The Bug in AEPS is in the biometric devices and BCs and not the UIDAI server… But the effect is the same

When Aadhaar was in its initial stages, whenever security issues were raised with Mr Nandan Nilekani, he used to assure everyone that Aadhaar is not a “card” but only a database: information in the Aadhaar database never travels across the network, only “Yes” or “No” responses to queries travel, and if there is any duplication the de-duplication exercise will ensure that two people are not issued the same Aadhaar number. He never accepted that things could change during implementation and that security holes could develop in the course of time.

Even now, to be fair to UIDAI, the leakage of Aadhaar data has happened outside the servers of UIDAI: first at the time of enrollment, when enrollment laptops were stolen in many places, and more recently when some Government departments put up Aadhaar data on the web along with benefit payment information. In between, enrollment frauds occurred on a large scale in the name of people who could not provide proper fingerprints, because they had either lost their hands or their fingerprints were not readable.

After the recent breach in which stored biometrics were replayed by Axis Bank and E Mudhra, some technical patch seems to have been found to detect such attempts in future: just as the system tries to identify a “live” finger, a perfect match between two fingerprint captures is now also flagged as doubtful, since two genuine captures of the same finger never match exactly.
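The exact-match check described above, written out as an added example that is not part of the original post and does not describe UIDAI's actual implementation: a server-side detector that rejects a submission whose biometric capture is byte-identical to an earlier one for the same identifier, and additionally requires the capture to carry a fresh timestamp authenticated by a registered device key. The HMAC over the capture, the identifier, the device IDs, the shared key and the sample captures are all assumptions constructed for the example; the same detector addresses the stored-and-replayed biometric scenario raised later in this post.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass


@dataclass
class AuthRequest:
    """One biometric authentication attempt as received by the server.

    All fields are constructed for this example; 'uid' stands in for whatever
    identifier the authenticating party submits, and 'template' is an opaque
    stand-in for the captured fingerprint data.
    """
    uid: str
    template: bytes
    device_id: str
    captured_at: int      # Unix time claimed by the capture device
    mac: bytes = b""      # HMAC-SHA256 over the other fields, by the device's key


def compute_mac(req, key):
    """Authenticate (uid, template, device_id, captured_at) with the device key.

    Binding the timestamp into the MAC is what stops an old, correctly
    authenticated capture from being resubmitted under a fresh timestamp.
    """
    msg = b"|".join([req.uid.encode(), req.template,
                     req.device_id.encode(), str(req.captured_at).encode()])
    return hmac.new(key, msg, hashlib.sha256).digest()


def sign_request(req, key):
    """Device side: attach the MAC (assumed device behaviour, not UIDAI's)."""
    req.mac = compute_mac(req, key)
    return req


class ReplayDetector:
    """Server-side checks applied before the biometric match itself."""

    def __init__(self, device_keys, max_age_s=300):
        self.device_keys = device_keys   # device_id -> shared secret (constructed)
        self.max_age_s = max_age_s       # how old a capture may be, in seconds
        self.seen = {}                   # uid -> set of SHA-256 digests of captures

    def check(self, req, now=None):
        now = int(time.time()) if now is None else now

        # 1. Only registered devices may submit captures.
        key = self.device_keys.get(req.device_id)
        if key is None:
            return "REJECT_UNREGISTERED_DEVICE"

        # 2. The capture must be authenticated by that device's key.
        if not hmac.compare_digest(compute_mac(req, key), req.mac):
            return "REJECT_BAD_MAC"

        # 3. The capture must be recent (small allowance for clock skew).
        if not (now - self.max_age_s <= req.captured_at <= now + 60):
            return "REJECT_STALE"

        # 4. Two live captures of one finger never match byte for byte, so an
        #    exact match with anything seen before is a stored-and-replayed capture.
        digest = hashlib.sha256(req.template).hexdigest()
        history = self.seen.setdefault(req.uid, set())
        if digest in history:
            return "REJECT_REPLAY"
        history.add(digest)
        return "ACCEPT"
```

The exact-match rule on its own only catches naive replay of an unmodified stored template; an attacker who perturbs a stored capture by a few bytes defeats it, which is why the device-side timestamp and authentication carry more of the weight. A genuine retransmission after a network timeout would also trip the rule, so a production system would tie the history to a per-transaction nonce rather than reject outright.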

Thus UIDAI may claim that technologically they are up to any challenge as far as data protection at the server level is concerned.

UIDAI has also taken steps to ensure that the AUAs and ASAs are all “ITA 2008 compliant”, at least by declaration. If these agencies make a sincere attempt at ITA 2008 compliance, security would be taken to a slightly higher level, since more heads will focus on the issue, particularly from outside the circle of technology professionals, whose vision tends to be clouded by the functionality of the software/hardware and who fail to take a holistic view.

But when we discuss the security or insecurity of the Aadhaar Enabled Payment System (AEPS), we are not restricting our vision to the “technical security” of the UIDAI server side alone. We are discussing the security vulnerabilities across the entire system of usage, which includes the Business Correspondents, Banks, NPCI and any other intermediary involved.

Now the biggest risk in AEPS comes from the biometric devices used by the Business Correspondents (BCs), which include many merchants and individuals. These merchants could be dishonest, or negligent and ignorant, causing misuse of the payment credentials that customers share with them.

There have been instances in the past of people selling goods below market rates only to steal credit card data, either in offline “card present” transactions or online “card not present” transactions. The same can happen in AEPS transactions if the biometric data can be stored and replayed.

There have been instances of Trojans/viruses infecting POS systems and stealing card data, and also of “Manchurian chips” being installed in POS machines for data stealing.

All these vulnerabilities can be relevant to AEPS also.

Man in the Middle attacks particularly of the Man in the Browser type are very much possible in the case of AEPS.

When AEPS is compromised in any manner, the entire chain of Bank accounts of a person could be compromised in one go, and money from multiple Bank accounts of the person can be wiped out in a single breach.

We know that in such a case UIDAI will not take any responsibility, and Banks will also try to wriggle out by placing the blame on everybody but themselves. NPCI is hidden behind the screens, along with the app developers and software developers who specialize in releasing software with bugs and playing with zero-day vulnerabilities.

Ultimately the customer is left to fight with the Police and blame them for not being able to solve Cyber Crimes.

Government has repeatedly refused to accept the principle of “Mandatory Cyber Insurance” to protect customers, and technology people are happy to experiment with the system since they are never questioned for any fraud.

With the present push on AEPS, customers are left with “no alternative” but to accept AEPS. They can themselves avoid using the system, but they have no control over a fraudster impersonating them with the use of fake Aadhaar cards.

We therefore urge the Government not to rush the introduction of AEPS in its current state. There is a need for security measures that prevent frauds committed through social engineering and insider involvement.

Until such time, it is recommended that the introduction of AEPS be deferred. I suppose that the solution could be worked out in about 3 to 6 months if the Government is keen.

Naavi

Posted in Cyber Law | Leave a comment

Is AEPS a Digital Honey Trap?… Is there an Escape Plan?

In January 2017, an interim report of the NITI Aayog Committee of Chief Ministers on digital payments recommended:

  1. To ensure wide-scale adoption of AEPS and Aadhaar Pay, banks need to be mandated to complete Aadhaar seeding of all their customers in a time bound manner. All banks must ensure that their AEPS gateways are up and running all the time and have proper reconciliation teams in place.
  2. All Payment banks to be made interoperable on AEPS.
  3. All BCs to be made interoperable on AEPS.
  4. Biometric (Finger Print & Iris) sensors may be provided at 50% subsidy for all merchants to onboard on to AadhaarPay.
  5. Rollout of Aadhaar Pay application riding on the AEPS platform may be expedited by encouraging banks to adopt the same. Bank branches to be given target to onboard merchants in their vicinity to adopt Aadhaar Pay with their existing android smartphone and biometric reader, which would present a significantly cost-effective alternative compared to the traditional PoS infrastructure. There should be a bank-wise target to achieve 10 lakh active Aadhaar based merchant outlets by June, 2017 and 40 lakhs by December, 2017.
  6. RBI should allow white-labelled business cum merchant correspondents for spreading AEPS PoS devices across the country. Common Service Centers (CSC), Department of Posts and India Post Payments Bank should be allowed to begin with. It can be extended to other entities who meet the criteria prescribed by RBI.
  7. NPCI and Banks should enable Iris authentication on AEPS so that people with worn out fingerprints are also able to do AEPS transactions.
  8. All ATMs/Micro-ATMs/POS should be mandated to have Aadhaar biometric authentication facility from June 1, 2017.

RBI, vide its circular dated December 2, 2016, had also indicated that the deployment of Aadhaar based devices should be completed by June 30, 2017.

As a result of these measures there is a rush to implement AEPS gateway and make it operational at the earliest.

Some Banks have already issued “Aadhar Cards” to their customers and obtained the IINs assigned to them. While NPCI and NITI Aayog are excited and are pushing the implementation, RBI has no option but to oblige.

In all this excitement, the safety and security of the Indian Consumer appears to be the last and perhaps a lost priority.

The system as envisaged is creating a network of Bank accounts that are all interconnected through the Aadhaar number, PAN number and mobile numbers, operating through NPCI switch(es) which are also open to Banking software, mobile wallets, ATMs, UPI apps etc.

If any one of these network elements is compromised, there is a possibility of the entire financial system in India being compromised.

Aadhaar was not designed for the kind of usage envisaged under AEPS. It was meant to be a confidential database with only the ability to send out a binary Yes or No response when a specific query is made with reference to a parameter associated with an Aadhaar number or a biometric input. It was never meant to send out the entire data sheet on request with just the verification of an OTP. It was not meant to be used as an ID substitute nor as the sole KYC instrument. In this role, Aadhaar data of individuals is getting broadcast widely and stored in innumerable places with many vendors and agents of vendors, where there is no control on privacy or security.

While it has helped the Government check misuse of Direct Benefit Transfer, it has also opened other vulnerabilities that are a risk to those who have no interest in Direct Benefit Transfers. Today honest citizens have no control over their Aadhaar and the linked PAN card being used in impersonation. Linking Bank accounts will further open the gateway to money transfer from the accounts of individuals whose Aadhaar data was compromised somewhere by some vendor such as a mobile operator or a domestic gas supplier, if not a fraudulent banker.

The Aadhaar system today is itself heavily dependent on the associated mobile numbers, where security is very lax and obtaining a duplicate SIM or a fake SIM is extremely easy. Since Bank accounts are operable under the USSD, UPI and AEPS systems, the entire security infrastructure of the Indian financial system will be at the mercy of the mobile identity of individuals.

Now all the SIM card vendors are also becoming Business Correspondents who can put their hands into my/our Bank accounts, and therein lies one of the major risks of the AEPS system.

Since mobile devices are already under the control of Chinese manufacturers and innumerable viruses and trojans are already on the prowl on mobile devices, the Indian financial system will be at the mercy of China in a Cyber War situation. Since China is always on the side of Pakistan, this entire Chinese Cyber War machinery would be at the disposal of Pakistan.

There are any number of Pakistani dalals in India (some of whom have already requested that Pakistan should help them defeat Mr Modi), and there will be enough traitors within the country who would welcome any development where Pakistan can discredit Mr Modi through a Cyber attack on his favourite “Digital Payment System”.

The proposed AEPS system is the last straw on the camel’s back and will push Indian financial system to a point of no return.

I therefore reckon that the Digital Payment Systems in India as it is being conceived now can turn out to be a Honey trap for Mr Modi and BJP and spoil the chances of BJP winning the next Loksabha elections.

What the political Maha Gathbandhan cannot achieve, this financial Gathbandhan called AEPS can achieve.

Already the Aadhaar database has been compromised; there are many fake Aadhaar IDs in circulation and many more will come up in the coming days, because the cost of obtaining a fake Aadhaar ID is as low as Rs 100/-, as indicated by the Pakistani nationals who were arrested in Bangalore recently.

The UPI system has its own weaknesses as indicated by the Bank of Maharashtra UPI fraud.

UIDAI is itself vulnerable to “Stored Biometric Replay” attack demonstrated by Axis Bank and E Mudhra.

Banks would do anything for a price, and if accounts are to be opened with manipulated KYCs, there are many Banks and branches that specialize in this.

Hence opening a bank account in the name of a fraudster linked to a fake Aadhaar card is as easy as ABC.

It is this infrastructure, weak at a number of points, that the Government is now relying upon to introduce the Aadhaar Enabled Payment System (AEPS) and link the biometrics of all Bank customers to an ability to pass debits to the Bank account.

The entire process has many loopholes and complies neither with the laws of the Banking industry nor with RBI's own guidelines.

Unfortunately, there appears to be no sane voice available to the Government to flag the risks, and even if some emerge, the counter force will drown such voices.

While innovations in technology are required and are inevitable, at each stage of transformation, we need to ensure that there are enough checks and balances to ensure the security of people who use the systems.

I think there is a huge gap on what is needed to be done and what is being done by technology intoxicated persons who are advising the Government agencies.

AEPS is a test case in which the commitment to security of these agencies is challenged. So far the technology administrators have not come out exuding confidence to the community.

There is no doubt that we can innovate technology solutions that can improve the security by many notches. But these solutions may not be available off the shelf. We need to create indigenous technology to protect the proposed AEPS objective of “Place your finger and transfer money”.

But one needs an eye to see, and readiness to absorb higher costs, if the Government is to chart an escape plan from the trap it is entering. At present the Government is not able to see the risks properly and is therefore not thinking of the solutions that are required. The cost consideration is therefore yet to come onto the radar.

It is premature and inappropriate to discuss the technology solutions on this public platform, since it is a matter which even NITI Aayog recognizes as a “patentable” innovation.

However, in the interest of preserving the political future of Mr Modi, we can state that the system of AEPS  as being envisaged now (giving allowances for the fact that some security aspects might have been introduced by UIDAI and not made public), may have risks that are not easily addressable in the current dispensation and this is likely to be a honey trap that Mr Modi should guard against.

Naavi

Posted in Cyber Law

Behind the WannaCry adversity there is the silver lining of Cyber Insurance Awareness

The recent ransomware attacks with WannaCry have woken up the Indian corporate sector to the need for Cyber Insurance as a means of recovering the losses arising out of such attacks.

I refer to the article in the Economic Times today where several industry executives have been quoted with their views on Cyber Insurance.

As readers here are aware, we conducted an all-India survey two years back to document the awareness of Cyber Insurance amongst CISOs and CIOs in India, and found that most of them had very little understanding of the nuances of what constitutes Cyber Insurance.

Most CISOs do accept that “transfer of risk” is one of the four methods by which risks are managed (mitigation, avoidance and absorption being the other three). But in most practical situations it is the CFOs who take decisions on buying Cyber Insurance policies, the risks to be covered, the financial limits to be accepted etc., and CISOs are hardly allowed to link the Cyber Insurance needs of a company to the “risk mitigation efforts”.

Though RBI had mandated, way back in June 2001, that banks should take Cyber Insurance against hacking, denial of service etc., hardly any Bank obtained such insurance until the last few years.

Companies started looking at insurance after their data vendor business partners in the USA and EU started getting concerned about the liabilities that could arise from breaches in outsourced operations and made insurance part of their business contracts.

Now the ransomware attacks have brought an urgent need for cover as a part of the Corporate Governance policy.

The ransomware attacks create two kinds of liabilities, namely:

a) the cost of recovery of data and of reputation management

b) actual payment of the ransom

In most cases of WannaCry demands, the actual ransom was up to 3 Bitcoins, which was about Rs 4-5 lakhs, and this was often less than the minimum self-liability (the deductible) under most policies. Hence it did not become a matter of coverage.

But in principle, ransom payment could be a claim under the policy, and we need to understand whether this is covered. We are aware that in another incident, the ransom demand on Wipro, the demand was as high as Rs 500 crores, and hence the possibility of a ransom demand becoming a real liability is high.

It is understood that some Insurance companies provide specific coverage of ransom payments under an extension of the basic policy.

It is of course debatable whether ransom payments should be covered under “insurance” at all, since they are “illegal payments”. By covering the ransom payment as a genuine business expense, insurers would actually be providing an incentive for companies to be less vigilant in taking security measures, and also encouraging criminals by making it easier for victims to pay.

We have also pointed out that there are many challenges in Cyber Insurance, including zero-day vulnerabilities, the delay between identification of a vulnerability and its patching, and the general tendency of companies to subordinate security measures to profitability.

The “Uberrimae Fidei” (utmost good faith) nature of Cyber Insurance contracts makes it very difficult for the insured to really consider an insurance policy as adequate risk cover, since they will always be at the mercy of the insurance company at the time of claim settlement.

We have therefore recommended that we take a cue from China, which has converted insurance from a “contract of utmost good faith” to a “contract of honest disclosure”.

This is in the hands of IRDA, which needs to consider Cyber Insurance as a separate category and not club it with other forms of general insurance, and then apply the principle of a “contract of honest disclosure” to these policies.

Today the insurance terms are dictated only by the reinsurance writers, and hence IRDA needs to work with re-insurers to structure Cyber Insurance policies in a manner that will actually be useful to the insured when a Cyber attack materializes.

The user industry needs to come together and form its own consortium to guide, and if necessary lobby, IRDA for a better structuring of Cyber Insurance plans acceptable both to the insurers and the insured.

Thanks to WannaCry, companies are now better aware of Cyber Insurance!

Naavi

Posted in Cyber Law

More on Wipro Terror threat… We need to shed our complacency

P.S.: This is in continuation of the previous article.

The second e-mail threat received by Wipro has been reported with some more detail today in this article in the Times of India.

According to this report, the investigation has now been taken back by the CID from the Bellandur Police. However, unless this is pursued as a terror threat in full, invoking the assistance of the NIA, it is unlikely that any quick progress can be made.

Law enforcement naturally has a nose for smelling intelligence, but companies are more prone to displaying an “all is well” syndrome and try to downplay such risks under the false impression that they are protecting a reputation that would otherwise be lost.

In this case, the natural complacency of the corporate sector seems to have rubbed off on the Police too, and hence over the last month no progress seems to have been made in tracing the e-mail.

For those who think Naavi.org is being needlessly hyper about the incident, it is necessary to point out that “risk management” requires identification of a risk and assigning the probability of its manifestation. As long as the risk is not brought down to zero, it is the duty of the risk manager to flag the risk and seek action. In the subject incident I feel the risk goes beyond the corporate boundaries of Wipro, and hence we the citizens have the right and also the duty to seek proper corrective action from all concerned.

If this delinquent employee, as is being believed, turns out to have been recruited by a terror organization, his threat may be used as a potent weapon against people outside Wipro. Hence the incident cannot be buried as a corporate event in which only Wipro is interested.

In Cyber Crime investigation, one month is an unpardonable delay, and parking the investigation at the local police station, which everyone knows is ill-equipped to handle it, was as good as abandoning the investigation.

I hope at least now the investigation is taken up with new vigour to make up for the time that has been lost.

I would like to also make a comment here about companies thinking that if they give weight to such incidents, they would be harming the reputation of the company.

Actually, in my opinion, the reputation of the companies would be enhanced when they respond promptly to adverse situations.

As the proverb goes,

It is not the way you fall down that determines your character, but it is the way you get up after a fall

When a company hides problems under the carpet fearing a reputation-loss fallout (in a case like this, where no fault can be ascribed to the company in the first place), it only enhances the risk of the incident escalating in future with greater force.

I hope the wisemen investigating the incident would correct for the deliberate neglect over the last month and go hyper now.

Naavi

Posted in Cyber Law

Wipro Terror Threat renewed… It is Bitcoin demand again

We had extensively discussed the e-mail threat received by Wipro some time back, in which an e-mail threatened that if Rs 500 crores was not paid in Bitcoins, “Ricin” would be spread in Wipro premises through drones or mixed with food in Wipro canteens. Ricin is a poison extracted from castor seeds and can cause death. Extracting Ricin from the sludge of a castor oil extraction plant is considered to be easy.

There were two ways of dealing with the threat. One was to consider it a prank or an empty threat from a disgruntled employee and ignore it. This was easy and instinctive. The second was to take it seriously and take steps as if the attack was imminent.

Naavi.org had indicated that there was a need to take the threat seriously and suggested a series of measures, mostly to be taken by the Police, to meet the contingency of the attack actually being played out. This included registering the case as a “terror threat” and tracing the e-mail with international assistance.

However, Karnataka Police took things lightly, registered the case as an ordinary e-mail threat and transferred it to the local police station in Bellandur. The Cyber Crime division traced the e-mail to a Switzerland IP address (ProtonMail, the service the sender used, is hosted in Switzerland, so this points to the mail provider rather than to the sender) and left it to the Bellandur police station to follow up with the CBI and Interpol to try to find the sender. It was clear that everybody assumed we would not hear about it again and the prank could be forgotten.

But unfortunately, it is now reported that the e-mail threat has returned to haunt Wipro once again with a renewed demand. The sender is aware that the earlier e-mail was not traced and was bold enough to use the same e-mail address, ramesh2@protonmail.com.

Now the problem is back on the desk of the Police. Will they continue to ignore the threat (as reported in this article in the Indian Express) and expect the Bellandur constable to trace the Switzerland IP address and crack the case? Or will they invite the anti-terror department of the Police to come in and take up the investigation?

Wipro says that it has taken some safety measures. Hopefully these are measures to prevent any form of dispersion of Ricin on any of Wipro's premises. They appear to have reported the incident to CERT-In and consider that sufficient fulfillment of the data breach notification requirements. It is not known whether CERT-In has made any investigation and tried to trace the e-mail, which in all likelihood was sent from India through some proxy servers.

At this time we cannot say anything other than regret that neither the Police nor the company appear keen on escalating the issue to a “high level threat”, and instead wish that it would simply go away.

If by any remote probability the threat is executed and we are caught unprepared, then it would be in the fitness of things that the persons responsible for the negligent handling of the incident stand trial for gross negligence leading to loss of life.

Let’s pray that nothing of that sort happens…. because I am talking of my personal friends both in the Police and Wipro whom I include in not being serious enough in this incident.

Naavi

 

Posted in Cyber Law

A Lesson in Section 65(ITA) Compliance and use of Section 65B (IEA) certification emerges out of MCX issue

Recently I raised an objection about a comment posted by MCX of India Limited on the discussion forum of MyGov.in regarding Bitcoin regulation. The Government had asked for public opinion on the forum, which was expected to be used by the committee formed for the purpose to arrive at a decision.

Obviously there were different stakeholders with different vested interests. Some wanted Bitcoin to be legalized and some did not. The undersigned was one who held that Bitcoin is detrimental to the interests of the country and needs to be banned.

(Details are available in a series of articles at present ending with this article on naavi.org: Fight Against Corruption now has a new Slogan: Say No to Bitcoins).

Multi Commodity Exchange of India (MCX) is a licensed commodity exchange that allows trading of derivatives on different commodities, including gold and silver as well as foreign exchange, under regulations framed by SEBI and RBI. It is like BSE and NSE and is a quasi-regulator of commodity derivatives.

In the event Bitcoin or any other cryptocurrency is recognized by India as a commodity, it would naturally be a “commodity or a derivative” that would come under the trading list of MCX. Hence MCX is a direct stakeholder in the Government's decision to legalize Bitcoin or otherwise.

Just as RBI or SEBI itself was not expected to participate in the forum discussions and give its views, since they were the decision makers themselves, MCX was also to be considered part of the regulator and not part of the public.

However, some executive who did not understand the nuances of propriety posted an opinion using the official logo of MCX stating that MCX recommends legalization of Bitcoin. This was posted on the forum a few hours before the end of May 31, when the collection of opinions was to close.

The undersigned raised an objection, called it an attempt by an “insider” at “fixing” the decision of the committee and demanded action. Since MCX is a Board-managed company and the opinion expressed was a policy decision, it should have been taken only under the directions of the Board. Also, since MCX is itself a listed company, major policy decisions that are considered “price sensitive” need to be notified to BSE/NSE before being released to the public.

What MCX did was therefore a failure of Corporate Governance and fit for penal action from SEBI.

When the objection was raised by the undersigned, the Board naturally moved in and perhaps wanted to take its own corrective action. The first thought that came to their mind was “removing the comment”, which was perhaps not authorized. Perhaps most managers would come to the same conclusion. They would therefore have contacted the MyGov forum administrator and requested removal of the content. The MyGov.in admin obliged by removing the content.

However, this raises the issue of “electronic evidence” being tampered with. MyGov.in in this context is an “intermediary”, and when a notice of objectionable content is given to it by a suitable authority, under Section 79 of ITA 2000/8 it may remove the content. But this was a forum where the persons posting comments were not authorized to remove content once posted, and hence it was expected that content once posted was “evidence” that could be acted upon by others who could view it and be influenced by it.

According to the rules under Section 79, content that is removed needs to be preserved for evidentiary purposes for at least 90 days as “provisional evidence”. If, however, the intermediary becomes aware that there is actually a dispute related to the content and it is “actual evidence”, it needs to be preserved for a reasonably longer time.

In the current incident, anticipating the removal of the content, CEAC had already captured the evidence as it existed on May 31, 2017, and also captured the forum content on June 1, 2017, showing clearly the absence of the original content, or more appropriately, the “tampered page”.

Now the MyGov.in administrator can be accused of allowing tampering of electronic evidence that was required to be maintained under law (Section 65 of ITA 2000/8).

The correct procedure for removal of the content was one of the following two methods.

  1. A rejoinder could have been posted along with the original content, indicating prominently that the content had reportedly been posted without the authority of MCX (which is an offence under, say, the Trade Marks Act, or impersonation under Section 66C/66D of ITA 2000/8 etc.) and that the management has disclaimed the opinion made therein, which should be ignored. Then viewers would see both the original content and the correction. (This method was suggested by Naavi way back in December 2000 in the context of the dalistan.org website in our article How To Control Rogue Sites.)
  2. The administrator of MyGov.in could have masked the earlier message with a note that the content has been masked because it had reportedly been posted without the authority of the organization in whose name it was posted.

If therefore BSE or NSE now wants to take action on MCX, as mandated by the SEBI regulations, for violating the listing guidelines, they will have to contend with a situation where the offending evidence is no longer available on the web and has been tampered with by none other than the MyGov.in administrator. He can plead ignorance and escape criminal prosecution, but the evidence is lost at his end.

However, CEAC is maintaining the evidence and has also posted it on www.naavi.org. The article posted on naavi.org can itself be used as evidence with a Section 65B certification of the naavi.org webpage.

This article is being published to explain the compliance requirements under Section 65 of ITA 2000/8 for public discussion forum owners.

It also explains the context in which Section 65B certificates can be of use in public interest litigation as well as specific litigation involving tamperable electronic documents (provided one is alert enough to capture the before and after instances of the electronic documents through a trusted third party like CEAC).
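As an added illustration, not CEAC's or MyGov.in's software and not a description of how that forum actually works, the following example shows the two practices this post relies on: a third party capturing a page with a timestamp and a SHA-256 digest before and after the change, so that any later alteration of the captured copy is detectable and the removed line can be identified by comparing the two captures; and an administrator masking rather than deleting a post, preserving the original together with its digest and a retention deadline. The forum, the posts, the dates and the “third-party capture service” are constructed for the example; the 90-day figure is the minimum retention period the post cites for removed content.

```python
import hashlib
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 90  # minimum preservation period for removed content cited in the post


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def capture(page_text, captured_at, captured_by):
    """Snapshot a page as seen at a point in time.

    The record binds the content to a SHA-256 digest, a timestamp and the
    capturing party; a certificate of the kind the post discusses would be
    issued against this record.
    """
    return {
        "captured_at": captured_at.isoformat(),
        "captured_by": captured_by,
        "sha256": sha256_hex(page_text),
        "content": page_text,
    }


def verify_capture(record):
    """Recompute the digest; any later edit to the stored content breaks the match."""
    return sha256_hex(record["content"]) == record["sha256"]


def removed_lines(before, after):
    """Lines present in the earlier capture and absent from the later one."""
    later = set(after["content"].splitlines())
    return [line for line in before["content"].splitlines() if line not in later]


class Forum:
    """Minimal discussion forum (constructed for the example)."""

    def __init__(self):
        self.posts = {}    # post_id -> {"author", "text"}
        self.archive = []  # append-only store of the originals of altered posts

    def post(self, post_id, author, text):
        self.posts[post_id] = {"author": author, "text": text}

    def render(self):
        return "\n".join(f"[{pid}] {p['author']}: {p['text']}"
                         for pid, p in sorted(self.posts.items()))

    def delete(self, post_id):
        """The approach the post objects to: the original is simply gone."""
        del self.posts[post_id]

    def mask(self, post_id, reason, now):
        """Replace the visible text with an administrator note, but first
        preserve the original with its digest and a retention deadline."""
        original = self.posts[post_id]
        self.archive.append({
            "post_id": post_id,
            "author": original["author"],
            "original_text": original["text"],
            "sha256": sha256_hex(original["text"]),
            "masked_at": now.isoformat(),
            "retain_until": (now + timedelta(days=RETENTION_DAYS)).isoformat(),
            "reason": reason,
        })
        self.posts[post_id] = {
            "author": original["author"],
            "text": f"[content masked by administrator: {reason}]",
        }


def demo():
    """Walk through a before/after capture around a masked post."""
    forum = Forum()
    forum.post(101, "citizen_a", "Bitcoin should be banned.")
    forum.post(102, "exchange_x", "Exchange X recommends legalising Bitcoin.")  # the disputed post
    forum.post(103, "citizen_b", "Regulate but do not ban.")

    t_before = datetime(2017, 5, 31, 21, 0, tzinfo=timezone.utc)
    before = capture(forum.render(), t_before, "third-party capture service")

    t_mask = datetime(2017, 6, 1, 9, 0, tzinfo=timezone.utc)
    forum.mask(102, "reportedly posted without the organisation's authority", t_mask)
    after = capture(forum.render(), t_mask, "third-party capture service")

    # A copy of the earlier capture altered after the fact no longer verifies.
    tampered = dict(before, content=before["content"].replace("recommends", "opposes"))
    return {
        "before_ok": verify_capture(before),
        "tampered_ok": verify_capture(tampered),
        "removed": removed_lines(before, after),
        "archived": forum.archive[0],
        "visible_now": forum.posts[102]["text"],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

A digest on its own only proves that the content has not changed since the capture; the weight of the evidence rests on the capturing party being independent of both the forum and the poster and on the timestamp being trustworthy, which is why the post stresses capture by a trusted third party rather than by the forum operator.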

Other aspects of Section 65B certification on who has to give such certification and how are discussed elsewhere.

Naavi

Posted in Cyber Law