The mystery land of Cyber Insurance-2: What is Cyber Insurance?

Naavi, along with some of his friends, embarked upon a Cyber Insurance status study in India titled “India Cyber Insurance Survey 2015”. Some aspects of this survey have been briefly referred to on this site earlier. Now, based on the results of the survey, more detailed information is being presented in a series of articles to be published over time. Hope this will be useful to the community… Naavi

When the exploration of the Cyber Insurance land was contemplated, it was known that knowledge about the concept of Cyber Insurance was low in the market. Hence the expectations of the study were set low. There was no surprise in finding out that the penetration of Cyber Insurance in India was low. Some of the reasons for such a status, despite the growing Cyber Crime threats, are analysed here.

Penetration Levels:

Let us analyse one set of responses, which indicated the following:

92% of the respondents, who represented different IT user entities, had no experience of taking Cyber Insurance.

54% of the respondents stated that they are unlikely to consider it in the near future.

90% said that they will consider it only if they suffer a loss in a cyber attack.

74% said that they will consider it only if they have an attack on themselves.

72% said that they may consider it if a suitable product at the right price is available, and 80% said that they will consider it if there is a mandate.

The respondents were all senior professionals from IT sector and included CEOs. For 54% of them to say they are unlikely to consider Cyber Insurance in near future was very disappointing.

The fact that 90% said that they will consider it only if they suffer a loss indicated the dreaded syndrome of “Closing the stable doors after the horses have bolted”.

I can categorically state that many organizations may either not survive their first attack or may get so badly battered that their survival after the attack would be an unending struggle. None of us know what destiny holds for us. But for us to take Cyber Risks so lightly is nothing short of recklessness and a readiness to commit harakiri.

I therefore strongly advocate that entrepreneurs of all kinds shed their complacency and take a look at the need for Cyber Insurance.

I also want to highlight here that the need for Cyber Insurance is greater for entrepreneurs than for Cyber Security professionals, since the business risk lies mostly with the entrepreneurs and their investors. If a company faces a fatal attack, the Cyber Security professionals will easily walk out and settle in another company, enriched with their experience. Their loss is for a limited time and can be overcome. But for the entrepreneur, the loss of his dream project may be the end of the world.

Hence it is the Company promoters, Directors, Investors and Business Managers who need to watch out for what I am about to say on Cyber Insurance through these columns.

Cyber Insurance is part of Cyber Security Management

Cyber Security professionals who understand that Cyber Security management consists of the four strategies of “Risk Mitigation, Risk Transfer, Risk Avoidance and Risk Absorption”, and that “Risk Transfer” is achieved through Cyber Insurance, should also watch out. After all, they are senior professionals today, and many of them will be owners of businesses in the Start Up revolution that is sweeping our country.

The first reason why a responsible professional is not keen on Cyber Insurance is that there is less than the needed understanding of what “Cyber Insurance” is. Let us therefore try to address this issue first.

Two Components of Cyber Insurance

Cyber Insurance has two major components. One is insuring self damage, where losses suffered by the insured are covered by the insurer. The second is that when a Cyber incident occurs, the insured may incur a liability to pay damages to an outsider. Cyber Insurance also covers this as “Liability insurance”.

It is easy to understand this concept by looking at the similarities with, and differences from, Motor Insurance. In motor insurance, if an accident happens, the owner of the vehicle gets compensation to pay for the repair of the vehicle. At the same time, under the Motor Vehicles Act, if he is liable to pay damages to third parties, that is also covered.

Cyber Insurance is also like Motor Insurance and has the two components of “Own Damage” and “Third Party Liability”.

The “Cyber Incident” may happen for many reasons. For example, it can happen due to internal technical issues, including physical issues such as electrical outage, flood, fire, etc. It can also happen due to a fault in the hardware or software. It can happen due to human failure such as negligence of employees. It can also happen due to the malicious intentions of humans, including insiders and unknown attackers from the wild. Among such attacks there are also those categorized as “Zero Day Attacks”, which essentially means that until such an attack is revealed, even the manufacturer of the software/hardware does not know that a certain Zero Day vulnerability exists in the system which he has in good faith sold to the IT user who is today facing a liability situation.

Asset Valuation Issues

A quick glance at the various reasons that can cause a loss which may come under the umbrella of a Cyber Insurance indicates why Cyber Insurance is complicated and poses a challenge not only to the insured but also to the insurance industry itself in structuring a suitable policy.

For example, for insuring “Own Damage” one needs to value the Cyber Assets. While it is easy to value the hardware and purchased software, for which there is a cost and a depreciation, the value of internal software development needs to be arrived at on an assessment. Also a huge part of the cyber assets is in the form of “Data” which is acquired at a cost. The resident data should therefore be valued.

Now check back with your CFOs whether there is a proper valuation of the cyber assets reflected in the balance sheets, and whether your current asset valuation policies for the purpose of P&L are well suited for claiming insurance.

Most companies have a system of writing off all software purchases as “Expenses” though its beneficial use is spread over several years. Hence many soft assets continue to be used much after they find no mention in the balance sheets. As regards the hardware, it is often the practice to retain a nominal value of Rs 1 in the balance sheet even after the value is depreciated for a conservative reflection of the P&L. A similar approach is required for any software acquired at a cost so that no asset remains outside the radar. When a cyber event occurs and the company has to regroup, what is relevant is “Replacement Cost” of the asset and not the depreciated value represented in the balance sheet.

Of course it would be convenient for the insurance company if the insured states that what he has lost is of “Zero Value” on the books while it costs a bomb to replace. The insurance company may simply value the assets at book value and deny any compensation.

There is therefore the first hurdle of “Asset identification and Valuation” for the purpose of “Cyber Insurance”, on which the industry has to reach a convergence. Perhaps the Chartered Accountants and the Institute of Chartered Accountants need to think whether their asset valuation system needs to be reconsidered.

I would urge the Institute to consider valuation of IT assets on “Replacement Cost”. Depreciation may be considered in three tiers. The first tier depreciation would be the writing off of the cost over the estimated useful period of the asset. The second tier depreciation would be the conservative approach, where assets are depreciated faster than their useful life as a conservative practice. The third tier depreciation would be the equalization amount which arises due to the revaluation of the asset at replacement cost.

If accountants follow this system of representing the asset value, then analysts can pick up either the replacement value or the book value as they please. Insurance companies may use the replacement cost for evaluating the compensation, while shareholders and SEBI may look at the lower asset value as a conservative estimation of profits.

Where software assets are developed within the company, there needs to be a valuation process, which today is mostly absent. Only service companies who bill their services to their clients have a good system of evaluating their operational costs. Others ignore the internal development cost, which gets debited to the P&L as an expense. There is a need to maintain employee work records and assign them to the valuation of Work in Progress and later to the completed service. If this can be done, there would be greater efficiency in the operation of many IT companies. This is of course the work of a Cost Accountant, who can develop a system of valuing the service component which can be rightly priced for business purposes while at the same time providing the asset value for insurance purposes.

The last item of asset is the “Data”. While the company can value “Data” on the basis of its acquisition cost, during a cyber incident leading to a liability and insurance claim, what is relevant is not the asset acquisition cost but the loss which the victim has suffered and has claimed from the Company under the legal rights given to him under law.

Dependency on Compliance

This “Liability” estimation depends on the “Legal Compliance” status of the company, such as “Reasonable Security Practice” and “Due Diligence” under ITA 2008, and also the Privacy Rights granted under the constitution or other laws. Additionally, the efficiency of our legal system, where victims are aware of their rights and make adequate claims, will also influence the losses which the company suffers and expects to be covered by the insurance policy.

Just as Liability insurance has a dependency on ITA 2008 compliance of the insured, the estimation of replacement value of soft assets has a dependency on the DRP and BCP status of the company. If a Company has an excellent DR and lost assets can be recovered in full without much cost, the replacement cost as well as the insurance liability will be reduced.

It is for this reason that the survey has discussed the Compliance status in greater detail; the responses will be discussed in subsequent articles.

Declared Value of Assets

Practically, when an Insurance contract is written, the insured and the insurer have to identify the value of assets since it determines not only the liability but also the premium. The general practice is for the proposer to seek insurance based on the details furnished in the proposal form which will include the value of the assets to be insured. The insurer looks at the value and determines the premium.

Now it is possible that if the insured and the insurer are not on the same level of understanding, the contract may be vitiated by declarations made by the proposer, which always works to the advantage of the insurer.

The insurance contract is considered an “Uberrimae Fidei” contract or a “Contract of utmost faith”, and in such a contract the entire responsibility to make truthful declarations lies on the proposer. The insurance company can accept the declarations in good faith and later rescind the contract when a claim is made, on the grounds that the proposer was aware of some adverse aspects which he did not declare at the time of insurance.

The easily understandable example is when we take health insurance and fail to disclose pre-existing diseases. While the insurer can accept the proposal and charge a premium based on the declaration, if a claim arises, the insurance company goes into investigation mode and finds out that there was a pre-existing condition of the insured which would have altered the premium and risk; since it was not disclosed, the entire contract is declared invalid and the claim denied.

A similar situation may arise in Cyber Insurance if the insured fails to declare earlier security incidents, weaknesses in its DR/BCP or other IS related issues. “Hiding the Truth” is therefore not a good strategy at the time of insurance, and this is a challenge for professionals, since they might have hidden the truth even from their own management in the past. Hence a strong “Security Incident Management” policy and implementation is essential to write a robust insurance contract.

Another factor which insurers should remember is that in the event the valuation of assets at the time of insurance is lower than at the time of the insurance claim (when a re-assessment is made as a general practice), it may be considered an event of “Under insurance”, and the insurance company may decline to pay the full loss, considering the shortfall as “Self Insurance”.

Hence it is important for the insured and insurer to agree upon a proper valuation system so that there will be no claim of “Under Insurance” or even “Over valuation” though there may be a natural appreciation or depreciation of the value for different reasons.

Need for Well Structured Policies

These complications are one of the reasons why perhaps 72% of the respondents to our study felt that they may consider Cyber Insurance if a suitable product at suitable price is available.

This also indicates what an insurance company needs to do now that it knows that 92% of the respondents are their potential customers who may consider such products.

If all the complications of asset valuation, etc., cannot be sorted out to mutual satisfaction, insurance companies will offer coverage with certain sub-limits for different types of losses. Though this may not be a perfect solution for the insured, it represents a way forward for further refinement of the product.

(…Discussion to continue)

Naavi

Earlier Article in the series:

The mystery land of Cyber Insurance-1: Overcome the “All is Well syndrome”


ITA 2008 compliance guidelines for Matrimonial Websites

An Advisory has been issued by DeitY on ITA 2008 compliance requirements for matrimonial websites.

It is well known that matrimonial websites are “Intermediaries” under ITA 2008 and that the guidelines already issued under Section 79A for “Due Diligence” are applicable. Such rules are applicable not only to matrimonial sites but also to many other types of websites, including job portals and corporate websites. It is therefore surprising that this advisory has been issued now, as if there was no such requirement so far. This advisory is therefore considered redundant, though one can say that perhaps it can be treated as a reminder for the websites which never considered ITA 2008 compliance as their duty.

In fact, the right thing to do would have been for CERT-IN to issue notices to some of these websites and impose some fines for not following the Sec 79 rules. This would have had a more salutary effect on them.

By issuing the advisory only for matrimonial websites and not for other websites it appears as if this is not required for others. The advisory should have clarified this matter.

We would like to remind every other website that collects personal information of the public, with or without displaying it on the website, that it is also liable for maintaining the records as indicated in the advisory, failing which it will be liable for any offence committed with the use of such information.

Naavi

The trinity of E Banking Security.. How will they coordinate their activities?

Over the years, RBI has grown in multiple directions and the management of its responsibilities is getting increasingly complicated. The media is obsessed with the monetary policy related functioning of the RBI, such as the management of interest rates and liquidity ratios. The discussions on Raghuram Rajan’s continuation and its impact on the stock markets are an indication of this obsession.

However, one of the areas in which the public is interested, and which we normally focus on through these columns, is how RBI manages the security of Banking operations in the technology era. This covers the work of DBOD and the Department of Payment and Settlements.

The perception is that DBOD focuses more on loans and frauds related to loans, whereas all the new generation issues such as cards and mobile wallets are directed by the Department of Payments and Settlements. However, when we discuss “Frauds”, RBI normally talks of NPAs and loan related issues as “Frauds”, and the Cyber Crime related frauds which we try to focus on are normally relegated to the background. This is the reason why RBI does not have proper statistics on credit card and Phishing related frauds, as revealed in many RTI applications.

It appears that the Department of Payment and Settlement focusses on the introduction of technology and leaves it to the DBOD to deal with the fraud related issues. The converging point for both is the issue of “Information Security”.

In June 2001, RBI first came up with the Internet Banking Guidelines based on the passage of ITA 2000. Then, on April 29, 2011, RBI came up with the GGWG based guidelines on E Banking security, which took into account the amendments to ITA 2000 made in 2009 (ITAA 2008) and some data protection elements implemented in 2011.

In the last month or so, there has been some serious activity on Information Security in RBI. First, an IT Subsidiary was formed in RBI to take care of the Information Security requirements of RBI itself. Probably, this would automatically absorb the activities of the Information Technology Cell of RBI.

Additionally, it has been informed that this subsidiary will also advise the regulated Banks on Information Security requirements.

On June 2, the Department of Banking Supervision came up with a comprehensive guideline that revised the June 29, 2011 circular on E Banking Security. This circular did not mention the IT Subsidiary but recognizes the existence of a “Cyber Security and Information Technology Examination (CSITE) cell” of the Department of Banking Supervision. It is not clear if this is the same as the IT cell which was in existence earlier or is a different monitoring and audit section.

All along, there was one subsidiary institution called IDRBT which was assisting RBI in technology related issues.

Thus we now have an IT Subsidiary, IDRBT and the CSITE Cell as the trinity of institutions involved in guiding and advising Banks on Information Security.

IDRBT has already issued an Information Security framework, GGWG had issued its own framework and now the Cyber Security framework is the third framework that has been provided by RBI to guide the Banks in information security issues. While the earlier frameworks were more technical in nature, the recent Cyber Security Framework is more in the “Techno Legal Nature” as we normally recognize.

Banks therefore need to negotiate through multiple RBI arms and their guidelines to work on Compliance. This would be a challenge which the CISOs of Banks need to negotiate. Let us not forget that there is also CERT-IN and several Government agencies which have been empowered under ITA 2000/8 to monitor the activities of the Banks, and CISOs need to worry about satisfying the compliance requirements of these entities also.

The Bank CISOs would find it better if there is clarity on what is expected of them and if there is a good coordination between these three institutions.

In fact, one wonders if there was really a need for the creation of multiple institutions instead of entrusting IDRBT with the responsibilities that the new IT Subsidiary is expected to discharge. But this discussion may be redundant at this point, and the two subsidiaries need to work together along with the departments supervising their activities.

I suppose the relative responsibilities of the three institutions will crystallize over time, and all three will find some justification to exist irrespective of efficiency considerations.

In terms of “Compliance” however, there would be possibilities of some confusion when different guidelines come up from different organizations overlapping in terms of operational issues.

The CISOs of Banks should, through their CISO Forum, ensure that there is clarity on the functioning of these three organizations and coordination of their activities, so that the Banks are not left to handle inter-departmental non-coordination issues.

I also envisage that soon the Compliance issues will grow beyond the capabilities of the CISOs, and every Bank will have to create designated Compliance Officials. The Chief Compliance Officers need to form their own Forum and address some of the issues raised in the recent Cyber Security Framework.

As regards the trinity of Cyber Security institutions that have now come to exist, it would be necessary for them to form a coordination committee amongst themselves so that any instruction/guidance going out from any of them to the Banks carry the approval of all of them.

This “Cyber Security Regulation Coordination Committee for Banking in India” could be the apex body which will be a single point policy formulation entity that could absorb all the problems arising out of the existence of multiple organizations with overlapping functions.

I suggest any of these three entities may take steps to formalize the formation of this committee.

Naavi


SBI’s NEFT system poses a legal risk…Action required from SBI and RBI

One of the customers of SBI has reported a faulty behaviour of the NEFT system in SBI which needs to be explored both by SBI and the RBI. It could be considered as causing a “Legal Risk” both to the Bank itself as well as the customers.

The customer has sent video evidence of the incident which is with me and I am not immediately posting it in public domain since it contains information that is confidential. It can however be shared with SBI or RBI if it is requested.

The observation reported is this:

As we all know, when a customer logs into the account, he can view the previous transactions. In the incident referred to, the customer observed that there was an NEFT receipt from one Mr X. But when the customer refreshes the transactions, each time he sees a different name as the remitter of the NEFT credit. One time it says money received from X, another time Y or Z, and so on. The amount and the transaction number remain the same; only the name changes.

The customer has not so far lost any money due to this peculiar behaviour, which appears to be a bug in the software, and it is said that the changing of the remitter’s name stops after the lapse of a period, which could be after the transaction moves to a different status on the server.

However, my objection is this:

If I capture the screen record at one point of time, it will show all the details of the customer and evidence that a remittance with a certain transaction ID has been received from Mr X. At another time, the same transaction is shown as money received from Y, and yet another time it is shown as Z, and so on.

This means that the evidence presented by the server is unreliable and any other information from a similar source presented as evidence either under Section 65B or under Banker’s Book of Evidence Act will be unacceptable in a Court of Law.

We can interpret this issue in two ways:

  1. We can demand that no Court should henceforth accept any evidence presented from an SBI server showing a remittance, since it is unreliable and could be the result of faulty software; or
  2. We can say that SBI has manipulated the evidence to show a person who has not sent the money as the remitter.

-This is “Tampering” with the electronic file and an offence under Section 65, 66 and other sections of ITA 2000/8.

-These are cognizable offences under which the SBI officer responsible for the business and the CEO and Directors may face prosecution.

I request SBI and RBI to undertake an investigation of this incident and determine whether this is a one-off occurrence with the particular customer or whether it occurs with others.

This report appearing on a public website is to be treated as an “Incident” coming to the knowledge of SBI and RBI and should be documented in the books of SBI. Also, according to the recent “Cyber Security Framework” released by RBI, it should be reported to the RBI in the periodical report along with its resolution.

(P.S: If after a time, an RTI with RBI does not show the report of this incident, then it would confirm that there was non compliance of the RBI guideline.)

I look forward to appropriate action from SBI and RBI, though I would not be in the least surprised if both of them simply ignore this public notice and carry on with the “All is Well Syndrome”.#

#”All is Well Syndrome” is a behavioural trait often expressed by Information Security professionals, businessmen, regulators and software professionals: that nothing will go wrong or has gone wrong in their systems, and that occasional reports of bugs are better ignored… a trait which is the bane of all compliance managers.

Naavi


Is NASSCOM promoting an Online authentication system which is not ITA 2008 compliant?

Recently, NASSCOM (through DSCI) conducted product promotion seminars for FIDO alliance at Mumbai and Bangalore, introducing some online authentication solutions along with some partners of FIDO alliance in India like Persistent Systems.

According to the website of the FIDO alliance, FIDO stands for Fast IDentity Online. The FIDO alliance is a US based non profit organization [a Section 501(c)(6) organization] nominally formed in July 2012, and it has certain solutions aimed at helping users who need strong authentication in the form of strong passwords but find it difficult to remember multiple passwords across different service providers. FIDO claims that they are creating a new open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. The objective is said to be to remove the world’s dependency on passwords.

FIDO claims membership of several organizations including Microsoft, Google, Paypal, Qualcomm, Bank of America etc who represent online service providers who need their customers to use passwords and two factor authentication for using their services.

Membership to the FIDO alliance is open to different organizations with the following fee structure.

a) Board Member: US $50,000

b) Sponsor: US $25,000

c) Government: US $15,000

d) Associate: US $2,500 to 15,000

Members may also pay fees for testing and certification after they implement the “Online authentication standard”. Basically, the members will be entitled to different commercial benefits such as use of FIDO alliance trademark, etc.

Each of the members may implement the common standards which are tested and certified to enable interoperability of what is called the “Standards” so that they may use the process as part of their authentication mechanism.

To be brief, what these standards imply is that there will be two kinds of solutions.

a) One is a solution that substitutes the OTP over mobile process as second factor authentication. (U2F)

b) Second is a solution where the biometrics of the user is used as a password to trigger a digital signature authentication. (UAF)

From the presentations made during the event in Bangalore, the following information emerged.

  1. Both UAF and U2F use a USB token.
  2. In the UAF protocol, a user registers himself at a website (e.g. at Paypal), providing his biometric along with other profile details such as his name, address, etc. This generates an RSA key pair in the token, and the public key is sent to the web server, where it is stored along with the profile details.
    1. The next time authentication is required, the user provides his biometric to the token, which creates an authentication request encrypted with the private key generated during the registration process and sends it to the web service provider. It is decrypted with the public key already available, and authentication is accepted as per the registered records.
    2. The system is said to be able to also capture additional parameters such as facial recognition and key stroke pattern as additional parameters of authentication.
  3. In the U2F protocol, the token has a button which, when pressed, sends the private-key-encrypted message to the authentication server. Biometrics are not used. This substitutes the current OTP mechanism, where the user has to wait for a PIN to be received either on his mobile or e-mail and submit it back for authentication.

It is clear that FIDO alliance is a sort of marketing alliance where all have agreed to use a common methodology and implement the “Standard” at their individual costs and benefit by the collective marketing. A 501 (c)(6) entity is called a “Non Profit” organization but is allowed to “perform activities dedicated to improving the conditions of their industry, including lobbying and promotion”. If lobbying is the organization’s primary purpose, it must notify its members of the percentage of dues being allocated to lobbying expenses.

As far as FIDO alliance is concerned, it is fine for the alliance to lobby and enroll members in India. However, NASSCOM joining in the promotion of the FIDO alliance raises certain questions which need to be answered by NASSCOM board and I look forward to their response.

Primarily, the so called “Standard” uses no “KYC”, and the person declares himself as whoever he is. Even when a biometric is provided, it is not authenticated. On the other hand, in India we have the e-signature method, where a biometric is authenticated with reference to the Aadhaar database, which forms a KYC process. Similarly, even the simple OTP process through mobile has the backing of a KYC conducted by the mobile operator. (We can ignore the problems arising out of inefficient KYC conducted by a Mobile service provider or Aadhaar enumerator at this point of time.)

FIDO process is therefore not in conformity with the KYC process which is mandatory in India for Banking transactions above a certain limit.

Secondly, the public-private key pair used in the FIDO alliance standard is not the system certified by a licensed certifying authority in India who is responsible for KYC. (Again, we can ignore the inefficiencies in this process.)

The FIDO process therefore fails to comply with the RBI requirement of KYC and ITA 2000/8 requirement of a digital signature/electronic signature.

During the interaction, I was informed by one of the implementers namely Persistent Systems (a public limited company based in Pune) that at least two Banks in Mumbai have already signed up for the alliance and it would be necessary to know which are the Banks which have agreed to use this system and whether they have taken any special permission from RBI in this regard. (I look forward to more information in this regard).

Under these doubts it is surprising that NASSCOM is endorsing this event and misleading the industry.

Through these columns, I am requesting NASSCOM and DSCI to inform me:

-How it is endorsing this disguised marketing activity of a non Cyber Law Compliant process of digital authentication.

I am also requesting RBI to get information and reveal

-which are the two Banks which have signed up with Persistent Systems Pune for FIDO alliance system to be used for their authentication purpose and

-whether any assessment has been made on the compliance or otherwise of KYC and ITA 2008 compliance and approval given.

This information can be sought under RTI but I suppose it would not be required.

The objective of this article is to bring to the notice of NASSCOM and RBI that some commercial activities may be unwittingly promoted by Government agencies against the law of the land and if so they need to be identified and corrected.

At this point of time, I am not accusing the FIDO Alliance of trying to bypass Indian law, since I presume that they are not aware of the legal provisions in ITA 2000/8 or of the KYC procedures mentioned above. I also consider that Persistent Systems may not be aware of these provisions, and hence there is no allegation that any of these parties has deliberately tried to flout the rules.

However, it is definitely necessary to bring these objections to the notice of the industry, so that no entrepreneur, including the start-ups in Bangalore engaged in the many digital activities that involve online authentication, starts using this service in place of mobile-based OTP, e-Sign or the traditional digital signature as a means of digital authentication, as the two unnamed banks in Mumbai have.

If NASSCOM and DSCI agree with my point of view, I expect them to respond and also to send circulars to all the participants of the two seminars in Mumbai and Bangalore disclaiming responsibility for the legal validity of the said FIDO standard and giving their reasons.

I request readers to forward this information to the relevant NASSCOM and DSCI members if they have the contacts. In case anything mentioned above is incorrect, I am willing to publish a suitable rejoinder. Readers who are technically proficient may study the standard's specifications, available on the FIDO Alliance website, and check whether they offer any further information either in support of or against the views expressed here.

Naavi

Posted in Cyber Law

New Cyber Security Framework for Banks will shake up CISOs in Banks

RBI has, from time to time, provided guidelines to banks for managing information security. Recently, RBI has also created an information security subsidiary which, apart from looking after information security within RBI, will also provide policy guidance to the banking industry as a whole.

While the IT subsidiary is kicking off its activities with the appointment of a CEO (Mr Nandakumar Sarvade), RBI has come up with a notification on a “Cyber Security Framework for Banks” vide its circular dated June 2, 2016 (RBI/2015-16/418, DBS.CO/CSITE/BC.11/33.01.001/2015-16), as an extension of the circular of April 29, 2011, which followed the well-known GGWG (Gopalakrishna Working Group) report on which extensive comments were made in 2011.

In particular, the new circular of June 2, 2016 recognizes the growing sophistication of attacks on the banking sector and highlights the need to put in place an “adaptive Incident Response, Management and Recovery framework” to deal with adverse incidents/disruptions, if and when they occur.

Some of the key aspects of the circular are reproduced here. (The detailed circular is available here.)

  1. Banks need to communicate to the Cyber Security and Information Technology Examination (CSITE) cell of the DBOD that they have in place a “Cyber Security Policy” elucidating the strategy containing an appropriate approach to combat Cyber threats.
  2. The Cyber Security policy is to be distinct from the broader IT Policy/IS Security policy of a Bank and highlight the risks from cyber threats and measures to address/mitigate these risks.
  3. While identifying the inherent risks, banks are required to reckon the technologies adopted, alignment with business and regulatory requirements, connections established, delivery channels, online / mobile products, technology services, organisational culture and internal & external threats.
  4. It is mandated that a SOC (Security Operations Centre) be set up at the earliest, if not already done. It is essential that this Centre ensures continuous surveillance and keeps itself regularly updated on the latest nature of emerging cyber threats.
  5. Banks, as owners of such data, should take appropriate steps in preserving the Confidentiality, Integrity and Availability of the same, irrespective of whether the data is stored/in transit within themselves or with customers or with the third party vendors; the confidentiality of such custodial information should not be compromised at any situation and to this end, suitable systems and processes across the data/information lifecycle need to be put in place by banks.
  6. A Cyber Crisis Management Plan (CCMP) should be immediately evolved and should be a part of the overall Board approved strategy. Cyber-risk is different from many other risks and hence the traditional BCP/DR arrangements may not be adequate. 
  7. Banks need to take effective measures to prevent cyber-attacks and to promptly detect any cyber-intrusions so as to respond / recover / contain the fall out. Banks are expected to be well prepared to face emerging cyber-threats such as ‘zero-day’ attacks, remote access threats, and targeted attacks.
  8. The adequacy of and adherence to cyber resilience framework should be assessed and measured through development of indicators to assess the level of risk/preparedness.
  9. It is reiterated that banks need to report all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify) to the Reserve Bank. Banks are also encouraged to actively participate in the activities of their CISOs’ Forum coordinated by IDRBT and promptly report the incidents to Indian Banks – Center for Analysis of Risks and Threats (IB-CART) set up by IDRBT. Banks are required to report promptly the incidents, in the format given. 
  10. The format indicates that the report on “Cyber Incidents” is to be submitted within two to six hours and is to include an “Impact Assessment” covering the “Legal Impact”. (Looks too good to be true!)
  11. The material gaps in controls may be identified early and appropriate remedial action under the active guidance and oversight of the IT Sub Committee of the Board as well as by the Board may be initiated immediately. The identified gaps, proposed measures/controls and their expected effectiveness, milestones with timelines for implementing the proposed controls/measures and measurement criteria for assessing their effectiveness including the risk assessment and risk management methodology followed by the bank/proposed by the bank, as per their self-assessment, may be submitted to the Cyber Security and Information Technology Examination (CSITE) Cell of Department of Banking Supervision, Central Office not later than July 31, 2016 by the Chief Information Security Officer.
  12. Top Management and Board should also have a fair degree of awareness of the fine nuances of the threats and appropriate familiarisation may be organized.
  13. Banks should proactively promote, among their customers, vendors, service providers and other relevant stakeholders an understanding of the bank’s cyber resilience objectives, and require and ensure appropriate action to support their synchronised implementation and testing.
  14. It is well recognised that stakeholders’ (including customers, employees, partners and vendors) awareness about the potential impact of cyber-attacks helps in cyber-security preparedness of banks. Banks are required to take suitable steps in building this awareness.
  15. Concurrently, there is an urgent need to bring the Board of Directors and Top Management in banks up to speed on cyber-security related aspects, where necessary, and hence banks are advised to take immediate steps in this direction.
  16. A copy of this circular may be placed before the Directors in the ensuing meeting.

A close reading of the guidelines indicates that this circular is significantly different from, and more aggressive than, the earlier guidelines, and comes close to what Naavi has been suggesting as “Techno Legal Information Security”. RBI must be congratulated for coming up with these guidelines.

The responsibility of the Directors is emphasized by the insistence on placing the circular before the next board meeting. The circular also recognizes that the bank processes data as an “owner” and not as an “intermediary”, which was often a point of difference in my discussions with bankers. Another notable feature is that by including “zero-day” attacks in the list of threats, the expectation of the security measures required has been significantly raised: controls that rely on signatures of already known attacks cannot, by definition, stop a zero-day, so banks must be able to show detection and response capability rather than prevention alone.

CISOs will no longer feel comfortable after this circular, which will actually force banks to create a separate “Cyber Security Policy” over and above the “Information Security Policy”. This may also require a segregation of duties by designating a separate “Cyber Security Compliance Officer” in addition to, and above, the CISO.

The circular also requires banks to treat “data with outsourced vendors” as “data owned by the bank” and to ensure its security. This will require significantly more oversight of vendors.

Banks are also asked to develop new measurement criteria to assess their preparedness, and this calls for some effort on their part.

Obviously, a “Gap Assessment” will be one of the requirements that banks have to undertake immediately, and it will shape the bank's further road map. Since a gap assessment is an assessment of the current status, it can and should be ordered immediately. Hence the Board of Directors, after taking note of this circular, should immediately order a gap assessment and expect the results to be available by the next board meeting. Otherwise they will need to record a delay in compliance at that meeting, failing which their oversight will itself show a shortfall.

Independent directors should take special note of this requirement and should not allow this circular to be brushed under the carpet. (They can expect numerous RTI applications from industry watchdogs, which should keep them on their toes.)

Overall, the circular represents a “quantum jump” in the Reasonable Security Practice criteria under ITA 2008 and should shake up the industry.

We may add, however, that in the past RBI has been good at issuing advisories to banks but has not cared to follow them up. Major banks have used their clout in the IBA to delay or defer good practices that RBI has tried to initiate. This circular should not be allowed to be treated in the same manner.

Now that RBI has also set up an IT subsidiary in addition to the Cyber Security and Information Technology Examination (CSITE) Cell referred to above, it will be interesting to observe the segregation of roles between the IT subsidiary and CSITE. Perhaps CSITE should continue to monitor the member banks while the subsidiary gets busy with information security within RBI itself.

Also, the role of IDRBT, which has hitherto been advising banks on security matters, including providing security clearances for applications (something that might have been ignored in recent years), may get revised, since CSITE and the IT subsidiary will already be addressing similar concerns.

It will be interesting to watch how the CISOs of banks react to this circular. I am sure that once the implications of the circular sink in, they will not be able to sleep properly, at least for some time.

Naavi has been critical of RBI management in recent days, basically because of its inability to push e-banking security. This circular addresses most of those concerns. I only hope that the guidelines will not simply remain on paper and that RBI will develop its own plan of action to monitor implementation over the next few quarters.

Pushing banks towards compliance should not be left to netizen activists filing RTI applications; it should be the responsibility of a person in RBI designated as a “Compliance Monitoring Official”.

Hopefully, Mr R. Ravikumar, the CGM who has issued this circular, will consider himself the “Chief Cyber Security Compliance Monitoring Officer” and develop a road map/checklist for himself to follow up.

I would have appreciated it if the circular had also mandated submission of a monthly compliance report, signed by the Chairperson and Managing Director, to RBI before the 5th of every month, to be placed before the Board at its subsequent meeting for post-facto information and approval.

Perhaps this can still be done, and I suggest that RBI add this guidance.

To summarize: great news for customers of e-banking; difficult times for CISOs and independent directors in banks.

Naavi

Posted in Cyber Law