Naavi.org

The recent news report that UIDAI has initiated investigation on three firms suspected to have violated the rules of aadhaar authentication by sending stored biometrics to UIDAI server for authentication. The firms involved are Axis Bank, Suvidha Infoserve and E Mudhra. (Refer article here). UIDAI claims that the data received for authentication multiple times was an “Exact Match” which is statistically impossible and hence indicate a “Stored Biometric” being sent for authentication. The firms on the other hand have stated that the authentication request refers to “Testing” of some applications and not any attempt in committing any fraud.

While in this particular instance, there may not be any fraudulent intentions on the part of the three parties involved, the incident has confirmed what we have been indicating as a possible security risk where the biometric can be stored in soft form and re used.

In the past we are aware that Certifying authorities have been indulging in the practice of keeping copies of private keys which can later be used for committing digital signature forgeries. Neither the CCA or the Government has taken corrective steps.

Now the entire “Aadhar Based Payment System” is in jeopardy because of the revelation of this incident. As one of the security professionals has pointed out (Refer article here), it was naive for UIDAI to announce in the public how they were able to identify the potential violation of Aadhaar authentication  in this case. Like it often happen when Police officials conduct press conferences to boast about a successful investigation, the revelations made by UIDAI will be information to future fraudsters on how to bypass known security measures.

Now, having committed one mistake too many, it is the responsibility of UIDAI to harden their authentication mechanism without necessarily giving out too many details to the public. It is of course still possible to secure  the authentication mechanism through innovative methods. But UIDAI may or may not be capable of identifying such mechanisms nor they may be interested, since it is the characteristic of UIDAI that they have been always in denial mode whenever security weaknesses are pointed out.

We hope that without first resolving the security issues, UIDAI does not jump into Aadhaar based payment systems through NPCI and land Indian citizens in trouble.

Naavi

GDPR (General Data Protection Regulation) introduced by EU in replacement of the Data Protection regime hither to in place has opened up a debate on whether it is an “Opportunity” or a “Threat”.

IDC predicts (Refer article here) that a substantial opportunity would be created for security and storage software vendors since the severity of fines would drive for a shake up of data protection practices. According to IDC, the total market opportunity created is of the order of $3.5 billion. Of this the securty software from GDPR concerns is expected to raise from $811 million in 2016 to$ 1.8 billion in 2019, and storage software would grow from $258 million in 2016 to $1.7 billion in 2019.

There is no reason to disbelieve this projection. However if one part of the industry is making $3.5 billion, it has to be spent by another part of the business. In the case of GDPR driven business change, the data processing industry will incur the expenditure while the data security and storage vendors including the cloud storage product vendors will gain the corresponding revenue.

Additionally, the data processing industry has to also incur expenditure on “Compliance Consultancy” and “Cyber Insurance” which is not a small expenditure by itself.

Also, though the GDPR is discussed globally as if it is an issue between EU and US, the Indian IT industry also has a huge stake since it works both for the US and EU clients and needs to provide a “GDPR Compliant Data Processing Service”.

Indian IT industry needs to observe that the GDPR is proposed as a “Global Regulation” and imposes restrictions which would mean that no Indian Company would get EU business if it is not compliant with GDPR and if it tries to be compliant, it has to confront the following penalty structure.

Fine: 10,000,000 Euros or 2% Global Turnover, for offenses related to:

Child consent;
Transparency of information and communication;
Data processing, security, storage, breach, breach notification; and
Transfers related to appropriate safeguards and binding corporate rules.

Fine: 20,000,000 Euros or 4% of Global Turnover, for offenses related to:

Data processing;
Consent;
Data subject rights;
Non-compliance with DPR order; and
Transfer of data to third party.

It would be essential for all Indian IT companies to plan for

a) GDPR Compliance measures such as Creating awareness, making gap analysis etc

b) Hardening the Security and Storage

c) Obtaining Cyber Insurance Cover

d) Auditing suspected data breach incidents

e) Incurring the expenditure on penalties if any

Obviously, the industry has to be prepared for at least a 5% increase in its data processing costs which along with the increasing VISA costs coming from the US markets, make it difficult for them to remain profitable and competitive.

I urge NASSCOM to take suitable steps to ensure that the impact of GDPR on India is not adverse. At the same time strategies to harness the benefits that may flow from the global implementation of GDPR should be drawn up urgently.

The DeiTy also needs to evaluate measures that it may contemplate to ensure that GDPR does not hurt the IT industry in India.

Naavi

In a bid to continue the legacy of naavi.org as an endeavour to “Build a Responsible Cyber Society”, Naavi has started yet another educational website that should complement the current activities in promoting Cyber Law Compliance in IT industry in India. This new effort is to build awareness about the “General Data Protection Regulation” (GDPR) which has replaced the Data Protection Regime in European Union and is set to change the landscape in Privacy practice in India and elsewhere in the globe.

Indian IT industry being a dependent on data processing of which a large share of business may come from the EU countries need to ensure that we donot lose business or incur liabilities on account of non compliance of GDPR.

SMEs and Mobile App companies specifically require knowledge input and consultancy to ensure that they are on the right side of the regulations to protect their business.  Towards building a knowledge infrastructure in this regard, Naavi has now started a new website www.gdpr.ind.in dedicated to the presentation of the regulation. This will be supplemented by analysis and discussions on  www.privacy.ind.in (Privacy Knowledge Center) besides this parent website.

Naavi recognizes that the field of Privacy is vast and we can only be a catalyst in starting what we can call as a “Knowledge Center”. For it to truly become one, contributions are to be made by other like minded professionals who can share knowledge for public good.

I take this opportunity therefore to invite Privacy professionals to contribute their thoughts to the building up of the knowledge related to compliance of Privacy Laws such as GDPR so that India may in due course becomes a country recognized as  the best GDPR compliant country. The articles may be published on the Privacy Knowledge Center with due acknowledgement of the contribution.

Come, let us start our journey towards making India the best GDPR compliant country.

Naavi

A welcome initiative of a dedicated website aimed at Cyber Security support for the public was launched today at Delhi in the form of www.cyberswachhtakendra.gov.in

The website is operated by CERT-In and appears to be supported by Quickheal and is promoted as a Botnet Cleaning and Malware Analysis Center”. One of the objectives of the CSK would be to detect botnet infections in India and notify, enable cleaning and securing systems of end users so as to prevent further infections.

The site proposes to provide Cyber Security information as well as free scanning tools from Quickheal for malware.

It may be noted that during the evolution of Naavi.org over a time, links to many malware removal tools and anti virus tools had been provided (See the archive of a page in 2005 showing link to panda scanning software and virus information links on the left menu) along with the educational aspects now proposed by Cyber Swatchhta Kendra. Naavi.org can take the pride that several years before securing Digital India concept evolved at Government level, we were already setting the trend. Naavi.org has evolved subsequently but we hope that many of its services and suggestions will continue to motivate and guide other institutions including Government agencies in the coming days.

We welcome the CSK  initiative and hope it will be maintained properly as it is expected to attract special attention of attackers with an intention to tarnish the image of the Government.

(CSK was a popular abbreviation used by  Chennai Super Kings, a team of the Indian Premier League (IPL). Since it is no longer in operation as an IPL team, the abbreviation CSK can be used for Cyber Swachchta Kendra. It has otherwise been referred to as the Botnet cleaning and Malware Analysis Center with the abbreviation BCMAC)

Naavi

For records we may say that RBI has sought public comments on its draft circular for revising MDR charges downwards as a part of the follow up on Watal Committee report implementation. A copy of the draft circular is available here.

According to the notification issued in this regard dated 16th February 2017    comments/ suggestions/ feedback, if any, may be sent by post to the Chief General Manager, Department of Payment and Settlement Systems, Reserve Bank of India, Central Office Building, 14th Floor, Shahid Bhagat Singh Road, Mumbai – 400 001, or by  e mail to mdrfeedback@rbi.org.in on or before February 28, 2017.

It has been pointed out in the case of the draft circular of August 11, 2016 regarding “Limited Liability of Customers on unauthorized transactions”,RBI issued the draft circular for public comments upto August 31, 2016, obtained the comments and then went silent.

Despite all forms of nudging, RBI continues to remain silent to the day and has not implemented the draft circular nor has made public the comments received. In RTI applications, RBI has stated that it is still evaluating the public responses even after 8 months and is apparently lying to the public that it is desirous of implementing the circular because Banks donot want it.

The Finance Minister and  PMO are also remaining silent on the representations about the non implementation of the August 11 circular.

This incident has proved that RBI is in the habit of issuing draft circulars for public comments without any intention of taking action based on such comments if the other stake holders namely Banks are not in agreement. The calling for public comments appears to be a farce.

It could perhaps be a strategy to kill a move pushed by some RBI executives who falsely believe that RBI is an organization with a mandate to safeguard the interest of the Banking public in India and not a promotional agency for promoting the share holder interests of Banks!

Under the circumstances, the draft circular on MDR charges may also be an eye-wash and RBI may not implement any reduction of MDR charges if Banks oppose the same. The underlying fact is that RBI is no longer regulating the Banks. It is the Banks and the IBA which is manipulating the policies that come out through RBI.

Despite a few individuals in RBI who have the intention of doing good to people and succeed from time to time to persuade the policy makers to move towards making some consumer oriented changes, their efforts are scuttled by issuing such draft circulars which are later buried without follow up.

I wish Mr Urjit Patel proves me wrong.

Naavi

The Government of India is placing a huge reliance on Aadhaar for all forms of KYC. In the coming days, the Aadhaar Enabled Payment System (AEPS) will also be introduced where the biometric of the Aadhaar owner will be used to trigger a financial transaction like the UPI/BHIM application that may be used to send or receive money from another UPI account. It is said that this will be a “PIN Less” and “OTP Less System”.

What this means is that as soon as the application is triggered with a fund transfer request and the biometric of the aadhaar owner is provided to the UPI application, the payment will be completed without a second reference to the account holder. It will be like a “Single Click Payment System”.

There is no doubt that from the user perspective the AEPS will be a very convenient system and particularly for the less educated persons, it appears to be an excellent system. However, one should not forget that in the financial transactions, “Convenience” is only one of the aspects of the transactions and “Security” is another important aspect that needs to be taken care of in any digital payment system.

It is to be reiterated that the systems being introduced by the Government expose the public to risks that are being ignored by the Government and its advisors.

Presently, Aadhaar has introduced a system where by the “Biometric” can be “locked”.  When the biometric is locked, the system may generate an OTP for unlocking. Alternatively, the aadhaar holder has to go to the website and unlock the biometric which again can be done by an OTP. While this is touted to be a security feature that will prevent misuse of an aadhaar number, it must be recognized that the locking and unlocking is only linked to the OTP sent to the registered mobile and hence if a fraudster can get hold of a duplicate SIM, he can over come the locking security.

Thus in many ways, the OTP becomes the determining factor to secure a digital transaction. The security of OTP is directly related to the KYC system adopted by a mobile service provider particularly when a SIM is reported lost and a replacement is sought.

Recently, the Supreme Court has suggested that every Aadhaar number may be linked to a mobile again thinking that this would secure the system.

If for any reason this mobile OTP becomes the norm, then there is a need to ensure that this system is hardened by

a) Sending OTP by encrypted message

b) Increasing the complexity of OTP from a 4 digit numerical to atleast 6 digit numerical and if possible a combination of letters and numbers

c) Using voice based OTP delivery instead of a text based delivery

d) Return OTP also to be encrypted

e) OTP on either side to be sent and received with a digital signature which is both secure and also cyber law compliant.

While I donot expect many operators to become cyber law compliant and use digital signatures on mobile, encryption can be adopted without much of difficulty. However there needs to be a secure key management system to ensure that the security is difficult to be breached.

I hope the authorities including the implementers of the  Watal Committee recommendations will consider appropriate measures to take steps to harden the security of the OTP system which has already been degraded by NIST in USA but continue to be used in India.

I presume that the mobile operators also realize their responsibility in exercising care in obtaining KYC of their customers both when new SIM cards are issued and when lost SIM cards are replaced.

The irony of the current system is that the mobile operator may use an aadhaar as KYC for issue of SIM cards while the Aadhaar uses the OTP on the SIM card for issue locking and unlocking biomeric or for issue of e-aadhaar. This circular authentication is not the ideal security support and it becomes more or less a “Single Factor” authentication system. There is therefore a need to think of alternate measures to break this “Circular authentication system”.

Naavi