Naavi on Responsibility of Bankers for E Banking Frauds

Cyber Society of India (CySi), Chennai, of which Naavi is the founder secretary, conducted a one day workshop on Cyber Crimes on August 6, 2016.

Naavi spoke on the Role and Responsibility of Bankers, covering the legal implications under ITA 2008 and the Cyber Security Framework of RBI.

This talk was before August 11, 2016 when RBI further tightened the screws on the Bankers through the draft circular on Limited Liability of customers.

Here is a video link to the session of Naavi. Each video is around 26 minutes.

You are welcome to send me the feedback.

Naavi

Posted in Cyber Law | Leave a comment

Ministry of Civil Aviation should explain security of proposed WiFi on airplanes scheme

Yesterday, the Ministry of Civil Aviation made a public announcement that in about 10 days, passengers in Indian air space may be allowed to connect to Internet through a WiFi connectivity on the airplane.

It must have appeared exciting to hear of a seeming technological advance, and several people who heard the official clapped at the announcement.

Unfortunately, it rang alarm bells in my mind as to the new kinds of risks that the ministry is foisting on air travel, and raised a doubt whether the known risks have been hedged.

It is time for an immediate RTI to be filed to enquire if a proper Information Security Audit has been conducted by the appropriate authorities before this service has been contemplated. (I request any of my friends in Delhi to immediately file an RTI with the Ministry of Civil Aviation and DGCA)

It is expected that the WiFi system could be similar to what is being used in USA and involve either

a) connectivity through mobile towers on ground which connect to a WiFi router on board

b) connectivity through a satellite link that connects to the WiFi router on board.

In either case, the service will be priced (could be prohibitive) and therefore there will be a log in to a specific website from which the access will be authorized to the router.

At present it is expected that the bandwidth will be low and will be shared by all the persons on board.

(More details of the technical aspects would be known once the service is announced)

While it is clear that in long haul flights, it may have value to have connectivity to send and receive e-mails or messages or even browse some websites for urgent work, it is necessary for us to consider the risks that this proposed system would bring to Indian fliers.

The risks are of two types.

  1. Risk that one user of the WiFi network may be vulnerable to another user hacking into his computer. This could result in data leaks as well as ransomware attacks. In case of corporate customers carrying sensitive files in their computers and e-mails, this is a huge risk and needs to be addressed in the Information Security policy of the organization. (To say… “Use of on-board WiFi not allowed”).
  2. Risk of a hacker, on board or otherwise, hacking into the communication systems of the plane and causing a terror attack which may crash the plane.

Some of these risks can perhaps be mitigated by securing the WiFi router adequately and segregating the communication network of the plane from the WiFi network. However, this is more a theoretical exercise and in practice, it is not possible to fully secure the system against hacking.

The admission of Mr Chris Roberts, who hacked into a plane’s engine through its entertainment system and made it execute an unauthorized “Climb”, should open the eyes of anyone who thinks that security will be adequately managed by the airline staff.

The truth is that if we provide a single strand of entry to a hacker anywhere near the critical system, he will find a way to get in completely. The WiFi router could be one such entry point through which the hacker can enter and cause damage both to other passengers and to the aircraft itself.

It is therefore not prudent for the Indian Civil Aviation authorities to introduce the WiFi on board.

I therefore call upon the Ministry to withdraw the pronouncement or clarify through a public statement what security measures have been initiated in this regard and who is accountable in case of a breach of security.

Naavi

Related Articles:

How does airplane Wi-Fi work? And will it ever get any better?

How Does In-Flight Wi-Fi Really Work?

A look at the security of Wi-Fi on a plane

Midair Hack Shows the Dangers of In-Flight Wi-Fi

Wi-Fi security – can inflight internet REALLY hack planes?

FBI: Hacker claimed to have taken over flight’s engine controls

Aviation experts dispute hacker’s claim he seized control of airliner mid-flight


The Unified Interface App goes live

In what can be termed as a milestone in the e-banking scenario in India, the Unified Interface app on mobile that can provide access to multiple bank accounts of a customer on a single mobile platform has gone live.


The scheme has been credited as an achievement of the outgoing RBI Governor Mr Raghuram Rajan.

The essence of the scheme is that a customer of any Bank can download one mobile app from any of the participating Banks and use it as a gateway to all his Bank accounts (if his Bank is participating in the scheme). He can also create an alias address such as abc@….bank. Then this ID can be used for sending and receiving money.

There is no doubt that the scheme brings convenience to the current operations of e-banking and mobile banking and would be welcomed by many.

We have highlighted some of the risks in the past such as

a) Registration of a person’s name by another leading to consumer confusion and wrong debits or credits.

b) Fraudulent linking of accounts to cloned SIM cards

c) Fraudulent pulling of payments from the account

The registrant has been provided the option to impose restrictions in the form of time and amount limits. These may limit the fraudulent use of the registered account. But it is not clear if the account is adequately protected against fraudulent registration itself.

We need to watch how the system functions in the next few days to assess the security risks in greater detail. I invite the views of others on this matter.

Naavi

Related Articles:

The Hindu: UPI just turned your phone into a bank

NDTV Profit: Unified Payments Interface Goes Live: Here Is Your 10-Point Guide

Naavi.org, Unified Payment Interface introduced… New Threats unleashed… and 

Unified Payment Interface makes Mobile a better tool for financial frauds


E Banking Dispute Resolution Center to be activated

Naavi has been maintaining several information oriented websites and certain online services all of which are parts of resolving online disputes.

For example,

Naavi.org provides information on Cyber law, Cyber Crimes etc and creates awareness among consumers about their rights in case something goes wrong in cyber space.

Ceac.in provides services towards capturing evidence in electronic form which needs to be presented in a Court of law in India.

Cyber-notice.in provides service to place public notices on Cyber space when required.

Odrglobal.in provides an online mediation and arbitration facility which can be used for any dispute resolution.

Now, in the context of the recent RBI’s draft circular dated August 11, 2016, on “Limited Liability for Customers on E Banking Frauds” which requires certain specific procedure to be followed by victims of e-banking frauds to claim the benefits under the circular, Naavi.org proposes to provide an integrated E-Banking Dispute Resolution Center to assist customers of E-Banking who need to file their complaints in the unfortunate event of suffering losses from Cyber crimes, ATM or Credit/Debit Card frauds and Mobile Wallet frauds.

The E Banking Dispute Resolution Center proposes to do the following:

a) Enroll members for the service to whom necessary guidance for safe e-banking practices would be provided.

b) Provide facility for filing ceac-certified notices on receipt of phishing e-mails

c) Provide facility for filing disputes on receipt of any fraudulent debit alerts from Banks

d) Provide assistance to mediate with the Banks on determination of limited liability as per the norms fixed by RBI

e) Provide assistance from a panel of Cyber Lawyers who may represent the customers in different legal and judicial proceedings.

At an appropriate time, efforts would be made to bring in Cyber Insurance cover to the members.

The objective of the service is to enable reduction of losses caused by ignorance and bad e-banking practices by the public, provide assistance for resolving the disputes under the norms prescribed by RBI and to negotiate for residual risk coverage through Cyber Insurance when available.

This is a long term mission for which the foundation is being laid now.

The service will be formally activated and more detailed information made available after the RBI issues the confirmatory circular which should happen after the deadline of August 31, 2016 given for public comments.

The project is in the stage of being launched and any person who would like to join the project and contribute towards its stated goals is welcome to contact Naavi.

In the meantime, if any of the readers have not yet responded to the RBI circular, please do so before August 31, 2016. (For details refer this article)

Naavi

ATM Hacking in Thailand.. Failure of Information Security design

In another huge ATM heist reported from Thailand, 12 million Baht, equivalent to approximately US$ 350,000 or Rs 2.38 crores, was reportedly stolen by fraudsters.

Refer Article Here

In the past, ATM frauds have been committed with the use of skimming and cloned cards. In one other instance it has been committed with the creation of cloned cards by hacking into the back end card issue system.

But this Thailand fraud appears to have been committed with a new modus operandi: infecting the ATM machines with malware by inserting malware-carrying cards into the machine.

Fraudsters withdrew cash in multiple transactions from 21 ATM machines between August 1st and 8th. There must have been hundreds of transactions, since it is indicated that the withdrawals were less than 40000 baht per transaction.

What is important to note is that when the card was inserted, it initiated electronic activities beyond the expected process of reading the card data, and this was not detected by the system.

Additionally, after the initial payments, the Bank failed for 6 to 7 days to detect the frauds by identifying the unusual pattern of excessive withdrawals from the ATMs.

This indicates a twofold failure of the information security system design.

While we can appreciate the inherent risks of technology as well as the ingenuity of fraudsters in finding newer methods of committing a fraud, we must admit that our Bankers and the experts who design their Information Security Systems should also share the blame for major frauds such as these. If they had been alert and designed the system properly, frauds such as these should have been detected at least at the end of day one and should not have continued for 6 to 7 days.
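The end-of-day check this paragraph asks for can be expressed as follows. This is an added example, not part of the original post or of any bank's system: the transaction log is constructed, and the 90% near-cap ratio, the tolerance of five near-cap withdrawals per day and the median/MAD threshold are assumptions chosen for illustration; only the 40000 baht per-transaction figure comes from the report above.

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import median

PER_TXN_CAP = 40_000      # baht; the post says each withdrawal stayed under this
NEAR_CAP_RATIO = 0.9      # assumption: "near the cap" means >= 90% of it
MAX_NEAR_CAP_PER_DAY = 5  # assumption: tolerated near-cap withdrawals per ATM per day
K_MAD = 6.0               # assumption: scaled MADs above the median that count as unusual


def daily_stats(log):
    """Aggregate (atm_id, day, amount) rows into per-ATM, per-day figures."""
    stats = defaultdict(lambda: {"total": 0, "count": 0, "near_cap": 0})
    for atm, day, amount in log:
        s = stats[(atm, day)]
        s["total"] += amount
        s["count"] += 1
        if amount >= NEAR_CAP_RATIO * PER_TXN_CAP:
            s["near_cap"] += 1
    return dict(stats)


def end_of_day_alerts(log, day, history_days=7):
    """Return {atm_id: [reasons]} for ATMs whose activity on `day` is unusual
    compared with that ATM's own preceding `history_days` days."""
    stats = daily_stats(log)
    alerts = {}
    for atm in sorted({a for a, d in stats if d == day}):
        today = stats[(atm, day)]
        prior = [day - timedelta(days=n) for n in range(1, history_days + 1)]
        history = [stats[(atm, d)]["total"] for d in prior if (atm, d) in stats]
        reasons = []
        # Rule 1: many withdrawals sized just under the per-transaction cap.
        if today["near_cap"] > MAX_NEAR_CAP_PER_DAY:
            reasons.append("near_cap_burst")
        # Rule 2: cash dispensed far above this ATM's own recent baseline.
        if len(history) >= 3:
            med = median(history)
            mad = median(abs(t - med) for t in history)
            # 1.4826 scales MAD to a standard deviation for normal data; the
            # floor of 10% of the median avoids a zero spread on flat history.
            spread = max(1.4826 * mad, 0.1 * med)
            if today["total"] > med + K_MAD * spread:
                reasons.append("total_above_baseline")
        if reasons:
            alerts[atm] = reasons
    return alerts


def build_sample_log():
    """Constructed sample data, not real bank records."""
    log = []
    atms = ("ATM-001", "ATM-002", "ATM-003")
    for d in range(25, 32):                 # 25-31 July: ordinary days
        for i, atm in enumerate(atms):
            for n in range(20 + i):
                log.append((atm, date(2016, 7, d), 1_000 + 500 * ((n + d) % 8)))
    aug1 = date(2016, 8, 1)
    for atm in atms:                        # 1 August: ordinary traffic everywhere
        for n in range(20):
            log.append((atm, aug1, 1_000 + 500 * (n % 8)))
    for _ in range(30):                     # plus a burst on one ATM, each under the cap
        log.append(("ATM-002", aug1, 39_000))
    return log


if __name__ == "__main__":
    for atm, reasons in end_of_day_alerts(build_sample_log(), date(2016, 8, 1)).items():
        print(atm, reasons)
```

Comparing each ATM against its own history, instead of one bank-wide limit, keeps a busy city ATM and a quiet rural one from sharing a threshold that fits neither.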

It is also important to note that many ATMs run on obsolete operating system software such as Windows XP and cannot be patched for new exploits. (It is not known if this was one of the causes for this fraud).

Now that this fraud has been reported in Thailand the Indian Banks need to wake up and check their systems to see if this vulnerability can be exploited in India.

If I were the Governor of RBI, the first thing I would have done was to call the Thailand counterpart and find out the root cause analysis of the fraud. If necessary, I would depute somebody like Mr Nandakumar Sarvade to take the next flight to Thailand and personally meet the forensic specialists of Thailand to understand the issues involved so that we can check how vulnerable the Indian ATM system is to such frauds.

Well, this is a dream and may not happen. What I however consider feasible is that there are a few private sector White Label ATM owners in India who might want to undertake a tour of Thailand for investigation and understanding of the modus operandi of the fraud so that corrective security measures can be taken in India.

At present there are around 20 such companies including many listed companies. Such companies include Tata Communications Payment Solutions Ltd., Prizm Payment Services Pvt. Ltd., Muthoot Finance Ltd., Vakrangee Ltd, BTI Payments Pvt Ltd, Srei Infrastructure Finance Ltd and RiddhiSiddhi Bullions Ltd.

For these companies (as well as all other Banks who manage ATMs), the news report about the Thailand ATM fraud is a “Risk Notice”, and the action required is to analyze the information and initiate immediate action.

We are now about 36 days from the RBI deadline for implementation of Cyber Security Framework 2016, and this ATM risk assessment and mitigation becomes an easily recognizable target for the information security team.

The Directors of these Banks and Companies need to therefore demand that in the next 48 hours, an emergency Board meeting may be called to apprise them of the vulnerability of their ATMs to this kind of fraud involving “Malware injection through the ATM Card”.

Will the Bank Directors shoot out an e-mail today to the Chairman to convene such a meeting and demand information?

CISOs in the meantime may try to gather a list of ATMs, the operating systems on which they run, the risks of malware injection, the ability to identify unusual patterns of transactions etc and present their plan of action to secure the Bank against such frauds.

Exciting days ahead for the CISOs….

Naavi

P.S: My hunch is that Chip embedded cards are more vulnerable to malware injection attack than the old day magnetic stripe cards. Any opinion on this view?

Related Information:

RBI Guidelines on White Label ATMs

RBI guidelines on ATM usage

White Label ATMs in India

Economics of White Label ATMs etc


Big Data Conundrum

With increasing emphasis on digital progress in India, we often hear the term “Big Data” and the “Privacy” issues associated with it. Just as “Privacy” and “Security” issues have become objects of comparative controversy, Big Data and Privacy are also becoming another set of objects for comparative controversy.

In addressing the Privacy Vs Security issues, we have always held that Security is to be preferred over Privacy and in the context of growing terrorism in India and the world, it is impossible for “Privacy” to be preferred over Security at any time. This controversy can however be settled with a win-win solution of “Regulated Anonymity” which has been debated earlier.

Now let us look at Big Data Vs Privacy as a problem which we need to address. This requires a better clarification of what Big Data is before we can comment on the issues arising out of Collection, Mining, Processing, Publishing, Transmission, Disclosure and Harnessing of Big Data.

The Concept of Big Data as against the normal term of “Data” arose when the volume of data to be handled for processing in a single process grew too large to be handled by the normal data processing systems. Along with the size of the data, came the complexity of diverse nature of data and the need to process the huge and complex data.

Big data requires a set of techniques and technologies with new forms of integration to reveal insights from datasets that are diverse, complex, and of a massive scale. The technical issues raised by the size and complexity give rise to legal issues that are also difficult to handle under the existing Cyber Laws.

Hence there is a need to have a re-look at Cyber Laws related to Big Data. In this context, Privacy is presently at the top of the discussion table. “Big Data Crimes” will also be relevant for discussion and will subsequently flow on to “Big Data Security” as we go along the path of understanding the issues raised by Big Data.

The rise of IoT, Smart Cities, Smart Grids etc feeds the generation of Big Data, and along with it comes the need to discuss “Big Data Laws” as a necessary subject of discussion.

The growth of Cyber Terrorism and Cyber Warfare, prevention of which requires “Cyber Intelligence” also overlaps with the policies and laws that are needed for the Collection, Mining, Processing, Storage, Publishing, Transmission, Disclosure and harnessing etc of Big Data.

Nature of Big Data

In order to discuss the “Big Data Laws”, we need to first understand the nature of Big Data.

The Source of Big Data is the information transmission nodes and the public data storage points. Beyond these, data is stored in private custody, behind Firewalls and unless it is transferred from the place of creation across an open network, it may never become accessible to Big Data Sniffers.

When Big Data Sniffers “Mine” for data, they may not target any specific type of data or an individual. The data collected from an omnibus data collection drive may later get filtered and classified into different types of data and tagged accordingly for further harnessing.

Components of Big Data are

a) Personal Data collected from Individuals including individualized data such as that emanating from devices embedded in the human body such as Wearables and Medical implants.

b) Corporate Data which includes business information as well as personal data of individuals in the hands of a corporate either as custodians of employee data or as intermediaries processing data of customers and public.

c) Environmental data including those collected from Weather satellites, Mapping devices, CCTVs in public places etc where the primary aim is not to collect personal data but it becomes part of the overall data collected.

d) Meta Data which is “Data about Data” which involves transactions of Netizens, tracking of data movement over a public network and includes “Log Records” of all kinds. Though this data is impersonal at the time of collection, it is amenable to further analysis and conversion from a de-identified state to an identified state.

Privacy Issues are concerns that arise when an individual’s personal data becomes accessible to another without the knowledge and consent of the data subject.

When an individual is providing specific personal data, the principles of Privacy protection revolve around informing the subject of the data being collected, the purpose for which it is collected, how it is being used, secured, disposed of etc., following which the consent of the data subject is obtained by the agency collecting the information.

This is a contractual obligation and any violation of privacy which is in breach of the contract is punishable under various laws.

Even in India where there is no specific Privacy Protection law, Information Technology Act 2000 as amended in 2008 (ITA2000/8) provides protection for the contractual arrangement between the data subject and the data collection agent through Sections 43, 43A, 72A etc. Additionally, certain powers are vested with certain authorities which provide for exceptions to Privacy, which are used for surveillance, intelligence gathering by security agencies, investigation and prosecution of crimes etc.

The problem in Privacy that arises in the Big data context is that at the time data comes into the hands of a Big Data Sniffer, neither does he know that he is collecting personal data nor does the data subject know that his personal data is being collected.

Take for example a street view CCTV which captures the movement of a Car in which the license plate is visible or the face of a person is visible as he is walking across the street. This is initially data about an activity: that a car is moving in a particular street or a man is walking along. But if this data is parsed along with the vehicle registration data it can be presumed that the car’s owner is moving in the street.

Similarly if face recognition is done on the person walking along by checking with tagged photographs in the social media, the CCTV data becomes highly personalized data.

If the camera is capturing the person entering and exiting an ATM or a Hospital, we are entering into sensitive personal information about the individual.

These examples indicate that “Data can Change its status from the time it is collected to when it goes into processing”. Herein lies the biggest challenge to Big Data law making.

We cannot prevent the CCTV footage being collected in the first place because there may be myriad security reasons for the same. Beyond the security reasons there could also be purely functional requirements such as managing the traffic lights in an automated traffic light system.

Once the information which is collected in a public place has an element of “Privacy” there will always be disagreements on how the data can be handled.

We therefore need to perhaps re-think if our definition of privacy itself needs to be reviewed in the context of the development of a digitized environment.

If a person is using a public place, whether the fact that he used the public place can be information which he can claim to be private is a point of discussion. Similarly, we can question if watching a person move along the road through the CCTV cameras amounts to “Cyber Stalking”.

Obviously, some would agree that such watching may amount to privacy violation and needs to be protected. But law makers need to think twice before recognizing the “Public Activity” of a person as  “Private Data” subject to privacy protection.

It is a common practice today to see notices such as “This area is under CCTV surveillance” just to ensure that there is no complaint on privacy violation. In the Big Data law making scenario, we need to debate if such a notice is required in a public place (including malls and public offices).

The key point we need to therefore settle is,

Do we try to make new laws that fit into the Big Data scenario by changing some of the existing concepts or try to fit existing laws to where it cannot be regulated and enforced?

When Cyber Laws were made by people who had no understanding of the Cyber Space, we observed many anomalies creeping into the system.  Most of these still remain in the statute and are often the cause of imperfect legal implementation. It will take generations before Jurisprudence develops and matures to address the doubts that arise because the laws made are imperfect to the needs of the society.

A similar situation now prevails where laws made for the normal Cyber Society for privacy protection may not be effective in a Big Data scenario.

We need to therefore re-define what is Privacy in the context of a Digital world and the Big data processing. What is “Personal Data” subject to “Privacy Rights” may have to be re-defined to exclude personal data which is in such state where it is in the form of “raw data not associated with the personal information” though it may be capable of being tagged by a further sequential process.

Once this re-definition of privacy is accepted, the Big Data collector can be free from the obligations of Privacy. It is however the responsibility of Big Data processors to ensure that the linking of “Big Data” with “Identifiable Individual” does not happen except through a regulated process. The new Privacy laws have to therefore address this technical stage of processing Big Data. In a way, this means data collected as anonymous data is retained in an anonymous state even when it goes down the further processing stream.

For Big Data to be useful, at some stage downstream of the processing chain, it has to be identified with an individual and it is at this process that the Privacy Protection laws can be applied.

The several “Intermediaries” involved in the Big Data Analytics have to be therefore classified into different categories such as “Anonymous Data Processors”, “Identified Data Processors” and “Data Identification Gate keepers”. The “Big Data Privacy Law” can then apply different norms to these different entities.

I invite comments and suggestions …..

(…..Discussions will continue)

Naavi
