The brighter side of the hacking of Congress Twitter accounts

Just today, I sent a letter to the RBI Governor Mr Urjit Patel asking him to immediately issue the “Limited Liability Circular” of August 11th in an operational form. (Refer to this article)

The circular was first issued in draft form for public comments up to August 31. It is now three months since the close of public comments, but RBI has not yet re-issued the circular.

We had expressed our apprehension earlier that powerful vested-interest lobbies might prevent the RBI from going ahead, and unfortunately our apprehension has proved correct.

The letter sent today has been copied to the Finance Minister and the Prime Minister, and hopefully it will not be ignored.

In the meantime, the hacking of the Twitter accounts of Mr Rahul Gandhi and other INC accounts created a flutter today about the need for cyber security in the emerging digital India. Though the incident itself was relatively innocuous from the point of view of cyber security in digital India, the noise made by Congress workers in the TV studios today has drawn some public attention to the risks ahead of us, and to that extent we welcome the attention that cyber security deserves.

Just to place things on record, preliminary information indicates that e-mail accounts on the inc.in server may have been compromised, and that this resulted in the Twitter passwords being stolen, leading to what is now being called a hack. This is comparable to a website defacement and, despite the public outcry, is a low-priority cyber security event.

However, there is a possibility that the information in the compromised e-mail accounts has reached the hacker’s hands, and a faint possibility that it leads to a situation similar to the one Hillary Clinton is facing in the USA after e-mails connected to her campaign were stolen and published by WikiLeaks.

The view among cyber security specialists is that some of these account holders were possibly using weak passwords of the type “Password123” or “abcd1234”, which could have resulted in the compromise. Maybe this will be known in the next few days. The way Congress spokespersons were talking as if it were a national security issue was a little amusing.

On the other hand, the risks to digital India projects, including the now aggressively promoted digital banking systems, are very real and need to be addressed. The Government is now considering an Aadhar-based bank payment system, which brings its own risk vectors in addition to those of UPI, USSD codes and mobile wallets, besides Internet banking. Our bankers are yet to implement adequate security measures for Internet banking, which has been in use since around 2000, so there is no reason to believe they are ready to handle the risks associated with the other platforms.

The proposed system intends to make all bank accounts of a customer linked to Aadhar accessible through a mobile, using a biometric capture app or USB device, for all banking transactions. While the idea looks attractive, it would be a KYC-based account access that could expose Rs 50000/- from each of the customer’s accounts to the risk of hacking, unlike the limit of Rs 1000/- per month in PayTm-type mobile wallets. It will therefore increase the risks for uninformed customers several-fold.

In this context, defining the “Limited Liability” of customers under regulation, and providing “Cyber Insurance for All”, become essential for the survival of digital India as well as for Mr Modi’s political future.

This has been brought to the attention of Mr Modi himself through direct letters, but unfortunately there is no confirmation of any action taken, which suggests that the risk has not been recognised so far.

There is clearly a lack of support at the PMO level and at DeITy that would enable Mr Modi to focus on developmental projects without worrying about security issues.

It now appears that a committee of experts has been formed by the Government to further promote Aadhar-based payment systems, but there is no indication whether this committee will also take care of the security issues.

Knowing the composition of the team (which includes Mr Nandan Nilekani among others) and the pressing priority of finding a quick solution to the currency shortage, this committee will push the implementation of new avenues of digital banking further but will not focus on security.

The committee would be like any IT team in a company that focuses on functionality but does not prioritize security, which needs a separate infosec team to supervise it, along with a compliance team to ensure that the technical measures are within the legal framework.

It is the same lack of foresight that has placed the demonetization action under the judicial review of a generally hostile Supreme Court, which could have been avoided if better compliance consultancy had been available to the Government.

In other words, apart from the committee already formed, the Government needs an expert committee on “Security of Digital India Projects” and an expert committee on “Legal Compliance of IT and Information Security Initiatives of Digital India”.

Let’s hope that the Twitter hacking incident reminds Mr Modi to initiate the necessary action in this regard.

Naavi

Posted in Cyber Law

Responsibility of IT companies for Cyber Security

A debate has begun in Germany over whether the IT industry should be held responsible for security breaches affecting the public.

According to this report, “Leading German politicians have called for IT and telecoms equipment makers to be held liable for cyber attacks, after a failed attempt to hijack consumer router devices caused widespread disruption for Deutsche Telekom customers”.

The incident involved outages in Deutsche Telekom’s service caused by the attack on the routers.

The call for “Accountability” of IT equipment manufacturers, making them assume part of the risk of cyber attacks, has naturally invited criticism from the industry.

A similar question has been raised at naavi.org several times, particularly about companies that sell substandard software to banks and about manufacturers of equipment such as ATMs.

As per ITA 2000/8 there is a concept of “Vicarious Liability”, whereby an “Intermediary” or a “Company” is liable for any offence committed using the resources it manages unless “Due Diligence” has been exercised.

The concept of “Due Diligence” means that every IT stakeholder should take such steps as are necessary at his level to prevent cyber crimes from occurring. Otherwise it may be considered “Abetment” by “Passive assistance”.

There is no doubt that there has to be a limit up to which this argument can be carried, but the core concept of “Liability for Negligence” is necessary to keep the environment safe.

We often argue that civic authorities should be held liable if potholes on roads cause accidents. We want cinema hall owners or event organizers jailed if fire safety has been ignored and lives are lost, and we accept that automobiles or mobile phones are recalled for defects. If all this is fine, there is no problem in holding a software/IT equipment vendor responsible for damages caused by a product that fails some minimum expected quality standard.

The limit to which vendors should be subjected can be loosely defined as “if reasonable precautions are not taken”.

One area where software vendors are at fault is releasing software versions with known “Bugs” without proper “Documentation” when they pass ownership of the software to the buyer/licensee.

Software/equipment manufacturers must disclose the “Known Bugs” and must also declare that “Reasonable Testing processes have been adopted” to ensure that the product is free from known bugs. If a “Zero day Vulnerability” is then found, at least a nominal liability should be fixed on the vendor.

This is part of developing “Cyber Law Compliant” products sold through a “Cyber Law Compliant Process”, and must be adopted by all IT software/equipment vendors.

When cyber attacks arise from the exploitation of “back doors” deliberately left by vendors, sometimes for genuine reasons, without the consent of the buyers to keep them open, the liability should be borne completely by the vendors.

I hope that the call by German politicians is also taken as a wake-up call by Indian IT manufacturers, and that they initiate action to integrate Cyber Law Compliance into their processes without further delay. They should understand that such compliance does not end with the “Reasonable Security Practice” under Section 43A of ITA 2008 but extends much beyond it.

Naavi

Posted in Cyber Law

Yet another IRCTC Fraud unearthed

Readers of naavi.org have seen discussion of the IRCTC website being misused and hacked several times in the past. (Earlier articles can be found here: https://www.naavi.org/wp/index.php?s=irctc)

In a fresh development (see here), police have busted a gang that was committing the “Tatkal Booking Fraud”, booking tickets ahead of genuine travellers by manipulating the online booking system.

In the process, they appear to have used IP spoofing, call spoofing, captcha breaking and several other software tools, and they used social media to advertise their service. They are also reported to have used fake bank accounts, wallets and SIM cards, which points to KYC failures as well.

Police have arrested five prime accused and are taking further action.

Naavi

Posted in Cyber Law

Online Filing of Cyber Crime Complaints

A long-awaited measure to make the filing of cyber crime complaints easy has now been announced by the Central Government.

According to emerging news reports, the Government of India is setting up a central portal where such a complaint can be filed either by the victim or by any Good Samaritan. (refer here)

The complaint will be registered and numbered, and the jurisdictional police station will be alerted. The status of the complaint is updated at the appropriate levels so that it can be followed up.

This is a simple provision that was recommended a long time back and is now seeing the light of day. An earlier attempt was made in some states, including Karnataka, to introduce such a system, but it remained on paper since the police establishment did not support the move. Hopefully this time it becomes a reality.

Further details are awaited.

Naavi

Posted in Cyber Law | 1 Comment

Chinese Backdoor in Mobile Phones…need to eliminate Micromax Virus

In the past we have discussed the indications that China is preparing for supremacy in cyber war by various means. It is worth noting that, using the strength of cheap manufacturing, China has virtually become the hub of global IT device manufacturing. This has also given China the opportunity to manipulate the manufacturing of computers and mobiles and to install backdoors that enable data to be stolen from computing devices across the world.

It is therefore no surprise that a security firm has now revealed that firmware managed by a company called Shanghai Adups Technology, present in about 700 million phones worldwide, contains a backdoor capable of sending the full text of SMS messages, contact lists, call history with full telephone numbers, and unique device identifiers including IMEI and IMSI numbers. (Refer here)

It is stated that Adups firmware is used by 400 mobile operators, semiconductor vendors and device manufacturers, covering everything from smartphones to wearables to cars and televisions.

According to the security firm Kryptowire, text messages and call logs are transmitted every 72 hours and all other personally identifiable information every 24 hours, and the data is sent to four servers belonging to Adups.

This enables Adups to identify specific devices and track their activity. It gives the company the capability to track government officials and key business organizations wherever the phones are used. The author also sees in it a capability to disable the phones for a massive denial-of-access attack.
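To make the 24-hour/72-hour pattern concrete, here is an added example (not code from this page, from Kryptowire or from Adups) of how a network defender could look for such scheduled phone-home traffic in outbound connection logs: any destination that a device contacts at an almost constant interval is flagged, and its period is reported so that a 24 h or 72 h schedule stands out from ordinary browsing. The device names, hostnames and timestamps are constructed for the example; the hostnames are placeholders, not Adups servers.

```python
"""Flag destinations that a device contacts on a fixed schedule.

Added example: scans outbound connection records for (device, destination)
pairs whose inter-connection gaps are almost constant, which is what a
firmware component uploading every 24 h or 72 h looks like from the network.
All records and hostnames below are constructed placeholders.
"""
from collections import defaultdict
from statistics import mean, pstdev

HOUR = 3600


def _schedule(device, dst, period_s, jitters):
    """Build connection records at k * period_s plus a small jitter (seconds)."""
    return [(k * period_s + jitter, device, dst) for k, jitter in enumerate(jitters)]


# Constructed sample flows: (timestamp_seconds, device, destination host)
SAMPLE_FLOWS = (
    # phone-A uploads to one host every 24 h (jitter of a few minutes)
    _schedule("phone-A", "upload.example-ota.invalid", 24 * HOUR, [0, 60, -30, 45, 0])
    # ... and to another host every 72 h
    + _schedule("phone-A", "logs.example-ota.invalid", 72 * HOUR, [0, 120, -90, 30])
    # ordinary browsing from the same phone: irregular gaps
    + [(0, "phone-A", "cdn.example-news.invalid"),
       (5 * HOUR, "phone-A", "cdn.example-news.invalid"),
       (5 * HOUR + 600, "phone-A", "cdn.example-news.invalid"),
       (30 * HOUR, "phone-A", "cdn.example-news.invalid"),
       (31 * HOUR, "phone-A", "cdn.example-news.invalid"),
       (90 * HOUR, "phone-A", "cdn.example-news.invalid")]
    # phone-B has too few hits to judge
    + [(0, "phone-B", "upload.example-ota.invalid"),
       (24 * HOUR, "phone-B", "upload.example-ota.invalid")]
)


def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return {(device, dst): period_hours} for pairs seen at a near-constant
    interval.  A pair needs at least min_hits connections, and the relative
    spread of its gaps (stddev / mean) must not exceed max_jitter."""
    by_pair = defaultdict(list)
    for ts, device, dst in flows:
        by_pair[(device, dst)].append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        if pstdev(gaps) / avg <= max_jitter:
            findings[pair] = round(avg / HOUR, 1)
    return findings


def matches_schedule(period_hours, expected=(24, 72), tolerance=0.1):
    """True if a detected period is within tolerance of one of the expected
    upload schedules (in hours)."""
    return any(abs(period_hours - e) <= e * tolerance for e in expected)


if __name__ == "__main__":
    for (device, dst), period in sorted(find_beacons(SAMPLE_FLOWS).items()):
        tag = "matches reported schedule" if matches_schedule(period) else "other periodic traffic"
        print(f"{device} -> {dst}: every {period} h ({tag})")
```

On real data the same logic runs over NetFlow or proxy logs keyed by device and destination; the jitter threshold is the knob to tune, since a scheduler that fires on a timer is far more regular than any human-driven traffic.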

At this point of time the full list of brands that use Adups technology is not known, but it may include devices from Huawei and ZTE. (See here)

It is necessary for the world to wake up to this cyber intrusion and devise appropriate security measures to prevent any data leaving a mobile without the knowledge and permission of the phone’s owner. Since this is an offence under cyber crime laws everywhere, a criminal case has to be filed against the company Adups and followed up internationally.

As a long-term measure, Chinese IT devices should be completely eliminated from use by any critical Government or corporate employee, and probably by everybody else. This requires alternate manufacturing facilities to be set up.

India should also immediately start a dialogue with the incoming US President, Mr Donald Trump, on how the manufacturing of mobile phones can be moved out of China to India and the USA.

There should be a global cyber security initiative in this regard, led by India and the USA, to protect the globe from Chinese control of cyber space.

There is also a report that Micromax phones may be vulnerable to this threat (See here). On the basis of this article, it should be possible for an investigation to be launched in India, and the company may be charged under Section 43 and Section 66 of ITA 2008. This should bring out more details of the “Computer Contaminant”, and this “Micromax Virus” should be rooted out of India.

Naavi

Related Article:

Are any Mobile Phones Made outside China?

Clarification from Adups

Posted in Cyber Law

The Tesco Bank Attack..Yet another incident of Security Failure

The UK-based Tesco Bank recently observed suspicious transactions in around 40000 current accounts and had to temporarily suspend transactions in those accounts. Subsequently it was indicated that about 9000 accounts saw fraudulent withdrawals totalling about £2.5 million (about Rs 21 crores). The average loss per account was around Rs 21000/-.

Some reports allege that over 21000 accounts have seen fraudulent withdrawals, putting the potential loss at over Rs 50 crores.

Most of the fraudulent transactions occurred overseas, in countries such as Spain and Brazil.

The exact nature of the breach is yet to be ascertained or published. However, it appears to be a hack of the Bank’s systems at some level, caused by a failure of internal processes, including negligence by intermediary service providers. An investigation by the National Crime Agency is underway. We would not be surprised if this breach is eventually traced to a BPO located outside the UK, hopefully not in India.
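As an added illustration (not Tesco Bank’s own fraud controls, whose details are not public), the following Python sketch shows how a bank’s monitoring could surface a campaign of this shape from a transaction feed: an account with a purely domestic history that suddenly spends abroad is noted, and when several such accounts hit the same foreign country within a few hours, the events are grouped into one campaign alert rather than treated as individual travellers. Account ids, countries, amounts and timestamps are constructed for the example.

```python
"""Group first-time overseas spend across many accounts into a campaign alert.

Added example with constructed data.  Each transaction is
(timestamp_seconds, account, country, amount).  Accounts whose history is
entirely in the home country and that suddenly spend abroad are noted; when
several of them hit the same foreign country inside one window, that is
reported as a single campaign instead of many unrelated travellers.
"""
from collections import defaultdict

HOUR = 3600
T0 = 1_000_000  # constructed reference time for the suspicious burst

# Constructed transactions: (timestamp, account, country, amount)
SAMPLE_TXNS = [
    (0, "acct-1", "GB", 100), (T0, "acct-1", "ES", 250),
    (10, "acct-2", "GB", 40), (T0 + 600, "acct-2", "ES", 300),
    (20, "acct-3", "GB", 55), (T0 + 1200, "acct-3", "ES", 275),
    (30, "acct-4", "GB", 70), (T0 + 900, "acct-4", "BR", 260),
    # acct-5 travelled to Spain long before the burst: its first foreign
    # spend is old, so it must not be counted as part of the campaign
    (40, "acct-5", "GB", 90), (500_000, "acct-5", "ES", 80), (T0 + 300, "acct-5", "ES", 60),
    # acct-6 spends in Spain well outside the window
    (50, "acct-6", "GB", 20), (T0 + 30_000, "acct-6", "ES", 120),
]


def first_foreign_spend(txns, home="GB"):
    """Return {account: (timestamp, country, amount)} for each account's first
    transaction outside the home country."""
    first = {}
    for ts, acct, country, amount in sorted(txns):
        if country != home and acct not in first:
            first[acct] = (ts, country, amount)
    return first


def detect_campaigns(txns, window=6 * HOUR, min_accounts=3, home="GB"):
    """Slide a window over each foreign country's first-foreign-spend events and
    report the densest cluster that involves at least min_accounts accounts."""
    by_country = defaultdict(list)
    for acct, (ts, country, amount) in first_foreign_spend(txns, home).items():
        by_country[country].append((ts, acct, amount))
    alerts = []
    for country, events in by_country.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            hits = events[start:end + 1]
            if len(hits) >= min_accounts and (best is None or len(hits) > best["accounts"]):
                best = {"country": country, "accounts": len(hits),
                        "start": hits[0][0], "end": hits[-1][0],
                        "total": sum(amount for _, _, amount in hits)}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_campaigns(SAMPLE_TXNS):
        print(alert)
```

The per-account signal on its own is weak (customers do travel), which is why the grouping step matters: a cluster of first-ever foreign transactions from many accounts in one country within hours is what distinguishes a card-data compromise from ordinary travel, and it is the kind of pattern that justifies suspending transactions across the affected accounts, as the Bank did.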

For More information: Guardian.com report

Regulators are expected to impose a multi-million pound fine. (See report) The share price has also been adversely affected. Tesco has been offering 3% interest to current account customers and hence competing with the bigger banks, but this incident could put a brake on its business growth for some time. The general allegation is that the Bank has systematically neglected cyber security and that the breach is a result of that neglect... much like the Indian banks.

After the incident the Bank took steps to inform its customers through SMS and also put up a prominent note on its website indicating the latest position.

(Screenshots: the Tesco Bank website notice and its later update)

Indian banks often deliberately avoid notifying breaches on their websites and even to RBI. Such banks should take note of Tesco Bank’s response to the breach.

The complete update as available on the website is available here

The update contains an apology, contact information and an FAQ for further information. In contrast, Indian banks fail to admit breaches, refuse to refund the amount to the customer, deny their failure to notify customers individually and enter into prolonged legal battles with customers.

What RBI and Indian Banks should note

RBI should make a note of this incident and issue suitable instructions on “Data Breach Notification” for Indian banks. Of course, we need to remind RBI that it should not be a toothless advisory but an action-oriented directive. RBI should also stop cheating the public by issuing a draft circular for public comment and then going silent thereafter.

It has also recently come to light that RBI has not provided banks with any guideline on social media banking, and banks have started Twitter and Facebook banking on their own. Even after RBI was questioned in an RTI application, it has taken no action to distinguish Internet banking and mobile banking from the less secure Twitter and Facebook banking. This gross negligence on the part of RBI will come back to haunt Mr Urjit Patel sooner than he may anticipate.

Presently the banks are grappling with the “Note Exchange” program and in the process are using “Mobile Centers” armed with “Micro ATMs”. Customers will be exposing their banking credentials to these POS machines, which could create a new security risk.

We are not sure whether Indian banks and RBI are alert to the security issues. If the recent conduct of Vijaya Bank cashiers at M S Ramaiah Hospital in Bengaluru (sitting in a Maruti van with open doors and dispensing cash, instead of closing the doors and operating through the window), with no physical security at all, is any indication, banks may not even be aware of the risks to which they are exposing themselves and their customers in a bid to satisfy critical opposition politicians, who are habitual critics anyway and should be ignored.

Let us hope the current crisis in Indian banks passes off peacefully without a Tesco or SBI Card type of incident recurring.

Naavi

Posted in Cyber Law