Another Great E-Banking Robbery Could Destroy Our Banking System

The recent bank fraud in Mumbai, in which Rs 2.41 crores was transferred out of the RPG group’s account with Yes Bank, coming close on the heels of the US$45 million card fraud in the USA, should raise RBI’s concerns about the security status of E Banking in India.

The Yes Bank fraud occurred in the RTGS system of a company. In February a similar fraud of Rs 1 crore had occurred in the same Bank, indicating a systemic failure. It is easy for the Banks to dismiss the issue as negligent handling of the password. But this is only an excuse and cannot be considered the final word. The threat landscape in Internet Banking is so vibrant that viruses and trojans lurking in cyber space could sneak into a system despite all the care that a customer can exercise. If the Stuxnet virus could get into high-security nuclear and defense installations, we can understand that penetrating a corporate computer cannot be considered rocket science.

The systemic failure therefore lies in an Internet Banking system that relies on password-based access which could authorize a payout of Rs 2.41 crores within minutes to different beneficiaries across the country. There is also the failure evident in the Banking system which enables several branches to keep maintaining mule accounts into which Rs 2.41 crores could land and be withdrawn within a short time.

Further, if we look at the $45 million fraud referred to earlier, in which the security systems of two Indian card processing companies were breached, it is evident that a similar security breach in the Bank’s system cannot be ruled out. Even in the Yes Bank instance it is stated that the transactions are processed by Wipro as an outsourcing agent.

We therefore need to investigate the staff of Yes Bank, their outsource agents and anybody else who may be connected with maintaining the security of the E Banking system.

This is not to conduct a witch hunt on the hapless bank but to ensure that there will not be more such Banks landing into difficulty in the coming days.

RBI therefore should step in immediately and take stock of the outsource dependencies of the Indian Banks. In case agencies which have a history of security breach incidents are associated with the Banks as outsource partners, then RBI needs to act decisively to tighten the security vigilance on these outsource partners.

It may be recalled that the history of the HIPAA-HITECH Act indicates that the US health care regulators, who had originally left Business Associates to be regulated through contractual agreements with the Covered Entities, have now moved to bring them under the direct supervision of HHS.

Similarly, time has come for RBI to exercise direct regulatory control on the outsource partners of Banks who present a risk to the system.

As a first step, RBI needs to send out a survey form to all Banks to report the particulars of their outsource partners and the measures that the Banks have taken to ensure compliance with the IS guidelines. There needs to be an exclusive “Outsourcing Partner’s Audit” which RBI needs to initiate. Like HHS conducting mandatory audits on a select number of Covered Entities each year, RBI should conduct mandatory audits on the outsource partners each year and dis-accredit those who do not practice adequate security measures.

RBI should not rely only on audit certificates being produced by either the Banks or the outsource agencies as it is clear that the agencies involved in the recent frauds were PCI certified and yet were insecure.

Many Banks are complacent with an ISO 27001 certificate which, though a good beginning, is not adequate to ensure security. Hence, though Banks may be encouraged to undertake any type of audit on their own, whether ISO 27001, COBIT, PCI or ITA 2008 compliance, RBI should conduct its own audit to ensure that an Information Security Culture is established in the Indian Banking system.

Presently, RBI inspectors may not have adequate skills or capacity to conduct Information Security audits and hence it is natural for them to rely on the audits conducted by the Banks as an indication of compliance. However, it is necessary to train the RBI inspectors to understand ISO 27001, PCI or other audit reports and quiz the Bank executives to pry open any cosmetic window dressing the Bank might have indulged in.

If immediate action is not initiated and a fraud of the nature that hit USA occurs in India, then the entire Indian Banking system will be in jeopardy. It could even destroy the Indian Banking system and at the same time provide enough funding for terrorists for the next decade to carry on their proxy war on India.

I urge RBI to start thinking in the direction of finding a remedy to the emerging threat.

Naavi

Posted in Bank, Cyber Crime, ITA 2008, RBI

Companies should shun RTGS accounts

The recent fraud in Mumbai where Rs 2.41 crore was siphoned off from RPG group’s account through RTGS is a repetition of many such frauds which are happening on a regular basis in India.

While we continue to debate that Banks are responsible for making good the amount immediately, Banks continue to use their money power and influence to prevent or postpone such claims on one ground or the other.

Banks go to any extent, including misrepresenting facts to Courts, to confuse uninformed judicial persons that the money lost belongs to the customer and that he should file a police complaint and pursue the police to recover the money from the beneficiaries. They claim that they are doing a great service by cooperating with the police in the investigation but refuse to take responsibility for the fraud.

I have discussed this in many forums and would like to reiterate here that:

a) Banker Customer relationship is one of debtor and creditor. Money lost in the account is that of the Bank and not that of the customer. Hence it is the Bank which should file a police complaint and pursue and not the customer.

b) The compromise of the password may occur due to many reasons including negligence of the customer, ignorance of the customer, collusion of the Banker, vulnerabilities in the Bank’s systems, Virus, Trojans etc. In any such event, what occurs is a “Forgery” and the customer should not be held responsible for such forgeries.

c) Banks are using password based access systems instead of the digital signature systems recommended in law and by RBI because this saves them some cost. Using such systems which are not legally accepted exposes the public to risks, and the Banks are thereby doing a disservice to the community. Technology introduction cannot be at the cost of security, and insecure E banking is against the Banking license norms.

d) I have so far seen three Banks, namely Punjab National Bank, Axis Bank and ING Vysya Bank, who are arguing that in Internet Banking frauds the customer should only file litigation in the place where the server is kept. In effect they are saying: I will open a branch in your city, take your deposits, collect interest on loans etc., but when it comes to dispute resolution, you have to come to Delhi (PNB), or Mumbai (Axis Bank and ING Vysya Bank) where our servers are located. Tomorrow if my servers are in Timbuktu, you will have to come there and file a case. This is a serious violation of the Banking license terms and I have already raised the issue of cancellation of Branch licenses in places outside Delhi for PNB if they insist on this condition. The same now applies to Axis Bank and ING Vysya.

e) The so-called Internet Banking terms which permit the Bank to use passwords for access and hold the customer responsible for phishing are ultra vires. In most cases no valid contract for Internet Banking exists on record.

f) There are already many judicial decisions in India and abroad holding Banks liable for phishing even when the customer has answered phishing mails out of ignorance.

g) RBI has categorically stated that Banks should shoulder the liability for phishing.

I would like legal professionals all over India to take note of the above points and file Adjudication applications in the respective States to protect their customers. I will be able to provide further assistance and guidance in this regard if required.

In the meantime the Bankers, instead of improving their security, are trying to close down the Adjudication system and the Cyber Appellate Tribunal. They are trying to take the litigation to conventional civil courts where it is expensive and frustrating for the public to litigate.

Many of the Courts, either out of ignorance or because a senior counsel appears for the Bank, are accepting whatever contention is made by the Bank and issuing stay orders on the functioning of the Adjudicators. We have already gone through one such case in Chennai.

First of all it is difficult to convince IT Secretaries of different States that they are “Adjudicators” under ITA 2008 and that they are judicial authorities having exclusive powers under ITA 2008. Then to convince them of the legal position that Banks are responsible and not the customer, even though the name of the Bank is big and the lawyer appearing for the bank is a big lawyer, is even more difficult. Even then there are forces at work preventing a few of the judicially active IT Secretaries. Today there are only one or two IT Secretaries in India who are prepared to accept adjudication applications and conduct the required proceedings.

Mr PWC Davidar of Chennai was one such person who was transferred by Jayalalitha in a routine manner after she took charge and since then Tamil Nadu adjudication is dead. Presently Maharashtra adjudicator Mr Rajesh Aggarwal is the only other IT Secretary who is prepared to entertain cases.

Under the circumstances my advice to Bank customers, particularly the Companies who keep large funds in the account, is to disable their RTGS accounts immediately. Whenever they need to transfer funds online, they should issue paper based instructions or digitally signed electronic instructions to the Banks to execute the RTGS, like the issue of DDs. Since Companies have the manpower to depute a person to visit the branch if required, they are not constrained like individuals who need such services as a matter of convenience.

Individuals also need to ensure that they maintain low balances in accounts where NEFT/RTGS facilities are available and do not link such accounts to other deposits with auto debit features.

I think there is a need to declare a war for safe Banking. I have personally pursued this mission for the last several years and I invite others to participate in this crusade and strengthen my hands.

Naavi

Posted in Bank, Cyber Crime, ITA 2008, RBI

Karnataka High Court needs to take note

Karnataka High Court has recently stopped the Karnataka Adjudicator from discharging his duty as Adjudicator of Karnataka by granting a stay of proceedings on a petition of Axis Bank in the Axis Bank Vs Gujarat PetroSynthese Ltd complaint.

This decision has been given by a Vacation Judge and the case is being heard again on 27th of this month when the Court has an opportunity to remove the interim stay granted.

The Stay has indirectly opened a debate on how the Adjudicator should respond when he himself is a judicial authority and is now sandwiched between two other judicial authorities, namely the Karnataka State Human Rights Commission, which says “Go ahead and continue your enquiry”, while the High Court vacation bench says “Stop”. The disputed adjudication process had been stopped on a legally untenable jurisdictional objection, of which the Human Rights Commission took notice. The Adjudicator also obtained a report from the State Law Department which confirmed that the jurisdictional objection raised by Axis Bank and accepted by the then Adjudicator was untenable under law.

It would have been better if the Karnataka High Court had avoided interference in the functioning of another judicial authority before a more serious examination of the facts of the case. The Court could have waited for the Adjudicator to complete his award one way or the other and then taken up an appeal if preferred. The Court also could have waited for the affected respondents to respond. But the vacation bench seemed to be in a hurry to grant a stay when the next proceeding in the Adjudication was due only on May 31 and there was no need for an interim stay until the 27th.

I take this opportunity to bring to the notice of the High Court of Karnataka that Cyber Crime is a growing menace in society and, amongst these crimes, Bank frauds are one on which we should be concerned as a national security issue. Hence if the High Court needs to consider stopping the remedies of a hurt victim, it should be only after proper consideration of evidence. It is regrettable that some petitioners misuse the vacation bench to get interim stays citing some urgency and obtain a stay as a matter of routine when even a notice has not been served on the opposing party, thus denying justice to the common man.

The Court may observe that today one more case similar to the Axis Bank case has been reported from Mumbai, where a sum of Rs 2.41 crore has been fraudulently withdrawn from the account of the RPG group (See report) in 13 transfers within three hours. (The Bank involved is believed to be “Yes Bank”.) The Judges should understand the impact of such crimes on society. The hurdles created in the judicial process only help the fraudsters and the Banks who, through their negligence and colluding staff, make such frauds possible. I wish the conventional court judges would peruse the orders of the Adjudicators of Tamil Nadu (Mr P WC Davidar) and Maharashtra (Mr Rajesh Aggarwal) to understand the complexities involved rather than jumping to issue orders based solely on the representations of one of the affected parties.

The decision of the vacation bench of Karnataka High Court in the Axis Bank case effectively supports the view that the RPG group cannot get their grievances redressed under ITA 2008 and that the hackers cannot be considered to have committed the offence of “hacking” under Section 66. Police in Mumbai have already arrested a few persons in connection with the crime and I hope the Court will face an embarrassment when the hackers invoke the Karnataka High Court order to defend their case.

Let’s wish that the Court hearing the petition on the 27th makes amends, withdraws the interim stay granted and lets the system of Adjudication roll on as envisaged in ITA 2008.

Naavi

Posted in Cyber Law, ITA 2008

Allahabad High Court issues notice to MIT on Grievance Redressal Officer

Under the rules framed under Section 79 of ITA 2008, it is necessary for all websites operating in India to declare the name and contact details of their “Grievance Redressal Officer”.

It is obvious that many websites/intermediaries have not yet followed this compliance guideline.

In a PIL filed in Lucknow, the Allahabad High Court has issued a notice to the ministry to give its views within 3 months.

Naavi.org appreciates this development.

Copy of the order is available here

Naavi

Posted in Cyber Law, ITA 2008

ITA 2008 may be up for review

It is reported that the MCIT has set up a committee to consider whether it is feasible to integrate the Indian Telegraph Act, the Indian Wireless Telegraphy Act, the Telegraph Wires (Unlawful Possession) Act and the Information Technology Act into a single comprehensive legislation.

More information available here: Business Standard

The committee is being chaired by DoT Advisor Ram Yagya, and is being asked to give its opinion regarding three other key points of the final recommendations: arbitration, definition of licence and definition of telecommunication, according to a recent discussion.

It is not clear if the intention is to improve the legislative framework or whether it is designed to protect inefficiency and corruption in the system and to avoid the legal issues on the constitutional validity of ITA 2008 that have come under the Supreme Court scanner.

Will the committee strengthen the hands of the Netizens or the “Netas”? That is a point to be observed. Will it support “Internet Freedom” or “Internet Control”? These are issues to be watched.

Naavi

Posted in Cyber Law

Developer? or Virus Writer?

Naavi.org had once reported the story of an IT professional who had developed and distributed IRCTC hacking code, not knowing that it was an offence which could have landed him in jail for 3 years or more. Fortunately he realized his mistake and removed the code from the public domain.

Now another similar incident seems to have been reported in the case of a developer from Chandigarh. It is reported that a malware written by him has been found to take screenshots on the destination computer at periodic intervals without the knowledge of the owner of the computer. It is an application written for Mac computers.

According to this report:

The malware starts working every time the computer is restarted, and it takes screenshots in regular intervals and uploads them to two C&C servers – one of which is currently unavailable, and the other impossible to access without permission.

Under Section 43 of ITA 2008, the activity of the backdoor classifies it as a “Computer Contaminant” or “Virus”, and by virtue of Section 66, the person who introduced it is liable for imprisonment and payment of compensation to any person who may suffer damage.

Interestingly, the report also says:

“the backdoor was signed with a legitimate Apple Developer ID associated with a developer by the name of Rajinder Kumar, and thus was able to bypass Apple’s Gatekeeper.”

Apple has reportedly revoked his authorization since the discovery.

However, the person whose profile is said to be available on LinkedIn is now in a situation where he may be accused of an offence under ITA 2008. There is also a view that this could be a case of mistaken identity. We need to wait and observe the developments.

Naavi

Posted in Cyber Crime