Aadhar authentication is unreliable

[I am one of the vocal supporters of Mr Modi’s initiatives on the Note ban and other measures. However, it is necessary to bring instances such as the following to the attention of the public since they indicate the unknown risks that Mr Modi is taking in a bid to push his Digital India agenda. Before the opposition takes advantage of such comments and the media takes it up for discussion, I wish that the Modi Government would take corrective action. Unfortunately, Mr Modi is not only fighting the corrupt elements in other parties but also the bureaucracy. Hence many of his efforts are derailed by deliberate mismanagement by subordinate officers. Nowhere is such doubt more glaring than in the 2G-scam-tainted DeITy. I therefore urge Mr Modi and Mr R.S.Prasad to be doubly careful since there are many bureaucrats who may be waiting for an opportunity to put spokes in the wheels of development…Naavi]

Today, I went to one of the Jio dealers to get a new Jio SIM with aadhar based KYC. Several years after my Aadhar registration, this was the first time I saw a vendor using aadhar KYC, and I was happy. In fact this was the first time my fingerprint was tested against the Aadhar database for authentication, though my Aadhar number has been taken for KYC purposes at several places with a photocopy of the aadhar card/letter.

Unfortunately however, in this first attempt at authentication, my fingerprints did not pass successfully despite multiple attempts, and the vendor said that I need to re-register my fingerprints with UIDAI. In my presence, another customer was authenticated, and hence there was no problem with the vendor’s device; it was a denial of authentication at the server level or at an intermediary authentication service provider.

This meant that I suffered a “Denial of Service” from UIDAI which is an offence under Section 66 of ITA 2000/8.

Further, I got a doubt: if my fingerprint is not matching against my Aadhar number, then which other fingerprint might have been mapped to my aadhar number, and if so, does it mean that there has been a “Hacking” of my aadhar records, which is another offence under Section 66? Both warranted an immediate police complaint.

In the meantime, I checked the fingerprint again with another Jio vendor and to my great relief, I was successfully authenticated. This at least relieved me of the doubt that my aadhar data had been hacked, but my dissatisfaction about the “Denial of Service” remained. The incident meant that the e-KYC has still not become as reliable as it should be.

I therefore request UIDAI authorities to make public statistics of “False Negatives” and if possible “False Positives” from their experience. If necessary, UIDAI should conduct a massive testing to identify if the false negatives and positives are within reasonable limits. This is a duty that UIDAI owes to the public.

Secondly, the CEO of NITI Ayog recently brandished a Micro-USB-connected fingerprint reader for Android phones in a TV program. I tried to check its availability on the online stores and could not find it on Amazon, eBay, Snapdeal or Flipkart. Showing the device, he was promoting the use of digital wallets connected to e-KYC.

However, my experience on the unreliability of the e-KYC should raise a red flag on the digital push that Mr Modi is personally spearheading.

I request PMO and DeiTy to let me know what action they would take to improve the reliability of the e-KYC and reduce false negatives such as what I experienced today to the barest minimum. For this purpose we first need the metrics, and DeiTy needs to arrange for a pan India survey in this regard.
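The false-negative figure the post asks UIDAI to publish is only meaningful with a confidence bound and a statement of impact at scale, so here is an added illustration (not part of Naavi’s post) of how a survey of genuine e-KYC attempts would be summarised: the false reject rate with a Wilson 95% interval, and the number of enrolled people that rate implies would be turned away after repeated attempts. The survey counts, the three-attempt retry assumption and the independence of retries are constructed for illustration; the 1 billion enrolment figure is the one used later on this page.

```python
from math import sqrt

Z95 = 1.959964  # two-sided 95% standard-normal quantile


def wilson_interval(failures: int, attempts: int, z: float = Z95):
    """Wilson score interval for the false reject rate (failures / attempts).
    Chosen over the naive p +/- z*sqrt(p(1-p)/n) because it still gives a
    meaningful upper bound when a survey observes zero failures."""
    if attempts <= 0 or not 0 <= failures <= attempts:
        raise ValueError("need attempts > 0 and 0 <= failures <= attempts")
    p = failures / attempts
    z2 = z * z
    denom = 1 + z2 / attempts
    centre = (p + z2 / (2 * attempts)) / denom
    half = z * sqrt(p * (1 - p) / attempts + z2 / (4 * attempts ** 2)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def lockout_probability(frr: float, retries: int) -> float:
    """Probability that a genuine user fails every one of `retries` attempts.
    Constructed simplifying assumption: attempts are independent. Repeat scans
    of the same finger are in practice correlated, so this understates risk."""
    return frr ** retries


def denied_upper_bound(frr_upper: float, population: int, retries: int) -> int:
    """Number of enrolled people the upper FRR bound implies would be denied
    service after exhausting `retries` attempts."""
    return round(lockout_probability(frr_upper, retries) * population)


def survey_report(failures: int, attempts: int,
                  population: int = 1_000_000_000, retries: int = 3) -> dict:
    """Summarise a survey of genuine authentication attempts in the form the
    post asks for: point estimate, 95% interval, and scaled impact."""
    lo, hi = wilson_interval(failures, attempts)
    return {
        "frr_point": failures / attempts,
        "frr_ci95": (lo, hi),
        "denied_upper_bound": denied_upper_bound(hi, population, retries),
    }


if __name__ == "__main__":
    # Constructed survey: 1,000 genuine attempts, 10 rejected.
    print(survey_report(failures=10, attempts=1000))
```

A survey of only a few thousand attempts cannot distinguish a 0.1% from a 0.4% reject rate, which is why the upper bound, not the point estimate, is the number to publish.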

Naavi

Posted in Cyber Law

Report Fraudulent Note Exchanges by Bankers anonymously here

It was reported yesterday that raids by the IT department on the houses of two Government officials revealed that more than Rs 4 crores in new currency notes were held by them. Obviously this has been converted from black money holdings with the help of some dishonest Bank managers.

Similarly, in Delhi an Axis Bank branch was found to have converted over Rs 40 crores for black money owners.

In the process, genuine persons continued to suffer in the queues and political opponents of Mr Modi continued to blame him for all the ills.

We are aware that during the last 3 weeks, many bankers have worked hard to meet the goals with no extra reward, out of a sense of duty to serve the nation. It is only some bad apples here and there who actually tarnish the image of all the Bankers.

As an ex-Banker, I therefore feel that we need to ensure that dishonest Bank officers/Managers do not collude with black currency holders, by reporting such incidents to the IT department.

I am confident that in every branch where such a fraud has taken place, there will be at least one honest person who has witnessed the fraud and is today carrying the tag of a dishonest Bank employee.

Such honest bank officials, whether they are officers, clerks or messengers, can now turn whistleblowers on such incidents. Many of them may like to remain anonymous for obvious reasons.

To assist such persons, Naavi.org would offer to act as an “Ombudsman” to receive such information, anonymize the identity of the person and inform the relevant IT officers/PMO to take suitable action.

Any person wishing to send such information may send the details to naavi through e-mail as mentioned at http://www.e-ombudsman.in/ 

If we are able to bring out at least a few such frauds, it will be a tribute that we can pay to the persons who allegedly lost their lives waiting in the queue to withdraw their money.

Please spread this word widely.

Naavi


Addendum: On 16th December 2016, the Government made a formal appeal to the public to inform it of any black money issue at the e-mail: blackmoneyinfo@incometax.gov.in

Naavi

16th Dec, 2016


Posted in Cyber Law | 1 Comment

NITI Ayog to promote PIN less and Card less systems of payment to go cash less

One of the consequences of the demonetization drive, which was prompted as much by the declared need to suck out black money held in cash as to starve terrorists and Naxalites of their funding and dry out political parties’ cash holdings, is that we are suddenly left with an economy which is charging towards a cashless or less-cash economy. I am not sure if the forced pace of movement towards digitization of payment systems was factored into the demonetization decision.

It is in this context that the Niti Ayog’s suggestion of payments authenticated by Aadhar number on a mobile, without a PIN or password or even a Card, should be subjected to a security risk analysis, so that the increased risks it may bring are seen clearly.

According to the statement of the Niti Ayog and UIDAI authorities (Refer here), the mobiles would take a fingerprint input and an aadhar number input in an app and enable fund transfers, perhaps using both USSD and UPI interfaces, on a feature phone or a smart phone.

The first risk that we need to factor in here is that if the mobiles are Chinese-made, then the information, both the Aadhaar data and the payments, may get passed through Chinese servers, subjecting the country to a huge financial risk.

If the app is limited to Indian mobiles where some form of security oversight is possible, then we are still left with the OS-related hacking prospect. We cannot ignore that in the past the only attempt to provide security clearance to devices was made by a team led by IISc, funded by Huawei, and if the same team now vets the indigenously developed mobile phones, it is doubtful whether we are sufficiently mitigating the risk.

Since any such system places the two uncorrectable identity parameters, namely the biometric and the aadhaar number, in circulation across insecure networks, it will permanently compromise the Indian citizen’s privacy to a level where nothing but scrapping the aadhaar system will be able to restore a semblance of order.

I am not sure that the Government or the Niti Ayog has evaluated such risks, or how they are likely to handle a situation where the 1 billion aadhar holders’ biometric and financial records become available to the Chinese Government.

I request Mr Ajay Pandey of UIDAI and Amitabh Kant, CEO of NITI Ayog to clarify how they intend responding to this risk.

Naavi

Posted in Cyber Law

The Brighter side of hacking of Congress Twitter accounts

Just today, I had sent a letter to the RBI Governor Mr Urjit Patel to immediately issue the “Limited Liability Circular” of August 11th in an operational form. (Refer this article)

The circular was first issued in draft form for public comments up to August 31. Now, it is 3 months since the closure of the public comments but RBI has not yet re-issued the circular.

We had expressed our apprehension earlier that the powerful vested interest lobbies may prevent the RBI from going ahead and unfortunately, our apprehension has proved to be correct.

The letter sent today has been copied to the Finance Minister and the Prime Minister, and hopefully it will not be ignored.

In the meantime, the hacking of Twitter accounts of Mr Rahul Gandhi and other INC accounts created a flutter today about the need for Cyber Security in the emerging digital India. Though the current issue was relatively innocuous from the point of view of Cyber Security in Digital India, the noise made by the Congress workers in the TV studios today has attracted some public attention about the risks ahead of us and to that extent, we welcome the attention that Cyber Security deserves.

Just to place things on record, preliminary information indicates that the e-mails on the inc.in server might have been compromised, resulting in the Twitter passwords being stolen and leading to what is now being called hacking. This is similar to website defacements and, despite the public outcry, is a low-priority cyber security event.

However, there is a possibility that the information in the compromised e-mail accounts could have reached the hacker’s hands, and there is a faint possibility that it may lead to a situation similar to what Hillary Clinton is facing in the USA due to the Wikileaks hacking of her personal e-mail server.

The view of Cyber Security specialists is that some of these account holders must have been using weak passwords of the type “Password123” or “abcd1234” etc., which could have resulted in the compromise. Maybe this will be known in the next few days. The way Congress spokespersons were talking as if it was a national security issue was a little amusing.

On the other hand, the existence of risks to the digital India projects, including the now aggressively promoted digital banking systems, is very real and needs to be addressed. Government is now thinking of an Aadhar based bank payment system which could bring its own risk vectors, adding to those of UPI, the USSD codes and Mobile wallets, besides Internet banking. Our Bankers are yet to implement adequate security measures for Internet Banking, which has been in use since around 2000, and there is no way to consider that they are ready for handling the risks associated with other platforms.

The proposed system intends to make all bank accounts of a customer linked to Aadhar accessible through a mobile, using a biometric-capturing app/USB device, to enable all banking transactions. While the idea looks attractive, it would be a KYC based account access which can expose Rs 50000/- from each of the customer’s accounts to the risk of hacking, unlike the limit of Rs 1000/- per month in PayTm-type mobile wallets. This will therefore increase the risks for uninformed customers several fold.

In this context the need for the “Limited Liability” of customers to be defined under regulation and the provision of “Cyber Insurance for All” become essential for the survival of digital India as well as Mr Modi’s political future.

This has been brought to the attention of Mr Modi himself through direct letters, but unfortunately there is no confirmation of any action taken suggesting recognition of this risk so far.

There is definitely a lack of support at the PMO level and DeITy to enable Mr Modi to focus on the developmental projects without worrying about security issues.

Now it appears that a committee of experts has been formed by the Government to further promote Aadhar based payment systems but there is no indication if this committee would also take care of the security issues.

Knowing the composition of the team (which consists of Mr Nandan Nilekani among others) and the pressing priority of finding a quick solution to the currency shortage, this committee will further push implementation of new avenues of digital banking but will not focus on security.

The Committee would be like any IT team in a company which focuses on functionality but does not prioritize security, which needs a separate Infosec team to supervise, along with a compliance team to ensure that the technical measures are within the legal framework.

It is the lack of such foresight which has placed the demonetization action under the judicial review of a generally hostile Supreme Court, which could have been avoided if better compliance consultancy had been available to the Government.

In other words, apart from the committee already formed, the Government needs an expert committee on “Security of Digital India Projects” and an expert committee on “Legal Compliance of IT and Information Security Initiatives of Digital India”.

Let’s hope that the Twitter hacking incident will remind Mr Modi to initiate necessary action in this regard.

Naavi

Posted in Cyber Law

Responsibility of IT companies for Cyber Security

A debate has ensued in Germany over whether the IT industry should be held responsible for security breaches affecting the public.

According to this report, “Leading German politicians have called for IT and telecoms equipment makers to be held liable for cyber attacks, after a failed attempt to hijack consumer router devices caused widespread disruption for Deutsche Telekom customers”.

The incident involved outages that occurred in the system due to a cyber attack.

The call for “Accountability” of IT equipment manufacturers to assume part of the risk for cyber attacks has naturally invited criticisms from the industry.

A similar question has been raised at naavi.org several times, particularly about companies that sell substandard software for Banking, as well as manufacturers of equipment such as ATMs.

As per ITA 2000/8 there is a concept of “Vicarious Liability” whereby an “Intermediary” or a “Company” is liable for any offence committed with the use of the resources managed by the “Intermediary” or the “Company” unless “Due Diligence” is practiced.

The concept of “Due Diligence” means that every IT stakeholder should take such steps as are necessary at his level to prevent cyber crimes from occurring. Otherwise it may be considered as “Abetment” by “Passive assistance”.

There is no doubt that there has to be a limit up to which this argument can be carried, but the core concept of “Liability for Negligence” is necessary to ensure that the environment is kept safe.

We often argue that the civic authorities should be held liable if there are potholes on roads that cause accidents. We want cinema hall owners or event organizers to be jailed if fire safety has been ignored, causing loss of lives, and we accept that automobiles or mobiles are recalled for defects. If this is fine, there is no problem in considering a software/IT equipment vendor responsible for damages caused by a product failing some minimum expected quality standard.

The limit to which the vendors should be subjected can be loosely defined as “If reasonable precautions are not taken”.

One of the areas where software vendors are guilty is releasing software versions with known “Bugs” without proper “Documentation” when they pass on the ownership of the software to the buyer/licensee.

Software/Equipment manufacturers must disclose the “Known Bugs” and also declare that “Reasonable Testing processes have been adopted” to ensure that the product is free from known bugs. If therefore a “Zero day Vulnerability” is found, there has to be a liability fixed on the vendor, at least to a nominal extent.

This is part of developing “Cyber Law Compliant” products sold in a “Cyber Law Compliant Process” and must be adopted by all IT software/equipment vendors.

When cyber attacks arise due to exploitation of “back doors” deliberately left by the vendors, sometimes for genuine reasons, and the consent of the buyers is not taken for keeping them open, the liability should be borne completely by the vendors.

I hope that the call by German politicians is also considered a wake-up call for Indian IT manufacturers, and that they initiate actions to integrate Cyber Law Compliance into their processes without further delay. They should understand that such compliance does not end with “Reasonable Security Practice” under Section 43A of ITA 2008 but extends much beyond it.

Naavi

Posted in Cyber Law

Yet another IRCTC Fraud unearthed

Readers of naavi.org have seen discussion of the IRCTC website being misused and hacked several times in the past. (Earlier articles can be found here: https://www.naavi.org/wp/index.php?s=irctc)

In a fresh move (See here), police have busted a gang which was committing the “Tatkal Booking Fraud”, booking tickets fraudulently ahead of the genuine travellers by manipulating the online booking system.

In the process, they seem to have used IP spoofing, call spoofing, captcha breaking and several other software tools. They used social media for advertising their service. Additionally they are reported to have used fake Bank accounts and Wallets as well as SIM Cards, for which KYC failures were also responsible.

Police have been successful in arresting five prime accused and taking further action.

Naavi

Posted in Cyber Law