“Even when my client is negligent, the liability can be on me” - a lesson from the TCS-Epic dispute

The US$ 940 million penalty imposed on TCS by a US district court (Wisconsin) should be considered a watershed moment in the history of data security management in India, since it involves one of the most reputed IT companies of India and what may turn out to be a simple case of information security negligence.

What is also important to note is that the kind of contravention TCS has been accused of is something many other companies in India indulge in as a matter of routine.

Sometimes such incidents of information security negligence arise out of the ignorance of individual employees; but when the practice goes undetected, and is even supported by several employees and their team leaders, one wonders:

…“How come none of these people were aware of the basic information security routine?”

It is possible that TCS may fight it out in court and get the penalty reduced. But there are many lessons Indian companies need to learn from this episode, including:

“Even when my client is negligent, the liability can be on me”

To understand how a Rs 6000 crore liability arose on TCS (bigger, in rupee terms, than the Satyam liability in the UPaid patent infringement case), we need to look at the details of the case, which are well explained in an article in wire.in. Another article in Business Standard debates the amount of the penalty.

Essentially, the incident involves employees of TCS accessing confidential information on the information systems of Epic Systems, a health care software company, which has accused TCS and Tata America International Corp (the American arm of TCS) of “brazenly stealing trade secrets, confidential information, documents and data”. One of the allegations is that TCS built a competing software product called “Med Mantra” using intellectual property stolen from Epic Systems.

According to the details now available, the case involves three (possibly four) parties, namely TCS, Epic Systems and Kaiser Permanente, a health care organization one of whose subsidiaries includes a chain of Kaiser Foundation Hospitals. In view of this there is a HIPAA-HITECH angle and a possible health data compromise, which could lead to further damage claims on Kaiser and, perhaps through Kaiser, on TCS. A previous client of Kaiser may also have a role to play in this game of negligence.

Kaiser had been using Epic software for hospital management since 2003, and TCS was a consultant to Kaiser and had also signed an agreement with Epic acknowledging that “Epic’s program property contained trade secrets of Epic protected by the operation of law”. In 2011, TCS was engaged by Kaiser to test the Epic software through approved offshore development centres in Chennai and Kolkata, where certain data security measures were to be in place. These measures included simple things such as blocking web access and USB ports, essentially to ensure that the employees did not get unauthorized access to Epic’s data.

(It may be noted that the testing environment ought to have also been “HIPAA compliant”, since there was exposure to the risk of compromise of individually identifiable health information of US citizens, though this point has been completely missed in the discussions so far.)

It appears from the records that TCS failed to have adequate information security measures in place in the development centers.

Additionally, during the testing process, TCS employees regularly required access to some internal documents of Epic, since they were the essence of the testing process. Such documents were available on Epic servers and ought to have been selectively released to the TCS employees, under Epic’s authorization, on a need-to-know basis whenever required.

To simplify the process, it appears that, when required, access to Epic’s proprietary data such as “Release Notes” (the foundation documents for the testing process) was granted directly to TCS employees. While the approved process was for TCS to request the relevant documents from a Kaiser employee, and for Kaiser personnel to download the document and provide it to the TCS employees, a work-around was initiated in which TCS employees acted on behalf of Kaiser and accessed and downloaded the documents directly.

It is here that we can say Kaiser was negligent in allowing such access; but TCS could have refused the access offered and raised a flag about the potential breach of information security principles.

One of the employees, who had earlier worked with another Kaiser client and had at that time been given access to Epic’s system (UserWeb), then joined TCS and started working on the project. Feeling that the lack of direct access to the Epic system was delaying things, he checked whether his earlier access to UserWeb still worked. To his surprise, neither his past employer, nor Kaiser, nor Epic had disabled the access, so he happily continued to use the old company’s access to do work for TCS. He also shared these credentials with other members of his team, and they all used them to access and download documents from Epic, impersonating the ex-employee of another firm without understanding the gravity of the situation.

The fact that these TCS employees were unaware of the risk of sharing passwords, and those of a different firm at that, indicates a complete failure of the training provided and of the security culture prevailing in the team.

Here again there was gross negligence on the part of the erring employee’s earlier employer, Kaiser and Epic, which contributed to the unauthorized access.

While it remains a matter of debate whether TCS or its employees can be charged with bad intentions or with misuse of the IP to develop a competing product (allegations that will be tested in the course of the legal trial), the fact that there was an information security failure at TCS, Epic, Kaiser and the unnamed Kaiser client where the erring employee was earlier working is apparent.

Who has to take how much of the blame and how much of loss is a matter which the Courts can decide.

Whether the Courts will be able to appreciate this as an “Information Security Failure” and not “Hacking” depends on how mature the Judges are and how effectively the lawyers present their case.

Before I end, I cannot but express my feeling that it would have been better for all the parties concerned if this dispute had gone to an arbitration where technology and information security experts had sat in judgement rather than the Juries and Judges who may be more conversant with Computer Abuse law than the nuances of Information security governance.

Perhaps here is a case for TCS and the like to consider odrglobal.in as the dispute resolution mechanism, at least in future. Of course odrglobal.in is only a technology platform, and the adjudication of liabilities has to be done by experienced arbitrators who need to be appointed.

I call upon the IT industry in Bangalore to set up an “International IT Arbitration Council” and invite NASSCOM and STPI Bangalore to take up the necessary initiative.

Naavi


Posted in arbitration, Cyber Law

Unified Payment Interface makes Mobile a better tool for financial frauds

Last week, the Reserve Bank of India proudly announced the launch of a “Unified Payment Interface” (UPI), hailed as the next giant leap in “Digital Payment System Innovation”.

UPI is expected to make our mobiles a universal instrument for all forms of payment, including person to person (P2P) money transfers, Government to Citizen (G2C), Business to Consumer (B2C) and Consumer to Business (C2B).

UPI would be used not only to make a payment, when the person who wants to pay pushes money out of his account into a beneficiary’s account, but also to receive a payment, when the person who is owed money sends a “pull request” to the payer.

The “pull” system has the potential to turn into something sinister, like a collection agent digging into your pocket and taking out money. For example, an arrack supplier could supply arrack on credit and pull the money out of the labourer’s account on pay day before his family can lay its hands on it. The system can also be used by fraudsters to pull money through fraudulent transactions.

Under UPI, the National Payment Corporation of India (NPCI) will maintain a central repository of an individual’s Aadhaar ID, his various bank and card details and his mobile number. This creates a single point of access to an individual’s financial, personal and mobile information, so that all of it can be integrated to enable payment from one mobile owner to another. The mobile will become a universal KYC instrument, querying Aadhaar for information and identifying itself through an OTP sent to the mobile.

In the proposed system, the Bank account becomes secondary and the mobile becomes the primary access point to your bank account. When you ask your mobile to pay, it will instruct your Bank. If you want to receive money from another mobile owner, you ask your mobile to collect the money and it will contact the other mobile and pull the money.

At first glance the system appears attractive, and in fact exciting for tech-savvy persons. But in this rush to use the technology, the security of citizens’ savings in the banking system appears to have been completely ignored.

The mobile as an instrument, its operating system and its app environment are yet to mature from a security perspective. At present there are numerous technical bugs that can be exploited by criminals when a mobile is used for financial transactions.

When the mobile is used as a KYC instrument through OTP, the neighbourhood mobile store worker who sells SIM cards becomes an intermediary who can interfere in the process of issuing new SIM cards. This is a channel that is often exploited by criminals and terrorists to obtain fake and cloned SIMs.

When this unregulated channel is relied upon by Banks and the e-KYC system, the security of the entire identity process is subordinated to the KYC process of the mobile service provider.

It is like your Airtel KYC verification agent  becoming a Bank officer to approve your signature on an account opening form. He may be a glorified courier boy who can verify address efficiently but does not understand the importance of KYC in financial transactions.

I am only highlighting the huge responsibility that the KYC agents are hoisted with and not trying to be disrespectful of the KYC agents presently operating in the scene.

A small example of the issues that come up when the mobile becomes the universal payment interface follows.

Let us say your friend walks up to you and asks for a loan. You say, sorry friend, I don’t have money.

If your friend says.. “Yar, don’t bluff, I just saw you had a balance of 50,000/- in your account. You received a bonus yesterday Isn’t it?”, how would you feel? ..

…You may keep wondering how on earth he came to know about your bonus.

Remember that, in the current scenario, knowing someone’s bank balance may be as simple as dialling *99# on a mobile (perhaps your friend’s or spouse’s) and entering the first four letters of the bank’s IFSC code (e.g. ICIC for ICICI Bank or UTIB for Axis Bank). This executes what is called a USSD code, and if the mobile is one registered for internet/mobile banking, it may give out not only the balance but also the last few transactions without even asking for a PIN or password. (Try it on your mobile and check whether it gives out your bank information.)

If anybody who gets temporary access to a mobile can learn the bank balance of its owner, that is a serious breach of privacy and confidentiality of information. It is not only against established banking tradition, but also a contravention of the legal provisions of the Information Technology Act 2000 and of the constitutional right to privacy.

Under the UPI system it is also envisaged that every user would be provided a “Virtual Address”, linked to all his accounts, which would work as a universal ID for financial transactions.

For example, let us say your friend Ramesh is a customer of Axis Bank and has the ID Ramesh@axisbank as his virtual address for making payments into and out of the account. You send money to him occasionally through UPI using this virtual banking address. It is possible that another person holds the virtual financial address Ramesh@icicibank, and you may make an erroneous remittance.

More probably, a fraudster may use the contact list information you have shared with an app and alter the virtual financial address from Ramesh@axisbank to Ramesh@icicibank. Once that is done, your next payment goes to the fraudster at ICICI Bank and not to your friend. Out of courtesy, your friend may never tell you, so repeated payments may go to the fraudster; and even if it is found out later, the recipient may simply claim he was not aware that he was receiving money that did not belong to him.

Yet another issue UPI throws up is the risk in the facility that enables a receiver of money to “pull” money from your account by sending a message to your mobile.

Nowadays it is common for apps to be able to read incoming SMS messages without any intervention by the mobile owner (e.g. the auto-filling of OTPs in some mobile banking apps). When a “pull money” request arrives at the mobile and asks for “permission”, it is possible that your mobile may simply grant the permission without your even knowing what is going on.

If necessary, a fraudster could send malicious code to extract your permission, say by first sending a message that says, “Hi, I want you to send some money through UPI. Shall I?”, and such a message may appear to come from one of your known contacts.

Most recipients will open such an SMS and may even reply, if necessary by clicking a link that purports to send an automated reply: “Yes. You can send. My virtual address is ……”.

In the meantime a virus could already have been implanted in the mobile, and all the bank accounts or mobile wallets accessed through the mobile may be compromised.

Who would be responsible for such incidents?

Banks may say that the user should be aware of frauds and protect himself. But how practical is it to expect every mobile user, including the uneducated rural beneficiary of MNREGA and our own urban kith and kin who are not so tech-savvy, to be aware of sophisticated mobile viruses and take care?

Police will therefore have more challenging and perhaps frustrating complaints ahead of them, with an increased incidence of mobile fraud, mobile theft and consequential fraud. Legal pundits would be sweating to prove lack of due diligence by the multiple intermediaries involved in a transaction, making it near impossible for the victim of a cyber fraud to get a satisfactory legal remedy.

One safety feature that should have been an integral part of such a technology innovation is coverage of every user through a Cyber Insurance scheme at the cost of the Bank. Unfortunately, this is nowhere in the consideration of either NPCI or the individual Banks.

It is regrettable that, despite the risks cited above being easily foreseeable, RBI has failed to make it mandatory for Banks to provide Cyber Insurance cover to consumers against such frauds, despite repeated demands.

The need for such Cyber Insurance has also been brought to the notice of none other than the PM himself and yet the importance of cyber insurance as an instrument of social security is yet to be appreciated by the Government promoting Digital India, in a manner which we may regret some time in future.

In fact both RBI and Banks are assuring that the UPI system is secure but it appears to be a false and misleading assurance given to promote the new system and needs to be challenged.

The time has come, therefore, for mobile users to ensure that their mobile is never out of their sight and that they do not grant apps permission to respond automatically to incoming messages without an affirmative action such as entering a PIN or password.

Also, consumer protection organizations need to take the initiative in first educating the public about the risks of mobile banking in the UPI scenario and then about the security measures they need to take. They should also press for the mandatory introduction of Cyber Insurance for all mobile-based financial transactions at the cost of the Banks or the mobile app owners.

Naavi


Posted in Cyber Law

Mobile Apps of Banks ..Not audited by RBI?

Today I received an interesting question through the Cyber Law Guru mobile app. It was posed by one “Sisirk” and reads as follows:

Question: As per their RTI reply, RBI hasn’t really given permission to banks for social media banking. It only asked them to use SM to popularize their mobile banking. Some banks already offering services using Twitter or Facebook and RBI not saying a word! I came to know that RBI hasn’t audited the mobile apps being used by banks either!

So privacy and security of data of banking customers can be overlooked by such banks with blessings from RBI? How can we stop this nonsense? Thank you.

The keen observer has taken the trouble to check with RBI and has brought out an important point: that Social Media Banking has not been specifically approved by RBI. Going by what he has posted as the result of an RTI query, RBI has only asked Banks to use social media for promotion.

However, what Banks have done is to use Twitter and Facebook as their KYC agents and accept messages posted from those platforms to trigger banking transactions.

Now the execution of USSD codes on mobiles also gives direct access to banking servers, to the extent that information can be pulled out of them without any meaningful security.

In this context, I really have no answer to the question posed by Mr Sisirk. I agree with him that Banks are greedy after their commercial interests and try to use technology to improve their earnings even if it is at the cost of the customers. RBI is only good for sending out guidelines and does not take any responsibility for its guidelines being followed. It is the IBA which drives RBI rather than the other way round.

If RBI has not made any audit of the mobile apps, it is certainly a matter of concern.

I hope this revelation by Mr Sisirk will open the eyes of RBI and that it will take suitable care, at least in future, to ensure that the common customer’s interests are not sidelined to boost the profits of Banks.

I thank Mr Sisirk for bringing this fact to public knowledge and hope some positive action comes forth from RBI.

I request Mr Sisirk to share the entire RTI query/reply for publication so that we can get a better picture of the issue.

I also request RBI to comment on the revelation of Mr Sisirk.

Naavi

Posted in Cyber Law

Virtual Address of the UPI scheme: a Pandora’s box

One of the suggestions under the Unified Payment Interface is that the participating bank would issue a “Virtual Address” to the customer. This will replace the account number, and remitters would use this virtual address to send payment.

This system appears exactly similar to the domain name system, where IP addresses were replaced by human-readable names. To access this site you therefore use naavi.org rather than the static IP address of the server plus a folder identity. That system has also given rise to the problem of “similar” or “confusingly similar” domain names and conflicting claims. A naavi.org may be in conflict with a naavi.cn or a naavi.co.uk and so on, giving rise to issues of trademark and fraudulent impersonation.

Now NPCI is proposing naavi@icicibank vs naavi@axisbank vs naavi@sbi and so on, with a definite possibility not only of trademark issues but also of genuine wrong credits and fraudulent charges. If naavi@axisbank initiates a payment pull for a Flipkart purchase, all that is needed for a fraudulent charge on naavi@sbi is an OTP response, which can be engineered by a malicious app.

We are therefore on the brink of a new kind of “bank name dispute”, and lookalikes.com needs to start working on this new business opportunity.
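Both the contact-list alteration described in the UPI post above (Ramesh@axisbank silently becoming Ramesh@icicibank) and the confusingly similar names discussed here are the same problem seen from the paying side, and a wallet app can defend against it the way browsers and mail clients defend against look-alike domains: pin the address you verified for each contact and flag anything that deviates from it or resembles it. The following Python class is added here as an illustration; it is not NPCI’s, any bank’s or any wallet app’s code. The name@handle address form, the handle allow-list, the partial confusable map and the contacts are constructed assumptions.

```python
"""Payee pinning and look-alike detection for UPI-style virtual addresses.

Added example; this is not NPCI's, any bank's or any wallet app's code. The
'name@handle' address form, the handle allow-list, the confusable map and the
contacts below are constructed for illustration.
"""
import unicodedata

# Constructed allow-list of bank handles the wallet is prepared to pay to.
KNOWN_HANDLES = {"axisbank", "icicibank", "sbi"}

# Partial, constructed map of characters that render like Latin letters.
# Used only for comparison (skeletons), never to rewrite the address itself.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y",                  # Cyrillic c x y
    "0": "o", "1": "l", "\u0131": "i",                             # digits, dotless i
}


def canonical(vpa):
    """Normalise Unicode form and case; this is the identity used for pinning."""
    vpa = unicodedata.normalize("NFKC", vpa).strip().casefold()
    local, sep, handle = vpa.partition("@")
    if not (sep and local and handle) or "@" in handle:
        raise ValueError(f"malformed virtual address: {vpa!r}")
    return f"{local}@{handle}"


def skeleton(vpa):
    """Fold confusable characters so visually identical addresses compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in canonical(vpa))


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-keystroke look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class PayeeBook:
    """Pins the verified address of each contact and flags suspicious deviations."""

    def __init__(self):
        self._pins = {}  # contact name -> canonical address verified out of band

    def pin(self, contact, vpa):
        """Record an address the user confirmed with the payee by another channel."""
        self._pins[contact] = canonical(vpa)

    def check(self, contact, vpa):
        """Findings for a proposed payment; an empty list means it matches the pin."""
        c = canonical(vpa)
        local, handle = c.split("@")
        findings = []
        pinned = self._pins.get(contact)
        if pinned is None:
            findings.append("new-payee")          # never verified: confirm before paying
        elif c != pinned:
            findings.append("changed")            # the contact-list entry was altered
        if handle not in KNOWN_HANDLES:
            findings.append("unknown-handle")
        for other_contact, other in self._pins.items():
            if other_contact == contact:
                continue
            other_local = other.split("@")[0]
            if skeleton(other) == skeleton(c):
                findings.append(f"lookalike-of:{other_contact}")
            elif other_local == local:
                findings.append(f"same-name-different-handle:{other_contact}")
            elif edit_distance(other_local, local) == 1:
                findings.append(f"near-match:{other_contact}")
        return findings


if __name__ == "__main__":
    book = PayeeBook()
    book.pin("Ramesh", "Ramesh@axisbank")
    print(book.check("Ramesh", "Ramesh@icicibank"))        # contact entry altered
    print(book.check("Suresh", "r\u0430mesh@axisbank"))    # Cyrillic 'а' look-alike
    print(book.check("Suresh", "ramesh@sbi"))              # same name, other bank
```

The app should refuse to pay on a “changed” or “lookalike” finding until the user re-verifies the address with the payee by voice or in person; the pin is only as trustworthy as that first verification, which is why it is recorded explicitly rather than taken from the contact list an app may already have tampered with.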

For the common man, this would be a new headache to contend with.

Has NPCI thought of this “Identity Risk” and the legal issues arising out of them?

Who cares? Mr Raghuram Rajan has given his clearance and that is enough to hoist the system on the unsuspecting public.

Naavi

Posted in Cyber Law

The Unification of Fraud possibilities through UPI

The Unified Payment Interface launched by RBI on 12th April 2016 on a platform managed by the National Payment Corporation of India (NPCI) poses a huge challenge to the security of public money held in Banks.

As we go forward, the banking IDs and mobile wallet IDs of individuals will be integrated into a single “Virtual Address” with which a person can push or pull payments from others. At the back end, NPCI will maintain a repository, similar to the Aadhaar repository, in which the mapping of a customer’s different bank accounts is maintained.

Conceptually the idea appears attractive and efficient; technology enthusiasts can boast of a breakthrough in the “mobile as a universal payment management device” and tax authorities can gloat over a “cashless society”.

However, the risks of committing the national payment system to such an immature technology as the mobile platform, where a large number of devices are supplied from China (known for planting a “Manchurian chip” into credit card swiping equipment and for “planting people” into companies in India), are too great from a national security perspective.

It is unfortunate that the risks of any compromise of security are borne by the citizens of India, and that neither NPCI nor the Banks can be trusted to protect the consumer.

The various cases being fought in the country between phishing victims and the Banks are a standing example of how common people lose money every day while the Banks, supported by RBI and IBA, flex their legal muscle to browbeat customers into bearing the loss.

The Government of India is also compromised under the influence of the banking lobbies, with the result that the Cyber Appellate Tribunal has had no Chairperson since 2011, and consumer-oriented Adjudicators such as Rajesh Agarwal of Mumbai and PWC Davidar of Chennai were shunted out of their positions. Adjudicators in Karnataka went a step further in twisting the law to support the Banks against victims of fraud, even taking on the legal department of the State and the Human Rights Commission. Some High Courts, such as Karnataka, were also unable to provide justice, as they were blinded, for whatever reason, from seeing through the games played by Banks to avoid their liabilities.

Our honourable Prime Minister has also repeatedly ignored the call for the mandatory introduction of “Cyber Insurance” to protect insecure mobile payments and technology innovations in banking. Poor Rahul Gandhi can only understand the plight of “farmers”, who form a vote bank, and not the plight of victims of bank frauds, and hence there is no pressure on the Government to ask Banks why they do not have Cyber Insurance in place to protect consumer interests, which was in fact made mandatory through RBI’s Internet Banking guidelines of June 2011.

CERT-IN, which should be concerned, and the CCA, which is the custodian of the digital identity of Indians, are part of the Ministry of Information Technology and do not think independently. They support the technology initiatives without trying to fulfil their statutory obligations.

Overall the future of financial security in India appears to be grim.

It is common knowledge that when we travel, we do not keep all our cash in a single pocket, because of the threat of pickpockets. But NPCI thinks that keeping all our financial IDs under one “Virtual Address” is a great idea. The idea may be good, but the risks are being ignored.

When a mobile is used as a universal financial ID, we must factor in the possibility of the mobile being stolen, or at least compromised through malicious apps. Has NPCI considered the possibility of a mobile being hijacked by a fraudster? If that happens, the person’s bank balances across multiple Banks and the limits on his credit cards are liable to be stolen.

It has now become common practice for apps to be designed with the ability to read SMS, so the so-called OTP sent to a mobile is always answered by an automated reply. How can this be called two-factor authentication when the mobile owner never gives affirmative consent to the OTP? While the law in India wants digital signatures, why is the Government supporting OTP as a universal technology, even for obtaining a digital certificate under the e-Sign system? All this defies logic.

To top it all, we are opening the financial vault of an individual to the execution of USSD codes. I consider this an unacceptable risk. But as a bank customer, this service and its insecure banking have been forced on me.

The only logic that explains all these stupid acts of technologists and bureaucrats is that the global fraud industry is slowly taking over the Indian economy for commercial gain.

What is more alarming, however, is that one day this will explode as a “Cyber War” or a “Cyber Terror Attack”, long before the Pakistani nukes fall into the hands of Al Qaeda.

I hope the deaf bureaucrats in the Government who may actually be more patriotic than me but ignorant of the risks listen to these shouts and protect the National Security interests before getting blown over by presentations by technologists.

The only way out of this for the individual is to de-register the mobile from the bank account, go back to cash transactions and use the good old mobile handset which is not smart but meets one’s communication requirements… Yes, for the sake of securing ourselves from the insecurity spreading around us, we need to take a few steps back in technology use, since we need to survive before we can enjoy life.

Naavi

Posted in Cyber Law

Biggest data breach in Indian Banking ?

If you are an ICICI Bank customer, beware that your bank account information is open to anybody who is in possession of your mobile. This is a breach of privacy under the age-old banking laws, besides being a violation of Section 72A and Section 43A of ITA 2000 (as amended in 2008), for which the CEO of the Bank can be imprisoned for 3 years and compensation claimed for the loss.

This is because if anybody takes your mobile (if it is the registered mobile associated with the account), types *99# on the dial pad and hits call, the USSD code executes and asks for the first four letters of the IFSC code. On entering ICIC, you are given direct access to the bank account with options to:

1) View Balance

2) See mini statement

3) Send Money using MMID

4)Send Money using IFSC

5) Generate MPIN

For viewing the balance and the mini statement there is no password requirement; on entering 1 or 2, the relevant information is displayed on the mobile.

It is unfortunate that this security flaw exists not only at ICICI Bank but at a few other Banks as well. Readers can check their mobiles and keep me informed about other Banks.

I hereby give notice to ICICI Bank and RBI as well as CERT IN that the above flaw puts “Sensitive Personal Information” of ICICI Bank customers at risk of Breach of Privacy and consequential further risk of monetary loss.

The incident should be an eye-opener to Indian Bankers, led by RBI and IBA, who have embraced mobile technology without understanding the risks associated with it. This is negligence at the level of the highest banking authorities in India and exposes systemic inadequacies.

The incident is a potential “Data Breach” which, according to Section 79 read with Section 43A, should be reported by the Banks to CERT-IN. Will CERT-IN respond and take action?

I hope the Finance Minister and the PM take note.

Whether or not the politicians take note, and whether or not the Bankers take note, I request the public to take note and initiate corrective action. I hope somebody files a PIL in a Court and demands answers from the Banks.

Naavi

 

Posted in Cyber Law