Safe E-Banking: Some initiatives that call for attention

Naavi has been following the developments in the Indian Banking scenario for the last 4 decades and has been closely associated with the industry as an employee of the Banking industry as well as a consultant and critic. In the background of this experience, and in the environment of growing Cyber Crime threats around us, Naavi expresses his concern that the Indian Banking industry is heading for a crisis created by the hasty introduction of technology without appropriate security initiatives being put in place.

Though the GGWG (G. Gopalakrishna Working Group) recommendations provided a comprehensive guideline to the Banks, there is still a glaring shortfall in its implementation. At the same time there is immense pressure on the regulator to further ease the controls on Mobile Banking and to expand the services of the Banks into non-Banking areas.

In the light of these developments, Naavi places before the public and the industry some requirements which appear to need immediate attention.

Recently, the Governor of RBI commented that no institution other than a “Bank” should be allowed to accept deposits from the public. This was in the context of the fraud in Chit Companies in West Bengal which resulted in a loss to several investors. We may recall here that it was a move against CRB Capital in the late 90s that prompted RBI to take steps to introduce mandatory Credit Rating for NBFCs accepting deposits. (Refer to the article “Don’t Massacre the NBFCs” and other articles from around that time on Naavi.org.) It is nearly 15 years since this decision, which killed the NBFC industry as it was known and flourishing at that time. If we look back on this decision, it is difficult to say that the move actually helped general investors. The failure of CRB Capital was a reflection of the failure of the regulatory agency itself, but the corrective action taken by RBI at that time, instead of helping the investor community at large, actually killed a beautiful investment option available to middle class investors in India. The investors driven out of NBFCs at that time lost more money when other honest companies closed down under the artificial pressure created by the measures taken by RBI. They also tried to find alternative places for investment and, since Bank interest rates were too low, they went to mutual funds and lost more money. It is a valid debate even today whether these losses are to be attributed to wrong policies on the part of RBI.

A similar situation is developing in the Banking industry today regarding some policies associated with the promotion of Technology use in Banks. I need to record my apprehension that some of the policy initiatives require immediate retraction as they are likely to affect the future of Banking in India. If the depositors who are depositing their money with banks for an interest rate of 7.5% p.a., as against the 15% p.a. they were used to during the NBFC days, are to be disillusioned again, it is not clear where they can turn.

This time it will not end with the depositors merely losing their money; they will take the Indian Banking industry down with them.

There are two important threats that are looming large now in the regulatory policies. The first is the information security risks from the Mobile Banking initiatives. The second is the diversification of Banks into ancillary services such as “Insurance Marketing”.

The Banking industry is yet to present a secure banking platform for Internet Banking, and we are struggling to make them adopt security measures that were first suggested way back in 2001 by RBI. Banks, instead of improving the security of their systems, are trying to persuade the RBI to dilute the security requirements. This is evident in the actions initiated by the Payments and Settlement department and the promotion of Mobile Banking. It appears that the resources of IDRBT are being spent more on facilitating the use of mobile banking applications than on finding vulnerabilities in the systems and finding solutions. In my opinion, “Mobile Banking” is the poison which will completely destroy the confidence and trust which customers today have in an institution called a “Bank”. It is therefore necessary for RBI to call for an all-India virtual seminar on Mobile vulnerabilities and invite Cyber Security Experts to participate and express their views. From the RBI side, the representatives of the Payments and Settlement department and IDRBT should participate with an open mind and assess the risk profiles which the cyber security experts may express.

The second aspect which is changing the profile of Banking in India is the loading of ancillary responsibilities such as “Insurance Marketing” onto Bankers. RBI has indicated that it is under pressure to allow multi-brand marketing, where one bank could market several insurance companies’ products, whereas RBI is insisting that they can market only a single brand. Whether it is multi-brand or single-brand, an Insurance product is a financial product and is in conflict with the Bank’s own business, and hence there is no logic in allowing Banks to cannibalize their own business. By allowing Banks to become insurance marketing agencies, Banks will gradually cease to be “Banks” and become “Finance Houses”.

This will mean that, while on the one hand RBI does not want non-Banks to accept deposits, Banks themselves will become “Non-Banks” in course of time. Since other policies of RBI such as the “Disincentivisation of cheques” are also aimed at changing traditional Banking activities, the cumulative effect will accelerate the change in the profile of the Banking business in due course.

Additionally, the Payments and Settlement department is thinking of a new system of consumer-to-consumer payments through the mobile network, which is again a business that is not “Banking”.

I therefore suggest that RBI should formulate a new category of Financial institution such as “E-NBFC” and provide a separate license to deal with C2C mobile payments in addition to the relatively insecure mobile banking business. The mobile banking business itself should not be a direct link to the regular bank account and should be handled in a subsidiary account, similar to the way margin money accounts for share trading accounts are handled.

Naavi


Cyber Policing Initiatives in Kerala

Kerala Police have initiated a unique step to strengthen Cyber Crime mitigation efforts by involving select members of the public as “Honorary Police Officers”.

It may be recalled here that in Chennai, a senior Police officer by the name of Mr Prateep Phillip had initiated the “Friends of Police” program, which received international acclaim. Naavi has been suggesting that this concept should be extended to Cyber Policing also. The Kerala initiative appears to be a step in this direction and could be useful in getting the much needed assistance of Cyber Security experts in tackling the menace of Cyber Crimes.

Naavi


IT Security Summit 2013 held at Pune

The College of Agricultural Banking, Pune, a premier training institute for Bankers in India and an arm of the Reserve Bank of India, conducted a two-day workshop on IT Security. Attended by over 40 CISOs of different Banks, the two-day event discussed various issues surrounding Information Security in Banking.

The program was inaugurated by the Principal of the College of Agricultural Banking (CAB), Mrs Meena Hemachandra. Mr G. Gopalakrishna, ED of RBI, addressed the gathering through a Video Conference and highlighted the measures required to be taken by Banks for complying with the Information Security guidelines recommended by the committee headed by him.

Mr Avinash Kadam of ISACA discussed the COBIT 5 framework for Information Security Management. Mr Patrick Kishore of IDRBT and Mr Kunal Pande of KPMG explained the issues surrounding the measurement and evaluation of Information Security implementation.

Subsequently, Mr Sastry of IDRBT explained the various initiatives taken by IDRBT in promoting Mobile Banking, and Mr Sanjay Shinde (DCP, Pune) shared some of his experiences in handling Cyber Crimes in the Banking sector.

This was followed by a discussion on the Legal aspects of information security for Banks by Naavi, which included some thoughts on the measures that Banks, RBI and the CISOs need to take to mitigate Legal Risks. (A copy of the presentation made on this occasion may be requested from Naavi.)

On the second day, Mrs Radha Somashekar of RBI explained the initiatives taken under the Payments and Settlement Act, including the initiatives for the use of Aadhaar as an authentication feature for some of the Banking requirements. This was followed by a presentation by Dr Gulshan Rai of CERT-In on the Cyber Threats that need to be taken into consideration by Bankers.

The workshop ended with four different groups of participants presenting their views on the issues confronting Information Security implementation in the Banks, including their suggestions to be considered by the RBI.

The program ended with a valedictory address from Dr H. Krishnamurthy of IISc, Bangalore.

The two-day program, coordinated by Mr Sundar Murthy of CAB, gave an excellent opportunity for Bankers from all over India to understand the views of RBI on some of the key issues surrounding the safety of Banking.

Naavi


Cyber Appellate Tribunal Chairman: Status

Ever since the earlier Chairperson of the Cyber Appellate Tribunal (CAT), Justice Mr Rajesh Tandon, approached superannuation in June 2011, Naavi has been requesting the quick appointment of a new Chairperson in replacement of Mr Tandon, or the continuation of Mr Tandon until an alternate arrangement could be made.

However, continuation of a person who attains superannuation is not within the executive powers, and hence a decision for the appointment of an alternate person had to be taken by the DIT before Mr Tandon retired at the end of June 2011. Unfortunately, despite several eligible persons showing their interest in taking up the responsibility, the Government did not succeed in completing the formalities of the appointment in time and CAT became headless.

Several requests have been made in this regard by Naavi to the Ministers of the Union Government, and the attention of the President of India and the Chief Justice of India has also been drawn to the requirement. But there was no action from DIT.

In December 2011, Justice S. K. Krishnan, former judge of the High Court of Madras, was appointed as a “Member Judiciary”. But he was not designated as “Chairperson” and hence had to remain in office without discharging any judicial responsibilities until November 2012, when he too attained superannuation. Why he was appointed without authority to conduct proceedings remains a mystery.

While the Government found time to appoint a “Member Technical” and a “Head of Department” for CAT, the position of Chairperson remained vacant all these days.

While some litigants bypassed the CAT and went for Writ Petitions to the High Court in lieu of an appeal at CAT whenever the need arose, applications already filed with CAT were stuck. The option of withdrawing the appeal from CAT and filing a writ petition was dicey, since the High Court could always hold the view that the remedy at CAT should be exhausted before the High Court is approached.

The situation was therefore very confusing and called for resolution through judicial intervention.

In this context, a PIL had been filed in the Karnataka High Court by an advocate, Mr Chaitanya, bringing to the notice of the High Court that several Cyber Crime victims were waiting for the CAT to become operational, since their appeals had been pending for a long time unattended at CAT (WP37577/2012). After several months of delay, the advocate for the Government of India filed a few documents on the 3rd of June, 2013, which revealed that on April 3, 2013, the Union Minister Mr Kapil Sibal had written a letter to the Chief Justice of India recommending one person for the post and requesting the Screening Committee of the Supreme Court to approve the posting. On 10th April 2013, the CJI had also replied stating that such a meeting would be convened at the earliest.

The PIL therefore has had its tiny effect of making the Minister take one small step in the appointment after two years of inactivity. It is not clear why it took the Ministry 2 years to suggest one name for the post.

The Court is yet to dispose of the case and is now deliberating on the developments so far. Since the action appears to be pending with the screening committee at the Supreme Court, it may be difficult for the Karnataka High Court to give any strong directions. It is possible that the screening committee of the Supreme Court may not find favour with the recommendation made by the Minister and may request alternate names. The situation may turn out to be similar to the case of the appointment of Lok Ayuktas in Karnataka and Gujarat, where the difference of opinion between the Judiciary and the Executive caused prolonged delays.

It is possible that the High Court may therefore seriously consider supporting the use of Writ Petitions to the High Courts as a remedy, though this would not be useful for the cases now pending with CAT where hearings are already in progress.

This would bypass the CAT, but there appears to be no other option at present to provide remedies to the Cyber Crime victims of India. Such a measure would be required at least as a temporary measure until CAT becomes functional once again.

The next date of hearing of the PIL in the Karnataka High Court is July 1, 2013, and we need to see if there is any further development in this period.

Naavi


Android Mobile Virus for Phishing found in South Korea

A Phishing malware operating on the Android mobile platform has been detected in South Korea. McAfee Mobile Security detects this threat as Android/FakeBankDropper.A and Android/FakeBank.A and alerts mobile users if it is present.

This new trojan targets South Korean bank users with a fake message that asks users to install new anti-malware protection. The message carries a link which installs an application replacing the genuine bank application. On installation, the trojan asks users to enter banking credentials such as account number, password, Internet banking ID and social security number. The collected information is later sent to a remote server.

What is observed in the South Korean market today may tomorrow enter the Indian market also. Bankers who are promoting mobile banking in India need to take note.

Naavi.org recommends that customers of Banks do not use Mobile Banking until the mobile security scenario matures.

Naavi


PIL on Non-Appointment of CAT Chairman

A Writ Petition (WP37477/2012) filed in the Karnataka High Court regarding the non-appointment of a Chairperson for the Cyber Appellate Tribunal will be coming up for hearing today.

During the past several hearings, the Government advocate has been requesting time to file a reply on behalf of the Government of India. We hope a reply will be filed today.

It appears from the newspaper reports today that the Government of India is trying to change the system of appointments to judicial positions and to have a greater say for the Government in the appointments.

Probably in the CAT chairman’s appointment also, the Government of India has a specific interest, which could be the reason for the non-appointment of the Chairperson. Whether it is the Lok Ayukta in Karnataka or Gujarat or the CAT Chairperson, it appears that the politicians want to have a greater say in judicial appointments. While such interest is understandable in the Lok Ayukta appointments, since the appointee is expected to handle politically sensitive cases, there is no such consideration in the CAT appointment. The delay and the reluctance of the Government are therefore indicative of some personal interest of the Ministry officials in the appointment rather than of the Government as a whole. Now that the same minister heads both the IT and Law Ministries, there is no inter-ministerial conflict either. The implication as to who is behind the delay is therefore clearer than before.

Cyber Criminals of the Country are happy that the political and judicial confusion on the matter of the appointment of a judicial authority gives them more time to continue their nefarious activities without fear of the law.

Naavi
