The Reserve Bank of India is in the news for picking a fight with the Central Government over the right to use its reserves in a manner it deems fit. Whether RBI is over-capitalized through the retention of reserves, and whether part of them should be made available for bridging the fiscal deficit, is not a debate for this platform. We leave it to the economists to debate and, hopefully, resolve in the November 19 Board meeting.
However, we would like to point out to the RBI that its functions, apart from being Banker to the Government, include that of “Regulator of the Banking System in India”. RBI in this capacity is responsible for the security of the Banking system in India.
Whether RBI should fight to defend its right over the disposal of its reserves is left to the economic experts, but the Common Citizen who is a customer of a Bank is really concerned that RBI is perhaps not discharging its duty of protecting the interests of Customers adequately.
We acknowledge that RBI has taken some right steps in the direction of safety of Banking transactions in the Digital Banking era, both by refusing to succumb to the pressure of the Bitcoin lobby and also by issuing the “Limited Liability Circular” to introduce the “Zero Liability” for Banking frauds.
However, the fresh outbreak of the Android virus identified as “Mazar” now poses a fresh challenge to the RBI and raises the question of whether the measures initiated by the RBI are adequate.
I feel that RBI should start fighting Mazar on a priority rather than fighting with the Government on the issue of who should have a say in the disposal of its reserves.
The Mischief that Mazar is capable of
Just to make things clear, Mazar is a mobile virus which can be spread through an innocuous SMS message and enables the fraudsters to take over the mobile’s messaging function, so that the OTP messages for Banking transactions are compromised.
Since the virus is known to be spread not through messages linked to Banking transactions but through other messages such as
“The Income Tax Department is pleased to advise you that your return for the FY 2017-18 has been processed and refund has been processed. For details of the refund, kindly check here ……. (A shortened hyperlink)”
it is a risk which falls beyond the scope of the normal alerts that banks send to the customer, such as “We do not ask for your password, etc.”
As we approach the elections or the IPL, we may see messages linked to political issues, the IPL, or even controversial decisions of the Supreme Court such as the Sabarimala verdict being used to lure recipients into clicking such links.
If, therefore, an SMS is received saying “Flash news…. Supreme Court all set to ban entry of women to Sabarimala temple. Click here for details…..” or “Virat Kohli meets with an accident in Sydney and hospitalized. Click here for details…”, there would be millions of Bank customers who would click the link in a blink and get their mobiles infected.
Are the Bankers and RBI prepared for such contingencies?
Are our Police and Courts ready to handle the flood of complaints that such messages may generate?
Mazar is a Risk Beyond Reasonable Capability
Mazar is a security risk which is beyond the reasonable capability of mitigation by a customer and has to be recognized as part of the fundamental flaw of the digital banking architecture for which the Bank and RBI are alone responsible.
SMS is not a reliable means of communication
Mazar indicates that SMS has ceased to be a reliable means of communication between the Bank and the Customer and should be replaced with some other form of communication.
If RBI does not act in this direction and force the Bankers to switch over to a more secure form of communication, which legally should be a “Digitally Signed message” or some other form of secure messaging, RBI will be failing in its duty.
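To make the “Digitally Signed message” suggestion concrete, the following is an added example (not code from the original article, nor from any bank or RBI) of how a bank-to-customer notice can be signed at the bank’s gateway and checked in the customer’s app against a pinned bank public key. It assumes Ed25519 from Go’s standard library and a constructed notice format; the point it shows is that a message whose body has been altered, or which was not produced with the bank’s private key, is rejected, which an unsigned SMS can never guarantee.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Notice is a constructed bank-to-customer message carried with its signature.
// The layout is an assumption for this example, not any bank's real format.
type Notice struct {
	Body string // human-readable text the customer sees
	Sig  string // base64 Ed25519 signature over Body
}

// SignNotice is what the bank's message gateway would do: sign the body with
// the bank's private key. Only the public half is shipped inside the app.
func SignNotice(priv ed25519.PrivateKey, body string) Notice {
	sig := ed25519.Sign(priv, []byte(body))
	return Notice{Body: body, Sig: base64.StdEncoding.EncodeToString(sig)}
}

// VerifyNotice is what the customer's app would do with the bank's pinned
// public key. Any change to the body (a swapped link, an altered amount) or a
// message from a sender without the private key fails verification.
func VerifyNotice(pub ed25519.PublicKey, n Notice) bool {
	sig, err := base64.StdEncoding.DecodeString(n.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(n.Body), sig)
}

func main() {
	// Key generation happens once at the bank; the app pins `pub`.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	genuine := SignNotice(priv, "Debit of INR 5000 at 02:14 IST; ref TXN-0001 (constructed sample)")
	fmt.Println("genuine notice verifies:", VerifyNotice(pub, genuine))

	// A message whose text was altered after signing is rejected.
	altered := genuine
	altered.Body = strings.Replace(altered.Body, "5000", "50", 1)
	fmt.Println("altered notice verifies:", VerifyNotice(pub, altered))

	// A message carrying no valid signature at all is rejected too.
	unsigned := Notice{Body: "Click here for details", Sig: "not-a-signature"}
	fmt.Println("unsigned notice verifies:", VerifyNotice(pub, unsigned))
}
```

The verification key is pinned in the app rather than fetched over SMS, so the check does not depend on the handset’s messaging stack, which is exactly the component Mazar is described as taking over.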
I reiterate that RBI has addressed this issue in the past by mandating use of Cyber Insurance by the Banks but Banks have ignored the mandate and they should be pulled up for this lapse.
Further, Bankers have failed to introduce appropriate methods to identify unusual transactions through “Adaptive Authentication”, which RBI has suggested earlier. Most fraudulent transactions, including any that may use the Mazar virus, often happen in the dead of the night when the customer is not awake to respond to the SMS that the Bank may send.
These “Nocturnal Transactions” need to be flagged by the system and subjected to a higher level of security verification. Banks cannot be blind to the fact that no sensible customer wipes out the entire balance in the account through a series of transactions in the dead of the night.
Need to Reject Insecure CBS software
Not programming the CBS system to recognize the location of origin and the time of a transaction, and to link these to an alert system, is a fundamental drawback of the software, including the popular Core Banking software systems.
RBI should therefore re-visit its approval of software such as Finacle or Flexcube and any implementation that does not have a proper adaptive authentication system should be declared as unacceptable.
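The adaptive-authentication rules the two passages above call for (flagging nocturnal transactions, origin location, and a series of transactions that drain the balance) can be written as a small risk engine in front of the transaction release. The following is an added example, not code from the article nor from Finacle, Flexcube or any bank: the record layout, the rule points and the thresholds are all constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Txn is a constructed transaction record as a CBS might pass to a risk
// engine before releasing funds. Field names are assumptions.
type Txn struct {
	Ref     string
	Amount  float64
	Balance float64   // balance before this transaction
	At      time.Time // transaction time in the customer's local zone
	Country string    // country resolved from the originating device or IP
	Recent  int       // transactions already made in the preceding 60 minutes
}

// Profile is what the bank already knows about the customer.
type Profile struct {
	HomeCountry string
}

// Decision is the engine's verdict. "step-up" means extra verification over a
// channel that the handset's SMS stack cannot intercept (in-app approval or a
// call-back), not another SMS OTP; "hold" parks the transaction until the
// customer confirms it the same way.
type Decision struct {
	Action  string
	Score   int
	Reasons []string
}

// Assess applies cumulative rules; point values and cut-offs are illustrative.
func Assess(p Profile, t Txn) Decision {
	d := Decision{}
	add := func(pts int, why string) {
		d.Score += pts
		d.Reasons = append(d.Reasons, why)
	}
	if h := t.At.Hour(); h >= 0 && h < 5 {
		add(2, "nocturnal: between 00:00 and 05:00 local time")
	}
	if !strings.EqualFold(t.Country, p.HomeCountry) {
		add(3, "origin outside the customer's home country")
	}
	if t.Balance > 0 && t.Amount >= 0.8*t.Balance {
		add(2, "drains 80% or more of the available balance")
	}
	if t.Recent >= 3 {
		add(2, "burst: three or more transactions in the last hour")
	}
	switch {
	case d.Score >= 5:
		d.Action = "hold"
	case d.Score >= 2:
		d.Action = "step-up"
	default:
		d.Action = "allow"
	}
	return d
}

func main() {
	p := Profile{HomeCountry: "IN"}
	// Constructed samples: a daytime purchase, the same at 02:30, and a
	// 02:30 transfer that would empty the account after several others.
	day := Txn{Ref: "T1", Amount: 500, Balance: 50000,
		At: time.Date(2018, 11, 10, 14, 0, 0, 0, time.UTC), Country: "IN"}
	night := day
	night.Ref, night.At = "T2", time.Date(2018, 11, 10, 2, 30, 0, 0, time.UTC)
	drain := night
	drain.Ref, drain.Amount, drain.Recent = "T3", 49000, 4
	for _, t := range []Txn{day, night, drain} {
		d := Assess(p, t)
		fmt.Printf("%s: %-7s score=%d %v\n", t.Ref, d.Action, d.Score, d.Reasons)
	}
}
```

A single night-time transaction only earns a step-up, which matches the article’s point that such transactions should face a higher level of verification rather than be refused outright; it is the combination of night, burst and balance drain that reaches the hold threshold.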
Beware of what happened in Pakistan
We must be aware that recently there has been a large scale hacking of Banking systems in Pakistan and there is no reason why we should not expect a similar attack on the Indian Banking system.
In case the Mazar has already been spread and installed in many mobile devices, it could be a tool to compromise a large part of the Indian Banking system. There could be a serious crisis looming ahead for the Indian Banking system which can be attributed to the failure of the supervisory system.
As has been pointed out in the earlier article, Mazar is a notorious risk because it creates “Fake Evidence” against the Customer which Courts may find difficult to understand.
If the Governor and Deputy Governors of RBI do not recognize that this threat is larger than the “Autonomy to decide on the disposal of the Reserves”, they would be doing a great disservice to the Indian citizens.
Steps which RBI should initiate
As a first step, RBI should warn the Banks about this Mazar Virus and remind them that in all cases of digital frauds the “Onus of proof” rests with the Banks and hence Banks should not unfairly hoist the liability on the customers.
RBI should reiterate the point which it has already made regarding the “End Point Security” being the responsibility of the Bank and such responsibility extends to the user end devices.
Banks should mandate implementation of such security measures as are used by Companies in allowing BYOD devices to securely access Corporate digital assets and stop Mobile Banking transactions until a satisfactory solution is found for Mazar kind of viruses which compromise the OTP system.
I once again reiterate that Mr S. Gurumurthy should raise this issue in the Nov 19 meeting even ahead of the reserve related issue.
P.S: Bank Customers may check their mobiles and deactivate App permissions granted earlier to read SMS for all Apps, besides avoiding clicking on any hyperlinks and more so on short links (e.g. bit.ly).