Virtual Address of UPI scheme: a Pandora’s box

One of the features of the Unified Payment Interface (UPI) is that the participating bank issues a “Virtual Address” to the customer. This address stands in for the account number: remitters send payment to the virtual address rather than to the account.

The arrangement is closely analogous to the domain name system, where a human-readable name replaced the IP address. To reach this site you therefore type naavi.org rather than the static IP address of the server and a folder path. That system also gave rise to the problem of “similar” or “confusingly similar” domain names and conflicting claims: a naavi.org can be in conflict with a naavi.cn or a naavi.co.uk, and so on. These conflicts in turn raise issues of trademark and fraudulent impersonation.

NPCI is now proposing naavi@icicibank, naavi@axisbank, naavi@sbi and so on, with a definite possibility not only of trademark disputes but also of genuine wrong credits and fraudulent charges. If naavi@axisbank initiates a payment pull for a Flipkart purchase, all that is needed for a fraudulent charge to land on naavi@sbi is an OTP response, which a malicious app on the handset can engineer.
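As an added illustration of the lookalike problem described above (this is example code written for this page, not code from NPCI or from the original post), the following script checks a list of virtual addresses for three kinds of confusable pairs: the same local part on different bank handles, local parts that become identical once common character substitutions are folded, and local parts one edit apart. The handles, the sample names, the address syntax and the substitution table are assumptions constructed for the example; NPCI's real VPA grammar and registry are not modelled.

```python
import re
import unicodedata
from itertools import combinations

# Constructed sample registry; the handles and local parts are assumptions
# made for this illustration, not real NPCI data.
SAMPLE_VPAS = [
    "naavi@icicibank",
    "naavi@axisbank",
    "naavi@sbi",
    "naavi.org@icicibank",
    "naavl@icicibank",   # 'l' where the original has 'i'
    "na0vi@sbi",         # '0' where the original has 'a'
    "ramesh@axisbank",
]

# Loose syntax assumed for the example: local part, '@', bank handle.
VPA_RE = re.compile(r"^(?P<local>[A-Za-z0-9._-]{1,64})@(?P<handle>[A-Za-z0-9]{1,32})$")

# Single-character substitutions commonly used to build a confusable name.
CONFUSABLE = {"0": "o", "1": "i", "l": "i", "|": "i", "5": "s", "3": "e", "8": "b", "$": "s"}


def is_valid_vpa(vpa: str) -> bool:
    return VPA_RE.match(vpa) is not None


def parse_vpa(vpa: str):
    """Split into (local part, lower-cased handle); reject anything off-grammar."""
    m = VPA_RE.match(vpa)
    if not m:
        raise ValueError(f"malformed virtual address: {vpa!r}")
    return m.group("local"), m.group("handle").lower()


def skeleton(local: str) -> str:
    """Fold case, Unicode compatibility forms, separators and confusable glyphs."""
    s = unicodedata.normalize("NFKC", local).lower()
    s = re.sub(r"[._-]", "", s)
    return "".join(CONFUSABLE.get(ch, ch) for ch in s)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_pair(a: str, b: str):
    """Why a and b could be confused, or None if they are distinct enough."""
    la, ha = parse_vpa(a)
    lb, hb = parse_vpa(b)
    if la.lower() == lb.lower() and ha != hb:
        return "same-name-different-handle"
    sa, sb = skeleton(la), skeleton(lb)
    if sa == sb:
        return "confusable-spelling"
    if levenshtein(sa, sb) == 1:
        return "one-edit-apart"
    return None


def find_collisions(vpas):
    """Every confusable pair in a registry, as (a, b, reason) tuples."""
    return [(a, b, r) for a, b in combinations(vpas, 2) if (r := classify_pair(a, b))]


if __name__ == "__main__":
    for a, b, reason in find_collisions(SAMPLE_VPAS):
        print(f"{a:22} {b:22} {reason}")
```

The same-name check is the one the post is about: nothing in the syntax stops naavi@axisbank and naavi@sbi coexisting, so a payee name alone never identifies an account. The skeleton and edit-distance checks are the usual domain-name lookalike defences carried over to the local part; a real registry would run them at registration time and against a list of protected names, not just pairwise.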

We are therefore on the brink of a new kind of “Bank Name Dispute” and lookalike registration, and lookalikes.com needs to start working on this new business opportunity.

For the common man, this would be a new headache to contend with.

Has NPCI thought of this “Identity Risk” and the legal issues arising out of it?

Who cares? Mr Raghuram Rajan has given his clearance and that is enough to hoist the system on the unsuspecting public.

Naavi

Posted in Cyber Law | Leave a comment

The Unification of Fraud possibilities through UPI

The Unified Payment Interface (UPI), launched by RBI on 12th April 2016 on a platform managed by the National Payment Corporation of India (NPCI), poses a huge challenge to the security of public money held in Banks.

As we go forward, an individual's Banking IDs and Mobile Wallet IDs will be integrated into a single “Virtual Address” with which a person can push or pull payments to and from others. At the back end NPCI will maintain a repository, similar to the Aadhar repository, in which the mapping of a customer's different Bank accounts is maintained.

Conceptually the idea appears attractive and efficient; technology enthusiasts can boast of a breakthrough in “Mobile as a Universal Payment Management Device” and Tax authorities can gloat over a “Cashless Society”.

However, the risks of committing the national payment system to an immature technology such as the mobile platform, where a large number of devices are supplied from China, a country known for planting a “Manchurian Chip” into credit card swiping equipment and for “planting people” into companies in India, are too large from the National Security perspective.

It is unfortunate that the risks of any compromise of security are borne by the Citizens of India, and that neither NPCI nor the Banks can be trusted to protect the consumer.

The various cases being fought in the country between Phishing victims and the Banks are a standing example of how common people lose money every day while the Banks, supported by RBI and IBA, flex their legal muscle to browbeat customers into bearing the loss.

The Government of India is also compromised under the influence of the Banking lobbies, and the result is that the Cyber Appellate Tribunal has not had a Chairperson since 2011, and consumer-oriented Adjudicators such as Rajesh Agarwal of Mumbai and PWC Davidar of Chennai were shunted out of their positions. Adjudicators in Karnataka went a step further in twisting the law to support the Banks against victims of fraud, even taking on the legal department of the State and the Human Rights Commission. Some High Courts, such as Karnataka's, were also unable to provide justice, blinded for whatever reason to the games played by Banks to avoid their liabilities.

Our honourable Prime Minister has also repeatedly ignored the call for mandatory introduction of “Cyber Insurance” to protect insecure mobile payments and technology innovations in Banking. Poor Rahul Gandhi can only understand the plight of “Farmers”, who form a vote bank, and not the plight of victims of Bank frauds, and hence there is no pressure on the Government to ask Banks why they do not have Cyber Insurance in place to protect consumer interest, which was in fact made mandatory through RBI's Internet Banking guidelines of June 2011.

CERT IN, which should be concerned, and the CCA, which is the custodian of the digital identity of Indians, are part of the Ministry of Information Technology and do not have independent thinking. They support the technology initiatives without trying to fulfil their statutory obligations.

Overall the future of financial security in India appears to be grim.

It is common knowledge that when we travel, we do not keep all our cash in one pocket because of the threat of the pickpocket. But NPCI thinks that keeping all our financial IDs under one “Virtual Address” is a great idea. The idea may be good, but the risks are being ignored.

When a mobile is used as a universal financial ID, we must factor in the possibility of the mobile being stolen, or at least compromised through malicious Apps. Has NPCI considered the possibility of a mobile being hijacked by a fraudster? If it is, the bank balances of a person across multiple Banks and the limits on his Credit cards are all exposed to theft. It has become common practice for Apps to be designed with the ability to read SMS, so the so-called OTP sent to a mobile can be answered automatically. How can this be called 2-factor authentication without an affirmative consent to the OTP from the mobile owner? While the law in India wants digital signatures, why is the Government supporting OTP as a universal technology, even to obtain a digital certificate under the e-Sign system? All this defies logic. To top it all, we are now opening the financial vault of an individual to the execution of USSD codes. I consider this an unacceptable risk. But as a bank customer, the service and its insecure banking have been forced on me.

The only logic that explains all these stupid acts of technologists and bureaucrats is that the global fraud industry is slowly taking over the Indian economy for commercial gain.

What is more alarming is that one day this will explode as a “Cyber War” or a “Cyber Terror Attack”, much before the Pak nukes fall into the hands of Al Qaeda.

I hope the deaf bureaucrats in the Government, who may actually be more patriotic than me but are ignorant of the risks, listen to these shouts and protect the National Security interests before being blown over by presentations from technologists.

The only way out of this for the individual is to de-register the mobile from the bank account, get back to cash transactions, and use the good old mobile handset which is not smart but meets my communication requirements… Yes, for the sake of securing ourselves from the insecurity spreading around us, we need to take a few steps back in technology use, since we need to survive before we can enjoy life.

Naavi


Biggest data breach in Indian Banking?

If you are an ICICI Bank customer, beware that your Bank account information is open to anybody who is in possession of your mobile. This is a breach of privacy under the age-old Banking laws, besides being a violation of Section 72A and Section 43A of ITA 2000/8, under which the CEO of the Bank can be imprisoned for 3 years and compensation claimed for the loss.

This is because, if anybody takes your mobile (if it is the registered mobile associated with the account), types *99# on the dial pad and presses call, the USSD code executes and asks for the first four letters of the IFSC code. When you enter ICIC, you are given direct access to the bank account with options to

1) View Balance

2) See mini statement

3) Send Money using MMID

4) Send Money using IFSC

5) Generate MPIN

For viewing the balance and the mini statement there is no password requirement; on entering 1 or 2 the relevant information is displayed on the mobile.
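As an added simulation (example code written for this page, not code from NPCI, ICICI Bank or the original post), the following Python models the *99# menu above as a small USSD state machine in two configurations: the weak one the post describes, where possession of the registered handset is enough to read the balance and mini statement, and a hardened one where every account-data operation requires the MPIN and three wrong MPINs lock the account. The account, MPIN and MMIDs are constructed; the example assumes transfers require an MPIN in both configurations, which the page does not state either way, and it does not model MPIN generation.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Added simulation of the *99# flow. Account data, MPINs and MMIDs are
# constructed for the example; nothing here is NPCI's or a bank's code.

def hash_mpin(mpin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", mpin.encode(), salt, 50_000)

@dataclass
class Account:
    msisdn: str            # registered mobile: the only identity *99# sees
    ifsc_prefix: str       # first four letters of the IFSC, e.g. ICIC
    balance: int           # rupees, integral for simplicity
    statement: list = field(default_factory=list)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    mpin_hash: bytes = b""
    failed: int = 0
    locked: bool = False

    def set_mpin(self, mpin: str) -> None:
        self.mpin_hash = hash_mpin(mpin, self.salt)

    def check_mpin(self, mpin: str) -> bool:
        """Constant-time compare; three wrong attempts lock the account."""
        if self.locked:
            return False
        if hmac.compare_digest(self.mpin_hash, hash_mpin(mpin, self.salt)):
            self.failed = 0
            return True
        self.failed += 1
        self.locked = self.failed >= 3
        return False

MENU = "1 Balance 2 Mini statement 3 Send via MMID 4 Send via IFSC 5 Generate MPIN"

class UssdSession:
    """One *99# dialogue. mpin_for_reads=False reproduces the weakness on the page."""
    def __init__(self, accounts: dict, msisdn: str, mpin_for_reads: bool):
        self.accounts, self.msisdn, self.mpin_for_reads = accounts, msisdn, mpin_for_reads
        self.state, self.acct, self.choice = "START", None, None

    def send(self, text: str) -> str:
        """One keypad entry in; 'CON ...' expects more input, 'END ...' closes."""
        if self.state == "START":
            if text != "*99#":
                return "END Invalid code"
            self.state = "BANK"
            return "CON Enter first 4 letters of IFSC"
        if self.state == "BANK":
            self.acct = self.accounts.get((text.upper(), self.msisdn))
            if self.acct is None:
                self.state = "START"
                return "END No account registered to this mobile"
            self.state = "MENU"
            return "CON " + MENU
        if self.state == "MENU":
            if text not in {"1", "2", "3", "4", "5"}:
                return "CON " + MENU
            self.choice = text
            if text in {"3", "4"} or (text in {"1", "2"} and self.mpin_for_reads):
                self.state = "MPIN"
                return "CON Enter MPIN"
            return self._serve()   # weak path: account data with no knowledge factor
        if self.state == "MPIN":
            if not self.acct.check_mpin(text):
                self.state = "START"
                return "END Account locked" if self.acct.locked else "END Wrong MPIN"
            return self._serve()
        mmid, amount = text.split(",")   # state SEND expects "MMID,amount"
        amount, self.state = int(amount), "START"
        if amount > self.acct.balance:
            return "END Insufficient funds"
        self.acct.balance -= amount
        self.acct.statement.append(f"DR {amount} to MMID {mmid}")
        return f"END Sent {amount} to MMID {mmid}"

    def _serve(self) -> str:
        c, self.state = self.choice, "START"
        if c == "1":
            return f"END Balance: {self.acct.balance}"
        if c == "2":
            return "END " + "; ".join(self.acct.statement[-3:])
        if c in {"3", "4"}:
            self.state = "SEND"
            return "CON Enter MMID,amount"
        return "END MPIN generation needs an out-of-band factor (not modelled)"

def run(mpin_for_reads: bool, *dialogues) -> dict:
    """Drive one or more fresh sessions against a constructed account; return the last reply."""
    acct = Account("9800000001", "ICIC", 12500, ["CR 5000 salary", "DR 400 UPI"])
    acct.set_mpin("4321")
    table, reply = {(acct.ifsc_prefix, acct.msisdn): acct}, ""
    for steps in dialogues:
        s = UssdSession(table, acct.msisdn, mpin_for_reads)
        for step in steps:
            reply = s.send(step)
            if reply.startswith("END"):
                break
    return {"reply": reply, "balance": acct.balance, "locked": acct.locked}
```

With `mpin_for_reads=False`, the dialogue `*99#`, `ICIC`, `1` ends with the balance and the attacker's MPIN guess is never even consumed, which is exactly the possession-only authentication the post complains about. With `mpin_for_reads=True` the same three keypresses produce `CON Enter MPIN`, and three wrong guesses across fresh sessions end in `END Account locked`; the lockout matters because a four-digit MPIN without it survives only a few thousand attempts.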

It is unfortunate that this security flaw exists not only in ICICI Bank but in a few other Banks as well. Readers can check their mobiles and keep me informed about other Banks.

I hereby give notice to ICICI Bank, RBI and CERT IN that the above flaw puts the “Sensitive Personal Information” of ICICI Bank customers at risk of breach of privacy, with the consequential further risk of monetary loss.

The incident should be an eye-opener to Indian Bankers, led by RBI and IBA, who have embraced mobile technology without understanding the risks associated with it. This is negligence at the level of the highest banking authorities in India and exposes systemic inadequacies.

The incident is a potential “Data Breach” and, according to Section 79 read with Section 43A, should be reported by the Banks to CERT IN. Will CERT IN respond, and will they take action?

I hope the Finance Minister and the PM take note.

Whether politicians take note or not, whether the Bankers take note or not, I request the public to take note and initiate corrective action. I hope somebody files a PIL in a Court and demands answers from the Banks.

Naavi

 


Unified Payment Interface introduced… New Threats unleashed…

RBI has introduced the Unified Payment Interface, which is expected to change the way current payment systems, especially mobile wallets, work… hopefully for the better.

NPCI (National Payment Corporation of India) has released the details of the architecture under which the system would function.

UPI is expected to make it easy to transfer money to and from a bank account merely on the basis of a virtual address. It is claimed that one need not disclose the bank account number to receive a payment and can instead use a “Virtual Address” provided by the same Bank.

It is not clear in what way this makes security better. Using the virtual address, e-commerce companies may be able to send a request for payment, which in other words means they “can dig into the Bank account”.

The system is completely dependent on the mobile network and uses ownership of the mobile as the sole identity. It appears that the system poses grave danger to users who use their mobiles for banking.

If somebody types *99# on a mobile, it spits out the Bank balance. Money can also be instantly transferred to a known MMID. This means that if a mobile device is stolen, or handed to another person for a while, it can be used to transfer money from the owner's Bank account.

NPCI has given some use cases to explain how useful the system is for a labourer to transfer money to his wife, etc. It appears that NPCI is naive to believe that the system will be used only for genuine transactions. In fact, many less-educated labourers can easily be cheated out of their savings by this dangerous system.

I am now trying to disable *99# access to my bank balance. Alternatively, I need to de-register my mobile from ICICI Bank and forego the option of mobile banking.

(I observed that *99# did not work on my HDFC and Corporation Bank accounts but worked on my ICICI Bank account.)

Presently different Banks use different e-wallets, and the marketing claim is that UPI makes it easy to integrate all e-wallets. But it appears that it also enables money to be siphoned off by fraudsters from all e-wallets.

I request RBI to put the system on hold before further damage is done.

Naavi


True Caller is abetting Cyber Frauds in India… Is it only a compromise? Or is it Recklessness?

True Caller is a reasonably popular mobile App which many mobile users in India have downloaded and installed. When the user receives a call from another True Caller user whose name is not in the receiver's contact list, the receiver still sees the name of the person who is calling. This is meant to help the receiver identify an unknown caller from outside his contact list.

When a user installs the App, he gives it permission to access his contact list, which goes into a global database from which the service is delivered. In this process, the name attached to the owner of a mobile number is the name assigned to him by the member who shared the information.

There is no doubt that when this service was conceptualized by a techie and became a successful venture, everybody would have hailed it as innovative. In fact it may have some positive uses too.

However, Cyber Criminals unfortunately try to exploit every service in Cyber Space to their advantage and find various ways of using any useful and trusted service to commit frauds.

When a fraud is committed with the use of a service, the service provider becomes vicariously liable to third parties as an “Abettor” of the crime. To avoid such liabilities, the service provider adopts a “Privacy Policy” and “Terms of Use” to absolve himself of liability through disclosures and consents.

Recently, it was brought to the notice of Naavi.org that a user in Bangalore received a call from one of the fraudulent entities operating as “Representatives of a Bank”, calling to threaten that the “Bank account is being deactivated… unless…”.

(Such frauds in the case of SBI Credit Cards are the most prevalent, and soon the fraud will become synonymous with the name of SBI. Just as we recognize advance fee frauds as the “Nigerian Fraud”, soon we will recognize Phishing frauds as “SBI Frauds”. I hope Ms Arundati Bhattacharya takes note of the PR implications of such association of a fraud with SBI's name.)

The receiver checked the number in the True Caller database and found it listed as “SBI”. To any ordinary person this is reasonable confirmation to believe what the caller says and act on his instructions, leading to a classical phishing fraud. It is easy to get the name of SBI, or any other Bank, associated with a caller's telephone number: one or more of the fraud's associates simply save the number as a contact under the Bank's name and install True Caller.
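The poisoning technique described above (a handful of accounts saving a fraudster's number under a bank's name) can be detected on the service side. The following Python is an added illustration written for this page, not True Caller's code, of a crowd-sourced caller-ID store that withholds a bank-brand label unless the number appears in a directory the brand has attested, and that flags a label whose only supporters are a small cluster of thin, recently created accounts. The contributions, the brand list, the verified directory and the thresholds are all constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added illustration of crowd-sourced caller-ID poisoning and one way to
# detect it. Contributions, brand list and thresholds are constructed.

@dataclass(frozen=True)
class Contribution:
    contributor: str   # uploading account
    created_day: int   # day the uploading account was created
    number: str        # number as saved in that account's contact list
    name: str          # label the account gave the number

PROTECTED_BRANDS = ("sbi", "state bank", "icici", "axis bank", "hdfc")
VERIFIED_DIRECTORY = {"+911800112211": "sbi"}   # constructed: numbers the brand attested

SAMPLE = [
    # four thin accounts created on consecutive days all label one number "SBI"
    Contribution("acct-9001", 400, "+919000000001", "SBI"),
    Contribution("acct-9002", 401, "+919000000001", "SBI"),
    Contribution("acct-9003", 401, "+919000000001", "Sbi"),
    Contribution("acct-9004", 402, "+919000000001", "SBI "),
    # genuine helpline: long-standing, unrelated contributors, verified number
    Contribution("acct-0012", 10, "+911800112211", "SBI Card Helpline"),
    Contribution("acct-0345", 95, "+911800112211", "SBI card helpline"),
    Contribution("acct-1208", 230, "+911800112211", "SBI Credit Card"),
    # ordinary number, no brand involved
    Contribution("acct-0012", 10, "+919000000002", "Ramesh Plumber"),
    Contribution("acct-2290", 300, "+919000000002", "Ramesh plumber"),
    # the same thin accounts relabel another number as a bank
    Contribution("acct-9001", 400, "+919000000003", "Axis Bank"),
    Contribution("acct-9002", 401, "+919000000003", "Axis Bank"),
]

def normalize(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so votes aggregate."""
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", name.lower()).split())

def brand_for(name: str):
    """Protected brand a label evokes, or None."""
    n = normalize(name)
    return next((b for b in PROTECTED_BRANDS if b in n), None)

def assess(contribs, verified=VERIFIED_DIRECTORY, cluster_window=7, thin_limit=2):
    """Decide, per number, what label to show and why it might be suppressed."""
    by_number = defaultdict(list)
    numbers_of = defaultdict(set)       # numbers each account has uploaded
    for c in contribs:
        by_number[c.number].append(c)
        numbers_of[c.contributor].add(c.number)
    verdicts = {}
    for number, items in by_number.items():
        votes = Counter(normalize(c.name) for c in items)
        display, count = votes.most_common(1)[0]
        flags = []
        brand = brand_for(display)
        if brand and verified.get(number) != brand:
            flags.append("brand-name-unverified")
        backers = [c for c in items if normalize(c.name) == display]
        days = [c.created_day for c in backers]
        thin = all(len(numbers_of[c.contributor]) <= thin_limit for c in backers)
        if len(backers) >= 2 and max(days) - min(days) <= cluster_window and thin:
            flags.append("collusion-cluster")
        verdicts[number] = {"display": display, "votes": count, "flags": flags,
                            "show_name": not flags}
    return verdicts
```

The first check is the decisive one for the post's scenario: a label that evokes a protected brand is never shown on the strength of crowd votes alone, only when the number is in the brand's attested directory. The collusion check is a heuristic; in a real store the thresholds for "thin" and "recently created" would come from the contributor population, and the outcome would be a withheld label or a warning, not a ban.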

When such a fraud occurs, the responsibilities of True Caller as a service provider offering “Caller ID” as a service come into question. In Indian law, ITA 2000/8 provides guidelines under Section 79 for intermediaries to maintain “Due Diligence”, which also includes “Reasonable Security Practice” under Section 43A for sensitive personal information and additional responsibilities under Section 72A.

If this is an unintended compromise of the service, the service provider can defend itself by initiating corrective action. If it neglects to do so, a Court can interpret that as intentional recklessness deserving the invocation of the law.

SBI is well within the jurisdiction of India and hence has to recognize this potential liability arising out of the operations of these call centres misusing its name. If no action is initiated by it, that would not only be a reason for holding it liable for the crime, but also for not providing adequate provisions in the balance sheet and thereby misrepresenting the financial position of the bank to its shareholders, constituting a Corporate Governance failure.

The Corporate Governance auditors of SBI are hereby given notice of the potential financial risk going unreported in the balance sheet. I hope they will ask the right questions before they sign off on the audit.

True Caller declares itself subject to the jurisdiction of the Courts in Stockholm, Sweden.

ITA 2000/8, however, overrides that jurisdictional limitation under Section 75, bringing crimes committed outside India, and by persons who are not citizens of India, within the jurisdiction of ITA 2000/8.

Though True Caller presents its Privacy Policy and Terms of Use with several disclaimers, these can be considered inadequate if the service is known to be used for committing frauds and the service provider has not taken sufficient steps to prevent it.

I therefore urge the Police to initiate action against True Caller and demand to know whether it has adequate measures

a) to prevent a User, or a set of users, from deliberately registering an impersonated name against a number and committing frauds;

b) by which the Company comes to know of any misuse of its service and initiates appropriate, immediate counter action.

This article in public space is to be considered reasonable notice to True Caller, to the Police in India and to SBI that the True Caller service is being used as a tool of crime in the name of State Bank of India, and that the Police are aware of this “Abetment of a Cognizable Offence”.

If no action is taken by any of these parties, future victims can invoke “Negligence” on the part of SBI and True Caller and make them liable under Section 79 read with Section 85 of ITA 2000/8 and other sections of ITA 2000/8.

I suppose efficient and dutiful police officers such as Dr Triveni Singh of Noida will issue notice to both SBI and True Caller to show cause why action should not be initiated against them for abetting these Phishing frauds.

For those who receive such calls, I recommend that they immediately post their own disclaimers using the service of Cyber-notice.com and an Identity Theft notice under ceac.in. This is to offset the possibility that a fraudster makes such a call and then, in association with an employee of the bank, hacks the Bank account even though the receiver has not revealed any information.

It must be appreciated that in such cases, where a hacking is committed after a phishing call, the evidence will stack against the victim: he cannot deny having received a phishing call, but has to convince a Judicial authority that he did not reveal his identity parameters, which the Bank will assertively claim he did.

Naavi


Bug Bounty Policy as part of Corporate Governance Responsibilities

Software is a unique industry where, from Operating Systems to applications, programs are released for public use without any real commitment from the software developers as to whether the program is free from vulnerabilities.

In fact, vulnerabilities give rise to more opportunities in the industry and are silently adored. The Indian software boom, which now claims to make the Country an IT superpower, was itself greatly aided and abetted by the Y2K bug. The trend continues to this day: applications keep hitting the market and patches are released as a matter of routine. The EULA is drafted in such a manner that we live in an imaginary lawless jungle where the user is responsible for the mistakes of the software developer.

Imagine an automobile manufacturer who releases a new model with defects that lead to an accident or a potential accident. He is made to withdraw millions of products from the market, replace them at his cost and also be liable for payment of damages. Industries are routinely made to pay for intentional and unintentional environmental damage, unless they are blessed to be a “Union Carbide under an obliging Government” when a mishap occurs. The Software industry, by contrast, admits the need for periodic patches and makes it the responsibility of the user to conduct his own vulnerability and penetration tests, install patches and live with zero-day vulnerabilities.

The recently reported incident in which 5 Engineering students in Kolkata were arrested for criminally exploiting a bug which the software developer left in the program is an immediate reminder to all of us of the responsibilities a software vendor has to take up before commercially releasing a software product that exposes the public to risks, financial or otherwise.

There is no doubt that most software developers do follow ethical principles of Corporate Governance and adopt measures to ensure “Quality” and “Security” during the software development cycle. They may have processes in place, certified by ISO bodies, to mitigate the risk of a “bug” seeping into a product released into the wild. But nothing is perfect in this world, and even these processes fail, sometimes too often for comfort.

When it comes to critical applications that deal with sensitive data, such as financial, health or national security data, there is a world of hackers trying to enrich themselves from the mistakes of honest software developers through targeted attacks. There are virus developers, malware droppers, managers of Command and Control centres for spamming, phishing and other malicious activities, all hunting for opportunities to steal money from you and me as we try to make an honest buck.

Cyber Laws are meant to fight such menace and make it difficult for Cyber Criminals to exploit society. There are therefore laws that impose stringent punishments on Cyber Criminals for the commission of an offence, for an attempt, and for assisting in the commission of an offence. There are, however, misguided persons who are only interested in making profits for themselves irrespective of the harm they cause to society in the long run. Some of them identify an opportunity to make a fast buck out of a software vulnerability and are tempted to use it purely in their self-interest. The five students arrested in Kolkata belong to this category. Had they had a strong ethical background, they would never have tried to exploit the vulnerability, and would instead have either published it in the media or informed the Bank/Company responsible for the software.

This will not be the last time that some of our intelligent youth choose such a deviant path and ruin their own careers, besides the dreams of their parents.

There is therefore a need for society to do whatever is necessary to reduce the possibility of such “Technology Intoxicants” and “Deviant Minds” pursuing the path of crime.

One step, of course, is “Education”. There is a need for mandatory teaching of “Ethics in IT” right from the time school kids are introduced to Computers and Laptops. By the time education reaches “Software development”, teaching the basics of “Cyber Law” should be mandatory, so that techies are aware of the adverse consequences.

I urge the honourable Minister of Human Resources, Mrs Smrithi Irani, to consider these educational innovations without further delay.

From the industry perspective, it is also necessary to make some effort to reduce the incentives for “Hacking” and increase the incentives for “Ethical Software Quality Research”.

To start with, we need to stop recognizing “Hackers” by rewarding them with jobs as part of their rehabilitation. It should be a principle that every organization makes it a policy to discourage hackers from being accommodated as information security professionals, like a thief being appointed as a policeman.

Past hackers should be tagged and rehabilitated through a stringent psychological drill that should include forced community service, which hopefully will transform their mindset over a period of time.

Further, every software company should be made to take responsibility for the public damage its software may create.

Presently, Companies use their financial clout to ensure that victims do not get any justice. The way Cyber Crime victims are treated by Indian Banks is an example of this attitude and has been repeatedly discussed in these columns in the past. This should stop, and Companies should obtain Cyber Insurance to cover their liabilities.

While the law can look at the possibility of treating all software owners as “Intermediaries” under Section 79 of ITA 2008 and making them responsible for “Due Diligence”, the industry can pre-empt the punitive provisions of the law through its own measures to mitigate the risk of “Bug Exploitation”.

(P.S.: It is the considered view of Naavi that, even as the law stands today, ITA 2000/8 requires software owners to be treated as “Intermediaries” and to be financially liable for the defects of the software. Software developers need to be made responsible as Business Associates through an indemnity clause in the software delivery contract.)

Through these columns, therefore, I call upon all software developers to make it a policy to introduce measures not only to make their product testing procedures more robust but also to involve responsible and ethical members of the public by enrolling them as “Watch Dogs” to check on the quality of their software, particularly for the presence of vulnerabilities.

This can effectively be done through a “Bug Bounty” program that gives any person who spots a vulnerability an incentive to bring it immediately to the notice of the responsible persons within the Company. For this purpose the Company should adopt a “Bug Bounty policy” and provide rewards commensurate with the risk mitigated and the effort invested by the bug reporter.

Regulators may consider whether it is necessary to create a public body to ensure that Companies do not sit on reported vulnerabilities, which then become zero-day vulnerabilities and are exploited. The honourable IT Minister, Mr Ravi Shankar Prasad, may do the needful in this regard.

Cyber Insurance companies, who have a stake in the early detection of vulnerabilities, should initiate their own programs to subsidize the Bug Bounty programs of companies.

In the meantime, NASSCOM can also initiate some measures in this regard and develop a “Best Practice guideline” for “Bug Bounty Programs”.

What is essential in such programs is not a huge financial reward but the creation of “Recognition”, followed by other assistance such as educational scholarships or reservation in higher educational institutions such as the IITs and IIMs, overriding the society-dividing reservation policies based on Caste and Religion which our politicians have erroneously adopted. This will be an adjunct to the “Skills Registry” that NASSCOM is supposed to be maintaining.

As a Netizen Rights Activist organization, Naavi.org would like to contribute whatever little it can in this regard through complimentary services. To start with, the Cyber Law Compliance Center (CLCC) has tried to develop a “Model Bug Bounty Policy” which can be adopted, with necessary changes, by any user company.

The CLCC would also be happy to assist the Bug Reporter through a free “CEAC” service in which the report is certified through third-party intervention to prove the good-faith credentials of the reporter. (More information on this will be provided on the website ceac.in.)

Under this service, a Bug Reporter can report the suspected Bug to the relevant company by e-mail, with a copy to Naavi.

Since mitigation of the risk of financial liability arising out of a Company's defective products is part of Corporate Responsibility, the professionals within a company primarily responsible for Corporate Governance, such as Company Secretaries and Chartered Accountants, should take the lead in introducing appropriate Bug Bounty programs and ensuring their adoption within the Company.

I invite comments on the above suggestion.

Naavi

 
