RBI may assume financial liability for Card frauds

RBI has clarified that any unreturned notes of denominations of Rs 500 and Rs 1000 will remain as unclaimed/claimable liability on their balance sheets but will not be transferred to Government in the form of dividend. It will therefore remain as a “Special Fund” arising out of demonetization.

I would like to draw the attention of the RBI as well as the Government and the Courts in India, besides the public, that on August 11, 2016, RBI issued a circular stating that under certain circumstances the victims of card frauds would have zero liability. Banks were mandated to send SMS alerts and victims were required to inform the Bank about any unauthorized transaction, after which there would be no liability for the card holder.

This circular was marked as “Draft for public comments” and August 31 was the last date for such comments. Until now there is no further information on the circular.

On 1st December 2016, the undersigned sent a letter to the Governor of RBI (Copy available here) under copy to the PM and FM. As per the speed post delivery information, the letters were received by the respective addressees on 3/12/2016 in Delhi and 5/12/2016 in Mumbai.

As mentioned in the said letter, in view of the silence of RBI, it is deemed that the circular of August 11th 2016 on limited liability is now operational.

As per the circular, Banks have to publish their policies on how they will handle delayed reporting of fraudulent transactions. Banks are also responsible for ensuring that SMS alerts are sent mandatorily to all card customers for every transaction, irrespective of the amount. Also, since most of the time the dispute with the Bank is about whether the alert SMS was sent or not, the Bank needs to assume the responsibility for providing the necessary evidence as and when required.

As regards the customer reporting the fraudulent transaction, Naavi will provide assistance to the victims to record their notice so that Banks cannot repudiate such notices having been received by them through the services of ceac.in and cyber-notice.in.

These services will be provided free of charge until 31st January 2016 or until further notice whichever is later.

If a proper service has been sent to the respective Bank and it continues to dispute the return of money to the victim customer, the victim may consider taking legal action not only for recovery of the dues but also for harassment etc.

We hope that victims will make use of such services so that the expected spurt in the cyber frauds following the recent demonetization and special thrust for digital payments does not result in personal losses for the newly converted digital India enthusiasts.

In the meantime, since Banks will raise a dispute of their own that RBI is responsible for the draft circular contents (since it has not been clarified that the circular is now operational), RBI may have to assume the liability on behalf of the banks. We therefore suggest that RBI may create a “Cyber Fraud Insurance Guarantee Fund” on the lines of DICGC and utilize the special reserve created out of the unreturned notes as a seed fund. Further, Banks may be required to pay up to, say, 2% of their card liabilities on a monthly basis as fees and build up the necessary fund base for this guarantee fund.

I draw the attention of the FM and PM to facilitate such a move.

I request my friends in Mumbai and Delhi to file appropriate RTI applications to know what follow up action has been taken by RBI/FM/PM on this issue.

Naavi


E-Pharmacy Regulations

In the last few months, there have been many start-ups in Bangalore and elsewhere that have introduced mobile app based services in the health care industry. Some of them have ventured into areas which may come under the provisions of the Pharmacy Act 1948. (Refer here under the link Rules & Regulations). Some of these Companies are functioning as e-Pharmacies, who also need to keep an eye on the effect of the “Pharmacy Practice Regulations 2015” on their business activities.

Additionally, the pharmacists will also be subject to the proposed Health Care Data Privacy and Protection Act. (Refer www.hdpsa.in).

According to the Pharmacy regulations, registered pharmacists need to maintain medical/prescription records for a period of 5 years. The pharmacist should be in a position to make them available on demand by the patient/authorized attendant. The pharmacist is bound to maintain the “Privacy” of patient information and the associated security when the information is maintained in electronic form.

The critical aspect of the regulations from the perspective of the App developers is that the definition of “prescription” takes cognizance of e-prescriptions.

The definition states, “Prescription” means a written or electronic direction from a Registered Medical Practitioner or other properly licensed practitioners such as Dentist, Veterinarian, etc. to a Pharmacist to compound and dispense a specific type and quantity of preparation or prefabricated drug to a patient.

The “Electronic direction” is considered as an “e-prescription” and has to meet all the requirements of a written prescription.

The requirements of a written prescription include the following:

(i) Prescriber’s office information – [Name, qualification, address & Regn. No.]
(ii) Patient information – [Name & address, Age, Sex, Ref. No.]
(iii) Date
(iv) Rx Symbol or superscription
(v) Medication prescribed or inscription
(vi) Dispensing directions to Pharmacist (or) subscription
(vii) Directions for patient [to be placed on label]
(viii) Refill, special labeling and/or other instructions
(ix) Prescriber’s signature and licence (or) Drug Enforcement Agency (DEA) number as required.

Hopefully, the e-pharmacies and e-prescription app developers take these into consideration before the department starts questioning them on the legality of their activities.

Naavi


Is Bangalore One collectively boycotting Aadhar-related services?

Today I visited the following 5 Bangalore One centers in South Bangalore

  1. Srinagar (Ramanjaneya Road)
  2. Srinivasanagar (80ft Road)
  3. BDA complex, Banashankari II stage
  4. N.R. Colony
  5. BBMP office near Ashoka Pillar

with a request to get my finger prints updated on my Aadhar card.

Unfortunately, the Aadhar service was not open in any of the offices. In some offices, a board had been put up saying that the service was temporarily suspended. It being a Sunday, there appeared to be only a few employees in the office, attending only to other activities. They were not authorized to handle Aadhar activities.

The impression I got was that Bangalore One as a policy is trying to shy away from Aadhar based services for some reason. I would request the e-Governance department of Karnataka to check and find out the reason.

On the basis of my enquiries, it appears that UIDAI or the Government has mandated that those who man these counters need to pass an examination and get certified. This of course is a good move and has to be supported. However, in the process, there appears to be a shortage of manpower with the requisite certification. Probably the certified workers would need to be paid a little extra compared to people at the other counters, and this needs to be handled by the Bangalore One agency.

Whatever the reason for the closure of Aadhar services, it is necessary that the e-Governance department of Karnataka conducts an audit of all Bangalore One offices and ensures that the services are restored immediately.

Also, in none of the above 5 offices were there officers to supervise, and there was no security for the one or two ladies who were working there with significant cash holdings. This is a security risk being imposed on these people.

Naavi


Aadhar authentication is unreliable

[I am one of the vocal supporters of Mr Modi’s initiatives on the Note ban and other measures. However, it is necessary to bring instances such as the following to the attention of the public since they indicate the unknown risks that Mr Modi is taking in a bid to push his Digital India agenda. Before the opposition takes advantage of such comments and the media takes it up for discussion, I wish the Modi Government would take corrective action. Unfortunately, Mr Modi is not only fighting the corrupt elements in other parties but also the bureaucracy. Hence many of his efforts are derailed by deliberate mismanagement by subordinate officers. Nowhere is such doubt more glaring than in the 2G-scam-tainted DeITy. I therefore urge Mr Modi and Mr R.S. Prasad to be doubly careful since there are many bureaucrats who may be waiting for an opportunity to put spokes in the wheels of development…Naavi]

Today, I went to one of the Jio dealers to get a new Jio SIM with Aadhar based KYC. Several years after my Aadhar registration, this was the first time I saw a vendor using Aadhar KYC, and I was happy. In fact this was the first time my fingerprint was tested against the Aadhar database for authentication, though my Aadhar number has been taken for KYC purposes at several places with a photocopy of the Aadhar card/letter.

Unfortunately, however, in this first attempt at authentication, my fingerprints did not pass successfully despite multiple attempts, and the vendor said that I needed to re-register my fingerprints with UIDAI. In my presence, another customer was authenticated, and hence there was no problem with the vendor’s device; it was a denial of authentication at the server level or at an intermediary authentication service provider.

This meant that I suffered a “Denial of Service” from UIDAI which is an offence under Section 66 of ITA 2000/8.

Further, I began to doubt: if my fingerprint does not match against my Aadhar number, then which other fingerprint might have been mapped to my Aadhar number, and if so, does it mean that there has been a “Hacking” of my Aadhar records, which is another offence under Section 66? Both warranted an immediate police complaint.

In the meantime, I checked the fingerprint again with another Jio vendor and, to my great relief, I was successfully authenticated. This at least relieved me of the doubt that my Aadhar data had been hacked, but my dissatisfaction about the “Denial of Service” remained. The incident meant that e-KYC has still not become as reliable as it should be.

I therefore request the UIDAI authorities to make public the statistics of “False Negatives” and, if possible, “False Positives” from their experience. If necessary, UIDAI should conduct massive testing to identify whether the false negatives and positives are within reasonable limits. This is a duty that UIDAI owes to the public.

Secondly, the CEO of NITI Ayog recently brandished a Micro-USB-connected fingerprint reader for Android phones in a TV program. I tried to check its availability on the online stores and could not find it on Amazon, eBay, Snapdeal or Flipkart. Showing the device, he was promoting the use of digital wallets connected to e-KYC.

However, my experience on the unreliability of the e-KYC should raise a red flag on the digital push that Mr Modi is personally spearheading.

I request the PMO and DeiTy to let me know what action they would take to improve the reliability of e-KYC and reduce false negatives such as what I experienced today to the barest minimum. For this purpose we first need the metrics, and DeiTy needs to arrange for a pan-India survey in this regard.

Naavi


Report Fraudulent Note Exchanges by Bankers anonymously here

It was reported yesterday that raids by the IT department on the houses of two Government officials revealed that more than Rs 4 crores of new currency were held by them. Obviously this has been converted from black money holdings with the help of some dishonest Bank managers.

Similarly, in Delhi an Axis Bank branch was found to have converted over Rs 40 crores for black money owners.

In the process, genuine persons continued to suffer in the queues and political opponents of Mr Modi continued to blame him for all the ills.

We are aware that during the last 3 weeks, many bankers have worked hard to meet the goals with no extra reward, out of a sense of duty to serve the nation. It is only some bad apples here and there who actually tarnish the image of all the Bankers.

As an ex-Banker, I therefore wish to ensure that dishonest Bank officers/Managers do not collude with black currency holders, by reporting such incidents to the IT department.

I am confident that in every branch where such a fraud has taken place, there will be at least one honest person who has witnessed the fraud and is today carrying the tag of a dishonest Bank employee.

Such honest bank officials, whether they are officers, clerks or messengers, can now turn whistleblowers of such incidents. Many of them may like to remain anonymous for obvious reasons.

To assist such persons, Naavi.org would offer to act as an “Ombudsman” to receive such information, anonymize the identity of the person and inform the relevant IT officers/PMO to take suitable action.

Any person wishing to send such information may send the details to Naavi through e-mail as mentioned at http://www.e-ombudsman.in/

If we are able to bring out at least a few such frauds, it will be a tribute that we can pay to the persons who allegedly lost their lives waiting in the queue to withdraw their money.

Please spread this word widely.

Naavi


Addendum: On 16th December 2016, the Government made a formal appeal to the public to inform them of any black money issue at the e-mail: blackmoneyinfo@incometax.gov.in

Naavi

16th Dec, 2016



NITI Ayog to promote PIN-less and Card-less systems of payment to go cashless

One of the consequences of the demonetization drive, which was prompted as much by the declared need to suck out black money held in cash form as to starve terrorists and Naxalites of their funding and to dry out the cash holdings of political parties, is that we are suddenly left with an economy which is charging towards a cashless or less-cash economy. I am not sure if the forced pace of movement towards digitization of payment systems was factored into the demonetization decision.

It is in this context that the Niti Ayog’s suggestion of payments authenticated by Aadhar number on a mobile, without a PIN or password or even a Card, should be subjected to a security risk analysis for the increased risks it may bring.

According to the statement of the Niti Ayog and UIDAI authorities (Refer here), the mobiles would take a fingerprint input and an Aadhar number input in an app and enable fund transfers, perhaps using both USSD and UPI interfaces, on a feature phone or a smart phone.

The first risk that we need to factor in here is that if the mobiles are Chinese made, then the information both of Aadhaar as well as the payments may get passed through Chinese servers subjecting the country to a huge financial risk.

If the app is limited to Indian mobiles where some form of security oversight is possible, then we are still left with the OS-related hacking prospect. We cannot discount that in the past the only attempt made to provide security clearance to devices was by a team led by IISc under the funding of Huawei, and if the same team now vets the indigenously developed mobile phones, it is doubtful whether we are sufficiently mitigating the risk.

Since any such system places the two uncorrectable identity parameters, namely the biometric and the Aadhaar number, in circulation across insecure networks, it will permanently compromise the Indian citizen’s privacy to a level where nothing but scrapping the Aadhaar system will be able to restore a semblance of order.

I am not sure that the Government or the Niti Ayog has evaluated such risks, or how they are likely to handle a situation where the biometric and financial records of 1 billion Aadhar holders become available to the Chinese Government.

I request Mr Ajay Pandey of UIDAI and Amitabh Kant, CEO of NITI Ayog to clarify how they intend responding to this risk.

Naavi
