Parliamentary Panel remembers Cyber Appellate Tribunal

The fact that the Cyber Appellate Tribunal (CAT), the appellate authority for all adjudications in the country under Section 46 of ITA 2000/8, has not been functional since June 2011 has been discussed ad nauseam on this site (refer here). It was therefore heartening to note that a Parliamentary Panel made reference to CAT in one of its recent briefings (refer DNA article).

The committee is reported to have made the following observations.

Quote:

The committee also expressed concern on only one Cyber Appellate Tribunal (CAT) being set up in the country till date though the Act provides for setting up Benches in other parts of the country.

“The Committee are surprised to learn that since inception of CAT, only 17 appeals have been disposed of by the former Chairperson and 21 appeals are still pending for hearing in the Tribunal which are scheduled for disposal on appointment of the new Chairperson,” it said.

While expressing their displeasure over the undue delay taking place in disposal of appeal by the CAT, the committee strongly recommended the department to deploy adequate manpower at the earliest.
“Efforts may also be made to set up CAT branches in other parts of the country, if need arises,” it said.

Unquote:

We may recall that it is not only the CAT that has been rendered dysfunctional over the last 4 years; the State level Adjudication systems have also been rendered dysfunctional.

The first adjudicator who recognized his powers and duties under ITA 2000 was Mr PWC Davidar of Tamil Nadu. He went on to deliver the first adjudication decision against a Bank, namely ICICI Bank, in the complaint filed by Mr S. Umashankar, who had lost money to phishing. ICICI Bank promptly appealed to CAT. CAT admitted the appeal on the condition that the Bank deposit Rs 5,50,000/- with the adjudicator against the loss they were decreed to pay. The appeal was heard, and when the judgement was about to be delivered, the then Chairperson attained superannuation. Since then, the case has been awaiting the appointment of the new Chairperson.

Additionally, the TN adjudicator had delivered other judgements and was also hearing certain cases against PNB, which were also appealed against and got stuck in the CAT. In the meantime J Jayalalitha took over as CM and promptly transferred Mr Davidar out of his position as IT Secretary (Adjudicator by designation), and the TN adjudication system went dead.

Subsequently, Maharashtra IT Secretary Mr Rajesh Aggarwal became active and handed down several judgements in which Banks were indicted. He also innovated with E-Adjudication and was threatening to disrupt the system. He was promptly transferred to Delhi, and since then Maharashtra Adjudication has gone dead.

In Bangalore some applications were made to the Adjudicator, one of which was against Axis Bank, which was also the Bank doing E-Governance work for the Karnataka Government. With this conflict, the Adjudicator gave out a bizarre ruling that Section 43 of ITA 2000/8 cannot be invoked by a Company (in the subject case the complainant was a company) and also that no complaint could be entertained against a Company (the respondent Bank was a company), and dismissed the complaints. The argument was that the word “Person” used in Section 43 does not apply to a body corporate. The appeal against this blatantly erroneous decision has also got stuck in the non-functioning CAT.

These developments indicate that Banks who were hurt in some of these judgements brought undue influence on the MCIT and stalled the activation of CAT. The CJI is also a party to this delay in the appointment of the Chairperson to CAT, since the appointment suggested by the Ministry has not been approved by the CJI. The Karnataka High Court, which was moved to correct the impasse, stalled because the decision to appoint a CAT Chairperson was pending at the CJI’s office.

As a result of these developments, the Cyber Judiciary System in India presents a void. At a time when we are talking of “Digital India” and cyber crimes are increasing, the situation is appalling.

The entire system therefore seems to have conspired against the Cyber Crime victims in India seeking a judicial remedy.

During 2010, CAT did sit in Chennai in the case of Umashankar Vs ICICI Bank and created a precedent. There were also advanced discussions for the setting up of a Southern Bench in Bangalore. But unfortunately with the transfer of the then IT Secretary/Adjudicator Mr Ashok Manoli, all these projects were shelved and subsequently the Government of Karnataka and the subsequent Adjudicators have not shown any interest.

The Parliamentary committee deserves commendation for flagging the issue of the non-functional CAT, but it needs to push more strongly for measures to reactivate the CAT. This gives a glimmer of hope to all Cyber Crime victims that the Cyber Judiciary is likely to be active once again in India.

Let’s keep our fingers crossed.

Naavi


Inconsistencies in the CCA guidelines need to be clarified

I recall my earlier article titled “Is it a WhatsApp Moment or Napster Moment for Indian Financial System?”, in which I had pointed out certain doubts about the legality of the new Electronic Signature system notified by the Government of India and the Controller of Certifying Authorities vide the notification dated 28th January 2015, read with the guidelines issued by CCA in June 2015 on the e-Sign process.

(Detailed presentation by CCA on e-sign process)

I have not so far received any response from CCA, and hence I am briefly reiterating some of the points mentioned in that article and request CCA to clarify.

I refer to the “E-authentication guidelines for e-Sign-online Electronic Signature Service”, Version 1.0, issued by CCA on 24th June 2015.

This guideline has been issued in support of the Gazette Notification GSR 61(E) dated 27th January 2015, which the Government made in support of its Digi Locker program and which introduced a new “Electronic Signature” system by an addition to the Second Schedule of ITA 2000/8.

The Second Schedule introduced the system which it called “E-authentication Technique using Aadhaar e-KYC services”.

Details of Aadhaar e-KYC services are at the UIDAI website. Under this scheme, UIDAI acts as an “enabler” by issuing a “digitally signed Govt issued photo ID” in electronic form for KSAs/KUAs supporting paper-less KYC schemes for Aadhaar holders. (A KSA, or KYC Service Agency, means a valid Authentication Service Agency with secure leased-line connectivity to UIDAI’s data center which has been approved and has signed the agreement to access the KYC API through its network. A KUA, or KYC User Agency, means a valid Authentication User Agency, i.e. an organization or entity using Aadhaar authentication as part of its applications to provide services to residents, such as a Bank, which has been approved and has signed the agreement to access the KYC API.)

The e-Authentication Service introduced in the Second Schedule as a valid electronic signature is dependent on the e-KYC service of UIDAI, which itself uses the digital signature.

According to the proposed system as described in GSR 61(E) of 28th January 2015, the application form of a subscriber would be sent by a trusted third party to the Certifying Authority for issue of a digital certificate. In the case of a Digilocker kind of on-line system, the application submission would be an “on-line” process using an API. The details submitted by the subscriber would be verified by the Aadhaar e-KYC service.

In this process, a digitally unsigned application of the subscriber would be forwarded by the trusted third party to the Certifying Authority along with the Aadhaar number. The Certifying Authority would get the digitally signed confirmation of the Aadhaar information from the Aadhaar e-KYC service, based on which it would proceed to issue the digital certificate. (This would subsequently be consented to online by the subscriber.)

The unanswered question is:

If the subscriber’s application and consent is done online without a digital signature, what is the validity of the digital signature certificate issued on the basis of such unauthenticated digital submissions?

The detailed procedure for issue of digital certificate is indicated in the CCA guideline of 24th June 2015.

The CCA guideline suggests that the private-public key pair would be generated on an HSM owned by the intermediary (the trusted third party mentioned in the Gazette notification); the private key is stored in the HSM for a validity period of 30 minutes and later destroyed. All these activities are done on systems which are not under the control of the subscriber. Hence the private key should be considered compromised ab initio.

Secondly, the authentication process for approval of the application would be based either on “Biometric” or “OTP”. (The OTP is presumed to be mobile based or e-mail based.) If the approval is based on OTP, the approval of the application form depends on the KYC already done by the mobile operator or the e-mail operator. If e-mail approval is used, there is no authentication for the application form at all. If a mobile OTP is used, it is as good or as bad as the mobile operator’s KYC system.

The CCA circular says that the DSC application form should be electronically generated and programmatically filled up with the data obtained from the e-KYC process. This means that just by submitting the Aadhaar number and confirming the OTP, the DSC application gets submitted without a “Digital Signature”. Hence it is an unsigned DSC application that gets the approval of the Certifying Authority.

The entire process is a circular, mutually authenticating procedure dependent only on the KYC of the mobile operator.
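To make the custody argument above concrete, here is an added model of the flow as the text summarises it (OTP as the only gate, an auto-filled unsigned DSC application, the key pair generated and held on the intermediary's HSM for 30 minutes). It is constructed example code, not CCA's, UIDAI's or any e-Sign provider's code; textbook RSA with tiny primes stands in for the HSM key pair so it runs offline, the "certificate" is a plain dict, and all names, OTP values and documents are invented.

```python
"""Toy model of the e-Sign custody problem (constructed illustration only)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Toy RSA parameters (constructed; far too small for real use).
TOY_P, TOY_Q = 104723, 104729
TOY_N = TOY_P * TOY_Q
TOY_E = 65537
TOY_D = pow(TOY_E, -1, (TOY_P - 1) * (TOY_Q - 1))

PublicKey = Tuple[int, int]  # (modulus, public exponent)


def digest(message: bytes, modulus: int) -> int:
    """Hash the message and reduce it below the modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % modulus


def verify(message: bytes, signature: int, public_key: PublicKey) -> bool:
    """Relying-party check: passes for anything signed with the matching private key."""
    modulus, exponent = public_key
    return pow(signature, exponent, modulus) == digest(message, modulus)


@dataclass
class IntermediaryHSM:
    """The intermediary's HSM as summarised in the text: generates the key pair,
    keeps the private key for a 30-minute window, then destroys it. At no point
    does the subscriber hold the private key."""
    key_lifetime_s: int = 30 * 60
    created_at: Optional[float] = None
    private_exponent: Optional[int] = None
    signed: List[bytes] = field(default_factory=list)  # everything signed in the window

    def generate_key_pair(self, now: float) -> PublicKey:
        self.created_at, self.private_exponent = now, TOY_D
        return (TOY_N, TOY_E)

    def sign(self, message: bytes, now: float) -> int:
        if self.private_exponent is None or now - self.created_at > self.key_lifetime_s:
            raise RuntimeError("private key already destroyed")
        self.signed.append(message)
        return pow(digest(message, TOY_N), self.private_exponent, TOY_N)

    def destroy(self) -> None:
        self.private_exponent = None


def esign_flow(otp_entered: str, otp_sent: str, consented_doc: bytes,
               extra_docs: Tuple[bytes, ...] = ()) -> Optional[Tuple[dict, Dict[bytes, int]]]:
    """Run the flow described above. `extra_docs` models anything else presented
    to the HSM while the key lives; the subscriber has no way to veto it.
    Returns (certificate, signatures), or None when the OTP check fails."""
    if otp_entered != otp_sent:
        return None  # the mobile/e-mail OTP is the entire authentication step
    hsm = IntermediaryHSM()
    now = 0.0
    public_key = hsm.generate_key_pair(now)
    # The point the text objects to: the application carries no signature at all.
    certificate = {
        "subject": "identity copied from the e-KYC response (constructed)",
        "public_key": public_key,
        "application_signed": False,
    }
    signatures = {consented_doc: hsm.sign(consented_doc, now)}
    for doc in extra_docs:
        signatures[doc] = hsm.sign(doc, now + 60)  # still inside the 30-minute window
    hsm.destroy()
    return certificate, signatures


def relying_party_view(certificate: dict, signatures: Dict[bytes, int]) -> Dict[bytes, bool]:
    """What a verifier sees: every signature checks out, with nothing to show
    which documents the subscriber actually consented to."""
    return {doc: verify(doc, sig, certificate["public_key"]) for doc, sig in signatures.items()}


if __name__ == "__main__":
    cert, sigs = esign_flow("482913", "482913", b"agreement the subscriber saw",
                            (b"document the subscriber never saw",))
    print(relying_party_view(cert, sigs))  # both True: indistinguishable to the verifier
```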

CCA should review this process and confirm if it is in accordance with the provisions of ITA 2000/8.

Naavi

P.S.: This note has to be corrected for the notification made on 30th June 2015 [GSR 539(E)], wherein the use of the hardware module has been deleted from the earlier notification.


Traffic Police delegating law enforcement to the public. Is it legal?

Some time back, Bangalore Traffic Police introduced a mobile app, “Public Eye”, inviting members of the public to send pictures of traffic violations, based on which the department will issue notices. Now a similar app has been released in Delhi. Probably this will be taken up by traffic police in other cities also, since it makes their work easy: Police can sit back and keep issuing notices without themselves doing any due diligence.

Recently, I pointed out to the Police an erroneous Challan issued by them based on questionable evidence. The challan was issued based on a photograph which showed a vehicle in front of the zebra crossing. What the notice ignored was that the traffic light at the time was green and there were several vehicles in front of the charged vehicle. The evidence pointed to the fact that the bunch of vehicles was moving after the light had turned green, and since it was bumper to bumper traffic, the owner of the two wheeler which was charged had one leg touching the ground. Interpreting this as “Parking in front of the Zebra Crossing” was an error, and hence the challan was disputable.

However, when a complaint was sought to be sent, it was clear that there was no clear grievance redressal mechanism associated with this Public Eye complaint system. Once a complaint is filed by a member of the public, his identity is not made known, but the photo is taken as “Evidence” and a charge is made against another member of the public. The “Evidence” itself is not authenticated by any digital signature, and in the absence of the identity of the person filing the complaint, the accused is completely in the dark as to why and how he is being pronounced guilty.

I have also come across occasions when challans are issued with the note “Photographic evidence not available”.

This is grossly unfair and legally questionable.

In such cases the citizen who is charged does not have any option to raise his objection, and the issue of the challan becomes arbitrary. If the challan remains unpaid, one does not know what consequences can follow when another offence is registered. Hence there is a perceived threat and coercion inherent in the process. There is also a public perception that in order to increase traffic fine collection, Police may book false cases and send Challans, since most people tend to pay up without demur. If somebody starts clicking photographs near a traffic junction each time the traffic light turns red or green, one can find border cases of violation which in actual practice were not violations at all. Hence Police can easily use this as a tool to increase fine collection without any obligation to be truthful or to instil a sense of discipline.

Further, this will encourage people to keep clicking photographs in public, ostensibly for Public Eye, but to use them for private extortion or misuse. In such cases, there should be a legal remedy for the victim to take action against the misuse. At present the system does not have these safeguards.

While the intention of the system to check on major traffic violations is acceptable, using it for minor offences without proper evidence is irritating and constitutes a harassment of the honest public.

Also, issuing a Challan entirely based on a photo submitted by a member of the public who is not a law enforcement officer does not seem to carry legal sanction. Though the system suggests that the photo would be reviewed by the Police, there is no evidence of the same.

Soon we will have photoshopped evidence presented either to genuinely harass a person or to rag a person for fun.

In order to render the scheme more acceptable, it is necessary to have a robust grievance redressal mechanism to support such complaints. I therefore suggest the following mechanism.

  1. On receipt of the complaint, the complaint should be serially numbered against the identity of the complainant and forwarded to an “Inspector” who has the authority for issuing challans if need be.
  2. The Inspector should examine the evidence and record his recommendation for issuing a challan in a digitally signed note, which should include a certificate that “He has examined the evidence and found it sufficient to issue the challan for the offence as noted”.
  3. The recipient of the notice should be given only a “Show Cause” notice and not an automatic challan.
  4. On receipt of the reply, if it is found unacceptable, or on failure to reply within a reasonable time, the notice can be converted into a Challan, again with the due recommendation of the “Inspector”.
  5. The process has to be recorded in the form of a log record.
  6. An option should be provided in the Challan indicating what judicial option is available to the recipient of the Challan to dispute the charge, along with an option to pay the fine without raising a dispute.
  7. The ticket can be closed and archived with the log record after the payment is received or the process is brought to a culmination, either by the Challan being reviewed and cancelled or by the Traffic Court disposing of the objection.

I suppose the Bangalore Traffic Police as well as the Delhi Traffic Police, and others who may introduce similar systems, should also adopt such procedures.

Naavi


90% growth in Credit Card Frauds … Dear Police, How Many Banks have you Charged?

It is unfortunate that some of the unpleasant prophecies of Naavi.org on increasing Card related frauds are becoming a reality. It is reported that Mumbai Police statistics show that in the first 9 months of 2015, Credit card frauds rose by 90% over the corresponding period last year. Overall Cyber Crimes rose by 52% and obscene e-mails by 34%.

Article in Indian Express

It has been pointed out in the article that the reasons for this massive rise in frauds include

a) Pushing of technology to persons who do not understand the security implications

b) Card cloning and Vishing

c) Lack of safeguards built around technology

Naavi.org agrees that all of the above reasons contribute to the increasing card frauds and reflect a fundamental flaw in the system of regulation.

Firstly, Banks are going too fast in introducing insecure technology to serve their commercial needs and RBI has failed in its duty as a regulator to prevent insecure services hitting the market.

In June 2001, RBI did mention that Banks need to obtain Cyber Insurance against technology related frauds and treat them as the Bank’s legal risk. However, Banks have neither obtained Cyber Insurance nor taken on the onus of securing the system. On the contrary, they are going ahead with new services of increasing risk.

Though initially the “Adjudicators” in Chennai and Mumbai gave relief to victims of bank frauds by holding the Banks liable under Section 43 of ITA 2000/8 read with Section 85, Banks held up delivery of justice through appeals. These appeals have been stalled by the “Non Appointment of Chair Person for Cyber Appellate Tribunal” since 2011, and by the mis-judgement of at least one Adjudicator in Bangalore, which has not been corrected by the Karnataka High Court and is pending because the Cyber Appellate Tribunal is non-functional.

The mis-judgement was perhaps a consequence of the ignorance of the Adjudicator, or it could have been a decision influenced by the affected bank and the conflicting relations it had with the decision maker. The inability of the Karnataka High Court was again a matter of the inability of the concerned judge to appreciate the facts of the case, which were misrepresented by the Bank, as well as its reluctance to take responsibility for delivery of justice to the victims. The non-availability of a Chairperson in the Cyber Appellate Tribunal is perhaps a conspiracy between the affected Banks and the officials since 2011, as well as a result of the controversies surrounding the NJAC.

The Modi Government is encouraging greater use of the card system in meeting its digital economy goals, but the IT ministry under Mr Ravi Shankar Prasad and RBI under Raghuram Rajan are both incompetent and uninterested in ensuring the security of the financial model of Digital India.

As we go into the next decade, there will be more and more of these card frauds involving amounts less than 10,000/-, with the use of mobile wallets where security is a secondary objective for the Banks. The amounts individually will be too small for victims to pursue legal remedies, and hence most of the accused will go unpunished.

Police are doing a great disservice by not recognizing that Banks who introduce insecure banking services are to be considered mainly liable for such frauds, and have failed to charge the respective Banks in cases of fraud. These banks not only introduce untested technology but also repeatedly fail in their KYC obligations. Many of the mobile service providers are also guilty of KYC failures, and since mobile KYC is the foundation for many mobile based services, these KYC failures are reflected in increased frauds.

In many cases of fraud, including the “Call from Information division of Delhi Consumer Courts” reported in these columns, Police have not taken any proactive remedial action. Call centers are operating in the Delhi NCR region right under the nose of the country’s top police authorities, in which people are recruited to commit frauds by calling prospective victims, and BPO operations are being run. Naavi.org itself has provided a couple of phone numbers during the last week, and there is no news that Police have actually acted on them.

If Police want every such crime to be confirmed only with a complaint from the affected person and refuse to investigate without a complaint, then these frauds will not come down.

Just as Banks are an indirect cause of such frauds due to their negligence, Police by their inaction are also contributing to the proliferation of these crimes.

Despite the clear instructions of RBI for Banks to secure the victims by a system of Cyber Insurance, and their flouting of such regulatory guidelines, it is unfortunate that Police have not made Banks a co-accused in any of these card cases. In cases where there is a possibility of the involvement of Bank employees, Police may initiate action. But what we are trying to say is that even when there is no direct evidence of the involvement of Bank employees, using the “Negligence” aspect under Section 85 of ITA 2000/8, Police are bound to make Banks pay for the losses of the fraud victims. Banks themselves need to cover this risk through Cyber Insurance.

In the case of S. Umashankar Vs ICICI Bank, after the adjudicator held the Bank negligent and granted compensation, the undersigned wrote specific letters to the DGP of Tamil Nadu to pursue criminal charges against ICICI Bank. But they failed to do so. Now in Mumbai, there have been many decisions of the adjudicator Rajesh Aggarwal against Banks. He was transferred out of the position so that he does not create fresh problems for Banks. But the Police in Mumbai could have initiated their own criminal action against each of the Banks held guilty in the civil proceedings of the adjudicator. This would have created a deterrent against continuance of the crime and would also have woken up organizations such as RBI and the Indian Banks’ Association. Their reluctance to charge Banks under Section 85 of ITA 2000/8 is therefore a contributory factor in the increase of cyber frauds.

I hope that Mumbai Police will now show the way for the rest by filing cases under Sections 43-66 of ITA 2000/8 read along with Section 85 of ITA 2000/8 in all the cases in which Mr Rajesh Aggarwal has found the Banks guilty of negligence and granted compensation to the fraud victims.

Simultaneously, the Chief Justice of India should immediately clear the papers which are reportedly being held up at his office for the appointment of the Chairperson for the Cyber Appellate Tribunal. The Karnataka High Court, which is sitting on a PIL in this respect without listing it for final hearing, should also expedite the hearing so that all these institutions work in unison with the Police to improve the counter cyber crime ecosystem.

It is not necessary to remind the authorities that a substantial part of this crime income may be also reaching the terrorists and funding their operations against India. Hence neglecting them is a grave error on the part of the Law enforcement, Judiciary and the Government.

As I have highlighted several times, the Anti Modi brigade will use the increasing Cyber Crime as a charge of inefficiency against Mr Modi’s Governance, particularly when the heat is felt by the beneficiaries of Jan Dhan Yojana in villages.

Law and Order in Cyber Space will be a relevant election issue in the 2019 elections, which will determine whether Mr Modi’s policies will survive to serve the country in future or not. If Mr Modi does not realize it now and act appropriately, it will be too late to save the country.

Naavi

Related Article: Hotel Industry will be the next big victim


A Broker for Zero Day Vulnerabilities?

The way the underworld for Cyber Crime tools has developed indicates how complicated the world of Cyber Crime is from the law enforcement perspective. Cyber Criminals are difficult to catch both because they are anonymous and spread across the globe and because they are technically a step or two ahead of the best of law enforcement. Also, the Cyber Criminal has a lot of time at his disposal to plan and commit a crime, while law enforcement has only a limited time before the evidence starts fading. Additionally, law enforcement has to deal with issues of Privacy and Freedom of Expression, while the criminal is not bound by any norm or ethics.

One manifestation of this asymmetric warfare is the announcement of an open price list for Cyber Crimeware by a firm which is considered a “Broker” for buying and selling Cyber Crimeware. A company called Zerodium has put up a price list for different categories of exploits that people can buy. At the same time, if there are any sellers, they can also use the chart for valuing their exploits.

The following is the chart published in an article at wired.com that indicates the current price of crimeware.

[Image: crimeware price list chart]

The price list indicates prices of up to $500,000 (Rs 3 crores) as an annual subscription. It is unfortunate that the global law enforcement agencies have admitted their inability to control Cyber Crime or the illegal trading of such Crimeware by themselves subscribing to such services.

Zerodium proclaims itself to be a firm that pays premium rewards to security researchers to acquire previously unreported zero day exploits affecting widely used operating systems, software and/or devices. Zerodium claims that normal Bug Bounty programs pay a smaller reward, while it pays high rewards and focuses on high-risk vulnerabilities.

What is disturbing however is that Zerodium may also sell these by subscription. Though the company claims that it would not sell the exploits to oppressive Governments, the very fact that it is in the business of selling crimeware indicates that it is primarily prepared to sell for money.

It is possible that in due course ISIS may be able to infiltrate this organization or even force it to part with exclusive exploits that can be used against humanity. It is interesting to note that Zerodium is funded by a French firm Vupen and if for some reason the exploits fall into the wrong hands, then it would be ironical that a French firm itself would be responsible for the growth of ISIS.

While the concept of providing an appropriate reward for researchers is fine, and I have also advocated it in the recent past (See: Bug Bounty Program from Government is required), my recommendation is that it has to be maintained by Government agencies. (The fact that agencies like the NSA have used it as a Cyber war weapon is known and needs to be prevented separately by the checks and balances built into the system.)

At the international level, a consortium of a few countries needs to manage such a program so that the exploits do not fall into the wrong hands.

I suggest that Prime Minister Mr Narendra Modi start a discussion with global leaders and, just as he has mooted the idea of a Solar Energy consortium and a Counter Terror Consortium, promote the concept of a “Cyber Defense Consortium” which can operate this buying of exploits as a Bug Bounty program. The exploits, however, should be neutralized by quick patching so that they are never available as Zero day exploits.

Naavi

Related Article in infosecurity-magazine


Delhi Consumer Court Fraud. Why are the Police silent?

I had pointed out through my earlier article “Beware of this Call from 90699 35661” the calls that threaten the victim that there is a Consumer Court complaint against him/her in the Delhi Consumer court and that if help is required they may contact some person.

Yesterday I got the call again and was referred to contact a person named Veerendra Singh Yadav at 08586067445. When I searched the web for this number, I found a series of complaints of a similar nature already noted at the consumer forum website. I also saw one case reported by a consumer of Bajaj Finserv which was promptly responded to by a customer service executive, indicating that even the organization Bajaj Finserv is unable to identify that this is part of a scam in which their name has been misused.

When I called back to this number, again a lady picked up and said that she was the assistant of Mr Veerendra Singh Yadav. When I insisted that I wanted to speak only to him, she said she would call back. I suppose she is hunting for a male voice amongst her colleagues, who are all part of a fraudulent organization and deserve to be in jail. Perhaps I may not get any call back.

From the background noise we get from these calls, it appears that the gang is operating like a call center with several persons engaged only in making such calls.

While these are criminals and have chosen to be so, I take serious objection to the Police in and around Delhi who are letting such frauds continue to happen. If the information about these frauds is already available on the web, it is presumed that it is also known to the Police. (If not, they do not deserve to be called the “Police”.)

Intelligence agencies including the CBI should not only be aware of such frauds but also be aware that most of these fraudsters raise money for terrorist organizations. Hence the silence of the Police could only mean “Complicity” in crimes including the funding of terrorist activities.

I am sure that some of my Police friends may get annoyed with this comment, but I would like them to realize that this is what the ordinary person on the street would think. The public think the Police are incompetent, do not care about law and order in Cyber Space, or are corrupt.

Being a friend of many policemen, I consider that this would be an unfair perception of the Police. Police in India are quite capable, and if they want, they can take action to bring down such frauds. In this case I do not think that inaction is a result of corruption. It could, however, be due to apathy and a belief that they need to act only when a complaint is registered.

I request the Police who have jurisdiction over the phone numbers mentioned above to trace these calls and punish not only the proprietor of this business but every one of these callers, and also the Mobile Service Providers who have provided them the facilities to cheat the public.

Let’s hope this criticism galvanises the Police into action.

Naavi

More cases reported: board reader thread
