From CAPTCHA to GOTCHA?

Internet users are familiar with the CAPTCHA system of identifying website users, where the user is presented with a picture which is humanly readable but difficult for a machine to read. When CAPTCHA is used in this manner the website presents a CAPTCHA picture and asks the user to enter the word or number shown in the CAPTCHA in another box. Since CAPTCHA cannot be read or identified by a machine, it is believed that only humans will be able to pass this CAPTCHA test. In many cases CAPTCHA is used independent of a password just to prevent automated robotic access.

A CAPTCHA test can also be used after the password entry if the objective is to prevent a computerized log in after a password has been stolen by fraudsters. In such a case it becomes a second line of defense with the limited objective of preventing mass break-ins.

In India, some banks use a picture as a second factor of identification at the time of log in. In this case, after the user enters the password, some picture is displayed which the user has to confirm as his preferred choice. However this system is being implemented very poorly (eg: Corporation Bank website) and does not seem to offer any additional security. It is also reported now that the CAPTCHA system has been completely broken and it is possible to run an algorithm which breaks the CAPTCHA with 90 to 97% success.

In order to replace the CAPTCHA system, a new system called GOTCHA has been developed by a team in Carnegie Mellon University. It is referred to as the “Ink blot test”, is being hailed as a significant improvement over CAPTCHA, and is being recommended as a second factor of authentication to fortify the password system. It is a randomized puzzle generation protocol which involves interaction between a computer and a human. In such a system, after the password entry is successful (or simultaneous to the password entry), the user is presented with a set of ink blot pictures along with some phrases associated with the ink blots. The user is required to match the pictures with the phrases. The ink blot pictures are randomly generated by the system when the password is created. The phrases are created by the user himself when he first selects the password: the ink blot pictures are presented to him and he associates a phrase of his choice with each picture.
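The enrollment and matching flow described above, as an added toy model (not the Carnegie Mellon team's code). It assumes stand-in “inkblot” identifiers generated from a password-seeded PRNG, and a stored-hash design in which the server keeps only a salt, the user's phrases in shuffled order, and a slow hash over (password, matching), so a copy of the database reveals neither the password nor which phrase belongs to which blot:

```python
"""Toy model of the GOTCHA ink-blot second factor (added example, not the CMU code).
Assumptions: inkblots are opaque ids derived from a password-seeded PRNG; the server
stores salt, phrases in shuffled order and a PBKDF2 hash of (password, matching)."""
import hashlib, hmac, os, random

ITERATIONS = 100_000  # PBKDF2 work factor (assumption; tune for the deployment)

def _slow_hash(material: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material.encode(), salt, ITERATIONS)

def generate_inkblots(password: str, salt: bytes, n: int) -> list[str]:
    """Deterministically regenerate the n 'inkblots' for a password.
    Here they are opaque ids; a real system would render images from this seed."""
    seed = int.from_bytes(_slow_hash("blots|" + password, salt), "big")
    rng = random.Random(seed)
    return [f"blot-{rng.getrandbits(32):08x}" for _ in range(n)]

def _commit(password: str, matching: list[int], salt: bytes) -> bytes:
    return _slow_hash("match|" + password + "|" + ",".join(map(str, matching)), salt)

def enroll(password: str, phrases: list[str]) -> dict:
    """phrases[i] is the phrase the user chose for inkblot i (phrases must be distinct).
    Returns the server-side record; the matching itself survives only inside the hash."""
    assert len(set(phrases)) == len(phrases), "phrases must be distinct"
    salt, n = os.urandom(16), len(phrases)
    matching = list(range(n))
    random.SystemRandom().shuffle(matching)  # matching[j] = blot whose phrase sits in slot j
    return {"salt": salt, "n": n,
            "phrases": [phrases[b] for b in matching],  # phrases in shuffled order
            "commit": _commit(password, matching, salt)}

def challenge(record: dict, password: str) -> tuple[list[str], list[str]]:
    """What the login page shows after the password is typed: regenerated inkblots
    in canonical order and the user's phrases in the stored (shuffled) order."""
    return generate_inkblots(password, record["salt"], record["n"]), record["phrases"]

def verify(record: dict, password: str, answer: list[int]) -> bool:
    """answer[j] = index of the inkblot the user says belongs to phrase slot j.
    Accepts only a full permutation whose hash with the password matches the record."""
    if sorted(answer) != list(range(record["n"])):
        return False
    return hmac.compare_digest(record["commit"], _commit(password, answer, record["salt"]))

def human_answer(record: dict, remembered: list[str]) -> list[int]:
    """Simulates the enrolled user, who remembers remembered[i] as the phrase for blot i."""
    return [remembered.index(p) for p in record["phrases"]]
```

Without the human's memory of the blot-to-phrase association, an attacker holding the record must guess both the password and one of n! matchings before the slow hash confirms anything.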

Though the system appears a bit complicated and could be considered an irritant (as all security measures are), it would be welcome if it can improve the security of the system to some extent. Though the system in theory appears to be innovative, it is necessary to see how it would be adopted by an average Internet user. If he finds it too cumbersome and faces too many rejections, the system may ultimately become unpopular unless users devise their own innovative methods to remember the patterns and the associated phrases.

Naavi

Related Article

Posted in Cyber Law

Will the CM of Karnataka respond?

Continuing the relentless effort to restore the availability of judicial support to the cyber crime victims of India, the undersigned has recently written a letter to the Chief Minister of Karnataka, Mr Siddaramaiah. This is the fourth time the undersigned has approached the Chief Minister of the State in this connection. Earlier, similar letters had been written to Mr Yeddyurappa, Mr Sadananda Gowda and Mr Jagadish Shettar. None of them had time to respond since they were busy with their infighting. Now we need to wait and see if Mr Siddaramaiah has the time to look into the woes of the people of Karnataka.

(Refer Article in Vijaya Karnataka, a Kannada daily)

For the information of those who have not followed the fight on this website, I would like to provide the essence of the dispute.

The essence of the issue is

a) The Adjudicator of Karnataka (the IT Secretary) on 27th December 2011 gave a judgement that Section 43 of the Information Technology Act 2000 cannot be applied to any complaint where the complainant or the complained entity is a corporate entity. It therefore ruled that a company, namely Ms Gujarat Petrosynthese Ltd, cannot file a complaint under Section 43, which can be invoked only by individuals. The adjudicator also opined that an individual such as one Mr Rajendra Prasad Yadav could not file a complaint against ICICI Bank, which was a company.

b) When the decision was sought to be reviewed with reference to the General Clauses Act, the Adjudicator remained silent and non-responsive. The fact that the beneficiary of the decision was Axis Bank, which was a contractor of the same IT department and could benefit to the extent of Rs 50 lakhs by the decision, made the decision look murky.

c) When the next Adjudicator took over and referred the matter to the Law department based on a query by the Karnataka Human Rights Commission, the law department gave an opinion that the earlier decision was wrong. This prompted the new Adjudicator to issue fresh notices to parties to continue the hearing.

d) Axis Bank attended the hearing, took time to reply and, before the next date of hearing, moved the vacation bench of the Karnataka High Court alleging that the hearing should not have been reopened without giving prior notice to them and hence there was a failure of natural justice.

e) The vacation bench of the Karnataka High Court agreed with the contention of Axis Bank that natural justice was denied to them by the reopening of the hearing, and that there was no need to provide natural justice to the cyber crime victim. The Court also opined that Axis Bank had the right to move the High Court ignoring the presence of the Cyber Appellate Tribunal as the appellate authority, but the cyber crime victim can only seek redressal of his grievance at the Cyber Appellate Tribunal.

The Court did not recognize the inherent discrimination against a cyber crime victim in favour of a commercial entity in arriving at this decision, and showed that the Court has less appreciation of the problems of cyber crime victims than of the profitability concerns of a commercial bank. The decision of the High Court suggesting that the cyber crime victim approach the Cyber Appellate Tribunal has to be seen in the context of the Tribunal not being in operation since June 2011, since the Chairperson has not been appointed by Kapil Sibal’s department at the Centre.

f) In the process, Axis Bank has been able to use the law to its advantage, deferring even a judicial review of the complaint, which claims compensation from the bank for money lost by a customer due to the failure of security in the banking system and possible connivance of bankers in robbing the customer.

g) Thus both the Adjudicator of Karnataka, who is also an official of the Government of Karnataka, as well as the High Court of Karnataka are unresponsive to the plight of cyber crime victims.

h) Though the matter has been brought to the notice of the Chief Justice of India formally and informally, there has been no suo-moto corrective action.

In the background of these developments, the undersigned has now asked the Chief Minister to refer the legal issue namely “Whether the term PERSON used in Section 43 should be restricted to mean only an individual and not a corporate entity” to the Chief Justice along with an enquiry on whether there was any vested interests behind the decision.

I would like to point out that if Section 43 is restricted to “individuals”, as the Adjudicator appears to believe, then all cyber crimes under Section 66 will also be restricted to individuals. Hence no company can either commit a cyber crime under Section 66, nor can any complaint be made by a company under Section 66. Additionally, if this interpretation of “Person” as meaning an “individual” is extended to other sections in ITA 2008, there will be chaos in the cyber judicial system.

I suppose those on whose laps the next level of decision lies, namely the Chief Minister of Karnataka and the Chief Justice of Karnataka, will remember the interlinking of Section 43 and Section 66 and how the continued validity of the erroneous order dated 27th December 2011 of the Adjudicator of Karnataka has made Karnataka a “Cyber Crime Haven” where no cyber crime such as “Unauthorized Access”, “Unauthorized Downloading”, “Virus introduction”, “Damage of a computer”, “Denial of Service”, “Wrongful charging”, “Assisting contravention”, “Diminishing value of information”, “Deleting source code” etc., which are all part of Section 43/66, can be tried under ITA 2000/8.

Since Chief Minister Mr Siddaramaiah himself was once a law teacher, he must be able to appreciate the legal issue involved here without the assistance of anybody else. But will he have the political will to take up the issue and see it to its logical end?… Only time will tell.

Naavi

Earlier Related Posts:

Karnataka IT Administration Wakes up

Plight of Cyber Crime Victims in Karnataka

IT Secretary Maharashtra creates history

Axis Bank will now have to eat its own words..

Posted in Cyber Law, ITA 2008

IRDA files Sec 66A complaint against an activist

It is reported that a cyber crime complaint has been filed in Hyderabad by IRDA against persons who highlighted corruption and irregularities in IRDA.

In February 2013 and earlier, the IRDA officer’s association had reportedly brought to the notice of the Chairman various irregularities. Since no action was taken by the Chairman, the Vice President of the Association had shared the details with CEOs of insurance companies.

Now, in July 2013, an FIR has been filed because of an email received by IRDA in which the irregularities committed by one of the executives had been reported. It appears that the complaint letter has been considered as offensive material warranting the invocation of Section 66A of ITA 2008.

Related Article in indiartinews.com

While it is possible that the email might have caused “annoyance” to a person, it is unclear how Sec 66A will be fitted to the case, since the email was received by IRDA and somebody else is alleging having felt “annoyed”. If the sender of the email believed it to be true, then it is difficult to invoke Section 66A (b). If he knew it to be false, then the message should be considered as “Grossly offensive” or “Menacing”. The sender of the message appears to be a person other than the accused, and we can presume that the accused believed that the allegation was true. Hence the police have to first find out if the allegation was true or false, then whether the accused knew it to be false, and that the accused himself had sent the message. If any of these conditions fail, it may be difficult to sustain the FIR.

Naavi

Posted in ITA 2008

Karnataka IT Administration Wakes up

After a long period of lull, the IT department of Karnataka appears to have woken up. Under the leadership of the new IT Secretary, the State has unveiled certain welcome policies to give a boost to IT in Karnataka. One of the key policy announcements is the declaration of IT services as “Essential Services”, to protect them from the risks of bandhs, strikes and other interruptions to their 24x7 operations. Though the workforce in the IT industry may find it uncomfortable and claim that they may be exploited by the companies, this sacrifice is essential to keep the IT industry going and retain the global services running.

While we welcome the initiatives announced by the Karnataka Government in encouraging the industry in Karnataka, particularly in Tier II and III centers, it is necessary to point out that IT cannot prosper in the State without adequate attention to information security and cyber law implementation. A lawless jungle cannot be a fertile ground for attracting investment.

At present, the Karnataka Government, and more particularly the earlier IT Secretary (Mr M.N.Vidyashankar), has rendered Karnataka a State which can be called a “Cyber Crime Haven”. In Karnataka a cyber crime victim cannot seek cyber judicial assistance if the crime is committed by a company. Also, no company can seek redressal of its grievance under ITA 2008, since substantial parts of the Act have been ruled to be out of bounds for corporate entities.

The Karnataka High Court has declined to intervene and correct the ridiculous state of lawlessness in the State and has contributed to the problem.

The undersigned has for the umpteenth time taken up the matter once again with the Chief Minister of the State. A copy of the letter written to the Chief Minister Mr Siddaramayya in this regard is available here.

Let’s hope that the new IT Secretary and the new Chief Minister understand why the undersigned is calling the State a “Cyber Crime Haven” and take the necessary steps to correct this anomaly.

Without a correction of the cyber judiciary status in India, international investors have no reason to look at Karnataka as a destination for their investments, despite any other advantages that the Government may promise.

Naavi

Refer article in DH

Posted in Cyber Law

Rs 24600 crores per annum is the cost of Cyber Crimes in India

According to the 2013 Norton Report, the total cost of cyber crimes to India during August 2012 to July 2013 is estimated to be $4 billion (about Rs 24630 crores). This is 8% more than what was estimated for last year.

This cost is based on the “Amount spent by a user on replacing hardware or software as well as data after he/she has been subjected to a cyber attack”.

From the definition of the cost, it appears that Norton has only taken the “Technical aspects of Information Security” into consideration and used the “replacement cost” as the basis. The estimate appears not to have considered the “Legal Dimension” of information security, or the financial losses suffered by the victims, or the liabilities faced by the victims (whether actually incurred or not). Hence the estimate has completely ignored what the common man considers as the “Cost of Cyber Crimes”.

It is high time that security firms such as Norton realize that information security cannot be viewed as a one-dimensional concept of technology. The total cost of cyber crime includes the legal liabilities that may arise on account of a security breach incident. Additionally, costs related to manpower hardening (covering the third dimension in Naavi’s Total Information Assurance model) are also a cost of cyber crime.

However, from a corporate perspective and technical investments into information security tools, the Norton estimate may provide a useful insight.

Refer Report in ET

The study also revealed that nearly 48% of smartphone and tablet users do not take even basic precautions such as using passwords, having security software or backing up files from their mobile devices.

Norton Press Release

India Report

Naavi

Posted in Cyber Crime

Board Room Responsibility for Cyber Security

The undersigned has been highlighting the need for Directors of companies and the CEO to take responsibility for cyber security in an organization. Section 85 of ITA 2008, as well as Section 79, has clearly laid out the need for “Due Diligence”, without which Directors of companies may find themselves saddled with civil and criminal liabilities.

The infamous Baazee.com litigation dragged the CEO Mr Avnish Bajaj into a Court battle which prolonged for 8 years. Though he escaped conviction because of a technical error by the Police, which in reasonable probability could have been deliberate, the need for due diligence at Board level was well emphasized in the process.

This article in Forbes, titled “Boards are still Clueless about Cyber Security”, highlights that even in the US the level of Board attention on cyber security is still lacking. According to a Carnegie Mellon report,

71% of their boards rarely or never review privacy and security budgets
79% of their boards rarely or never review roles and responsibilities
64% of their boards rarely or never review top-level policies
57% of their boards rarely or never review security program assessments

If this is the situation in a compliance-sensitive corporate community like the US, one can imagine that the status in India can be pretty bad.

The undersigned has personal experience of how the well known CEOs of ICICI Bank, Axis Bank and PNB have shown absolute incompetence and arrogance in understanding the cyber security risks which have landed some of their customers in trouble, when confronted with complaints on phishing and other frauds. It is only when one or more of such celebrity CEOs find themselves confronting FIRs like Avnish Bajaj that they will realize their true responsibilities. However, as the wheels of justice grind slowly, it is possible that these executives may be long retired when the law tries to catch up with them. However, if the law can catch up with a retired executive like the Coal Secretary Mr Parakh, maybe one day the law will also catch up with the current CEOs of banks who are playing with customers’ lives by adopting commercially motivated risky banking policies.

It is high time that the Boards of all IT user organizations start devoting some attention to cyber security before it is too late.

Naavi

Also Read:

“Cyber Risk and the board of directors: closing the gap”

New Measures to Mitigate Mobile Banking Risks

Posted in Cyber Law