Falsified Evidence under Section 65B certificate

Section 65B of the Indian Evidence Act requires a certificate to be produced along with any electronic document submitted as evidence in a Court of law, at the admission stage.

The mandatory requirement of a Section 65B certificate came into effect on 17th October 2000 when ITA 2000 (Information Technology Act 2000) was notified. However, it was the undersigned who produced the first such certificate in a Court. It was in 2004, in the State of Tamil Nadu Vs Suhaskatti case, for criminal prosecution under Section 67, in the Egmore AMM Court, Chennai. Based on the certified evidence the Court went on to proceed with the trial and convict the accused. The conviction was sustained even on appeal at the Sessions Court, upholding the validity of the evidence. Since then, Section 65B certificates produced by the undersigned have been presented in other courts from time to time.

However, it was not until the Supreme Court judgement in P.A. Anvar Vs P.K. Basheer that the litigation market players realized that electronic evidence without a Section 65B certificate would not be admissible in the Courts. Even the Police have started adding to their CrPC notices, calling for information which may be in electronic form, a requirement that it be provided with a Section 65B certificate.

Naturally, there is now a scramble to understand how the certificate has to be given. Though Naavi.org and ceac.in have put out clear information on how a Section 65B certificate is to be produced, there are a few legal practitioners who may hold different viewpoints on some of the finer points of certification. Such differences will persist for some time and will be resolved over a period of time, as long as we try to understand the purpose of the section and its use case scenarios.

What is, however, necessary for Companies in particular (from the ITA 2008 compliance angle) and for ordinary citizens relying on such evidence to fight cases in the Courts is to understand that if the evidence is not properly produced, it may be rejected by the Court at the admission stage itself.

On the other hand, we also need to warn companies and individuals that sometimes there is a tendency to produce evidence which is deliberately falsified, in the hope that nobody would find out.

I recently came across such an incident where a large Telecom company had filed an apparently falsified electronic evidence to support its case against one of their employees. The electronic documents were supported by Section 65B certificate and also an affidavit in the Court.

It is possible that the defense may submit suitable arguments to throw this evidence out, but what we need to remember is that production of falsified evidence is clearly an offence under Section 193 of IPC, which is a cognizable offence carrying 7 years of imprisonment.

The person who produced a falsified Section 65B certificate and an affidavit in respect of the certificate would be liable for punishment under Section 193.

Such an act will also be an offence under Section 43/66 of ITA 2000/8. Some of these incidents would be offences under Section 65 and Section 67C of the Act as well.

When such a person is an employee of a company and the interest of the Company is involved, the Company would also be guilty of the offence, and liability would extend to the “Officers in charge of Business” and “Directors” under acts such as the Companies Act and ITA 2000/8.

While the offence under Section 193 of IPC carries 7 years' imprisonment, the ITA 2000/8 offences carry 3 years' imprisonment.

I therefore advise that those who do not know how to produce Section 65B evidence should not take the risk of producing falsified evidence, as it may boomerang on them during the course of the trial when it is proved to have been falsified.

In Civil cases, when such falsification comes to the knowledge of the Court, it would be possible for the Judge to order that criminal action be initiated by the prosecution separately, either under IPC or ITA 2000/8. It may also be possible for the Court to initiate Contempt of Court proceedings for misleading the Court through falsified evidence.

Even in cases where an electronic evidence was present at one point of time but the litigant has failed to obtain a Section 65B certificate for it and it is subsequently no longer available, it is better to forego the presentation of the documentary evidence in the form of electronic documents and to proceed with the other evidence on hand, including oral evidence and witnesses, rather than trying to falsify the evidence with a compromised Section 65B certificate.

Naavi

Posted in Cyber Law

ACT Broadband blocks FTP access to clients

ACT Fibernet (Atria Convergence Technologies Pvt. Ltd.) is an Internet Service Provider which was the first (particularly in Bangalore) to offer internet access service over an optical fibre network. In view of the high bandwidth provided by the technology, and with no major competition, the Company expanded its business into several cities in India.

Now that Reliance Jio has started setting up its own optical fibre network, which has already been introduced in some cities on an experimental basis, ACT appears to be responding to the threat strangely: by degrading the existing service instead of shutting out the competition with improved services.

It has modified its tariff plan to create a new revenue model for the company by stripping the existing service of some of its features.

The Company has implemented a new tariff plan, without providing any notice to its customers, which restricts its internet service to the basic level of “Browsing” and “E Mail”. It has de-linked some aspects of “FTP access”, which some experts say has been done by blocking some open ports used for FTP access. Any requirement for such a service would now require a subscription to what the company calls a “Static IP address”, which may simply be a set of IP addresses for which full services are configured, as against other customers.

As a result of this change, for the users of ACT broadband service, “Secure FTP Access” has now become a “Value Added Service” for which a separate fee needs to be paid.

While it is the prerogative of any company to price its products as per its own plans, there is a need to remember that a change in tariff plan needs to be notified to the customer. Unfortunately, customer service may not be at the top of the agenda for the Company, as it refuses to inform its customers and refuses to even raise a proper bill. It has unilaterally degraded the service, hoping that most of the customers may not be able to understand why some of their services have stopped functioning.

It is interesting to note that a company which wants to lead in technology does not have the marketing acumen to take it to the next level, where it will have to compete with the likes of Reliance Jio.

Perhaps this gives a cue to Reliance Jio on how to enter the markets where ACT is now present, with a service offering that would be able to face the competition with some ease. Reliance Jio has in recent days demonstrated the marketing acumen it possesses to penetrate a market already entrenched with established players and create a dent overnight. ACT Fibernet would perhaps be easy prey for the marketing giant called Jio.

I look forward to an interesting battle when Reliance Jio enters the Bangalore market with its optic fiber services.

Naavi

Posted in Cyber Law

Why we need to defer the introduction of AEPS

The Aadhar based payment system, which is meant to capture biometrics and initiate banking transactions, is being pushed for implementation by June 30, 2017.

However, we request the authorities not to stand on false egos and try to introduce a system which could create a huge security hole in the financial ecosystem of the country.

The main problem in the proposed system is that there will be thousands of Business Correspondents, “Bank Mitras”, who will be authorised to carry biometric devices and initiate banking transactions. The concept is great, provided it has checks and balances to avoid misuse and fraud.

At present, it appears that the authorities have not taken sufficient steps to protect the users from the adverse impact of frauds.

Before we proceed further, I would like to draw the attention of the public to the recent incident in which 32 lakh debit cards were supposed to have been compromised through Hitachi ATMs, where the malware is presumed to have wormed its way to an NPCI controlled switch and compromised multiple banking systems. There are theories that the systems of multiple banks were compromised not through NPCI but because some card holders used the infected Yes Bank ATMs and then other banks' ATMs, spreading the infection. The exact nature of the infection is not known. However, the following article explains in detail one research report on the incident and is worth reading in full.

Report: India’s sluggish response to cyberattack that infected 3.2 million cards exposes its vulnerabilities

There is no doubt that all the compromised ATMs reported in the above incident were “Certified” by authorized vendors of RBI and the Banks. They were also under the direct control of licensed ATM operators, most of them Banks. There was physical security in the form of guards and electronic surveillance in the form of CCTVs. Despite this, the systems were compromised.

The compromise also prevailed in the system for a long time and nobody realized it until the damage was done. When breaches started happening, nobody reported them to CERT-In and there was every attempt to brush the controversy under the carpet. Security experts who were assigned the responsibility to conduct forensic audits ended up erasing evidence, not knowing the law of the land.

Finally there is an “Admission” by Hitachi that they accept responsibility, which makes things more suspicious as to whether they were trying to protect some other agency in the process which could also have been held either solely or collectively responsible for the breach.

In this background we need to see how secure the AEPS system is, where the biometric devices or Micro ATMs are held in the custody of the public and are out of sight of the regulators.

The devices are certified by some agency such as STQC as fit for use as per some standards, but are manufactured by different private sector companies, many of them from abroad. Some of these Micro ATMs may work as an application running on the Android OS.

While the certifying agencies may certify the functionality of the devices, it is a myth that these devices are tamper proof.

It is a common security understanding that any device to which a hacker has access for a prolonged period, in confidence, is subject to the risk of being manipulated with the introduction of a changed motherboard or a Manchurian chip add-on. In the past we have seen that POS devices for credit card swiping at merchants, supplied by China to UK merchants, were stealing data, and Scotland Yard had to conduct an elaborate exercise to identify and remove those devices. Very recently in India we have observed that petrol vending machines in Lucknow were tampered with to cheat customers of the quantity of petrol dispensed, by adding a chip in the circuit. Some time back, digital auto rickshaw meters in Bangalore were similarly tampered with by insertion of a chip in the meter.

It is therefore possible, and reasonably certain, that the Micro ATMs and POS systems using the Aadhar Enabled Payment System will be compromised in due course. This would result in the biometrics of customers being copied and reused on a systematic basis. This has also been demonstrated by Axis Bank and E Mudhra not so long ago.

Since some of these biometric devices may be imported from China to meet the rush, and also because they may be considered cheap, we may expect that backdoors may be installed in such equipment which could defeat the STQC audits and persist while the system goes into use.

We may recall that Volkswagen designed software to cheat the emission standard tests, giving false results during testing while resetting itself in actual usage, where emission standards were compromised for better pickup and power. Similarly, the manufacturers of this equipment could design their systems to behave well before STQC and turn rogue when they go into the usage environment.

In due course, therefore, there is a possibility that we are creating a network of financial devices which can be exploited by an enemy country in a Cyber War situation.

The Indian Election Commission (EC) recently faced a comparable challenge on the EVMs, as an AAP MLA showed how he could replace the motherboard if given access to the machine, and therefore how the elections could be tampered with. The EC, however, rightly pointed out that the EVMs used in actual elections would not be out of its sight and are randomly assigned to different booths, and hence cannot be tampered with as indicated by the AAP MLA.

The Aadhar Enabled Payment System has to take a cue from the EVM controversy and understand that, as regards the Micro ATMs and biometric devices, it does not have the controls which the EC has designed for EVMs.

It is not impossible to introduce security controls to prevent misuse, or to quickly catch a delinquent transaction if it happens, but such controls do not seem to exist in the current devices, which are standard devices meant for a different security scenario.

In future, we can get these devices manufactured by BEL or ECIL under close supervision and with all the security features which make tampering nearly impossible. But for this there is a need to take time and not rush the implementation of AEPS by June 30, 2017.

I wish the authorities would listen to this sane advice, unless they are ready to place the Indian financial system in jeopardy for the sake of impressing upon Mr Modi that we are technologically ahead of other countries in implementing digital payment systems.

Naavi

Posted in Cyber Law

The Bug in AEPS is in the biometric devices and BCs and not the UIDAI server… But the effect is the same

When Aadhar was in its initial stages, whenever security issues were raised with Mr Nandan Nilekani, he used to assure us that Aadhar is not a “Card” but only a database. Information in the Aadhar database never travels across the network; only “Yes” or “No” responses to queries travel. If there is any duplication, the de-duplication exercise will ensure that two people will not be issued the same Aadhar number, etc. He never accepted that things could change during implementation and that security holes could develop in the course of time.

Even now, to be fair to UIDAI, the leakage of Aadhaar data has happened outside the servers of UIDAI: firstly at the time of enrollment, when enrollment laptops were stolen in many places, and more recently when some Government departments put up Aadhar data on the web along with some benefit payment information. In between, frauds in enrollment occurred on a large scale in the name of people who could not provide proper fingerprints, because they had either lost their hands or their fingerprints were not good.

After the recent breach in which stored biometrics were used by Axis Bank and E Mudhra, some technical patch seems to have been found to detect such attempts in future. Just as the system tries to identify a “live” finger, a perfect match of two fingerprints is also flagged as doubtful.
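The check that paragraph describes, as an added example that is not code from this post or from UIDAI/NPCI: a toy matcher accepts a capture that is close enough to the enrolled reference, but flags a capture that is identical or near-identical to an earlier capture as a replay of a stored template, because a live finger never reproduces a previous reading exactly. The byte-string templates, the Hamming-similarity matcher and both thresholds are constructed assumptions standing in for a real minutiae or iris-code matcher.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

# Constructed example; the templates, thresholds and matcher are assumptions,
# not UIDAI's actual algorithm. Templates are fixed-length byte strings compared
# by bit-level Hamming similarity (fraction of agreeing bits).

ACCEPT_SIMILARITY = 0.80   # a genuine capture must be at least this close to the enrolled reference
REPLAY_SIMILARITY = 0.995  # a capture this close to an EARLIER capture is treated as a stored copy


def hamming_similarity(a: bytes, b: bytes) -> float:
    """Fraction of bits on which two equal-length templates agree."""
    if len(a) != len(b):
        raise ValueError("template length mismatch")
    differing = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return 1.0 - differing / (8 * len(a))


class ReplayAwareMatcher:
    """Matches captures against enrolled references and remembers past captures per subject."""

    def __init__(self) -> None:
        self.enrolled: Dict[str, bytes] = {}
        self.history: Dict[str, List[bytes]] = {}

    def enroll(self, subject: str, template: bytes) -> None:
        self.enrolled[subject] = template
        self.history[subject] = []

    def authenticate(self, subject: str, capture: bytes) -> Tuple[str, float]:
        """Return (decision, similarity to the enrolled reference) for one attempt."""
        reference = self.enrolled.get(subject)
        if reference is None:
            return "UNKNOWN_SUBJECT", 0.0
        score = hamming_similarity(reference, capture)
        if score < ACCEPT_SIMILARITY:
            return "REJECT", score
        # Liveness proxy: an identical or near-identical earlier capture means the
        # "finger" presented now is a replayed copy, not a fresh reading.
        for earlier in self.history[subject]:
            if hamming_similarity(earlier, capture) >= REPLAY_SIMILARITY:
                return "REPLAY", score
        self.history[subject].append(capture)
        return "OK", score


# --- constructed sample data ---------------------------------------------

def constructed_template(seed: str) -> bytes:
    """Deterministic 256-bit stand-in for an enrolled biometric template."""
    return hashlib.sha256(seed.encode()).digest()


def perturb(template: bytes, bit_positions: Iterable[int]) -> bytes:
    """Flip the given bits; simulates the natural variation between live readings."""
    out = bytearray(template)
    for pos in bit_positions:
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


def run_demo() -> List[str]:
    """Enrol one subject, then try two live captures, one replay and one impostor."""
    matcher = ReplayAwareMatcher()
    reference = constructed_template("constructed-subject-A")
    matcher.enroll("A", reference)
    live_1 = perturb(reference, range(0, 20))      # 20 of 256 bits differ: a plausible live reading
    live_2 = perturb(reference, range(100, 120))   # another live reading with different noise
    impostor = perturb(reference, range(0, 60))    # too far from the reference
    return [
        matcher.authenticate("A", live_1)[0],    # OK
        matcher.authenticate("A", live_1)[0],    # REPLAY: byte-identical to an earlier capture
        matcher.authenticate("A", live_2)[0],    # OK: close to the reference, not to live_1
        matcher.authenticate("A", impostor)[0],  # REJECT
    ]


if __name__ == "__main__":
    for step, decision in zip(["live", "replay", "live", "impostor"], run_demo()):
        print(f"{step:9s} -> {decision}")
```

Note that the replayed capture would have passed the ordinary reference match (it is exactly as close to the reference as the first live reading); only the comparison against earlier captures catches it.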

Thus UIDAI may claim that technologically they are up to any challenge as far as data protection at the server level is concerned.

UIDAI has also taken steps to ensure that the AUAs and ASAs are all “ITA 2008 compliant”, at least by declaration. If these agencies make a sincere attempt at ITA 2008 compliance, security would be taken to a slightly higher level, since more heads will focus on the issue, particularly from outside the technology professionals, whose vision would be clouded by the functionality of the software/hardware and who fail to take a holistic view.

But when we discuss the security or insecurity of the Aadhar Enabled Payment System (AEPS), we are not restricting our vision to only the “Technical Security” of the UIDAI server side. We are discussing the security vulnerabilities across the entire system of usage, which includes the Business Correspondents, Banks, NPCI and any other intermediary involved.

Now the biggest risk in AEPS comes from the biometric devices that are used by the Business Correspondents (BCs), who include many merchants and individuals. These merchants could be dishonest, or negligent and ignorant, causing misuse of the payment credentials which are shared by the customers.

There have been instances in the past of people selling goods below the market rates only to steal the credit card data either in offline “card present” transactions or online “card not present” transactions. It can happen even in AEPS transactions if the biometric data can be stored and replayed.

There have been instances of Trojans/Viruses affecting the POS systems stealing the card data. There have been also instances of Manchurian Chips being installed in POS machines for data stealing.

All these vulnerabilities can be relevant to AEPS also.

Man in the Middle attacks particularly of the Man in the Browser type are very much possible in the case of AEPS.

When AEPS is compromised in any manner, the entire chain of Bank accounts of a person could be compromised in one go, and money from multiple Bank accounts of the person can be wiped out in a single breach.

We know that in such a case UIDAI will not take any responsibility, and Banks will also try to wriggle out, placing the blame on everybody but themselves. NPCI is hidden behind the screens along with the App developers and software developers who specialize in releasing software with bugs and play with Zero day vulnerabilities.

Ultimately the customer is left to fight with the Police and blame them for not being able to solve Cyber Crimes.

Government has repeatedly refused to accept the principle of “Mandatory Cyber Insurance” to protect customers, and technology people are happy to experiment with the system since they are never questioned for any fraud.

With the present push on AEPS, what is happening is that customers are left with “No Alternative” but to accept AEPS. They can themselves avoid the use of the system, but they have no control over any fraudster impersonating them with the use of fake Aadhar cards.

We therefore urge the Government not to rush the introduction of AEPS in its current status. There is a need to take security measures that prevent frauds committed through social engineering and insider involvement.

Until such time, it is recommended that the introduction of AEPS should be deferred. I suppose that the solution could be worked out perhaps in about 3 to 6 months if the Government is keen.

Naavi

Posted in Cyber Law

Is AEPS a Digital Honey Trap?… Is there an Escape Plan?

In January 2017, an interim report of the NITI Ayog Committee of Chief Ministers on digital payments recommended:

1. To ensure wide-scale adoption of AEPS and Aadhaar Pay, banks need to be mandated to complete Aadhaar seeding of all their customers in a time bound manner. All banks must ensure that their AEPS gateway are up and running all the time and have proper reconciliation teams in place.
2. All Payment banks to be made interoperable on AEPS.
3. All BCs to be made interoperable on AEPS.
4. Biometric (Finger Print & Iris) sensors may be provided at 50% subsidy for all merchants to onboard on to AadhaarPay.
5. Rollout of Aadhaar Pay application riding on the AEPS platform may be expedited by encouraging banks to adopt the same. Bank branches to be given target to onboard merchants in their vicinity to adopt Aadhaar Pay with their existing android smartphone and biometric reader which would present a significantly cost-effective alternative compared to the traditional PoS infrastructure. There should be a bank-wise target to achieve 10 lakh active Aadhaar based merchant outlets by June, 2017 and 40 lakhs by December, 2017.
6. RBI should allow white-labelled business cum merchant correspondents for spreading AEPS PoS devices across the country. Common Service Centers (CSC), Department of Posts and India Post Payments Bank should be allowed to begin with. It be extended to other entities who meet the criteria prescribed by RBI.
7. NPCI and Banks should enable Iris authentication on AEPS so that people with worn out fingerprints are also able to do AEPS transactions.
8. All ATMs/Micro-ATMS/POS should be mandated to have Aadhaar biometric authentication facility from June 1, 2017.

RBI, vide its circular dated December 2, 2016, had also indicated that the deployment of Aadhar based devices should be completed by June 30, 2017.

As a result of these measures, there is a rush to implement the AEPS gateway and make it operational at the earliest.

Some of the Banks have already issued “Aadhar Cards” for their customers and obtained the IIN numbers assigned to them. While NPCI and NITI Ayog are excited and are pushing the implementation, RBI has no option but to oblige.

In all this excitement, the safety and security of the Indian Consumer appears to be the last and perhaps a lost priority.

The system as envisaged is creating a network of Bank accounts which are all interconnected with the Aadhar number, PAN number and mobile numbers, operating through NPCI switch/es which are also open to Banking software, mobile wallets, ATMs, UPI apps etc.

If any one of these network elements is compromised, there is a possibility of the entire financial system in India being compromised.

Aadhar was not designed for the kind of usage envisaged under AEPS. It was meant to be a confidential database with only the ability to send out binary responses of Yes or No when a specific query is made with reference to a parameter associated with an Aadhar Number or a biometric input. It was never meant to send out the entire data sheet on request with just the verification of an OTP. It was not meant to be used as an ID substitute nor as a sole KYC instrument. In this role, Aadhar data of individuals is getting broadcast widely and stored in innumerable places with many vendors and agents of vendors, where there is no control on privacy or security.

While it has helped the Government to check misuse of Direct Benefit Transfer, it has also opened other vulnerabilities that are a risk to those who have no interest in Direct Benefit Transfers. Today honest citizens have no control over their Aadhar and the linked PAN card being used in impersonation. Now, linking Bank accounts will further open the gateway to money transfer from the accounts of individuals whose Aadhar data was compromised somewhere by some vendor, like a mobile operator or a domestic gas supplier, if not a fraudulent banker.

The Aadhar system today is itself heavily dependent on the associated mobile numbers, where security is very lax and obtaining a duplicate SIM or a fake SIM is extremely easy. Since Bank accounts are operable under the USSD, UPI and AEPS systems, the entire security infrastructure of the Indian financial system will be at the mercy of the mobile identity of individuals.

Now all the SIM card vendors are also becoming Business Correspondents who can put their hands into my/our Bank account, and therein lies one of the major risks of the AEPS system.

Since mobile devices are already under the control of Chinese manufacturers, and innumerable viruses and trojans are already on the prowl on mobile devices, the Indian financial system will be at the mercy of China in a Cyber War situation. Since China is always on the side of Pakistan, this entire Chinese Cyber War machinery would be at the disposal of Pakistan.

Since there are any number of Pakistani dalals in India (some of whom have already requested that Pakistan should help them defeat Mr Modi), there will be enough traitors within the country who would welcome any development where Pakistan can discredit Mr Modi through a Cyber attack on his favourite “Digital Payment System”.

The proposed AEPS system is the last straw on the camel's back and will push the Indian financial system to a point of no return.

I therefore reckon that the Digital Payment System in India, as it is being conceived now, can turn out to be a honey trap for Mr Modi and the BJP and spoil the chances of the BJP winning the next Lok Sabha elections.

What the political Maha Gathbandhan cannot achieve, this financial Gathbandhan called AEPS can achieve.

Already, the Aadhar database has been compromised; there are many fake Aadhar IDs in circulation, and many more will come up in the coming days, because the cost of obtaining a fake Aadhar ID is as low as Rs 100/-, as indicated by the Pakistani nationals who were arrested in Bangalore recently.

The UPI system has its own weaknesses as indicated by the Bank of Maharashtra UPI fraud.

UIDAI is itself vulnerable to “Stored Biometric Replay” attack demonstrated by Axis Bank and E Mudhra.

Banks would do anything for a price, and if accounts are to be opened with manipulated KYCs, there are many Banks and branches which specialize in this.

Hence opening a bank account in the name of a fraudster, linked to a fake Aadhar card, is as easy as ABC.

It is this infrastructure, weak at a number of points, that the Government is now relying upon to introduce the Aadhar Based Payment System (AEPS) and link the biometrics of all Bank customers to the ability to pass debits to their Bank accounts.

The entire process has many loopholes and complies neither with the laws of the Banking industry nor with RBI's own guidelines.

Unfortunately, there appears to be no sane voice available to the Government to flag the risks, and even if some emerge, the counter force will drown such voices.

While innovations in technology are required and are inevitable, at each stage of transformation, we need to ensure that there are enough checks and balances to ensure the security of people who use the systems.

I think there is a huge gap between what needs to be done and what is being done by the technology intoxicated persons who are advising the Government agencies.

AEPS is a test case in which the commitment of these agencies to security is challenged. So far the technology administrators have not come out exuding confidence to the community.

There is no doubt that we can innovate technology solutions that can improve the security by many notches. But these solutions may not be available off the shelf. We need to create indigenous technology to protect the proposed AEPS objective of “Place your finger and transfer money”.

But one needs an eye to see, and a readiness to absorb higher costs, if the Government has to chart an escape plan from the trap it is entering. At present the Government is not able to see the risks properly and is therefore not thinking of the solutions that are required. The cost consideration is therefore yet to come onto the radar.

It is premature and inappropriate to discuss the technology solutions on this public platform, since it is a matter which even NITI Ayog recognizes as a “Patentable” innovation.

However, in the interest of preserving the political future of Mr Modi, we can state that the AEPS system as envisaged now (making allowance for the fact that some security aspects might have been introduced by UIDAI and not made public) may have risks that are not easily addressable in the current dispensation, and that this is likely to be a honey trap Mr Modi should guard against.

Naavi

Posted in Cyber Law

Behind the WannaCry adversity there is the silver lining of Cyber Insurance Awareness

The recent ransomware attacks with WannaCry have woken up the Indian corporate sector to the need for Cyber Insurance as a means of recovering the losses arising out of such attacks.

I refer to the article in the Economic Times today, where several industry executives have been quoted with their views on Cyber Insurance.

As readers here are aware, we conducted an all India survey two years back to document the awareness of Cyber Insurance amongst CISOs and CIOs in India, and found that most of them had very little understanding of the nuances of what constitutes Cyber Insurance.

Most CISOs do accept that “Transfer of Risks” is one of the four methods by which risks are managed (mitigation, avoidance and absorption being the other three). But in most practical situations it is the CFOs who take decisions on buying Cyber Insurance policies, the risks to be covered, the financial limits to be accepted etc., and CISOs are hardly allowed to link the Cyber Insurance needs of a company to the “Risk Mitigation efforts”.

Though RBI had mandated that banks should take Cyber Insurance against hacking, denial of service etc. way back in June 2001, hardly any Bank obtained such insurance until the last few years.

Companies started looking at insurance after their data vendor business partners in the USA and EU became concerned about the liabilities that could arise from breaches in outsourced operations and made it part of their business contracts.

Now the ransomware attacks have brought an urgent need for cover as a part of the Corporate Governance policy.

The ransomware attacks create two kinds of liabilities, namely

a) Cost of recovery of data and reputation management

b) Actual payment of ransom

In most cases of WannaCry demands, the actual ransom was up to 3 Bitcoins, which was about Rs 4-5 lakhs, and it was often less than the minimum self liability in most of the cases. Hence it was not considered for coverage.

But in principle, a ransom payment could be a claim under the policy, and we need to understand whether this is covered under insurance. We are aware that in another incident of a ransom demand on Wipro, there is a demand of up to Rs 500 crores, and hence the possibility of a ransom demand becoming a real liability is high.

It is understood that some Insurance companies provide specific coverage of ransom payments under an extension of the basic policy.

It is of course debatable whether ransom payments should be covered under “Insurance”, since a ransom is an “Illegal payment”. By covering the ransom payment as a genuine business expense, insurers would actually be providing an incentive for companies to be less vigilant in taking security measures, and would also encourage criminals by making it easier for the victims to pay the ransom.

We have also pointed out that there are many challenges in Cyber Insurance, including “Zero day Vulnerabilities”, the “Delay between identification of a vulnerability and its patching”, and the general apathy of companies that subordinate security measures to profitability.

The “Uberrimae Fidei” (utmost faith) nature of Cyber Insurance contracts makes it very difficult for the insured to really consider an insurance policy as an adequate risk cover, since they will always be at the mercy of the insurance companies at the time of a claim settlement.

We have therefore recommended that we take a cue from China, which has converted Insurance from a “Contract of Utmost faith” to a “Contract of honest disclosure”.

This is in the hands of IRDA, which needs to consider Cyber Insurance as a separate category of insurance, not club it with other forms of general insurance, and then apply the principle of “Contract of honest disclosure” to these policies.

Today the insurance terms are dictated only by the reinsurance writers, and hence IRDA needs to work with re-insurers to structure Cyber Insurance policies in a manner that will actually be useful to the insured when a Cyber attack materializes.

The user industry needs to come together and form its own consortium to guide, and if necessary lobby, the IRDA for a better structuring of Cyber Insurance plans that is acceptable both to the insurers and the insured.

Thanks to WannaCry, companies are now better aware of Cyber Insurance!

Naavi

Posted in Cyber Law