46% of Bank Customers do not trust Internet Banking System! (?)

An interesting survey conducted in three countries, namely the US, UK and Germany, has indicated that 46% of consumers do not trust websites which rely only on “Passwords” for authentication. (Refer findings here)

If the findings of this survey are extended to India, then it means that the Internet Banking system in India, where passwords are being used as a means of authentication instead of the legally mandated “Digital Signature”, is also not being trusted by the customers. Though from the research angle it may not be proper to extend the findings without appropriate correction, if we consider that “Frequent users of Internet Banking” can be equated with the profile of the website users referred to in the survey, the situation in India may be qualitatively similar.

The survey also reports that an additional factor of authentication is preferred by the users. But different customers prefer different types of additional factor of authentication, such as mobile based authentication, ID cards or biometrics. Thus the Two Factor authentication which is being pushed by RBI appears to provide some additional comfort to the customers.

The current generation of intelligent malware has however grown beyond the security offered by 2F authentication, and we need to have a serious rethinking of the authentication systems that can secure Indian Banking systems.

The Digital Signature System is definitely a legally recommended choice which is the minimum compliance standard. But the time is fast approaching for the industry to start looking beyond mere adoption of the digital signature system and to think of further hardening of the authentication methodologies, so that they are legally compliant and also technologically as good as possible.

At the same time, we need to keep in mind the factors of “Social Engineering” and “Lack of Security Awareness” as additional factors for consideration, and not assume that what is technologically superior will necessarily be so in practice. We are aware how the Certifying Authorities in India abuse the digital signature system and how the Controller of Certifying Authorities (CCA) is turning a blind eye to the irregularities.

Since our country has adopted the PKI system with a regulatory body controlled by the statute, the security of digital signature in usage is dependent on how effectively the system is monitored by the public authority such as the CCA.

Presently the CCA would be happy just if digital signatures are adopted. But this attitude needs to be quickly shifted to tightening the system, so that the respect accorded to digital signatures in Indian law is not eroded.

Naavi

Posted in Bank, Cyber Law, RBI

Beware of the Micro Credit Card Fraud

Credit Cards are today being used by many of us as a means of convenience to make payments for various day to day requirements. Sometimes we use the same credit card online as well. While the use of credit cards is on the increase, a new Micro payment scam is being reported from the US.

According to this article in bloggernews.net, fraudsters open a website and register themselves as “Merchants”. They then pass on small charges of 10 cents or so, in the hope that card holders do not bother to check their statements and raise a dispute.

We in India might not have observed this sort of fraud yet. However, we may expect similar frauds in India also, since Banks are not very vigilant in appointing the merchants.

According to the latest RBI guidelines of February 28, 2013 on Risk Mitigation, it is mandatory for Banks to ensure that the merchants are subjected to PCI DSS audits. If this is faithfully followed, the risk may be contained. However, credit card users need to be vigilant and check their statements without fail.
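As an added illustration (not from the original post), here is a small statement-review check for the micro-charge pattern described above: it scans constructed sample statement lines and reports small charges from merchants the card holder has not knowingly dealt with. The threshold, merchant names and amounts are assumptions.

```python
# Added example, not part of the original post: flag micro-charges from unfamiliar
# merchants in a card statement. All statement lines below are constructed samples.
from collections import defaultdict
from decimal import Decimal

MICRO_LIMIT = Decimal("1.00")  # assumed threshold for a "micro" charge (in dollars)

# Constructed sample statement: (date, merchant descriptor, amount)
STATEMENT = [
    ("2013-03-01", "CITY GROCERY", Decimal("54.20")),
    ("2013-03-02", "WEBSHOP XYZ", Decimal("0.10")),
    ("2013-03-05", "WEBSHOP XYZ", Decimal("0.12")),
    ("2013-03-09", "FUEL STATION", Decimal("40.00")),
    ("2013-03-11", "WEBSHOP XYZ", Decimal("0.10")),
    ("2013-03-15", "CITY GROCERY", Decimal("0.50")),  # small, but a known merchant
]

# Merchants the card holder has knowingly transacted with (assumed history)
KNOWN_MERCHANTS = {"CITY GROCERY", "FUEL STATION"}


def flag_micro_charges(statement, known_merchants, limit=MICRO_LIMIT):
    """Return {merchant: (count, total)} for charges at or below `limit`
    that come from merchants not in the card holder's known list.
    Repeated hits from one unknown merchant are the strongest signal."""
    hits = defaultdict(lambda: [0, Decimal("0")])
    for _date, merchant, amount in statement:
        if amount <= limit and merchant not in known_merchants:
            hits[merchant][0] += 1
            hits[merchant][1] += amount
    return {m: (count, total) for m, (count, total) in hits.items()}


def review_lines(statement, known_merchants):
    """Human-readable findings; each unknown micro-merchant is worth a dispute query."""
    flagged = flag_micro_charges(statement, known_merchants)
    return [f"{m}: {c} micro-charge(s) totalling ${t}"
            for m, (c, t) in sorted(flagged.items())]


if __name__ == "__main__":
    for line in review_lines(STATEMENT, KNOWN_MERCHANTS):
        print(line)
```
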

Naavi

Posted in Uncategorized

Government issues clarification on Section 79 rules

The rules issued under Section 79 for Intermediaries had created confusion in some circles about the action to be taken by the intermediary on receipt of a complaint about a specific content. Since the rules suggested that action had to be taken within 36 hours, most intermediaries had wrongly interpreted that they need to take down the objectionable content within 36 hours. This had made many intermediaries assume the role of censoring any objectionable content.

Naavi has been suggesting that this interpretation is incorrect and that it would be sufficient to initiate a remedial action within 36 hours, though the resolution may require more time.

Now the DeiTy has provided the required clarification on similar lines. See the clarification here.

Naavi

Posted in Cyber Law, ITA 2008

Adjudicator Maharashtra on Privacy of employee data

In an interesting award from the Adjudicator of Maharashtra, an employer (Rud India Chains Private Limited), who fought the complaint of an employee (Amit Patwardhan) for privacy violation with the counter charge that the employee had shared confidential company data with a rival company for financial benefit, has been caught in his own web and faces the charge of wrongfully hacking into the information of the employee.

See the Judgement here

The employer had produced a bank statement of the employee as evidence that he had received some money from a rival company. However, they failed to convince the Adjudicator about the legality of the means by which they had obtained the information, since the Bank denied having officially provided the data. This has led to the inference that the employer must have obtained the information through “unauthorized access”. The Award makes a mention of recognizing the offence under Section 43(b) read with Section 66.

The Adjudicator has however not awarded any compensation or costs to anybody. There is a good logic here, because it appears that the Adjudicator was otherwise convinced that the employee had made money from the rivals of the company and had therefore not come with “Clean Hands”. He has therefore considered that the employee should not be given any benefit as compensation for the privacy violation. At the same time, the employer also cannot benefit from an illegal activity, even though it was undertaken to prove another activity which may be unethical and against an employment contract. So the Adjudicator has felt that the employer also does not deserve any benefit from the law.

The judgement appears to be in accordance with the principle of natural justice and deserves to be commended.

The incident also indicates a common mistake that some litigants commit without knowing the legal implications of their action. Ill advised litigants hire the services of half baked security practitioners who help them use key loggers to hack into employee e-mails or otherwise illegally extract information to be used in a legal battle. The end result is that, for sustaining a civil damage claim, they expose themselves to criminal liability.

For example, now that a judicial entity such as the Adjudicator has categorically given a view that a “Section 66 Offence has occurred”, the police will not have any option but to take cognizance of the offence and proceed against the employer for criminal prosecution. On the other hand, it will be difficult for the employer to get civil compensation from any other Court. It is therefore a situation where the employer is doomed. Probably the blame for this should be taken by the person who advised the employer to take this route of “hacking for evidence”. Such an activity is only possible with the specific permission of a Court of law or under special powers that the Police may exercise in emergencies.

Naavi

Posted in ITA 2008, Uncategorized

Netizens influence Elections

A study conducted by IRIS Knowledge Foundation, Mumbai has thrown up an interesting finding that nearly 28% of the seats in the Loksabha can be significantly influenced by social media like Facebook. The study has listed 150 constituencies where there would be a “Significant Impact”.

In these constituencies the number of Facebook users was higher than the victory margin in the previous election, or was more than 10% of the voters. The survey has identified 160 such constituencies out of 543 constituencies in total.

Additionally, 67 constituencies where more than 5% of the voters are Facebook users have been identified as constituencies where Facebook users can have a moderate impact on the elections.

In Karnataka which is going to polls on May 5th, the study has identified that in nearly 43% of the seats, Facebook users could have an influence on the outcome.

More on this is available at : http://www.aifon.org.in/wp/?p=105

The full report is available here: http://www.esocialsciences.org/Articles/showArticle.aspx?acat=Recent+Articles&aid=5308

I request Netizens who agree with this post to use the banner image above (or create similar message banners) and insert it in their personal web pages and blogs. They can also use it in e-mail messages to their friends, so that Karnataka Voters may vote for better candidates.

Naavi

Posted in Uncategorized

Comments on IT Rules from Center for Internet and Society

The Center for Internet and Society (CIS) has released a commentary on the rules which the DeiTy had released some time back on:

a) Electronic Service Delivery under Section 6A of ITA 2008
b) Reasonable Security Guidelines under Section 43A of ITA 2008
c) Cyber Cafe guidelines under Section 79 of ITA 2008

The commentary includes suggestions and is very informative. It also indicates how inefficiently the DeiTy works in matters as important as framing legislation.

However, many of the problems in ITA 2008 originate in the Act itself, and hence correcting them through the rules may not be completely possible.

Mr Bhairav Acharya, who has created the commentary, may be complimented for his excellent work.

Naavi

Posted in ITA 2008