Digital Signature Landscape in India expands

The Digital Signature system based on Public Key Infrastructure was defined as the sole electronic authentication method under the Information Technology Act 2000, notified on 17th October 2000. However, as on the date of the notification of the Act, there was no infrastructure present for the issue of Digital Certificates in India. As a result, the community had to wait until the first Certifying Authority license was issued on 5th February 2002 to Safescrypt, which was a subsidiary of Sify.com. Subsequently licenses were issued to IDRBT, NIC, TCS, (n)Code, e-Mudhra, MTNL, and the Department of Central Excise. In the last few years, MTNL, the Department of Central Excise and TCS exited from the business (the TCS license expires in 2017), leaving Safescrypt, (n)Code and e-Mudhra as Certifying Authorities (CAs) for the public, NIC for the Government and IDRBT for Bankers.

In the last one year, two new licensees have been added to the list of CAs. The first was CDAC-Pune, which was licensed on 29th June 2015, and more recently “Capricorn Certifying Authority” in Delhi was licensed on 16th May 2016.

Of these two, the CDAC CA is set up to cater to the needs of issuing Digital Certificates for eSign Services, which was notified as an additional method of authentication under Section 3A of ITA 2008 vide G.S.R. 61(E) dated 28th June 2015, under which e-authentication guidelines were issued by CCA on 24th June 2015. The notification of 28th June 2015 was however modified on 30th June 2015 vide G.S.R. 539(E).

The eSign facility was first used on a beta basis in the DigiLocker service of the Government of India. Now it is learnt that a private company in Bangalore has launched a web based service using the e-Sign facility offered by CDAC.

The Capricorn Certifying Authority is launched in Delhi recently and is offering its services to the public. It therefore becomes the fourth CA besides Safescrypt, (n) Code and e-Mudhra to offer such services to public.

In the list of licensed CAs available on the CCA website, there is a mention of the Indian Air Force as a licensed Certifying Authority, but no details have been provided. Assuming that this is not an error, it may be presumed that the Indian Air Force has obtained a license, probably for its internal use, so that secure communication can take place between Air Force employees, which may include the defense personnel, the equipment used in air defense systems, etc. In order to keep further information about it secure, the full details might not have been provided on the website.

This development where IAF has set up its own Certifying Authority with legal validity in India but for captive use is a good security policy which could be adopted by the Army and Navy.

While trying out the CDAC system of e-Sign, it was not clear if the system has been implemented properly and we hope in the coming days, the system would be fine tuned.

Naavi



The Five Commandments on Cyber Security For Banks… R.Gandhi, Executive Director

 After Mr K C Chakrabarthy, the former Executive Director of RBI, it appears that the mantle of Cyber Security has passed on to Mr R. Gandhi, Deputy Governor, who appears to be pushing the Commercial Bankers for better Cyber Security.

Speaking recently at a Conference on “Protection of Critical Infrastructure” in Mumbai, Mr Gandhi pointed out five important focus areas for bankers, which he has termed the “Five Commandments” and which should, if followed by Bankers, bring about a lot of improvement to the state of “Secure Banking” in India, particularly in the light of new licenses being issued in the industry.

In a hard-hitting speech (See the full speech here), Mr Gandhi has punched several wise observations and empathized with the customers by recognizing that

“…while the Banks may have better resilience in terms of risk mitigation structures, and ability to absorb the losses and expenses, the customers may not be so privileged. A relatively small value fraud of a few thousands of rupees may endanger the purchase of basic needs and most customers may be ill-equipped to effectively handle the security features provided with the service”

This is an excellent observation coming from a person who has risen to his present position from a small town in Tamil Nadu, namely Tirunelveli. (Incidentally, Tirunelveli is the town from which the fighter Mr S. Umashankar emerged to challenge ICICI Bank in a Phishing Fraud which became history when the TN adjudicator held the Bank liable for Phishing… though the continued apathy since 2011 of successive Central Governments and CJIs has kept the fight incomplete).

In highlighting the defense strategies, he has rightly recognized the liabilities and responsibilities of the financial intermediaries by stating that..

“…ecosystem for financial transaction not only includes banks and their customers, but also network service providers, IT infrastructure providers, providers of security solutions and providers of the end-point device which is used for accessing the financial service including the ATMs which may or may not be bank-owned/managed devices”.

Highlighting the need for Cyber Security Preparedness, he has also indicated his five commandments for safety in Banking namely

  1. Thou shall know your customer
  2. Thou shall know your employee
  3. Thou shall keep your IT Systems up-to-date and free of all risky components
  4. Thou shall provide for maximum IT Governance
  5. Thou shall ensure continued Cyber Security Awareness 

Mr Gandhi went on to list some of the recent initiatives that RBI has introduced in this regard and referred to the June 2, 2016 guidelines on the Cyber Security framework for Banks. Among other things he pointed out the importance of Cyber Incident Information sharing and expressed confidence that Banks will respond adequately to the initiatives suggested by RBI.

As a long time critic of E-Banking safety in India, I appreciate the tone and the content of this speech, which indicates that RBI is really serious about Cyber Security this time.

However, in the past the IBA as an industry body has always put commercial interests before security requirements and ignored the dictats of RBI, and RBI’s initiatives have all fallen by the wayside. So, we need to watch further developments before celebrating the new Cyber Security thrust.

I would however urge Mr Gandhi to continue his push with the following additional initiatives.

  1. Make Cyber Insurance mandatory for all new Banking licensees as a part of the approval criteria.
  2. Enforce the existing mandate on Cyber Insurance contained in the June 2001 Internet Banking guidelines on present Internet Banking licensees.
  3. Direct Banks not to harass the cyber crime victims by prolonged legal battles across multiple Courts and enforce compulsory compromises at a maximum liability of 10% of the loss to the customer.
  4. Punish Banks’ own negligence in KYC facilitating the frauds by fining them heavily and create a fund for providing a “Cyber Security Fraud Guarantee” to the customers.
  5. Ensure that the aggregation of risks under the proposed UPI scheme and the use of Aadhaar based DigiLocker schemes is adequately dealt with to avoid adverse impact on Indian Banking systems.
  6. Ensure that Consumer Voice is heard in RBI policy making by providing representation to Cyber Security Activists in RBI’s policy recommending working groups.
  7. Improve the Banking Ombudsman scheme to ensure quick settlement of disputes involving Bank’s negligence even when frauds are the root cause.
  8. In the light of the proper functioning of the Adjudication System, RBI should explore setting up of an external multi member online Adjudication/Mediation/Arbitration body for quick, low-cost resolution of all Bank disputes as a replacement or in addition to the Ombudsman scheme.
  9. Ensure implementation of its guidelines under Cyber Security Framework and the earlier April 2011 E Banking security guidelines without fail and penalize the Bank Boards if they fail to do so.

Looking forward to a more secure E Banking era.

Naavi



“Amazon 97% discount Fraud”.. Police in Kanyakumari..please arrest Mr Anil Kumar

There is a WhatsApp message in circulation that states

“Breaking News, Amazon Selling Samsung J7 Mobile Phone at Just 499 Rs because of Golden Anniversary. Buy It Now Before Sale Ends. Cash On Delivery Also Available. Visit just now http://amazon.mobile-flashsale.com/”

This appears to be an attempt to steal contact information and probably a fraud to steal Rs 499/- from some of the recipients.

Presently Chrome/Google has flagged the site as a “Suspected Phishing Site” and the site is also blocked by anti virus software.

However, it is important for the general public to take note of this kind of fraud, where the fraudster is riding on a genuine mega sale being promoted by Amazon in which discounts up to 50% are being offered on certain items. This fraudulent message however says that the discount is 97%, and on a popular mobile product. It is possible for many to fall prey to such frauds.

What people should observe is that the domain name starts with “Amazon” but “amazon” here is only a sub-domain label; the actual registered domain is mobile-flashsale.com, which has nothing to do with Amazon. If people can recognize this difference, most would be able to identify the fraud.
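The sub-domain check described above, written out as a small classifier (an added example, not part of the original post). It assumes a hypothetical allow-list of brands and their genuine registered domains (`TRUSTED`) and uses a tiny stand-in for the Public Suffix List; the first sample URL is the link from the message quoted above, the others are constructed for comparison.

```python
# Added example (not from the original post): flag URLs in which a trusted
# brand name appears only as a sub-domain label of an unrelated registered
# domain, the pattern seen in "amazon.mobile-flashsale.com" above.
from urllib.parse import urlsplit

# Hypothetical allow-list: brand -> registered domains the brand really uses.
# Constructed for this example; a real deployment would maintain its own list.
TRUSTED = {
    "amazon": {"amazon.com", "amazon.in"},
}

# Minimal stand-in for the Public Suffix List: suffixes under which the
# registered domain is three labels long (e.g. example.co.in).
MULTI_LABEL_SUFFIXES = {"co.in", "net.in", "org.in", "co.uk", "com.au"}


def registrable_domain(host: str) -> str:
    """Return the registered (eTLD+1) part of a hostname, e.g.
    'amazon.mobile-flashsale.com' -> 'mobile-flashsale.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return host.lower()
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Classify a URL as 'trusted', 'lookalike' or 'unrelated'.

    'lookalike' means a brand name from TRUSTED occurs in a sub-domain label
    (or inside the registered domain's own label) while the registered domain
    is not one of that brand's genuine domains."""
    if "://" not in url:
        url = "http://" + url
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    # Everything to the left of the registered domain, split into labels.
    sub_labels = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    for brand, genuine in TRUSTED.items():
        if reg in genuine:
            return {"host": host, "registrable": reg, "brand": brand, "verdict": "trusted"}
        brand_in_sub = any(brand in label for label in sub_labels)
        brand_in_reg = brand in reg.split(".")[0]
        if brand_in_sub or brand_in_reg:
            return {"host": host, "registrable": reg, "brand": brand, "verdict": "lookalike"}
    return {"host": host, "registrable": reg, "brand": None, "verdict": "unrelated"}


# Sample input: the link from the WhatsApp message quoted above, plus two
# constructed comparison URLs.
SAMPLES = [
    "http://amazon.mobile-flashsale.com/",
    "https://www.amazon.in/deals",
    "https://example.org/",
]

if __name__ == "__main__":
    for u in SAMPLES:
        r = assess_url(u)
        print(f"{r['verdict']:10} {r['host']:32} registered={r['registrable']}")
```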

Now that the website has been blocked by Google itself, the fraud through this domain name may be over. But it may come back in another name again. It is therefore necessary to take some steps to prevent such frauds recurring.

I therefore request the law enforcement agencies to take note of this and try to identify the perpetrator of the fraud and book him for the offences both under ITA 2000/8 and IPC.

The domain name mobile-flashsale.com has been registered by GoDaddy who is the intermediary facilitating the fraud and liable under Section 79 of ITA 2000/8. The website is hosted at cloudfare.com

The registrant noted by GoDaddy is

Mr Anil Kumar, Kanakumari, with a registered mobile number 9886554323 and an email address rv984950@gmail.com.

The sending of the Whats App message, and creating a fraudulent website can be considered as an impersonation/attempted impersonation for commission of/attempt to commit “Cheating” and hence punishable under both ITA2008 and IPC.

I therefore call upon the Police in Kanyakumari to identify this Anil Kumar and prosecute him. It is possible that the e-mail address or the mobile number may be untraceable since wrong addresses might have been provided by the registrant.

In that case the Police needs to book cases against

a) GoDaddy.com

b) Cloudfare.com

c) Google.com

d) The Mobile Service Provider with whom the number 9886554323 is operating (Vodafone Karnataka). It is possible that this number might have been ported from Vodafone Karnataka to some TN service provider, in which case Vodafone should provide the name of the new service provider who is handling the current billing for this fraudster.

These intermediaries are guilty of “Negligence” and “Assisting” in the commission of the fraud. They are liable under Section 79 of ITA 2000/8 for lack of due diligence facilitating the fraud.

If any member of the public has suffered loss on account of this crime, they should file a Police Complaint naming these intermediaries as accused and also approach the Adjudicators of their respective states (IT Secretary of the State) to file a complaint under Section 46 of ITA 2008 for recovery of their losses.

Adjudicator of Tamil Nadu can also start a Suo Moto enquiry and direct Police in Kanyakumari to conduct an investigation and report back to him. Once the person is enquired into, the Adjudicator can impose a penalty for a reasonable amount and appropriate it into a fund from which any complainant can be redressed.

This incident should be made into a test case of how the State should respond to such Cyber Frauds. Probably the State administrators will be too busy for such public service and I therefore request public interested advocates to take up the issue and draw the attention of appropriate judicial authorities to take up the issue for prosecuting the fraudster/attempted fraudster alias Anil Kumar.

Naavi

[P.S: If there are any innocent persons by name Anil Kumar particularly in Kanyakumari, kindly excuse me for using the name in this post. I welcome all such people to inform me so that a disclaimer can be put up on this platform stating “I am not that Anil Kumar”.]



YingMob may be prosecuted for Cyber Terrorism.. Will Mr Rajnath Singh take action?

The security world is warning Indian Android mobile users that the malware HummingBad has been spreading fast across the globe and poses a threat to Indian mobile users as well.

This malware is reported to have infected over 1.4 billion Android devices worldwide and generates ad revenue of over $300,000 for its Chinese owner “Yingmob”, a Chinese mobile ad server company which had already been linked to the development of malware targeting Apple iOS devices.

Once on a device, HummingBad is capable of exploiting a full range of paid services, including displaying mobile ads, creating fraudulent clicks from users’ devices, and installing additional fraudulent apps. According to Check Point, the apps display more than 20 million advertisements per day, and Yingmob achieves over 2.5 million ad clicks per day, which translates into significant revenues. Yingmob’s average revenue per click (RPC) is $0.00125, making the accumulated daily revenue from clicks over $3,000. Added to revenues from fraudulent app downloads, which exceed $7,500 daily, Yingmob makes over $10,000 per day, more than $300,000 a month.

Under the Indian laws, such “Unauthorized introduction of a code is considered a computer contaminant and is an offence under Section 66 of ITA 2000/8”. In case any of the intruded mobiles is the property of the Government of India, the intrusion can be considered an offence under Section 66F, which is treated as “Cyber Terrorism” and under which “Life Imprisonment” is possible. Also, in view of Section 75 of ITA 2000/8, Indian Courts have jurisdiction to try this offence and pronounce a verdict.

In order to discourage legitimate commercial companies getting into cyber crime as business, it is necessary that such activities are nipped in the bud. I therefore urge the Indian Government to lodge a formal complaint with evidence obtained from Check Point and prosecute YingMob for Section 66F offence in India and then take up the issue at International Levels.

This trend of mobile malware that tries to root into the system may also be commercially beneficial to the mobile companies since users tend to get fed up with the slowing down of their devices and often decide to buy a new mobile rather than put up with a persistent malware induced performance attrition. Probably the Chinese mobile Industry is not so unhappy therefore that there are companies like YingMob in their midst.

Besides, the growth of mobile ransomware poses an unimaginable threat to India’s Digital India program, and if proper defensive action is not taken to prevent YingMob type companies from using their resources to commit international crimes, the Indian economy is in danger of being swamped by a Cyber war attack launched through the same mobiles through which HummingBad may be operating today as a relatively less harmful, performance reducing malware. Left unchecked it can become a monster in the days to come.

It is time India takes a lead in checking such malpractice and show to the world that such deceit does not pay.

Naavi


RBI cautions Banks on Cyber Security

The RBI Deputy Governor Mr R Gandhi has confirmed that the recent cyber attack that was reported in Mumbai was on Union Bank of India but no loss might have been reported. Mr Gandhi also reminded the Banks about the new Cyber Security Framework that RBI wanted Banks to implement.

Under this framework, Banks needed to confirm that a gap analysis had been completed and taken note of by the Board before July 31, 2016. Since the deadline passed yesterday (given the weekend holidays), it would be interesting to know whether at least one Bank has reported compliance with this requirement to RBI. Since his statement is silent on this aspect, it can be presumed that no Bank has so far completed the gap analysis, got the approval of its Board and reported it to RBI, though one or two might have completed the gap analysis at the departmental level and kept it ready for presentation to the Board whenever it meets next.

Now we need to watch what the follow up action of RBI will be for non compliance with this first level default.

Naavi


A New Business Proposition for Digital India unveiled.. StartUps may jump from their seats

In a slightly surprising but welcome development, the Government of India has released a notification under Section 67C of ITA 2008, viz G.S.R. 711 (E) dated 21st July 2016, titled “Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules 2016”, which may not perfectly fit under Section 67C but is otherwise related to the setting up of a new regulatory authority called the Digital Locker Authority and defines a new set of businesses in the Digital India project.

Apparently, the purpose of this notification is to define the rules under which public documents shall be preserved and protected when lodged with the Digilocker authorities and the notification is issued under Section 67C of Information Technology Act 2000/8. It sets a new trend of “Data Retention” defined specific to a domain of activity.

Sec 67C was perhaps meant to define “how long” and in “what form” intermediaries may retain information, with the “manner” of retention being incidental. However, this notification actually goes on to define the “Manner” in which a certain type of intermediary shall retain information, without much emphasis on the format and the period for which the information has to be retained. Also, the “Information” referred to in Section 67C of the Act is being used to identify the “Documents” that a subscriber would like to lodge in the safe custody of an agency as a “Uniquely Identifiable Document” with a “URI” (Unique Resource Identifier). No specific structure for the URI, like the standard structure for a URL, has been defined as part of the “manner of retention of information” under Sec 67C.

It therefore appears that Section 67C has been used as an excuse to define some new business proposition which has its own implications for Digital India. It has redefined Sec 67C itself and altered its scope.

Maybe we can call this an innovative and creative interpretation of the law, but the possibility of unintended consequences that may follow from a loosely regulated service needs to be watched.

New Opportunities Unleashed

In effect, through this notification, the Government seems to have defined a new business proposition for the private sector to develop services to set up and manage a “Portal”, “Access Gateways” and “Repositories” to store electronic documents deposited by the public and verifiable and retrievable by authorised entities.

The service as conceived is bigger than UIDAI and without a separate Act like the UIDAI Act, it enables a new system by which electronic documents are authenticated, preserved and verified.

Obviously there will be Privacy and Security issues as well to contend with.

Further, since the Main DigiLocker authority would be the Government, the notification provides an admission that its own department may now be considered as an “Intermediary” if it also provides its own digilocker services in addition to private sector players. Such department will therefore be subject to Sec 79 obligations.

To ensure protection of the department as well as to avoid conflicts, it may be necessary for DeitY to refrain from directly providing the digi locker service as they are doing now and to make the DLA the regulator, like the Controller of Certifying Authorities, which restricts itself to regulatory issues and does not provide a service of its own. These should have been part of the notification, such as the “Appointment of a Digital Locker Authority”, but unfortunately they have not been released as of now. We need to wait for this to be issued as a supplementary notification in due course.

The “Digilocker Credentials” which may ultimately be just the log in ID and Password will henceforth become a pointer to the other documents such as Aadhaar, PAN etc held within the Digital Locker and its security would be a key obligation of the service provider since it becomes a proxy to the subscriber’s identity.

Just as the Unified Payment Interface (UPI) is becoming a Universal identification for all financial instruments owned by an individual, this Digi Locker Account may become the universal identity document for an individual.

The Digi Locker service provider would be having a “Digital Locker Practice Statement” similar to the one used by a Certifying Authority for Digital Signature and would be bound by it.

The practice statement would be a self declaration and only verified by an audit by an independent auditor. Since the Digital Locker Service Provider has to be gazette notified, the practice statement may be subject to an approval process.

The service provider would obviously be open to obligations under Section 43A for reasonable security practice and compliance of all aspects of ITA 2000/8.

At present the qualifications of an Auditor are not defined, and I hope they would be determined on an “Ability to Audit” basis and not on a “Qualification Certificate Issued by Preferred Entities” basis.

In summary, it appears that the Government through this notification has opened up a new business opportunity which carries as much responsibility as a Licensed Certifying Authority in the case of Digital Signature issuance and the Unique Identification Authority of India (UIDAI), without an elaborate legislation. It could be an innovative approach, but hopefully its validity will not be questioned in the Courts.

The Start Up community may welcome this move as it opens up new opportunities where they can integrate several of their services.

We need to watch out how this notification gets absorbed by the community and harnessed for business.

Naavi

(These are preliminary views and more would follow)
