RBI cannot remain silent... and neither can NPCI, CERT and the Ministers of Home, IT and Finance

Naavi.org has pointed out several times in the past the security risks in the Indian banking system and how exposed its customers are. We have also pointed out the responsibility of RBI in this regard. It is therefore no surprise that we are now talking of 32 lakh card records having been compromised. The writing has been clear on the wall; some people simply preferred not to see it.

(Please peruse past articles on bank frauds here.)

Conventional media, as always, remained silent when it should have raised an alarm, and is now focusing on the sensational part of the story. What we need to focus on is the "negligence" of the bankers and of RBI, besides the organizations meant to secure cyber space in India.

In the instant case, it is reported that malware entered through one brand of ATMs (Hitachi) at one bank (Yes Bank) and then wormed its way to the ATM switch operated by NPCI. For over three months the malware is said to have remained in the switch and sniffed the traffic. This means that the card data passing across the switch, not only of Yes Bank cards but of other banks' cards too, was copied and sent by the malware to systems controlled by the perpetrators of this massive data breach. Some newspapers have indicated that the data was stolen by Chinese actors. If so, we are really talking of a "cyber war". It is not clear, however, whether this was a state-sponsored attack or simply the work of a large crime syndicate.

If all the data required to authorize a payment passes through the switch, then all of it may have been stolen. For a magnetic-stripe ATM transaction this is essentially the Track 2 data of the card: the card number, expiry date, service code and the issuer's discretionary data, which together are enough to clone the stripe. Data such as the cardholder name and the CVV used for online transactions may also be exposed, depending on what the malware could see. The PIN does not travel in the clear; it is carried in hashed or encrypted form (the PIN block).

Fraudsters will try to recover the PIN from the encrypted PIN blocks as well. Whether they can depends on how the PIN was encrypted and how the keys were managed: with properly implemented PIN-block encryption under per-terminal or zone keys, observing patterns across many transactions does not by itself yield the key, but weak or reused keys, or a compromised host or HSM, would. With the clear-text stripe data alone they can already clone the card; with the PIN as well, they can use it at ATMs and PIN-based terminals, both online and offline.

We can recall that in the December 2012 to March 2013 period, over Rs 200 crore in cash was withdrawn from US ATMs in a few hours using cards cloned from just 12 stolen card records, in a coordinated e-robbery by an international criminal gang. The money belonged to customers of Bank of Muscat, and Indian back-end data processors were responsible for the breach.

Now we are staring at about 32 lakh card records having been compromised. The potential loss that may befall the public, this time customers of Indian banks in India, is unimaginable.

We must appreciate that SBI was bold enough to recall its 6 lakh cards and disclose the breach to the public; without that, the vulnerability and the breach would have remained hidden longer.

If the adverse consequences of the breach are to be mitigated and contained, there are some immediate actions required from the banking system.

  1. First of all, we need to ensure that no card holder is liable for any loss arising out of misuse of the cards. SBI has blocked its cards; other banks that may have been exposed should do the same. For this, the date from which this malware could have started collecting data must be established, and all cards processed through the same switch since that date should be identified, blocked and replaced by their respective banks.
  2. Any reported fraudulent transaction on such cards during the two or three months in which the malware was active should be reversed without demur by the banks and the amount credited to the customer immediately, with no loss of interest.
  3. RBI should open a special customer complaint centre for these card frauds and collect public complaints directly, since individual banks cannot be trusted to act.
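The data an ATM switch carries, and the block-and-reissue list that step 1 above calls for, as an added example (not code from NPCI, any bank or this article): Track 2 parsing with a Luhn check, the ISO 9564 format-0 PIN block that shows why the PIN does not cross the switch in the clear, and the list of cards seen since the malware's suspected start date. The log records, the terminal key, the dates and the PANs (standard test numbers) are constructed; the encryption step uses an HMAC stand-in for 3DES and is labelled as such.

```python
"""Added example: what card data looks like as it crosses an ATM switch, and how to
build the list of cards exposed after a given date.  Not code from NPCI, any bank or
the article; the message layout, records, dates, key and PANs are constructed."""
import hashlib
import hmac
import re
from datetime import date, datetime

# Track 2 as read from the magnetic stripe: PAN '=' YYMM service-code discretionary-data
TRACK2_RE = re.compile(r"^(?P<pan>\d{13,19})=(?P<expiry>\d{4})(?P<service>\d{3})(?P<disc>\d*)$")

# Constructed terminal PIN key (made up for the example)
TERMINAL_KEY = bytes.fromhex("0123456789abcdeffedcba9876543210")

# Constructed switch log: (timestamp, acquirer, terminal, Track 2 data as seen on the wire)
SWITCH_LOG = [
    ("2016-05-20T09:14:02", "BANKA", "ATM0193", "4111111111111111=1912101123456789"),
    ("2016-07-15T10:23:44", "BANKB", "ATM0417", "5555555555554444=2005101987654321"),
    ("2016-08-02T18:05:10", "BANKC", "ATM0021", "378282246310005=181010100000000"),
    ("2016-09-30T22:47:58", "BANKA", "ATM0193", "4012888888881881=2111201000000000"),
]


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit; filters garbage before anything is treated as a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track2: str) -> dict:
    """Split Track 2 into its fields; everything here is in the clear on the switch."""
    m = TRACK2_RE.match(track2)
    if not m or not luhn_ok(m.group("pan")):
        raise ValueError(f"not valid Track 2 data: {track2!r}")
    return {"pan": m.group("pan"), "expiry": m.group("expiry"), "service_code": m.group("service")}


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564 format-0 PIN block: the PIN field is XORed with the 12 PAN digits that
    precede the check digit, so the same PIN gives a different block on every card."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[-13:-1]
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def encrypt_pin_block(block: bytes, terminal_key: bytes) -> bytes:
    """Stand-in for the 3DES encryption a real ATM applies under its terminal PIN key
    (the standard library has no DES).  The point for the argument is the same: without
    the key, the 8 bytes on the wire reveal nothing about the PIN."""
    return hmac.new(terminal_key, block, hashlib.sha256).digest()[:8]


def mask_pan(pan: str) -> str:
    """First six and last four only, which is all that should appear in reports and tickets."""
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def exposed_cards(log, since: date) -> list:
    """Masked PANs of every card that crossed the switch on or after the date the malware
    is believed to have started collecting data: the block-and-reissue list."""
    seen = {}
    for ts, _acquirer, _terminal, track2 in log:
        if datetime.fromisoformat(ts).date() < since:
            continue
        card = parse_track2(track2)
        seen.setdefault(card["pan"], mask_pan(card["pan"]))
    return sorted(seen.values())


def same_pin_two_cards(pin: str = "1234"):
    """Same PIN on two different cards: the clear PIN blocks already differ (PAN XOR), and
    after encryption under the terminal key the wire bytes show no pattern to correlate."""
    pans = ("4111111111111111", "5555555555554444")
    clear = [iso0_pin_block(pin, p).hex() for p in pans]
    wire = [encrypt_pin_block(iso0_pin_block(pin, p), TERMINAL_KEY).hex() for p in pans]
    return clear, wire


if __name__ == "__main__":
    print("cards to block:", exposed_cards(SWITCH_LOG, date(2016, 7, 1)))
    print("clear / wire PIN blocks:", same_pin_two_cards())
```

Run against a real switch log the only change is the record format; the masking step matters because the block list itself becomes sensitive data the moment it holds full PANs.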

After these preliminary actions, we need to ask questions of those who were entrusted with the management of these systems.

  1. The supplier of the Hitachi machines needs to be investigated to understand how the vulnerability arose. If it was because of unpatched operating software or similar fundamental security lapses, the manufacturer, the banks and the persons responsible for maintenance should all be investigated for "negligence" and penalties fixed. The penalties cannot be the Rs 5 lakh to Rs 1 crore that RBI is talking of; they should be in the range of Rs 100 crore or more, without which the banks will never feel the pinch and take security seriously in future.
  2. NPCI, as manager of the switch, should explain how it could not detect the malware and the diversion of data to unknown destinations, whether in China or not. The vulnerabilities involved need to be identified and removed, and responsibility fixed.
  3. Banks have been subject to the new Cyber Security Framework (CSF-2016) regulations, applicable from June 2, 2016, which introduced several new security measures including data breach notification. It is time to review how many banks were in breach of these regulations and fix responsibility.
  4. Officers in RBI who failed to follow up on the non-submission of data breach notifications and confirmations of compliance with CSF-2016 should also be booked for their negligence and apathy.
  5. IDRBT is the wing of RBI entrusted with its own responsibility for security and should have been a much bigger whistleblower than Naavi.org. But has it done its duty? There should be introspection at this organization, and its failures should be made accountable.
  6. Similarly, CERT is entrusted with its own responsibility for security at the national level and should have been a much bigger whistleblower than Naavi.org or IDRBT. But has it done its duty? There should be introspection at this organization too, and its failures should be made accountable.

I hope that we shall not rest with the satisfaction that only 1000 frauds were reported. If so, we should thank our stars, but proceed to secure our systems so that there is no repetition of the incident in future.

There is a serious need to review the operations of NPCI from the security perspective and put in place suitable oversight that prevents such mishaps in future, at a time when our neighbours in Pakistan and China are itching for a cyber war which, like cross-border terrorism, will be another asymmetric war in which India is at the receiving end.

We are closely observing how the Ministry of Home Affairs under Mr Rajnath Singh, the Ministry of IT under Mr Ravi Shankar Prasad and the Ministry of Finance under Mr Arun Jaitley respond to this crisis. So far they do not seem to have stirred, and nor has Mr Urjit Patel, the Governor of RBI.

I look forward to a press conference today in Mumbai by Mr Urjit Patel to explain RBI's stand, and also a joint press conference in Delhi by the three ministries to explain theirs.

Naavi

P.S.: RBI and the Ministry of Finance are reported to have called for "reports". A necessary first step... but not good enough as an emergency measure.

Posted in Cyber Law

Challenge to Mr Urjit Patel: don't let down the Indian banking system

When a catastrophe is about to hit us, we look to leaders to respond with alacrity and decisiveness. The difference between a Manmohan Singh and a Modi lies in that character of decisive action. Now such a challenge is before Mr Urjit Patel, the new Governor of RBI, in the wake of the new threat to the Indian ATM network.

It is reported today that SBI has recalled 6 lakh debit cards and will be replacing them because there has been a malware-related security breach in a non-SBI ATM network. SBI tries to suggest that the breach lies outside its own systems, but that hides the fact that it is SBI's own cards that are exposed, which is why they need to be replaced.

We do not yet know the details of the threat, but it could be that many ATMs are still running Windows XP, that machines operate without physical guards so that fraudsters can attach skimmers and similar devices to steal data, or that card data was moving unencrypted at the network transmission level.

While security professionals focus on unravelling the mystery behind this card recall, I would like to point out that the risk of fraudulent withdrawals falls on bank customers, and we need to ensure that the negligence of bankers in maintaining their systems does not end in frauds in which customers' accounts are debited. Mass ATM frauds have already been reported in Kerala and Karnataka in which a number of customers lost money, and I am not sure they have got their money back.

We all know that when confronted by a victim of card fraud, banks will always say that they have foolproof security and that the fault lies with the customer. In ATM transactions, banks simply tell the customer that his card could have been used by one of his relatives and that he should own the responsibility. The Banking Ombudsmen have been notoriously biased in favour of banks and have failed to protect consumer interests. Adjudicators under ITA 2000 are either uninterested or in collusion with the banks to protect their interests. The CyAT (Cyber Appellate Tribunal), as we know, is non-existent, and Courts take ages even to take up a preliminary hearing of such cases.

In this context, the August 11, 2016 draft circular of RBI on "Limited Liability of Customers for Bank Frauds" appeared like a great relief. But that circular was a draft for public comment and ought to have been reissued as an operating circular after August 31. The draft was issued at the fag end of Raghuram Rajan's tenure, and the baton passed to Mr Urjit Patel to confirm it.

Unfortunately, so far there is no news about the circular from RBI.

In the past also, when committees such as the Damodaran Committee on Customer Service presented recommendations favouring customers, RBI did nothing and ignored the report. It was clear that banks had exercised their unholy influence on RBI to stall such reforms; SBI was in the forefront of such stalling tactics, along with ICICI Bank.

Now that we are faced with the prospect of huge customer losses at SBI, RBI and Mr Urjit Patel will have to be considered culpable for the negligence of SBI.

I suppose Mr Urjit Patel will realize the gravity of the situation and immediately take steps to confirm the August 11 circular, which states that:

a) Banks must send alerts for every debit, without fail

b) The customer shall not be liable if a misuse is reported within 3 days

c) The customer's liability will be limited to Rs 5000 if a wrong payment is reported within 7 days, or to such other limited amount if it is reported thereafter

d) The onus of proving any culpability of the customer is on the bank... etc.

There has now been an unreasonably long delay in confirming the circular; either it should be presumed "confirmed", or Mr Urjit Patel will be held personally responsible for holding it up when the matter comes under judicial scrutiny.

My reminders to RBI have so far not evoked any response. But I will be forwarding this note to them, and since it is also available on the public web, it should be considered good notice to RBI of what they have failed to do.

Any customer who faces a bank fraud may quote this public information and argue that RBI has been complicit by negligence in not operationalizing the circular.

I hope Mr Urjit Patel will call an emergency meeting of his subordinate officers and issue a clarification immediately. If so, my advance congratulations for his quick response.

Naavi

Posted in Cyber Law

Law Should be Made for Compliance

Whenever a new law is framed, there are many stakeholders whose interests are affected. A law is normally meant for the citizens of a country, but it is framed by the Government in consultation with those who are close to the law-making body at the time of its formation.

Since the days of ITA 2000, a practice has emerged in India of placing a proposed law for public comment so that the views of the public can be incorporated in the legislation. However, once a basic draft has been framed by the group of experts in a Ministry, changing any part of it is next to impossible; apart from cosmetic changes, real changes do not happen. We saw this in the framing of ITA 2000 and its amendments in 2008. (See here for details.)

Once the law was framed, there were complaints that it was insufficient, draconian, drafted without understanding industry realities, and so on. The same politicians who defended the law in 2000 opposed it in 2008, and industry ignored it until 2011, when it started to pinch under Sections 79 and 43A. Even now, when we talk of ITA 2008 compliance, industry finds it difficult to accept the law as it is and complains of misuse by the Police and misinterpretation by the Judiciary.

Now that a new law is being proposed for "Health Care Data Privacy", we should endeavour to avoid the mistakes that were committed when ITA 2000 was drafted and implemented.

One of the problems Indian law faces, particularly with laws such as ITA 2000/8 or data protection, is that the impact of the law falls on industry, and sensible industry captains want to be compliant with the law rather than find themselves at the wrong end of the stick.

When new laws are made, they are notified on a specific day, which will be the day they are passed in Parliament or otherwise notified for effect. For example, until 17 October 2000 there was no legal recognition of electronic documents in India, and overnight they became recognized, along with digital signatures, digital contracts and cyber crimes. Though Naavi.org had been preparing the ground in the industry since around 1998, until the rules were notified nobody knew there would be such a law in effect.

Similarly, on 27 October 2009, a host of compliance requirements under ITA 2008 suddenly became effective overnight. With that, all IT companies in India without exception became "legally non-compliant with ITA 2008", rogue companies not following the law of the land. Of course, even the Police did not understand this, so no case was booked anywhere immediately, but the fact remains that there were legal provisions with which none of us were compliant.

Such a forced state of "non-compliance" should not happen once again when this new privacy law for healthcare is introduced in India.

We can recall here how HIPAA was implemented in the USA from 1996. HIPAA is a law that will be reflected in the proposed Health Care Data Privacy and Security Act (HDPSA), which is our subject of discussion here, and hence we need to draw lessons from its implementation.

When HIPAA was introduced, and again when it was amended through the HITECH Act in 2009, the industry was given a clear timeline for compliance: data standards by such and such date, the Privacy Rule by such and such date, the Security Rule by such and such date, with extensions for small businesses, time for existing contracts to run out, and so on.

All this meant that though the law became effective on a certain date, the industry was given time for compliance over an extended period, so that everyone in the industry who wanted to be compliant had the opportunity.

This fixing of a timeline for compliance is the first important thing we need to incorporate in the law. We need to bring in this practice for the first time when HDPSA is notified.

Additionally, when such acts are drafted by non-industry persons, there will be many provisions that are difficult or too complex to implement, and industry may try to find loopholes to avoid them, or try to save costs by implementing them wrongly.

To avoid this, industry should be proactively involved in the framing of the law. Here again, when we suggest this to the Government, it will simply say that NASSCOM or FICCI is represented in the working group and therefore industry is represented. But we all know that the NASSCOM chairperson or FICCI secretary is not the person who can go into the micro-level discussions required to make the law "compliance friendly". He has to depend on his secretariat to bring things to his attention to be raised before the Government.

In such cases the large companies may have their say, but SMEs and the public never get heard.

This proposed law on healthcare privacy will affect many small companies, some of them startups that have developed medical apps. It will also cover small nursing homes, pharmacies and diagnostic centres. They need to have their say in the law.

I would like community participation in the framing of this law to be at a high level, so that we do not later have to accuse the Government of framing laws that cannot be implemented.

We are still at the beginning of the thinking process on this law, but we know the direction in which the Government is moving. We do not want to have to embarrass the Government later by calling it a bad law, so we should contribute our ideas at the beginning itself.

Hence I invite stakeholders to join this online forum and contribute, both in the form of detailed articles and in the discussions in the WhatsApp group.

Naavi

Related article: Times of India

Posted in Cyber Law

Police target WhatsApp Admins and Facebook posters once again

I refer to an article that appeared in Hindustan Times recently (read the article here). I also refer to the article on Police action in Tamil Nadu over rumours about Jayalalithaa's health.

The article on Jharkhand is headlined "WhatsApp admin to face action if sensitive posts shared in the group". The news is about the Jharkhand Police putting out a notice in the light of the custodial death of a person who was arrested for posting a communally sensitive message. The Police appear to have issued a notice that action will be initiated against the admin if he does not inform the Police about the posting of information considered sensitive under ITA 2008.

What we do not understand is this: if a person posted sensitive information on a WhatsApp group, was arrested and later died in police custody, how is the WhatsApp admin responsible for that custodial death? And under what provisions of ITA 2008 does the Police intend to take action?

By trying to cover up their custodial death problem, the Police seem to be creating panic in the WhatsApp community and diverting the attention of the public.

By such actions, the LEA will lose credibility and fail to get the sympathy of larger sections of society. They will also be open to question on human rights grounds.

Naavi.org has already covered the responsibilities of WhatsApp admins in detail. The earlier article is available here: WhatsApp Model Admin Policy.

It is, however, necessary to reiterate here some thoughts on the mistakes the Police are committing. Since the Government of India is also revising ITA 2000/8, it needs to take these different viewpoints into account.

It is possible that different "experts" have different views. A nationwide debate on the controversial points is needed to arrive at the most appropriate interpretation of the law.

Unfortunately, "law" is always an "interpretation" of the words in a statute, which may have been drafted in a certain set of circumstances and with certain objectives that get forgotten over time. Hence the "legislative intent" and the "overall interest of the community" have to be taken into account before interpreting the law.

There is no argument that if any activity is intended to create a law and order problem or to commit an illegal act, the Police should have every right to curb it by both preventive and punitive action. My views on this are too well known to the community to repeat here.

However, what this circular of the Jharkhand Police represents, and what is happening in Tamil Nadu, where more than 50 persons have been arrested for what the Police call "spreading rumours" about the health of J. Jayalalithaa, are excesses that should be condemned and curbed.

There is, however, a difference between the Jharkhand WhatsApp issue and the TN Facebook issue. A WhatsApp group is a closed communication channel, more like an indoor meeting. Posting a message as "Public" on a Facebook page is more like making a comment at a street corner that anybody can hear. A WhatsApp post is a "one to many" message, whereas a Facebook post is "publishing", though both may loosely be called "messages". One is private speech and the other could be public speech. The law has to distinguish between the two.

Whether such "speech" requires punitive action depends on what is said, with what intent, in what context and with what effect.

A street urchin wondering "Is Jayalalithaa brain dead?" may be doing so out of concern for her and in great anguish. To term it an attempt to create a law and order problem is the height of over-reaction. Similarly, in the Jharkhand case, if the person died in custody, the Police cannot absolve themselves of responsibility by suppressing public speech about why he was arrested, or the criticism of the Police thereafter.

The Police in both Jharkhand and TN need to clarify what followed the initial reaction expressed on Facebook or WhatsApp before the public can consider the action justified. What has happened in TN is that several Facebook pages and YouTube pages have been shut down, and we do not really know what comments the 50 different persons made that could be called an "attempt to create unrest in society". In the Jharkhand case, I presume the Police want to stop the public outcry over the custodial death rather than prevent communal hatred.

Further, if the Police in Jharkhand or TN fear large-scale unrest, they can shut down the Internet and call an "internal emergency" so that no information goes out.

I wonder how professional the doctors are who give out misleading statements, and the politicians who make fools of themselves by visiting the doctor and issuing a medical bulletin about the patient. Suppose the statements made by the doctors and the political leaders about Jayalalithaa's health turn out to be incorrect; will they stand trial for lying to the public?

It is sad that even the Madras High Court did not have the guts to ask for the information to be made public. It is clear that we are in a state of "emergency" in Tamil Nadu that is more severe than the one in Srinagar. The Central Government as well as the Courts seem to be willing parties to this suppression of information that needs to be made public in the interest of democracy.

I seriously wish that Mr Modi does not contribute to this farce by visiting Chennai to have a discussion with Dr Pratap Reddy and returning to certify that Jaya's health is improving. Let us presume that her health is improving and that she will return to rule Tamil Nadu without a certificate from Mr Modi.

In the case of Jharkhand, unless a WhatsApp admin can be considered part of a conspiracy, it is difficult to understand how he can be punished for a post.

I consider it the responsibility of the admin to be able to identify a member by telephone number and possibly by name. If a post is inappropriate, it should be pointed out to the member. But failing to do so should not immediately be treated as an offence grave enough for the admin to be arrested. Also, most of the time the so-called evidence the Police may have of a WhatsApp posting should be considered "illegally acquired" and cannot stand in a court of law unless a police officer is part of the group.

I completely agree and endorse that what is objectionable is "incitement to violence", whether in cyber space or real space, and particularly if it materializes. There can also be instances under Section 79 where non-cooperation by admins in an ongoing crime investigation can be objected to by law enforcement. But liability in such cases should arise only when a notice has been issued and there is a clear case of non-cooperation that can be considered complicity.

I am sure that what I say above could upset a lot of people, including many of my friends. But there is a need for all adults in the LEA to avoid irrational and inappropriate application of the law, which can create wrong precedents. I have many friends in the Police force and I know that they are aware of the law better than I am. I do not want their professional image to be sullied by such inappropriate action taken under pressure, political or otherwise.

We have already seen the ill effects of such over-enthusiasm on the part of the Palghar Police, who, by arresting two young women for a Facebook post and a "like", ended up getting Section 66A struck out of ITA 2008.

The actions of the Jharkhand and TN Police may end up in a ban on WhatsApp and Facebook, or force the Government of India to introduce new provisions in the proposed amendments to ITA 2000/8 that would render ITA 2000 a draconian law to be feared rather than an e-commerce promotional law for the progress of Digital India. If so, it would be a tragedy.

Naavi


Posted in Cyber Law

Free Anti Ransomware Tools for SMEs

Considering the threat ransomware poses to all businesses, even small businesses and individuals may get trapped, though they are not the primary target of the fraudster in view of their low value. While big businesses need to secure themselves with the best tools, with real-time updates and real-time backup, small businesses may need a combination of personal backups and good anti-malware software. The backup must be kept offline or otherwise out of reach of the infected machine, since ransomware also encrypts any backup drive or share it can write to.

In this connection, apart from the fundamental anti-virus and anti-malware software, there are some specific anti-ransomware tools to look for. Ransomware's primary behaviour is "encryption", and hence these tools focus on spotting any process that attempts to encrypt files in bulk.

The following page lists some of the free tools available: http://www.thewindowsclub.com/free-anti-ransomware-tools.

1] BitDefender Anti-Ransomware "immunizes" your computer. What it does, basically, is not allow executable files in %appdata% and %startup% to run.

2] Kaspersky Anti-Ransomware Tool for Business offers complimentary protection for corporate users against ransomware. It identifies ransomware behaviour patterns and protects Windows-based endpoints.

3] Trend Micro AntiRansomware Tool removes ransomware from infected computers. To use it, boot into Safe Mode with Networking, download the tool and save it to the desktop, then double-click on it to install it. Once it has been installed, restart the computer into normal mode, where the screen is locked by the ransomware, and trigger the tool by pressing Left CTRL+ALT+T+I. Run Scan, then Clean, and then reboot the computer. This tool is useful in cases of ICE ransomware infections.

4] CryptoMonitor will kill an encrypting infection, blacklist it from running again and notify you as soon as the infection starts. The tool detects ransomware as soon as it tries to take over your computer. It then alerts you via email and in most cases removes the ransomware. In cases where it cannot remove it, it locks down the computer so that the ransomware cannot take over until you get professional help.

5] CryptoPrevent modifies a number of Group Policy settings to prevent executable files from running from specific locations. Depending on the version and the OS, it can change about 200 such settings. Locations it watches include the Recycle Bin, the default app directory, local temporary files, the All Users application data and local data settings folders, and more.

6] HitmanPro.Alert is a free browser-integrity and intrusion-detection tool that alerts users when online banking and financial transactions are no longer safe. The latest version also contains a feature called CryptoGuard that monitors the file system for suspicious operations, including CryptoLocker-style ransomware. When suspicious behaviour is detected, the malicious code is neutralized and your files remain safe.

7] Cryptolocker Prevention Kit automates the creation of a Group Policy that disables files running from the App Data and Local App Data folders, as well as executables running from the Temp directories of various unzipping utilities.

8] CryptoLocker Tripwire follows a different approach and runs on the file server. After you select your data share folders, the tool copies a witness file of your choice into a hidden subfolder of each selected folder; a change to one of these witness files is the signal that something is rewriting files in that share.

9] Kaspersky WindowsUnlocker can be useful if the ransomware totally blocks access to your computer or restricts access to important functions, as it can clean up a ransomware-infected Registry.

10] Malwarebytes Anti-Ransomware is a simple, lightweight program that runs in the background, quietly monitoring the machine for behaviour associated with file-encrypting ransomware. Currently it is in beta and free to download and use; once it leaves beta, it may not remain free.

Also added:

11. WinAntiRansom+ from the makers of WinPatrol (not a free tool: US$14.95 per year for one computer)
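The witness-file idea of item 8, combined with the "spot the encryption" behaviour noted at the start of this post, as an added example that is not code from any of the tools listed: plant a canary document in a hidden subfolder of each share, record its hash, and alert when a canary goes missing (renamed, as many families do) or is rewritten with high-entropy content (ciphertext). The share names, witness path and content, and the entropy threshold are assumptions for illustration; the simulated encryptor in demo() merely overwrites one canary with random bytes and renames the other.

```python
"""Added example: witness-file (canary) monitor for file shares, in the spirit of the
Tripwire approach above.  Not code from any listed tool; shares, witness path, content
and the entropy threshold are made up for illustration."""
import hashlib
import math
import os
import shutil
import tempfile
from pathlib import Path

WITNESS_SUBDIR = ".witness"   # hidden subfolder, as the Tripwire approach does
WITNESS_FILE = "canary.docx"  # a document name an encryptor will happily process
WITNESS_CONTENT = b"Confidential - do not modify or delete this file.\r\n" * 200
HIGH_ENTROPY = 7.5            # bits per byte; ordinary documents sit well below this


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: close to 8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_witnesses(shares) -> dict:
    """Copy the witness file into a hidden subfolder of each share; return path -> baseline hash."""
    baseline = {}
    for share in shares:
        wdir = Path(share) / WITNESS_SUBDIR
        wdir.mkdir(parents=True, exist_ok=True)
        path = wdir / WITNESS_FILE
        path.write_bytes(WITNESS_CONTENT)
        baseline[str(path)] = sha256(WITNESS_CONTENT)
    return baseline


def check_witnesses(baseline: dict) -> list:
    """Return (path, reason) for every witness that no longer matches its baseline.
    Ransomware either rewrites a file in place (high-entropy ciphertext) or renames it
    (e.g. canary.docx.locked), so both 'missing' and 'modified' count as alerts."""
    alerts = []
    for path, digest in baseline.items():
        p = Path(path)
        if not p.is_file():
            alerts.append((path, "missing"))
            continue
        data = p.read_bytes()
        if sha256(data) == digest:
            continue
        reason = "modified-high-entropy" if shannon_entropy(data) >= HIGH_ENTROPY else "modified"
        alerts.append((path, reason))
    return alerts


def demo() -> list:
    """Plant witnesses in two constructed shares, simulate an encryptor, return the alert reasons."""
    root = Path(tempfile.mkdtemp(prefix="shares_"))
    try:
        shares = [root / "finance", root / "hr"]
        baseline = plant_witnesses(shares)
        assert check_witnesses(baseline) == []  # clean baseline: nothing to report
        # Simulated ransomware: overwrite one witness with ciphertext-like bytes, rename the other.
        finance_witness = shares[0] / WITNESS_SUBDIR / WITNESS_FILE
        finance_witness.write_bytes(os.urandom(4096))
        hr_witness = shares[1] / WITNESS_SUBDIR / WITNESS_FILE
        hr_witness.rename(hr_witness.parent / (WITNESS_FILE + ".locked"))
        return [reason for _, reason in check_witnesses(baseline)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

In production the check runs on a short timer on the file server, and an alert should disconnect the share or kill the offending session rather than just log, since by the time the canary changes the encryptor is already working through the real files next to it.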

I hope this is useful. Please note that this is given only for information and I have not evaluated any of these tools. I invite experts to submit their views, if any.

Naavi

Posted in Cyber Law

Today is 17th October: 16 years ago we had our tryst with destiny

Happy Digital Society Day of India


On this day in the year 2000, India stepped into cyber space with the recognition of electronic documents as equivalent to paper. Along with the recognition of the digital signature as equivalent to a "signature" in law, the world of digital contracts became a judicially recognized reality. Thus was born the legally recognized Digital Society of India.

Let us commemorate the day with some positive action that helps in the development of a responsible cyber society in India.

Naavi.org takes a Digital Society Day resolution to fight a war against ransomware by creating greater awareness among all stakeholders about the dangers of ransomware and how to fight it.

The theme for the year is: Ransomware.

Naavi

Posted in Cyber Law