Report Fraudulent Note Exchanges by Bankers anonymously here

It was reported yesterday that two of the Government officials whose houses were raided by the IT department were found holding more than Rs 4 crores in new currency notes. Obviously this has been converted from black money holdings with the help of some dishonest Bank managers.

Similarly, in Delhi an Axis Bank branch was found to have converted over Rs 40 crores for black money holders.

In the process, genuine persons continued to suffer in the queues and political opponents of Mr Modi continued to blame him for all the ills.

We are aware that during the last 3 weeks, many bankers have worked hard to meet the goals with no extra reward, out of a sense of duty to serve the nation. It is only some bad apples here and there who actually tarnish the image of all the Bankers.

As an ex-Banker, I therefore wish that we ensure that dishonest Bank officers/Managers do not collude with black currency holders, by reporting such incidents to the IT department.

I am confident that in every branch where such a fraud has taken place, there will be at least one honest person who has witnessed the fraud and is today carrying the tag of a dishonest Bank employee.

Such honest bank officials, whether they are officers, clerks or messengers, can now turn whistleblowers of such incidents. Many of them may like to remain anonymous for obvious reasons.

To assist such persons, Naavi.org would offer to act as an “Ombudsman” to receive such information, anonymize the identity of the person and inform the relevant IT officers/PMO to take suitable action.

Any person wishing to send such information may send the details to naavi through e-mail as mentioned at http://www.e-ombudsman.in/

If we are able to bring out at least a few such frauds, it will be a tribute that we can pay to the persons who allegedly lost their lives waiting in the queue to withdraw their money.

Please spread this word widely.

Naavi


Addendum: On 16th December 2016, the Government made a formal appeal to the public to inform them of any black money issue at the e-mail: blackmoneyinfo@incometax.gov.in

Naavi

16th Dec, 2016



NITI Ayog to promote PIN less and Card less systems of payment to go cash less

One of the consequences of the demonetization drive, which was prompted as much by the declared need to suck out black money held in cash as to starve terrorists and Naxalites of their funding and to dry out the cash holdings of political parties, is that we are suddenly left with an economy which is charging towards a cashless or less-cash economy. I am not sure if the forced pace of movement towards digitization of payment systems was factored into the demonetization decision.

It is in this context that the NITI Ayog's suggestion of payments authenticated by Aadhaar number on a mobile, without a PIN or password or even a Card, needs to be subjected to a security risk analysis, since it brings with it increased risks.

According to the statement of the NITI Ayog and UIDAI authorities (Refer here), the mobiles would take a fingerprint input and the Aadhaar number as input in an app and enable fund transfers, perhaps using both USSD and UPI interfaces, on a feature phone or a smartphone.

The first risk that we need to factor in here is that if the mobiles are Chinese made, then the Aadhaar information as well as the payment information may get passed through Chinese servers, subjecting the country to a huge financial risk.

If the app is limited to Indian mobiles where some form of security oversight is possible, then we are still left with the OS-related hacking prospect. We cannot discount that in the past the only attempt made to provide security clearance to devices was by a team led by IISc under funding from Huawei, and if the same team now vets the indigenously developed mobile phones, it is doubtful if we are sufficiently mitigating the risk.

Since any such system places the two uncorrectable identity parameters, namely the biometric and the Aadhaar number, in circulation across insecure networks, it will permanently compromise the Indian citizen's privacy to a level where nothing but scrapping the Aadhaar system will be able to restore a semblance of order.

I am not sure that the Government or the NITI Ayog has evaluated such risks and how they are likely to handle a situation where the biometric and financial records of 1 billion Aadhaar holders become available to the Chinese Government.

I request Mr Ajay Pandey of UIDAI and Amitabh Kant, CEO of NITI Ayog, to clarify how they intend to respond to this risk.

Naavi


The Brighter side of hacking of Congress Twitter accounts

Just today, I had sent a letter to the RBI Governor Mr Urjit Patel to immediately issue the “Limited Liability Circular” of August 11th in an operational form. (Refer this article)

The circular was first issued in draft form for public comments up to August 31. Now, it is 3 months since the closure of public comments, but RBI has not yet re-issued the circular.

We had expressed our apprehension earlier that the powerful vested interest lobbies may prevent the RBI from going ahead and unfortunately, our apprehension has proved to be correct.

The letter sent today has been marked as copy to the Finance Minister and the Prime Minister and hopefully it would not be ignored.

In the meantime, the hacking of the Twitter accounts of Mr Rahul Gandhi and other INC accounts created a flutter today about the need for Cyber Security in the emerging digital India. Though the current issue was relatively innocuous from the point of view of Cyber Security in Digital India, the noise made by the Congress workers in the TV studios today has attracted some public attention to the risks ahead of us, and to that extent we welcome the attention that Cyber Security deserves.

Just to place things on record, preliminary information indicates that the e-mails on the inc.in server might have been compromised, resulting in the Twitter passwords being stolen and leading to what is now being called hacking. This is similar to website defacements and, despite the public outcry, is a low-priority cyber security event.

However, there is a possibility that the information in the compromised e-mail accounts could have reached the hacker's hands, and there is a faint possibility that it may lead to a situation similar to what Hillary Clinton is facing in the USA due to the Wikileaks hacking of her personal e-mail server.

The view of Cyber Security specialists is that possibly some of these account holders must have been using weak passwords of the type "Password123" or "abcd1234" etc., which could have resulted in the compromise. Maybe this will be known in the next few days. The way Congress spokespersons were talking as if it was a national security issue was a little amusing.

On the other hand, the existence of risks to the digital India projects, including the now aggressively promoted digital banking systems, is very real and needs to be addressed. The Government is now thinking of an Aadhaar-based bank payment system which could bring its own risk vectors, in addition to those of UPI, USSD codes and Mobile wallets, besides Internet banking. Our Bankers are yet to implement adequate security measures for Internet Banking, which has been in use since around 2000, and there is no way to consider that they are ready for handling the risks associated with other platforms.

The proposed system intends to integrate all bank accounts of a customer linked to Aadhaar so that they are accessible through a mobile using a biometric capturing app/USB device, enabling all banking transactions. While the idea looks attractive, it would be a KYC-based account access which can expose Rs 50000/- from each of the customer's accounts to the risk of hacking, unlike the limit of Rs 1000/- per month in PayTm-type mobile wallets. This will therefore increase the risks for uninformed customers several fold.

In this context, the need for the "Limited Liability" of customers to be defined under regulation and the provision of "Cyber Insurance for All" become essential for the survival of digital India as well as Mr Modi's political future.

This has been brought to the attention of Mr Modi himself through direct letters, but unfortunately there is no confirmation of any action taken that would suggest recognition of this risk so far.

There is definitely a lack of support at the PMO level and at DeITy to enable Mr Modi to focus on the developmental projects without worrying about security issues.

Now it appears that a committee of experts has been formed by the Government to further promote Aadhaar-based payment systems, but there is no indication whether this committee would also take care of the security issues.

Knowing the composition of the team (which consists of Mr Nandan Nilekani among others) and the pressing priority of finding a quick solution to the currency shortage, this committee will further push the implementation of new avenues of digital banking but will not focus on security.

The Committee would be like any IT team in a company which focuses on functionality but does not prioritize security, which needs a separate Infosec team to supervise, along with a compliance team to ensure that the technical measures are within the legal framework.

It is the lack of such foresight which has placed the demonetization action under the judicial review of a generally hostile Supreme Court, which could have been avoided if better compliance consultancy had been available to the Government.

In other words, apart from the committee already formed, the Government needs an expert committee on "Security of Digital India Projects" and an expert committee on "Legal Compliance of IT and Information Security Initiatives of Digital India".

Let’s hope that the Twitter hacking incident will remind Mr Modi to initiate necessary action in this regard.

Naavi


Responsibility of IT companies for Cyber Security

A debate has ensued in Germany on whether the IT industry should be held responsible for security breaches affecting the public.

According to this report, "Leading German politicians have called for IT and telecoms equipment makers to be held liable for cyber attacks, after a failed attempt to hijack consumer router devices caused widespread disruption for Deutsche Telekom customers".

The incident involved outages in the system caused by a cyber attack.

The call for "Accountability" of IT equipment manufacturers, making them assume part of the risk of cyber attacks, has naturally invited criticism from the industry.

A similar question has been raised at naavi.org several times, particularly about companies who sell substandard software for Banking as well as manufacturers of equipment such as ATMs.

As per ITA 2000/8 there is a concept of "Vicarious Liability" whereby an "Intermediary" and a "Company" are liable for any offence committed with the use of the resources managed by the "Intermediary" or the "Company" unless "Due Diligence" is practiced.

The concept of "Due Diligence" means that every IT stakeholder should take such steps as are necessary at his level to prevent cyber crimes from occurring. Otherwise it may be considered "Abetment" by "Passive assistance".

There is no doubt that there has to be a limit up to which this argument can be carried, but the core concept of "Liability for Negligence" is necessary to ensure that the environment is kept safe.

We often argue that the civic authorities should be held liable if there are potholes on roads that cause accidents. We want cinema hall owners/event organizers to be jailed if fire safety has been ignored causing loss of lives, and automobiles or mobiles are recalled for defects. If this is fine, there is no problem in holding a software/IT equipment vendor responsible for damages caused by the product failing some minimum expected quality aspects.

The limit to which the vendors should be subjected can be loosely defined as “If reasonable precautions are not taken”.

One of the areas where software vendors are guilty is releasing software versions with known "Bugs" without proper "Documentation" when they pass on the ownership of the software to the buyer/licensee.

Software/Equipment manufacturers must disclose the "Known Bugs" and also declare that "Reasonable Testing processes have been adopted" to ensure that the product is free from known bugs. If therefore a "Zero day Vulnerability" is found, there has to be a liability fixed on the vendor, at least to a nominal extent.

This is part of developing “Cyber Law Compliant” products sold in a “Cyber Law Compliant Process” and must be adopted by all IT software/equipment vendors.

When cyber attacks arise due to exploitation of "back doors" deliberately left by the vendors, sometimes for genuine reasons, and the consent of the buyers is not taken for keeping them open, the liability should be borne completely by the vendors.

I hope that the call by German Politicians is also considered a wake-up call for Indian IT manufacturers and that they initiate actions to integrate Cyber Law Compliance into their processes without further delay. They should understand that such compliance does not end with "Reasonable Security Practice" under Section 43A of ITA 2008 and extends much beyond.

Naavi


Yet another IRCTC Fraud unearthed

Readers of naavi.org have seen discussion of the IRCTC website being misused and hacked several times in the past. (Earlier articles can be found here: https://www.naavi.org/wp/index.php?s=irctc)

In a fresh move (See here), police have busted a gang which was committing the "Tatkal Booking Fraud", booking tickets fraudulently ahead of genuine travellers by manipulating the online booking system.

In the process, they seem to have used IP spoofing, call spoofing, captcha breaking and several other software tools. They used social media to advertise their service. Additionally, they are reported to have used fake Bank accounts and Wallets as well as SIM Cards, where KYC failures were also responsible.

Police have been successful in arresting five prime accused and taking further action.

Naavi


Online Filing of Cyber Crime Complaints

A long awaited measure to make filing of Cyber Crime Complaints easy has now been announced by the Central Government.

According to the emerging news reports, the Government of India is setting up a central portal where such a complaint can be filed either by a victim or by any good samaritan. (refer here)

The complaint will be registered and numbered, and the jurisdictional police station will be alerted. The status of the complaint gets updated at appropriate levels so that it can be followed up.

This is a simple provision that was recommended a long time back and is now seeing the light of day. An earlier attempt was made in some states, including Karnataka, to introduce such a system, but it remained on paper since the police establishment did not support the move. Hopefully this time it is a reality.

Further details are awaited.

Naavi
