Is Karnataka Government hitting NASSCOM through E Commerce taxation?

During the recent visit of Prime Minister Modi and German Chancellor Angela Merkel to Bengaluru, the Chief Minister Mr Siddaramaiah, and even more so his party, was unhappy that NASSCOM did not invite him for the interaction with the industrialists. It appears that this displeasure is now playing itself out in the form of policy measures designed to hurt the IT and E Commerce industry in Karnataka.

For some time the Congress has been taking various steps to discredit the Modi Government, and one part of this strategy is to ensure that no cooperation is given to the Centre on its economic initiatives. It is possible that the Modi team felt that Karnataka politicians could even try to put spokes in the wheels of Modi’s initiatives and decided to keep the State Government at a distance during the Angela Merkel meet.

Some time back Karnataka lost one expansion plan of Infosys and possibly one from Tata Motors. Recently Flipkart chose Hyderabad as the location to open its biggest warehouse and fulfillment center (See report here). In April, Amazon India had announced that it was putting all future investments in Karnataka on hold due to the state government’s “non-cooperative attitude.” Announcing the setting up of its FC in Telangana, Amazon said the policy parameters in Karnataka were not in sync with e-commerce industry demands.

It is clear that neighboring Andhra and even Telangana are actively poaching projects, both IT and non-IT, and Karnataka is slipping on its development curve. It is only the momentum of the past that is keeping the state afloat.

One of the recent studies by KPMG indicates that E Commerce gives a boost to SMEs. There are many success stories of SMEs achieving big success with the help of online stores (See report here). At such a time, when E Commerce needs to be encouraged, the Government has taken yet another step in downgrading its status for “Ease of Doing Business”, particularly in the E-Commerce area, by proposing a “Value Added Tax Deduction At Source”.

See Report in ET here

It is stated that the Government is proposing a 1 per cent levy on payments by buyers to sellers on e-commerce sites, a move that could encourage other states to follow suit. If put in place, e-commerce companies will have to deduct 1 per cent of payments made to vendors before passing the money on, making goods costlier for consumers.

The state says the levy will help keep tabs on the revenue of sellers, who would be able to claim credit for the tax. The authorities feel this will ensure that disclosures are accurate and companies are paying the right amount of tax.

However, one can foresee that this move will introduce more hurdles in the operation of E Commerce in Karnataka and would be construed as a retrograde step which could have been prompted by the recent face-off with NASSCOM.

I hope that wiser counsel in the Government will sense that there is a gradual erosion of the credibility of the Government in business circles, which is not good for the economic development of the State. The sooner this is realized and corrective steps are taken, the better it is for the State.

For this purpose, it is necessary for Mr Siddaramaiah to break out of the policy bind dictated by his high command, which is interested in taking the Indian economy backwards lest Modi claim credit. Siddaramaiah should try to emulate Devraj Urs and consider the betterment of the State ahead of any other political game plan. It is true that Devraj Urs lost out politically because Indira Gandhi was too strong, but the current Congress high command is more dependent on Karnataka, and Siddaramaiah may have a good chance of winning his way if he shows some courage and conviction to restore the pride of Karnataka in Congress circles by taking an independent political policy stand that is good for the State.

Let’s watch how this war between the Government and NASSCOM plays out.

Related Article:

Karnataka holds meeting with E Commerce players

Karnataka loses up to 2000 crores in tax revenue to e-commerce


Safe Harbor agreement struck down by EU Court. Is there an opportunity for India here?

In a development which has disturbed over 4500 companies in the US doing business in the EU region as data processors under the “Safe Harbor” agreement, the Court of Justice of the European Union has struck down the 15-year-old agreement for not providing “Adequate Privacy Protection”.

The Safe Harbor agreement was established between the United States Department of Commerce and the European Union (E.U.) in November 2000 to regulate the way that U.S. companies export and handle the personal data (such as names and addresses) of European citizens. The agreement was a policy compromise set up in response to a European directive that differed from the 1998 European Commission Directive on Data Protection, which prohibited data transfer to non-European countries that did not adhere to stringent criteria.

See Reports in Wall Street Journal and Computer World

The agreement had established a framework for a compromise solution between U.S. and E.U. privacy procedures.

In force since 2000, the data framework allowed companies based in the U.S. to store personal data about Europeans on U.S.-based computer servers simply by declaring that they would abide by a series of EU principles, enforced by the U.S. Federal Trade Commission. More than 4000 companies had availed themselves of this simple self-certification process.

The decision of the Court now requires these companies to find alternative means of continuing to process data of European citizens.

One of the alternate means is to enter into a contract on the lines of what is suggested by EU (See more about Model Contracts here).

The apprehension in EU circles, however, is that any arrangement between the parties may not prevent US Government authorities from having access to the data. Any individual commitment given by the data processing company would not be able to prevent US law enforcement, as well as other Government authorities, from either seeking the information under a due process of law or obtaining it by illegal snooping.

The Judgement does not have any direct impact on India, since we are already working under “Individual Contractual bindings” as well as the statutory commitments under ITA 2008, which includes a “Due Process” for interception. However, at present the EU market may not have adequate trust in Indian Privacy Protection law, particularly since we do not have a “Privacy Act”.

Following the confusion created in the US market, there is an opportunity now available to India which NASSCOM can pursue. Firstly, we need to speed up the passing of the Privacy Bill. Secondly, the Privacy Bill can incorporate a commitment to protect the privacy of any Person (including the citizen of another country) and set a “Due Process” for interception which is “Stringent”. Simultaneously, the “Encryption Policy” should also support the need for Privacy Protection.

If possible, India can also try to enter into a separate Safe Harbor agreement with the EU which addresses the concerns expressed by the Court, and develop its own model contract (which is already inherent under Sec 79 and 43A of ITA 2008) so that Indian data processors can bid for EU data processing contracts.

We look forward to the Government initiating some action on this.

Naavi


This credit card fraud should be a lesson to Judges, Adjudicators and Banking Ombudsmen

The credit card fraud reported in the media today, involving the use of 580 fake cards created by fraudsters and resulting in withdrawals of Rs 2.84 crores from Kotak Mahindra Bank, is a lesson to all those in Judicial positions who have always been difficult to convince that Banks can fail in their security procedures.

The details of the case are available here

Fortunately, in this fraud, no customer is involved. The fraudsters obtained the details of “yet to be used” credit card numbers assigned to Kotak Mahindra Bank by Master Card, created card accounts in fictitious names and encashed the same through online portals.

It is surmised that a security breach at DZ Card India Ltd, Gurgaon could have resulted in the fraud. The possibility of insider involvement in DZ Card or Kotak Bank is not ruled out. But “negligence” and “Failure of Information Security policy and Procedures” is a certainty. Violation of RBI regulations on how to manage information security with an outsourced agent can also be visualized. The possibility of negligence by multiple agencies involved in the processing of the card printing and its encashment is not ruled out.

While the Police can follow the available leads and try to resolve the case, I would like to make this a case to be quoted in all Bank fraud litigation hearings where the Banks make a statement such as:

“We have international level of information security and no breach can happen at our end. If there has been a fraud, the negligence must be at the customer’s end and hence the loss should be borne by him and him alone.”

I have heard this argument from all the banks against whom I have, directly or indirectly, pursued complaints, some with the Banking Ombudsmen, some with Adjudicators and also before Judges of various courts.

Even in this case, if there is any query, the Bank as well as the Card printing agent will claim that they are “PCI-DSS Compliant” or “ISO 27001 Compliant” and file a one-page document signed by one of the Big 4 audit firms or some other firm, stating that they have satisfactorily undergone an audit as of a particular date.

Ask them “Are you ITA 2008 Compliant?” and they will perhaps say “What do you mean by it?”

These companies think that technical best practice compliance is better than legal compliance. All of them will learn the hard way that when the bell rings, it is legal compliance that can save them from liabilities and not technical best practice compliance.

The Judicial authority, who may not know the difference between ISO 9001 and ISO 27001 or what PCI-DSS means, is likely to be impressed by the weight of the audit firm’s reputation and ignore any plea by the poor customer that he has no knowledge of how his Credit Card or Debit Card appeared in some ATM or in a Merchant Establishment’s claim, or how his identity could have been stolen.

I therefore invite the attention of all such judicial authorities to realize and start believing that frauds such as Phishing or Credit/Debit/ATM Card or Mobile Banking or Mobile Wallet frauds can occur without any knowledge of the customers.

The subject case proves that such frauds can occur even when cards have not been issued to any customer at all. If so, they can also happen with a clone of a card issued to a customer.

If this truth is understood by these Judicial persons, I would be happy that this fraud has had a beneficial impact on society.

At the same time, I consider Kotak Mahindra Bank to be one of the better Banks in the pack in terms of Information Security, and I hope they covered themselves with appropriate Cyber Insurance to recover this loss.

Naavi


WhatsApp Moment in Indian Financial Services

Happy to note that Mr Nandan Nilekani is back at what he does best, in professional circles, after a brief brush with politics, and that too with the Congress party. Naavi has been highly critical of his association with the Congress party, which made him say things such as “Reservation is required in the Private Sector”.

Now that he seems to have donned the corporate suit again, it is happy days for all his admirers. We welcome him and hope he will make his own disruptive impact on the IT ecosystem in the country.

I got to watch two of his recent talks on the topic of Disruption of Financial Services, one at TIE, Bangalore and another at IFMR Trust, Mumbai. He called it a Thought Experiment and it was indeed very thought provoking.

The thoughts which he has seeded in the talk will be discussed and debated in the marketplace, and as an ex-Banker and a keen watcher of developments in the “Use of Technology in Banking” I will add some of my own thoughts in due course through these columns.

For the time being, I invite the readers to watch the YouTube videos below:

Nandan’s Presentation at TIE:

https://www.youtube.com/watch?v=aGM5TvAUF00

IFMR Presentation (Same as TIE but better videographed):

Panel Discussion at TIE:

https://www.youtube.com/watch?v=94GuUoXEmxc

The essence of what Mr Nandan Nilekani discusses is that in 2009 the advent of WhatsApp disrupted the Telecom scenario and changed the way data was consumed on mobile networks. In the same manner, he feels that the advent of Paytm and the like will change the way the Indian Banking system functions in the coming days, and that there can be some major upheavals in store.

In the TIE conference, the Paytm and Bankbazaar promoters also add their views and suggest that these developments threaten the traditional Banking system. Obviously this requires some in-depth discussion.

I invite the readers to contribute to this discussion as we go along.

Naavi


1710 Bank Frauds reported by Police. Does RBI have a count?

Dr Triveni Singh, the Additional Superintendent, Lucknow, is emerging as a “Super Cyber Crime Cop” of the country, having resolved many individual and organized cyber crimes in the areas around Noida and the NCR region of Delhi. Dr Triveni Singh is an exceptionally qualified police official with an MBA and a PhD, as well as CEH and CHFI certifications. He is one of the few Police officers in India who are both qualified and also have many field accomplishments to their credit. Perhaps it looks strange that he belongs to the UP cadre and is not working in Delhi or other major metros leading a National level Cyber Crime Police Force. Such a specialized police force is necessary for the security of Digital India and hopefully, Dr Triveni Singh will soon be provided an opportunity to use his skills in a more productive posting.

In solving some of the recent crimes involving Bank Frauds, Dr Triveni Singh has reported that a special task force studied 210 FIRs and 1500 complaints from the residents of Haryana, Rajasthan, Maharashtra, Punjab and Bihar and came to certain interesting conclusions about the behaviour of these gang members. The total value of the frauds involved in these cases was around Rs 80 lakhs.

The police have found that the fraudsters used the proceeds to buy mobile phones and also kept money in mobile wallets. They were able to use the e-commerce merchants and mobile wallet managers as conduits to commit crimes, exposing them to the risk of being held liable for the frauds under ITA 2008. These e-commerce and mobile wallet managers are guilty of weak KYC and identity verification systems, contributing directly to the frauds.

See Report in Times of India

One of the immediate thoughts that occurred to me on reading the report is about Cyber Crime statistics. The report indicates that in the few states mentioned, there were nearly 1700 cases reported involving banks. But it is not clear if these cases get reported as “Bank Frauds” in the RBI’s records. In the absence of proper recognition of the incidence of such crimes, RBI is blind to the risks of e-banking and keeps allowing Banks to introduce more and more technology in Banking without appropriate safeguards.

While it is exciting to hear about innovative banking practices such as social media banking, cardless banking etc., there is no accountability for Bankers when it comes to frauds. Now RBI has provided licenses to Small Banks and Payment Banks, which are more technology dependent and therefore more vulnerable to Cyber Crimes.

With every new step in the advancement of technology in Banking, the customers are being driven into higher and higher risk situations.

Banks continue to evade any liability for frauds, and RBI’s ombudsmen collude with Bankers and refuse relief to Customers in ATM card, Credit Card and Mobile frauds. RBI’s supervision of information security in Banks is inadequate, and Banks work with more risks than they can afford.

To top it all, Banks, which were mandated by none other than RBI itself, through its Internet Banking Guidelines of June 2001, to obtain Cyber Insurance against such frauds and ensure that customers do not suffer losses, refuse to take such cover even today, 15 years later.

If RBI were serious about customer safety, it should have ensured by this time that all Banks had a suitable Cyber Insurance cover, rather than bullying customers into bearing the cyber fraud losses. Without such insurance cover for their customers, no new Bank should have been licensed. But despite representations to this effect, RBI did not take any action and let new Banks be licensed with more risks than existing Banks.

I wish Dr Triveni Singh would book a few Bank officials for their negligence in maintaining proper information security in their systems, causing losses to the customers. We are aware that under ITA 2008, vicarious liabilities accrue to Banks for negligence which causes identity theft and unauthorized access.

In fact, one of the largest phishing frauds in India occurred in PNB, Noida, where a customer lost Rs 1.64 crores. The case is lingering in the National Consumer Forum and, despite atrocious negligence in “Banking Service” displayed by the Bank, justice has been delayed for more than 7 years. Around this time in 2008 a series of frauds occurred in PNB, and if Dr Triveni Singh studies all such frauds, it will be clear that PNB had put all its customers at a huge level of risk entirely by its own ineptitude. While the victims of the cyber crimes have been suffering for the last 7 years, the then Chairman went on to become IBA Chairman and enjoy the fruits of his office, built over the losses of the customers of PNB. I am not sure if there is any mechanism in RBI to monitor such matters, which are simply reported by the Banks as “Under litigation”. RBI should study the impact of such unresolved frauds on the trust and confidence that people have in Banks and the danger of a backlash from customers.

I wish that at least now RBI assumes accountability for safe e-banking and ensures that the future of Digital India is not endangered.

Naavi


Voluntary Special Interest Group on Secure Digital India (VSIG-SDI)

Regular visitors of this site will remember the article “If NAMO is the CEO of Digital India, who is the CISO?”

This thought is still ringing in the minds of many of us who wholeheartedly support the Digital India project but frequently express adverse comments on many policy initiatives of the Department of Electronics and Information Technology (DeitY).

A few days back, a group of Information Security Professionals in a WhatsApp group came together with the thought that the Government of India is going ahead with its Digital India project without appropriate Information Security backup, and that we need to do something to contribute our thoughts on how to change things for the better.

With this idea, the group decided to promote what can be called a “Voluntary Special Interest Group on Secure Digital India” and start deliberating on how to progress further.

In order to collaborate with persons of similar interest, a Facebook page was opened at www.facebook.com/securedigitalindia.

As a thought starter, I had prepared a PPT on my initial thoughts and shared it with the members of the group. Now I find that I am getting requests from many for this PPT, which only describes the proposed activities of this group. We are yet to come up with any documents containing suggestions which can be shared with the public. We hope to do so in due course.

However, since it is difficult to handle individual requests for the sharing of the document, I am placing the current version of the document on this website.

The document is available here

I welcome comments. Comments can be posted as visitor’s comments on the Facebook page or here on naavi.org. You can also communicate with Naavi on his email.

I also welcome any detailed white papers in line with the objective of the group that can be published on naavi.org. This SIG and its activities are a voluntary initiative of a virtual group of IS Experts who, we believe, may be able to collectively provide recommendations to DeitY which would be useful. The success of the idea is in your hands. Participate in full.

Naavi
