Aadhar Nightmare continues

Ever since the Aadhar scheme was introduced, security specialists have been warning about the large-scale problems that theft of individuals' identities could cause.

The UIDAI authorities have gone ahead with spending public money and enrolling the individuals who report at the counters of the registration agents. Fraudulent registration agents have been creating their own enrolments with false identities, as was revealed some time back when an Aadhar card was issued in the name of "Coriander" ("Kottambari soppu" in Kannada), s/o Palav. (See the story here). In the meantime the UIDAI Bill is yet to be passed, and several cases challenging the scheme altogether are pending in different Courts.

In the meantime many State Governments have been forcing citizens to obtain Aadhar by making mandatory public services conditional on Aadhar registration.

UIDAI, however, has been as irresponsible and as arrogant as the UPA Government and has continued with the project unmindful of the risks it is foisting on the country. There have been many instances of data losses reported from different States. Even successful registrants are battling with the practice of UIDAI sending Aadhar registration cards by ordinary post, which are reportedly dumped in dust bins in some places.

Now a massive data loss of 14 lakh cards has also been reported from Andhra Pradesh, for reasons that can be attributed either to negligence on the part of UIDAI or to criminal activity. (Report available here)

The fact that such large-scale Aadhar-related mischief is reported from Andhra Pradesh, where terrorist organizations from Pakistan are operating sleeper cells, indicates the possibility of an organized threat to national security arising out of the stolen identities.

The stolen data can be used to create Aadhar IDs for terrorists with different photographs. The biometrics can be switched if required. Even if the current biometrics are retained, most places where the ID is used (e.g. Banks) are unlikely to check biometrics; they will accept the name and address attached to a given Aadhar number as satisfactory identification of a person. The 14 lakh lost identities can therefore be used to create as many false identities, and with these false identities other IDs such as PAN cards and driving licences can be obtained by terrorists.

This means that the system has been completely compromised and India is under threat.

It is therefore time for the Government to think of scrapping the scheme before further damage is done.

Naavi

Posted in Cyber Law

mouthshut.com challenges ITA 2008 rules

The Intermediary rules under Section 79 of ITA 2008 have been repeatedly used by parties to get adverse content on the internet removed without appropriate procedures. The problem has been the interpretation that an Intermediary is bound to take down content objected to by a party within 36 hours.

As a result of these rules, many websites have been bombarded with notices for removal of objectionable content. Websites such as mouthshut.com are primarily meant for expressing consumer grievances and have been useful to general consumers looking for information on various products and services. It is also true that sometimes the comments posted on the site may hurt the business interests of the companies whose products are criticized. There could also be cases where adverse comments are posted by competitors, while companies may also post self-serving reports. Buyers can nevertheless try to understand the strengths and weaknesses of products by browsing through the various comments.

There are also many instances of companies responding to the adverse comments of consumers on mouthshut.com.

In totality, therefore, a website like mouthshut.com is an instrument of "Consumer Protection" and deserves encouragement.

However, knowing the way some companies function and the threatening legal notices that lawyers can draft, it is not difficult to imagine the problems that mouthshut.com must be facing. More importantly, Police who may not understand the law and who can be manipulated by the companies and their lawyers have the potential to unnerve the employees of mouthshut.com.

It must, however, be reiterated that Naavi.org has always maintained that the Section 79 rules only require that "action should commence" on grievance redressal within 36 hours. Such action need not start with the removal of the objectionable content unless there is a valid Court order for removal of the content. This aspect was specifically clarified recently by the Government. (See here)

It is, however, essential for an intermediary like mouthshut.com to have a good grievance redressal mechanism on the site. At present a suitable system is not in place. According to the rules, the grievance redressal mechanism needs to be activated within 36 hours of receipt of a complaint.

It appears that mouthshut.com has now approached the Supreme Court for the rules to be struck down. (See medianama report here). The cause of action cited is that the rules amount to "Censorship". In the view of Naavi.org, however, "Censorship" powers cannot be presumed under the rules, and the clarification issued by the Government on 18th March can be used as a defence against the petition. Hence, though the petition is based on a genuine grievance, the grounds on which the remedy has been sought are incorrect.

Naavi.org has repeatedly highlighted that when such petitions are made to the Supreme Court on the wrong premises, the Court may be forced to reject the petition. The media, which has highlighted the petition now as a "Challenge to ITA 2000 Rules", will then highlight that the "Challenge has been dismissed". This will give the public the wrong impression that the Supreme Court has upheld the validity of the rule, even though the Court might have dismissed the petition on some other technical ground. This is more harmful than leaving the rule as it is, since such media reports will be taken as a vindication of the erroneous stand that prevails now.

In such a scenario, many of the smaller websites facing problems similar to those mouthshut.com is representing may have to shut down their business.

If, however, the Supreme Court goes beyond the technicality of whether the Section 79 rules do in fact amount to censorship and provides a positive assertion that "Expression of grievances of Consumers through websites such as mouthshut.com is part of the freedom of expression guaranteed by the Constitution and needs to be protected for asserting consumer rights under the Consumer Protection Act", then the case may have a positive impact on society.

I therefore urge mouthshut.com to include such a declaration in its prayer rather than asking only for the rules to be struck down. To ensure that its plea is strong, mouthshut.com needs to take immediate steps to make its site "Cyber Law Compliant" with appropriate changes to its terms of use.

Naavi


Posted in Cyber Law, ITA 2008

Workshop on Safe E Banking

A day-long workshop on Safe E Banking is underway at the Reserve Bank of India, Bangalore. Mrs Uma Shankar, Regional Director of RBI at Bangalore, has inaugurated the workshop, and Mr G. Gopalakrishna, Executive Director of RBI, is delivering the Key Note Address. The International Institute of Information Technology Law (IIIT Law) is organizing the speakers.

The workshop will discuss the GGWG recommendations, the Risk Mitigation guidelines of February 28, 2013 and other regulatory aspects of E Banking. Naavi, along with several other professionals and Banking security specialists, will participate as a speaker.

The event marks the second anniversary of the RBI guidelines of April 29, 2011 on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the GGWG guidelines).

Naavi

[Detailed Report will follow]

Posted in RBI

Migrating to Adaptive Authentication

Banks in India have traditionally used "Legally Non Compliant", password-based authentication for their E Banking requirements. As a result there are frequent customer-Bank conflicts in which the customer demands that the Bank undertake the liability for Cyber Frauds while the Bank blames the customer for not securing the passwords.

The RBI, on the other hand, has been urging Banks to improve their authentication methods. Way back in 2001, RBI stated that if Banks do not use Digital Signatures for authentication, they should assume the legal risk for phishing-type frauds. It reiterated the same in 2011 through the GGWG (G Gopalakrishna Working Group) recommendations on Information Security.

After the rap on the knuckles received in the S.Umashankar Vs ICICI Bank adjudication verdict, some Banks started thinking of digital signatures as a means of authentication. But most stuck to passwords and only enhanced them with a mobile-based second factor for certain key elements of transactions.

On February 28, 2013, RBI again issued a set of guidelines for mitigating the risks in both electronic payment transactions and payment card transactions. Apart from reiterating the need for digital signatures at least for RTGS transactions above a certain value, RBI in this guideline has spoken about the need for "Adaptive Authentication Technology".

Banking in India is therefore on the move from 2-factor authentication to a regime where, apart from the multiple factors that contribute to the authentication of an online transaction, the authentication technology adapts to the "behavioural pattern" of the customer based on a real-time assessment.

This technology should increase security for customers, though Banks will grumble as always about the cost of implementation. But since this is the direction in which global banking is moving, Banks have no option but to adopt "Adaptive Authentication Technology" (AAT).

From the user's perspective it should not make any difference. In fact AAT is expected to be unobtrusive and non-interfering. The foundation may still be the currently used authentication factors, "What the customer knows", "What the customer has" and "What the customer is", supplemented with technologies such as public key cryptography. The difference is that AAT provides a deeper level of security, since it invokes additional security measures based on the parameters of the transaction itself.

For example, if a person has never used his E Banking account from abroad and a debit request arrives from a foreign IP, the system should be alerted and hold the transaction until further confirmation is obtained. Similarly, if the amount withdrawn is far in excess of the customer's usual transactions, or the number of transactions within a short time is unusually high (all typical of a phishing attack), the system should invoke a higher level of security. That higher level may be to demand an additional factor of authentication, including a "Call Referral" in which the customer receives a telephone call and the customer's voice is recognized by the system for authentication.
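The escalation described in the two paragraphs above, as an added example in Python; this is not code from the original post, from RBI or from any bank. The customer profile, the thresholds (three standard deviations above the customer's mean debit, more than three debits within ten minutes), the country field (the source IP is assumed to have been geolocated upstream) and the sample transactions are all constructed assumptions. Each rule can only raise the decision, never lower it, so a debit that is both foreign and oversized is held rather than merely challenged.

```python
"""Risk-based ("adaptive") authentication decision engine.

Added illustration, not code from the original post, from RBI or from any
bank. Thresholds, field names and the sample history are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Set, Tuple

# Outcomes, least to most intrusive. Routine debits pass silently; an unusual
# pattern demands an additional factor; the riskiest cases are held until the
# customer confirms out of band (the post's "Call Referral").
ALLOW, STEP_UP, HOLD = "allow", "step_up", "hold"


@dataclass
class Transaction:
    when: datetime
    amount: float
    country: str  # geolocation of the source IP, assumed resolved upstream


@dataclass
class Profile:
    """Behavioural baseline built from a customer's completed debits."""
    history: List[Transaction] = field(default_factory=list)

    def known_countries(self) -> Set[str]:
        return {t.country for t in self.history}

    def amount_ceiling(self, k: float = 3.0) -> float:
        """Mean plus k standard deviations of past amounts (k is an assumed
        tuning value). No history means no baseline: every amount is unusual."""
        amounts = [t.amount for t in self.history]
        if not amounts:
            return 0.0
        return mean(amounts) + k * pstdev(amounts)

    def recent_count(self, now: datetime, window: timedelta) -> int:
        return sum(1 for t in self.history if now - window <= t.when <= now)

    def record(self, tx: Transaction) -> None:
        """Fold a completed debit into the baseline."""
        self.history.append(tx)


def assess(profile: Profile, tx: Transaction, velocity_limit: int = 3,
           velocity_window: timedelta = timedelta(minutes=10)) -> Tuple[str, List[str]]:
    """Return (decision, reasons) for a debit request. Rules only escalate."""
    reasons: List[str] = []
    decision = ALLOW

    # Rule 1: never-before-seen source country. Hold pending confirmation.
    if tx.country not in profile.known_countries():
        reasons.append(f"first debit from country {tx.country}")
        decision = HOLD

    # Rule 2: amount far above the customer's usual pattern. Step up.
    ceiling = profile.amount_ceiling()
    if tx.amount > ceiling:
        reasons.append(f"amount {tx.amount:.0f} above usual ceiling {ceiling:.0f}")
        decision = HOLD if decision == HOLD else STEP_UP

    # Rule 3: many debits in a short window, the usual phishing drain. Step up.
    burst = profile.recent_count(tx.when, velocity_window) + 1  # include this one
    if burst > velocity_limit:
        reasons.append(f"{burst} debits within {velocity_window}")
        decision = HOLD if decision == HOLD else STEP_UP

    return decision, reasons


def demo() -> dict:
    """Run constructed sample traffic through the engine; return decisions per
    scenario. Only debits decided ALLOW are folded back into the baseline here;
    a real system would also record challenged debits once confirmed."""
    t0 = datetime(2013, 4, 29, 10, 0)
    # Constructed baseline: a year of modest monthly debits, all from India.
    past = [5000, 7500, 6000, 8000, 5500, 7000, 6500, 9000, 6000, 7500, 8500, 7000]
    profile = Profile([Transaction(t0 - timedelta(days=30 * (i + 1)), a, "IN")
                       for i, a in enumerate(past)])
    out: dict = {}

    def run(name: str, tx: Transaction) -> None:
        decision, _ = assess(profile, tx)
        if decision == ALLOW:
            profile.record(tx)
        out.setdefault(name, []).append(decision)

    run("routine", Transaction(t0, 8000, "IN"))                               # allow
    run("foreign_ip", Transaction(t0 + timedelta(minutes=1), 6000, "RO"))     # hold
    run("large_amount", Transaction(t0 + timedelta(minutes=1), 75000, "IN"))  # step_up
    for m in (2, 3, 4):  # three small debits in three minutes: third one steps up
        run("burst", Transaction(t0 + timedelta(minutes=m), 4000, "IN"))
    return out


if __name__ == "__main__":
    for scenario, decisions in demo().items():
        print(f"{scenario:13s} {decisions}")
```

The point of the design is that the customer's own history sets the thresholds, so the engine stays silent for the habitual pattern and interferes only when a debit departs from it; a customer with no history at all has no baseline, and the engine holds the very first debit, which is the conservative failure mode for a new or freshly reset account.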

Hopefully Bankers will start adopting this higher level of security soon. Today being the second anniversary of the RBI guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds (popularly known as the G Gopalakrishna Working Group or GGWG Recommendations), it is the right time for Bankers to take a pledge that they will leave no stone unturned in making Indian Banking safe. Naavi therefore urges the industry to treat 29th April as "Safe E Banking Day" and to ensure that we remember our obligations and take steps towards protecting citizens against E Banking frauds.

Naavi


Posted in Bank, ITA 2008, RBI, Uncategorized

Banking Ombudsman Scheme under Review

As one of the follow-up measures of the Damodaran Committee report on Customer Service, RBI has set up a committee to review the Banking Ombudsman scheme. (Refer details here).

Members of the public who have their views on the functioning of the scheme may take this opportunity to pass on their views to RBI.

The Committee set up for the review will be headed by Smt. Suma Varma, Chief General Manager, Customer Service Department, Reserve Bank of India, 1st Floor, Amar Building, Sir P.M. Road, Fort, Mumbai-400 001. (Ph: 22630483).

Naavi

Posted in Bank

Banks can be fined up to Rs 1 crore for violating RBI regulations

The Banking Laws (Amendment) Act 2012, which was recently passed by Parliament, has now become effective. (See PIB Press Release). It amends several provisions of the Banking Regulation Act 1949.

Some of the amendments are directed towards new Branch licensing, raising of capital, voting rights etc.

The Act will

a) Increase the powers of RBI to regulate erring Banks

b) Provide greater freedom for public sector Banks for mergers, capital issues etc

c) Increase voting rights

What is of specific interest to the general public are the following amendments:

1. Depositor Education and Awareness Fund

A new Section 26A has been introduced in the Act which provides for setting up a "Depositor Education and Awareness Fund", to which the balances in accounts not operated upon for 10 years would be transferred. (The money can be claimed back by genuine depositors even after the period.) The fund may be utilized for purposes which RBI may specify from time to time in the "Depositor's interest".

2. Increased Fine for Non Compliance

Further, for various kinds of violations under the Act, the fines that RBI may impose have been substantially raised. The maximum penalty, which was Rs 5 lakhs until now, has been increased to Rs 1 crore.

This development is good for the industry, since it has been found in recent days that RBI regulations addressing depositors' interests were being repeatedly ignored by some Banks.

In recent days "Money Laundering", which generally means "facilitating the use of Banking services for criminal funds", has been indulged in by Banks as a matter of general business promotion policy. A sting operation recently exposed such activities in ICICI Bank, HDFC Bank and Axis Bank.

This Business Standard article advocates that fines of up to Rs 1 crore may be imposed for KYC failures.

Naavi.org has been discussing how KYC failures are an essential ingredient of any Bank fraud and need to be curtailed with heavy fines. We have also pointed out how most of the losses of depositors arising out of phishing frauds could be met from fines collected on KYC failures, even at the earlier maximum rate of Rs 5 lakhs per failure, if a fund were created for the purpose of insuring depositors against such losses.

The scope for creating such a fund has now increased with the above amendment.

RBI may now examine whether, under the amended Banking Regulation Act, it can create a suitable "Electronic Banking Fraud Protection Fund" from a corpus built from the fines collected for the KYC failures observed in the encashment of phishing frauds. The suggestion is that while the Banks pursue legal means of locating the offenders and recovering the money from them, the victims are reimbursed the amount of their loss immediately from the fund. The payment can be treated as a loan to the Bank, on which suitable interest may be charged.

The fund may absorb the losses in cases where the offenders are not apprehended and the money becomes irrecoverable, in which case the loan already raised in the name of the Bank is written off. In other cases, the recovered money is reimbursed to the fund.

The initial fund may be started with a corpus created from contributions by member banks in proportion to their deposits, like the fees payable under the DICGC or ECGC schemes.

Naavi


Posted in Bank, ITA 2008