time.

However, it was not until the Supreme Court judgement in P A Anvar Vs P.K Basheer that the litigation market players realized that electronic evidence without a Section 65B certificate would not be admissible in the Courts. Even the Police have started adding to their CrPC notices, calling for information which may be in electronic form to be provided with a Section 65B certificate.

Naturally, there is a scramble now on understanding how the certificate has to be given. Though Naavi.org and ceac.in have put out clear information on how Section 65B certificate is to be produced, there are a few legal practitioners who may hold some different view points on some of the finer points of certification. Such differences will persist for some time and will be resolved over a period of time as long as we try to understand the purpose of the section and its use case scenarios.

What is however necessary, for Companies in particular from the ITA 2008 compliance angle and for ordinary citizens relying on such evidence to fight cases in the Courts, is to understand that if the evidence is not properly produced, it may be rejected by the Court at the admission stage itself.

On the other hand, we also need to warn companies and individuals that sometimes there is a tendency to produce evidence which is deliberately falsified with the hope that nobody would find out.

I recently came across such an incident where a large Telecom company had filed apparently falsified electronic evidence to support its case against one of its employees. The electronic documents were supported by a Section 65B certificate and also an affidavit in the Court.

It is possible that the defense may submit suitable arguments to throw this evidence out but what we need to remember is that production of falsified evidence is clearly an offence under Section 193 of IPC which is a cognizable offence carrying 7 years of imprisonment.

The person who produced a falsified Section 65B certificate and an affidavit in respect of the certificate would be liable for punishment under Section 193.

Such an Act will also be an offence under Section 43/66 of ITA 2000/8. Some of these incidents would also be offences under Section 65 and Section 67C of the Act as well.

When such a person is an employee of a company and the interest of the Company is involved, the Company would also be guilty of the offence, and it would extend to the “Officers in charge of Business” and “Directors” under acts such as the Companies Act and ITA 2000/8.

While the offence under Section 193 of IPC carries 7 years imprisonment, the ITA 2000/8 offences carry 3 years imprisonment.

I therefore advise that those who do not know how to produce Section 65B evidence should not take the risk of producing falsified evidence, as it may boomerang on them during the course of the trial when it is proved to have been falsified.

In Civil cases, when such falsification comes to the knowledge of the Court, it would be possible for the Judge to order that criminal action be initiated by the prosecution separately, either under IPC or ITA 2000/8. Perhaps it may also be possible for the Court to initiate Contempt of Court proceedings for misleading the Court through falsified evidence.

Even in cases where electronic evidence was present at one point of time but the litigant has failed to get a Section 65B certificate for it and it is subsequently no longer available, instead of trying to falsify the evidence with a compromised Section 65B certificate, it is better to forego the presentation of the documentary evidence in the form of electronic documents and try to proceed with the other evidence on hand, including oral evidence and witnesses.

Naavi

Posted in Cyber Law

ACT Broadband blocks FTP access to clients

ACT Fibernet (Atria Convergence Technologies Pvt. Ltd.) has been an Internet Service Provider which was the first (particularly in Bangalore) to offer internet access service through an optical fiber network. In view of the high bandwidth provided by the technology and with no major competition, the Company expanded its business into several cities in India.

Now, when Reliance Jio has started setting up its own optic fiber network, which has already been introduced in some cities on an experimental basis, ACT appears to be responding to the threat strangely: by degrading its existing service rather than shutting out the competition with improved services.

It has modified its tariff plan to create a new revenue model for the company by stripping the existing service of some of the features.

The Company has implemented a new tariff plan, without providing any notice to its customers, which restricts its internet service to the basic level of “Browsing” and “E Mail”. It has de-linked some aspects of “FTP access”, which some experts say has been done by blocking some open ports used for FTP access. Any requirement of such service would now require a subscription to what the company calls a “Static IP address”, which may simply be a set of IP addresses for which full services are configured, as against other customers.

As a result of this change, for the users of the ACT broadband service, “Secure FTP Access” has now become a “Value Added Service” for which a separate fee needs to be paid.
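One way to verify a suspicion like the one above is to probe the FTP-family ports from the affected connection and distinguish a silent drop (no reply at all, which is what an ISP or firewall block looks like) from a server that is simply not listening (the host answers with a connection refusal). The following Python script is an added illustration and is not code from ACT Fibernet or from this post; the port list, the host, and the function names are assumptions, since the post does not say which ports were blocked.

```python
"""Probe whether FTP-family TCP ports are reachable from this network.

Added illustration for the ACT Fibernet post; not the ISP's or the post
author's code. The port list and the target host are assumptions.
"""
import socket
import sys

# Assumed port list: the control ports a typical FTP, SFTP or FTPS client
# needs first. Active/passive FTP data connections use further negotiated
# ports, which a separate test would have to cover.
FTP_FAMILY_PORTS = {
    21: "FTP control",
    22: "SSH (SFTP/SCP)",
    990: "FTPS (implicit TLS)",
}


def probe_port(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'refused' or 'filtered'.

    'refused' means the host answered with a reset: the path is fine and
    the service is simply not listening. 'filtered' means nothing came back
    within the timeout (or the OS reported no route), which is what a silent
    drop by an ISP or firewall looks like.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        # "No route to host", ICMP admin-prohibited, DNS failure: path problem
        return "filtered"


def probe_ports(host, ports=None, timeout=3.0):
    """Probe every port in `ports` (default: FTP_FAMILY_PORTS) on `host`."""
    ports = list(ports) if ports is not None else list(FTP_FAMILY_PORTS)
    return {port: probe_port(host, port, timeout) for port in ports}


def diagnose(results):
    """Turn per-port states into a one-line verdict.

    Against a server known to be up from another network, 'filtered' on
    every port points at the path (ISP or firewall), not at the server.
    """
    states = set(results.values())
    if states == {"filtered"}:
        return "all probed ports filtered: likely blocked on the path"
    if "open" in states:
        return "at least one port open: path is not blocking these ports"
    return "ports reachable but no service: server-side, not the path"


def self_check():
    """Offline demonstration against a throwaway local listener.

    Returns (state while listening, state after close, verdict after close).
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))       # ephemeral port nothing else uses
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_port("127.0.0.1", port, timeout=1.0)
    srv.close()                      # now the kernel answers with a reset
    after_close = probe_port("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close, diagnose({port: after_close})


if __name__ == "__main__":
    # Assumed usage: pass a server you control; defaults to localhost.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = probe_ports(target)
    for port, state in results.items():
        print(f"{target}:{port} ({FTP_FAMILY_PORTS.get(port, '?')}): {state}")
    print(diagnose(results))
```

Run it twice against the same server you control, once from the affected line and once from another network: if every port times out from the first and answers from the second, the block is on the path. A refusal means the connection reached the host and it is the service, not the ISP, that is missing.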

While it is the prerogative of any company to price its products as per its own plans, there is a need to remember that a change in tariff plan needs to be notified to the customer. Unfortunately, customer service may not be at the top of the agenda for the Company, as it refuses to inform its customers and refuses to even raise a proper bill. It has unilaterally degraded the service, hoping that most of the customers may not be able to understand why some of their services have stopped functioning.

It is interesting to note that a company which wants to lead in technology does not have the marketing acumen to take it to the next level, where it will have to compete with the likes of Reliance Jio.

Perhaps this gives a cue to Reliance Jio on how to enter the markets where ACT is now present, with a service offering which would be able to face the competition with some ease. Reliance Jio in recent days has demonstrated the marketing acumen it possesses to penetrate a market already entrenched with established players and create a dent overnight. ACT Fibernet would perhaps be easy prey to the marketing giant called Jio.

I look forward to an interesting battle when Reliance Jio enters the Bangalore market with its optic fiber services.

Naavi

Posted in Cyber Law

Why we need to defer the introduction of AEPS

The Aadhar based payment system which is meant to capture the biometrics and initiate banking transactions is being pushed for implementation by June 30, 2017.

However, we request the authorities not to stand on false egos and try to introduce a system which could create a huge security hole in the financial eco system in the country.

The main problem in the proposed system is that there will be thousands of Business Correspondents, “Bank Mitras”, who will be authorised to carry biometric devices and initiate banking transactions. The concept is great, provided it has checks and balances to avoid misuse and fraud.

At present, it appears that the authorities have not taken sufficient steps to protect the users from the adverse impact of frauds.

Before we proceed further, I would like to draw the attention of the public to the recent incident when 32 lakh debit cards were supposed to have been compromised through HITACHI ATMs, where the malware is presumed to have wormed its way to an NPCI controlled switch and compromised multiple banking systems. There are theories that multiple banks’ systems were compromised not through NPCI but because some card holders used the infected Yes Bank ATMs and then other Banks’ ATMs, spreading the infection. The exact nature of the infection is not known. However, the following article explains in detail one research report on the incident and is worth reading in detail.

Report: India’s sluggish response to cyberattack that infected 3.2 million cards exposes its vulnerabilities

There is no doubt that all the compromised ATMs reported in the above incident were “Certified” by authorized vendors of RBI and Banks. They were also under direct control of licensed ATM operators most of them being Banks. There was physical security in the form of guards and electronic surveillance in the form of CCTVs. Despite this, the systems were compromised.

The compromise also prevailed in the system for a long time and nobody realized it until the damage was done. When breaches started happening, nobody reported them to CERT-In and there was every attempt to brush the controversy under the carpet. Security experts who were assigned the responsibility of conducting forensic audits ended up erasing evidence, not knowing the law of the land.

Finally there is an "Admission" by Hitachi that they accept responsibility, which makes things more suspicious as to whether they were trying to protect some other agency that could also have been held either solely or collectively responsible for the breach.

Against this background we need to see how secure the AEPS system is, where the biometric devices or Micro ATMs are held in the custody of the public and are out of sight of the regulators.

The devices are certified by some agency such as STQC as fit for use under some standard, but are manufactured by different private sector companies, many of them from abroad. Some of these Micro ATMs may work as an application running on Android OS devices.

While the certifying agencies may certify the functionality of the devices, it is a myth that these devices are tamper-proof.

It is a common security understanding that any device to which a hacker has prolonged, unobserved access is at risk of being manipulated through the introduction of a replaced motherboard or a "Manchurian chip" add-on. In the past we have seen that POS devices for credit card swiping, supplied from China to UK merchants, were stealing data, and Scotland Yard had to conduct an elaborate exercise to identify and remove those devices. Very recently in India we have observed that petrol vending machines in Lucknow were tampered with, by adding a chip to the circuit, to cheat customers on the quantity of petrol dispensed. Some time back, digital auto rickshaw meters in Bangalore were similarly tampered with by inserting a chip into the meter.

It is therefore possible, and reasonably certain, that Micro ATMs and POS systems using the Aadhar Enabled Payment System will be compromised in due course. This would result in the biometrics of customers being copied and re-used on a systematic basis. This was also demonstrated by Axis Bank and eMudhra not so long ago.

Since some of these biometric devices may be imported from China to meet the rush, and also because they may be considered cheap, we may expect that backdoors will be installed in such equipment which could defeat the STQC audits and remain in place once the system goes into use.

We may recall that Volkswagen designed software to cheat emission standard tests, giving passing results under test while reverting in actual use, where emission standards were compromised for better pick-up and power. Similarly, the manufacturers of this equipment will design their systems to behave well before STQC and turn rogue once in the usage environment.

There is therefore a possibility that, in due course, we are creating a network of financial devices which can be exploited by an enemy country in a Cyber War situation.

The Indian Election Commission (EC) recently faced a comparable challenge over EVMs when an AAP MLA showed how he could replace the motherboard if given access to the machine, and hence how elections could be tampered with. The EC however rightly pointed out that the EVMs used in actual elections are never out of its sight and are randomly assigned to different booths, and hence cannot be tampered with in the way the AAP MLA indicated.

The Aadhar Enabled Payment System has to take a cue from the EVM controversy and recognise that, for the Micro ATMs and biometric devices, it does not have the controls which the EC has designed for EVMs.

It is not impossible to introduce security controls that prevent misuse, or that quickly catch a delinquent transaction if one happens, but such controls do not seem to exist in the current devices, which are standard devices meant for a different security scenario.
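As an added illustration of the kind of back-end control the two preceding points call for (catching a copied biometric that is re-used, and catching a delinquent transaction quickly), here is example code that is not from this post and not from any AEPS, NPCI or UIDAI specification. It assumes a hypothetical scheme in which each registered Micro ATM holds its own MAC key and signs every capture together with a timestamp, and it relies on the fact that two live scans never produce bit-identical template bytes; device keys and templates are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical per-device MAC keys provisioned at device registration (constructed values).
DEVICE_KEYS = {"MICROATM-001": b"key-for-device-001", "MICROATM-002": b"key-for-device-002"}


@dataclass
class Capture:
    device_id: str
    capture_ts: int   # seconds since epoch, stamped by the device
    template: bytes   # biometric template bytes (constructed sample, not a real template)
    mac: bytes        # HMAC-SHA256 over device_id | capture_ts | template


def sign_capture(device_id: str, capture_ts: int, template: bytes) -> bytes:
    """What a genuine device does: MAC the capture with its own key (hypothetical scheme)."""
    msg = device_id.encode() + capture_ts.to_bytes(8, "big") + template
    return hmac.new(DEVICE_KEYS[device_id], msg, hashlib.sha256).digest()


class ReplayGuard:
    """Back-end verifier: rejects unknown devices, forged MACs, stale or rewound clocks,
    and any template that has already been accepted once (a copied biometric replayed)."""

    def __init__(self, max_skew: int = 120):
        self.max_skew = max_skew
        self.last_ts = {}   # device_id -> last accepted capture_ts
        self.seen = {}      # sha256(template) -> device_id that first sent it

    def check(self, c: Capture, now: int) -> str:
        key = DEVICE_KEYS.get(c.device_id)
        if key is None:
            return "UNKNOWN_DEVICE"   # device never registered with the switch
        expected = sign_capture(c.device_id, c.capture_ts, c.template)
        if not hmac.compare_digest(expected, c.mac):
            return "BAD_MAC"          # template or timestamp altered, or key not held
        if abs(now - c.capture_ts) > self.max_skew:
            return "STALE"            # old capture resubmitted outside the window
        if c.capture_ts <= self.last_ts.get(c.device_id, -1):
            return "OUT_OF_ORDER"     # a device's captures must move forward in time
        digest = hashlib.sha256(c.template).hexdigest()
        if digest in self.seen:
            return "REPLAY"           # identical bytes seen before: copied, not live
        self.seen[digest] = c.device_id
        self.last_ts[c.device_id] = c.capture_ts
        return "OK"
```

The replay table grows with every accepted transaction, so a production deployment would bound it by time window and keep it in shared storage across switch nodes; the ordering rule also assumes device clocks are set at registration.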

In future, we can get these devices manufactured by BEL or ECIL under close supervision and with all the security features that make tampering nearly impossible. But for this, time is needed, and the implementation of AEPS should not be rushed through by June 30, 2017.

I wish the authorities would listen to this sane advice, unless they are ready to place the Indian financial system in jeopardy for the sake of impressing upon Mr Modi that we are technologically ahead of other countries in implementing digital payment systems.

Naavi


Posted in Cyber Law