Corporate Executives arrested for Cyber Crime

The owner and an IT official of Vast India Pvt Ltd (VIPL), a company in Mumbai, were arrested by Mumbai police for alleged violation of ITA 2008. The dispute arose when the data of 3.22 lakh candidates appearing for the Maharashtra Public Service Commission examination was deleted from the MPSC server, forcing a postponement of the examinations.

The report states that the arrested persons were trying to flee from Solapur. The alleged motive is that the two persons wanted to discredit MPSC and hence indulged in the crime.

Report in TOI

At this point it is not clear whether VIPL was maintaining the data and was negligent in securing the system, which would make the data loss a matter of negligence, or whether there is any evidence of malicious intention on the part of the accused.

According to the report, it was the MPSC’s internal probe which “revealed” that there was no virus. This needs to be established by an independent forensic evaluation since it is difficult to trust the capability of MPSC to come to a proper conclusion in this regard.

It is stated that the Police have seized certain hard disks and are investigating the cause of the data loss.

Naavi

Posted in Cyber Crime, ITA 2008

RBI Faces first challenge in Bank licensing on Aditya Birla Group and Conflict of interest

When the Chairman of a Group which applies for Banking license happens to be a Director of RBI for the last 6 years and continues to be so while the license application is being processed, do we need a second opinion on whether there is any conflict of interest?

The debate about whether there is any conflict of interest or not due to the application of Aditya Birla Nuvo Limited for Banking license amongst the 26 applicants appears strange. How can it be otherwise?

For the Company to say that “There is no conflict” is to be expected. But it is surprising that RBI says that it will refer the matter to the Government to decide if there is any conflict.

A senior official of SEBI is reported to have commented that

“.. till the company was considering applying for the licence and was weighing its options it was fine for the chairman to continue to be on the RBI’s board but then he should step down when the application is taken up for consideration. This is similar to a situation where a father is present on the panel interviewing his own son. There is always a possibility that the panel is influenced even if the person excuses himself from interviewing his son. The Birlas are a reputed group and the chairman will definitely take the right decision of stepping down as director of the RBI board when the time comes”

Some have suggested that Mr Kumar Mangalam Birla should recuse himself from Board meeting where the licenses are likely to be discussed. Some have stated that he should resign.

In our opinion, a person who has been a director for the last six years will continue to exercise influence on the decision of the Board in a situation like this even after he goes out. The statements from the group indicate that they do not accept that there is a conflict and are also expressing the confidence that they will get the license. This actually increases the perception of conflict and any decision in their favour will only vitiate the sanctity of the selection process.

Naavi has already suggested that there should be a transparent process of selection with the publication of the business plans submitted by the licensees and the reports to be submitted on each of the applicants by the selection panel. This would to some extent reduce the perception of unfairness in the allocation of licenses.

However, the only clear solution to the resolution of conflict is for RBI to reject the application of Aditya Birla Group.

The decision of RBI not to rule out the application due to conflict of interest and instead referring it to the Government is therefore an abdication of its responsibility and a first confirmation that political powers will determine who will get the licenses in this round of Bank licensing.

If my hunch is right, since Mr Subbarao will retire as the RBI Chairman, the Government will appoint a suitable person as the next chairman and ensure that the favoured real estate companies and share brokers will all get Banking license so that they can return the favour to their political masters in the days to come.

Naavi

Related Articles:

Will look into conflict of interest issue in Birla bank licence plea

Confident of getting bank licence: Kumar Mangalam Birla

Recuse or resign, that’s the question for Birla now

RBI to look into ‘conflict of interest’ in AB Nuvo’s bank bid

Communist Party voices concern over Birla’s role at RBI

Not all applicants may get licence: Subbarao

Issues over Kumar Mangalam Birla’s role now at RBI

Posted in Bank, RBI

Naavi’s proposition on Sanctions on Banks is reflected also in the EU guidelines

“Mandatory Sanctions” as a part of the Information Security policy has been advocated by HIPAA way back in 1996 and is being increasingly accepted as a necessary part of a good Information Security policy. The theory of Information Security Motivation advocated by the undersigned also provides an important role for mandatory “Sanctions” to ensure that intended information security measures are implemented in practice.

Now the EU has issued a directive indicating that employers and supervisory employees of organizations who do not take appropriate measures when cyber crimes are committed by their employees could themselves have to face the consequences. The rules allow member states to impose punishment even if an employee carried out hacking without the bosses' knowledge.

The detailed text of the directive is available here.

Basically the directive imposes a responsibility of "Due Diligence", failing which criminal liability may attach to the executives of the company.

This is the concept of "Vicarious Liability" inherent in ITA 2008 both under Section 85 and Section 79.

The directive expects that member states shall impose criminal penalties that are effective, proportionate and dissuasive. An interesting provision is

Member States shall take the necessary measures to ensure that a legal person held liable pursuant to Article 10(1) is punishable by effective, proportionate and dissuasive sanctions, which shall include criminal or non-criminal fines and which may include other sanctions, such as:
(a) exclusion from entitlement to public benefits or aid;
(b) temporary or permanent disqualification from the practice of commercial activities;
(c) placing under judicial supervision;
(d) judicial winding-up;
(e) temporary or permanent closure of establishments which have been used for committing the offence

Naavi, writing on "Will RBI disclose 'Sanction Mechanism' to enforce sanctity of Banking license conditions?" in the context of the new Banking licenses in India, had highlighted the need for RBI to disclose what sanctions it would impose on the Banks for failing to meet the regulatory requirements.

In the past RBI has not been able to impose its own regulations on the Banks and hence Banks in India openly indulge in money laundering, flout ITA 2008, flout RBI guidelines on Internet Banking and force customers to accept illegal operating conditions. These have been increasingly exposed in some adjudication proceedings against leading Banks such as ICICI Bank, Punjab National Bank, Axis Bank etc. Violations of RBI guidelines and law have been brought to the attention of RBI also with a request for cancellation of the licenses of the erring branches. RBI however has failed to respond with such strict sanctions and allowed the weak information security in Banks to continue and take the toll of the customers.

RBI should now observe the clear directives in the EU guideline and see the merit in the demand of the undersigned that closure of a few erring branches of Banks will make them realize that they cannot continue to take the customers for granted.

Similarly, when it comes to the licensing norms that RBI has set for the 26 applicants, RBI should ensure that along with the licensing norms, the sanctions for non-compliance are also disclosed and implemented without fear or favour.

Naavi

Posted in Bank, RBI

New Banking Licensees- Beware of IT Companies who want to trap you.

RBI has now invited applications for new banking licenses from the private sector, which has attracted 26 aspirants to make an application. Many of these are thinking of building their Banking empire on the edifice of technology.

Already, the Indian Banking system has become extremely "Technology Dependent". In fact RBI is making it mandatory even for RRBs to run on a "Core Banking Platform". RBI looks at Core Banking Software systems as a means of better information collection which may help RBI in the administration of its monetary policies. However, in the process RBI is forcing a banking platform which is unfamiliar to the Bankers, unmindful of the unsafe nature of the software.

The "Eurograbber" risk has already resulted in more than 36000 banking frauds across the European countries and is threatening to enter India. Once it hits the Indian shores, it can destabilize even the strongest of the strong Banks operating in India at present.

At this time the new Banking entrants appear to present an even higher risk for the Customers than the existing Bankers since their technology dependence is expected to be higher.

One of the reasons why these new Banks will be more technology dependent is that they will chase profits in a competitive world; as late entrants they need to make money by being more efficient. This of course is a good strategy and perhaps even inevitable.

Even before the applicants can be sure of getting their licenses, the IT Companies are already behind them to sell their "Core Banking Applications". Some of them may even like to be called "Partners" in setting up the new Banks. This again is a genuine marketing activity and is to be expected.

However in the process of listening to the high profile marketing pitch from IT Companies, the new Banks should be aware of the dangers of setting up their Banking entity as a dependent entity on the technology platform supplied by the IT Companies.

We must remember that all these companies are supplying "Core Banking Systems" that have not only failed to stop Eurograbber-type Trojans but are also not cyber law compliant, since they use "Password based authentication systems" instead of "Digital Signature based authentication systems".

Since many of the new Bank license applicants are not fully conversant with the Information Risk environment in the Banks and at least some of them are new to the Banking system itself, they could end up becoming over dependent on the software in driving their Banking business.

Bankers should understand that it is not Infosys or Oracle or Tata Consultancy that will determine how the Banks need to carry on their Banking activities. IT is only a tool with which Banks do their business as defined by the Banking Regulation Act, 1949.

In the past these IT Companies have foisted under-performing software on the industry, which is one of the root causes of the information risk inherent in the industry today. These IT companies sell software which is convenient to them and not what is safe for the customers. This is the reason why "Eurograbber" or "Zeus" type trojans can make merry in the system.

Unless the Bank owners demand a “Secure Banking Software” as a pre-condition these IT Companies will continue to make money at the expense of Bank customers.

Even the Banks need to ensure that they have enough internal expertise in "Core Banking" with which they can evaluate the functional aspects of a software product and identify its security loopholes. Unfortunately many of the new generation Banks think banking to be a "Customer Acquisition Marketing program" and engage professionals who are good in marketing but have little knowledge of the domain. They consider each customer as a "Profit Center" and try to maximize the profit per customer. In the process, if the customer collapses, they do not mind and move on to the next customer.

We need "Customer Centric Bankers" who keep the interest of the long term customer relationship as the key principle of banking and convert it into software specifications. The present situation, where Banks are reluctant to use Digital Signatures for banking authentication and ignore the need to use "Real time risk management software", indicates that most Bankers are not able to understand Banking risks and how they translate into information risk in a technology-driven banking environment.

Though there has been an improvement of information security practices in some Banks in the last 6 months, many Banks are far below the expected level of security.

The new Banking license aspirants should therefore avoid falling prey to the IT Companies by accepting their proposals on the dotted line, and should demand that the software vendors assume responsibility for frauds arising out of technology issues.

Customers are indifferent as to whether the technology vendor or the Banker bears the risk of technology frauds, but are keen that RBI makes Cyber Crime Insurance mandatory for the new Banks as a part of the licensing regime.

Older Banks may be happy with the proposal since it will create an additional barrier to the new Banks. It is left to the RBI to decide if Cyber Crime Insurance should be made mandatory even for the existing Banks. But even if Cyber Crime insurance is not mandatory for existing Banks and becomes mandatory only for the new generation Banks, it could become a factor of differentiation with which new Banks may promote their deposit products.

Whether the Banks are happy or not, if RBI makes Cyber Crime Insurance mandatory for new Banks, it would make the customers of the new Banks happy.

This should also add to the viability of the new Banks amidst the pressures of Financial Inclusion and Priority Sector lending. Since the technology platform of these Banks is being created afresh, it is possible for the Cyber Crime Insurance industry to work in close alliance with the technology vendors, Information Security professionals and the user Banks and ensure that the systems are tweaked to improve the security levels to levels higher than at present.

We can therefore look for more interesting and exciting times ahead for the Banking industry in India.

Naavi

Related Article:

Indian IT companies chase banking licence hopefuls

Earlier articles on New Banking License

Posted in Bank, Cyber Crime, RBI

The Thief who stole Rs 286 crores from Banks coming to India

Recently all across Europe, the “Euro Grabber” stealthily stole around 36 million euro (Rs 286 crores) from Bank customers. These were all customers who thought that

a) Their money in the Bank was safe.

b) Internet Banking was a great way to do Banking

The Banks thought that they had introduced the “Two Factor Authentication” which was a sophisticated system and made Internet Banking safe.

However, there came a great thief called "Eurograbber" along with his team of assistants and invaded thousands of PCs and Mobiles and finally stole money from around 30000 retail and corporate customers of different Banks across different parts of Europe.

"Eurograbber" is a new variant of the Zeus Trojan which steals the credentials of the banking customer both at the desktop and on the associated mobile. Hence it easily bypasses the 2 Factor authentication system and is able to execute unauthorized transactions in the customer's accounts. The trojan is currently known to have successfully attacked mobile systems using the Android, Blackberry and Symbian operating systems, which in other words may mean more than 95% of the systems in use.

"Eurograbber" is an intelligent trojan which is often dropped through the "Drive by Download" method. In other words, the infection does not require the user to answer a "Phishing Mail". All those Bankers who are crying from rooftops that "We do not ask for your passwords" and then say "Password can never be compromised unless the customer answers a phishing mail" must realize that the methodologies used by trojan droppers are beyond all these routine security warnings. Customers may get infected when they have visited a newspaper site or clicked on an unrelated Google search result or sometimes even by visiting the Bank's own website (e.g. the Bank of India infection in 2007).

Once the desktop is infected, when the customer visits the Bank website Eurograbber starts injecting instructions into the running session asking the customer to upgrade security etc. Since these instructions appear during a session initiated by the customer himself, he believes that the instructions are from the Bank and proceeds to provide information that compromises his identity, including the mobile number. The trojan then sends an SMS message to the mobile with similar instructions, ensuring that the customer clicks on a link that infects the mobile also.

With both the desktop and the mobile infected, the trojan is able to manipulate the banking instructions and intercept the OTP, and is thus able to carry out fraudulent transactions.

When such "Unauthorized Transactions" are carried out during a valid session opened by the customer, it creates a huge evidentiary problem for the customer, since the time of the transaction coincides with the time of a valid session. Even the IP address from which the transaction was initiated may tally with the IP address of the customer. Unless the judge hearing the case understands the way these trojans function, it would be near impossible for the hapless customer to convince the court that the transaction was "Unauthorized".
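The evidentiary problem described above is also a detection problem for the Bank: a man-in-the-browser trojan issues its transfer from the customer's own machine, inside the customer's own session, so the two signals a court is usually shown (matching IP address and matching session time) are reproduced perfectly. The following is an added illustration, not code from the original post or from any bank's fraud system, of the kind of session-level check a "real time risk management" engine can run instead: it ignores IP and timing and scores what changed inside the session (a payee created and paid within minutes, a first-ever beneficiary, an amount far above the customer's history). The event format, the point weights and the sample sessions are all constructed assumptions; the IP addresses are from a documentation range.

```python
"""Session-level risk scoring for Internet Banking transfers.

Added example (constructed; not the original post's or any bank's code).
Shows that "same IP, inside a valid session" passes for both a genuine
transfer and one injected by a man-in-the-browser trojan, while
in-session behaviour separates them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    t: datetime                      # server-side timestamp of the request
    kind: str                        # "login", "add_payee" or "transfer"
    ip: str                          # client IP as seen by the bank
    data: dict = field(default_factory=dict)


@dataclass
class History:
    known_payees: set                # beneficiaries the customer has paid before
    max_transfer: float              # largest transfer amount seen in the past


def ip_and_timing_consistent(events, session_ttl=timedelta(minutes=30)):
    """The naive evidentiary check: every request came from the login IP
    and fell inside the session lifetime. A MitB trojan satisfies this."""
    login = events[0]
    return all(e.ip == login.ip and timedelta(0) <= e.t - login.t <= session_ttl
               for e in events)


def score_session(events, history, payee_window=timedelta(minutes=10)):
    """Additive risk score (0..100) plus human-readable reasons.

    The first event must be the login. Weights are assumed values chosen
    for illustration; a real engine would tune them against case data.
    """
    login = events[0]
    assert login.kind == "login", "session must start with a login event"
    score, reasons = 0, []
    payee_added_at = {}              # payee -> time it was created this session
    for e in events[1:]:
        if e.ip != login.ip:         # rarely fires for MitB, but cheap to keep
            score += 15
            reasons.append(f"client IP changed to {e.ip} mid-session")
        if e.kind == "add_payee":
            payee_added_at[e.data["payee"]] = e.t
        elif e.kind == "transfer":
            payee, amount = e.data["payee"], e.data["amount"]
            if payee not in history.known_payees:
                score += 35
                reasons.append(f"first-ever transfer to {payee}")
            added = payee_added_at.get(payee)
            if added is not None and e.t - added <= payee_window:
                score += 25
                reasons.append("payee created and paid within minutes")
            if amount > 2 * history.max_transfer:
                score += 25
                reasons.append(f"amount {amount:.0f} is over twice the historical maximum")
    return min(score, 100), reasons


# Constructed sample data: one customer, two sessions from the same IP.
HISTORY = History(known_payees={"landlord", "electricity-board"}, max_transfer=25000.0)
T0 = datetime(2013, 7, 1, 10, 0)
LEGIT = [
    Event(T0, "login", "203.0.113.7"),
    Event(T0 + timedelta(minutes=5), "transfer", "203.0.113.7",
          {"payee": "landlord", "amount": 20000.0}),
]
INJECTED = [                          # what a MitB-driven session looks like server-side
    Event(T0, "login", "203.0.113.7"),
    Event(T0 + timedelta(minutes=3), "add_payee", "203.0.113.7",
          {"payee": "mule-account-x"}),
    Event(T0 + timedelta(minutes=4), "transfer", "203.0.113.7",
          {"payee": "mule-account-x", "amount": 90000.0}),
]

if __name__ == "__main__":
    for name, session in (("legit", LEGIT), ("injected", INJECTED)):
        score, why = score_session(session, HISTORY)
        print(name, "ip/timing ok:", ip_and_timing_consistent(session),
              "risk:", score, why)
```

Both sessions pass `ip_and_timing_consistent`, which is exactly why that pair of facts proves nothing about authorisation; only the in-session score (0 for the genuine transfer, 85 for the injected one) separates them, and a bank that logs payee creation and transfer timing can show that separation in court.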

Who is to be blamed for placing the Bank Customer in such a situation?

It is clear that Banks are mainly responsible for operating a system of Internet Banking without adequate security, which places their customers in a compromising position.

To some extent, RBI also should share the blame since it places a lot of thrust on 2 Factor authentication through the mobile. Users are increasingly being coerced into the use of "Mobile Banking" with false promises. Banks also adopt the policy of "No Mobile, No account" and mandate the use of mobiles for Internet Banking.

In this scenario, it will not be long before we will witness a huge Banking fraud emerging in India on the back of the “Eurograbber” trojan.

Naavi


Related Article:

Inside Eurograbber: How SMS Was Used to Pilfer Millions

A Case Study on Eurograbber

Posted in Bank, Cyber Law, RBI

New Banking Licenses in India

The recent decision of RBI to invite fresh applications for new Banking licenses has evoked a response from 26 applicants. The undersigned, who joined the Banking industry in 1973 and worked in the industry up to 1987, and later around the industry in Marketing of Banking services since 2000, diversified as a consultant in Information Security for Banks, particularly working for a "Safe E Banking" environment.

With this background, some of my thoughts on the new licensing aspects have been placed on this website.

Here is a summary of articles so far placed on the website.

1. Should Indian Post be granted Banking license?… Do they need one?

2. Which of the 26 applicants deserve Bank license

3. Banking License aspirants should disclose business plans to public.

4. Will RBI disclose "Sanction Mechanism" to enforce sanctity of Banking license conditions?

5. Not all Eligible applicants to get Banking license

6. New Bank Licenses-Make Cyber Crime Insurance Mandatory

7. "Deep Pockets" need not be the sole criteria for Bank licenses

8. Banking Licenses and Public Sector aspirants

9. New Banking License-Let's remember Gandhian Principles of Banking

Naavi

Posted in Bank, RBI