Software Application is not a mere piece of coding…There is business behind it

My article on the Bank of Maharashtra (BOM) UPI fraud, wherein I had expressed an opinion that NPCI and RBI also have some responsibility, elicited some off-the-record remarks from NPCI and from one of the senior technical members of another Bank. Their main contention was that the BOM Core Banking System (CBS) interacts with the BOM-UPI system, which in turn interacts with NPCI, and that in this instance the miscommunication was between the BOM-CBS and BOM-UPI interface. Hence they argue that NPCI was not in a position to know whether the transaction was genuinely cleared by the CBS system or not. It is also stated that the BOM-UPI interface belongs to BOM and hence BOM has to assume complete responsibility for the transaction, and NPCI cannot be held liable.

I suppose that this is the structure of communication used, and if so, it may be technically correct to consider that NPCI was not in a position to find out whether the transaction was cleared in the back end between the BOM CBS and BOM UPI systems or not.

That apart, we should discuss some additional aspects of how the system was adopted between NPCI and BOM without end-to-end testing, so that a faulty sub-system became part of the whole system that operated between a customer of the Bank and an intended payee.

It is possible that the technical persons in NPCI as well as BOM were focussing only on how the UPI interface of BOM interacts with the UPI interface at NPCI, and tested only the technical aspects involved in this exchange of data.

The technical persons forgot that what the UPI interface of BOM was communicating to NPCI was whether a certain sum of money had been debited to a certain account and whether the debit had been passed by the Banking officials.

Here was a banking transaction bound in law. Had it been a cheque transaction, the Negotiable Instruments Act 1881 (NI Act), as amended in 2002, would require that the payment be a “Payment in Due Course”. Even in this case of e-instructions substituting for the cheque transaction, it is essential that the payment from the BOM CBS system should be a “Payment in Due Course” or its equivalent. If not, the Paying Bank may be liable for the fraud. At the same time the Collecting Bank (to which the money was credited on behalf of the payee) should also fulfil its responsibilities, similar to what is contained in Section 131 of the NI Act for collection of cheques, which should be taken care of by the technology team configuring the UPI app at that end.

Without satisfying the legal requirements of the NI Act, or its equivalent, the transaction cannot be considered legally complete.

In the digital payment transaction, between the Paying Bank and the Collecting Bank, there is NPCI as a clearing agency. It is an intermediary which instructs both the Paying Bank and the Collecting Bank on what they should do to complete the banking transaction using the UPI interface.

As an intermediary, NPCI has its own responsibilities under ITA 2000/8 besides some immunity derived under the Payment and Settlements Act.

NPCI should have supplied APIs to the different Banks along with instructions on how they may be configured at the respective Banks and linked with their own CBS systems. If the API belongs to NPCI, then NPCI is also responsible for ensuring that it is compatible with the different CBS systems that may be in use at different Banks.

It appears from this BOM incident that the UPI interface as built by BOM was not functioning properly and hence its instructions to NPCI were unreliable. But NPCI did not know, because it had not tested the “transactions” from the banking perspective and was satisfied with testing only the technical connectivity within one section of the transaction.

In this type of transaction, the transaction originates from one mobile using a UPI app and the digital instruction travels to NPCI, then on to the paying Bank, comes back and is communicated by NPCI to the sender. In the case of successful transactions, information is also sent to the intended payee’s mobile app and his bank’s UPI interface. The authentication system used in each segment of the transaction may not conform to the legal standards required under Indian law and rides only on a technical belief that nothing will go wrong.

The way the UPI system developed, it may be argued that NPCI is the owner of the system and has enrolled the Banks as members to use the platform. Therefore, the responsibility for the integrity of the platform lies more with NPCI than with the Banks. Even if, in the case of individual Banks’ UPI apps, there is a possibility for NPCI to shift the responsibility to the Banks, at least in the case of BHIM it is clear that NPCI is the lead institution and the others are supporting organizations.

Frauds can occur right from the downloading of the App by either of the two transaction parties, with possible malware infections at various levels.

It would not be possible for Banks and NPCI to consider that they do not have responsibility for technology related frauds and that the customer should bear the cost of such frauds. Since it is the Government that is forcing users to adopt digital payments, it is the responsibility of the Government and RBI to ensure that the system is safe and does not create a technology based risk for the customers.

Technology persons, especially software developers, should understand that they are building software that substitutes for humans at different points of decision making, and unless they view the software from the perspective of the underlying transaction and not as a few bytes of data that go in between, they will not be able to build secure applications. Applications that are tested only for functionality, without any regard to the underlying business transaction, are to be considered “Faulty ab initio”.

Software developers who are used to releasing software with bugs and later on sending patches and holding the users responsible for not applying the patches in time cannot be called “Responsible Software Developers”.

Knowing the difficulties in technology, there are two things which software developers and their owners should do.

First is that any software released to the public should be put through extensive field testing first. During this time, there should be a “Bug Bounty” program which attracts other specialists to pool their skills in cleaning up bugs. UPI did not go through this standard process.

Secondly, in financial transactions related software, the users must be protected by “Cyber Insurance” and part of the liability of the insurance premium must be borne by the software developers.

In the present instance, none of the players such as the Banks, NPCI, the RBI or the Government is concerned about the risks that a UPI user is exposed to. Banks are interested in their profits, RBI is powerless to regulate the Banks, and the Government officials and politicians do not know what risk they are pushing into the system. Since the public love Mr Modi, they are adopting digital payment systems faster than they should and hence exposing themselves to greater and greater financial risks by the day.

By making NPCI a giant universal gateway for financial transactions across India, a huge amount of financial risk has converged on the organization. In the event of a war or a major terrorist attack, NPCI may be rendered dysfunctional by our enemies and the Indian financial system may take a huge hit.

I am not convinced that technologists who do not have a holistic view of the transactions will be able to visualize all the risks in the system and take adequate action.

In the meantime, we the honest citizens of the country are left to keep praying to our favourite Gods that we should be spared from Cyber Crime risks, more so in the coming days when payments happen with our Aadhaar registered biometrics.

One technology person complained that I am creating a “Scare” by exaggerating the risks. I do not agree. But even if it is so, it does not matter. Because I know that software developers suffering from “Technology intoxication” are likely to overspeed and cause accidents to passers-by while they themselves are protected behind sophisticated air bags. Somebody like us should therefore challenge them from time to time for the general good of society.

Naavi

Posted in Cyber Law

Fighting susceptibility for “Cyber Hypnotism” with Ulysses Contracts

The recent Cyber fraud in Mumbai where an elderly (72 year old) woman was duped to the extent of Rs 42 lakhs in a Nigerian Scam (Refer here) opens up a discussion on how it is that seemingly intelligent people fall for this old trick of fraudsters. We often dismiss such frauds as a result of “Greed”, where the victim wanted to get rich overnight and fell into a trap. It is true that some of the Nigerian frauds are induced by the greed of the victim. But there could be other reasons as well for which some people seem to get carried away by the various promises made by their online friend and behave as if they are “hypnotized”.

This is not the only such case: there is no reason why a 72 year old lady with Rs 42 lakhs in her Bank account should feel greedy and lose her life time savings. There have been similar cases where elderly persons and young kids have fallen for the sweet talk of fraudsters on Facebook or chat apps.

In all these cases, if we look beyond the motive of greed, it appears that the victim was led to behave in a particular manner which appears irrational to many of us, exactly in the manner in which a “hypnotized” person behaves under a post-hypnotic suggestion.

We need to analyse these cases scientifically to understand if there exists a phenomenon of “Cyber Hypnotism” where a person can induce hypnosis through written words, implant suggestions and make the subject behave differently in a post-hypnotic state.

Hypnosis itself is a very interesting phenomenon, and this age old art is perhaps still not fully understood, though there could be several theories to explain the phenomenon.

One easy to understand explanation of hypnotism is that the human brain consists of a conscious part, with which we interact with the surroundings on a day to day basis, but beneath this conscious part there seems to exist a “Sub Conscious mind” which can come to the fore during a hypnotized state of mind.

This sub-conscious mind is a store house of every one of our experiences, though it is not available for recall by our sensory organs and conscious memory. In a way it is like our computer where files are stored in a “hidden” storage space, are not accessible by our operating systems and hence are invisible. But if we can use suitable software to “undelete a deleted file” or “discover the hidden files”, we may suddenly realize that there are many files which we ourselves have created and saved, perhaps as earlier versions of currently used files, and later overwritten with other versions.

In the case of the human mind, the storage space available is very large compared to what we normally use, and hence the “Sub Conscious Memory” holds a very large volume of data that is a “Photographic memory recording” of every one of our past experiences through our sensory organs.

A hypnotist finds a way to put the conscious mind to sleep and awaken the subconscious mind to make the subject remember long forgotten experiences. A therapist uses this to discover reasons for unexplained attitudes and behavioural patterns of individuals and, through hypnotic suggestions during the state of hypnosis, alters the attitude and behaviour in the post-hypnotic state even though the subject is no longer in a “trance”.

It is however a part of the theory that post-hypnotic suggestions may be resisted by the subject if they go against the fundamental beliefs of the person, and hence cannot be used to make the person do “Criminal Acts”. According to this theory, there are some basic beliefs which a person has got embedded in his mind which cannot be wished away even under the hypnotic state by the hypnotist. But if the hypnotist is clever and makes a person believe that a post-hypnotic suggestion is not actually against the basic tenets but in support of them, then the post-hypnotic state may work. This explains the growth of ISIS type terrorism in the world and also some of the schizophrenic personalities built through self suggestion.

The post hypnotic suggestions which are harmful are like “Trojans” implanted in the minds of persons which lie low under normal circumstances but make the person behave differently when certain circumstances converge.

This is a state of mind that is created in some persons who exhibit the propensity to fall for the “Social Engineering” of online fraudsters. As a society, we need to fight against not only such fraudsters but also the susceptibility of potential victims. It is like preventing the “Addiction” to undesirable habits.

Normally, the hypnotist induces a hypnotic state of mind in a willing subject by making him relax and then speaking to him in that relaxed state; through spoken words the subject is made to slip gradually from a conscious state to a sub-conscious state. In some cases it is as simple as telling the subject “You are now completely relaxed….your eyes are feeling heavy…when I count 5 you will go into deep sleep…etc”. For many this appears like magic, particularly when some suggestions are also implanted during this “Inducement stage” as to the subject partially waking up and working under a trance, and also waking up completely to come out of the trance. For example, when the subject opens his eyes and is still in a trance, a mere statement of “Sleep” may quickly take him back to the hypnotic state, while a suggestion that after a count down from 5 he will be wide awake brings him out of the trance.

What we understand from this phenomenon is that there is a way to take a person from his conscious state to a subconscious state by talking to him intelligently. There is no reason to think that this can only be done through spoken words, or through dangling a pendulum or darkening the surroundings etc. These are all methods to ensure that there are no distractions, and a similar effect is automatically present in the case of most lonely individuals working in social media. I do not rule out the use of psychedelic images to induce a hypnotic state of mind in some cases. Perhaps “Voice Messages” and “Video Messages” can also be used to induce Cyber hypnotism in the same way that hypnotists do in the physical world.

If a person is staring into the Computer monitor and is chatting for a period of time, he is so involved in the conversation that he could slip into a state of pre-hypnotic inducement. If the other person is considered trustworthy and he starts making some suggestions, the subject may start getting into a trance like state of mind, letting himself be “Cyber Hypnotized”. Some games, including the “Secondlife.com” kind of situations, may take the visitor into a fantasy world where there could be interactions with malicious characters who can “brainwash” the victims into a hypnotic state. The rest follows as per the normal principle of hypnosis, where the subject trusts the hypnotizer and executes his commands in the post-hypnotic state later. In the case of the Nigerian frauds this could be going to the Bank and sending out payments, or even sharing the Banking credentials online.

Now, how do we prevent our lonely elders and young kids from being so Cyber hypnotized?

The first step is to create a “Self Awareness” in an individual that he is susceptible to “hypnosis” through “Cyber talk”. When a person receives an SMS message “Are you feeling lonely? … Can we chat?”, the lonely elder, male or female, should realize that this is not a “Friendly therapist” talking to him but a potential fraudster. The best thing is not to test it out of curiosity and to avoid responding to such messages.

People should think of binding themselves with “Ulysses Contracts” (research what a Ulysses contract is and how to use it to avoid irrational and impulsive decisions). The technique has been successfully used in the Finance world as well as the Medical world to avoid irrational decisions by subjects. This works well for adults… in the present case the elderly people who feel lonely, who feel aggrieved that they have been neglected by society and seek alternate remedies on social media to find company. This is nothing different from being addicted to smoking, drinking or drugs, though it is fashionable to say “I am old but I have an active Facebook profile with many, many friends and likes”.

We often think kids are difficult to handle in the same way as adults. But the same techniques that work on adults may also work on those kids who are likely to fall prey to the online inducement of pedophiles or fraudsters, since most of the time they also suffer from the psychological state of personal neglect and isolation from busy parents and feel that they are no longer kids and “Know all”. In this state of mind they behave with the confidence that they are adults mentally, though they may not be so physically.

Hence, an awareness campaign on “Don’t get Cyber hypnotized” amongst school kids can be the first step in combating this addiction.

The second precaution that people should adopt is to break away from the computer or mobile screen from time to time to ensure that they are not in a trance. This could also be good for the eyes of the Computer user.

Can this be done with an App that is an add-on to social media, which “Pops out” at periodical intervals to interrupt a computer user on Facebook or Twitter or other social media, talks to the user and wakes him up from a half-hypnotic state if he has slipped into one?

Yes, this could be annoying for serious Computer users but I am suggesting this only when a person is on social media.

In fact advertisers may grin and be happy with my suggestion that their annoying pop up full screen ads also have a positive purpose!

Probably the Fitness Bands of tomorrow should be programmed to throw up such ads just the way some Car manufacturers are thinking of waking up persons who tend to sleep while driving.

Beyond these three measures of….

 “Creating Awareness on Cyber hypnotism”,

“Motivating people to adopt Ulysses Contracts to avoid irrational cyber induced decisions” and

“Forced breaks with pop up ads with relevant reminder messages”,

the need to make these vulnerable sections of the society feel that they are not alone and are wanted by their family members and friends in the real society is also essential.

This is the toughest part in our society since every youngster feels that he is too busy with his work and hence has no time for socialization with his elders or kids at home.

Hopefully we will start thinking in this direction and each one of us may find our own solution that helps to combat malicious use of “Cyber Hypnotism”.

Naavi

[P.S: Author has been an interested student of hypnotism since 1971 and also holds a basic level certificate in hypnotism…. just for knowledge enhancement and not for practice.]

Posted in Cyber Law

Creating a Protection for Indian Companies from European hegemony

The first question that an Indian Company needs to satisfy itself on is whether it is at all exposed to the provisions of the dreaded GDPR and, if so, whether there is a need to respond.

It must be clarified that Indian Companies appreciate the principle of Privacy and the need to protect privacy in data form as a part of the protection of the human rights of any global citizen. What is however creating resentment is the obnoxious level of penalties that GDPR is empowering itself to impose on companies which are actually not established in the EU. This is seen as an attempt to build a hegemony in the Data Processing market across the globe. It is also perceived that the GDPR is trying to re-write the jurisdictional laws as understood in the “Border less Cyber Society”.

There is a need for the authorities implementing GDPR to abrogate the clause of “percentage of global turnover” in Article 83. The financial limits of 10 or 20 million Euros are not an issue, but an open ended turnover based penalty is unreasonable and smacks of an arrogance that needs to be challenged. This should however be done by organizations such as NASSCOM, which should discuss it with countries such as the USA and Australia to form a global forum to protect the interests of the industry bodies.

At present, it is not however completely clear how the GDPR penalty clause will play out in the Indian market.

The GDPR recognizes two main roles for IT Companies namely

  1. Data Controller
  2. Data Processor

A “Data Controller” is one who has the power to decide on how the “personal Information” will be processed. “Data Processor” is the one who processes the information as determined by the Data Controller. The “Data Processor” is therefore a “Sub Contractor” to the “Data Controller” and does not have the contractual power to act independently.

A similar issue also exists under HIPAA-HITECH Act where the Business Associates (BA) are presently directly under the regulation of HHS in terms of the audits and imposition of penalties.

However, in the case of the HIPAA-HITECH Act, the jurisdiction boundaries are well defined, and a company which has no legal establishment in the USA but works as a Business Associate is more appropriately recognized as a “Sub Contractor” bound only by the Business Associate Contract, which may have an indemnity clause to protect against the liabilities arising on the Covered Entity or another BA in the USA which has outsourced the business to the Indian Sub Contractor.

The GDPR has however tried to establish its control even over companies established outside the EU through some of its provisions, which need a close watch.

Under Article 3 (1),

“GDPR applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.”

Under Article 3(2),

“GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:

(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or

(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.”

Under Article 3(3)

“GDPR applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.”

Article 3(3) obviously applies to countries under some kind of a Treaty or Convention which includes the protection of Privacy of EU citizens.

Article 3(1) applies to Data Controllers or Processors who have an establishment in the EU, including those who outsource the data processing to another entity outside the EU or use the Cloud for a certain part of their services.

It is Article 3(2) which tries to give the regulation extra-territorial jurisdiction, and it contains two sub clauses.

The first sub clause is directed at Data Controllers or Processors which are not established in the Union but “offer goods or services” to data subjects in the Union.

The second sub clause is directed at Data Controllers or Processors which are not established in the Union but “monitor the behaviour of EU citizens to the extent that it takes place within the EU”.

It may be noted that the definition of a “Data Controller” is that he is one “who determines the purposes and means of the processing of personal data”.

A person who collects the data is not included as a “Data Controller” though he may come under the category of a “Data Processor”.

Indian Companies such as Infosys, TCS or Wipro, which have direct IT contracts with EU Companies, may be “Data Controllers”, but most other companies will be “Data Processors” since they may be only sub contractors.

However, most of the Indian Companies may not be “Offering Services” to EU data subjects, though they may be offering services to “EU based companies”. In such cases, it is possible to interpret Article 3(2) as not being applicable to such Indian Companies.

This interpretation also goes with ITA 2000/8, wherein, in defining due diligence under Section 79, the Government of India has clarified that the obligation of obtaining “Consent” from data subjects lies with the “person collecting the information from the data subject” and not the company which receives the personal information of data subjects from another company which has collected it.

In other words, ITA 2008 recognizes the “Collector of Personal Information from the data subject” as the “Data Controller” (though this terminology is not used) and everybody else becomes a “Sub Contractor”. GDPR has knowingly or unknowingly created a class of “Recipient of Data” who is the first party to interact with the Data subject but may not be a “Data Controller”. The “Recipient” could be a sub contractor of a Data Controller and hence a “Data Processor”. Subsequently, under the directions of the Data Controller, the Recipient may transfer the data to another “Data Processor” who may actually have a contract with the Data Controller and not have a direct relationship with the “Recipient”.

Indian Companies which are not receiving personal data from the data subjects and not having an establishment in EU are purely “Data Processors who are not established in EU and not offering services to EU data subjects”. Their liability for GDPR implementation is therefore only through the Contract with the Data Controller who may be an establishment in EU or one who may not have establishment in EU but determines how the data is to be processed.

The “Indian Sub Contractors” are therefore bound by ITA 2000/8, which of course defines reasonable security practice as what is contained in the contract with the data supplier. The Data Controller is therefore well within his rights to state in the contract that the data processor in India has to follow all the security measures indicated under GDPR. He can also put in an indemnity obligation that if any loss is caused due to the processor’s action or inaction, it should be reimbursed to the extent of a stated limit.

An open ended contract which makes an Indian Company liable to pay a foreign entity may actually be a violation of FEMA and hence is ultra vires Indian law. The “Turnover based penalty” can therefore not be applied to Indian Companies nor accepted by Indian companies.

As regards websites of Indian Companies or mobile Apps which may be used globally, it is essential for the companies to include a “GDPR Exclusion Clause” on the lines of what is proposed under the privacy policy of Naavi.org which states as under.

QUOTE:

GDPR Exclusion

It is declared that Naavi.org follows the principles of Privacy protection under Information Technology Act 2000 as amended from time to time and where there is a conflict with any other international law or guideline, the provisions of ITA 2000 shall prevail. In particular, Naavi.org does not subject itself to the administrative jurisdiction of GDPR and any data subject who intends to be protected by GDPR and not ITA 2000 shall not use any of the services of this site or its networked sites. Any claims made under non-ITA 2000 statutes or regulations regarding privacy protection or otherwise are unacceptable and may be deemed as maliciously intended.

UNQUOTE

It is also possible to consider that the act of visiting a website established from the shores of India and availing any of its services is like “Virtually visiting Indian shores” and hence does not constitute an “Activity of the Data Subject in the EU”.

Hence I would like Indian Companies on the web and App developers to review their privacy policies and include a “GDPR Exclusion Clause” so that they do not unnecessarily become liable under GDPR for a stray visitor who may come from the EU.

Naavi

Posted in Cyber Law

NPCI and RBI cannot absolve themselves of responsibility in UPI Fraud

The recent Bank of Maharashtra UPI Fraud, in which Rs 25 crores were siphoned off from the Bank through UPI payment requests which were honoured by the system though there were no funds in the accounts, as well as the report that a security firm has indicated that at least 7 UPI apps of different Banks are infected with malware, has raised the question yet again of the irresponsible manner in which RBI has been conducting itself in pushing insecure digital payment systems down the throats of unsuspecting citizens.

The Government of India is knowingly or unknowingly incentivising digital payment usage for its own reasons, without ensuring the safety of the citizens. Naavi.org has been time and again warning the Government and Mr Modi that without the security blanket of Cyber Insurance for all, the digital payment initiative is a boon for fraudsters and ultimately the price will be paid by the ordinary citizens of the country.

The Bank of Maharashtra fraud created a loss for the Bank only and not for its customers, since the payments were made without balance in the account. If the Bank had Cyber Insurance for itself, it should have been covered. This is like the Bank of Muscat fraud in which over Rs 245 crores were siphoned off by international fraudsters from accounts without balances. However, this indicates the surfacing of inefficiency in our Banking system when Banks are pushed too fast into the digital process.

Government and RBI should appreciate that transformation has to be managed properly and even a good medicine works only when given in proper doses.

The key to the current digital payment system is the organization called NPCI. NPCI today operates the technology platform through which all UPI payments pass. It has also taken over the systems which were earlier being managed by IDRBT. It is today the hotbed of digital payment risks in India and there is a need to question whether it is adequately equipped to shoulder its responsibilities.

Firstly, NPCI is not constituted to be an “Independent Organization” free from the operation of vested interests in Banking circles. IBA and 10 prominent Banks are the promoters of NPCI, and this is the biggest flaw in the structuring of NPCI. IBA is a body of commercial Banks, and the Banks are profit oriented commercial organizations. They have completely lost the vision of public service with which they were started. Hence NPCI also has a complete conflict of interest. RBI on its own cannot manage this conflict as it is completely dominated by the IBA when it comes to critical decision making.

Hence the management of NPCI and its decisions are always expected to protect the interests of the commercial Banks, and not to fulfil the objectives of Secure Banking regulation in India, which is the RBI’s role.

I welcome RBI to challenge this statement and prove that I am wrong.

In the Bank of Maharashtra case, NPCI has washed its hands of the matter, stating that it was the responsibility of the Bank to reconcile its NPCI transactions with the Core Banking ledgers and that the Bank had failed to do so. However, technically, when the Core Banking system sent two messages, “Success” and “Error”, and the UPI system failed to recognize that “Success” meant “the transaction reached the Core Banking server and was processed” and “Error” meant “the transaction is rejected because there is no balance in the account”, and the NPCI servers accepted the first message as if “the transaction was successful”, the problem lies squarely with NPCI.

If the fraud is adjudged fairly, the legal liability for the fraud should lie more with NPCI rather than Bank of Maharashtra.

RBI and probably NPCI adopt the same principle in managing ATM transactions. In the case of all transactions with cloned cards, the NPCI-managed systems only indicate to the Banks “Transaction Successful”, and the Banks claim this as proof that only the genuine card was used in the transaction. Most of the Card frauds are disposed of by the RBI’s Banking Ombudsmen only on the basis of a piece of paper doled out by the NPCI system stating that “Transaction was successful”.

In the same way, NPCI has now relied on the “Transaction Successful” statement from the Core Banking system for the fraudulent “Pull Request” sent through the Bank of Maharashtra UPI. NPCI is blind to the fact that “Transaction Successful” only means that technically the handshake was established between the two systems and the session was successfully established. If this was followed by the next message that “There is no balance in the account and hence the transaction is rejected”, NPCI cannot say “I have already closed the session and lost the second message.” The systems were perhaps wrongly configured and the session was prematurely closed without a “session close” message from the Core Banking system.

My views here are not based on any direct interaction with NPCI and may therefore be incorrect. But the probability of this view being correct is high and I welcome it if NPCI has any technical explanation of why it interpreted the Core Banking message wrongly.
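To make the failure mode described above concrete, here is an added illustration (not code from the article, NPCI or the Bank): a constructed Core Banking (CBS) message stream is handled two ways, the flawed “first message is final” way and a handler that keeps the session open until a terminal message arrives, followed by a reconciliation check against the core ledger. The message statuses, transaction ids and ledger values are all assumptions for illustration, not the actual CBS/UPI protocol.

```python
"""Added example: two-message CBS handshake handled naively vs. strictly.
All statuses, ids and sample data below are constructed assumptions."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class CbsMessage:
    txn_id: str
    status: str   # assumed values: SUCCESS (reached CBS, processed; NOT final),
                  # ERROR (debit rejected), CLOSE (CBS closes the session)
    detail: str = ""


def naive_upi_handler(stream: List[CbsMessage]) -> Dict[str, str]:
    """Flawed behaviour: the first message decides and the session is closed
    immediately, so any later ERROR for the same transaction is lost."""
    ledger: Dict[str, str] = {}
    for msg in stream:
        if msg.txn_id in ledger:
            continue  # session already closed: message silently dropped
        ledger[msg.txn_id] = "DEBITED" if msg.status == "SUCCESS" else "REJECTED"
    return ledger


def strict_upi_handler(stream: List[CbsMessage]) -> Dict[str, str]:
    """SUCCESS is only an acknowledgement; a transaction becomes DEBITED only
    when CBS closes the session without an intervening ERROR."""
    ledger: Dict[str, str] = {}
    pending = set()
    for msg in stream:
        if msg.status == "SUCCESS":
            ledger[msg.txn_id] = "PENDING"
            pending.add(msg.txn_id)
        elif msg.status == "ERROR":
            ledger[msg.txn_id] = "REJECTED"
            pending.discard(msg.txn_id)
        elif msg.status == "CLOSE" and msg.txn_id in pending:
            ledger[msg.txn_id] = "DEBITED"
            pending.discard(msg.txn_id)
    for txn in pending:           # never confirmed by CBS: hold, do not credit
        ledger[txn] = "UNCONFIRMED"
    return ledger


def reconcile(upi_ledger: Dict[str, str], cbs_ledger: Dict[str, str]) -> List[str]:
    """Transaction ids whose UPI-side status disagrees with the core ledger."""
    return sorted(t for t, s in upi_ledger.items() if cbs_ledger.get(t) != s)


# Constructed sample: T1 a genuine debit, T2 a pull request against an empty
# account (SUCCESS then ERROR), T3 an acknowledgement with no follow-up at all.
SAMPLE_STREAM = [
    CbsMessage("T1", "SUCCESS"), CbsMessage("T1", "CLOSE"),
    CbsMessage("T2", "SUCCESS"), CbsMessage("T2", "ERROR", "insufficient balance"),
    CbsMessage("T2", "CLOSE"),
    CbsMessage("T3", "SUCCESS"),
]
CBS_LEDGER = {"T1": "DEBITED", "T2": "REJECTED"}  # what the core ledger holds

if __name__ == "__main__":
    for name, handler in (("naive", naive_upi_handler), ("strict", strict_upi_handler)):
        view = handler(SAMPLE_STREAM)
        print(name, view, "mismatches:", reconcile(view, CBS_LEDGER))
```

With the naive handler T2 is credited on the UPI side although the core ledger rejected it; only the reconciliation step catches it, which is exactly the check the article says was never run.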

Further, it was as much the responsibility of NPCI to test the UPI integration as that of Bank of Maharashtra, and such integration had to be tested not only for the technical aspects but also for the “Techno-Legal Aspects”. NPCI has failed to make its systems techno-legally robust.

It is this same negligence which allowed the malware in the HITACHI ATM network, which resulted in 32 lakh SBI Debit cards being withdrawn and millions more compromised, by allowing the malware to worm its way from the ATM to NPCI servers, sit there and send out information to fraudsters without NPCI detecting the presence of the trojan in its systems.

Now that the UPI apps of 7 more Banks are said to have been infected with malware, NPCI has a duty to publicize the names of the Banks so that customers can take a decision to uninstall these apps. By withholding the names of the compromised Apps, NPCI is abetting the fraudsters and further endangering the customers. It also violates the RBI regulations that a breach has to be notified by Banks, and the CERT-IN notification requiring that NPCI report it to CERT-IN.

In the light of these developments, the AEPS (Aadhar Enabled Payment System), which is likely to be introduced despite the recent revelations that a “Biometric store and Replay attack” is very much possible (refer to the incident where Axis Bank and E Mudhra were charged, or where Jio SIM Cards were fraudulently issued), will increase the fraud risks in digital payment systems. NPCI, RBI and the Government of India will be responsible for any scams that may be perpetrated in this domain in which the public may lose money.

I have warned time and again that Mr Modi’s Government may have to pay a price for not instituting a “Mandatory Cyber Insurance” that covers the public for all such digital payment frauds. I hope they listen to this friendly advice or face the risk of a huge reputation loss in the next elections.

PayTM has shown the way by providing cyber insurance cover for its customers and this should be mandatory for all Banks (RBI stated as much in its Internet Banking Guidelines issued in June 2001 but promptly rejected by most Banks for cost considerations).

NPCI cannot absolve itself of its responsibilities for the digital payment frauds since it is an intermediary in all the transactions. It can have its indemnity with the Banks but litigation where NPCI is a party as “Accused” for “Facilitating the fraud by negligence” cannot be avoided.

Last but not the least…. Dear Mr Urjit Patel, what happened to the “Limited Liability Circular” of August 11, 2016? …Your team is still looking into public comments?… Or is RBI lying in the RTI application, unable to say “Sorry, our Bankers are not willing to accept the terms of the circular and hence we will keep quiet until everybody forgets the issue”?

Naavi

Related Articles

Mobile apps of 7 Indian banks infected with malware, says study

Bug in UPI app costs Bank of Maharashtra Rs 25 cr in one of India’s biggest financial frauds

Bank of Maharashtra’s UPI app bug: Old world fraud using new age toys

Bank of Maharashtra accounts lost Rs25 crore due to UPI bug, says NPCI

Bank of Maharashtra reports another UPI breach; bank loses Rs 1.42 crore: report

NPCI and iSpirt say glitches in a bank’s UPI app caused fraudulent transactions

Bank of Maharashtra fraud: Accused committed similar crime earlier in Pune, say cops

[P.S: NPCI has, in a personal clarification from one of its top management persons, reiterated that the fault in the case of the Bank of Maharashtra fraud does not lie with NPCI. This implies that either the Core Banking software of Bank of Maharashtra is to blame or the configuration of the Core Banking software was faulty. The Core Banking software of Bank of Maharashtra has been implemented by TCS, which can clarify. Further details of how the communication between the Core Banking system and the UPI system could have led to erroneous results are awaited and will be published when received. As regards the report about 7 UPI apps being infected with malware, NPCI has stated that the report itself is faulty….. Naavi]

Posted in Cyber Law

The GDPR Threat hangs over the head of Indian IT Processors

The Indian IT industry has a high stake in outsourced business from the US, EU and UK markets. A good part of this outsourced business involves processing of “Personal Data” of data subjects of the respective country. As regards the US, India has many processors who process health data and are accustomed to complying with HIPAA and the HITECH Act. India has its own ITA 2000/8, which also mandates protection of both personal data and sensitive personal data. Now the EU has upped the stakes in privacy protection by pushing the GDPR (General Data Protection Regulation), which replaces the Data Protection Act that has been in place for the last two decades. The UK is now in transition: it is out of the EU but is yet to adopt the regulatory mechanisms in its own name. However, the UK is also expected to adopt GDPR in toto.

The challenge for Indian data processors is that the GDPR requires them to appoint a “Representative” in any one of the EU countries if they have a stake in the processing of data related to EU residents. This exposes them directly to the risks of non-compliance, in addition to the clauses that may be found in the Business Associate Contract where the data processor agrees to an indemnity clause with the data controller to compensate him for any losses caused to him on account of any data breach.

What is important for Indian Companies to realize is that the penalties payable under the GDPR by the data controller may be humongous, since the GDPR speaks of up to 20 million Euros or 4% of worldwide turnover, whichever is higher. If Indian companies blindly agree to comply with the GDPR along with an open indemnity clause, they will be signing their death warrants.

The Boards of Indian Companies exposed to GDPR risk should therefore disclose in their financial statements what precautions they are taking to protect the interests of the shareholders. The first thing that a shareholder would like to know is whether the Company has an exposure to GDPR and, if so, whether an impact assessment has been made. If so, the shareholders would like to know whether the Company has obtained Cyber insurance against losses arising out of any data breach and whether the quantum of such insurance is adequate. If not, the Company needs to justify to its shareholders why it thinks it is insulated from this risk.

Additionally, it is necessary for Indian Companies to

a) Identify whether they are exposed to GDPR risk and, if so, where and how the GDPR data exists in their data environment, who has access to it and how it is secured.

b) Undertake a risk assessment to identify the risks of data breach.

c) Put policies and procedures in place to ensure compliance.

d) Document accountability for the compliance requirement through appropriate technical and other measures.

e) Maintain a proper testing and audit environment to check from time to time whether the compliance measures are holding and whether any corrections are required.

The deadline for implementation of GDPR is 25th May 2018. However, if an EU Company is processing data with an Indian Company, it would be interested in freezing its compliance documentation well before May 2018, since if the Indian Company is unable to meet the stringent standards, the EU company needs to find an alternate supplier and build the technical bridges required for the transfer of business. It would therefore be reasonable for such companies to start their negotiations today if they have not already started.

At the same time, it is also prudent for Indian companies to review their own systems and procedures and be ready to face any questions that the EU client may raise. They should be able to face an audit from their customers if the stakes are high.

A GDPR Audit will therefore be required to be undertaken by Indian Companies who have any relationship with an EU Company with the likelihood of undertaking data processing involving EU data.

GDPR requires “Privacy By Design”, which may mean that the EU Client requires some process changes in data processing that impact the cost of processing and also take time to implement. If the data processor has itself subcontracted any of its processes, there is a need to ensure that the compliance requirements are also implemented at the subcontractor’s level, which is another huge responsibility. In most cases the data processors may have to take the currently subcontracted work in house. This will again change the cost profile of the service.

In most cases of subcontracting it will be inevitable to introduce “Deidentification” or “Pseudonymisation” of data, with attendant technical issues. This would be yet another reason for cost escalations, and for data breaches due to failure of technical controls.

In view of these implications, which go beyond the technical aspects of preserving Confidentiality, Integrity and Availability, the Information Security professionals of Indian Companies need to immediately start internal discussions with top management for rolling out the process of GDPR compliance.

The very first step in GDPR compliance is the designation of a senior person as the “Data Protection Officer”, who may have to take up the next step of creating “Awareness”, firstly among top management, so that further implementation steps can be undertaken.

I would urge all Indian Companies to start a review to see whether they have crossed these two steps before the actual implementation challenges can be identified for further action.

During the next month or so, most of the large IT Companies will have their shareholders’ meetings and financial audits by the audit firms. I urge shareholders to raise questions in the AGM about the action taken by the Company for meeting the GDPR non-compliance risk, and all CA firms involved in financial auditing to ensure that suitable qualifications are made in the disclosures, as may be required, on account of the GDPR risk not having been identified and adequately covered.

Naavi

Posted in Cyber Law

Telangana Court poses a question to Supreme Court on Section 66A

Recently a judgement from Hyderabad under ITA 2000/8 has raised interesting debates in Cyber Law circles which make a good case study for academic purposes.

Presently we are commenting on the basis of the following two news reports:

Times of India Report : Navy Man gets 2 years imprisonment 

Indian Express Report : Sentence under Section 66A.

We shall try to get the copy of the judgement for further clarification.

One of the debates that has ensued post the judgement is that the conviction includes “Section 66A”, which the Supreme Court quashed on 24th March 2015 in what is popularly called the Shreya Singhal Case.

Most specialists are shocked at how the Court can pass a sentence under a section which has been termed by the Supreme Court as “Anti Constitutional” and quashed.

Does it indicate that the lower Court was ignorant? Did the investigating officer mislead the Court? These are some of the questions that are doing the rounds.

The facts of the case indicate that the incident happened in 2010. At that time the victim was a minor and Section 66A was still valid. The object of crime was an online Chat dated 27th February 2010 where the accused was supposed to have lured the girl to an online relationship. The conviction is said to be under Sections 67, 67-B, IPC 509 besides Section 66A.

The accused has now preferred to file an appeal and the final word on the judgement will be known later.

As regards the Court giving a judgement against the Supreme Court view, it appears that the Judge has gone with the view that the Shreya Singhal judgement did not have any “Retrospective” effect and the cause of action in the current case arose in 2010 when Section 66A was very much valid. In our opinion, this is a correct reading of the Shreya Singhal judgement and the Judge must be credited for his brave decision against the popular sentiment.

If it is argued that at the time of judgement Section 66A had been scrapped and hence this should have been taken into account by the judge, the point also arises that at this point of time the victim was no longer a “Minor” and 67B was not applicable, though Section 67 was still applicable.

Further the presentation of admissible evidence should have been done under Section 65B (IEA) certification though this loses significance if the accused admitted the offence.

But the judgement has really raised an important point: that we need to look at an offence in the light of the date on which the cause of action arose and the laws in force at that time, unless there is a compelling law that gives retrospective or prospective effect to the provisions. October 17, 2000 was when Section 67 of ITA 2000 and Section 65B of IEA became effective; October 27, 2009 was the day when Sections 67A, 67B and 66A became effective; and March 24, 2015 was the day when Section 66A was quashed. These dates have to be kept in mind by Police and Courts to apply the different provisions of law as contained in ITA 2000.

The second point of debate that has come up in the case is that the accused was Navy personnel. The victim was the daughter of Navy personnel and the crime was committed on board a Navy vessel. In this case, whether jurisdiction for the trial should have been with the Military Court is a point to discuss. Probably the victim was not on board the Navy vessel and was in the Civil area. (Or was she residing in a Cantonment area?)

Had the Navy Court taken cognizance of the matter and started a trial, it would have been difficult for the Hyderabad Court to proceed with the trial as it would have become a fit case for “Double Jeopardy”. By not initiating action, the Navy has allowed the proceedings in the Hyderabad Court to continue.

I understand that the Madras High Court in a case in 2009 had refused to transfer a criminal case to the Army Court. (Refer here). This was however a case of a physical crime of murder in civil society and stood on a different footing. In that case the person was on leave and the claim for transfer was based on Section 475 of CrPC, which states as under:

Quote:

475. Delivery to commanding officers of persons liable to be tried by Court- martial.
(1) The Central Government may make rules consistent with this Code and the Army Act, 1950 (46 of 1950 ), the Navy Act, 1957 (62 of 1957 ), and the Air Force Act, 1950 (45 of 1950 ), and any other law, relating to the Armed Forces of the Union, for the time being in force, as to cases in which persons subject to military, naval or air force law, or such other law, shall be tried by a Court to which this Code applies or by a Court- martial; and when any person is brought before a Magistrate and charged with an offence for which he is liable to be tried either by a Court to which this Code applies or by a Court- martial, such Magistrate shall have regard to such rules, and shall in proper cases deliver him, together with a statement of the offence of which he is accused, to the commanding officer of the unit to which he belongs, or to the commanding officer of the nearest military, naval or air force station, as the case may be, for the purpose of being tried by a Court- martial. Explanation.- In this section-
(a) ” unit” includes a regiment, corps, ship, detachment, group, battalion or company,
(b) ” Court- martial” includes any tribunal with the powers similar to those of a Court- martial constituted under the relevant law applicable to the Armed Forces of the Union.
(2) Every Magistrate shall, on receiving a written application for that purpose by the commanding officer of any unit or body of soldiers, sailors or airmen stationed or employed at any such place, use his utmost endeavours to apprehend and secure any person accused of such offence.
(3) A High Court may, if it thinks fit, direct that a prisoner detained in any jail situate within the State be brought before a Court- martial for trial or to be examined touching any matter pending before the Court- martial.

Unquote:

According to this section, the Magistrate “Shall” transfer the case to the commanding officer, though the words “in proper cases” are subject to interpretation. The Madras High Court used this interpretation to refuse transfer of the trial to the Military Court.

However, under the Uniform Code of Military Justice (UCMJ) (Refer here), if the offender is an active service member, the UCMJ applies. If the crime violates both the State Civilian Law and Military law, it may be tried by either or both. But the two Courts need to coordinate and avoid “Double Jeopardy”.

In the Telangana Case, this point was completely missed, though this being a “Cyber Crime”, the “Crime is deemed to have been committed at the place from which the offending message was sent, namely the Navy vessel”. Hence the place of crime was a military space and the offender was military personnel. Even the principle of natural justice indicated that the trial should have proceeded in the military Court, since the complainant was also a Navy person (the victim being a minor).

Since in this case

a) the jurisdiction of the Civil Court is itself questionable, and

b) the evidence was inadmissible due to lack of Section 65B certification (assuming that the admission is not sufficient),

the judgement requires a review.

Naavi

(P.S: I am waiting for further information on this case as well as Supreme Court judgements on Section 475 of CrPC, based on which supplementary discussions can be continued by experts)

Related Article:

USI of India:

This article says that defence of Double Jeopardy is not available. Needs to be explored further by experts.

Posted in Cyber Law