Naavi.org

Yesterday, in the conclave on “Securing Cyber Space” at IIC, Delhi, experts from different NGOs spoke on the topic of Civil Society Consultations on Net issues such as net Neutrality and Internet Shutdowns before an august audience of Cyber Security professionals.

Naavi speaking on the occasion discussed the concerns of the civil society and how it needs to be addressed.

He recalled the instance when around the year 2000, Mumbai High Court listening to a public interest case on whether people should be asked to produce IDs for visiting Cyber Cafes mandated that an Internet article of Naavi was to be placed on the Government website of VSNL (at that time VSNL was the sole Internet service provider) along with the proposal of the Government and ensure that the larger public could react. This trend is what the Internet has brought to the domain of Civil Society consultations. In fact Draft E-commerce Act 1998 which was the pre-cursor to the current Information Technology Act was also perhaps the first legislatory “Bill” to be placed for public comments. Even recently we have seen that in the Bitcoin issue was discussed on the forum of MyGov.in to solicit public opinion.

RBI is also frequently placing draft regulations for public comments before they are finalized.

There is no doubt that this is the norm and in future all legislations when in draft form would be placed for public comments. It is a good practice and needs to be strengthened.

However, the consultations will have meaning only when proper representation of the “Civil Society” is allowed to contribute their views and the decision makers actually take those views into consideration.

We have some times seen that the web based collection of views is only a formality and public really donot know if the views really go into the decision making process as an input. There are also instances (eg Bitcoin consultation) that vested interests take over such consultation process and flood the forum like a Twitter troll with their views corrupting the process. In the Bitcoin issue, MCX which as an insider to the process of Bitcoin regulation was caught using the forum to express vested interests and it was left to vigilantes like the undersigned to call their unethical act.

Similarly, when RBI floated a “Limited Liability Draft Circular” on August 11, 2016 and closed the consultations on 30th August 2016, the final rule was expected soon after. But it took time upto July 6, 2017 for the draft circular to be confirmed and that too after the undersigned brought it to the attention of all concerned including our busy PM, FM and others. In this time there were many more banking frauds where the victims could not get timely reaction from the Banks. Though the final notification is well appreciated, the delay could have been avoided and indicated that there was perhaps some differences of opinion that had to be contended with.

Presently there  are many other issues such as AEPS, P2P lending, HDPSA, amendments to ITA 2008, new Data Protection Act, Cyber Insurance etc which are under different stages of development in which public consultation is called for.

If we observe how US has handled the HIPAA consultation process (Refer to the Final Omnibus Rule”) the document that was finally published discusses the various comments made and the reasons why it was considered or not considered. The process is trust building since public know why a certain rule was made.

We need to adopt such a process of “Revealing the public response” along with what were the views of the decision making committee on specific points made in the response (after filtering  troll like opinions) and why a decision was finally taken was in a particular manner should be used in all future consultations.

It is needless to say that when a more detailed consultation with physical meetings are held it is the duty of the consultative committee to ensure that the Civil society representatives they chose to consult are limited to the few vocal media facing persons located near the seat of power. There has to be consultations in other places down south also so that a wide set of view points are used before coming to the final decision.

(These are part of the discussions…will be continued)

Naavi

In a welcome development on the Bitcoin front, Supreme Court of India has taken note of the possible illegal use of Bitcoin and is reported to have questioned RBI on its inaction in taking a decision on Bitcoins. It has given a four week deadline to examine all security related issues pertaining o virtual currencies including bitcoin.

The Supreme Court has also sought information on the steps taken by the government and the RBI to ensure digital currencies aren’t used for terror funding and money laundering.

(See Report here)

It may be recalled that the Government of India has been examining the issue of whether Bitcoins have to be legalized in India and there has been a gathering of public opinion in this regard through the Mygov.in website last month. During that time there was a concerted effort from the industry to push the Government into taking a stand inclined to either recognize Bitcoin as a “Legal Tender” or atleast say that the Crypto Currency is being “Observed”.

Naavi.org has been repeatedly stating that Bitcoin and all other privately controlled crypto coins has no place in the economy and there is no option other than declaring them as “Illegal”.

However there is undoubtedly an effort to influence the Government into taking a decision in favour of Bitcoin legalisation mounted by the industry. Even the above  report in Cryptocoinnews.com ends up with a hope that “A Ban is highy unlikely”.

Any attempt to promote Bitcoin as a “Currency” that can be used for payment for goods and services is per-se violation of the RBI Act and those who indulge in such promotion may be punishable with imprisonment of 3 years.

It is no secret that Bitcoin is being used by criminals and terrorists and hence any thought of continuing its usage in India is completely unacceptable.

If Bitcoin is not immediately declared illegal, there is likely hood of more Indian Black money being converted into Bitcoins.

It is good that the Supreme Court has taken cognizance of these possibilities and put pressure on RBI to spell out its policy and not remain silent in this regard.

A report in Livemint.com quotes M/s Nisthit Desai, the legal firm that is representing some of the Bitcoin industry players suggests that the industry should “Self-regulate”.

It is not clear how can an illegal activity can “Self-regulate”. The law firm is trying to mislead the public that by what they call “Self regulation”, the ill effects of Bitcoin could be curtailed. The self-regulation that the industry is talking of is for the Bitcoin exchanges to follow KYC principles and identifying the buyers and sellers in the exchange. This will not make “Bitcoin” legal or “Bitcoin Exchange activity” legal. It is surprising that SEBI has not so far taken penal action on Bitcoin Exchanges for running the exchange business like a “Commodity Exchange” without any authority.

Supreme Court should have also pulled up SEBI for its inaction in this regard.

During the recent effort to gather public view on Bitcoin regulation through MyGov.in, there was an effort from MCX itself to support legalization of Bitcoins. When this was vehemently opposed by Naavi.org, the comment posted by MCX on the MyGov.in site was removed without any explanation. This indicated that there were perhaps corrupt elements within the Government who want Bitcoins to be legalized.

The Supreme Court observation and direction therefore may perhaps be making some people in the power corridors a bit uncomfortable.

We however welcome the direction of Supreme Court and urge RBI to immediately come out with

a) Declaration that Bitcoin being represented as “Currency” is punishable under RBI Act

b) Declaration that Bitcoin being traded like either a commodity or a foreign exchange currency is illegal and punishable under RBI Act

Since Bitcoin is per-se not legal, there is no further regulation that needs to be considered except to declare that any person in possession of Bitcoin is presumed to have acquired it illegally through the illegal exchange activity and hence is punishable.

The question of collecting tax also does not arise since the trading itself is illegal and any profits made there on is not legal ab-initio.

Criminal punishment may perhaps be spared if the holders voluntarily declare and hand over possession of their Bitcoin possession to the RBI for destruction like it is done when fake currency or drugs are confiscated.

It is observed that the Bitcoin exchange rate has fallen drastically in the last few weeks and it could be a result of the realization that India may not fall into the Bitcoin trap by allowing current status.

Another trap which RBI should avoid is to restrict its ban only on Bitcoin and leaving other AltCoins. It must be recognized that Bitcoin is easily convertible into other Altcoins and hence all privately controlled Crypto currencies must be considered as fungible and equally illegal. Hence the ban should extend to all such Crytpo Currencies.

Unless RBI introduces its own Crypto Currency, there is no scope for any other Crypto currency to be legally recognized in India. What is left is for the RBI to clear the air and remove the uncertainty that may encourage some innocent persons to invest their hard earned white money into Crypto Coins and lose.

Naavi

Also Read:

RBI and Government should not drift in deciding about Bitcoin …

Bitcoin Regulation… What the Government needs to do.

Bitcoin is a National Security Issue… SEBI and RBI must step in and …

Can we replace Bitcoin argument with a “Law Compliant Crypto …

If Bitcoin is legalized in India, the money supply will jump up by 50 …

Is it time for a worldwide ban on Bitcoin to stop Cyber Financial …

How Does Bitcoin break India into bits and pieces and realize the …

The Bitcoin Battle…Will it be Modi Vs ZebPay?…like Kumble Vs …

Fight Against Corruption now has a new Slogan: Say No to Bitcoins …

Is MCX of India involved in insider tampering of the Committee on …

say_no_bitcoins – Naavi.org 

Regulate Bitcoins through ITA 2000 notifications under Section 1(4 …

Will the Government succumb to Zebpay PR pressure? – Naavi.org

Close on the heels of China Cyber Security Law, we now have a draft of a comprehensive Cyber Security law from Singapore. Both are interesting pieces of legislation that requires a detailed analysis which we may keep for a later day.

These developments will obviously trigger a thought on whether India should also consider a similar law.

In India, we have the ITA 2008 which provides the office of the Director General, CERT-IN all the powers that is required to implement an effective Cyber Security plan across the Cyber Space. These powers are supplemented with Sections 69,69A and 69B which provides powers to the secretaries of Home and IT additional powers that can lead to Cyber Security related decisions. Once the Data Protection law comes in, there will be a “Data Protection Commissioner” in place.

Presently, RBI already regulates the Financial Sector which is the key sector for Cyber Security. CERT-IN is restricting its control mostly to the Critical Information Infrastructure and is not imposing itself on the private sector as regards Cyber Security issues.

Most of the objectives that the Singapore legislation tries to achieve can be achieved in India through notifications by the CERT-IN. Legal empowerment is already present and we may not need a separate law to reach our objectives though the temptation for a new law is always great.

Probably CERT-IN needs to expand its work force base to meet all the responsibilities that an Apex Cyber Security Organization needs to fulfill. It also needs to step out of Delhi and start a sub-office in places like Bengaluru to be in close touch with South India and the IT hub.

Such regrouping and enhancement of CERT-IN resources is perhaps a more effective option than to think of another separate law with overlapping powers for executives and additional expenditure for the Government.

Perhaps more discussion is needed on this aspect and the two day conference in Delhi on “Securing Cyber Space-2017” on July 14th and 15th should be one forum in which these discussions may start.

Naavi

Reference:

Singapore releases draft of a Cyber Security Law

China Cyber Security Law-analysis by KPMG

China Cyber Security Law

US Cyber Security Laws

Yesterday, after the NSE technical glitch, Naavi.org raised the suspicion that it could be a Cyber Attack probably emanating from China. Today, it appears that this angle is being pursued with further investigation by the Home Ministry taking into account other recent incidents that occurred recently.

According to this report in Hindu, “The government’s senior cyber security officials are looking into both the Airtel and Jio incidents to see if they were possible attacks,” ….” they expected to know more about the cases in the next few days”….”the attacks could have emanated from a neighbouring country.”

The incidents flagged include the 32 lakh debit card data that was breached, Network outage experienced by Airtel on July 7, and Jio data breach reported on July 9.

This “China Risk” has long been ignored by the Telecom industry in pursuance of “Profits at any cost”. A few years back, the Government had set up a “Security Certification Lab” at IISc in Bangalore to certify telecom equipments from security perspective after coming to know that some of these equipments had a backdoor apparently to enable remote servicing of the software. We have not heard much about the activities of this lab except that the operations of the lab were sponsored by none other than “Huawei” !. The logic of getting the activity sponsored by the Chinese equipment supplier with connections to the Chinese Government must be known only to the then Government and the officials who represented in the committee that supervised in this project.

It is not clear if our Government under Modi has come out of the clutches of Chinese influence and the perception is that it has not. In this context the caution sounded by the Home Ministry as per this report is welcome.

The report also says that  the Home Ministry official also said “We have been warning the telecom companies for long regarding the use of Chinese products. Earlier personalisation of SIM cards was being done by Bharat Sanchar Nigam Limited (BSNL) for a fee, but later on the contract was given to Chinese companies. Essentially all telephone data is with the Chinese and we had warned against this dependence,”

Now that the Home Ministry has flagged this issue, we need to see some action to remedy the situation.

I had recently pointed out the danger of using Chinese made Finger Print scanners to be used for Aadhar Enabled Payment System suggesting that the data would be diverted to China. I therefore suggested that unless we are able to develop “Tamper Proof” biometric scanners in the facilities of BEL or ECIL, we should defer the implementation of AEPS.

I wish that at least now the relevant ministry officials realize the risk of using imported Biometric devices in AEPS and ensure that we donot make the mistake of going ahead with AEPS without proper preparation.

We know that Jio uses a biometric device for registration of customers and we donot know if it is a Chinese made equipment. May be some of the security professionals check out with the Jio dealers and let us know if this could be one of the reasons how the Jio customer data was leaked. According to one report even the CDR data of 120 million Jio users is available in the dark web for a price. If this is so, then Jio has a lot to explain about its security preparedness. Probably the giant IT companies who are working with Jio in designing the systems some of them are Indian companies, need to explain their perspective of security in Jio.

I have a doubt that apart from the data that was leaked out, there is a possibility of Aadhar registered biometric data also being available in a stored form because all Jio customers were registered with Aadhar KYC.

Now the Government has asked other mobile service providers also to link Aadhar and some of them are stating that it would require biometric based KYC and not merely providing the Aadhar number. The risk of biometric data being leaked is therefore very much there in this process.

I therefore request the Government to ensure that no Chinese made biometric devices are being used by the mobile service providers to register Aadhar.

In the meantime we await the result of the investigations about NSE technical glitch to find out whether it was in deed a Cyber Attack from China as we surmise or it was really a normal technical glitch.

Naavi.org is fully in support of the movement to reduce the national dependence on Chinese products as a means of opposing the Chinese support to Pakistani terrorists through border skirmishes. Many feel that the Chinese dependency is so deep rooted that it would be difficult to impose “People’s Sanctions” that can really hurt China, but it is still a mark of protest that requires pursuing.

Naavi

At around 9.15 am today as soon as the markets opened, after the first few ticks, the NSE system developed a glitch and its cash market rates stopped getting updated.

Probably the contracts also did not get executed. However the F&O continued to operate and BSE continued to operate smoothly.

The system is expected to come online back at 10.45 am.

The exact reasons are being analyzed. Let’s wait and watch.

If the dislocation of NSE is a result of any malicious attack, this needs to be considered as a case of Cyber Terrorism and handled as such irrespective of the reputation of NSE.

Naavi

Update 1:

The obvious question is whether the systems had a crash because of some technical glitch such as balance loading failed or such other network related issues.

There is a possibility that there was a cyber attack also which may not be immediately be revealed.

The BCP however has taken around 75 minutes to pull back the system into operation.

SEBI needs to check the cause and then determine if it has to take any further action to prevent such happenings in future.

Over the last few days, there is an online movement to boycott Chinese products in India and according to one report the sales of Chinese products in India has come down by 60% during this period.

I see a distinct possibility that  China may be flexing its muscle in the Indian Cyber Space which could be a reason for the NSE glitch. CERT IN should conduct a special investigation keeping this angle in mind.

We may have to be careful on the NPCI infrastructure being targeted next and then the Aadhar.

I urge CERT In to create a special gateway to prevent Chinese intrusion into any of our critical information infrastructure.

Update 2:

The re-opening has now been further deferred and it is not able to re-open at 10.45 am.

Update 3:

The markets re-opened at 11.15 am. But the F&O is still frozen. It is probably because they have moved some of the servers from Futures to Cash handling.  After a while both servers have been stopped at around 11.18.

I suppose both will re-open simultaneously after a few more minutes.

Update 4:

NSE to re start operations at 12.30 pm.

Update 5:

NSE seems to have come back to normal operations after 12.30 pm. Analysis of the cause etc are awaited.

Update 6:

Finance Ministry is expecting SEBI to submit a report on the incident by the end of the day. I think CERT IN should also seek a report from NSE and SEBI and prepare its own report.

Final Take

This incident is a “Denial of Access” incident in a nationally important system and it requires reporting to CERT-IN under Section 70B. If NSE does not report and CERT-In does not assert its rights, it will encourage other private sector entities also to avoid reporting security incidents to CERT-IN.

Naavi

A Bold Initiative by RBI

Just as our PM Mr Modi bit the bullet by demonetizing the Rs 500/1000 notes despite the stiff resistance from many, RBI has bit the bullet in issuing the Zero Liability guideline on E Banking transactions.

We need to congratulate Mr Urjit Patel for showing the courage in issuing the circular without making any critically adverse changes to the draft circular released in August 2016.

In the past, whenever RBI tried to bring in Customer friendly regulations, Bankers have always resisted the changes and in such cases, RBI has always been the one to yield. When Damodaran Committee on Customer Services made some very good suggestions in 2011, the recommendations were not operationalized by RBI ostensibly because Bankers were not supportive. Some of the suggestions made in that committee is now part of the Zero Liability circular of July 6, 2017.

We hope the same boldness will characterize the two more guidelines that we are expecting from RBI in the near future namely the “Bitcoin Regulation” and “P2P Lending Guidelines”.

For the time being we are happy that Mr Urjit Patel and his team has responded with a concern for the consumers in the Digital India environment where there is a push from the Government for adoption of digital methods of payment for which part of the population is not mentally equipped and hence need regulatory support with compassion.

Banks need to be reminded that when RBI or concerned citizens are speaking of “Zero Liability”, we are speaking in the interest of genuine customers of the Bank on whom the Banks should be more concerned than us. Most of the time when Banks respond in a friendly manner and pay back the fraudulent amount lost, they will not only be winning a loyal customer back and preventing him from shifting out but also a person who will get many more good customers to the Bank. On the other hand, when Banks start litigating against the customer, they are actually condoning the actions of a fraudster in preference to a genuine, honest though some what gullible and negligent customer and losing him and his friends for ever.

We can see some of this concern also reflected in the RBI’s circular if we closely observe some of the wordings used.

The systems and procedures in banks must be designed to make customers feel safe about carrying out electronic banking transactions.

Banks should put in place a system of continually and repeatedly advising customers on how to protect themselves from electronic banking and payments related fraud.

The SMS alerts shall mandatorily be sent to the customers, while email alerts may be sent, wherever registered.

 The existing customers must also be individually informed about the bank’s policy.

Banks must provide customers with 24×7 access through multiple channels (at a minimum, via website, phone banking, SMS, e-mail, IVR, a dedicated toll-free help line, reporting to home branch, etc.) for reporting unauthorised transactions that have taken place and/ or loss or theft of payment instrument such as card, etc.

Banks shall also enable customers to instantly respond by “Reply” to the SMS and e-mail alerts and the customers should not be required to search for a web page or an e-mail address to notify the objection, if any.

Further, a direct link for lodging the complaints, with specific option to report unauthorised electronic transactions shall be provided by banks on home page of their website.

The loss/ fraud reporting system shall also ensure that immediate response (including auto response) is sent to the customers acknowledging the complaint along with the registered complaint number.

The communication systems used by banks to send alerts and receive their responses thereto must record the time and date of delivery of the message and receipt of customer’s response, if any, to them.

On receipt of report of an unauthorised transaction from the customer, banks must take immediate steps to prevent further unauthorised transactions in the account.

Banks may also at their discretion decide to waive off any customer liability in case of unauthorised electronic banking transactions even in cases of customer negligence.

 The burden of proving customer liability in case of unauthorised electronic banking transactions shall lie on the bank.

 Banks shall formulate/ revise their customer relations policy, with approval of their Boards, to cover aspects of customer protection, including the mechanism of creating customer awareness on the risks and responsibilities involved in electronic banking transactions and customer liability in such cases of unauthorised electronic banking transactions. 

The policy shall be displayed on the bank’s website along with the details of grievance handling/ escalation procedure. The instructions contained in this circular shall be incorporated in the policy.

As an ex-Banker, I have always treasured the slogan of our Bank “Good People to Grow With” and hope this should be remembered by the new generation Bankers who focus only on profits even if it is at the cost of a good customer.

I urge  Banks like ICICI Bank, Axis Bank, PNB and SBI who have many past pending litigation from their customers  to respond positively and apply the guidelines under this circular to all their present litigations by settling the disputes by mediating with the customers. There should be no ego barriers in agreeing to pay back the customers of the losses they were made to suffer because of Phishing or other problems.

Don’t Blame Victim Customers 

Today, I saw a report in Times of India in which a Banker was quoted as saying

“We have had cases where the customer swore he had never shared his credentials but it turned out that the electronic payment was made by family members using the customer’s credential,”. 

The comment is attributed to a retail head of a Private Bank. I suppose this person whose identity has not been provided in the report should remember that there are many many more cases in which the Bank employees are hand in glove with the fraudsters in committing the fraud.

If the Banks donot open accounts for fraudsters without proper KYC, most of the phishing frauds would not occur. If the Banks take care to inspect their ATMs and check the working of CCTVs, many of the ATM frauds donot occur. If the Banks are careful that their own employees donot leak the passwords to the fraudsters, many frauds would not happen. If the Bank’s Information Security team understands how to configure “Adaptive Authentication”, many of the frauds would not occur.

I need not stress how Bankers have indulged in frauds that facilitated in conversion of black money by opening benami accounts, granting loans against non existent properties, unviable loans to industrials in consideration of the bribes paid to the bank executives.

So blaming a negligent or ignorant victim-customer and pass derogatory remarks that he could be fraudulently claiming loss is deplorable.

I hope that this “Retail head” who is blaming the customers as “Fraudulent” should turn his head inwards and see where the bigger fraudsters can be found.

I wish that this person tenders an apology to the public for making such derogatory comments. he should appreciate that the customers who approach the Bank reporting a fraud are “Victims of Fraud” and even if he has been cheated by his own family members, or spouse or a driver or other close acquaintances, it does not make him a willing fraudster himself. He has to be treated with respect.

If this is not understood, that person is unsuitable to be a “Retail head” in a Banking institution. I wish his top bosses in the Bank take note of this.

I wish Times of India reveals the identity of this person and seeks an apology from him and Times Now takes this up as an indication of “VIP Arrogance” like the politicians who throw fish at the officials or use chappals to hit Airline officials.

Another Executive Director of a Private Bank is reported to have expressed unhappiness that they will have to invest more on SMS and Monitoring services.

….Dear friend,

If you cannot secure the transactions you want to profit from, you have to avoid the risk by refraining from E-Banking. Donot expect poor customers to take the cost of insuring themselves while Banks introduce services without proper security.

Next time when you travel on an airplane if you find that the airline is not following proper security measures, because it costs more money, will you tolerate?

Remember that Banks exist for the Customers and By the Customers and not the other way round.

Naavi.org will now keep watching how different Banks start responding to the new RBI circular and periodically we shall report on this website the compliance efforts taken by the Banks. I request customers of the Banks to report their observations. I also invite Banks to report their own measures of compliance in this regard.

Naavi.org will also try to create a Hall of Fame to recognize those banks who do more than others to follow the spirit of this RBI Circular by watching the developments as reported in the websites of these Banks.

Let their be a “Competitive Compliance Effort” between the Banks to be more compliant than the other and Customers gravitate towards those Banks who are Customer oriented and use Technology to provide better service than to simply make more profits. We will soon provide the parameters for evaluation of the “Compliance Index” with specific reference to this Circular and indicate it on this site. Suggestions in this regard from other Customer Service organizations and Concerned citizens are welcome.

In the first phase, we will chose the top 5 Banks and evaluate them for compliance after one month.  The Banks which will be observed for compliance in this first phase will be State Bank of India, Punjab National Bank, ICICI Bank, HDFC Bank and Axis Bank.

Watch out for this “First Hall of Fame Evaluation”  report by next month.

Naavi

Also Read :

Business News

Moneylife