AXIS Bank admits liability for ATM Fraud in Mumbai

It is reported that Axis Bank has agreed to refund the losses suffered by its customers in Mumbai who lost about Rs 37 lakhs through the ATM card cloning fraud. It is good that Axis Bank has decided to admit its liability rather than fight a legal battle with the customers.

Perhaps the fact that the customers were members of the Police influenced the decision of the Bank. Also, since the withdrawals were made abroad, it was difficult for the Bank to blame its customers for causing the fraud.

Further, the stand which Axis Bank adopted in a Phishing case in Bangalore left the Bank little legal room to pursue any other option. In that case, against a corporate customer in Bangalore, Axis Bank argued that the ITA 2008 provisions regarding Hacking are not applicable to any crime against a Corporate entity such as itself.

By adopting this stand, the Bank stands committed to abdicating the protection available under ITA 2008 for any crimes committed against Axis Bank.

I wish the shareholders of Axis Bank would question their management on this voluntary abdication of its rights under ITA 2008 and on how it has affected its operational risk profile under Basel II/III.

Related Article

Naavi

Posted in ITA 2008

Data Breach Costs in India

A study by Symantec and the Ponemon Institute, “Cost of Data Breach Study: Global Analysis-2013”, has provided some interesting insights into the efficacy of information security and the consequences of data breach. The study covers data breach incidents which occurred in 2012.

The study estimated that the global average cost of data breach is Rs 7360/- per compromised record. In India the estimated cost of data breach is Rs 2271/- per compromised record. This is an increase from Rs 2105/- in the previous year, an annual increase of around 8%. The Indian study covered 28 companies in 11 industries. The size of the data breaches ranged from 4500 to more than 95000 compromised records.

For the purpose of the study, a “Record” is a unit of information that identifies an individual whose personal information has been compromised.

While system glitches were the primary root cause of data breach, accounting for 46% of the breaches, 29% of the breaches were caused by employee negligence and 25% by malicious attacks.

Criminal activities resulted in the highest cost at Rs 2470/- per record, as against Rs 2150/- per record for losses arising out of system glitches and Rs 2294/- per record for losses arising out of employee negligence.

Costs of data breach differed across industries, with the Financial industry recording a significantly higher loss of Rs 4890/- per record. Loss at Technology companies was placed at Rs 3219/- per record.

Data breaches caused by sub-contractors and business partners increased the cost by an estimated Rs 307/- per record. At the same time, if the organization had a formal incident response plan and a strong security posture, with a CISO and an external consultant, the data breach cost was reduced by Rs 195/- per record (8.6%).

It may be noted that the study does not cover “Catastrophic breaches”; hence data breaches of more than 100000 compromised records were not included in the study.

The study is a significant step towards understanding the real impact of Cyber crimes on the industry and should be an eye opener for the Cyber Crime Insurance industry.

(Related Article)

Naavi

Posted in Cyber Crime, Information Assurance, ITA 2008

Axis Bank will now have to eat its own words

In the Adjudicator’s forum in Bangalore, Axis Bank has advanced a mischievous argument that Section 43 of ITA 2008 cannot be invoked by a Company. If this argument is given credence, no company can invoke any of the offences under Section 66 of ITA 2008, which include hacking, denial of service, etc. Hence Axis Bank cannot file a complaint in Mumbai against the ATM hackers under Section 66 of ITA 2008.

Since Axis Bank has managed to get the Karnataka High Court to endorse this view by implication, the view now carries judicial credibility until it is reversed.

It would therefore be interesting if the arrested hackers in Mumbai quote the words of Axis Bank itself in their defence and bind Axis Bank to its own committed position. This will also expose the absurdity of the situation created by Axis Bank in Karnataka to the detriment of all Cyber Crime victims of Karnataka, whose cumulative curse should be affecting Axis Bank.

(Please refer to the earlier articles in this site to appreciate the point made here)

Naavi

Posted in Cyber Crime, Cyber Law, ITA 2008

ATM Insecurity Exposed

In India, Banks are pushing Customers to interact with them only through ATMs. Even the RBI is encouraging this mode of interaction and discouraging customers from visiting bank branches.

As a result of this policy, Bank customers are being exposed to increased levels of insecurity in their Banking transactions. Apart from the various incidents reported in India involving skimmers and hacking of ATMs, the video in this link provides a clear indication of how unsafe the current systems are.

Please view this Video, which contains a demo given at a hackers’ conference.

A complete demonstration and details of how the systems were compromised are available here.

Related Article in bankinfosecurity.

In one of the attacks, the demonstrator reprogrammed the ATM remotely over a network, without touching the machine; the second attack required him to open the front panel and plug in a USB stick loaded with malware.

ATM fraud is therefore a threat looming large over Indian Banks. Hence there is a need for the Banks to introduce a special ATM security mechanism to protect themselves and their customers.

Hope RBI will take note.

Naavi

Posted in Cyber Law

Outsourcing security of Banking transactions

The recent ATM frauds in Mumbai and elsewhere have re-opened the discussion on the risks arising out of “Outsourcing” in the Indian Banking scenario.

The commercial Banks in India have grown so greedy that they are looking at every opportunity to outsource their activities to increase their margins. I was amused to read this report in the Economic Times, which appeared last year (July 5, 2012), titled “PSBs Strike Outsourcing Deal”.

The report highlighted how Banks have reduced their ATM maintenance costs by inking a large outsourcing contract for over 63000 ATMs. The report also stated that the country was divided into different zones and the right to maintain the ATMs in each zone was auctioned.

There is no doubt that it makes sense for commercial Banks to consider outsourcing of “Non Critical” operations to reduce operational costs. However, in all such outsourcing arrangements there is a need to ensure security measures, since the liability for frauds ultimately rests with the Bank, though it may be indemnified by the service operator to some extent. Since the financial backing of the service operator is unlikely to be better than that of the Bank, it is unclear how good these indemnities would be when large-scale ATM heists take place.

In most of the recent ATM frauds, the installation of skimmers, cameras and key loggers in the ATM premises has been suspected. ATM servicing personnel have also been involved in some of the frauds. This tendency is likely to continue unless very strong measures are initiated by the RBI to protect ATM transactions.

The undersigned has made some low-cost suggestions in this regard to secure the ATM environment, using two cameras and face recognition based identification of the customer, along with a guard lock on the ATMs, to reduce the risks substantially. If any Bank is interested, such plans can be implemented and tried on a pilot basis.

Naavi

Posted in Bank, Cyber Law, ITA 2008

Axis Bank ATM license should be cancelled by RBI

Axis Bank has been in the news for the wrong reasons in recent days, involving one kind of Cyber Fraud or another. There have been many Phishing frauds and KYC failure reports, as well as organized money laundering through the Bank. The Bank has been defending itself in Courts by effectively manipulating the law to delay justice to genuine customers. RBI has so far been mild in reprimanding the Bank. It has only resorted to imposing fines for KYC failures and has not resorted to more drastic measures, such as cancellation of some branch licenses where KYC failures were observed as part of a systematic procedure to boost branch business.

This mild reprimand by RBI has enabled the Bank to continue its “Negligent Banking”.

Way back in 2011, there was a report in the Hindu Business Line where it was suspected that Axis Bank ATM software could have been hacked (See report here). The more recent incident in Mumbai, where 29 customers found that their ATM cards had been cloned and used abroad to withdraw around Rs 13 lakhs in cash (See report here), shows that Axis Bank continues to practice “Negligent Banking” and makes depositors’ money vulnerable to frauds.

Today’s Economic Times reports yet another ATM fraud, of Rs 80000/-, from Gurgaon in which another Axis Bank ATM is involved. In this case, local fraudsters loitering in the ATM centers were involved.

In all these cases there is a clear indication that Axis Bank has failed to maintain a reasonable level of security at its ATMs, which has caused the losses. It is therefore time for RBI to revisit its ATM security instructions and, if it is found that Axis Bank has been systematically neglecting the security at its ATMs, to consider suspending or cancelling the ATM licenses of Axis Bank.

In one of the newspaper reports it is mentioned that Axis Bank would pay the victims from “Insurance”. Axis Bank resorts to such settlement selectively, when the victims are celebrities. In the instant case the victims are Policemen, whose assistance is perhaps required by Axis Bank to support its other not-so-legal activities. But when it comes to other common customers, Axis Bank is known to try all its tactics to twist the law to harass the customers until they agree to bear the loss of fraud caused by the Bank’s negligence.

RBI needs to examine the fraud reporting and management practices of Axis Bank, check if RBI’s Cyber fraud guidelines are being followed, and take steps to tighten the security against frauds.

Naavi

Posted in Bank, Cyber Crime, Cyber Law