The Mega Data Breach. What should “Other” Banks and FinTech Companies do?

The Mega Data Breach of 32 lakh debit cards in India is reported to have affected 19 Banks directly. It is presumed that these are the banks whose debit cards passed through the poisoned switch maintained by NPCI to route the ATM/POS requests. They may also be the Banks who are using the HITACHI ATM/POS systems suspected to have the vulnerability.

All these banks will be expected to cancel the current set of cards issued to their customers and replace them with new Cards, just as SBI has done. The total estimated number of cards considered compromised is 32 lakhs. So far about 1000 frauds appear to have been registered and they should be handled by the individual Banks as “Charge Backs” to the card without any legal struggle.

While the affected Banks try to tackle their problem as above, there are “Other” Banks who may have issued debit cards but are not in the list of the 19 Banks directly involved. Additionally, there are a number of FinTech Companies who process the debit cards and credit cards of their customers. An incident of this magnitude is considered an “Environmental Development” warranting a self audit of their systems and procedures, to identify whether they are equally vulnerable to such attacks and, if so, what should be done to mitigate the risk.

Every such organization should therefore call for an “Introspection” of their systems, starting with a “Board Meeting” and a “Top Management Meeting”. The Board needs to take note of the developments and the perceived threat to the company, and ask the operating executives to take such actions as may be necessary and to report back to the Board and apprise them of the risk exposure and countering plans. The Executive team also needs to meet and review all their systems and, where necessary, trigger some proactive measures to reduce the possibility of similar risks materializing in their environment.

These meetings and the actions taken need to be documented as part of the “ITA 2008 Compliance” program of the Company.

For the Directors, it is essential, to protect their own interests, to ensure that necessary instructions are passed on down the line. It is also important for the CEO to ensure that the risks escalate to him personally. If by any misfortune a fraud occurs in the company which could reasonably have been prevented by acting on the lessons drawn from this mega breach, and that action was not taken, then the Officers in Charge of the Business, the CEO and the Directors may all have to shoulder the vicarious liabilities.

To mitigate the adverse consequences of such liabilities, they need to show “Due Diligence”, and the conduct of this “Review meeting in the light of the Mega Card Data Breach” is considered a critical step.

I suggest that all company directors take note of this suggestion and act.

Naavi

Related Articles

Let RBI Show Who is the Boss

RBI Cannot Remain silent… and so also NPCI,CERT and Ministers of HOME,IT and Finance

Challenge to Mr Urjit Patel… Don’t let down Indian Banking system


Let RBI show Who is the Boss

Over the last few days, there has been a lot of discussion at all levels about what caused the mega data breach that compromised the data of a suspected 32 lakh debit cards belonging to around 19 Banks.

As we expected and desired, RBI and CERT-In as well as the Finance Ministry have made some sounds. But they are still murmurs and mostly to cover their backs. There is very little substance in what has been done so far.

CERT-In says that they had issued an advisory that “After Uri Attack and the Counter Military operation, there could be a retaliatory cyber attack”. Yes. This is a reasonable expectation and it was the duty of CERT-In to issue such an advisory. But such advisories have also been issued by many security specialists, since it is always easy to guess the mind of the enemy. The difficulty is that when an advisory does not constitute “Actionable Intelligence”, it gets ignored at the recipient’s end. Knowing that any such attack requires months of preparation, if CERT-In had advised an immediate systemic change of all Card and Internet Banking related passwords of all customers immediately after the surgical strikes, we could have appreciated their advisory. To simply tell the Banks, “Take Care... there may be attacks” is like telling the BSF that there may be cross border firing. We know the risk exists and the advisory gets ignored as yet another circular to be dumped.

As regards RBI, there is no doubt that since June this year there has been a real upping of the security ante, and the measures suggested, such as the setting up of SOCs under the Cyber Security Framework and the August 11 circular on Limited Liability of Customers, can be considered specific proactive steps initiated to defend the system against attacks of the kind this mega breach indicates. However, where RBI can be faulted is that it appears reluctant to walk its talk and go beyond the issue of paper instructions. Even now, after the incident, RBI has sent a letter to the Banks to give a report about the incident. It will be long before any action is taken by RBI. If by that time the heat is off, then nothing is going to happen.

An indication that there will be no change is visible in the way the stock markets reacted to the news of the mega breach. The Bank shares have actually been moving upwards instead of nosediving. SBI, Yes Bank, ICICI Bank and HDFC Bank shares should have come down significantly in anticipation of strict regulatory action. But they have not. This indicates that the wise men in the stock markets do not feel there will be any adverse financial impact on these Banks arising out of the data breach.

On the contrary, if any reasonable action is expected to be taken on the Banks, any professional in Banking or Information Security would immediately foresee a quantum jump in information security related expenses, card replacement expenses, payment of penalties to RBI, payment for frauds, increased insurance expenses etc. Probably the stock markets do not see this happening.

RBI should compare its actions with what TRAI has been doing to regulate the Telecom Industry. TRAI has imposed a penalty of Rs 50 crores per circle on Airtel, Vodafone and Idea for deliberately sabotaging Reliance Jio’s launch. In this case the penalty is for non-compliance and not for compensation to any customers.

On the other hand, RBI is talking of Rs 5 lakhs to Rs 1 crore per Bank as penalty for some violations (RBI Framework for imposing penalty under PSS Act). This is grossly insufficient to be a deterrent. Considering the serious dent caused to customer confidence in the Indian Banking system in a digital era, a penalty of not less than Rs 100 crores should have been imposed on each of the 19 Banks involved, or a penalty of Rs 10000/- per breach (Total Rs 3200 crores).

I hope RBI will consider this after they get the response from the Banks to its query.

However, there is no reason why RBI should still be waiting to issue the August 11 circular as an operational circular. Going by some press reports, many consider that the circular is already applicable. But when it comes to a real case of a fraud, I am sure that Banks will argue that the circular was only a “Draft” and is not applicable.

RBI must therefore confirm the circular as operative immediately… notwithstanding the opposition from IBA.

Let RBI not allow the tail to wag the dog. Let it show who is the boss.

If RBI continues to remain silent on this circular on limited liability, it can be presumed that Governor Mr Urjit Patel is personally protecting the interests of the erring Banks, which include SBI. It will also be interpreted as RBI’s inability to face the political pressures that must be playing to protect the reputation of the Chairpersons of some of these erring Banks.

I wait to be proven wrong on this account.

Naavi


RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

Naavi.org has pointed out several times in the past the security risks in the Indian Banking system and how the customers are vulnerable. We have also pointed out the responsibility of RBI in this regard. It is therefore no surprise at all that we are now talking of 32 lakh card data having been compromised. The writing has been clear on the wall and only some people preferred not to see.

(Please peruse past articles on Bank frauds here)

Conventional Media, as always, remained silent when they should have raised an alarm and are now focusing on the sensational part of the story. What we now need to focus on is the “Negligence” of the Bankers and RBI, besides the organizations meant to secure the Cyber space in India.

In the instant case, it is reported that a malware sneaked in through one brand of ATMs (namely Hitachi) in one of the Banks (namely Yes Bank) and then wormed its way to the ATM switch operated by NPCI. For over 3 months, the malware is said to have remained in the Switch and sniffed at the traffic. This means that the card data passing across the switch, which could be of cards not only of Yes Bank but of other banks as well, was copied and sent by the malware to systems controlled by the perpetrators of the massive data breach. Some newspapers have indicated that the data has been stolen by Chinese. If so, we are really talking of a “Cyber War”. However, it is not clear if it is a state sponsored attack or simply an attack by a bigger crime syndicate.

If all data required for authenticating the payment passes through the switch, then all of it might have been stolen. This includes data such as the name, card number, expiry date, CVV number etc., which are sufficient to conduct an online transaction. It may also contain some data in hash/encrypted form, such as the PIN.

By observing the pattern of the data in multiple transactions, the fraudsters can easily generate the decryption keys, break the encrypted data and compose the entire set of data regarding the Card that would enable them to use the card in both online and offline situations.

We can recall that in December-March 2013, over Rs 200 crores of cash was drawn from US ATMs in a few hours, using several cards cloned out of 12 stolen card data, in a coordinated E-Robbery by an international criminal gang. The money belonged to customers of Bank of Muscat, and Indian back end data processors were responsible for the breach.

Now we are staring at about 32 lakh card data having been compromised. The potential loss that may befall the public, this time customers of Indian Banks in India, is unimaginable.

We must appreciate that SBI had been bold enough to recall its 6 lakh cards and disclose the data breach to the public without which the vulnerability and the breach would have been hidden longer.

Now if the adverse consequence of the breach needs to be mitigated and contained, there are some immediate actions that are required to be taken by the Banking system.

  1. First of all we need to ensure that no card owner would be liable for any loss arising out of misuse of cards. SBI has blocked its cards and other Banks who might have been exposed should also do the same. For this, we need to identify the date from which this particular malware could have started collection of data and all cards which have been processed through the same switch since then should be identified, blocked and replaced by the respective Banks.
  2. Any reportedly fraudulent transactions on such cards in the last two/three months since the malware was active should be cancelled without demur by the Banks and the amounts credited to customers immediately without interest loss.
  3. RBI should open a special customer complaint center for these card frauds and collect public complaints in this regard, since we cannot trust individual Banks to act.

After these preliminary actions we need to ask questions of those who were entrusted with the management of these systems.

  1. The supplier of Hitachi machines needs to be investigated to understand how the vulnerability arose. If it is because of non patching of the operating software or such other fundamental security lapses, both the manufacturers as well as the Banks and the persons responsible for maintenance should be investigated for “Negligence” and penalties fixed. The penalties cannot be the Rs 5 lakhs to 1 crore that RBI is talking of. They should be in the range of Rs 100 crores plus, without which the Banks will never feel the pinch and take security steps for the future.
  2. The NPCI should explain how as manager of the switch it could not identify the malware and the diversion of data to unknown destinations whether in China or not. The vulnerabilities in this need to be identified, removed and responsibility fixed.
  3. Banks were subject to the new Cyber Security Framework (CSF-2016) regulations applicable from June 2, 2016, in which several new security measures including the data breach notification were introduced. It is time to review how many of the Banks were in breach of these regulations and fix responsibilities.
  4. Officers in RBI who failed to follow up non submission of data breach notifications and confirmations of compliance of the CSF-2016 should also be cooked for their negligence and apathy.
  5. IDRBT is the wing of RBI that is entrusted with its own responsibility of security and should have been a whistleblower much bigger than Naavi.org. But has it done its duty?… There should be an introspection at this organization. Failures should be made accountable.
  6. Similarly, CERT is also entrusted with its own responsibility of security at the national level and should have been a whistleblower much bigger than Naavi.org or IDRBT. But has it done its duty?… There should be an introspection at this organization. Failures should be made accountable.

I hope that we shall not rest with the satisfaction that only 1000 frauds were reported etc. If so, we should thank our stars but proceed to secure our system so that there would be no repetition of the incident in future.

There is a serious need to review the operations of NPCI from the security perspective and to have suitable oversight that prevents such mishaps in future, when our neighbors in Pakistan and China are itching for a Cyber War which will, like the Cross Border Terrorism, be another asymmetric war in which India will be at the receiving end.

We closely observe how the Ministry of Home Affairs under Mr Rajnath Singh, the Ministry of IT under Mr Ravishankar Prasad and the Ministry of Finance under Mr Arun Jaitley respond to this crisis. So far they do not seem to have stirred, and neither has Mr Urjit Patel, the Governor of RBI.

I look forward to a Press conference today in Mumbai by Mr Urjit Patel to explain the RBI stand and also a joint press conference in Delhi with the three ministries to explain their stand.

Naavi

P.S: RBI and the Ministry of Finance are reported to have called for “Reports”. Necessary first step… but not good enough as an emergent measure…


Challenge to Mr Urjit Patel.. Don’t let down Indian Banking system

When a catastrophe is about to hit us, we look upon leaders to respond with alacrity and with decisiveness. The difference between a Manmohan Singh and Modi lies in that character of decisive action. Now such a challenge is before Mr Urjit Patel, the new Governor of RBI, in the wake of the new threat to the Indian ATM network system.

It is reported today that SBI has recalled 6 lakh debit cards and will be replacing them because there has been a “Malware” related security breach in one of the non-SBI ATM networks. SBI tries to pose as if the breach is outside its system but tries to hide the fact that the “Vulnerability” is in its cards and hence there is a need to replace them.

We will not know the details of the threat, but it could be because many ATMs may still be using Windows XP based operating systems, or operating without physical guards so that fraudsters can plant all sorts of attachments like skimmers to steal data, or it could even be at the network data transmission level, where unencrypted data could have been moving.

While the security professionals focus on unraveling the mystery over this card recall, I would like to point out that the risk of fraudulent withdrawals will fall on the Bank customers, and we need to ensure that the negligence of Bankers in maintaining their systems properly does not end up with frauds in which customers’ accounts are debited. Already mass ATM frauds have been reported in Kerala and Karnataka in which a number of customers lost money and I am not sure they have got their money back.

We all know that when confronted by a victim of a card fraud, Banks will always say that they have foolproof security and the fault always lies with the customer. In the ATM transactions Banks simply tell the customer that his card could have been used by any of his relatives and he should own the responsibility. The Banking Ombudsmen have been notoriously biased on the side of Banks and have failed to protect consumer interests. Adjudicators under ITA 2000 are also either uninterested or in collusion with the Banks to protect their interests. The CyAT as we know is non-existent and Courts take ages to even take up preliminary hearing of such cases.

In this context the August 11, 2016 draft circular of RBI on “Limited Liability on Customers for Bank Frauds” appeared like a great relief. But that circular was a draft for public comment and ought to have been reissued as an operating circular after August 31. The draft circular was issued during the fag end of Raghuram Rajan’s tenure and the baton passed on to Mr Urjit Patel to confirm it.

Unfortunately, so far there is no news about the circular from RBI.

In the past also, when committees like the Damodaran Committee on Customer Service presented recommendations favouring customers, RBI did nothing and ignored the report. It was clear that Banks had exercised their unholy influence on the RBI to stall such reforms. SBI was in the forefront of such stalling techniques along with ICICI Bank.

Now that we are faced with a prospect of huge customer loss in SBI, RBI and Mr Urjit Patel will have to be considered as culpable for the negligence of SBI.

I suppose Mr Urjit Patel will realize the gravity of the situation and immediately take steps to confirm the August 11 circular that states that

a) Banks must send alerts of every debit without fail

b) Customer shall not be liable if a misuse is reported within 3 days

c) Customer’s liability will be limited to Rs 5000/- if a wrong payment is reported within 7 days or such other limited amount if it is reported thereafter

d) Onus of providing proof of any customer’s culpability is with the Bank… etc

Now there has been an unreasonably long delay in confirming the circular and either it should be presumed as “Confirmed” or Mr Urjit Patel will be personally responsible for holding it up when there is a judicial scrutiny.

My reminders to RBI have so far not evoked response. But I will be forwarding this note to them and this will also be available on the public web and hence should be considered as a good notice to RBI about what they have failed to do.

Any customer who faces any Bank fraud may quote this public information and argue that RBI has been complicit by negligence by not operationalizing the circular…

I hope Mr Urjit Patel will call an emergency meeting of his subordinate officers and issue a clarification immediately. If so, my advance congratulations for his quick response.

Naavi


Law Should be Made for Compliance

Whenever a new law is framed, there are many stakeholders whose interests get affected. A law is normally meant for the Citizen of a country but is framed by the Government in consultation with those who are close to the law making body at the time of its formation.

Since the days of ITA 2000, a practice has emerged even in India where a proposed law is placed for public comments so that views of the public can be incorporated in the legislation. However, it is a fact that once a basic draft is framed by the group of experts in a Ministry, changing any part of it is next to impossible. Except some cosmetic changes, real changes are impossible. We have seen this happen in the framing of ITA 2000 and its amendments in 2008. (See Here for details).

Once the law was framed, there were complaints that the law was insufficient, draconian, drafted without understanding the industry realities, etc. The same politicians who defended the law in 2000 opposed it in 2008 and industry ignored it until in 2011, it started pinching them under Section 79 and 43A. Even now, when we talk of ITA 2008 compliance, industry finds it difficult to accept the law as it is and complains of misuse by Police and misinterpretation by the Judiciary.

Now that a new law is being proposed for “Health Care Data Privacy”, we should endeavour to avoid the same mistakes that were committed when ITA 2000 was drafted and implemented.

One of the problems which Indian law faces particularly in the type of laws such as ITA 2000/8 or Data Protection is that the impact of law is on the industry and sensible industry captains want to be compliant with the law and not be at the wrong end of the stick.

When new laws are made, they are notified on a specific day, which will be the day when the law is passed in the Parliament or otherwise notified for effect. For example, until 17th October 2000, there was no recognition of legal documents in India and overnight it became recognized along with digital signatures, digital contracts and cyber crimes. Though Naavi.org had been preparing the ground in the industry since around 1998, until the rules were notified nobody knew there would be such a law in effect.

Similarly, on 27th October 2009, suddenly, a host of regulations related to compliance under ITA 2008 became effective overnight. Along with it all IT companies in India without exception became “Legally Non Compliant to ITA 2008” and became “Rogue Companies” not following the law of the land. Of course even the Police did not understand this, so no case was booked immediately anywhere, but the fact was that there were some legal provisions with which all of us were not compliant.

Such a forced state of “Non Compliance” should not happen once again when this new Privacy law for healthcare is introduced in India.

We can recall here how the HIPAA was implemented in USA in 1996. HIPAA is a law which will be reflected in the proposed Health Care Data Privacy and Security Act (HDPSA) that is our subject of discussion here and hence we need to draw lessons from the implementation of this law.

When HIPAA was introduced, as well as when it was amended through the HITECH Act in 2009, there was a clear time line given to the industry for compliance… like Data standards by such and such date, Privacy rule by such and such date, Security rule by such and such date, with extensions for small business, time for running out of existing contracts etc.

All this meant that though the law became effective from a certain date, the industry was given time for compliance over an extended time so that all those in the industry who always wanted to be compliant had their opportunity.

This fixing of a time line for compliance is the first important thing which we need to incorporate in the law. We need to bring in this practice for the first time when this new law HDPSA is notified.

Additionally, when such acts are drafted by non-industry persons, there will be many provisions which are difficult or too complex to implement, and industry may try to find loopholes to avoid them or try to save costs by implementing them wrongly.

To avoid this, industry should be proactively involved in the framing of the law. Here again when we suggest this to the Government, it will simply say that NASSCOM or FICCI is represented in the working group and therefore industry is represented. But we all know that the NASSCOM Chair person or FICCI Secretary is not the person who can go to the micro level discussions that are required to make the law “Compliance Friendly”. He has to depend on his secretariat for bringing things to his attention to be raised before the Government.

In such cases the large companies may be able to have their say but the SMEs and public will never get to be heard.

This proposed law on Health Care Privacy will affect many small companies, some of which are startups that have developed medical industry related Apps. It will include small Nursing homes and pharmacies as well as diagnostic centers. They need to have their say in the law.

I would like the community participation to be at a high level in the framing of this law, so that we will not have to accuse the Government of framing the laws that cannot be implemented.

We are still at the beginning of the thinking process as regards this law, but we know the direction in which the Government is moving. We do not want to embarrass the Government later by calling it a bad law; we would rather contribute our ideas at the beginning itself.

Hence I invite the stakeholders to join this online forum and contribute both in the form of detailed articles and in the form of discussions in the WhatsApp group.

Naavi

Related Article: Times of India


Police target WhatsApp Admins and Facebook posters once again

I refer to an article which appeared in Hindustan Times recently, (Read the article here). I also refer to the article on Police action in Tamil Nadu on rumours on Jayalalithaa’s health.

The article on Jharkhand is headlined “WhatsApp admin to face action if sensitive posts shared in the group”. The news is about the Jharkhand police putting out a notice in the light of a Custodial death of a person who was arrested for posting some communally sensitive message. The Police appear to have issued a notice that action will be initiated against the Admin if he does not inform the police about posting of information considered sensitive under ITA 2008.

What we do not understand is, if a person had posted sensitive information on a WhatsApp group and has been arrested and later dies in police custody, how can the WhatsApp admin be responsible for this custodial death? Also, under what provisions of law in ITA 2008 do the Police intend to take action?

By trying to cover up their custodial death problem, the Police seem to be creating a panic in the WhatsApp community and diverting the attention of the public.

By such actions the LEA will lose their credibility and fail to get sympathy of the larger sections of the society. They will also be open to question under the Human Rights Action.

Naavi.org had already covered the responsibilities of WhatsApp admins in great detail earlier. A link to the earlier article is available here : WhatsApp Model Admin Policy

It is however necessary to reiterate here some thoughts on the mistakes that Police are committing. Since the Government of India is also revising ITA 2000/8, they also need to take into account different view points in this regard.

It is possible that different “Experts” may have different views. It requires a nationwide debate on controversial points to arrive at the most appropriate interpretation of the law.

Unfortunately, “Law” is always an “Interpretation” of the words contained in a statute which could have been drafted in a certain set of circumstances and with certain objectives, which get forgotten over time. Hence the “Legislative Intent” and the “Overall interest of the Community” have to be taken into account before interpreting the law.

There is no argument on the fact that if any activity is intended to create a law and order problem or commit any illegal activity, then the Police should have all the right to curb it by both preventive and punitive action. My views on this are too well known to the community to repeat here.

However, what this Circular of Jharkhand Police represents and what is happening in Tamil Nadu, where more than 50 persons have been arrested for what the Police call “Spreading Rumours” on the health of J. Jayalalithaa, are to be condemned as excesses that should be curbed.

There is however a difference between the Jharkhand-WhatsApp issue and the TN-Facebook issue. WhatsApp is a closed communication group and is more like an indoor meeting. Posting a message as “Public” on a Facebook page may however be similar to making a public comment on the street corner which anybody can hear. WhatsApp posting is a “One to Many Message” whereas Facebook posting is “Publishing”, though both may be called “message” loosely. One is a “private speech” and the other could be a “public speech”. Law has to distinguish the two.

Whether such “Speech” requires punitive action depends on “What is Said” and “With What intent”, “in What Context” and “With What effect”.

A street urchin wondering “Is Jayalalithaa Brain dead”? may be out of concern for her and may be in great anguish. To term it as an attempt to create a law and order problem is the height of over reaction. Similarly, in the Jharkhand case, if the person has died in custody, the Police cannot absolve themselves of their responsibility by suppressing public speech on why the person was arrested or the criticism of the Police thereafter.

The Police need to clarify, both in Jharkhand and TN, what followed the initial reaction expressed on Facebook or WhatsApp before the public can consider that the action was justified. But what has happened in TN is that several Facebook pages and YouTube pages have been shut down, and we do not really know what comment was made by the 50 different persons which can be called an “Attempt to create unrest in the society”. In the Jharkhand case I presume that the Police want to stop public outcry on the custodial death rather than prevent communal hatred.

Further, in Jharkhand or TN, if the Police fear a large scale unrest, they can shut down the Internet and call for an “Internal Emergency” so that no information goes out.

I wonder how professional are doctors giving out misleading statements and politicians making a fool of themselves in visiting the doctor and giving a medical bulletin about the patient. Suppose the statements made by the doctors and the political leaders about Jayalalithaa’s health turn out to be incorrect, will they stand trial for lying before the public?

It is sad that even the Madras High Court did not have the guts to ask for making the information public and it is clear that we are in a state of “Emergency” in Tamil Nadu which is more severe than what is there in Srinagar. The Central Government as well as the Courts seem to be willing parties to this suppression of information that needs to be made public in the interest of Democracy.

I seriously wish Mr Modi does not contribute to this farce by visiting Chennai to have a discussion with Dr Pratap Reddy and return to certify that Jaya’s health is improving. Let’s presume that her health is improving and she will return to rule Tamil Nadu without a certificate from Mr Modi.

In the case of Jharkhand, unless a WhatsApp Admin can be considered as part of a conspiracy, it is difficult to understand how he can be punished for a post.

I consider it a responsibility for the Admin to identify the member by the telephone number and possibly by name. If a post is inappropriate, it should be pointed out to the member. But not doing so should not immediately be considered as an offence grave enough for the admin to be arrested. Also most of the time the so called evidence that the Police may have on the WhatsApp posting should be considered as “Illegally acquired” and cannot stand in a Court of law unless a police officer is part of the group.

I completely agree and endorse that what is objectionable is “an incitement to violence” either on Cyber space or real space….and if it materializes. There can also be instances under Section 79 where non-cooperation of the Admins in an ongoing crime investigation can be objected to by Law Enforcement. But liabilities in such cases should be only when a notice is issued and there is a clear case of non cooperation that can be considered as complicity.

I am sure that what I say above could upset a lot of people including many of my friends. But there is a need for all adults in LEA to avoid irrational and inappropriate application of law which can create wrong precedence. I have many friends in the Police force and I know that they are aware of the law better than myself. I do not want their professional image to be sullied by such inappropriate action taken under some pressure, political or otherwise.

We have already seen the ill effects of such over enthusiasm of the Police in Palghar, who by arresting two ladies for a Facebook posting/like ended up getting Section 66A scrapped from ITA 2008.

The actions of the Jharkhand and TN police may end up in the banning of WhatsApp and Facebook, or force the Government of India to introduce new provisions in the amendments proposed in ITA 2000/8 that would render ITA 2000 a draconian law to be feared rather than an E Commerce promotional law for the progress of Digital India. If so, it would be a tragedy.

Naavi

 
