RBI’s responsibility in preventing Aadhar Misuse for Bank Frauds

I refer to the news report in Midday indicating a new modus operandi in the commission of a Bank fraud in India. This fraud has been committed as a combination of “Phishing”, “Security lapses at the victim’s Bank”, “Compromise of KYC by the mobile operator” and “Compromise of KYC by the collecting Bankers”. The compromise of KYC at the fraudster’s bank has been caused by the use of Aadhar identities.

So far we have seen the first generation of Bank frauds of this nature, consisting of “Phishing” associated with the opening of fraudulent accounts at receiving branches. To complete this fraud the fraudster had to steal the password of the customer and then also use several recipient accounts. To open such accounts he normally used fake PAN cards or other strategies. Opening and maintenance of such accounts, as well as the inability to spot the unusual nature of transactions during the fraud, amounted to “Negligence” of the collecting Banker and failure of the KYC process. This made the collecting bankers liable for the fraud along with the victim’s bank, where the authentication system used passwords instead of the legally mandated “Digital Signature”. As a result, the victim’s bank as well as the banks where the fraudster’s accounts were held became vicariously liable for the fraud.

This aspect has been brought to the attention of RBI and RBI has been issuing periodical guidelines to the Banks. Banks, on the other hand, have formed a cartel to oppose any moves by RBI to secure Bank transactions by improving the security. At the same time they have pushed RBI to introduce more insecure technology such as Mobile Banking. RBI has been a mute spectator to this technology invasion and the gradual erosion of Bank security.

It is not out of place here to mention that the Ministry of Communication and Information Technology has been procrastinating on the appointment of the Presiding Officer of the Cyber Appellate Tribunal and preventing legal remedies from being available to the victims of cyber crimes.

RBI has to take the responsibility for having made Bank security dependent first on the OTP system and now on the Aadhar system. The linking of Aadhar to bank accounts was suggested by the UPA Government as a means of transferring certain subsidies directly to the beneficiaries. What this has achieved is a dilution of KYC at the bank level and dependence on Aadhar as the sole KYC to open the accounts. These Aadhar account holders have now become the facilitators of the fraud and have to face the prospect of jail. They can thank UPA for this favour!

There is an immediate need for RBI to reconsider its wisdom of linking Aadhar to the opening of Bank accounts and to alert all the Banks to the possibility of Aadhar being misused.

Naavi

Posted in Bank, Cyber Crime

Do not link Aadhar to your Bank account

I observed during the Aadhar registration process in Bangalore that by default the registrar was encouraging registrants to link their Bank accounts to the Aadhar application. The risk associated with such a process has been highlighted by the fraud reported in Midday.

According to this report a fraudster operating from China had used the information to open fake accounts in the name of several Aadhar card holders in six different locations and transfer about Rs 1.75 lakhs to those accounts from the account of the victim.

This is an indication that the bank which opened the fake accounts was grossly negligent in opening the accounts using the Aadhar linkage as a KYC process.

Of course the case also involves fraudulent access at the Bank where the account was kept and the failure of the OTP system relied upon by the RBI is also indicated. The fraudster seems to have blocked the SIM card of the bank customer and diverted the SMS messages as well as probably the OTP messages. The mobile company also appears to be at fault in the process.

Though legally the Bank where the account was kept, the Mobile Company and each of the Banks where the fake accounts were opened are all liable for both civil and criminal consequences, including the liability to compensate the victim, the process of initiating suitable action in this regard and recovering the amount requires effort, more so since Bankers act as rogues and bully the customers into absorbing the liability themselves or persuade them to follow up with the Police.

Naavi has been pursuing several cases of this sort and has found that Banks have friends in many places to delay the delivery of justice. I hope RBI will wake up to recognize its folly in depending on OTP in the first place and then on Aadhar in the second place. These strategies have subordinated Bank security to the security of the Mobile and Aadhar systems. Since these are weak at present, Bank systems have also been rendered weak. This is a serious policy lapse. In future cases of such nature, I will not be surprised if RBI is also made a party to the fraud for its own negligence.

Naavi

Posted in Bank, Cyber Crime, Cyber Law

Cloud Computing and ITA 2008

Though “Cloud Computing” has been under discussion for the last 4 to 5 years, the rate of adoption is considered slower than expected. One of the main reasons is that during this period, while there have been new developments in the cloud computing arena, the cyber law regime has also made progress and is becoming more and more stringent. This has put a spanner in the growth of Cloud computing by raising Information Assurance barriers.

In a recent survey of 2,000 CIOs, a Gartner report has reportedly revealed that the execs’ top tech priorities for 2013 include cloud computing in general, as well as its specific types: software as a service (SaaS), infrastructure as a service (IaaS), and platform as a service (PaaS). No surprise there. (Infoworld)

In this context we can look at the Indian scenario and examine the legal structure to understand whether it is supportive of Cloud Computing either for Indian corporates to use or to offer as service.

The legal background for cloud computing in India is provided by ITA 2008 (Information Technology Act 2000 as amended in 2008). There are also administrative policies of the Government of India issued from time to time, as when the controversy over the Blackberry service broke out.

ITA 2008 incorporates some data protection aspects, and Sections 43A and 72A provide for contractual bindings to be placed between contracting parties who may share sensitive and other data, failure of which could lead to civil and criminal liabilities. However, the “Deterrence impact” of these sections is low. Section 43A has been diluted by the April 11, 2011 notification on “Reasonable Security Practice”, since holding an ISO 27001 audit certificate has been equated to sufficient security. Such security is completely unreliable for Cloud users.

Additionally, the Department of IT has increased the confusion on cloud security through the ISP guideline which restricts the encryption of data transmitted over the ISP network to 40 bits. Naavi has been of the opinion that this is only an ISP guideline and hence affects intra-ISP data transfer and does not impose a legal restriction on client-to-ISP transmission. While this could be the legal reality, the Government can always push its own interpretation if necessary through retrospective legislation, and hence this remains a sword of Damocles for Cloud users intending to use higher levels of encryption.

Sometimes the Government of India tries to bypass the law with administrative guidelines whose legal backing is drawn from the “need to protect the interest of sovereignty and integrity of the country” etc. Such arguments have been used by the Government on many occasions, including for the protection of politically powerful personalities, as was evident in the Section 66A related controversies in the country in recent days. As a result the “National Interest” clause has been significantly diluted. Irresponsible utterances of the Home Minister of the country in recent days on terrorism have also further diluted the concept of “National Interest” and subordinated it to the interests of the ruling political party.

We therefore face a grim situation where international users of Cloud services are unable to trust the Indian legal system.

If India has to adopt Cloud Computing, either as a tool for more efficient and economical deployment by Companies or for enabling it as a “Service” and harnessing the growing global opportunities, there is therefore a need to create a “Trusted Data Management Regime” in India. According to some estimates, by 2020 one-third of the global data will move to the cloud. Such a development would mean that India’s pre-eminent position in the IT industry cannot be sustained unless we make significant progress towards setting up Cloud supporting data centers in India, which inter alia depends on what assurances we can provide for data security under law and how we can create trust that there will be no political interference in the legal regime.

In our opinion, this is a huge opportunity in IT dependent on developing a trusted secure data management regime and in the interest of our economic development we need to do whatever is required to develop such “Trusted Secure Data management Regime” in India. This may ideally be achieved through a new law or a major amendment to ITA 2008.

I invite discussions from the public on this aspect.

Naavi

Posted in Information Assurance, Privacy

Risk Assessment, the ISO maze

Extensive promotion has made ISO 27001 the key recall when we think of “Risk Assessment”. No doubt ISO 27001 is the most popular ISMS framework. The fact that it lends itself to certification makes it attractive to organizations which want the certificate to plug some compliance requirements.

However, ISO is a maze. It is an excellent strategy for ISO to make money by creating numerous documents and specifications sold at fancy prices. But for the users, the multiple frameworks with overlapping provisions make it increasingly difficult to cut through this maze and find out what is good for an organization.

While many are still confused by the ISO 9000 series and the 27000 series themselves, of late more terminologies are coming out into the open. For example, what is ISO 31000? What is ISO 20000-1? What is ISO 22301? How are they related to ISO 27001? These are questions that often arise in the minds of corporate executives who need to take decisions about budgeting the ISO audits.

ISO 27001 is an ISMS standard focused on the keyword “information” protection. An information asset is “anything that has a business value”. In other words, if an organization is seeking to protect all forms of information against unauthorized access (Confidentiality), unauthorized modification (Integrity), and loss and destruction (Availability), the standard provides a series of controls that enables you to pick and choose those that are relevant based on a formal asset-wise risk assessment. ISO 27001 certification involves 133 controls which aim at a combined secure architecture with preventive and detective controls, and which encompass procedural, physical, technical and personnel controls.

On the other hand, the ISO 31000 standard aims to cover almost all areas of organizational risk. So it covers personnel, operations, information, and financial risk. It is however a generic standard and does not cover the specifics. This is not a certification standard, and organizations use it to compare best practices. Unlike other standards, the degree of implementation and interpretation is left to users and the advisers/consultants/internal auditors used by the organization. In comparison, ISO 27001 addresses specifics and requires asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.

The latest in the standard family (in terms of inclusion of the word ‘risk’) is ITSM – ISO 20000 certification, which is aimed at making the traditional IT organization/department free from service risk. It is aimed at making IT a ‘service’ department, and the standard has best practices aligned with ITIL. You would choose this if you wish to make your IT a “service” organization. A “service” catalog is a starting point for this and makes your organization align with business objectives.

Further, ISO 22301 – ‘societal’ business continuity management system – is an upgraded version of BS 25999 and gives more meaning to the scope of business continuity. ISO 22301 certification showcases the ability of an organization to demonstrate its ability to deliver in case of a disaster.

Within the ISO 27000 family, every standard from the ISO 27000 series is designed with a certain focus: if you want to build the foundations of information security in your organization and devise its framework, you should use ISO 27001; if you want to implement controls, you should use ISO 27002; if you want to carry out risk assessment and risk treatment, you should use ISO 27005; etc. There is a logic to the multiplicity, though it is rather convoluted.

If we look through the above standards, it is clear that ISO is creating more confusion in the IS implementation community and trying to offset competition from other frameworks such as COSO or COBIT by creating multiple standards within its own fold.

It must be noted that most organizations have used and continue to use ISO 27001 to show their continuity maturity. It is not clear if the ISO organization expects corporates to implement ISO 31000 or ISO 20000-1 for building a security culture and to certify with ISO 27001 and ISO 22301, so that ISO gets multiple revenues. This also results in a multiple cost burden on the organizations, which will certainly hurt the brand ISO.

One would not be surprised if this strategy, borne out of a typical brand marketing exercise of the kind used in the marketing of consumer products such as soaps and shampoos with adjectives such as “New”, “New and Improved” etc., backfires in the more informed Information Security market. Companies would soon find it more comfortable to back other frameworks which are sure of what they are doing.

I hope the Government of India (DIT) which has given an unfair, unconstitutional, misleading parliamentary endorsement for ISO 27001 in its “Reasonable Security Practices” notification of April 29, 2011, takes note of this situation and understands that it is backing up the wrong horse.

Naavi

Posted in Information Assurance, Uncategorized

HIPAA Final Rule 2013-Data Breach Notification

Data Breach Notification (DBN) has been one of the most contentious issues of the HIPAA regulations. Presently a breach of unsecured protected information, either at the Covered Entity or at the Business Associate entity, needs to be reported to the affected individuals, the HHS and the media by the Covered Entity. While the public wants such disclosure, business organizations were wary of the disclosure because of the possibility of loss of reputation and the creation of panic on account of innocuous and accidental breaches.

Taking into consideration both sides of the arguments the Final rule has made the following suggestion.

“Breach notification is not required if the covered entity/Business Associate can demonstrate through a risk assessment that there is a low probability that the PHI has been compromised”

The final rule has also provided some guidelines for the risk assessment, stating that the following aspects need to be considered along with any other relevant matters:

(1) the nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
(2) the unauthorized person who used the protected health information or to whom the disclosure was made;
(3) whether the protected health information was actually acquired or viewed; and
(4) the extent to which the risk to the protected health information has been mitigated.

As a corollary, covered entities and business associates should examine their policies to ensure that when evaluating the risk of an impermissible use or disclosure they consider all of the required factors.

Such a risk assessment must be conducted following both impermissible uses and impermissible disclosures (that do not otherwise fall within the other enumerated exceptions to breach).

Covered entities and business associates need to investigate an impermissible use or disclosure to determine if the protected health information was actually acquired or viewed or, alternatively, if only the opportunity existed for the information to be acquired or viewed.

Further, Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised.

A “post suspected breach audit” is therefore mandatory.

It is also clarified that for determining the time by which the notice is to be sent, the period is to be calculated “from the date of discovery” and not from the date of occurrence. However, it is reiterated that the 60 day limit is only an outer limit and the notice has to be provided within a reasonable time, at the earliest.
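As an added illustration (this is example code written for this page, not part of the original post and not any HHS or covered-entity tooling), the following Python sketch records one impermissible use or disclosure against the four factors above, computes the outer notification limit from the date of discovery rather than the date of occurrence, and emits an audit record of the kind a “post suspected breach audit” would need. The pass/fail policy in `low_probability_of_compromise` (every factor must point to low risk, and an incomplete investigation never supports a “low probability” finding) is a deliberately conservative assumption of this example, not the rule’s own test; the two sample incidents are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Outer limit stated in the post: the clock runs from the date of discovery.
OUTER_LIMIT_DAYS = 60


@dataclass
class BreachAssessment:
    """One impermissible use/disclosure, assessed against the four factors."""
    incident_id: str
    occurred_on: date
    discovered_on: date
    # Factor 1: nature and extent of the PHI, identifiers, re-identification likelihood
    identifiers: Tuple[str, ...]
    reidentification_likely: bool
    # Factor 2: the unauthorized person who used or received the PHI
    recipient: str
    recipient_bound_by_hipaa: bool
    # Factor 3: actually acquired or viewed? None = investigation not yet complete
    actually_acquired_or_viewed: Optional[bool]
    # Factor 4: extent of mitigation (e.g. satisfactory assurances or destruction)
    assurances_obtained: bool
    notes: List[str] = field(default_factory=list)

    def notification_deadline(self) -> date:
        """Outer limit for notice: discovery date + 60 days, never the occurrence date."""
        return self.discovered_on + timedelta(days=OUTER_LIMIT_DAYS)

    def low_probability_of_compromise(self) -> bool:
        """Illustrative conservative policy (an assumption of this example): every
        factor must point to low risk, and an unfinished investigation (factor 3
        unknown) can never support a 'low probability' finding."""
        if self.actually_acquired_or_viewed is None:
            return False
        return (
            not self.reidentification_likely
            and self.recipient_bound_by_hipaa
            and not self.actually_acquired_or_viewed
            and self.assurances_obtained
        )

    def notification_required(self) -> bool:
        return not self.low_probability_of_compromise()

    def audit_record(self) -> Dict[str, object]:
        """Entry for the post-suspected-breach audit trail: every factor considered,
        the conclusion reached, and the deadline that follows from it."""
        return {
            "incident_id": self.incident_id,
            "factor_1_identifiers": list(self.identifiers),
            "factor_1_reidentification_likely": self.reidentification_likely,
            "factor_2_recipient": self.recipient,
            "factor_2_recipient_bound_by_hipaa": self.recipient_bound_by_hipaa,
            "factor_3_acquired_or_viewed": self.actually_acquired_or_viewed,
            "factor_4_assurances_obtained": self.assurances_obtained,
            "low_probability_of_compromise": self.low_probability_of_compromise(),
            "notification_required": self.notification_required(),
            "notify_by": self.notification_deadline().isoformat(),
            "notes": list(self.notes),
        }


# Constructed sample incidents (hypothetical, not real cases).
MISDIRECTED_FAX = BreachAssessment(
    incident_id="EX-001",
    occurred_on=date(2013, 4, 1),
    discovered_on=date(2013, 4, 3),
    identifiers=("name", "date of service"),
    reidentification_likely=False,
    recipient="another covered entity (wrong fax number)",
    recipient_bound_by_hipaa=True,
    actually_acquired_or_viewed=False,
    assurances_obtained=True,
    notes=["recipient confirmed in writing that the fax was shredded unread"],
)

LOST_LAPTOP = BreachAssessment(
    incident_id="EX-002",
    occurred_on=date(2013, 3, 28),
    discovered_on=date(2013, 4, 3),
    identifiers=("name", "SSN", "diagnosis"),
    reidentification_likely=True,
    recipient="unknown",
    recipient_bound_by_hipaa=False,
    actually_acquired_or_viewed=None,  # nobody knows who has the device
    assurances_obtained=False,
    notes=["device unencrypted; remote wipe not possible"],
)

if __name__ == "__main__":
    for incident in (MISDIRECTED_FAX, LOST_LAPTOP):
        print(incident.audit_record())
```

Note that the lost-laptop case yields a deadline six days later than a clock started at the occurrence date would, which is exactly the distinction the post draws; the audit record keeps the factor-by-factor reasoning so the conclusion can be defended later.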

Naavi

Posted in HIPAA

HIPAA Final Rule 2013-Definitions

The HIPAA final rule 2013 made effective from March 26, 2013 makes a few important changes in the definitions.

Firstly, the definition of “Business Associate” has been expanded to include “Patient Safety Organizations”. Hence Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission, as well as Vendors of Personal Health Records, will be considered “Business Associates”, and such Business Associates will be directly covered by the obligations of the Privacy, Security and Enforcement rules.

Secondly, any “Sub Contractor” of the business associate will also be considered covered under the provisions of the Final rule as applicable to Privacy, Security and Enforcement. For this purpose, a Sub Contractor means “a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.” Hence the provision of obtaining satisfactory assurances for meeting HIPAA obligations extends to Sub Contractors as much as to the primary business associates.

The third definitional aspect that is modified by the Final rule is to define that the term “PHI” extends to the information of a deceased person up to a period of 50 years after death.

Naavi

Posted in HIPAA