Let’s tighten our seat belts and let Mr Narendra Modi shake up and clean the Indian Banking system

After the surfacing of the Nirav Modi-Mehul Chokshi scam in PNB, the media are offering their own interpretations, some of which are politically motivated and some born out of a lack of information. According to NDTV and some other media, the loss may be over Rs 20000/- crores. Rahul Gandhi, who may think he belongs to the Mahatma Gandhi family, is still struggling to distinguish whether Nirav Modi is the cousin of Narendra Modi. Mr Singhvi is caught in the “Unaccounted Money” allegations. The Alpha files and Deep Throat are also in the fray, making this a great time for TRP oriented media.

Negligence in Banking is universal

The Dinesh Dubey revelations may appear sensational to Mr Arnab Goswami, but the fact that Bank Boards are manipulated by politicians is well known. The UPA Government, which had mastered the art of making money by exploiting land, sea, air and even the spectrum, could not have missed an opportunity to take money directly from the Banks. Hence if Mr Narendra Modi says that when he took over, NPAs were more than 126000 crores and he could not have publicised it without hurting the industry, it does not come as a surprise to observers like us. From the old Indian Bank fraud to the Harshad Mehta fraud, we have seen enough frauds in the Banks to believe that if Digital Banking is indiscriminately promoted, fraudsters will make merry.

If Global Bankers have a system whereby a SWIFT message from a deputy manager of a Bank can be used to lend thousands of crores to one company by several banks, then the problem is that the Digital Bankers of the day do not know the risks inherent in Banks. This includes even the wise men in RBI who are good paper pushers.

Naavi.org has had its own share of “Doomsday predictions” in Banking, and there are plenty of articles in the past highlighting a day of this nature when Cyber Frauds, or frauds in the Cyber Banking scenario, could be huge enough to wipe out even big Banks.

For a long time we have held that RBI has no control over influential Commercial Bank Chairmen. We have stated this in the context of ICICI Bank, State Bank of India, PNB and Axis Bank, where we had observed frauds, brought them to the notice of RBI and found that no action was taken. We had even demanded that some branch licenses of ICICI Bank and PNB should be suspended as a deterrent. Some of these Chairpersons have held influential positions in IBA, which has been more powerful than RBI. Hence many security guidelines of RBI are simply ignored by IBA, and RBI has done nothing to enforce its authority.

As a result, the negligence and apathy in the Banking industry continues. Security is always subordinated to profits and hence we see weak IT systems and opportunities for frauds increasing by the day.

Yesterday, City Union Bank was also confronted with a SWIFT fraud in which three fraudulent remittances seem to have been attempted. One of these has been prevented. One more may be retrieved quickly. The other may require some effort. But the fact that CUB faced the same problem which Bank of Bangladesh suffered long ago shows that our Banks do not learn lessons.

There is presently no doubt that officials of PNB were involved in the fraud to favour Nirav Modi-Mehul Chokshi. They might have been pressured politically at the Chairman level. It is only when Mr K.R. Kamat, the former Chairman of PNB, is queried about some of these transactions that the truth may come out.

In this confusion, we should not forget that it is not only PNB that should be hauled up, but each of the Banks which gave funded loans to Nirav Modi-Mehul Chokshi firms on the basis of a SWIFT message from a junior officer, without following the 90 day RBI norm or examining the end-use of funds and the feasibility of the operations.

As Mr Dinesh Dubey’s statements indicate, there was a political conspiracy whereby multiple Bank Chairmen were made to provide funded loans against PNB’s LOUs. Hence all these Banks are part of the conspiracy to siphon off Rs 11000 crores, or whatever amount we finally end up with as the loss in the funded accounts. It is for this reason that RBI should not force PNB to take all the liability and leave out the other Banks from the conspiracy. If this is forced, it would mean that RBI itself would be guilty of abetting the fraud.

The other independent Directors who were complicit with these frauds should also be questioned in each of these Banks.

The contribution of Finacle software

Another neglected aspect is the company responsible for the Core Banking Software used in the Indian Banking system, which happens to be our beloved Infosys. The system is FINACLE. After the few PNB phishing frauds that I had come across, I raised my voice against FINACLE not being Cyber Law compliant. Now this PNB fraud indicates some of the systemic weaknesses in the Finacle software.

I am sure that my friends in Infosys will immediately object to my drawing their name into this controversy. When I objected to the Finacle Marketing chief hailing it as a platform for Bitcoin usage, I had many of my friends displeased. But the reason why Infosys should find itself reviewing its own contributory role in this Banking fraud is that the software does not appear to be built by design to prevent such frauds.

Software developers may conveniently say that it is for the software user to provide specifications and the developer will provide a solution as desired; if the solution facilitates frauds, it should not be the responsibility of the software developer.

They may say that “Releasing a Software with Bugs is their right”, and that what conventional Bankers like the undersigned may dub “Fraud friendly specifications” is the responsibility of the Bank using their software.

I recall that in the past the developers of the accounting software “Tally” told me that some security features in the software were deliberately removed in subsequent versions because the users wanted “Flexibility” in the accounting. The flexibility wanted by the users was the ability to manipulate accounts so that false accounts could be created without the log system capturing the manipulations. This facilitated a fraud in an Exporter’s firm in Chennai, in whose investigation I had participated. Tally succumbed to this marketing pressure and fell into the practice of “Customization for Customer Convenience”.

It is possible that Infosys is in the same situation where, for commercial reasons, it has to configure FINACLE to facilitate convenience even though this makes it easy for fraudsters to misuse the system.

Today everybody is asking why PNB’s SWIFT messaging system works outside the CBS.

If certain messages sent out of SWIFT create liabilities (contingent or otherwise) for PNB, and have to generate a corresponding “Margin Money Demand” and “Guarantee Commission Credit”, then FINACLE should have ensured that such messages are generated only from within FINACLE.

If PNB officials did not want it this way, Infosys should have documented the request along with the reasons. If the Infosys developers had understood “Banking” in depth, they would have immediately sensed that the request was made only to keep a “Backdoor for fraud” that could be exploited.

Infosys failed to show the commitment to prevent a “Fraud Friendly Configuration” from prevailing, which could hurt society.

I would be happy to receive a clarification from the FINACLE team if my conjecture is wrong. I would expect Mr Nandan Nilekani to order a review of the security features of Finacle without restricting the definition of security to only the CIA principle of technical security, but extending it to “Security of the underlying business which the software supports”, which is the “Total Information Assurance” principle.

Role of Auditors

We can now shift our attention to the auditors and the Information Security department of PNB. Should they not have seen the “Vulnerability” in the CBS system and flagged it as a risk?

Probably these auditors did not understand how the IT system of Finacle could be misused. Even if they were not IS experts and had to believe the management statements, the nature of the financial transactions, the 365 day window provided for the LOUs, the frequent roll-overs etc. should have given them the clue.

Internal auditors, who should be Techno Banking specialists, also failed to note the suspicious patterns.

I am sure that SWIFT messages are separately audited, and at the very least they should have been reconciled with the margin money and guarantee commission accounts, which the auditors ignored.
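The reconciliation described in this section, and the point made earlier that a SWIFT message creating a liability should generate a margin money demand and a guarantee commission credit inside the CBS, can be mechanised. The following is an added example, not code from PNB, SWIFT or Infosys: it takes an outbound SWIFT LoU log and the CBS entries booked against the same references (both constructed sample data) and lists every LoU that is not fully mirrored in the books. The record layout, the entry kinds and the 90 day tenor limit (the norm the post cites) are assumptions made for the example.

```python
"""Added example (constructed data, not PNB's or Finacle's records):
reconcile outbound SWIFT letters of undertaking (LoUs) against the CBS.

Every LoU that leaves via SWIFT should have, in the CBS, a contingent
liability entry for the same amount, a margin money entry and a guarantee
commission entry, and its tenor should stay within the norm."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class SwiftLou:
    ref: str              # message reference quoted in both systems (assumed)
    beneficiary_bank: str
    amount_cr: int        # INR crores
    issued: date
    expiry: date


@dataclass(frozen=True)
class CbsEntry:
    lou_ref: str
    kind: str             # "CONTINGENT", "MARGIN" or "COMMISSION" (assumed)
    amount_cr: int


# Constructed: four LoUs as seen in the SWIFT outbound log.
SWIFT_OUTBOUND = [
    SwiftLou("LOU-0001", "BANK-A", 100, date(2018, 1, 10), date(2018, 4, 10)),
    SwiftLou("LOU-0002", "BANK-B", 250, date(2018, 1, 15), date(2019, 1, 15)),
    SwiftLou("LOU-0003", "BANK-A", 80, date(2018, 2, 1), date(2018, 4, 30)),
    SwiftLou("LOU-0004", "BANK-C", 60, date(2018, 2, 5), date(2018, 5, 5)),
]

# Constructed: what the CBS actually booked against those references.
CBS_ENTRIES = [
    CbsEntry("LOU-0001", "CONTINGENT", 100),
    CbsEntry("LOU-0001", "MARGIN", 10),
    CbsEntry("LOU-0001", "COMMISSION", 1),
    CbsEntry("LOU-0003", "CONTINGENT", 80),
    CbsEntry("LOU-0003", "COMMISSION", 1),
    CbsEntry("LOU-0004", "CONTINGENT", 40),   # booked short of the message
    CbsEntry("LOU-0004", "MARGIN", 6),
    CbsEntry("LOU-0004", "COMMISSION", 1),
]


def reconcile(swift, cbs, max_tenor_days=90):
    """Return {lou_ref: sorted exception codes} for LoUs not fully mirrored
    in the CBS. An empty dict means every message reconciles."""
    booked = {}
    for e in cbs:
        booked.setdefault(e.lou_ref, {})[e.kind] = e.amount_cr

    findings = {}
    for lou in swift:
        codes = []
        entries = booked.get(lou.ref, {})
        if "CONTINGENT" not in entries:
            codes.append("NO_CONTINGENT_ENTRY")      # liability never hit the books
        elif entries["CONTINGENT"] != lou.amount_cr:
            codes.append("AMOUNT_MISMATCH")          # books say less than the message
        if entries.get("MARGIN", 0) <= 0:
            codes.append("NO_MARGIN")                # no margin money demanded
        if entries.get("COMMISSION", 0) <= 0:
            codes.append("NO_COMMISSION")            # no guarantee commission credited
        if (lou.expiry - lou.issued).days > max_tenor_days:
            codes.append("TENOR_EXCEEDS_NORM")       # e.g. a 365 day window
        if codes:
            findings[lou.ref] = sorted(codes)
    return findings


if __name__ == "__main__":
    for ref, codes in reconcile(SWIFT_OUTBOUND, CBS_ENTRIES).items():
        print(ref, ", ".join(codes))
```

Run daily over the previous day's outbound messages, an exception report of this shape would have surfaced a message with no contingent entry, no margin and a one year tenor on the day it was sent, rather than years later.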

The Board, which provides an annual declaration under clause 49 of the listing requirements in the annual report stating that there are “Adequate Controls and the correct financial statements are reflected”, has made a false statement for which the entire board of directors is responsible.

The same questions of internal control and auditing failures apply to each of the other Banks which are today claiming that they trusted the LOU of PNB and blindly paid out thousands of crores to beneficiaries. We are not fools to accept this argument.

I consider that the issue of loans by all these Banks, under circumstances where the business feasibility was doubtful and known norms were flouted, is prima facie evidence of the involvement of employees/Directors/CMDs in all these Banks (6 or 32?) in a great Banking fraud conspiracy.

CBI must enquire into all these employees, starting with the Allahabad Bank Board members on whom specific information is now available.

Demoralization Effect

As an ex-banker, I am aware that this fraud, which cuts across many Banks, will have a demoralizing impact on the employees when CBI casts its net wide. We have seen this happen after the Indian Bank fraud surfaced two decades ago.

It is for this reason that the Media should stop creating panic and putting pressure on the BJP Government. Instead, they should try to instill confidence in the public that what the Government is trying to do is a very sensitive operation and has to be done discreetly.

While the anti national forces, which include the present version of the Congress party, would like to create more confusion with their demand for a JPC so that the thieves can themselves be the judges, the Government of India should resolutely move towards cleaning up the mess. The less they talk, the better.

One word of comfort from Mr Arun Jaitley or Narendra Modi that proper action will be taken should suffice. All the spokespersons should stop talking on this scam even if they are tempted to do so because of the utterances of the opposition. The “Professional Panelists” like Sumant Sriram et al. should be kept out of the channels for some time so that a sense of responsible reporting returns to the media, rather than shouting for political gains.

In the process, we need to root out corruption in Banking and ensure that the future of Banking is saved. Let more heads roll and more bodies go behind bars. It will be in a good cause.

The Indian Banking system has many honest individuals who can rise to meet the challenge, fill the void even if 25% of the top management in Banks is removed, and manage the turmoil. All the independent directors of the 6-32 Banks who were complicit in the conspiracy should be removed forthwith and brought into the enquiry process.

This will have its share of demoralization in the industry. But it will spur the honest Bankers at the next level to work more honestly than before and restore the Banks to health.

This is like the Kargil fight. We might have lost the battle, but let us fight to win the War. Just as the public supported Mr Narendra Modi in the demonetization days, they will support him even now.

Let’s therefore tighten our seat belts and let Mr Narendra Modi shake up the Banking system.

Maybe the above ad from PNB on its home page is meaningful in the current context.


P.S.: It is now reported that the Level 5 password for SWIFT, which only AGMs could use, was shared by Mr Shetty, who was a deputy manager, with the officials of Nirav Modi so that they could issue their own LOUs.

This means that the password was first shared by the AGM with Mr Shetty, and that the system was not configured to link the hardware ID from which SWIFT could be accessed. Normally an adaptive authentication system should prevent logging in to SWIFT except from a designated computer. The IT Manager, the IS Manager and the AGM himself all deserve to be put in jail for giving away the key to the strong room to the fraudster.

If the software had been designed with this possible use case in the picture, such a login would not have been allowed even if the fraudsters had come to Mr Shetty’s cabin and operated his computer, since the AGM’s password should have been linked to the AGM’s own computer.

It also means that there was no digital signature or biometric authentication, either for the SWIFT application or for the computers authorized to access the SWIFT application. (Refer to the India Today article.)
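The control this postscript asks for, a credential that is useless on any machine other than the one registered to its holder, plus a signature over the message, is a small policy check. The following is an added example written for this page, not code from PNB, SWIFT or Finacle. The users, terminal identifiers, levels and keys are constructed, and the HMAC stands in for a real digital signature (a PKI based signature would take its place in a deployment); the audit log records every decision, allowed or denied, so that a shared password shows up as a string of refusals from the wrong terminal.

```python
"""Added example (constructed registry, not a bank's configuration): a
release gate for an outbound SWIFT message that ties the credential to a
registered terminal and requires a signature over the message, so that a
shared password by itself cannot release anything."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed registry: who holds which level, on which terminal, with which key.
REGISTRY = {
    "agm.rao":   {"level": 5, "terminal": "PC-AGM-01", "key": b"agm-key-constructed"},
    "dm.shetty": {"level": 3, "terminal": "PC-DM-07",  "key": b"dm-key-constructed"},
}
MIN_LEVEL_TO_RELEASE = 5   # the "Level 5" the post refers to


@dataclass(frozen=True)
class Session:
    user: str        # credential presented at login
    terminal: str    # hardware identity of the machine the login came from


def sign(user: str, message: bytes) -> str:
    """Stand-in for the signing step: HMAC with the user's key. A real
    deployment would use a private key held only by the signer."""
    return hmac.new(REGISTRY[user]["key"], message, hashlib.sha256).hexdigest()


def authorize_release(session: Session, message: bytes, signature: str, audit: list):
    """Return (allowed, reason). Every decision is appended to the audit log."""
    rec = REGISTRY.get(session.user)
    if rec is None:
        reason = "UNKNOWN_USER"
    elif rec["level"] < MIN_LEVEL_TO_RELEASE:
        reason = "INSUFFICIENT_LEVEL"        # a deputy manager's own login
    elif session.terminal != rec["terminal"]:
        reason = "TERMINAL_NOT_BOUND"        # right password, wrong machine
    elif not hmac.compare_digest(sign(session.user, message), signature):
        reason = "BAD_SIGNATURE"             # message not signed by that user
    else:
        reason = "OK"
    audit.append((session.user, session.terminal, reason))
    return reason == "OK", reason


if __name__ == "__main__":
    log = []
    msg = b"LOU LOU-0001 100 cr beneficiary BANK-A"       # constructed message
    print(authorize_release(Session("agm.rao", "PC-AGM-01"), msg, sign("agm.rao", msg), log))
    # The AGM's password typed at the deputy manager's terminal is refused.
    print(authorize_release(Session("agm.rao", "PC-DM-07"), msg, sign("agm.rao", msg), log))
    for entry in log:
        print(entry)
```

The order of the checks matters: the terminal binding is evaluated before the signature, so a stolen password never even reaches the signing step from an unregistered machine, and the refusal is logged against the terminal that tried.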

…Disgusting

Naavi



Contingent Electronic Evidence and Evidence Drop Box, Concepts which we should be aware of..

After the Basheer judgement, there have been several discussions on the Section 65B (IEA) certification of electronic evidence for “Admissibility”. I suppose some clarity has dawned on the community with these discussions, though there are some areas which continue to create doubts.

In the recent SLP order issued by the Supreme Court in the case of Shafhi Mohammad Vs State of Himachal Pradesh, the two member bench consisting of Adarsh Kumar Goel and Uday Umesh Lalit actually challenged the P.V. Anvar Vs P.K. Basheer judgement given by a three member bench and created confusion in judicial circles.

One of the issues discussed in the Shafhi Mohammad case was how an electronic document present in a device not under the control of the producer of the evidence can be produced for admissibility. The Court came to the very illogical decision that in such cases the Section 65B certificate itself is not required. We have already stated that the decision has to be ignored, since a two member SLP order cannot override a three member Judgement.

Our objection to the order was that if at some point of time the presenter of evidence had access to an electronic document, and today that document is not available for Section 65B certification, then it is a failure of that person in not getting the Section 65B certificate at the time when he had access to it.

Since a Section 65B certificate can be provided by any person who has viewing access to the document, there should be no problem in getting the certificate if people are aware of the provision. Ignorance of law is not an excuse, and hence if the original electronic document is no longer available and the earlier copy is not admissible because it is not Section 65B certified, then the evidence should be considered lost.

Just because “Documentary Electronic Evidence” is lost, it does not mean that justice would be lost. It would be difficult of course but not entirely unthinkable.

For example, if you have just witnessed a murder before your eyes but did not take out your mobile and take a picture, the documentary evidence of the murder is lost for ever. It does not mean that the evidence itself can be excused, since not everybody carries a camera around to capture the events happening around them.

However, we are not trying to debate why the SLP order said what it said, and whether it was out of ignorance, out of a need to challenge another Judicial order, or for any other purpose. We have another point emerging out of the situation which we have already discussed but which can be recalled again.

In many instances, we do not know whether an electronic document before us is “Evidence” or not. But an intelligent person would know whether it is “Potential Evidence”. For example, when we enter into a business deal, we want a written paper so that if tomorrow there is any dispute, we know what we have agreed upon. The document becomes evidence if there is a dispute before a judicial authority. Until such time, it is a redundant piece of paper.

In the case of electronic documents, the “Potential Evidence”, if any, has to be archived along with a Section 65B Certificate, so that if and when it is required later, the electronic document is already bundled with the Certificate at the archival center.

Once such a document is archived, even if the original gets destroyed, the evidence is still admissible. However, no person should deliberately destroy evidence which is in his hands, since it may attract Section 65 or Section 67C of ITA 2008 or Section 204 of IPC if what is being destroyed is “Evidence” at the time it is destroyed.

There is, however, the case where we may have an archived electronic document along with a Section 65B certificate, but the original was in the hands of a third party (e.g. an ISP/MSP). Though the law provides that such a person can be summoned to produce the evidence, many times this may not be practical, or the document might have been removed in the ordinary course of business by the holder, who did not know that it was “Evidential Matter”.

It was to accommodate such a situation that the Shafhi Mohammad order came to the absurd conclusion: “Let’s do away with the Section 65B certificate itself”.

On the other hand, CEAC (Cyber Evidence Archival Center), when confronted with the challenge in the E Commerce scenario, thought differently and introduced a service called “Evidence Drop Box”.

Evidence Drop Box is a service provided by CEAC to ensure that “Contingent Evidence” can be submitted for Section 65B certification without any cost and held in a “Contingent” condition for a period of 30 days. By the end of this 30 day period, if the person decides to use the “Contingent Evidence” as “Evidence”, he may request a Section 65B certificate and acquire it at the cost specified by CEAC.

The “Contingent Evidence” becomes “Evidence” when the contingency materializes. For example, in an E Commerce transaction, when a purchase has been made on the basis of a product description on the E Commerce website, the information provided about the product is “Marketing Information”: it is read before the purchase decision is made, but more often than not it is not kept on record. If subsequently a “Dispute” arises and the buyer or the seller claims that the product description was not what the product supplied indicates, the “Marketing Information” becomes “Evidence”. The “Dispute” is therefore the contingency under which the contingent evidence turns into evidence.

The CEAC Evidence Drop Box gives the buyer an opportunity to deposit the evidence before he completes the purchase, with no financial stake until the contingency arises.
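The workflow just described (deposit, a 30 day contingent hold, then either a certificate on request or expiry) can be modelled as a small state machine. What follows is an added illustrative example and not CEAC's system or its certification procedure: it fingerprints the deposited page with SHA-256 at deposit time, keeps the deposit date, and issues a certificate record only while the hold is still running. The receipt format, the certificate fields and the sample listing are constructed; a Section 65B certificate is a signed legal statement, and this code only shows the record keeping that would sit behind it.

```python
"""Added example (illustrative model, not CEAC's code): a contingent
evidence box. A deposit is fingerprinted and dated at once, stays
CONTINGENT for the hold period, and is either CERTIFIED on request or
marked EXPIRED if the request comes too late."""
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta

HOLD_DAYS = 30   # the 30 day contingent period the post describes


def fingerprint(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Deposit:
    sha256: str
    depositor: str
    source: str                 # where the page was captured from (assumed field)
    deposited_on: date
    state: str = "CONTINGENT"   # CONTINGENT -> CERTIFIED | EXPIRED
    certificate: dict = field(default_factory=dict)


class EvidenceDropBox:
    def __init__(self):
        self._items = {}

    def deposit(self, content: bytes, depositor: str, source: str, today: date) -> str:
        """Fingerprint and hold the document; return a receipt id."""
        digest = fingerprint(content)
        receipt = f"RCPT-{digest[:12]}"       # constructed receipt format
        self._items[receipt] = Deposit(digest, depositor, source, today)
        return receipt

    def request_certificate(self, receipt: str, today: date):
        """Convert a contingent deposit into certified evidence while the
        hold is running; return the certificate record, or None."""
        item = self._items[receipt]
        if item.state != "CONTINGENT":
            return None                        # already certified or lapsed
        if today > item.deposited_on + timedelta(days=HOLD_DAYS):
            item.state = "EXPIRED"
            return None
        item.state = "CERTIFIED"
        item.certificate = {
            "sha256": item.sha256, "source": item.source, "depositor": item.depositor,
            "deposited_on": item.deposited_on.isoformat(),
            "certified_on": today.isoformat(),
        }
        return item.certificate

    def state_of(self, receipt: str) -> str:
        return self._items[receipt].state

    def verify(self, receipt: str, content: bytes) -> bool:
        """Does a document produced later match what was deposited?"""
        return fingerprint(content) == self._items[receipt].sha256


def run_demo():
    """Constructed walk-through: one timely request, one late request."""
    box = EvidenceDropBox()
    page = b"<p>Constructed listing: 64 GB storage, 2 year warranty</p>"
    r1 = box.deposit(page, "buyer-1", "https://shop.example/item/1", date(2018, 2, 20))
    cert = box.request_certificate(r1, date(2018, 3, 10))     # day 18: inside hold
    r2 = box.deposit(page + b"<!-- v2 -->", "buyer-2", "https://shop.example/item/2",
                     date(2018, 2, 20))
    late = box.request_certificate(r2, date(2018, 3, 25))     # day 33: hold lapsed
    return {
        "certified": cert is not None and cert["sha256"] == fingerprint(page),
        "matches_original": box.verify(r1, page),
        "matches_altered": box.verify(r1, page + b" "),
        "late_request": late,
        "late_state": box.state_of(r2),
        "recertify": box.request_certificate(r1, date(2018, 3, 11)),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

The hash is taken at deposit, not at certification, so the certificate attests to what the buyer saw before purchase; a page the seller changes afterwards no longer verifies against the receipt.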

It will take some time for the market to absorb the utility of this proposition, and also some time for CEAC to automate and fine tune the certification process, but it will be a boon to E Commerce in India.

Explore it next time when you make any online purchase.

Naavi


RBI is making a mistake in the PNB fraud case

As expected, the media is crying as if Rs 11500 crores have been lost by PNB. Congress, as expected, is talking as if it is not Nirav Modi who is in question but Mr Narendra Modi himself. Both may be excused for their ignorance and need for TRP.

However, I am surprised that RBI has come out with a statement which is, in my opinion, legally incorrect.

Normally, when letters of guarantee are issued, they are issued on stamped paper and with the understanding that the beneficiary will be “Paid without demur”. RBI is therefore saying that PNB should pay all the liabilities without contesting.

However, the PNB Chairman has rightly stated in his press conference that the bank would repay only bona fide claims.

I fully agree with the contention of PNB that it should not make payment blindly to anybody who makes a claim as beneficiary of the guarantee. It should challenge the claim, since there is a “Notice of Defective Title” to the beneficiary and PNB is bound to exercise caution.

In this case, the lenders are supposed to have financed some valid business proposition with the letter of comfort as collateral security. No Bank is supposed to treat a letter of guarantee as just an endorsement on a cheque and make payment just like that. Only if the venture then fails for some reason, and the cause of action for which the letter of guarantee was issued arises, can the guarantee be invoked and the issuing Bank be obliged to pay.

If the beneficiary is Nirav Modi’s own firm, or there are other reasons for which the transaction for which the lender disbursed money was not justifiable for business purposes, then the transaction is prima facie suspect and the beneficiary himself can be considered an accomplice in defrauding PNB.

The forged letter of undertaking should be considered as a “Nullity” and not an “Authorized instrument that can create liability”.

If PNB can prove that the beneficiary had reasons to believe that the transaction is suspicious, then PNB would not be liable to pay.

Shareholders of PNB should therefore object to RBI’s instructions, which are meant to protect the other Banks which actually had a direct contractual relationship with Nirav Modi’s beneficiaries, while PNB itself is a victim of the fraud committed by its own officers.

We can accuse PNB of negligence, but that is for another day and for another argument. It does not give licence to other banks to accommodate Nirav Modi beyond his genuine business requirements and claim protection under the guarantee. The Guarantee would be valid only if the beneficiary had taken the decision to lend as if there were no collateral in the form of the guarantee.

Further, PNB should immediately revoke its guarantee, and if there is any claim by any beneficiary, the beneficiaries may be asked to raise their claims with full particulars of how the lending decision was taken. It can then evaluate the genuineness of the claims and decide the course of action.

At this point of time we do not have the actual text of the document, and hence we do not know whether it was transferable and could be discounted with secondary lenders, whether any transfer was required to be registered with PNB, whether there was a time limit for validity and for the claim, etc.

I suppose the press will get these details shortly, but RBI should let PNB handle its liability without jumping in to protect other Banks like Allahabad Bank or State Bank of India.

If the liability gets divided among 30 Banks it may be fine; no single Bank will take a big hit. In future RBI should insist that the beneficiary register his claim within a reasonable time after the guarantee letter is submitted to him, and that would avoid situations like this.

The SWIFT system should provide for digital signature of such transactions, and the digital signing should be registered automatically in the Core Banking System so that frauds like this cannot happen. Finacle, as a CBS software, should integrate the SWIFT messages with the CBS so that every SWIFT message is generated from within the Finacle system and duly recorded for audit at the Central Office level.

Since it is stated that more than Rs 6500 crores worth of assets have already been confiscated, and the lenders will have additional securities available to them, a substantial part of the actual losses may be fully recovered.

Hence neither RBI nor the media need to sensationalize this scam. The officials however need to be punished for the fraud.

Naavi


PNB Fraud of Rs 11500 crores was waiting to happen.

The Rs 11500 crore fraud at Punjab National Bank (PNB) in India was a fraud which was waiting to happen, due to the negligence of the Bank and of the software developers supporting the Banking operations.

It appears that those who developed the Core Banking software for the Bank had no understanding of the nature of controls required to prevent misuse of “Non Funded Lending”. If money goes out in a lending transaction, it will be captured by the system. But when only a “Letter” goes out, “Undertaking a liability to pay contingent on an event of default by a customer”, it may not get into the books until the liability fructifies.

If the liability does not fructify and the period for which the letter is issued lapses, no problem arises for the Bank except for the opportunity loss of a “Commission”.

Such activities lend themselves to “Kite flying” frauds, which is what has happened in this case. In the past the Harshad Mehta scam was in a similar mould. Even the Satyam Computer fraud was of the same nature. In all these cases, certain false papers were floated around, on the basis of which another third party lent funds. When such kite flying frauds miss a repayment cycle, they snowball into a major scam with a cascading effect.
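The two weaknesses described above, a non-funded liability that never reaches the books and a “kite flying” cycle in which a fresh letter is issued just before the previous one lapses, can both be caught by a register that books every LoU at the moment it is issued. The following is an added example with constructed data, not PNB's records or Finacle's design: it tracks outstanding contingent exposure per customer against a sanctioned limit and flags roll-over chains (a new LoU to the same customer, for at least the previous amount, issued within a short window before the previous one expires). Customer names, limits, dates and the 15 day window are assumptions.

```python
"""Added example (constructed data, not PNB's records): a register of
non-funded exposures that books each LoU as a contingent liability on
issue, tracks outstanding exposure per customer against a sanctioned
limit, and flags the roll-over chains typical of "kite flying"."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Lou:
    ref: str
    customer: str
    amount_cr: int      # INR crores
    issued: date
    expiry: date


# Constructed sanctioned non-funded limits per customer, INR crores.
LIMITS = {"FIRM-X": 150, "FIRM-Y": 100}

# Constructed issuance history: FIRM-X is rolled over twice, FIRM-Y is not.
REGISTER = [
    Lou("L1", "FIRM-X", 100, date(2017, 1, 10), date(2017, 4, 10)),
    Lou("L2", "FIRM-X", 110, date(2017, 4, 5), date(2017, 7, 5)),
    Lou("L3", "FIRM-X", 120, date(2017, 7, 1), date(2017, 10, 1)),
    Lou("L4", "FIRM-Y", 50, date(2017, 3, 1), date(2017, 5, 30)),
]


def outstanding(register, customer, on):
    """Contingent exposure to a customer on a given day: issued, not lapsed."""
    return sum(l.amount_cr for l in register
               if l.customer == customer and l.issued <= on < l.expiry)


def limit_breaches(register, limits):
    """Issue dates on which a new LoU pushed a customer beyond its limit.
    Returns (customer, ISO date, exposure) tuples in issue order."""
    breaches = []
    for lou in sorted(register, key=lambda l: l.issued):
        exposure = outstanding(register, lou.customer, lou.issued)
        if exposure > limits.get(lou.customer, 0):
            breaches.append((lou.customer, lou.issued.isoformat(), exposure))
    return breaches


def rollover_chains(register, window_days=15):
    """Group LoUs into chains where each is issued within window_days before
    its predecessor lapses, to the same customer, for at least its amount.
    Only chains of two or more LoUs are returned."""
    ordered = sorted(register, key=lambda l: l.issued)
    chain_of = {}        # ref -> the chain list that LoU belongs to
    chains = []
    for lou in ordered:
        pred = None
        for prev in ordered:
            gap = (prev.expiry - lou.issued).days
            if (prev.customer == lou.customer and prev.issued < lou.issued
                    and 0 <= gap <= window_days and lou.amount_cr >= prev.amount_cr):
                pred = prev                       # latest qualifying predecessor wins
        if pred is None:
            chain = [lou.ref]
            chains.append(chain)
        else:
            chain = chain_of[pred.ref]
            chain.append(lou.ref)
        chain_of[lou.ref] = chain
    return [c for c in chains if len(c) > 1]


if __name__ == "__main__":
    print("limit breaches:", limit_breaches(REGISTER, LIMITS))
    print("roll-over chains:", rollover_chains(REGISTER))
```

Because the contingent entry exists from the day of issue, the overlap between an expiring LoU and its replacement is visible as exposure above the limit, which is exactly the window in which a letter is being used to service an earlier letter rather than a genuine import.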

It is ironic that the name of the fraudster is Nirav Modi, and the Congress would be happy to use the occasion to place the blame on Mr Narendra Modi as if Rs 11500 crores had gone into his pockets. Mr Rahul Gandhi, who is an expert at spreading falsehood, will soon start speaking about this fraud in the Karnataka elections. It would not help if Mr Nirav Modi has left the country and is absconding.

Compared to Mr Vijay Mallya’s case, which appeared to arise out of a business failure of Mr Mallya’s companies, this fraud is of a more criminal nature since it involves “Forgery” of a document in the name of PNB. Hence the kind of protection Mr Mallya may get from international legal processes against being forced to return to India may not hold for Mr Nirav Modi. Once he is located, he can be quickly arrested on foreign soil with the help of Interpol and brought back to India.

It is critical for such speedy action to categorize this scam as the result of a “Forgery”. It is forgery because false, unauthorized letters of undertaking were issued by some officials of PNB. Since these letters were issued without proper authorization, they have no legal validity.

Whether the beneficiary of the letter can go behind the unauthorized letter and claim the money from PNB has to be evaluated from the terms of the letter. If the liability arises any time after the public notice of the fraud has been received, then the beneficiary cannot make any claim on PNB.

For the contingent liabilities to fructify, the cause of action should have arisen before the date of publication of the fraud, and the demand should have been made immediately thereafter.

While frauds using “Contingent Obligations” issued in the name of a Bank or another organization are not new, in this particular case one can identify the failure of the internal controls of PNB in not properly recording the message sent out of SWIFT undertaking a liability as part of the Bank’s contingent liabilities in the balance sheet.

It is also supposed that no “Digital Signature” was used in the process of signing the letter of undertaking, and that it was an “Un-digitally signed” letter from the Bank sent out of a system where authentication was based only on a password.

This is a failure of the design of the Banking software developed by large companies such as Infosys and used by all major Banks in India and abroad. The software developers focus only on the functional aspects of the software, and unless there is a domain specialist to assist the developer in understanding the fraud risks, they end up developing software which is not properly designed. The CBS used by PNB is one such software that appears not to have been developed by a proper Techno Banking professional team.

Unless Banks in India and the software companies providing CBS software understand the fraud prevention requirements to be built into the software, we will continue to see more such frauds, not only in the Banking domain but also in other fields.

I recall one of the early software architecture suggestions given by the undersigned to a broking firm, where I had suggested a control in the form of using accounting principles to track the risks of trading from the placing of the orders to the realization of money from the client, etc. Though it was not implemented, it appears that the PNB fraud would have been caught by such a design.

For the record, however, we need to remember that

a) not all of Rs 11500 crores will become a loss to PNB. PNB has to immediately send notices to recall all such undertakings and freeze their operations. It should give notice that these are forged letters not binding on the Bank. If there is any legal fallout arising out of this in international Courts, it should be faced.

b) This is a case of forgery and not a case of business failure like that of Mr Mallya, and hence extradition from whichever country Mr Nirav Modi is in is not going to be tough.

c) PNB and other banks should review their software systems to ensure that they capture all contingent liabilities, for which there could be a simple solution.

d) RBI should recognize the failure of PNB and of the CBS (Finacle) as part of its own supervision failure.

e) The Media should not create false propaganda and fear mongering that Rs 11000 crores might have been siphoned off. Most of this may be in the form of loans against assets, and if they are recovered, most of the losses can be recouped.

f) Congress will keep shouting and this should be ignored.

g) The Government should not lose time in taking swift action across the globe and confiscating as many properties of Mr Nirav Modi as possible, even before the full legal process is initiated.

h) Courts and Anti-National Lawyers should be prevented from placing hurdles in the recovery of money which is of paramount importance now.

If proper action is taken, the adverse impact of the fraud can be managed. At the same time, proper corrective measures must be initiated for the future. “FINACLE” as a product appears to require a complete overhaul, and hopefully the software companies involved will act immediately.

Naavi


Interaction with late Dr Abdul Kalam

While exploring some archives at Naavi.org, I came across a memorable interaction with the late Dr Abdul Kalam, the scientist who became a unique President of India and who remained a teacher till his death.

It was interesting to note that I had an occasion to explain to this teacher of teachers some aspects of digital forensics and demonstrate the utility of hardware disk cloning products.

This was during the 37th All India Police Science Congress held at Bangalore during June 06-08, 2006 at the NIMHANS Convention Center.

Mr H.D. Kumaraswamy, the then Chief Minister of Karnataka, is in the background. It was on this occasion that Naavi’s book “Cyber Laws Demystified” was released.

During those days, Naavi was deeply involved in the marketing of Cyber Forensic devices and conducted many demos for the Police and other authorities. Cyber Forensics has developed much since then, with Mobile Phone forensics becoming an important element of forensic investigation today. Naavi has also moved on, acquiring additional knowledge in Cyber Forensics besides his work in Cyber Law and Information Security, and could share his expertise in Cyber Forensics in some consulting projects in the days to come.

Naavi


Section 65B clarified… e-book



Naavi has published a few e-books, as detailed here.

Additionally, an e-book exclusively on Section 65B, titled “Section 65B of Indian Evidence Act clarified”, has been published.

This book is available at Rs 150/- as an E Book.

This book can also be a useful add-on along with other E books such as Cyber Crimes & ITA 2008 and Cyber Laws for Engineers.

A limited number of print copies of this book are available at Rs 200/- per copy, and they can be delivered only within India.

I hope readers will find this useful.

Naavi
