SIM hijacking vulnerabilities puncture Bank’s legal arguments

In all cases of banking fraud involving “Unauthorized Access”, Banks have put forward various arguments to shift the blame entirely onto the customers.

We had reported a recent incident where HDFC Bank had tried to bully a customer over a credit card fraud in which the money had been drawn on a foreign website and the customer had disputed the transaction forthwith. After the customer brought the incident to the attention of RBI, immediate action was initiated by RBI, which forwarded the complaint to the local Banking Ombudsman. Within hours, HDFC Bank confirmed that the transaction had been reversed. But it is a fact that the Bank made multiple attempts to trap the customer and force him to file a police complaint. Had he filed a police complaint, the Bank would perhaps have taken it as an excuse to delay the payment.

When such bullying fails, Banks take up the argument that “the Bank’s security system is fail-safe” and that if there is any compromise of credentials, it can only have happened at the customer’s end and because of his negligence. They often hold out some old ISO 27001 certificate and claim immunity from their responsibilities.

With its two judgements, in ICICI Bank vs S Umashankar and in IDBI Bank vs Sudhir S Dhupia, TDSAT has established the precedent that “Negligence by Bank” is a Section 43(g) contravention, making Banks liable in cases of phishing.

Though the Banks may knock at the doors of the High Courts to continue their fight against customers, if the Courts are honest and informed, it is unlikely that the Banks will succeed in overturning these judgements from a specialized tribunal with adequate technical understanding.

However, considering that not all High Courts are equipped to handle such techno-legal cases, and that the Banks’ highly paid lawyers may be influential enough to sway the Courts in their favour, there is a danger of adverse decisions from the Courts if the informed public do not monitor the Court proceedings in these cases.

Sometimes Banks also hold out the “OTP” as a security measure good enough to say that the Bank is always right and the customer is always wrong when an OTP-based second factor authentication has been used in a fraudulent transaction.

Naavi has always held that even when a customer mistakenly provides the OTP to a fraudster, it is only because he believes he is interacting with the Bank, and not otherwise. Banks make such deception possible in the first place by not adopting more secure authentication systems, including the digital signature system or adaptive authentication using Artificial Intelligence, which is now available at little cost.

Additionally, it has now been revealed that two critical vulnerabilities have been found in SIM software which make it possible for fraudsters to hijack a mobile phone and thereby compromise the OTP system.

I would not like to go into the technicalities of the Simjacker vulnerability and WIBattack, which have been explained in the articles linked above.

The summary, however, is that OTP-based authentication is not reliable enough to absolve the Banks of their negligence in not adhering to the law of the land, which mandates the use of “Digital Signature” or “E-Sign” for authentication, or in not following:

a) the Internet Banking guidelines of June 2001 mandated by RBI, or

b) the E-Banking Security guidelines of the G Gopalakrishna Working Group, or

c) the Cyber Security Framework of 2016, or

d) the Limited Liability Circular of July 2017 from RBI.

I hope that the Courts will check against these guidelines before accepting any arguments from the Banks against customers in cases of internet or card-related fraud.

I request all Bar Councils to create awareness amongst Advocates so that they can defend the rights of customers against the powerful Banks. The Judicial Academies should also ensure that sufficient awareness is created amongst senior judges on why they should be resistant to the vocal arguments of senior counsels in favour of negligent Banks, who only want to exploit less informed customers represented by less informed or junior advocates.

Naavi


1 Response to SIM hijacking vulnerabilities puncture Bank’s legal arguments

  1. Vikram says:

    Problem is banks enable the features that a customer may not need…. The N number of features on each product should not be enabled by default for each customer… They should be enabled on a request basis for each feature for each customer… In this instance the bank should have enabled the international transaction option only if the customer is a traveler, which saved the customer and the bank too…
