Two years back we wrote the following posts:
Syndicate Bank loses Rs 1.13 crores of customer’s money: November 26, 2013
In these articles, the attention of companies as well as RBI and ECGC had been drawn to the e-mail identity hijacking fraud, which had become a convenient tool of cyber fraud. I do not accept that these articles have escaped the notice of RBI and ECGC. They should not have escaped the notice of even large companies, which have professionals working as legal advisors, information security professionals, compliance professionals etc., besides the finance professionals. Some of these companies might have kept “Fraud Mitigation Advisors” on retainer who are supposed to audit the business process and advise the companies on reduction of fraud losses.
But it appears that ONGC has suffered a loss of Rs 197 crores to a simple impersonation fraud as this report indicates.
In Information Security, we often talk of the importance of “Awareness Building”. The above articles did try to build such awareness. But unfortunately, it has proved once again that “Awareness Building” is only the first little step and as long as there are irresponsible and uninterested people around, frauds will continue to happen.
What irks people like us is that the fraud that has happened in ONGC did not involve any sophisticated trojans and viruses, nor a cyber army or cyber terrorist attacks. It could have been done by an ordinary fraudster who was aware of the business processes used by the Company. That’s why I called it a silly fraud. If we cannot defend against such simple frauds, we do not have the right to talk about Stuxnet or Zeus or other more sophisticated attack vectors.
The modus operandi of the fraud was:
A website was registered in the name of ognc.com probably by our own Indian ISP, Net4domains.com recently on 19th September 2015, as indicated by the following Whois information:
Domain ID: D9853385-AFIN
Domain Name: OGNC.CO.IN
Created On: 19-Sep-2015 02:36:10 UTC
Expiration Date: 19-Sep-2016 02:36:10 UTC
Sponsoring Registrar: Net4India (R7-AFIN)
Status: TRANSFER PROHIBITED
Registrant ID: R15091904345215
Registrant Name: Robert Knowles
Registrant Organization:
Registrant Street1: 116 Street NW
Registrant Street2:
Registrant Street3:
Registrant City: Edmonton
Registrant State/Province: AB
Registrant Postal Code: t6j6x5
Registrant Country: CA
Registrant Phone: +91.7804377824
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email: email@example.com
Admin ID: A15091904345215
Admin Name: Robert Knowles
Admin Organization:
Admin Street1: 116 Street NW
Admin Street2:
Admin Street3:
Admin City: Edmonton
Admin State/Province: AB
Admin Postal Code: t6j6x5
Admin Country: CA
Admin Phone: +91.7804377824
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email: firstname.lastname@example.org
Tech ID: T15091904345215
Tech Name: Robert Knowles
Tech Organization:
Tech Street1: 116 Street NW
Tech Street2:
Tech Street3:
Tech City: Edmonton
Tech State/Province: AB
Tech Postal Code: t6j6x5
Tech Country: CA
Tech Phone: +91.7804377824
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email: email@example.com
Name Server: NS1.NET4INDIA.COM
Name Server: NS2.NET4INDIA.COM
E-mails were sent in the name of firstname.lastname@example.org to a customer, namely the Saudi-based Aramco, with whom an executive of ONGC was perhaps in touch using the e-mail address email@example.com, with an order to deliver 36000 metric tons of naphtha.
On September 7, ONGC dispatched the order, worth Rs 100.15 crore, from Hazira port in Surat. According to the police, the company usually transferred payments to ONGC’s State Bank of India (SBI) account, but did not do so this time.
ONGC was to send a second batch of naphtha to Aramco on September 22. However, since they had not received the earlier payment, they enquired with the Saudi-based company. On being told that the delay was on account of public holidays and bank holidays, ONGC dispatched the second batch of naphtha worth Rs 97 crore on September 22. Again, ONGC e-mailed a scanned copy of the tax invoice with its SBI account number to the company.
ONGC received an e-mail on October 7 from Aramco stating that the money had been transferred to a new account. Obviously such a change of bank name had been sent to Aramco from the alternate email ID. As of now the identity of that bank is not known.
It is clear that the fraudster has started his action after the first batch of the order had been delivered and the money was due from the other end.
It is possible for us to blame Aramco that it was their negligence in not identifying the change in e-mail and remitting the money to a new account. It is also possible to blame the Bank which could have been used for completing the fraud by opening the account of the fraudster.
It is possible that ONGC may ultimately recover its money and the loss may have to be borne by Aramco.
I wish Dr Triveni Singh, the celebrated police officer attached to the UP cadre who even yesterday busted a huge employment racket in Noida, is made the special officer in charge of investigating this ONGC fraud.
But negligence should be recognized by ONGC on account of not using digital signatures in communicating with its customers. Not identifying the presence of a confusingly similar domain name (though the fraud occurred immediately after the registration and perhaps it was too early for the registration to be recognized) could also be an area of negligence.
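As an added illustration of the "confusingly similar domain name" check mentioned above (example code written for this page, not taken from ONGC, Aramco or any tool named here): a mail gateway or payments desk can compare each sender domain against the list of known counterparties and flag near-misses such as the swapped letters in ognc. The trusted domains below are constructed placeholders, the suffix list is a deliberately tiny assumption, and the mailbox names are made up.

```python
# Added example: flag sender domains that are near-misses of a trusted domain.
# TRUSTED is a constructed allow-list; "ongc.example" is a placeholder domain.
TRUSTED = {"ongc.example", "aramco.example"}
# Tiny suffix list for the demo (assumption); real code should use the Public Suffix List.
SUFFIXES = ("co.in", "com", "in", "example")

def label(domain):
    """Return the registrable label, e.g. 'ognc' for 'mail.ognc.co.in'."""
    d = domain.lower().rstrip(".")
    for s in sorted(SUFFIXES, key=len, reverse=True):
        if d.endswith("." + s):
            return d[: -len(s) - 1].split(".")[-1]
    parts = d.split(".")
    return parts[-2] if len(parts) > 1 else d

def osa_distance(a, b):
    """Edit distance in which an adjacent swap (ongc -> ognc) counts as one edit."""
    rows = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        rows[i][0] = i
    for j in range(len(b) + 1):
        rows[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            rows[i][j] = min(rows[i - 1][j] + 1, rows[i][j - 1] + 1,
                             rows[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                rows[i][j] = min(rows[i][j], rows[i - 2][j - 2] + 1)
    return rows[len(a)][len(b)]

def classify_sender(address, max_distance=1):
    """Return (verdict, matched trusted domain); verdict is trusted/lookalike/unknown."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED:
        return "trusted", domain
    for t in sorted(TRUSTED):
        # Same or nearly the same label under a different suffix is treated as a lookalike.
        if osa_distance(label(domain), label(t)) <= max_distance:
            return "lookalike", t
    return "unknown", None

if __name__ == "__main__":
    # Constructed sample senders; only the domain ognc.co.in comes from the Whois record above.
    for sender in ("accounts@ongc.example", "accounts@ognc.co.in", "info@unrelated.com"):
        print(sender, classify_sender(sender))
```

A "lookalike" verdict on a message that asks for a change of bank account is the point at which the request should be held and confirmed with the counterparty over a channel other than e-mail.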
Net4Domains will also share a good part of the blame since it has unwittingly become a tool of this crime. I will not be surprised if Aramco files a case against this company and it will be tough for them to defend.
In summary we can again highlight that “Cyber Law Compliance” in business is being ignored by large companies and it is resulting in such frauds. The sooner they realize the need to have the right kind of advisors who understand Cyber Laws and how they impact the business in a variety of ways, the better it is for the company.
We may also highlight here that ONGC is a listed company and its CEO and CFO are signatories to the Clause 49 declaration of the listing requirements. How they gave a declaration without adequate security in their communications is a point which the shareholders of the company need to raise in the next AGM.
Shareholders need to also watch out for the remedial steps that ONGC needs to take after the incident including whether they have Cyber Insurance and question the directors.
At the same time, I also would like to draw the attention of the Controller of Certifying Authorities (CCA) that while people like us are placing faith on the digital signature system since that is part of ITA 2008, CCA itself is diluting the legal validity of digital signature system as I have explained in greater detail in an earlier article on esign. This is a great disservice CCA is doing to ITA 2000/8 loyalists like the undersigned and CCA should call for a meeting of experts to discuss how it can resolve the esign issue and other issues that dilute the legal validity of digital signature and its non repudiable nature.