Bank Muscat suffers $39 M loss

Posted on May 10, 2013 by Vijayashankar Na

Hacking of a Credit Card payment processing service provider in Bangalore has reportedly caused compromise of sensitive customer data for a Muscat Bank resulting in a loss of US$39 million. The Bank has claimed that no customer has suffered a loss. (Report). This means that the Bank is going to absorb the loss and does not try to transfer it to the customer on some pretext.

According to a NewYork Times report, the operation involved people in more than two dozen countries acting in close coordination. In New York City alone the thieves withdrew about S 2.4 million from ATMs in over 2904 machines over a period of 10 hours.

The entire exercise involved “Hacking”, “Manipulation of information” and many street criminals to withdraw cash. Police have arrested 8 persons in New York in this connection and tried to unravel the modus operandi. . The incident indicates how the criminals were able to steal data from banks in one country, relay that information to a far-flung network of  cashing crews, and then have the stolen money laundered in purchases of luxury items like Rolex watches and expensive cars. It is reported that some of the thieves were carrying money in bulging carry bags reminding one of movie scenes of the “Ocean” series.

As a first stage  of the operation, hackers infiltrated the system of an  Indian credit-card processing company that handles Visa and MasterCard prepaid debit cards. Then the hackers,  raised the withdrawal limits on prepaid MasterCard debit accounts issued by the National Bank of Ras Al-Khaimah, also known as RakBank, which is in United Arab Emirates. Then  by using prepaid cards, the thieves were able to take money without draining the bank accounts of individuals, which might have set off alarms more quickly.

The first set of operations were done in December 2012. With five account numbers in hand, the hackers distributed the information to individuals in 20 countries who then encoded the information on magnetic-stripe cards. On Dec. 21, the cashing crews made 4,500 A.T.M. transactions worldwide, stealing $5 million using the cloned cards.

After this, the organization grew bolder, and two months later it struck again — this time nabbing $40 million. On Feb. 19, cashing crews were in place at A.T.M.’s across Manhattan and in two dozen other countries waiting for word to spring into action.

This time, the hackers had infiltrated a credit-card processing company based in the United States that also handles Visa and MasterCard prepaid debit cards. After securing 12 account numbers for cards issued by the Bank of Muscat in Oman and raising the withdrawal limits, the cashing crews were set in motion. Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours.  This included  New York City where, a team of eight people made 2,904 withdrawals, stealing $2.4 million.

By all accounts this appears to be one of the “Great E Banking Robberies” of our times and the impact could be huge. It is not only the individuals who should be concerned about such a crime affecting them individually, but the Bankers themselves who should appreciate the level of risk that they are exposed to in such transactions.

Additionally we also observed in Mangalore an ATM theft of cash by two employees of a Cash loading firm (See report here) it is clear that Indian Banks are sitting on a volcano called “Unsafe E Banking”. At this level the incident isto be treated actually a “National Risk” which may seriously hurt the Indian economy and take suitable steps to address these risks.

Naavi

Posted in Cyber Crime, ITA 2008 | 2 Comments

M S Dhoni in legal trouble

Posted on May 6, 2013 by Vijayashankar Na

Indian Cricket Captain Mr M.S.Dhoni has been caught in a serious controversy related to an advertisement where Dhoni has modelled himself as Lord Vishnu and holding several products in his hand  including a shoe in one of his hands.

A case has been filed in Bangalore by an advocate  for the reason that the picture is hurting the sentiments of Hindus.

It is not clear if the picture is an advertisement modelled by Mr Dhoni or a cover page image created by Business Today. If this a creation of the business today art director, legal action has to be taken against the art director and the editor of the magazine. Mr Dhoni in that case needs to initiate his own legal action against Business Today.

It is alleged that the magazine is on stands since April 14 and Dhoni has not taken any action in this regard. Hence a clarification is required to be given by him immediately.

Naavi

Posted in Cyber Law | 1 Comment

Drawing the attention of SEBI on Karvy Consultants

Posted on May 5, 2013 by Vijayashankar Na

Karvy Consultants is one of the prominent share registrars in the country besides engaging themselves in trading and demat services. It is good if such a prominent registrar is serious about the legal responsibilities such as the requirement of KYC for share holders. However, Karvy appears to have lost sight of the basic purpose of share registry service which is to provide a facilitation for share investors to manage their investments. Karvy uses the requirements under KYC to harass the investors. I am not sure if this is a ploy to make more such investors to use Karvy sister company services for demat and trading services or is a simple inefficiency issue.

For the last several years I have been having a running battle with Karvy to get my addresses in some of the companies where I held shares changed. I have been an investor in the pre-demat era and most of my holdings were from the era where KYC was not a norm for either application for shares or for registration of shares. Share registers were held by respective companies and the system of recording proper name and address was not fully developed. There used to be number of mistakes in spelling in the names even in the share certificate itself. Spelling mistakes in addresses did not matter since the postal authorities would deliver the dividend warrants and other communication despite small errors. Hence the system was tolerant of some human errors in recording correct name, initials and address.

With the computerization, the deficient records got computerized along with the deficiencies and some times more of it. In the last few years there have been a spate of different identity documents issued to investors which has complicated the issue further. Presently documents such as the Passport, Aadhar Card, Bank Passbok, PAN Card, Ration Card, Voter Card, Driving license are all used as identity documents. Land line Phone bills, Electricity bill or Gas bill is often used as address proof.

These documents become defining documents which determine the KYC formalities. When there are discrepancies in such documents and they are not compatible, it gives raise to a serious difficulty in transactions involving KYC.

In the net world also we find such multiple IDs creating a problem either on the e-mail or social network. Some foreign digital signature certificate issuing companies provide facilities for attaching multiple e-mail IDs to one digital certificate which solves problems arising out of such multiple e mail IDs.

In view of the computerization and inconsistencies in different documents the inconsistencies in different ID documents and also the errors in registration of investors is creating a serious problem to genuine investors.

I have been personally experiencing the difficulties in this regard and the harassment I have felt from Karvy has forced me to go out of new investments and almost abandon my earlier investments. Add to this the Companies which have been de-listed and not traceable, Corporate investments have become untenable except for professional investors. These problems will get compounded when the investments need to be inherited by the legal heirs. Many legal heirs will be unable to encash or transfer the securities owned by their parents.

It is the responsibility of SEBI to find a solution to this problem.

For example, I am registered with several companies as share holders in names such as “Vijayashankar Nagaraja Rao” which can be taken as an official name. But in its rendition, the name may be written as “Vijayashankar Nagarajarao”, “Na.Vijayashankar”, “Vijaya Shankar” (with or without initials), “Vijaya Shanker” (with or without space and initials) etc. Similar issues may arise in the rendition of names for the joint account holder which will add one more name along with errors in its rendition. I am sure that there are others with more complicated name structures who may have even more problems.

When a registrar like Karvy needs to complete KYC for such investors, they need to know how to overcome what apparently is a human error in registration of names.

My experience with Karvy is that they often misplace old records and whenever a new transaction is to be done, they hold the transaction and request for new KYC. In my case they have held back address change requests and demat requests on the basis of signature differences and KYC requirements. I suspect that the reason is because they must have lost the old records and want to only update the records with new documents.

There is no issue on updation of records except that according to the procedure which Karvy has introduced, the share holder needs to spend around Rs 325/- for each change along with the physical problems associated with getting a Rs 100 stamp paper, an affidavit thereon and a letter from a Bank (Forw hcih Banks charge a hefty amount as fees) . Even after this, it is not possible to fulfill the formalities entirely to the satisfaction of Karvy since the documents are badly drafted in the first place.

I therefore urge SEBI to take a fresh look at the problems and design a proper procedure to set right the human errors that have crept into the system. One suggestion I have is that I should be permitted to create one “Omnibus Identity Affidavit” which can be usedd across companies and across registrars, demat agencies and Banks where I declare that ” I hold multiple IDs in the following different renditions. My recommended name rendition is ………, I authorize all agencies to make suitable changes in their records to synchronize with my main ID document which is my Passport where my name is rendered as ….  and my address is rendered presently as ……… I indemnify such agencies against any loss they may suffer on account of such change.”. ..etc

Copies of such affidavits should be considered sufficient for every KYC application. Beyond this, if the agency has issues, they should conduct a personal inspection and complete the process. If after this, they are not satisfied with the request for change, then they may handle such cases as exceptions through a responsible personal relationship manager.

Karvy consultants have in my case failed to respond even to such documents submitted  and have created irreparable damage to my investment holdings which are stuck . I have suffered financial losses on account of the unreasonably rigid and untenable stand that they have taken in relation to KYC. I urge that they should take a fresh look at their procedures. I also urge SEBI to take suitable action in this regard to introduce acceptance of an “Omnibus Identity Affidavit”

If Karvy or SEBI need further information on my particular problem, I am willing to share the details. However, what I am looking forward is a system change which will be helpful to all investors who have such problems.

Naavi

Posted in Cyber Law | Leave a comment

Karnataka Human Rights Commission forces reopening of Adjudication in the State

Posted on May 3, 2013 by Vijayashankar Na

Karnataka State Human Rights Commission has done a yeomen service to the Cyber Crime victims of Karnataka by facilitating the reopening of the Adjdudication under ITA 2008 in the State.

It may be recalled that the IT Secretary of a State is the “Adjudicating Officer” of a State under ITA 2008 and has sole jurisdiction to adjudicate civil compensation claims under iTA 2008 for any contravention of ITA 2008 where the compensation claimed is less than Rs 5 crores.

Unfortunately, the earstwhile IT Secretary of the State namely Mr M.N.Vidyashankar had ruled that no cases can be registered for contraventions under Section 43 of the Act either by a Company or against a Company. This ruling though absurd defined the legal position in the State since around December 2011.

Naavi has been fighting to get this ruling reviewed and had been repeatedly knocking at the doors of the IT Secretary, Chief Secretary as well as the ministers such as Mr Suresh Kumar, Mr Yeddyurappa, Mr Sadananda Gowda and Jagadish Shettar. However none had taken any action so far.

The last letter written in this regard to the new IT Secretary had been marked as a copy to the Karnataka State Human Rights Commission since non availability of judicial redressal is a matter concerning “Human Rights”. The Commission took cognizance of the matter and issued notices to the parties mentioned in the complaint which included the Chief Minister of the State.

A few days back, the Chief Minister’s secretariat had sent an acknowledgement stating that necessary directions had been given to the IT Secretary. Yesterday, one of the complainant who has been adversely affected in the process received a communication that the current IT Secretary has decided to review the case and take up fresh hearing. We hope that other pending cases in a similar status will also come up for review.

Naavi.org welcomes the decision of the new IT Secretary and thanks the Karnataka Human Rights Commission for having taken up the cause of the public of Karnataka. Even before the Commission could have a hearing, positive action has already been initiated by the IT Secretary and it comes as a very pleasant surprise.

Naavi

Posted in Cyber Crime, ITA 2008 | Leave a comment

Competitive Compliance is the need of the hour.. Naavi

Posted on May 3, 2013 by Vijayashankar Na

Speaking at the workshop on Safe E Banking, Naavi highlighted the regulatory aspects of Information Security in E Banking and the need for compliance. Speaking on the Risk mitigation guidelines released by RBI on February 28, 2013 and the fast approaching deadline for implementation by June 30, 2013, Naavi indicated that the regulations were a continuation of the G.Goplakrishna Working group (GGWG) recommendations and various other guidelines. He also pointed out that the GGWG as well as other regulatory guidelines had provided a time bound implementation plan for Bankers.

Refering to the comment of Mr G.Gopalakrishna during his introductory speech that the compliance of GGWG recommendations were only aroudn 38%, Naavi urged bankers to take urgent steps to improve the level of compliance.  In this context Naavi stated that what is required for Bankers is not only comply with the provisions of the GGWG recommendations but try to excel further as new technologies unfold. He pointed out that some Banks have a tendency to wait for other larger banks to comply before undertaking their own compliance measures and expressed his wish that Banks develop a sense of “Competitive Compliance” trying to do things better than other peers. He reminded that GGWG provided the “Flexibility” for the use of technology except where it was legally mandated and hence each Bank can explore better ways of achieving the security objective considering the GGWG recommendations as the base requirement.

Naavi

Posted in Bank, Information Assurance, RBI | Leave a comment

Security Protocol for Bankers

Posted on May 3, 2013 by Vijayashankar Na

E Mudhra consumer Services, a company associated with the certifying authority, E Mudhra, has announced launch of what it calls as an online banking security protocol. The product named “TRUSTFACTOR” is a combination of an authentication server solution, digital signature certificates, customized crypto-tokens and a secured process for issuance, The Company is also setting up certain dedicated centers which will provide a customer interface for issuance of digital certificates.

(See report here)

The initiative appears promising.

Naavi

Posted in Cyber Law | Leave a comment