Cyber Security Framework and Directors of Banks - An Action Plan.. for Now..

The Cyber Security Framework (CSF-2016) proposed by RBI to be implemented by Banks has posed a stiff challenge to the community of Bank Directors. After the lukewarm response to its previous guidelines including the E Banking Security Guidelines (GGWG Recommendations) of 2011 from Banks, RBI has now tried to tighten its screws on the Bank boards and therefore repeatedly sought the direct responsibility of the Board of Directors in Banks for ensuring implementation of the recommendations under CSF-2016.

The countdown has already started. By September 30, 2016, RBI wants several aspects of its recommendations to be in place; barely 51 days remain to this deadline, and probably not more than two board meetings are left to review the implementation. The challenge is stiff, but we need to make a start and start running. The spirit is to make an honest attempt.. after all, we are in the season of the Olympics and participation is the key.. Making an honest attempt to win is necessary… but actually winning is incidental..

Let’s briefly review the challenge that our Bank Directors have on their hands now. I wish that Directors in banks, and more appropriately the “Independent Directors”, would take note of the following in their own interest.

The first deadline given by RBI was July 31, 2016, by which the Board should have approved a “Gap Analysis” and signed off on a report sent to the DBOD. Probably most Banks have completed the formality. Those who have sent off the report may now review whether it was complete, and those who have not need to review how quickly they can recover the lost ground.

Banks already have some infrastructure to handle Information Security, and there will be a sub-committee of senior executives already assigned to the task of managing Information Security in the Bank as per the GGWG guidelines. There is also a CISO in most Banks. The CISO should therefore present (or should have already presented) to the Board his assessment of the Gap and a recommended action plan.

If not, summon another Board meeting immediately and ask the CISO to make a presentation. Even if a note has already been presented, it is recommended that the CISO be asked to present his views on the Gap report already sent to RBI and the modifications that may be required.

The “Gap Report” is to document the current status of implementation of the “Cyber Security Program” vis-à-vis the recommendations contained in the Cyber Security Framework-2016 elucidated in the RBI circular of June 2, 2016.

Obviously, in order to prepare this Gap Report, or to approve it as a member of the Board of Directors, there is a need to understand the CSF-2016 document and absorb its implications. This itself requires a deep understanding of the nuances of Cyber Risk Management, without which the Directors can easily be misled into believing that “All is Well” and ignore the urgent action to be undertaken.

The first questions to be raised are:

  • It is a requirement of the CSF-2016 that the Board of Directors be adequately trained on Cyber Security issues. Has the CISO organized such an awareness program for the Directors? If not.. when is it scheduled?
  • In order not to waste further time, the agenda for the next Board meeting should include a presentation by the CISO of not only the action plan under CSF-2016 but also general training on the implications of CSF-2016.
  • Since the CISO is the implementing party, it is better if such a training program is organized by an external consultant who understands the issues in managing Information Security in the Banking environment, and it should precede the presentation of the CISO so that the right questions can be raised to the CISO.
  • Since it is embarrassing for the Board to call for training for itself, it is better to call this an “Interaction with an expert” or a “Round Table” in which the implications of CSF-2016 can be discussed by the members of the Board along with the CISO and his team.

Some of the challenges that the Directors need to meet during this initial interaction are:

a) The Gap report should have identified the Cyber Threats that confront the Banking environment, considering the business and product profile of the Bank. The CISO should have developed a “Threat Register” to identify and list the threats.

b) The Gap report should have identified the Cyber Vulnerabilities of the system, including the technical, regulatory and manpower-related deficiencies in the system.

c) Based on the threats and vulnerabilities, the CISO should have developed a “Risk Register” listing the individual Cyber Risks that confront the Bank.

d) The “Risk Identification” should not be restricted to technical matters only; it should also address legal issues such as compliance with the Information Technology Act 2000 as amended in 2008 and later (ITA 2000/8), and take into account the human factors that can result in exploitation at both the employee level and the customer level.

e) The Risk Identification also has to assign a measure of risk criticality, which can be either a subjective evaluation of “Low Risk”, “Medium Risk”, “High Risk” etc. or, where possible, a value assigned in an objective manner.

f) The CISO should also indicate and recommend the “Risk Management Policy”, consisting of how much of the risk can be avoided, how much can be transferred by insurance, how much can be mitigated by various measures and how much has to be absorbed by the organisation.

g) The CISO should also present a brief overview of a “Risk Mitigation Plan” and suggest what the “Risk Appetite” of the organization should be. It would however be the decision of the Board to determine the “Risk Appetite” of the organization, which reflects the extent of risk that it can absorb in the interest of business, since ultimately commercial activity is always a risk-return trade-off.

h) The CISO may also be asked to present his specific recommendations on the status of implementation of the 24 Baseline Controls indicated in Annexure 1 of the CSF-2016, as well as how to approach the SOC set-up indicated in Annexure 2 and the Incident Reporting structure indicated in Annexure 3 of the CSF-2016.
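To show what a Risk Register with a criticality measure and a risk-appetite check looks like in practice, here is an added example (not a tool from the RBI framework or from any bank). Each entry pairs a threat-register item with the vulnerability it exploits, rates likelihood and impact on a constructed 1..5 scale, records the treatment chosen under the risk-management policy (avoid, transfer, mitigate or absorb) together with the CISO's estimate of how much that treatment reduces the score, and the review then sorts the residual risk against the appetite figure the Board has set. The scale, the rating bands, the four sample risks and the appetite value are all constructed assumptions.

```python
"""Risk register with likelihood x impact scoring and a risk-appetite check.

Added illustration, not a tool from the RBI framework or any bank. The
1..5 scale, the rating bands, the four sample risks, their scores and the
board's appetite figure are all constructed values; a real register is
filled from the CISO's threat register and vulnerability assessment.
"""
from dataclasses import dataclass

# Qualitative scale -> number (constructed 1..5 scale).
SCALE = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}
# Treatment options named in the risk-management policy.
TREATMENTS = ("avoid", "transfer", "mitigate", "absorb")
# Upper bound of each rating band on the 1..25 product scale (constructed).
BANDS = ((5, "Low Risk"), (12, "Medium Risk"), (25, "High Risk"))


@dataclass
class Risk:
    ident: str
    threat: str             # entry from the threat register
    vulnerability: str      # technical, regulatory or manpower deficiency it exploits
    likelihood: str         # key of SCALE
    impact: str             # key of SCALE
    treatment: str = "absorb"
    control: str = ""       # measure behind the treatment, if any
    reduction: float = 0.0  # CISO's estimate of how much the treatment cuts the score (0..1)


def validate(risk: Risk) -> None:
    """Reject entries the board could not act on."""
    if risk.likelihood not in SCALE or risk.impact not in SCALE:
        raise ValueError(f"{risk.ident}: likelihood/impact must be one of {list(SCALE)}")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.ident}: unknown treatment {risk.treatment!r}")
    if not 0.0 <= risk.reduction <= 1.0:
        raise ValueError(f"{risk.ident}: reduction must lie between 0 and 1")
    if risk.treatment == "absorb" and risk.reduction:
        raise ValueError(f"{risk.ident}: an absorbed risk carries no reduction")


def inherent_score(risk: Risk) -> int:
    return SCALE[risk.likelihood] * SCALE[risk.impact]


def residual_score(risk: Risk) -> float:
    """Score left after the chosen treatment; avoiding an activity leaves none."""
    if risk.treatment == "avoid":
        return 0.0
    return inherent_score(risk) * (1.0 - risk.reduction)


def rating(score: float) -> str:
    for upper, label in BANDS:
        if score <= upper:
            return label
    return BANDS[-1][1]


def review_register(risks, appetite: float):
    """One row per risk, highest residual first, flagging what exceeds the board's appetite."""
    rows = []
    for r in risks:
        validate(r)
        res = residual_score(r)
        rows.append({"id": r.ident, "inherent": inherent_score(r), "residual": res,
                     "rating": rating(res), "treatment": r.treatment,
                     "within_appetite": res <= appetite})
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


def exceeding_appetite(rows):
    """Risks the board must either accept explicitly or send back for further treatment."""
    return [row["id"] for row in rows if not row["within_appetite"]]


# Constructed sample register (not any bank's actual risks).
SAMPLE_RISKS = [
    Risk("R1", "SMS/WhatsApp phishing of customers", "low customer awareness",
         "high", "medium", "mitigate", "transaction alerts and awareness campaign", 0.5),
    Risk("R2", "tampering of payment messages", "shared operator workstation",
         "low", "very high", "mitigate", "dedicated, isolated operator terminals", 0.6),
    Risk("R3", "non-compliance with ITA 2000/8", "no periodic legal review",
         "medium", "high", "mitigate", "annual compliance audit", 0.75),
    Risk("R4", "misuse of privileged access by insiders", "no access recertification",
         "medium", "high", "transfer", "cyber insurance cover", 0.25),
]
BOARD_APPETITE = 6.0  # constructed: maximum residual score the board will absorb

if __name__ == "__main__":
    rows = review_register(SAMPLE_RISKS, BOARD_APPETITE)
    for row in rows:
        flag = "" if row["within_appetite"] else "  <-- exceeds appetite"
        print(f"{row['id']}: inherent {row['inherent']:>2}, residual {row['residual']:>4.1f}, "
              f"{row['rating']:<11} via {row['treatment']}{flag}")
    print("Needs board decision:", exceeding_appetite(rows))
```

The point of the residual column is that the Board decides on what is left after treatment, not on the raw threat: in the sample, the insider-access risk is the only one the insurance cover does not bring within the appetite figure, so it is the one item the Board must either accept explicitly or send back for a stronger control.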

The “Gap Report” is only a starting point and may be imperfect. But what is required is to set in motion a corrective plan so that by September 30, 2016, when a comprehensive “Cyber Security Policy”, along with an operating “Security Operations Center” and a “Cyber Crisis Management Plan”, is to be presented to the RBI with the recommendations of the Board, the Directors are fully aware of the responsibilities they are undertaking in submitting the plan.

This is also the time for the Board to review whether its current information security management infrastructure is adequate or needs to be augmented. Finding the right people in the domain is not easy, and even if a decision is taken today, quality people cannot be in place until well after the September 30 deadline has elapsed. Hence the first set of actions has to be initiated by the existing team, summoning whatever assistance it can gather from within and from available external consultancy resources.

There is no doubt that your CISO will say that setting up an SOC is a long-term project and that even a proper risk assessment will take time. But RBI has taken this into account and advised that Banks cooperate amongst themselves through the CISO forum coordinated by IDRBT to share knowledge and achieve the goals faster than they would otherwise.

This however requires shedding of individual egos of Banks and their CISOs and working in a spirit of cooperation and benefit to the Banking community on the whole.

The Board has a responsibility to provide support to their CISOs to explore such cooperation in a spirit of give and take so that professional CISOs are not constrained by the fears of breaking the norms of secrecy that often shrouds the operation of the information security departments.

… With these introductory words, I urge the Directors of the Banks to accept the challenge placed before them by RBI to strive towards achieving the Cyber Security Goal however difficult it appears to be.

Naavi

 

Posted in Bank, ITA 2008, RBI

At Last, the Finance Ministry seems to have recognized Cyber Threats in Banks

It has been pointed out ad nauseam on this forum that Cyber threats in Banks loom large enough to be considered a “National Security Issue”. However, commercial considerations in Banks have pushed technology solutions ahead of security considerations in most Banks, and new services dependent on insecure technology have been embraced with enthusiasm by the system. Customers are being lured by the fancy of “Convenience” to adopt technologies that they do not understand, and open themselves to the threat of Cyber Crimes.

While our repeated cries in the name of Customer Fraud Protection through Cyber Insurance have still not caught the attention of the Government, what seems to have moved them now is direct attacks on the Banks, such as the one Union Bank faced in the SWIFT system. It appears that the “Intelligence Officials” have nudged the ministry to initiate the latest set of measures.

Recognizing the risks in a compromise of the Banking system, the Finance Ministry has sent out a warning to state-owned Banks to strengthen their Information Technology Systems. Coming close on the heels of RBI’s notification of the Cyber Security Framework-2016, there appears to be some positive action from the regulatory system to harden security in e-Banking.

In the past there have been such short bursts of enthusiasm which have later fizzled out due to commercial considerations.

Last Saturday, the undersigned addressed a group of Bankers in Chennai and spoke on “Role of Banks in Cyber Security”. During the interaction, the immediate measures that the Bankers need to initiate to meet the September 30 deadline for implementing the Cyber Security Framework were briefly discussed.

Following the deliberations in the workshop, Naavi is intending to launch a “CSF-2016 Compliance initiative” directed at creating better awareness among Bankers of the implications of the new RBI guidelines. Watch out for more information on the developments in the coming days.

In the latest monetary policy speech, the Governor of RBI has hinted at some more immediate regulatory notes on the FinTech industry. In particular, there could be some measures to regulate P2P lending and aggregation services in Financial Services.

However, these new regulations are likely to be more about regulating the business of these FinTech companies than about addressing the information security issues arising out of these services.

We need to wait and watch the shape of these new regulations before passing any specific comment on them. But our earlier warning to FinTech companies remains intact.

Naavi

Posted in Cyber Law

Privacy Rights..Let’s preserve for the next generation.

“Privacy” is a concept most dear to human rights activists and is considered an important pillar of democracy. Constitutions of all democratic countries swear by Privacy Rights for their citizens. However, it is well known that no Government in the world really intends to provide “Privacy Rights” that infringe on the Security of the State, and hence all Privacy legislation provides for “Reasonable Exceptions”.

If there is a direct conflict between providing “Privacy” for Citizens and “National Security”, there is no option but to choose National Security.

The problem, however, is that while the “Surrender of Privacy Rights” in the name of National Security is normally accepted by all right-thinking Citizens, there is a fear that the information so surrendered may be used by the State for purposes other than the one for which it was collected. The misuse may be for political reasons or for the self-interest of officials who are given powers to deal with the information in the interest of national security.

Similarly, when commercial organizations seek information in violation of general privacy norms in return for providing some service, most Citizens are willing to forgo their rights if they see value in return. Hence if Google Maps provides directions for driving, we obviously do not mind sharing our location. We also may not mind Google Maps suggesting, through some advertisements, services such as hotels on the highway as part of its service, since it could be of some use.

Again, the problem arises when the commercial entities do not provide adequate value in return for the private information handed over by the individual, or use it in contexts different from the purpose for which it was shared, or simply are not transparent about their intentions.

With new developments such as Smart Cities, Smart Grid, IoT, Big Data etc., mining data from multiple sources has become an accepted practice. E-Governance in India has placed large quantities of both Personal and Sensitive Personal Data in narrow funnels such as the Aadhaar system, the DigiLocker system, the UPI or the upcoming GST. Citizens do not have the confidence that these agencies will be able to protect the integrity of the system, and sooner or later (if not already) the data shared by millions of Indians with these authorities in good faith and in confidence will be available in the public domain.

Hence the fight for “Privacy” may already be a lost cause at least for the current generation. We therefore need to learn to live without privacy.

However, the next generation, which has not yet shared its personal information with Aadhaar and other agencies, may still have an opportunity to keep its future activities away from the risk of privacy breach, if we can develop a suitable system that provides a middle-of-the-road solution between Privacy and National Security.

The solution for “Privacy in harmony with National Interest” is therefore to find a method by which an individual can interact with the world without disclosing his identity beyond what is necessary either for the transaction or for the national interest.

The quest for such a solution is the challenge for all of us who need to leave a legacy of “Privacy Protection” to our posterity, though we ourselves may not consider it feasible at this point in time.

“Anonymization” of transactions could be a solution, but it needs to be protected in the interest of “Security”. Hence the solution lies in building a “Regulated Anonymity System”, which is also a system of “Filtered Identity Management”.

The time for such a solution seems to have arrived now, with Aadhaar, DigiLocker and UPI becoming a part of every individual’s life in India, and all of these depending on the Mobile identity of an individual, which has therefore become a universal ID for all of us. Unfortunately, the KYC system under which the mobile ID is issued, as well as the security risks in its compromise, place all our other IDs in danger of being subsumed by the insecurity associated with the Mobile ID.

I hope technologists will start working towards finding a solution to this problem..

Naavi

Posted in Cyber Law

Digital Signature Landscape in India expands

The Digital Signature system based on Public Key Infrastructure was defined as the sole electronic authentication method under the Information Technology Act 2000, notified on 17th October 2000. However, as on the date of notification of the Act, there was no infrastructure in place for the issue of Digital Certificates in India. As a result, the community had to wait until the first Certifying Authority license was issued on 5th February 2002 to Safescrypt, a subsidiary of Sify.com. Subsequently, licenses were issued to IDRBT, NIC, TCS, (n)Code, e-Mudhra, MTNL and the Department of Central Excise. In the last few years, MTNL, the Department of Central Excise and TCS exited the business (the TCS license expires in 2017), leaving Safescrypt, (n)Code and e-Mudhra as Certifying Authorities (CAs) for the public, NIC for the Government and IDRBT for Bankers.

In the last one year, two new licensees have been added to the list of CAs. The first was CDAC-Pune, which was licensed on 29th June 2015, and more recently “Capricorn Certifying Authority” in Delhi was licensed on 16th May 2016.

Of these two, the CDAC CA is set up to cater to the needs of issuing Digital Certificates for eSign services, which were notified as an additional method of authentication under Section 3A of ITA 2008 vide G.S.R. 61(E) dated 28th June 2015, under which e-authentication guidelines were issued by the CCA on 24th June 2015. The notification of 28th June 2015 was however modified on 30th June 2015 vide G.S.R. 539(E).

The eSign facility was first used on a beta basis in the DigiLocker service of the Government of India. Now it is learnt that a private company in Bangalore has launched a web based service using the e-Sign facility offered by CDAC.

The Capricorn Certifying Authority was launched in Delhi recently and is offering its services to the public. It therefore becomes the fourth CA, besides Safescrypt, (n)Code and e-Mudhra, to offer such services to the public.

In the list of licensed CAs available on the CCA website, there is a mention of the Indian Air Force as a licensed Certifying Authority, but no details have been provided. Assuming that this is not an error, it may be presumed that the Indian Air Force has obtained a license, probably for its internal use, so that secure communication can take place between Air Force personnel, which may include defense personnel, the equipment used in air defense systems etc. To keep such information secure, the full details might not have been provided on the website.

This development, where the IAF has set up its own Certifying Authority with legal validity in India but for captive use, is a good security policy that could be adopted by the Army and Navy.

While trying out the CDAC system of eSign, it was not clear whether the system had been implemented properly, and we hope that in the coming days the system will be fine-tuned.

Naavi

 

Posted in Cyber Law

The Five Commandments on Cyber Security For Banks… R. Gandhi, Executive Director

After Mr K C Chakrabarthy, the former Executive Director of RBI, it appears that the mantle of Cyber Security has passed on to Mr R. Gandhi, Deputy Governor, who appears to be pushing the Commercial Bankers for better Cyber Security.

Speaking recently at a Conference on “Protection of Critical Infrastructure” in Mumbai, Mr Gandhi pointed out five important focus areas for bankers, which he termed the “Five Commandments” and which, if followed by Bankers, should bring about a lot of improvement in the state of “Secure Banking” in India, particularly in the light of new licenses being issued in the industry.

In a hard-hitting speech (see the full speech here), Mr Gandhi made several wise observations and empathized with the customers by recognizing that

“…while the Banks may have better resilience in terms of risk mitigation structures, and ability to absorb the losses and expenses, the customers may not be so privileged. A relatively small value fraud of a few thousands of rupees may endanger the purchase of basic needs and most customers may be ill-equipped to effectively handle the security features provided with the service”

This is an excellent observation coming from a person who has risen to his present position from a small town in Tamil Nadu, namely Tirunelveli. (Incidentally, Tirunelveli is the town from which the fighter Mr S. Umashankar emerged to challenge ICICI Bank in a Phishing Fraud, which became history when the TN adjudicator held the Bank liable for Phishing… though the continued apathy since 2011 of successive Central Governments and CJIs has kept the fight incomplete).

In highlighting the defense strategies, he has rightly recognized the liabilities and responsibilities of the financial intermediaries by stating that..

“…ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of security solutions and providers of the end-point device which is used for accessing the financial service including the ATMs which may or may not be bank-owned/managed devices”.

Highlighting the need for Cyber Security Preparedness, he also indicated his five commandments for safety in Banking, namely:

  1. Thou shall know your customer
  2. Thou shall know your employee
  3. Thou shall keep your IT Systems up-to-date and free of all risky components
  4. Thou shall provide for maximum IT Governance
  5. Thou shall ensure continued Cyber Security Awareness 

Mr Gandhi went on to list some of the recent initiatives that RBI has introduced in this regard and referred to the June 2, 2016 guidelines on the Cyber Security Framework for Banks. Among other things, he pointed out the importance of Cyber Incident Information sharing and expressed confidence that Banks will respond adequately to the initiatives suggested by RBI.

As a long-time critic of E-Banking safety in India, I appreciate the tone and the content of this speech, which indicates that RBI is really serious about Cyber Security this time.

However, in the past the IBA as an industry body has always put commercial interests before security requirements and ignored the dictates of RBI, and RBI’s initiatives have all fallen by the wayside. So we need to watch further developments before celebrating the new Cyber Security thrust.

I would however urge Mr Gandhi to continue his push with the following additional initiatives.

  1. Make Cyber Insurance mandatory for all new Banking licensees as a part of the approval criteria.
  2. Enforce the existing mandate on Cyber Insurance contained in the June 2001 Internet Banking guidelines on present Internet Banking licensees.
  3. Direct Banks not to harass cyber crime victims with prolonged legal battles across multiple Courts, and enforce compulsory compromises at a maximum liability of 10% of the loss to the customer.
  4. Punish the Bank’s own negligence in KYC that facilitates frauds by fining them heavily, and create a fund for providing a “Cyber Security Fraud Guarantee” to the customers.
  5. Ensure that the aggregation of risks under the proposed UPI scheme and the use of Aadhaar-based DigiLocker schemes is adequately dealt with to avoid adverse impact on Indian Banking systems.
  6. Ensure that the Consumer Voice is heard in RBI policy making by providing representation to Cyber Security Activists in RBI’s policy-recommending working groups.
  7. Improve the Banking Ombudsman scheme to ensure quick settlement of disputes involving the Bank’s negligence even when frauds are the root cause.
  8. In the light of the proper functioning of the Adjudication System, RBI should explore setting up an external multi-member online Adjudication/Mediation/Arbitration body for quick, low-cost resolution of all Bank disputes, as a replacement for or in addition to the Ombudsman scheme.
  9. Ensure implementation of its guidelines under the Cyber Security Framework and the earlier April 2011 E-Banking security guidelines without fail, and penalize the Bank Boards if they fail to do so.

Looking forward to a more secure E Banking era.

Naavi

 

Posted in Cyber Law

“Amazon 97% discount Fraud”.. Police in Kanyakumari..please arrest Mr Anil Kumar

There is a WhatsApp message in circulation that states

“Breaking News, Amazon Selling Samsung J7 Mobile Phone at Just 499 Rs because of Golden Anniversary. Buy It Now Before Sale Ends. Cash On Delivery Also Available. Visit just now http://amazon.mobile-flashsale.com/”

This appears to be an attempt to steal contact information, and probably a fraud to steal Rs 499/- from some victims.

Presently Chrome/Google has flagged the site as a “Suspected Phishing Site”, and the site is also blocked by anti-virus software.

However, it is interesting for the general public to take note of this kind of fraud, where the fraudster is riding on a genuine mega sale being promoted by Amazon in which discounts of up to 50% are being offered on certain items. This fraudulent message, however, says that the discount is 97%! and that it is on a popular mobile product. It is possible for many to fall prey to such frauds.

What people should observe is that the host name starts with “Amazon”, but that is only a sub-domain; the registered domain is mobile-flashsale.com. If people can recognize this difference, most would be able to identify the fraud.
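To make that sub-domain distinction mechanical, here is an added example (not code from the post) that splits a host name into its sub-domain and registered domain and flags a watch-listed brand name that appears only in the sub-domain, in a look-alike registered name, or in the URL path rather than as the registered domain itself. The brand watch-list and the short public-suffix table are constructed assumptions (a real deployment would consult the Public Suffix List); the sample inputs are constructed, apart from the address quoted in the message above.

```python
"""Flag URLs where a well-known brand name appears only in the sub-domain,
in a look-alike registered name, or in the path, rather than as the
registered domain itself.

Added illustration, not code from the post. The brand watch-list, the
short public-suffix table and the sample URLs are constructed; the one
real address is the phishing URL quoted in the post.
"""
from urllib.parse import urlsplit

# Constructed watch-list of brands the check should recognise.
BRANDS = ("amazon", "flipkart", "paytm")

# Small stand-in for the Public Suffix List: suffixes under which the
# registrable name is the THIRD label from the right (e.g. amazon.co.in).
TWO_LABEL_SUFFIXES = ("co.in", "net.in", "org.in", "co.uk", "com.au")


def registrable_domain(host: str) -> str:
    """Return the part of the host name that a registrar actually sold."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def split_host(host: str):
    """Return (sub_domain, registrable_domain); sub_domain is '' when there is none."""
    reg = registrable_domain(host)
    host = host.lower().rstrip(".")
    sub = host[: -len(reg)].rstrip(".") if host != reg else ""
    return sub, reg


def analyse(url: str) -> dict:
    """Classify one URL. 'reason' stays empty when nothing looks wrong."""
    if "://" not in url:
        url = "http://" + url          # bare hosts as they appear in chat messages
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    sub, reg = split_host(host)
    reg_label = reg.split(".")[0]      # 'amazon' in amazon.in, 'mobile-flashsale' in the scam
    result = {"host": host, "sub_domain": sub, "registered_domain": reg, "reason": ""}
    for brand in BRANDS:
        if reg_label == brand:
            return result              # the brand owns the registered domain: no finding
        if any(brand in label for label in sub.split(".")):
            result["reason"] = (f"'{brand}' appears only in the sub-domain; "
                                f"the registered domain is {reg}")
            return result
        if brand in reg_label:
            result["reason"] = f"look-alike registered name {reg} embeds '{brand}'"
            return result
        if brand in parts.path.lower():
            result["reason"] = f"'{brand}' appears only in the path under {reg}"
            return result
    return result


def is_brand_impersonation(url: str) -> bool:
    return bool(analyse(url)["reason"])


# Constructed sample inputs; the first one is the address quoted in the post.
SAMPLE_URLS = [
    "http://amazon.mobile-flashsale.com/",
    "https://www.amazon.in/deals",
    "https://amazon.co.in/",
    "http://www.amazon-goldensale.com",
    "http://example.com/amazon/login",
    "https://www.flipkart.com/",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = analyse(u)
        verdict = "SUSPICIOUS" if r["reason"] else "ok"
        print(f"{verdict:<10} {u:<40} sub={r['sub_domain']!r:<10} "
              f"registered={r['registered_domain']} {r['reason']}")
```

The check deliberately errs on the side of flagging: a brand string inside any sub-domain label, or glued into the registered name with a hyphen, is reported, because that is exactly the pattern the quoted message relies on. What the check cannot do is vouch for a domain; a host that passes is merely not impersonating a watch-listed brand, so it belongs in front of a blocklist or URL-reputation lookup, not in place of one.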

Now that the website has been blocked by Google itself, the fraud through this domain name may be over. But it may come back under another name. It is therefore necessary to take some steps to prevent such frauds from recurring.

I therefore request the law enforcement agencies to take note of this and try to identify the perpetrator of the fraud and book him for the offences both under ITA 2000/8 and IPC.

The domain name mobile-flashsale.com has been registered through GoDaddy, which is the intermediary facilitating the fraud and liable under Section 79 of ITA 2000/8. The website is hosted at Cloudflare.com.

The registrant noted by GoDaddy is

Mr Anil Kumar, Kanyakumari, with a registered mobile number 9886554323 and an email address rv984950@gmail.com.

The sending of the WhatsApp message and the creation of a fraudulent website can be considered impersonation/attempted impersonation for the commission of, or attempt to commit, “Cheating”, and hence punishable under both ITA 2008 and the IPC.

I therefore call upon the Police in Kanyakumari to identify this Anil Kumar and prosecute him. It is possible that the e-mail address or the mobile number may be untraceable, since wrong details might have been provided by the registrant.

In that case the Police needs to book cases against

a) GoDaddy.com

b) Cloudflare.com

c) Google.com

d) The Mobile Service Provider with whom the number 9886554323 is operating (Vodafone Karnataka). It is possible that this number might have been ported from Vodafone Karnataka to some TN service provider, in which case Vodafone should identify the new service provider that is handling the current billing for this fraudster.

These intermediaries are guilty of “Negligence” and of “Assisting” in the commission of the fraud. They are liable under Section 79 of ITA 2000/8 for the lack of due diligence that facilitated the fraud.

If any member of the public has suffered a loss on account of this crime, they should file a Police Complaint naming these intermediaries as accused, and also approach the Adjudicator of their respective State (the IT Secretary of the State) to file a complaint under Section 46 of ITA 2008 for recovery of their losses.

The Adjudicator of Tamil Nadu can also start a suo motu enquiry and direct the Police in Kanyakumari to conduct an investigation and report back to him. Once the person has been enquired into, the Adjudicator can impose a penalty of a reasonable amount and appropriate it into a fund from which any complainant can be redressed.

This incident should be made into a test case of how the State should respond to such Cyber Frauds. Probably the State administrators will be too busy for such public service, and I therefore request public-interest advocates to take up the issue and draw the attention of the appropriate judicial authorities to prosecuting the fraudster/attempted fraudster alias Anil Kumar.

Naavi

[P.S: If there are any innocent persons by name Anil Kumar particularly in Kanyakumari, kindly excuse me for using the name in this post. I welcome all such people to inform me so that a disclaimer can be put up on this platform stating “I am not that Anil Kumar”.]

 

Posted in Cyber Law