A Bug in a Mobile Wallet and 5 techies end in Jail.. Where was the Bug Bounty Program?

Posted on March 24, 2016 by Vijayashankar Na

The recently reported fraud in Kolkata where five engineering students were arrested for a Bank Wallet fraud involving Rs 8.6 crores is an incident to ponder. (See the report in TOI here).

According to the report, the persons arrested were Engineering Students who found out perhaps accidentally, a bug in the wallet program and its back end software functionality.

It appears that when a transaction was initiated, for a C2C transfer of money, an instruction went out to the Bank to initiate the payment to the destination mobile account. However when the destination account was not connected to Internet, at the originating end it was deemed as a failure of the transaction and the account was not debited. However, when the destination account reconnected to internet, the system recognized the event and  completed the payment from the Bank end without debiting the originating customer’s account.

This was distinctly an error in the way the transaction processing was planned by the wallet developer. The destination person not being immediately within reach is a standard use case scenario, the transaction ought to have beeen planned as a three legged transaction.

The first leg is the initiation of the transaction when the amount is debited to the originator’s bank account and transferred to a “Remittance in Transit” account. Then in the second leg, the bank’s server should try to establish contact with the destination end and if successful, debit the amount to the “Remittance in Transit Account” and credit it to the beneficiary. Then in the third leg, the beneficiary should accept the transaction and completes the transaction.

If all the three legs go through smoothly, the transaction would be completed in the sequence on a real time basis. However there would be a proper recording of a failure in each of the above three legs in which money would not fall into wrong hands.

If the transaction fails in the first leg, amount would not be debited to the sender’s account. If the transaction fails in the second leg, money remains in the Bank and can be returned to the originator if a complaint is raised or after a lapse of a default period of say one hour. Finally, if the transaction is rejected by the beneficiary, the transaction can be reversed. If the beneficiary is aware that no money is due but still accepts the receipt, he would be legally bound to return it in case of any credit by a mistake.

This process is a typical process for “Cyber Law Compliant App developing” which the undersigned has been advocating for a long time and techies are unable to comprehend.

It is unfortunate that the reported fraud occurred in a Bank where the Bankers should have tested and ensured that the above process was followed. This is a “Negligence” and failure of “Due Diligence” at the Banker’s end and hence make them directly liable for assisting the commission of the above crime and reimburse the victims.

The techies are normally not domain specialists and hence are naturally naive enough to accept whatever broad product specification is given by a client (who himslef may not understand how technology works). The techies focus on the functionality of the app and reducing the steps in completing the transaction so that the transaction goes through fast. In fact it would not surprise me if the wallet developer in the above case would have been proud of the way his wallet was processing the transaction without understanding the major flaw.

The techies in this case however failed in not subjecting the wallet to a proper testing and also not using a “Bug Bounty” program with sufficient incentives so that the Engineering students who were perhaps not “Born to Commit a Crime” would have been incentivised to report the bug rather than gang together to commit a grand fraud which will now put them in to jail and destroy their future permanently.

At present, the media has not published the name of the Bank nor the name of the App which was involved in the fraud. They may be presuming that they are protecting the privacy of the Bank and the App and preserving their reputation.

However, it must be stated that this is a major incident which has a need to be publicized in the interest of the public. In case I am the user of the App, I need to take care. If I am a customer of the Bank, I need to take care because I now know the Bank is reckless in technology adoption and can endanger me elsewhere. By protecting their identity, media is hiding the truth and protecting those who does not deserve protection. I therefore charge that the media has also failed in its duty at this point of time in not fully disclosing the incident details.

Since an FIR has been registered and a charge sheet is going to be filed shortly (Unless the Police are forced to be compromised before the filing of the charge sheet), the identity of the Bank and the App is a public information and hence should be in public domain sooner or later.

I request any of the readers who are aware of the name of the Bank and the App to consider revealing it in public interest.

At the same time, I request all App developers to take care of proper testing, proper domain knowledge inputs and a good Bug Bounty program as a standard procedure before releasing the app at least in the sensitive sectors.

All the Banks who are now using various wallet should also review their own Apps and ensure that similar bugs donot endanger their clients.

Naavi

Also Refer:

Wallet Frauds on the Rise: Business Standard

Mobile Wallet Frauds set to raise: Deloitte: Governancetoday.co.in

Aadhar Cards..should they be used in wallets..as KYC?: track.in

Bug Bounty Program from Government Required..

 

Posted in Cyber Law | 1 Comment

Flipkart CEO’s E mail hacked…

Posted on March 18, 2016 by Vijayashankar Na

In an interesting development of how even tech savvy CEOs often become victims of Cyber Crimes, it is reported (See the Report here) that Flipkart CEO’s E mail was hacked and two mails were sent from it to the company’s CFO asking for transfer of $80000/-.

Fortunately, the CFO decided to personally check with the CEO Mr Binny Bansal who immediately confirmed the fraud so that further damage could be prevented.

binny_bansal_email_hacked

The incident highlights that Cyber Criminals use well directed targeted attacks. Some times they may use sophisticated methods but many times, simple methods also work.

Preventing such frauds require building up of  an enterprise level culture of Information Security which does not stop at technological approach to information security but extends to legal and behavioural aspects.

Naavi

Posted in Cyber Law | Leave a comment

Flipkart blacklists Sellers for malpractice

Posted on March 18, 2016 by Vijayashankar Na

In a bid to check fraudulent practices by sellers, Flipkart has instituted a “Mystery Shopping” team and found several malpractices including,

a) Supply of substandard products

b) Selling of Counterfeit products

c) Buying out competitor’s products and returning them

d) Buying own inventory to benefit from cash back offers

(Refer Article in ET)

The exercise carried out over a period of 6 months resulted in about 250 sellers being black listed. Feedback were taken on about 600 sellers. Some of them were guilty of inefficiency in the form of wrong labeling or packaging and are being given training to improve their performance.

It is said that there are about 85000 sellers on the platform. It is understood that Paytm has blacklisted around 3000 sellers last year and similar exercise is done by other E-Commerce agencies as well.

Recently, three persons were arrested in Nagpur for floating an entire e-commerce website along with a payment gateway to defraud the public through fake transactions. (Refer Article in TOI here).

Fake websites in the Government sector have also been used to defraud Netizens. (Refer Article here)

It was therefore natural that frauds do take place in the platform of reputed e-commerce players both by sellers and even some buyers.

Flipkart and other E Commerce players need to therefore be ever on the vigil to check such malpractices.

Naavi

Posted in Cyber Law | Leave a comment

Cheque In Electronic Form, redefined, Implications on E Banking

Posted on March 16, 2016 by Vijayashankar Na

Section 6 of the Negotiable Instruments Act 1881 defined the term “Cheque” as follows:

A “cheque” is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand.

This section was amended and expanded  by the Negotiable Instruments (Amendment and Miscellaneous Provision) Act 2002 with effect from 6th February 2003 to include “Cheques in Electronic Form”.

The amended section then read:

6. “Cheque”.– A “cheque” is a bill of exchange drawn on a specified banker and not expressed to be payable otherwise than on demand and it includes the electronic image of a truncated cheque and a cheque in the electronic form.

Explanation 1.–For the purposes of this section, the expressions–

(a) “a cheque in the electronic form” means a cheque which contains the exact mirror image of a paper cheque, and is generated, written and signed in a secure system ensuring the minimum safety standards with the use of digital signature (with or without biometrics signature) and asymmetric crypto system;
(b) “a truncated cheque” means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

Explanation II.–For the purposes of this section, the expression “clearing house” means the clearing house managed by the Reserve Bank of India or a clearing house recognised as such by the Reserve Bank of India.

The above amendment had a relation to ITA 2000 since “Cheque in Electronic Form” was one of the electronic documents to which the ITA 2000 applied.

Now the NI Act has been further amended with “The Negotiable Instruments (Amendment) Act 2015” passed on 29th December 2015 with effect from 15th June 2015.

This amendment inter-alia re-defines the  term “Cheque in Electronic Form” by replacing the explanations which now now read as follows:

Explanation 1.–For the purposes of this section, the expressions–

(a) “a cheque in the electronic form” means a cheque drawn in electronic form by using any computer resource and signed in a secure system with digital signature (with or without biometrics signature) and asymmetric crypto system or with electronic signature, as the case may be;
(b) “a truncated cheque” means a cheque which is truncated during the course of a clearing cycle, either by the clearing house or by the bank whether paying or receiving payment, immediately on generation of an electronic image for transmission, substituting the further physical movement of the cheque in writing.

Explanation II.–For the purposes of this section, the expression “clearing house” means the clearing house managed by the Reserve Bank of India or a clearing house recognised as such by the Reserve Bank of India.

Explanation III.—For the purposes of this section, the expressions “asymmetric crypto system”, “computer resource”, “digital signature”, “electronic form” and “electronic signature” shall have the same meanings respectively assigned to them in the Information Technology Act, 2000.’.

The amendment is meaningful and confirms what was already understood with the passage of ITA 2000 (effective from 17th October 2000) which recognized the electronic document and digital signature as equivalent to paper and written signature.

In the earlier system, there was a need to scan  a cheque to transform into an electronic form and cancel the physical cheque simultaneously. It was not practically convenient and it is good that RBI realized its mistake and corrected the system.

Now any document which is an unconditional order to a banker affixed with digital signature can be called a Cheque in Electronic form.

However, it will be necessary for Banks to make an addition to their Account operational instructions to include instructions on how a  non standard format satisfying the definition given in Section 6 (2015 version) received by the Bank would be handled.

It may however be necessary to take note that the amendment does not make any changes in the “Presentment” of  or “Payment in Due Course” or “Collecting Banker/Paying Banker responsibilities” of an electronic cheque.

Now that the definition of the cheque in electronic form has been  added to the NI Act without further changes to other aspects of NI Act, Banks should be prepared to receive an e-mail from a customer attaching a digitally signed cheque in electronic from issued by another customer of the same Bank or another Bank and take a decision on what to do.

Presently the clearing system operates on truncated cheque system and there is no defined system for clearing the new Cheques in Electronic form. RBI needs to take action on introducing a system of clearance of such cheques.

Since the NI Act has not been further amended to re-define the concepts of endorsement in electronic form, holder in due course of an Cheque in electronic form, etc, there are several aspects of NI Act which needs to be interpreted for Cheques in Electronic form.

An interesting phase of development in electronic banking is now before us. There will be certain adverse implications of the amendment not being comprehensive enough. Probably, there will be a need for a quick further amendment to reduce the uncertainties created by the amendment-2015

Naavi

Copy of the Amendment Act

(More on the implications of the new NI Act will be discussed in these columns in the coming days. I invite comments and views from readers in this regard)

Posted in Cyber Law | 1 Comment

Cheque Cloning Fraud that exposes the weaknesses in the Banking system

Posted on March 15, 2016 by Vijayashankar Na

While we are frequently discussing the sophisticated Digital Crimes, some times it is the simple crimes that pose a challenge to the system. One example of this is the report that appeared today in TOI about the busting of a “Cheque Cloning” gang in UP.

According to the reporta gang of five persons were involved in a fraud involving encashment of forgery of bank cheques. The modus operandi appears too complicated in this era of digital crimes and set to fail, but it also exposes the vulnerability of the Banking systems to simple frauds.

According to information in the press, the gang first tried to get a photograph of cheques issued by companies by loitering around in the Bank premises, then duplicated the cheque by chemically altering the number and forging the signature by tracing the signature. They also called the Bank and obtained the balances in the account giving some details such as the “last payment made”.

It appears that they used the cheque leaves issued to themselves while opening the account and created the forged cheques by altering the Cheque Number. They also encashed the same as account payee cheques.

As an Ex-Banker, I feel that the Bankers involved here were naive enough not to be able to detect the chemical alterations and not recognize forged signatures. They were also guilty of revealing the balance in the account to an unauthorized persons.

There were also negligence in the collecting bank where the fraudulent cheques were encashed and withdrawn.

I suppose the customers have been provided immediate credit of the fraudulent withdrawals without banks raising any objections about customer negligence.

While the Police will take care of prosecuting the fraudsters, we need to take a look at the systems that might have enabled commission of this fraud.

Presently, Banks are following the “Truncated Cheques” system of clearance where the paying bank does not receive and verify the cheque. It receives only a digital copy of the cheque forwarded by the collecting bank. The Collecting Bank is therefore responsible for recognizing  the material alterations which they have failed to do. The paying bank is however responsible for the non recognition of forgery in the signature.

Again just as the “Truncation” conceals the chemical alterations, the Banker’s verification of signature using only a digital image of the signature is also a reason why finer aspects of forgery cannot be detected.

Hence part of the problem can be attributed to the use of digital images in replacement of the physical cheques in the processing.

Another problem could be the over dependence of the staff on the computerised processing where the arithmetical accuracy overrides the verification of the genuinity of the transaction and passing of cheques becomes a routine that is handled by the systems with the human being reduced to pressing a few computer buttons.

Since digitization of banking is irrevocable, we need to only discuss how to mitigate the risks of using digital images in replacement of physical instruments for payment. This requires a change of mindset in the bank employees of the current generation who are born into an era of digitization and are unaware of the risks associated with the physical instruments particularly when a “physical instrument is used in a digital state”.

It would be interesting to see how the Bankers would respond to this “Cheque Cloning” fraud.

Naavi

Posted in Cyber Law | 2 Comments

Challenging Arbitration Awards under the new Arbitration Act

Posted on March 9, 2016 by Vijayashankar Na

One of the important changes that the new Arbitration Act in India (Arbitration and Conciliation Act 1996 as amended in 2015 or ACA 1996/2015) has brought in is in the matters relating to the Finality of Arbitration Awards.

Under the replaced section 36 of the Act on “Enforcement”, it is now stated that

” Where an application to set aside the arbitral award has been filed in the Court under section 34, the filing of such an application shall not by itself render that award unenforceable, unless the Court grants an order of stay of the operation of the said arbitral award in accordance with the provisions of sub-section (3), on a separate application made for that purpose.”

This provision means that unless a stay is specifically granted, mere filing of an application for setting aside an award shall not result in the arbitral award not being enforced .

As a result of this provision, it becomes necessary for the objecting party to satisfy the Court that a stay is necessary and there is a substantial case under Section 34 for the award to be set aside.

Under Section 34 of the Act, an arbitral award can be set aside only if the party furnishes proof that

a) A party was under some incapacity

b) Arbitration agreement is not valid under law

c) Party was not given proper notice of of the  Appointment of the Arbitrator or of the Arbitral Proceedings or that he was otherwise unable to present his case

d) Arbitral award was beyond the scope of the submission to arbitration

e) Composition of the Arbitral tribunal was faulty

Readers will appreciate that the procedure adopted by ODR Global (www.odrglobal.in) for Virtual ODR, effectively captures evidence that can be used to prove or disprove any of the above points when a Court sits in judgement. In the absence of the CEAC certified recording that ODR Global provides, it would be difficult to prove only with the copy of the Award that the point such as “was unable to present the case” can be proved.

Another factor under which the award can be set aside under Section 34 is when the award is in conflict with the public policy of India. This is a clause which is subject to interpretation and debate and could be a difficult aspect to prove.

The points that constitute conflict with public policy are

a) award induced by fraud

b) award induced by corruption

c) award was in violation of Section 75 (Confidentiality clause in a conciliation)

d) award was in violation of Section 81 (Production of evidence used in a Conciliation)

In connection with the above, it must be pointed out that the Virtual ODR process includes a role for an intermediary and the protection of confidentiality of a Virtual Conciliation proceeding rests with the confidentiality agreement that the Administrator of the ODR (eg: ODR Global) signs with the parties to the conciliation.

This view is recognized by the UNCITRAL Draft law on ODR which is in the final stages of being approved by the UN which states that the ODR Administrator shall follow a “Code of Ethics and The ODR administrator should adopt and implement appropriate confidentiality measures”.

Also the application under Section 34 should be made within 3 months after the receipt of the award.

Further the application shall be made only after serving a notice to the other party.

With all these conditions, the Court is expected to dispose off the application within one year.

The above safeguards indicate that getting an arbitral award delayed or over turned is not easy in most cases. In genuine cases, where the award needs to be challenged, the evidence that supports any of the requirements of Section 34 is very important.

A further appeal of the setting aside or refusal to set aside an award under Section 34 can be appealed in a higher Court and could be a possible means of delaying the award by one of the parties. But in view of the fact that “Stay” is not a presumption, the decree can be enforced even if the appeal is being discussed in a higher Court.

Parties entering into Arbitration must be aware of the finality of an award and ensure that at every point of the arbitration such as appointment of the arbitrator, meeting the deadlines in notices, placing its claim or defense, providing evidences before the Tribunal, or pressing for oral hearings and arguments etc, sufficient care is exercised so that they donot lose an arbitration by virtue of the laxity of the disputing party or his counsel. This adds an extra sense of responsibility on the Counsel as well as the choice of the Counsel by the party.

Despite a long history of Arbitration in India, with the new Arbitration Act there is a need for all Arbitrators as well as Counsels to study the material changes that have occurred in the Act an ensure that they donot contribute to any fault or error in the award.

In this connection it is also necessary for the Counsels and Arbitrators not to be mis-led by past Case laws which might have been decided under the old Act and apply it blindly to the new Act. In this connection, we may recall the Sundaram Finance Ltd V NEPC India Ltd  judgement in Supreme Court where the Court observed,

“… The Act of 1996 is very different from the Arbitration Act of 1940. The provisions of the Act of 1996 have, therefore to be interpreted and construed independently and in fact reference to the 1940 Act may actually lead to  misconstruction…”.

The above words hold true in the context of Act of 2015 modifying the Act of 1996 rendering most of the Case laws of the past being rendered not applicable in the current context. Legal professionals by force of habit should not simply quote past decisions and assume that the precedence would be acceptable even under the new law.

It is for this reason that this website tries to discuss the new law in great detail so that we can understand the difference between what the advocates studied and practiced until last year and what they are now confronted with.

Naavi

Posted in arbitration, Cyber Law | 1 Comment