Axis Bank Files Writ petition against Adjudicator of Karnataka

Posted on May 16, 2013 by Vijayashankar Na

In an interesting development in Bangalore, Axis Bank which is a business client of the Government of Karnataka for e Governance payment system management  has filed a writ petition against the Principal Secretary IT and BT of the Government of Karnataka in his capacity as the “Adjudicator of Karnataka”. It may be noted that  “Adjudication” is an institution having powers of a Civil Court, regarding the administration of the Adjudication system under Information Technology Act 2000 amended in 2008 (ITA 2000/8) and the “Adjudicator” is having the powers equivalent to a Civil Judge. Hence the writ petition is on a judicial authority filed before the High Court.

The Writ petion number WP 21049 of 2013 will be heard for admission by the Principal bench of the High Court of Karnataka today in Bangalore.  The Writ petition has been filed objecting to the proceedings in the adjudication complaint filed by M/S Gujarat Petrosynthese Ltd. (GPL) a company which as a customer of Axis Bank had lost Rs 39 lakhs due to a suspected Phishing activity.

GPL had  filed an adjudication complaint in 2011 against Axis bank and several other Banks involved in the laundering of the proceeds. In December 2011, the then Adjudicator had abdicated jurisdiction on the issue and dismissed the complaint as not maintainable under Section 43 of ITA 2008.

The ground for rejection was that Section 43 can be invoked by a “Person” and the term “Person” means only an “Individual” and GPL was a Corporate entity and hence it cannot invoke the section. Immediately thereafter the same Adjudicator dismissed another Complaint of Mr Rajesh Yadav Vs ICICI Bank  again on phishing (filed earlier and held pending for judgement), under the same premise holding that “ICICI Bank” is a corporate entity and hence deciding that the complaint was not maintainable.

Thus the adjudicator had categorically opined that Section 43 cannot be invoked either against a Company or by a Company.

It may be noted that Section 43 inter alia also defines the offences under Section 66 which covers almost all Cyber Crimes arising out of unauthorized access, unauthorized downloading, Virus introduction, causing damage or denial of service, assisting another person to contravene, charging a service to another person (creidt card frauds) and any offence involving modification, deletion of data or diminishing in the value of information residing inside a computer etc.

As a consequence of the decision, Section 43 and by implication Section 66  could not be invoked by any company nor against any company. This meant that a substantial part of ITA 2008 was made irrelevant for the corporate sector. It also introduced anomalies such as rendering around 15 lakh digital certificates issued by Corporate Certifying Authorities infructuous by questioning the validity of the license issued to the Certifying Authority itself.

The undersigned therefore found that the decision  created an unhealthy precedent. It was considered so bad that the image of the Adjudication system in general which involved IT Secretaries across the country as well as the image of Karnataka as an IT Savvy State were seriously jeopardized. Readers may refer to other articles written in this blog over a time on this aspect.

A review petition had bee filed by the complainant (GPL) a day after the decision in December 2011  to protect the image of the State’s legal system for Cyber Crimes apart from protecting its own right to fair and equitable justice.

Unfortunately the Adjudicator kept the review pending without assigning any reason. During this period no adjudication applications could be filed in Karnataka against any companies or by any companies. There was therefore a void in the judicial system concerning contraventions of ITA 2008.

With several complaints being made to different authorities on the prevailing “No Judicial Redresss through Adjudication for Cyber Crime Victims in Karnataka”, the Karnataka State Human Rights Commission took cognizance of the adverse impact of the state of affairs on the Human Rights aspect and took up the issue with the State Government.

It is understood that the current Adjudicator (IT Secretary) sought the opinion of the Law department and upon their advise considered that the ground “Person does not include Corporate entity for the purpose of Section 43” was not tenable and accepted the request for review made by GPL and re started the process with a hearing scheduled for May 15, 2014.

On 14th May 2013, a day earlier around 4.00 pm, Axis Bank filed a Writ Petition (WP 21049/2013) at the High Court of Karnataka against Mr S.N.Prasad, the Adjudicator of Karnataka seeking cancellation of the order to re start the hearing. On the basis of the petition which was pending admission, Axis Bank requested the Adjudicator to stop the hearing on 15th May 2013. However the request was rejected and next date of hearing was posted for May 31, 2013.

In the meantime the writ  petition was modified  by naming  the “Adjudicator” by designation as the first respondent and GPL as the second respondent instead of S.N.Prasad as the only respondent. This petition is coming up for consideration of admission on 16th May 2013 at the principal bench of the Karnataka High Court.

The issue is of great importance since it challenges the provisions of Section 61 of ITA 2008 along with powers of Adjudication under Section 46 of ITA 2008. It also challenges the views of the State Human Rights Commission though the fact might not have been brought out in the petition.

It is pertinent to note that a similar petition had been filed by Punjab National Bank in the High Court of Madras last year challenging the jurisdiction and procedures adopted by the Adjudicator. The Honourable High Court of  Madras however dismissed the petition and directed that the Adjudicator may continue the proceedings.

We hope that Axis Bank would disclose the background to the Karnataka High Court before seeking any remedy.

I request the media in Bangalore to take note of the incident and ensure that the process of speedy justice envisaged under ITA 2008 is available  to the Cyber Crime victims of Karnataka.

Naavi

 

Posted in Bank, Cyber Crime, ITA 2008, Uncategorized | Leave a comment

$100 million stolen every day on the Internet

Posted on May 15, 2013 by Vijayashankar Na

The recent $45 million ATM fraud has attracted the attention across the globe for the ingenuity and global coordination of criminals that it represents. However it is good for people to realize that experts believe that this was only a “Half day” remuneration of the cyber criminals. It is estimated that over $100 million is stolen each day on the internet.

Probably the Information Security specialists should take note that the challenge ahead of them is enormous.

Naavi

Posted in Cyber Law | Leave a comment

Card Related Frauds and EMV Cards

Posted on May 14, 2013 by Vijayashankar Na

The recent Great E Banking Fraud in which $45 million was withdrawn in cash through ATMs after modifyng card data in the back end systems has triggered a fresh debate on how the security can be improved in card usage.

According to various surveys it is reported that 27% of the card holders around the world have experienced fraud in the past five years (See here). The average loss has been however int he region of $400. The current $45 million fraud is an exception since the modus operandi was to remove the card limit. Another observation is that frauds are significantly lower in Europe and are higher in US.One of the reasons for this is that Europe has migrated to Pin and Chip technology (EMV-Europay, Master, Visa standard) while US is still in the Magnetic Stripe technology.

Security experts have been telling that even the EMV cards are not immune to frauds but all experts agree that there is a significant additional layer of defense present in EMV cards which make it a little more difficult for the fraudsters to misuse than the MagStripe cards.

In India RBI has  already advised Banks to move to EMV technology but has not yet made it mandatory except for international cards.

These observations indicate that had ATMs been enabled for accepting EMV cards, the Great E Banking Robbery would have been difficult to execute. Part of the blame for using insecure technology therefore lies on the Banking system.

Instead of only blaming the back end processors, Banks need to fortify the front end technology for card acceptance since the point of sale devices can also be compromised with malicious codes and negate all security measures in the back end.

Costs are definitely a consideration for Banks. Presently it is stated that card frauds in US is around $8.8 billion as against a card usage of around $2.1 trillion. May be the insurance industry is still capable of absorbing the losses at this level but not taking measures to mitigate the loss prospects by hardening the front end card acceptance technology would be a criminal negligence on the part of Banks.

Naavi

Posted in Cyber Crime | Leave a comment

Break the Back of Bank Frauds

Posted on May 13, 2013 by Vijayashankar Na

The Great E Bank Robbery in which US$ 45 million (Rs 250 crores) was drawn in cash in about 40000 fraudulent withdrawals spread over 12 and half hours on two different days, across 27 countries is an eye opener to the Cyber Security world on how well the underground Cyber Criminal gang is organized.

The investigations so far have revealed that the information on certain cards were obtained through the hacking of the systems in the data processing companies and were used to clone the cards. But it required a group of individuals who had to go to individual ATMs one after another and draw the cash, stash them in their bags and run to the next ATM etc until they exhausted the cash in all ATMs around them or until they received a “Stop” note from their boss.

We need to note that without the assistance of these “End Point Fraudsters” whom we some times call as “Mules”, the fraud could not have succeeded. It is these end point fraudsters who took the risk of being caught and punished. The hackers who remained in the back felt a lot safer since it is difficult to identify, capture and prosecute them. Similarly even behind these hackers who actually downloaded the card data and increased/removed the card limits, there were others who dropped a Trojan or conducted a Social Engineering attack to steal the access credentials for the sensitive data. There is also a possibility of an existing or past employee of the organization in which the data breach occurred who might have caused the breach either out of financial lure or out of vengeance. The possibility of negligence without malice of such an employee also cannot be ruled out.

At this time it is difficult to say with certainty if the data breach occurred only at the two card processing companies which are in the center of the investigation. If the card data was not effectively encrypted then it would be a serious issue of negligence. It is reported that these card processing companies were “PCI Compliant”.

In this context, it is also necessary for us to focus on the general status of Information Security in the IT Sector and in particular the BPO sector all over India and more so in Bangalore,  Pune and Gurgaon. We need to initiate such action as would silence the India bashers in US who have already started their campaign against outsourcing. This can hurt the Indian economy seriously.

We need to recognize that what has happened today to Banks in Gulf and at ATMs in New York or elsewhere can happen or will happen to banks in India and the ATMs in India. Hence Indian Banks as well as RBI should start a campaign to ensure that such “Bank Heists” donot occur in India where Indian Customers will be left to fight with the Bankers in long drawn legal battles. We know that the cases of S.Umashankar Vs ICICI bank has dragged on now for 5 years despite a favourable verdict from the Adjudicator of Tamil Nadu and several more cases are pending with adjudicators for more than 2-3 years.  Banks will be happy to take all cases to judicial processes since they can regenerate the lost money within 3 years while the customer is kept waiting for justice.

Now it is time for RBI to immediately constitute an expert committee to ensure that its regulations are strictly followed by banks in letter and spirit. One of the requirements that need to be tightened is the CCTV camera system in ATMs. It is necessary to ensure that the CCTV cameras used are of high resolution and are always functioning. If CCTV cameras are dysfunctional, the ATM should stop cash dispensation. We should also encourage customers to register “Face Recognition Authentication” systems so that there is no way a third party can withdrawn money from the customer’s account. Since some customers are in the habit of allowing their relatives to withdraw the amount on their behalf, they should be properly educated and encouraged to obtain multiple ATM cards for their authorized kith and kin whom they want to authorize withdrawals and have their face recognition built into  the system.

We also need to further tighten the KYC system and penalize the Banks heavily when KYC failure leads to frauds. Banks should undertake a security audit of all their outsource partners  including those who conduct KYC. I have observed that for genuine customers like me Banks have posed problems in KYC while many fraudsters have been able to open and operate accounts without any problem. This indicates that some times KYC is followed in letter but not in spirit. This has to be corrected.

It is also necessary for Banks to use “Adaptive Authentication” and raise the bar when stakes are higher. This requires a close monitoring of customer behaviour and if Banks are not doing this already, it is a criminal negligence that needs to be punished. Current RBI guidelines suggest such systems to be in place by June 30, 2013 and we need to watch how Banks react to the latest guidelines.

If “End Point Fraudsters” are eliminated through the Face Recognition system at ATMs, better KYC at Banks and adaptive authentication, security can be enhanced by several notches and we can break the back of these Cyber Frauds.

Overall we need to re-evaluate the security of our Banking systems in the light of the Great E Banking Robbery and ensure a Safe E Banking environment.

Naavi

Posted in Bank, Cyber Crime, ITA 2008, RBI, Uncategorized | 1 Comment

INCERT to conduct enquiries on Great E Bank Robbery

Posted on May 13, 2013 by Vijayashankar Na

As referred to in our earlier post on the $45 million Global Card fraud, IN CERT is reportedly conducting an enquiry on the security breach alleged to have occurred at the two card processing companies in India. .

In the meantime the Pune based Electra Card services has given out a statement stating that the data breach has occurred “Outside their environment”.

 

Naavi

Related Article in ET:

Another Article in ET

Related Article in TOI

Posted in Cyber Crime, ITA 2008 | Leave a comment

Attention now turns on India as an outsourcing destination

Posted on May 12, 2013 by Vijayashankar Na

As could be expected, the Great E- Banking Robbery has now brought Indian Outsourcing industry to the center of controversy. The Reuter report

Already some security experts in US have started a campaign for shifting the card processing business to some large US companies. Probably in the short run some business will move out of India since “Security” is an issue on which no financial institution wants to compromise.

However, at this point of time it is not clear where the Indian companies failed. It would be necessary for INCERT to conduct its own  enquiry and undertake necessary steps to document what really caused the security breaches and what can e done in future to secure the BPO industry’s interests.

Naavi

Posted in Cyber Crime, RBI | 1 Comment