Calling attention of Branch Manager, State Bank of India, Musiri Branch, Tamil Nadu

This is an open letter to

The Manager, State Bank of India, Musiri Branch, Tiruchirapalli Branch, Tamil Nadu.

Dear Sir

I am informed that on June 7th 2017, 5 fraudulent withdrawals have been made from one of the customers of your branch having account number 3353XXXXX38 (P.S: Full Name and other details are already known to you and hence are not reproduced in this public forum. If required, they will be provided) amounting to Rs 49773/- which was the hard earned savings of a poor customer.

I have reasons to believe that SBI has been completely negligent in passing these fraudulent debits to the account without following proper security measures as required under Information Technology Act 2000/8 and RBI guidelines.

I am aware that you would be having your excuses on why you passed the forged transactions without following reasonable security practices. These are subject matter of further detailed litigation if it becomes necessary.

I also request you to refrain from obtaining any false declarations from the customer under duress to defend your position.

In the meantime, I would like you to kindly inform your customer in writing the following:

  1. Full details of each of the 5 debits including the nature of transaction, IP addresses if they were online transactions, Merchant establishment details if they were offline transactions.
  2. Details of any awareness training you had provided to the customer regarding the risks of digital payments when you decided to provide him a Debit card and internet access.
  3. Reasons why you have not reimbursed the amount as per RBI guidelines on “Limited Liability” when the fraud was reported to you
  4. Reasons why you have indulged in a money laundering exercise in association with the fraudsters and allowed your customer to be cheated.
  5. Reasons why you have not invoked Cyber Insurance and given a refund to the customer immediately.
  6. Your views on whether this fraud is related to the recent incident when SBI recalled 6 lakh debit cards which were compromised and if not, why you think it is not so related.
  7. The details of when and how you have reported this fraud to CERT-In and your HO and if not, why you chose not to report the fraud as required under law as well as regulatory guidelines.
  8. If the payments have been made at any ATM outlets or Merchant Establishments, kindly obtain and forward CCTV footage with Section 65B (Indian Evidence Act) certification. If you are unable to produce such footage, please provide reasons why you are unable to produce such evidence.
  9. If the transactions were made online, please obtain and send all log records showing the entry of CVV, VBB and other security PIN if any, with date, time etc., again with Section 65B (IEA) certification. If you are unable to provide such information, kindly let us know the reasons why you do not want to produce such evidence.
  10. If the transactions were made offline, please obtain and send the POS machine logs along with transaction summary slips showing the customer’s signature. If you are unable to provide the same, kindly give reasons on under which RBI guideline you are allowing Card Not Present transactions without obtaining the customer’s signature and matching it with the signature on the back of the card.
  11. If the money is purported to have been drawn by some third party fraudsters, kindly obtain and forward the KYC documents to identify the fraudsters. If you are unable to produce such information, kindly indicate why you are allowing such money laundering to be committed by your Bank and its associates.
  12. Please also send the names and designations of all SBI officials and the Merchant Establishments and ATM owners who are involved in this money laundering exercise.

I will collect the information from your customer so that decision can be taken on further course of action including launching of criminal proceedings against State Bank of India and its officials including you.

I wish you would immediately take steps to refund the amount to your customer as per RBI guidelines so that there would be no requirement of further action.

Regards

Naavi

I am also intending to initiate launch of a public movement at Musiri to ask all your customers to return all cards issued by SBI as they are likely to be used by associates of the Bank to defraud innocent customers. I hope this would be a national movement that will make SBI realize its responsibilities in dealing with E Banking.

I also call upon the Chairperson of State Bank of India to take suitable steps to redress the grievance of the customer without raising any excuses.

I request the Adjudicator of Tamil Nadu (IT Secretary) to use his powers under Section 46 of ITA 2000/8 and initiate a suo-moto action against SBI to redress the grievance of the customer.

I request NGOs such as Cyber Society Of India (CySi) to take up the issue as a Public Interest and persuade SBI to see reason and redress the grievance of the customer.

I also request Reserve Bank of India to advise SBI to take immediate remedial action.

I also request NPCI and CERT In to intervene and assist in the resolution of the dispute since they are also responsible for the lack of adequate security of digital payment transactions.

I also request Mr Arun Jaitley and Mr Narendra Modi, honourable Finance Minister and Prime Minister of India, who are pushing for digital payment systems without understanding if the public are ready or not and without ensuring that Banks are not hand in glove with fraudsters and looting public money, to instruct SBI to redress the customer grievance immediately.

Naavi

 

 


Falsified Evidence under Section 65B certificate

Section 65B of Indian Evidence Act requires a certificate to be produced with any Electronic Document submitted as evidence in a Court of law, at the admission stage.

The mandatory requirement of Section 65B certificate came into effect on 17th October 2000 when ITA 2000 (Information Technology Act 2000) was notified. However it was the undersigned who produced the first such certificate in a Court. It was in 2004 in the State of Tamil Nadu Vs Suhaskatti case for criminal prosecution under Section 67, in the Egmore AMM Court, Chennai. Based on the certified evidence the Court went on to proceed with the trial and convict the accused. The conviction was sustained even in the appeal at the Session Court, upholding the validity of the evidence. Since then the Section 65B certificates produced by the undersigned have been produced in other courts from time to time.

However it was not until the Supreme Court judgement in the P A Anvar Vs P.K Basheer that the litigation market players realized that electronic evidence without Section 65B certificate would not be admissible in the Courts. Even the Police have started adding in their CrPc notices calling for information which may be in electronic form to be provided with Section 65B certificate.

Naturally, there is a scramble now on understanding how the certificate has to be given. Though Naavi.org and ceac.in have put out clear information on how Section 65B certificate is to be produced, there are a few legal practitioners who may hold some different view points on some of the finer points of certification. Such differences will persist for some time and will be resolved over a period of time as long as we try to understand the purpose of the section and its use case scenarios.

What is however necessary for Companies in particular from the ITA 2008 compliance angle and ordinary citizens relying on such evidences to fight cases in the Courts is to understand that if the evidence is not properly produced, they may be rejected by the Court at the admission stage itself.

On the other hand, we also need to warn companies and individuals that sometimes there is a tendency to produce evidence which is deliberately falsified with the hope that nobody would find out.

I recently came across such an incident where a large Telecom company had filed an apparently falsified electronic evidence to support its case against one of their employees. The electronic documents were supported by Section 65B certificate and also an affidavit in the Court.

It is possible that the defense may submit suitable arguments to throw this evidence out but what we need to remember is that production of falsified evidence is clearly an offence under Section 193 of IPC which is a cognizable offence carrying 7 years of imprisonment.

The person who produced a falsified Section 65B certificate and an affidavit in respect of the certificate would be liable for punishment under Section 193.

Such an Act will also be an offence under Section 43/66 of ITA 2000/8. Some of these incidents would also be offences under Section 65 and Section 67C of the Act as well.

When such person is an employee of a company and the interest of the Company is involved, the Company would also be guilty of the offence and it would extend to the “Officers in charge of Business” and “Directors” under acts such as the Companies Act and ITA 2000/8.

While the offence under Section 193 of IPC carries 7 years imprisonment the ITA 2000/8 offences carry 3 years imprisonment.

I therefore advise that those who do not know how to produce Section 65B evidence should not take the risk of producing falsified evidence as it may boomerang on them during the course of the trial when it is proved to have been falsified.

In Civil cases when such falsification comes to the knowledge of the Court it would be possible for the Judge to order that criminal action should be initiated by the prosecution separately either under IPC or ITA 2000/8. Perhaps it may be possible for the Court to initiate Contempt of Court proceedings for misleading the Court through falsified evidence.

Even in cases where an electronic evidence was present at one point of time but the litigant has failed to get Section 65B certificate for an evidence and subsequently it is no longer available, instead of trying to falsify the evidence with a compromised Section 65B certificate, it is better to forego the presentation of the documentary evidence in the form of electronic documents and try to proceed with other evidence on hand including oral evidence and witnesses.

Naavi


ACT Broadband blocks FTP access to clients

ACT Fiber net (Atria Convergence Technologies Pvt. Ltd.) is an Internet Service Provider which was the first service provider (particularly in Bangalore) to offer internet access service through an optical fiber network. In view of the high bandwidth provided by the technology and with no major competition, the Company expanded its business into several cities in India.

Now that Reliance Jio has started setting up its own optic fiber network, which has already been introduced in some cities on an experimental basis, ACT appears to be responding to the threat strangely by degrading the existing service instead of shutting out the competition with improved services.

It has modified its tariff plan to create a new revenue model for the company by stripping the existing service of some of the features.

The Company has implemented a new tariff plan, without providing any notice to its customers, which restricts its internet service to the basic level of “Browsing” and “E Mail”. It has de-linked some aspects of the “FTP access”, which some experts say has been done by blocking some open ports used for FTP access. Any requirement of such service would now require a subscription to what the company calls a “Static IP address”, which may simply be a set of IP addresses in which full services are configured as against other customers.

As a result of this change, for the users of ACT broadband service, “Secure FTP Access” has now become a “Value Added Service” for which a separate fee needs to be paid.

While it is the prerogative of any company to price its products as per its own plans, there is a need to remember that a change in tariff plan needs to be notified to the customer. Unfortunately, customer service may not be the top of the agenda for the Company as it refuses to inform its customers and refuses to even raise a proper bill. It has unilaterally degraded the service hoping that most of the customers may not be able to understand why some of their services have stopped functioning.

It is interesting to note that a company which wants to lead in technology does not have the marketing acumen to take it to the next level where it will have to compete with the likes of Reliance Jio.

Perhaps this gives a cue to Reliance Jio on how to enter the markets where ACT is now present by a service offering which would be able to face the competition with some ease. Reliance Jio in the recent days has demonstrated the marketing acumen that it possesses to penetrate a market which is already entrenched with established players and create a dent overnight. ACT Fibernet would perhaps be an easy prey to the marketing giant called Jio.

I look forward to an interesting battle when Reliance Jio enters the Bangalore market with its optic fiber services.

Naavi


Why we need to defer introduction of AEPS?

The Aadhar based payment system which is meant to capture the biometrics and initiate banking transactions is being pushed for implementation by June 30, 2017.

However, we request the authorities not to stand on false egos and try to introduce a system which could create a huge security hole in the financial eco system in the country.

The main problem in the proposed system is that there will be thousands of Business Correspondents, “Bank Mitras” who will be authorised to carry biometric devices and initiate banking transactions. The concept is great provided it is having checks and balances to avoid misuse and fraud.

At present, it appears that the authorities have not taken sufficient steps to protect the users from the adverse impact of frauds.

Before we proceed further, I would like to draw the attention of the public to the recent incident when 32 lakh debit cards were supposed to have been compromised through HITACHI ATMs where the malware is presumed to have wormed its way to a NPCI controlled switch and compromised multiple banking systems. There are theories that multiple banks’ systems were compromised not through NPCI but because some card holders used the infected Yes Bank ATMs and then other Bank ATMs, spreading the infections. The exact nature of the infection is not known. However the following article explains in detail one research report on the incident and is worth reading in detail.

Report: India’s sluggish response to cyberattack that infected 3.2 million cards exposes its vulnerabilities

There is no doubt that all the compromised ATMs reported in the above incident were “Certified” by authorized vendors of RBI and Banks. They were also under direct control of licensed ATM operators most of them being Banks. There was physical security in the form of guards and electronic surveillance in the form of CCTVs. Despite this, the systems were compromised.

The compromise also prevailed in the system for a long time and nobody realized it until the damage was done. When breaches started happening, nobody reported it to CERT-In and there was every attempt to brush the controversy under the carpet. Security experts who were assigned the responsibility to conduct forensic audits ended up erasing evidence, not knowing the law of the land.

Finally there is an “Admission” by Hitachi that they accept responsibility, which makes things more suspicious as to whether they were trying to protect any other agency in the process which could also have been held either solely or collectively responsible for the breach.

In this background we need to see how secure the AEPS system is, where the biometric devices or the Micro ATMs are held in the custody of the public and are out of sight of the regulators.

The devices are certified by some agency such as STQC as fit for use as per some standards but are manufactured by different private sector companies many of them from abroad. Some of these Micro ATMs may work as an application running under Android OS systems.

While the certifying agencies may certify the functionality of the devices, it is a myth that these devices are tamper proof.

It is a common security understanding that any device which a hacker has access to for a prolonged period in confidence is subject to the risk of being manipulated with the introduction of a changed mother board or a Manchurian chip add on. In the past we have seen that POS devices for credit card swiping at the Merchants supplied by China to UK merchants were stealing data and Scotland Yard had to conduct an elaborate exercise to identify and remove those devices. Very recently in India we have observed that the Petrol vending machines in Lucknow were tampered with to cheat the customers of the quantity of petrol dispensed, by adding a chip in the circuit. Some time back, Digital auto rickshaw meters in Bangalore were also similarly tampered with by insertion of a chip in the meter.

It is therefore possible and reasonably certain that the Micro ATMs and POS systems using Aadhar Enabled Payment Systems will be compromised in due course. This would result in the biometrics of customers being copied and re used on a systematic basis. This also has been demonstrated by Axis Bank and E Mudhra not so long ago.

Since some of these biometric devices may be imported from China to meet the rush and also because they may be considered cheap, we may expect that backdoors may be installed in such equipment which could defeat the STQC audits and prevail while the system goes into use.

We may recall that Volkswagen designed software to cheat the emission standard tests to give false results while resetting itself in actual usage where emission standards were compromised for better pick up and power. Similarly, the manufacturers of this equipment will design their systems to behave well before STQC and turn rogue when they go into the usage environment.

In due course there is therefore a possibility that we are creating a network of financial devices which can be exploited by an enemy country in a Cyber War situation.

The Indian Election Commission (EC) recently faced a comparable challenge on the EVMs as the AAP MLA showed how he can replace the mother board if given access to the machine and therefore how the elections can be tampered with. The EC however rightly pointed out that the EVMs used in actual elections would not be out of its sight and are randomly assigned to different booths and hence cannot be tampered with as indicated by the AAP MLA.

The Aadhar Enabled Payment System has to take a cue from the EVM controversy and understand that they do not have controls which EC has designed for EVMs as regards the Micro ATMs and biometric devices.

It is not impossible to introduce security controls to prevent any misuse or quickly catch a delinquent transaction if it happens but such controls do not seem to exist in the current devices which are standard devices meant for a different security scenario.

In future, we can get these devices manufactured by BEL or ECIL under close supervision and with all the security features which make tampering nearly impossible. But for this there is a need to take time and not rush implementation of AEPS by June 30, 2017.

I wish the authorities would listen to this sane advice unless they are ready to place the Indian Financial system into jeopardy for the sake of impressing upon Mr Modi that we are technologically ahead of other countries in implementing digital payment systems.

Naavi

 


The Bug in AEPS is in the biometric devices and BCs and not the UIDAI server… But the effect is same

When Aadhar was in its initial stages, whenever security issues were raised with Mr Nandan Nilekani, he used to assure that Aadhar is not a “Card” but it is only a data base. Information in aadhar database never travels across the network and only “Yes” or “No” responses to queries travel. If there is any duplication, the de-duplication exercise will ensure that two people will not be issued the same Aadhar number etc. He never accepted that things could change during implementation and security holes could develop in course of time.

Even now, to be fair to UIDAI, the leakage of aadhaar data has happened outside the servers of UIDAI, firstly at the time of enrollment when enrollment laptops were stolen in many places, and more recently when some Government departments put up Aadhar data on the web along with some benefit payment information. In between, frauds in enrollment occurred on a large scale in the name of people who could not provide proper finger prints because they either had lost their hands or the finger prints were not good.

After the recent breach, when stored biometrics were used by Axis Bank and E Mudhra, some technical patch seems to have been found to detect such attempts in future. Just like trying to identify a “live” finger, a perfect match of two finger prints is also flagged as doubtful.

Thus UIDAI may claim that technologically they are up to any challenge where data protection at the server level is considered.

UIDAI has also taken steps in ensuring that the AUAs and ASAs are all “ITA 2008 compliant” at least by declaration. If these agencies make a sincere attempt at ITA 2008 compliance, the security would be taken to a slightly higher level since more heads will focus on the issue, particularly from outside of the technology professionals whose vision would be clouded with the functionality of the software/hardware and fail in taking a holistic view.

But when we discuss the security or insecurity of the Aadhar Enabled Payment system (AEPS), we are not restricting our vision to only “Technical Security” of the UIDAI server side. We are discussing the security vulnerabilities across the entire system of usage which includes the Business Correspondents, Banks, NPCI and any other intermediary involved.

Now the biggest risk in AEPS comes from the Biometric devices that are used by the Business Correspondents (BC) which includes many merchants and individuals. These merchants could be dishonest or negligent and ignorant causing problems of misuse of payment credentials which are shared by the customers.

There have been instances in the past of people selling goods below the market rates only to steal the credit card data either in offline “card present” transactions or online “card not present” transactions. It can happen even in AEPS transactions if the biometric data can be stored and replayed.

There have been instances of Trojans/Viruses affecting the POS systems stealing the card data. There have been also instances of Manchurian Chips being installed in POS machines for data stealing.

All these vulnerabilities can be relevant to AEPS also.

Man in the Middle attacks particularly of the Man in the Browser type are very much possible in the case of AEPS.

When AEPS is compromised in any manner, the entire chain of Bank accounts of a person could be compromised in one go and money from multiple Bank accounts of the person can be wiped out in a single breach.

We know that in such a case, UIDAI will not take any responsibility and Banks will also try to wriggle out placing the blame on everybody but themselves. NPCI is hidden behind the screens along with the App developers and software developers who specialize in releasing software with bugs and play with Zero day vulnerabilities.

Ultimately the customer is left to fight with the Police and blame them for not being able to solve Cyber Crimes.

Government has repeatedly refused to accept the principle of “Mandatory Cyber Insurance” to protect customers and technology people are happy to experiment with the system since they are never questioned for any fraud.

With the present push on AEPS, what is happening is that customers are left with “No Alternative” but to accept AEPS. They can themselves avoid the use of the system but they have no control over any fraudster impersonating them with the use of fake Aadhar cards.

We therefore urge the Government not to rush introducing AEPS in the current status. There is a need for taking some security measures that prevents frauds committed with social engineering and insider involvement.

Until such time, it is recommended that the introduction of AEPS should be deferred. I suppose that the solution could be worked out perhaps in about 3 to 6 months if the Government is keen.

Naavi


Is AEPS a Digital Honey Trap?… Is there an Escape Plan?

In January 2017, an interim report of the NITI Ayog Committee of Chief Ministers on digital payments recommended:

  1.  To ensure wide-scale adoption of AEPS and Aadhaar Pay, banks need to be mandated to complete Aadhaar seeding of all their customers in a time bound manner.  All banks must ensure that their AEPS gateway are up and running all the time and have proper reconciliation teams in place.
  2. All Payment banks to be made interoperable on AEPS
  3. All BCs to be made interoperable on AEPS.
  4. Biometric (Finger Print & Iris) sensors may be provided at 50% subsidy for all merchants to onboard on to AadhaarPay
  5. Rollout of Aadhaar Pay application riding on the AEPS platform may be expedited by encouraging banks to adopt the same. Bank branches to be given target to onboard merchants in their vicinity to adopt Aadhaar Pay with their existing android smartphone and biometric reader which would present a significantly cost-effective alternative compared to the traditional PoS infrastructure. There should be a bank-wise target to achieve 10 lakh active Aadhaar based merchant outlets by June, 2017 and 40 lakhs by December, 2017
  6. RBI should allow white-labelled business cum merchant correspondents for spreading AEPS PoS devices across the country. Common Service Centers (CSC), Department of Posts and India Post Payments Bank should be allowed to begin with. It be extended to other entities who meet the criteria prescribed by RBI.
  7. NPCI and Banks should enable Iris authentication on AEPS so that people with worn out fingerprints are also able to do AEPS transactions.
  8. All ATMs/Micro-ATMS/POS should be mandated to have Aadhaar biometric authentication facility from June 1, 2017

RBI vide its circular dated December 2, 2016 had also indicated that the deployment of Aadhar based devices should be completed by June 30, 2017.

As a result of these measures there is a rush to implement AEPS gateway and make it operational at the earliest.

Some of the Banks have already issued “Aadhar Cards” for their customers and obtained IIN numbers assigned to them. While NPCI and NITI Ayog are excited and are pushing the implementation, RBI has no option but to oblige.

In all this excitement, the safety and security of the Indian Consumer appears to be the last and perhaps a lost priority.

The system as is envisaged is creating a network of Bank accounts which are all inter connected with the Aadhar number, PAN number and Mobile numbers operating through NPCI switch/es which are also open to Banking software, Mobile wallets, ATMs, UPI apps etc.

If any one of these network elements is compromised, there is a possibility of the entire financial system in India to be compromised.

Aadhar was not designed for this kind of usage as is being envisaged under AEPS. It was meant to be a confidential data base with only the ability to send out binary responses of Yes or No when a specific query is made with a reference to a parameter associated with an Aadhar Number or a biometric input. It was never meant to send out the entire data sheet on request with just the verification of an OTP. It was not meant to be used as an ID substitute nor as a sole KYC instrument. In this role aadhar data of individuals is getting broadcast widely and gets stored in innumerable places with many vendors and agents of vendors where there is no control on privacy or security.

While it has helped Government to check misuse of Direct benefit Transfer, it has also opened other vulnerabilities that are a risk to those who have no interest in Direct Benefit Transfers. Today honest citizens have no control on their Aadhar and the linked PAN card being used in impersonation. Now linking Bank accounts will further open the gateway to money transfer from the accounts of individuals because their Aadhar data was compromised some where by some vendor like a mobile operator or a domestic gas supplier if not a fraudulent banker.

The Aadhar system today is itself dependent heavily on the associated mobile numbers where the security is very lax and obtaining duplicate SIM and fake SIM is extremely easy. Since Bank accounts are operable under USSD, UPI and AEPS systems, the entire security infrastructure of the Indian financial systems will be at the mercy of the mobile identity of individuals.

Now all the SIM card vendors are also becoming Business Correspondents who can put their hands into my/our Bank account and therein lies one of the major risks of the AEPS system.

Since the Mobile devices are already under the control of Chinese manufacturers and innumerable number of viruses and trojans are already on the prowl on mobile devices, Indian financial system will be at the mercy of China in a Cyber War situation. Since China is always on the side of Pakistan, this entire Chinese Cyber War machinery would be at the disposal of Pakistan.

There are any number of Pakistani dalals in India (some of whom have already requested that Pakistan should help them defeat Mr Modi), and there will be enough number of traitors within the country who would welcome any development where Pakistan can discredit Mr Modi through a Cyber attack on his favourite “Digital Payment System”.

The proposed AEPS system is the last straw on the camel’s back and will push Indian financial system to a point of no return.

I therefore reckon that the Digital Payment Systems in India as it is being conceived now can turn out to be a Honey trap for Mr Modi and BJP and spoil the chances of BJP winning the next Loksabha elections.

What the Political Maha Khatbandhan cannot achieve, this Financial Khatbhandahan called AEPS can achieve.

Already, Aadhar data base has been compromised, there are many fake Aadhar IDs in circulation and many more that will come up in the coming days because the cost of obtaining a fake aadhar ID is as low as Rs 100/- as indicated by the Pakistani nationals who were arrested in Bangalore recently.

The UPI system has its own weaknesses as indicated by the Bank of Maharashtra UPI fraud.

UIDAI is itself vulnerable to “Stored Biometric Replay” attack demonstrated by Axis Bank and E Mudhra.

Banks would do anything for a price and if accounts are to be opened with manipulated KYCs, there are many Banks and branches who specialize in this.

Hence opening a bank account in the name of a fraudster linked to a fake aadhar card is as easy as ABC.

It is this infrastructure that is weak at a number of points that the Government is now relying upon to introduce Aadhar Based Payment System (AEPS) and link the biometrics of all Bank customers to an ability to pass debits to the Bank account.

The entire process has many loop holes and complies neither with the laws of the Banking industry nor with RBI’s own guidelines.

Unfortunately, there appears to be no sane voice available to the Government in flagging the risks and even if some emerge, the counter force will drown such voices.

While innovations in technology are required and are inevitable, at each stage of transformation, we need to ensure that there are enough checks and balances to ensure the security of people who use the systems.

I think there is a huge gap between what needs to be done and what is being done by technology intoxicated persons who are advising the Government agencies.

AEPS is a test case in which the commitment to security by these agencies is challenged. So far the technology administrators have not come out exuding confidence to the community.

There is no doubt that we can innovate technology solutions that can improve the security by many notches. But these solutions may not be available off the shelf. We need to create indigenous technology to protect the proposed AEPS objective of “Place your finger and transfer money”.

But one needs an eye to see and readiness to absorb higher costs if Government has to chart an escape plan from the trap that they are entering into. At present the Government is not able to see the risks properly and is therefore not thinking of solutions that are required. The cost consideration is therefore yet to come onto the radar.

It is premature and inappropriate to discuss the technology solutions in this public platform since it is a matter which even NITI Ayog recognizes as a “Patentable” innovation.

However, in the interest of preserving the political future of Mr Modi, we can state that the system of AEPS as being envisaged now (giving allowances for the fact that some security aspects might have been introduced by UIDAI and not made public), may have risks that are not easily addressable in the current dispensation and this is likely to be a honey trap that Mr Modi should guard against.

Naavi
