Advisory on Section 66A

A copy of the advisory sent by the Ministry of Communications and Information Technology to State Governments, following the recent controversy over the arrest of the Palghar ladies, is now available here.

The advisory is issued by the Group Coordinator & Director General, Department of Electronics and Information Technology, Government of India to the Chief Secretaries and DGPs of all States and Union Territories.

According to the Advisory

“State Governments are advised that as regard to arrest of any person in complaint registered under section 66A of the Information Technology Act 2000, the concerned police officer of a police station under the State’s jurisdiction may not arrest any person until he/she has obtained prior approval of such arrest from an officer not below the rank of the Inspector General of Police in the metropolitan cities or of an officer not below the rank of Deputy Commissioner of Police or Superintendent of Police at the district level, as the case may be.

It is requested that appropriate instructions may be issued in the matter to all concerned”

Since the advisory conflicts with the provisions of Section 80 of ITA 2000/8, it appears to be ultra vires the Act.

Naavi

Posted in Cyber Crime, Cyber Law, ITA 2008

Don’t be confused by iaadhaar.com or iaadhar.com

Cyber squatting is the practice of registering popular domain names, or small typographic variations of them, in order to attract visitors. Sometimes it is harmless to the visitor, since the purpose may only be to generate advertising revenue from such stray visits. But there is a real risk of such a site being misused to gather visitors’ personal information.

We have recently come across two websites, iaadhar.com and iaadhaar.com, both “confusingly similar” to the Government of India project of issuing Aadhaar cards through the UID Authority of India (UIDAI).

Neither site is officially related to UIDAI. While iaadhaar.com only provides information about the Aadhaar registration process and also carries a disclaimer, iaadhar.com is presently just a domain parking site.

The public should not mistake these for the official sites or part with any sensitive information on them. UIDAI itself uses the sub-domain http://eaadhaar.uidai.gov.in.

It is to address situations like these that Naavi introduced, way back in 2000, a service which is still available at www.lookalikes.in.

It would be preferable for UIDAI to place a disclaimer on its own site, so that the public are not at any time in future misled by cyber squatters, with identity theft as the result.
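The check a lookalike-monitoring service performs can be illustrated in a few lines. The following is an added example, not code from naavi.org or lookalikes.in; the brand term "aadhaar" and the official domain uidai.gov.in come from the post, and the short prefix list ("my", "i", "e") and the two-edit threshold are assumptions.

```python
# Added example (not from naavi.org or lookalikes.in): flag registered domains
# that are "confusingly similar" to an official brand, as a brand-monitoring check.
OFFICIAL_BRAND = "aadhaar"            # brand term taken from the post
OFFICIAL_DOMAINS = {"uidai.gov.in"}   # official domain taken from the post
TWO_LEVEL_SUFFIXES = {"gov", "co", "org", "net", "ac", "nic"}  # crude handling of x.in suffixes


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(host: str) -> str:
    """Second-level label, e.g. 'iaadhar' for 'www.iaadhar.com', 'uidai' for 'x.uidai.gov.in'."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in TWO_LEVEL_SUFFIXES and len(parts[-1]) == 2:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_official(host: str) -> bool:
    host = host.lower().strip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def lookalike_report(host: str, brand: str = OFFICIAL_BRAND, max_distance: int = 2) -> dict:
    """Score one host against the brand. 'lookalike' is True when the host is not
    official and its label contains the brand or is within max_distance edits of
    it, after stripping an assumed short marketing prefix such as 'my', 'i' or 'e'."""
    label = registrable_label(host)
    core = label
    for prefix in ("my", "i", "e"):
        if core.startswith(prefix) and len(core) > len(prefix) + 3:
            core = core[len(prefix):]
            break
    distance = min(levenshtein(label, brand), levenshtein(core, brand))
    official = is_official(host)
    return {
        "host": host,
        "official": official,
        "distance": distance,
        "lookalike": not official and (brand in label or distance <= max_distance),
    }
```

Run over the three hosts named in the post, the two .com sites are flagged while the UIDAI sub-domain is recognised as official.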

Screen shots: iaadhaar.com :: iaadhar.com :: eaadhar.uidai.gov.in

Naavi

Posted in Uncategorized

2.5 lakh Twitter passwords compromised

It is reported that about 2.5 lakh Twitter IDs with passwords have been compromised. It is also reported that Twitter has informed the affected users and asked them to change passwords.

Details in TOI

Posted in Cyber Crime, Privacy

Rs 1 Crore lost by executive in Mumbai Bank fraud

In one of the larger Bank frauds of recent times, an executive in Mumbai has lost Rs 1 crore through a series of fraudulent transactions in his Bank account. The transactions were 12 RTGS debits within a space of 45 minutes, indicating a total failure of the Bank’s security warning system.

The Bank involved is Yes Bank.

As always happens, the victim is now running around to the Police, whereas it is the Bank which should be running around to the Police. The victim is entitled to be fully reimbursed for his losses by the Bank immediately, and it is the Bank which has to file a police complaint and pursue the recovery.

Details in TOI

It must be pointed out that the Damodaran Committee on Customer Services, set up by RBI, had recommended that customers be given complete control over fixing daily limits on such transactions, as well as the freedom to switch the Internet banking facility on and off. It had also clearly defined the bank’s liability in such cases and the need to immediately reimburse the losses to the customer.

Unfortunately, powerful Bankers such as SBI and ICICI Bank have used their influence in the Indian Banking Association and prevented RBI from implementing the recommendations of the Damodaran Committee.

RBI has not shown the courage to ignore the objections of IBA and go ahead with the Damodaran Committee recommendations.

If therefore this case is taken to a Court, I would advise that IBA be made a party to the suit along with RBI.
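The two Damodaran Committee controls mentioned above, a customer-set daily limit and an on/off switch for online transfers, together with a simple velocity rule, are enough to hold a burst like the one described. The following is an added example, not the bank’s or the page’s code; the 12 debits, their timestamps, the Rs 20 lakh limit and the "more than 3 transfers in 45 minutes" rule are all constructed for the illustration.

```python
# Added example (not the bank's or the page's code): the customer-controlled limit,
# on/off switch and velocity check whose absence the post describes. Data is constructed.
from datetime import datetime, timedelta
from typing import List, Tuple

Debit = Tuple[str, int, str]  # ("YYYY-MM-DD HH:MM", amount in rupees, channel)

# Constructed sample mirroring the post: 12 RTGS debits in 45 minutes totalling Rs 1 crore
SAMPLE_DEBITS: List[Debit] = [
    ("2013-02-04 10:02", 1_000_000, "RTGS"), ("2013-02-04 10:05", 800_000, "RTGS"),
    ("2013-02-04 10:09", 800_000, "RTGS"), ("2013-02-04 10:12", 800_000, "RTGS"),
    ("2013-02-04 10:16", 800_000, "RTGS"), ("2013-02-04 10:20", 800_000, "RTGS"),
    ("2013-02-04 10:24", 800_000, "RTGS"), ("2013-02-04 10:28", 800_000, "RTGS"),
    ("2013-02-04 10:33", 800_000, "RTGS"), ("2013-02-04 10:37", 800_000, "RTGS"),
    ("2013-02-04 10:41", 800_000, "RTGS"), ("2013-02-04 10:44", 1_000_000, "RTGS"),
]
ONLINE_CHANNELS = {"RTGS", "NEFT", "IMPS"}


def check_debits(debits: List[Debit], daily_limit: int, online_enabled: bool = True,
                 window: timedelta = timedelta(minutes=45), max_in_window: int = 3):
    """Return (alerts, held_amount). A debit is held (not posted) when the customer
    has switched online transfers off, when it would breach the customer's daily
    limit, or when more than max_in_window transfers fall inside the sliding window."""
    alerts, held, spent_today, day, recent = [], 0, 0, None, []
    for ts, amount, channel in sorted(debits):
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M")
        if t.date() != day:                      # reset the daily counter at midnight
            day, spent_today = t.date(), 0
        recent = [r for r in recent if t - r <= window] + [t]
        reasons = []
        if not online_enabled and channel in ONLINE_CHANNELS:
            reasons.append("online transfers switched off by customer")
        if spent_today + amount > daily_limit:
            reasons.append(f"daily limit Rs {daily_limit:,} would be exceeded")
        if len(recent) > max_in_window:
            reasons.append(f"{len(recent)} transfers within {window.seconds // 60} minutes")
        if reasons:
            alerts.append((ts, "; ".join(reasons)))
            held += amount
        else:
            spent_today += amount
    return alerts, held
```

With a Rs 20 lakh daily limit only the first two debits post; with the online facility switched off nothing posts at all.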

Naavi

Posted in Bank, Cyber Crime, Information Assurance

Mumbai Consumer Court awards compensation in ATM fraud case

The Maharashtra State Consumer Disputes Redressal Commission has ordered Citibank to pay Rs 9.44 lakh to a man after Rs 6 lakh was fraudulently withdrawn from his account with an ATM card which he did not even possess.

In December 2006, Ratilal Israni, an SB account holder with Citibank, noticed that between November 22, 2006 and December 5, 2006, Rs 6 lakh was shown as withdrawn using an ATM card. Israni contended that he never had an ATM card for his savings bank account, and alleged that it was a fraudulent act on the part of bank officials to debit the account for the amount claimed to have been withdrawn using an ATM card.

Details in TOI

Posted in Bank, Cyber Crime, Uncategorized

PCI Guidelines for E Commerce websites

On Jan. 31, the Payment Card Industry Security Standards Council issued its PCI DSS E-commerce Guidelines Information Supplement, a set of guidelines for e-commerce security. The guidelines relate to online infrastructures and how merchants work with third-party providers.

The guidance offers a checklist of security recommendations and reminders, reviews how merchants can work with third parties to address the associated risks, and provides a checklist of easy-to-fix vulnerabilities.

It is observed that merchants may develop their own e-commerce payment software, use a third-party developed solution, or use a combination of both. Merchants may also use a variety of technologies to implement e-commerce functionality, including payment-processing applications, application programming interfaces (APIs), inline frames (iFrames), or hosted payment pages. Merchants may also choose to maintain different levels of control and responsibility for managing the supporting information technology infrastructure: for example, managing all networks and servers in house, outsourcing the management of all systems and infrastructure to hosting providers and/or e-commerce payment processors, or using a combination.

The guidelines provide that:

1. No option completely removes a merchant’s PCI DSS responsibilities. Regardless of the extent of outsourcing to third parties, the merchant retains responsibility for ensuring that payment card data is protected.

2. Connections and redirections between the merchant and the third party can be compromised, and the merchant should monitor its systems to ensure that no unexpected changes have occurred and that the integrity of the connection/redirection is maintained.

3. E-commerce payment applications such as shopping carts should be validated according to PA-DSS, and confirmed to be included on PCI SSC’s list of Validated Payment Applications. For in-house developed e-commerce applications, PA-DSS should be used as a best practice during development.

4. Third-party relationships and the PCI DSS responsibilities of the merchant and each third party should be clearly documented in a contract or service-level agreement to ensure that each party understands and implements the appropriate PCI DSS controls.
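Point 2 above asks the merchant to confirm that the redirection to the third party has not changed. One way to do that is to compare the live checkout page against a known-good baseline: the form action must still point to the payment provider over HTTPS, external scripts must come from expected hosts, and every inline script must hash to a value recorded from the baseline copy. The following is an added example, not code from the PCI SSC guidance; the provider host pay.example-psp.test, the merchant host shop.example.test and both page bodies are constructed, and the second page is a copy of the first with a changed redirect and an extra script.

```python
# Added example (not from the PCI SSC guidance): check a merchant's checkout page
# against a known-good baseline, per guideline 2. Hosts and pages are constructed.
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"payment": {"pay.example-psp.test"},                      # hypothetical PSP host
           "script": {"pay.example-psp.test", "shop.example.test"}}  # plus hypothetical merchant host

class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._in_script = [], [], False   # (kind, url) pairs, inline bodies
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and a.get("action"):          # where the card data is posted / redirected
            self.urls.append(("payment", a["action"]))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self.urls.append(("script", a["src"]))
    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data.strip())
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

def inline_script_hashes(html: str) -> set:
    """Baseline: SHA-256 of each inline script on a known-good copy of the page."""
    c = _Collector(); c.feed(html)
    return {hashlib.sha256(s.encode()).hexdigest() for s in c.inline}

def check_checkout_page(html: str, baseline: set) -> list:
    """Findings list; empty means the redirect target and scripts are as expected."""
    c = _Collector(); c.feed(html)
    findings = []
    for kind, url in c.urls:
        u = urlsplit(url)
        if u.scheme != "https" or u.hostname not in ALLOWED[kind]:
            findings.append(f"{kind} URL not on an allowed HTTPS host: {url}")
    for s in c.inline:
        if hashlib.sha256(s.encode()).hexdigest() not in baseline:
            findings.append("inline script differs from baseline")
    return findings

GOOD_PAGE = """<form id="pay" action="https://pay.example-psp.test/checkout" method="post"></form>
<script src="https://shop.example.test/js/cart.js"></script><script>document.getElementById('pay').submit();</script>"""
TAMPERED_PAGE = (GOOD_PAGE.replace("pay.example-psp.test/", "pay.example-psp.test.other.test/")
                 + "\n<script>var t = 1;</script>")
```

The baseline hashes are taken from the known-good copy, so the monitor reports nothing for it and two findings for the altered copy: the redirect now leaves the provider’s host, and an inline script has appeared that was not there before.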

A high-level checklist has also been provided to assist merchants with the compliance requirements.

A copy of the guidelines is available here.

Naavi

Posted in Information Assurance, Uncategorized