Recently two Phishing cases have been
reported involving a combination of a Bank and a Mobile Service
Provider. In both cases the combination is State Bank of India
and Vodafone. Ever since RBI introduced the OTP system as a
second-factor authentication for some net-based transactions,
many Banks have jumped to the conclusion that this could secure
them from Phishing liabilities. Banks like SBI and ICICI Bank
strongly favoured 2F authentication, even at the expense of the
legally mandated PKI-based digital signature system for
authentication of Internet-based transactions, during discussions
in the G Gopalakrishna Working Group.
Though RBI has always been in favour of the
use of a PKI-based authentication system, SBI, as the leading
representative of the industry and in control of IBA,
has been opposing the introduction of a digital signature based
authentication system. It is therefore significant that the
series of frauds now surfacing are from SBI. Last week Naavi.org
reported a fraud from Mumbai involving Rs 10 lakhs. Now another
fraud has been reported from Kolkata involving Rs 3,39,000/-. In
both these cases SBI is the Bank involved.
Additionally, in both these cases the SIM
card of the customer had been reported lost and replaced against
false KYC information. The replacement SIM carries the customer's
registered mobile number, so the OTP-based 2F authentication as
well as the mobile alert system delivered their messages to the
holder of the replacement SIM instead of to the customer, and both
failed. The modus operandi indicates that the Phishing fraudsters
are not only networked to open false Bank accounts; they are
now also networked to obtain duplicate SIM cards.
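The failure described above, as an added illustration that is not code from Naavi.org, SBI or Vodafone: an SMS OTP is delivered to whoever holds the SIM currently active on the registered number, and the bank cannot tell that the holder has changed. The check shown alongside it assumes something the text does not mention, namely that the bank can learn from the telco the date on which the active SIM was issued, and refuses SMS OTP when that SIM is younger than an assumed seven-day cooling period. All records, numbers and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class SimRecord:
    """What the telco knows about the SIM active on a number (constructed)."""
    msisdn: str
    holder: str          # who physically holds the active SIM; the telco only
                         # knows what the KYC papers claimed
    issued_on: date      # issue date of the SIM currently active on the number
    kyc_document: str    # KYC the telco accepted when issuing it


@dataclass
class Account:
    customer: str
    registered_mobile: str


# Assumed bank policy value, not a figure from RBI or the text.
SIM_COOLING_PERIOD = timedelta(days=7)


def sim_swap(telco, msisdn, new_holder, issued_on, kyc_document):
    """Telco replaces the SIM on a number 'reported lost'. The number itself
    is unchanged, so the bank's registered mobile still matches."""
    old = telco[msisdn]
    telco[msisdn] = SimRecord(msisdn, new_holder, issued_on, kyc_document)
    return old


def sms_otp_recipient(account, telco):
    """An SMS OTP (or transaction alert) lands with whoever holds the SIM
    active on the registered number. This is the weakness the text describes."""
    return telco[account.registered_mobile].holder


def should_send_sms_otp(account, telco, today, cooling=SIM_COOLING_PERIOD):
    """Assumed mitigation: refuse SMS OTP, and force a non-SMS channel, when
    the SIM on the registered number was issued within the cooling period.
    Returns (allowed, reason, sim_age_days)."""
    rec = telco.get(account.registered_mobile)
    if rec is None:
        return False, "registered number unknown to telco", None
    age = today - rec.issued_on
    if age < cooling:
        return (False,
                f"SIM on {rec.msisdn} issued {age.days} day(s) ago; "
                "use a non-SMS channel",
                age.days)
    return True, f"SIM age {age.days} days", age.days


def build_scenario():
    """Constructed data: one customer whose SIM has been active since 2008."""
    msisdn = "+919800000000"
    telco = {msisdn: SimRecord(msisdn, "customer", date(2008, 3, 1), "passport")}
    return Account("customer", msisdn), telco


def run_demo():
    """Walk through the attack: genuine state, then a fraudulent SIM swap two
    days before a transaction on 2011-09-17."""
    account, telco = build_scenario()
    today = date(2011, 9, 17)
    out = {}
    out["recipient_before"] = sms_otp_recipient(account, telco)
    out["before_swap_allowed"] = should_send_sms_otp(account, telco, today)[0]

    # Fraudster obtains a replacement SIM against forged KYC papers.
    sim_swap(telco, account.registered_mobile, "fraudster",
             date(2011, 9, 15), "forged address proof")

    # Without any SIM-age check the OTP and the alert SMS go to the fraudster.
    out["recipient_after"] = sms_otp_recipient(account, telco)
    allowed, reason, age_days = should_send_sms_otp(account, telco, today)
    out["after_swap_allowed"] = allowed
    out["after_swap_reason"] = reason
    out["sim_age_days_after"] = age_days
    return out


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The SIM-age check does not make SMS OTP a second factor again; it only stops the bank from trusting a channel that the telco's KYC failure has just handed to someone else, and it depends entirely on the telco being willing to share the issue date.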
So far, Banks were being held liable for
Phishing because of failure of security coupled with
non-compliance with RBI guidelines and ITA 2008 regarding
authentication of transactions and KYC. Now failure of KYC at
the mobile company has been added to the list of omissions, and it
brings the mobile service provider directly into the
liability along with the relevant Bank.
While the victim can now blame both the Bank
and the Mobile service provider for his loss and seek damages
from both of them jointly and severally, the adjudicator may
take a call on the inter-se distribution of the loss between the
Mobile service provider and the Bank. In the absence of any
better system it is likely that he may rule that they need to
share the liability equally, though it is possible that he may
continue to place the primary blame on the Bank and let the Bank
proceed later against the Mobile service provider to recover a
part or the whole of the loss from them.
Under these circumstances it would be
essential for the Mobile industry to estimate the extent of loss
that may befall them in the coming days on account of such
frauds.
According to estimates based on the Norton
study, the total Phishing losses in India in 2010 are estimated
to be around Rs 6500 crores. If this is shared equally by the
Mobile industry, the loss borne by the Mobile industry would be
around Rs 3250 crores. A company like Vodafone, which has
around a 20% share of the mobile market, can therefore end
up with a loss of around Rs 650 crores on account of
Phishing alone.
The finance managers of Mobile companies will
now have to consider how they can absorb such losses. I feel
that banks may not find it too difficult to absorb the losses,
but Mobile companies may go bust if they have to bear such
losses. Risk managers within the Mobile companies will now have
to work overtime to address the issue of mitigating the losses
with appropriate risk-containment measures, including ITA 2008
compliance, so that they can effectively contain the Phishing
losses to the Banking industry. The industry association of
Mobile Service Providers needs to look into the effect of
these cases on the industry.
Since the crisis is triggered by the RBI rule
on OTP, it is possible that the Mobile providers will now combine
to bring pressure of some sort on RBI to protect them. RBI
itself now needs to put a stop to all mobile banking initiatives
until the system of KYC in mobile companies is rendered
reliable.
I take this opportunity to bring these
incidents to the notice of RBI and demand that a comprehensive
review of all Mobile-based authentication systems for Banking
operations be undertaken. In the meantime RBI should inform all
their Ombudsmen to take note of such frauds and deal with
customer complaints taking into account the possibilities
indicated in such incidents.
Naavi
September 23, 2011