ATM Insecurity Exposed

In India, banks are pushing customers to interact with them only through ATMs. Even the RBI is encouraging this mode of interaction and discouraging customers from visiting bank branches.

As a result of this policy, bank customers are being exposed to increased levels of insecurity in their banking transactions. Apart from the various incidents reported in India involving skimmers and hacking of ATMs, the video linked below gives a clear indication of how unsafe the current systems are.

Please view this video, which contains a demo given at a hackers' conference.

A complete demonstration and details of how the systems were compromised are available here.

Related article in BankInfoSecurity.

In one of the attacks, the demonstrator reprogrammed the ATM remotely over a network, without touching the machine; the second attack required him to open the front panel and plug in a USB stick loaded with malware. The two attacks illustrate two distinct attack surfaces that any ATM security programme has to cover: the network interface through which the machine can be reached and managed, and physical access to the cabinet that houses the computer.

ATM fraud is therefore a threat looming large over Indian banks. Hence there is a need for a special ATM security mechanism to be introduced by the banks to protect themselves and their customers.

I hope the RBI will take note.

Naavi

Posted in Cyber Law

Outsourcing security of Banking transactions

The recent ATM frauds in Mumbai and elsewhere have re-opened the discussion on the risks arising out of “outsourcing” in the Indian banking scenario.

The commercial banks in India have grown so greedy that they are looking at every opportunity to outsource their activities to increase their margins. I was amused to read this report in the Economic Times, which appeared last year (July 5, 2012), titled “PSBs Strike Outsourcing Deal”.

The report highlighted how banks had reduced their ATM maintenance costs by inking a large outsourcing contract covering over 63,000 ATMs. It stated that the country was divided into zones and the right to maintain the ATMs in each zone was auctioned.

There is no doubt that it makes sense for commercial banks to consider outsourcing “non-critical” operations to reduce operational costs. However, in all such outsourcing arrangements there is a need to ensure security measures, since the liability for frauds ultimately rests with the bank, even though it may be indemnified by the service operator to some extent. Since the financial backing of the service operator is unlikely to be better than that of the bank, it is unclear how good these indemnities would be when a large-scale ATM heist takes place.

In most of the recent ATM frauds, the installation of skimmers, cameras and key loggers in the ATM premises has been suspected. ATM servicing personnel have also been involved in some of the frauds; outsourced staff with physical access to the machine are an insider threat that the bank's own controls must assume, not merely a third party to be indemnified. This tendency is likely to continue unless very strong measures are initiated by the RBI to protect ATM transactions.

The undersigned has made some low-cost suggestions in this regard for securing the ATM environment using two cameras and face-recognition-based identification of the customer, along with a guard lock on the ATMs, to reduce the risks substantially. If any bank is interested, implementation of such plans can be considered and tried on a pilot basis.

Naavi

Posted in Bank, Cyber Law, ITA 2008

Axis Bank ATM license should be cancelled by RBI

Axis Bank has been in the news for the wrong reasons in recent days, involving one kind of cyber fraud or another. There have been many phishing frauds and KYC failure reports, as well as organized money laundering in the bank. The bank has been defending itself in the courts by effectively manipulating the law to delay justice to genuine customers. The RBI has so far been mild in reprimanding the bank. It has only resorted to imposing fines for KYC failures and has not resorted to more drastic measures such as cancelling the licenses of branches where KYC failures were observed as part of a systematic procedure to boost branch business.

This mild reprimand by the RBI has enabled the bank to continue its “negligent banking”.

Way back in 2011, there was a report in the Hindu Business Line in which it was suspected that Axis Bank's ATM software could have been hacked (see report here). The more recent incident in Mumbai, where 29 customers found that their ATM cards had been cloned and used abroad to withdraw around Rs 13 lakh in cash (see report here), shows that Axis Bank continues to practise “negligent banking” and makes depositors' money vulnerable to frauds.

Today's Economic Times reports yet another ATM fraud, of Rs 80,000, from Gurgaon, in which another Axis Bank ATM is involved. In this case local fraudsters loitering in the ATM centre were involved.

In all these cases there is a clear indication that Axis Bank has failed to maintain a reasonable level of security at its ATMs, which has caused the losses. It is therefore time for the RBI to revisit its ATM security instructions and, if it is found that Axis Bank has been systematically neglecting security at its ATMs, to consider suspending or cancelling the bank's ATM licenses.

In one of the newspaper reports it is mentioned that Axis Bank would pay the victims from “insurance”. Axis Bank resorts to such settlements selectively, when the victims are celebrities. In the instant case the victims are policemen, whose assistance is perhaps required by Axis Bank to support its other not-so-legal activities. But when it comes to ordinary customers, Axis Bank is known to try every tactic to twist the law and harass the customers until they agree to bear the loss from fraud caused by the bank's negligence.

The RBI needs to examine the fraud reporting and management practices of Axis Bank, check whether the RBI's cyber fraud guidelines are being followed, and take steps to tighten security against frauds.

Naavi

Posted in Bank, Cyber Crime, Cyber Law

Cyber Surveillance in India

The public outcry over the US program “PRISM”, under which the US Government is said to be spying on the cyber communications of individuals, has naturally drawn some attention to the Indian situation.

Under ITA 2008 (Section 69) the Government has powers to intercept cyber communication on grounds of national security, prevention of cognizable crimes, etc. However, it is also true that Indian intelligence agencies often resort to interception without adequate legal sanction or procedures. Past indications clearly point to the misuse of intelligence for political purposes as well. Since India does not have a strong “privacy” law, it is presently difficult to prevent surveillance by intelligence agencies. The Government also uses the ISP licensing regime to gain access to ISP data.

It is believed that not only the Indian Government but also several other countries, such as the UK and Australia, have huge surveillance mechanisms in place.

Though the Government of India has recently stated that its national security agencies may tap only the metadata and not go into content, the assurance can only be taken with a pinch of salt. Individuals therefore need to rely on private encryption if they want privacy. It should be noted that encryption protects the content of a message but not its metadata: who communicated with whom, when, and how much remains visible to whoever can see the traffic, with or without the Government's assurance. Though the law may still be invoked by the Government to demand decryption, in the majority of cases the user would at least be aware that his communication is being monitored.

The biggest challenge for the security agencies is to ensure that their genuine need to carry on surreptitious surveillance of criminal activities is suitably met. In such cases the intelligence agencies may need to break the encryption themselves. Since breaking strong encryption could be difficult, any person using encryption could be treated as a “suspect” in the eyes of the Government and may be subjected to physical surveillance as well. The cost of securing the nation is therefore likely to skyrocket in the coming months.
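The distinction drawn in the two paragraphs above, between tapping metadata and reading content, and the observation that the mere use of encryption is visible to a watcher, can be made concrete. The following Python script is an added illustration and is not part of the original post: it wraps a message in an envelope whose routing information (sender, recipient, time, size) stays in the clear while the body is encrypted, then shows what a tap on the wire learns without the key and what only the key holder can read. The parties, message and key are constructed sample data, and the cipher is a standard-library toy (HMAC-SHA256 keystream plus an HMAC tag) used only so that the script runs offline; it is not a recommended construction.

```python
"""Added illustration (not from the original post): what an interceptor on the
wire learns from an encrypted message versus what the key holder learns.

The cipher is a toy built from the standard library (HMAC-SHA256 in counter
mode as a keystream, plus an HMAC tag over nonce and ciphertext) so that the
script runs offline; it is NOT a recommended construction. All names, the
message and the key below are constructed sample data."""
import hashlib
import hmac
import os
import time


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudorandom bytes from key and nonce (toy CTR mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, sender: str, recipient: str, plaintext: bytes, ts=None) -> dict:
    """Build an envelope: routing metadata in the clear, body encrypted and tagged.

    The metadata has to stay readable or the network could not deliver the
    message; that is exactly what a 'metadata only' tap collects.
    """
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return {
        "from": sender,
        "to": recipient,
        "time": int(time.time()) if ts is None else ts,
        "nonce": nonce.hex(),
        "body": body.hex(),
        "tag": tag.hex(),
    }


def open_envelope(key: bytes, env: dict) -> bytes:
    """Verify the tag and recover the plaintext; fails without the right key."""
    nonce = bytes.fromhex(env["nonce"])
    body = bytes.fromhex(env["body"])
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(bytes.fromhex(env["tag"]), expected):
        raise ValueError("tag mismatch: wrong key or tampered body")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def can_read(key: bytes, env: dict) -> bool:
    """True only if `key` opens the envelope, i.e. only the key holder can read it."""
    try:
        open_envelope(key, env)
        return True
    except ValueError:
        return False


def intercept(env: dict) -> dict:
    """What a tap that sees the envelope but holds no key can record."""
    return {
        "from": env["from"],
        "to": env["to"],
        "time": env["time"],
        "body_bytes": len(env["body"]) // 2,  # ciphertext length equals plaintext length here
        "encrypted": "tag" in env,            # the use of encryption itself is visible
    }


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"  # constructed sample key, not a real one
    env = seal(key, "alice@example.in", "bob@example.in", b"meet at 9", ts=1371000000)
    print("interceptor sees:", intercept(env))
    print("key holder reads:", open_envelope(key, env))
    print("interceptor can read without key:", can_read(b"wrong-key" * 4, env))
```

Run the script and compare the two outputs: the tap learns the parties, the time, the message size and the fact that encryption is in use, which is enough to single the sender out as a “suspect”, while the content is recoverable only by whoever holds the key, which is why a decryption demand has to be served on the user and cannot be satisfied silently from the wire.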

In order to find a solution to this problem, it is necessary for the Indian intelligence agencies to broker a treaty with the privacy community and establish a trusted relationship, so that the general public would not resort to widespread use of encryption and make national security costs prohibitive. For this purpose the Government should offer a system of monitoring of the surveillance agencies by a committee consisting of select members of the public, and put in place a strict regime of procedures ensuring that the mechanism would not be used for political or tax purposes.

Related article in ET.

Naavi

Posted in Cyber Law

IB Warnings on WeChat app

It is reported that Indian intelligence agencies have flagged a mobile application named WeChat, developed by the Chinese company Tencent, as a “threat”.

After the revelation of the US intelligence program PRISM, through which US intelligence agencies are reportedly spying on all communications passing through Google, Facebook, etc., it appears that intelligence agencies in India have also become a little more alert.

The threat of Chinese intelligence agencies intruding into Indian cyberspace is well known. WeChat may be one such application. However, there are bigger threats, since India imports a huge number of computers, laptops and mobiles from China, some of them branded, in which there could be backdoors at the OEM level.

Until the dependence on China for IT assets is removed, Indian cyberspace will remain vulnerable. Hence one important aspect of the Indian cyber security programme should be the encouragement of large-scale indigenous investment in cyber security research, and putting all Chinese products through a security check for certification.

I urge Indian corporates also to think in the direction of setting up specialized cyber security labs that can analyze source code and test hardware for security. The Government-backed security lab led by IISc Bangalore has lost credibility, since it is reported to carry substantial funding from the Chinese company Huawei itself.

Related Article:

Naavi

Posted in Cyber Law

Use of Aadhaar for cardholder authentication

It is reported that the RBI is considering the use of Aadhaar as a second factor of authentication for credit card transactions.

Report in TOI here

The cost of upgrading the card swipe mechanism at merchants to a biometric-capable instrument is being held up as a stumbling block. However, it is also necessary to examine whether the move has legal sanction.

First of all, the UIDAI bill is yet to become law. A case is before the Supreme Court to examine the validity of the scheme. But the Government is going ahead with the scheme, rendering it more and more difficult for the courts to cancel it.

Further, the current move talks of using Aadhaar for “authentication”. It is to be noted that “authentication” of a customer's instructions is the prime responsibility of the bank.

The move proposed by the RBI means that the UIDAI will be used as an outsourcing partner of the bank to examine and authenticate a customer of the bank. This raises the question of whether in this process the UIDAI will act as an “officer” of the bank and “pass payment instructions of the customer”, and if so whether this is legally within the mandate of banking.

If, however, this system of “outsourcing” is to be legitimized, the bank has to execute an SLA with the UIDAI authorities and follow the instructions on information security issued by the RBI for “outsourcing”, since the liability for a wrongly authenticated transaction would remain with the bank.

If these considerations are not taken into account, the move will contradict the RBI's own earlier instructions.

Naavi

Posted in Bank, RBI, Uncategorized