New RBI guidelines on E Banking security (contd.)

This is in continuation of the previous article on the new guidelines of RBI on E Banking security issued on February 28, 2013.

Apart from the card related security measures covered in the previous article, the RBI circular also touches on some aspects of RTGS, NEFT and IMPS.

The recommendations are:

1. Customer induced options may be provided for fixing a cap on the value and mode of transactions/beneficiaries. Additional authorization may be insisted upon when the customer wants to exceed the cap.
2. Limiting the number of beneficiaries to be added per day is to be considered.
3. A system alert is to be introduced for beneficiary addition.
4. The number of transactions per day/per beneficiary may be monitored for suspicious transactions.
5. Introduction of an additional factor of authentication (preferably dynamic) for unusual transactions, to be authenticated on special request.
6. Banks may consider implementation of digital signatures for large value payments for all customers, to start with for RTGS transactions.
7. IP address capture for transactions may be considered.
8. “Adaptive Authentication” (a means of providing authentication for end users without them having to know it is at work) may be considered for fraud detection.
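To make the eight recommendations concrete, here is an added example (not from the circular or from Naavi.org) of a toy per-customer monitor that applies caps, beneficiary limits, alerts, step-up authentication, digital-signature routing and IP capture to a constructed stream of NEFT/IMPS/RTGS events; every threshold in POLICY is an assumed value, since the circular leaves the figures to the bank and the customer.

```python
from collections import defaultdict
# Assumed thresholds (the circular leaves the actual values to the bank and customer).
POLICY = {
    "value_cap": 100000,            # customer-set per-transaction cap in INR (rec. 1)
    "max_beneficiaries_per_day": 2, # rec. 2
    "max_txns_per_beneficiary": 3,  # per day, rec. 4
    "sign_rtgs_above": 200000,      # digital signature for large-value RTGS (rec. 6)
}
class AccountMonitor:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.added = defaultdict(int)      # day -> beneficiaries added
        self.count = defaultdict(int)      # (day, beneficiary) -> transfers
        self.ip_log = []                   # (day, type, ip) for every event (rec. 7)
    def evaluate(self, ev):
        """Return (decision, alerts); decision is ALLOW, STEP_UP, SIGN or BLOCK."""
        p, day = self.policy, ev["day"]
        self.ip_log.append((day, ev["type"], ev["ip"]))
        if ev["type"] == "add_beneficiary":
            self.added[day] += 1
            alerts = [f"alert: beneficiary {ev['beneficiary']} added"]   # rec. 3
            if self.added[day] > p["max_beneficiaries_per_day"]:
                return "BLOCK", alerts + ["daily beneficiary limit exceeded"]
            return "ALLOW", alerts
        key = (day, ev["beneficiary"])
        self.count[key] += 1
        if self.count[key] > p["max_txns_per_beneficiary"]:
            # unusual activity: require an additional, preferably dynamic, factor (rec. 5)
            return "STEP_UP", ["suspicious: too many transfers to one beneficiary today"]
        if ev["mode"] == "RTGS" and ev["amount"] >= p["sign_rtgs_above"]:
            return "SIGN", []
        if ev["amount"] > p["value_cap"]:
            return "STEP_UP", ["above customer cap: additional authorisation required"]
        return "ALLOW", []
def run(events, policy=POLICY):
    mon = AccountMonitor(policy)
    return [mon.evaluate(e)[0] for e in events], mon
# Constructed sample: one customer, one day (IP is a documentation-range address).
D, IP = "2013-03-01", "203.0.113.5"
SAMPLE = [
    {"day": D, "type": "add_beneficiary", "beneficiary": "B1", "ip": IP},
    {"day": D, "type": "transfer", "mode": "NEFT", "beneficiary": "B1", "amount": 25000, "ip": IP},
    {"day": D, "type": "transfer", "mode": "IMPS", "beneficiary": "B1", "amount": 150000, "ip": IP},
    {"day": D, "type": "transfer", "mode": "RTGS", "beneficiary": "B1", "amount": 500000, "ip": IP},
    {"day": D, "type": "transfer", "mode": "NEFT", "beneficiary": "B1", "amount": 1000, "ip": IP},
    {"day": D, "type": "add_beneficiary", "beneficiary": "B2", "ip": IP},
    {"day": D, "type": "add_beneficiary", "beneficiary": "B3", "ip": IP},
]
```

Running `run(SAMPLE)` yields ALLOW, ALLOW, STEP_UP, SIGN, STEP_UP, ALLOW, BLOCK: the fourth transfer is routed to digital signature because the large-value RTGS check fires before the cap check, and the fifth trips the per-beneficiary count even though its amount is tiny.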

These suggestions are also along the lines suggested by the Damodaran Committee on Customer Service.

Though the circular uses the word “may” while referring to these suggestions, it mentions at the end that all these suggestions are “Expected” to be put in place by banks by June 30, 2013.

Naavi.org is happy that our long fight for better security in E Banking is bearing fruit.

Now we need to watch if Banks actually implement these suggestions and whether RBI will enforce its dictum.

In the past, Banks have simply ignored RBI guidelines and faced adverse comments in inspections as a matter of routine. RBI is also aware of such tendencies in some Banks. Hopefully this time RBI will use its powers to enforce compliance. The public are with RBI if it takes strong measures to protect E Banking.

Once again, I personally, and Naavi.org as a representative of the public, congratulate RBI on its initiative in issuing this circular.

Naavi

Posted in Bank, Cyber Crime, Cyber Law, RBI

RBI issues new guidelines for E Banking security

Naavi.org has been pointing out that RBI appears to have a dual character when it comes to policy implementation. There is one set of executives, probably closer to retirement but occupying the top echelons of RBI, who are still oriented towards “Safe Banking” and “Customer Interests”. But there is an emerging set of executives in the mid management cadre who are easily swayed by the powerful bank lobbies into recommending measures which are often anti consumer.

Further evidence of this is the issue of a new circular dated February 28, 2013 by RBI addressing some risk mitigation measures for electronic payment systems, in the midst of the controversial “Discussion Paper” on “Disincentivisation of Cheques”.

Copy of circular available here

Speaking of “Securing Card Payment Transactions”, the circular specifies that:

1. New cards will be issued for use only within India. If international use is specifically requested by the customer, it may be allowed, but only on a card with EMV chip and PIN enabled. This will be effective from June 30, 2013.

2. Existing cards which have been used internationally (E-commerce, POS or ATM) at least once will have to be in the EMV/PIN format only, and older magnetic stripe cards will have to be replaced by June 30, 2013.

3. Until such time as the EMV cards are issued, there would be an omnibus limit of USD 500/- on international payments of any magnetic stripe card. Lower limits may be fixed by the Banks based on the customer profile.

In terms of security, it is advised that:

1. All POS systems should be certified for PCI-DSS and PA-DSS compliance by June 30, 2013.

2. Banks should frame rules based on the transaction pattern of the card usage to prevent frauds.

3. All acquiring infrastructure based on IP based solutions should be mandatorily put through PCI-DSS and PA-DSS certification.

4. A real time fraud monitoring system should be introduced at the earliest.

5. Card blocking through SMS should be enabled.

6. Two factor authentication should be applied even for international payments on cards.

7. A call referral system should be introduced. Under this system the issuer may respond to the merchant with a “Call issuer” decision. The merchant may then call the acquiring bank with details, after which the acquirer calls the issuing bank and seeks authorization. Before authorization, the issuing bank will speak to the customer. After the authorization, the merchant has to swipe the card again.
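The card-side rules above (domestic-only default, EMV/PIN for international use from the effective date, the USD 500 omnibus limit for magnetic stripe cards, two factor authentication on international payments, and the “Call issuer” referral) can be expressed as one issuer-side authorization policy. The following is an added example, not code from the circular or from any bank; the Card fields, the `flagged` input standing in for a bank's own transaction-pattern rule, and the decision labels are assumptions.

```python
from dataclasses import dataclass
from datetime import date

EMV_DEADLINE = date(2013, 6, 30)   # effective date stated in the circular
OMNIBUS_USD_LIMIT = 500.0          # omnibus limit for magnetic stripe cards used abroad

@dataclass
class Card:
    label: str                     # constructed reference, not a real card number
    emv_pin: bool                  # EMV chip with PIN enabled
    intl_enabled: bool             # customer specifically requested international use
    usd_limit: float = OMNIBUS_USD_LIMIT   # bank may fix a lower limit per customer profile
    intl_spent_usd: float = 0.0    # running international spend while still on magnetic stripe

def authorize(card, amount_usd, international, second_factor_ok, when, flagged=False):
    """Issuer decision for one transaction: APPROVE, DECLINE or CALL_ISSUER."""
    if not international:
        return "APPROVE"           # domestic use is the default for every card
    if not card.intl_enabled:
        return "DECLINE"           # international use only when the customer asked for it
    if when >= EMV_DEADLINE and not card.emv_pin:
        return "DECLINE"           # from the effective date, international use needs EMV/PIN
    if not second_factor_ok:
        return "DECLINE"           # two factor authentication applies abroad as well
    if not card.emv_pin and card.intl_spent_usd + amount_usd > card.usd_limit:
        return "DECLINE"           # magnetic stripe card would exceed its USD limit
    if flagged:
        return "CALL_ISSUER"       # pattern rule fired: route through the call referral
    card.intl_spent_usd += amount_usd
    return "APPROVE"

def call_referral(card, amount_usd, customer_confirms):
    """Issuer side of the referral: the acquirer calls, the issuer speaks to the customer,
    then authorises; the merchant must swipe the card again (RESWIPE) to complete."""
    if not customer_confirms:
        return "DECLINE"
    card.intl_spent_usd += amount_usd
    return "APPROVE_RESWIPE"
```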

The above measures will go a long way in mitigating card related frauds. Some of these suggestions are along the lines suggested by the Damodaran Committee.

It is time to congratulate RBI for this move.

(More to follow)

Naavi

Posted in Bank, Cyber Crime, Cyber Law, Netizen's Forum, RBI

Who is trying to hide Cyber Fraud scam in Indian Banks?

It has been pointed out that the answer given by the Government on the status of Bank frauds in India does not appear to contain correct information. It was pointed out that the figure of frauds for 2009 quoted in the February 22, 2013 press release places the frauds at Rs 4048.94 lakhs, whereas for the same period the reply given to a Parliamentary question on 30.7.2010 stated the fraud value as Rs 16.69 crores.

At the same time we also pointed out that an RTI reply from RBI to DNA Mumbai had placed the frauds in 2006-2011 at around Rs 4500 crores in just the top 5 cities of India, with Mumbai alone accounting for Rs 1882 crores.

Today a report in TOI reiterates that Cyber Frauds are around Rs 130 crores in three years, based on the PIB release.

It is also known that RBI has earlier been stating that the fraud reports it obtains from Banks do not classify cyber frauds separately. However, the PIB press release of 22nd February clearly points out that the figure is for Cyber Frauds. It is not clear how RBI was suddenly able to get these figures.

Also, according to the Fraud guidelines all frauds reported in Banks should be reported to the Police by the Banks. According to the PIB release there were 8322 cyber fraud cases in 2012 alone. In 2011 and 2010, the number of frauds were 9588 and 15018 respectively. This means that a total of 32,928 Cyber fraud complaints should have been registered all over India by Banks. These should have been reflected as “Cyber Crimes” in the NCRB statistics.

However, NCRB statistics do not show these numbers.

From these various observations it is clear that either the Government is trying to mislead the Parliament and the public about the real status of Cyber fraud incidence in Banks, or neither the Government nor RBI is even aware of the actual position.

If RBI and the Government do not know the actual fraud situation, then it reflects gross incompetence. If they are aware and are misleading the public, we need to investigate why they are concealing the facts and whether there is any attempt to hide a scam in the Banking industry.

Industry observers have estimated the extent of Cyber Frauds in Indian Banks to be way above the figures quoted in the recent reports. The belief is that the frauds are in the region of Rs 6500-8000 crores per annum, as against the Rs 50 crores now being talked about.

There is therefore prima facie evidence that there is something fishy about the PIB release. There is an apparent motive to suppress the Cyber Fraud situation on the part of vested interests who are promoting disincentivisation of cheques, and it is possible that the same people are behind this misinformation.

There needs to be some investigation and a clarification in the Parliament. I wish some MPs, such as Rajeev Chandrashekar, would take up this matter and seek a clarification from the Finance Ministry.

Naavi

Posted in Bank, Cyber Crime, RBI

Government misleading Parliament on Bank fraud information

The PIB press release of 22nd February 2013 has provided some data on Bank frauds. According to this press release, the fraud information for the last three years was as follows.

[Table image: bank_fraud_data_2013]

The Bankwise data is also available here

According to these figures, which it is presumed must have been given to the Parliament in response to a question, the total frauds reported in 2010 was Rs 4048.94 lakhs.

On 30.7.2010, the Government, in reply to Lok Sabha unstarred question no 1072, had stated that the total frauds reported in 2010 was Rs 1669.83 lakhs.

It appears that the Government does not have correct figures and is misleading the Parliament by giving false information on the status of Bank frauds.

Naavi.org had earlier carried a report of DNA Mumbai which had stated that, according to an RTI reply from RBI, Bank frauds in 2006-11 in 5 major cities were of the order of Rs 4500 crores. (See report here). It appears that RBI has no proper information on this key performance parameter of the Banking industry.

Will some MP clarify the position?

Naavi

Posted in Bank, Cyber Crime, RBI

Banking frauds in India

RBI has for the first time released some statistics of frauds in the Indian Banks. (Details here) (Press Release)

According to the figures released, Cyber Frauds in 2012 were about Rs 52.7 crores as against Rs 40.5 crores in 2010. The number of frauds in 2012 is reported to be 8322 as against 15018 in 2010.

The reported value of frauds appears to be far less than what the market had otherwise estimated. It represents the actual frauds reported by Banks and absorbed by them.

According to the PIB release the data excludes frauds which have been treated as NPA. Perhaps it also does not include frauds in which customers have been forced, one way or the other, to absorb the losses. This also explains the reduction in the number of fraud cases, since the losses absorbed by customers would mostly be frauds of smaller value where they might not have considered it worthwhile to fight legally.

ICICI Bank is the Bank which leads in the reported fraud cases. Even ICICI Bank is reported to have observed a decline in the fraud numbers, which is surprising.

Naavi

Posted in Bank, Cyber Crime

Sec 66A abused again

Kerala Police have joined the bandwagon of Section 66A abusers by booking 111 persons for comments on Facebook. This is in respect of a Facebook comment made by one person and shared by the other 110 persons regarding Mr P.J. Kurien, who has been accused in a rape case at Suryanelli.

It is stated that the comment was shared by over 2000 persons, and the logic of booking cases against the chosen 111 is not known.

The complaint was made by the Kerala Mahila Congress Chief, Mrs Bindu Krishna. The complainant, who is herself a woman, has stated that the comments made were obscene, which “no woman could tolerate”. It is interesting to note that Bindu Krishna considers that perhaps the rape itself was something that could be tolerated, and not the comments against the Congress leader!

The evidence against the Facebook users is that they have “Shared” the comment which is obscene. On the other hand, the evidence against Mr Kurien is the statement of the victim herself. Police need to consider whether this evidence is strong enough to consider booking the case against Mr Kurien and proceeding against him, rather than proceeding against Facebook users.

Kerala Police are considered well informed when it comes to Cyber Laws, but it appears that even they act more under political influence than logic or public interest. It is, however, good that Police have not jumped to arresting the Facebook users and have stopped at booking cases.

In our opinion Sec 66A of ITA 2008 is not meant to be applied to Facebook postings, and more such misapplications will only strengthen the demand for its removal from the statute.

Naavi

Related Story in TOI

Posted in Cyber Crime, Cyber Law, ITA 2008, Netizen's Forum, Uncategorized