Sec 43A clarification.. What has changed?
Aug 30: There has been more than the required attention on the
recent clarifications issued by the Ministry of Communications and
Information Technology (MCIT) on the earlier April 11 guidelines
regarding Sec 43A....More
Fake Employment Fraudster Arrested
Aug 30: In a commendable investigative effort, it is reported that
CBI has arrested a fraudster who was stealing personal information from
Cyber cafes and using it to launch a targeted employment fraud attack on
individuals. The files were picked up from recycle bins where the CVs
had been dumped by the users. This incident also highlights the need for
better security in Cyber Cafes. Some time back Naavi had suggested a
cyber cafe management software which prevented such frauds. Authorities
however did not show interest in considering the free software as a part
of the compliance measures.
Related Report
Nagpur Cyber Security Summit 2011
Aug 29: BSNL Nagpur in association with Cyber Awareness Groups in
Nagpur conducted a three day Cyber Security Event on 25th/26th and 17th
August to build awareness in the community about Cyber Security
Risks. Speakers from all over India participated in the event held at
the RTTC, BSNL auditorium. Several awareness lectures were also
conducted on the occasion at two Engineering Colleges in the city. Naavi
also participated in the event, both at the main conference and the
workshops at the Engineering colleges. The event was highly successful
and several hundred delegates participated in the event on each of the
three days along with law enforcement agencies. Naavi spoke on the
Threats to National and International peace through Cyber Terrorism as
well as the need for Engineering students to study Cyber Law.
Changes in Sec 43A Rules Exempt Foreign Companies
Aug 25: In a clarification issued by MCIT it is stated that the
April 11 rules on Sec 43A are not applicable to foreign companies. It has
been clarified that if service is being rendered under a "Contractual
obligation", the provisions of the contract will prevail. This was
already evident from a reading of Sec 43A, where the rules were only the
third option under Sec 43A.
More : Related Report : Press Release
Dr Gulshan Rai at CAT
Aug 24: It is reported that Dr. Gulshan Rai, DG (CERT-IN),
has been declared as Head of Department for the office of the Cyber
Appellate Tribunal (CAT). This appears to be an additional charge for Dr
Rai. He may also be an additional member of CAT in a multi-member CAT,
providing the technical inputs. The Chairman's position in CAT still
remains vacant and the person has to be chosen from the Judicial
community.
Bank liable for Phishing.. US Court
Aug 23: In yet another court decision against a Bank, a Michigan
Court held a Bank liable for approximately US $560,000/-. It is
interesting to note that the Court stated that the Bank "Failed to
present evidence" that the Bank had acted fairly with the customer...
Report : Detailed Report : Judgement
Discussion on IT rules in Chennai
Aug 21: Here is a discussion on the IT rules worth listening to.
The discussion is about the rules under Sec 79 and whether they are reasonable.
In particular, the responsibilities hoisted on the intermediaries for
removal of objectionable content on receipt of a complaint are also
discussed by the participants.
Is DIT misleading the Public?
Aug 20: The GOI released the notification of the
rules under Section 43A on April 11, 2011. Naavi has presented his
views on the same in the article here. In response to an RTI query, the department
clarified that ISO 27001 is not mandatory, as is commonly presumed. Naavi had
still requested the appropriate amendment to the notification, for
which no reply has been received. However, the website
http://www.itgovernanceasia.com/t-iso27001.aspx?utm_source=DSCI&utm_campaign=iso27001
takes full advantage of the notification and promotes ISO 27001 as a
solution to Sec 43A compliance. Naavi has now asked for clarifications
from both DIT and ITGOV-Asia...More
Employee Owned Laptops and ITA 2008 compliance
Aug 18: Many security specialists have been recommending a system
of "Employee Owned Laptops" as a recommended corporate practice. This
"Bring Your Own Computer" plan is expected to reduce the cost of
administration and allow a better focus on security for essential IT assets.
Additionally this introduces an interesting prospect for ITA 2008
compliance where the Company assumes the role of only a network service
provider and shifts the hardware asset to the user.
Data itself remains the property of the company and can be hosted on a
secure platform, with the employee's computer being provided a remote
access facility. Data ownership can also be shifted to the employee
under a BPO model in certain cases.
Such a system needs, however, to be supplemented with a good access
management system, where the employee's asset, when connected to the
network, goes through a good access validation system to
ensure that it is free of malicious code. Considering the overall
benefits, the system has a lot of potential as a means of ITA 2008
compliance.
Can we have an Online Referendum in India?
Aug 16: India is one of the few countries in the world where there
is a judicially accepted method of authentication of an electronic
document with the use of "Digital Signatures". The time has now come for
putting this to the test in a practical situation. There is now a serious
debate on "Democracy". One view, supported by the Government, is
that "Democracy means electing representatives in an election held from
time to time and letting them function until the next elections without
any questioning of their Right to Govern". Another school of thought is
that "Democracy is not limited to elections from time to time but
also means monitoring and being Governed on a continuous basis based on the
wishes of the people". Presently there is a practical difficulty in
building a mechanism that provides for continuous monitoring of the
wishes of the people of the country, and hence we need to settle for an
intermediate measure of "Referendums" from time to time instead of
elections every now and then.
It is now possible for the digital world to showcase a pilot project of
a referendum. I request all the Certifying Authorities of India to come
together and organize a referendum amongst those who possess digital
certificates and collect the essence of the public opinion on some of
the key points of contention surrounding the Anti Corruption movement
through voting on the basis of one vote per digital certificate. It can
also be extended, with a slightly lesser evidentiary value, by Mobile
Service providers through an SMS campaign where each mobile owner will
exercise one vote.
On the basis of the experience of these digital referendums conducted by
private agencies, the Government can organize another nationwide
referendum based on the electronic voting system. Probably this should
be the next logical move, which should be acceptable to both the
Government as well as the Anna Hazare group.
"Do I authorize the Anna Hazare team's draft
of the Lokpal Bill as against the draft recommended by the ManMohan
Singh Cabinet?" .. Yes or No
Multiple Mobile Connections on stolen ID
Aug 16: Issue of SIM cards on stolen IDs is a serious security
risk for genuine citizens of India since the stolen IDs will invariably
be used for criminal purposes. It is
reported that recently several such connections were detected in
Vodafone, Maharashtra. After the recent guidelines on Sec 43A, the
incident not only represents a violation of KYC norms as a guideline of
DOT but also a contravention of Sec 43A and Sec 72A of ITA 2008. The
genuine customer who is affected by this ID theft can claim civil
damages and also file an FIR for prosecution of the mobile company under
Sec 72A of ITA 2008.
It is also important to think of solutions to prevent such misuse. One
of the requirements of Sec 43A is that any person who has provided his
personal information to another person/organization under a lawful
contract can demand accuracy of the stored data and enforce that the
information is not used for any purpose other than what it was provided
for.
Every mobile company should therefore be able to provide a reverse
search for a customer where he can check whether his name or address or any
part of his ID (PAN card no etc) is also part of another account
with the same service provider or another service provider. A suitable
mechanism for providing such information through the grievance officer
of the company is therefore a requirement that every mobile company
needs to provide as a part of the Sec 43A and Sec 79 requirements of ITA
2008.
Similarly, Banks which have wrong registrations of mobile numbers of
customers and keep sending SMS alerts of one customer to another also
need to provide a mechanism for their customers to check if their mobile
numbers are associated with any account other than that of the customer.
Report in Pune Mirror
Bank of India Vs ATM Customers
Aug 13: If you are a Bank of India customer in India and have an ATM card, it is
time to consider returning the ATM card to the Bank immediately, since
the Bank is exhibiting a noticeably dangerous anti-customer stance
related to Fraudulent ATM transactions...
More
Axis Bank Responds to a Cyber Crime Victim..
Aug 11: Axis Bank has been in the eye of a storm for some time now for various
kinds of frauds. Recently a customer in New Delhi-Gurgaon had found
that fraudsters had drawn money from his account through ATMs in Greece.
When the customer complained, the Bank initially resisted the complaint, but
after the matter was taken to the Banking Ombudsman it agreed to refund an
amount of Rs. 664857.14 as per the advisory of the Banking Ombudsman.
Now in yet another ATM fraud case in Mumbai, it is reported that the
Bank restored a balance of Rs 2 lakhs wrongly withdrawn from the account
of a TV actress, Rashmi Gosh. The Bank officials have confirmed that
there are many such ATM frauds reported to them and they are pursuing
the police complaint.
Related Report
Recently a customer in Bangalore found that Rs 39 lakhs were
fraudulently transferred from their Axis Bank account through
unauthorized access in which the customer had not responded to any
phishing mail. The Bank however has refused to refund the amount on the
first request, and the next reaction of the Bank is awaited...
More
Damodaran Committee Report comes as a great relief to Phishing victims
Aug 09: The Damodaran Committee report on Customer Service in
Banks advocates that there should be zero liability for the customers of
a Bank for frauds in the electronic banking environment. This should
once and for all settle the disputes about all Phishing and ATM fraud cases
that are presently with various Ombudsmen, Adjudicating offices and
Consumer Forums...
Related Article
RBI Should take a Cue from OCR
Aug 08: The Office of Civil Rights (OCR), USA has the implementation
responsibility for the HIPAA-HITECH act data breach regulations. One such
regulation is the mandatory "Data Breach Notice" to be filed by a
company, which ultimately will be reported on the website of OCR. It is
stated that by June 2011, 288 data breach incidents had been posted on this
page, often referred to as the "Wall of Shame". As could be expected, the
organizations are not happy with this provision and would like the data
breaches to remain out of public notice. The Department of Health and Human
Resources (HHS) however is firm on the principle that the organizations
should rather be transparent on the efforts taken to correct the mistakes,
to retain public confidence, rather than keeping the public in the dark.
This principle needs to be adopted in India also by RBI, making the
Phishing incidents occurring in the Indian Banking scenario public. While
the reality is that Internet banking is inherently unsafe and huge amounts
are being lost by clients every day due to Phishing and ATM frauds, Banks
continue to state on their websites that "Internet Banking is inherently
safe" and try to mislead the public. RBI needs to distance itself from this
misinformation campaign and start publishing the details of Phishing losses,
perhaps without the name of the Bank to start with.
A Sad Story of a Framed Journalist in Dubai
Aug 08: The enigma of Cyber Crimes often comes in handy to
authorities when they want to frame somebody. This incident in Dubai,
where a journalist narrates his experiences, makes interesting
reading. At the end of it we wonder when we will see similar things in
India as a part of censorship. We already know of cases being launched
for remarks made against Mrs Sonia Gandhi. Now I am
informed that a cyber crime case has been launched in Mumbai against a
journalist for having written against the Union Home Minister Mr P
Chidambaram. I am awaiting further details on this incident.
Report
An Open Letter to the President of India
Aug 07: In her address at the Diamond Jubilee celebration of the
Bangalore Bar Council, Mrs Pratibha Patil, honourable President of India,
spoke about the need for the legal community to upgrade their skills in
Cyber Law and also highlighted the need for affordable justice for
victims of Cyber Crimes. The irony of the matter is that the Central
Government has recently closed down the Cyber Judiciary system in India
because of its inability to find a replacement for Justice Rajesh
Tandon, who retired on June 30, 2011 as Chairman of the Cyber Appellate
Tribunal. Naavi has been trying to make DIT realize the
importance of the appointment and has been in correspondence with all
relevant persons, including the Minister of Communications and
Information Technology. Naavi had also sent a letter to the President
in June. In the light of the latest statement of Mrs Pratibha Patil,
Naavi has sent one more letter through the Internet.
Letter of June 21
Cloned sites in Indian Court's Names
Aug 07: It is reported that 19 sites with names similar to the sites
of Courts in India are being used by Chinese sources to spread malicious
viruses. The dot-in registrars should consider verification of such
sites during registration as a part of their due diligence under Sec
79 of ITA 2008.
Report in ET
100 Phishing Cases in Bangalore in 2009!!!
Aug 07: It was recently reported in the Parliament that the
Phishing cases reported in 2009 amounted to around Rs 5.09 crores. However this
report in Express News says that the Bangalore Cyber Crime division
itself had registered over 100 cases of Phishing in 2009. It is well
known that Banks always hide frauds, and to the extent they bully the
customer into taking the loss such frauds do not get reported even to RBI.
Hence there is a huge understatement of phishing frauds in Banks. If CBI
conducts an investigation of all Banks then it would be possible to get
more information about the real losses that are occurring in the Indian
Banking system. Bangalore Police have now arrested a few persons in
Mumbai. Earlier Chennai police had also arrested a few persons from
Mumbai in respect of some Phishing cases reported to them. Mumbai has
actually become the Digital Banking Fraud center in India. If RBI does
not give proper attention to this area, we are going to see chaos in
the Indian Banking industry.
Sachin Pilot Clarifies on ITA 2008 rules
Aug 07: Tehelka.com has reported that Mr Sachin Pilot has
clarified that the GOI has no intention of censoring the web through the
rules released on April 11. While we appreciate the clarification, it
needs to be demonstrated by suitable action on the ground by modifying
the rules. ...More
UID issued with Wife's Photo
Aug 06: It is common for voter IDs to have cards with misspelt
names, wrong gender, wrong address etc. Unfortunately this sort of error is creeping
into UIDAI also. It is reported that a senior Citizen in Maharashtra has
got a UID card with his wife's photo on it. Though the authorities have
expressed regret and may issue a new card, it is essential that
substantial damages should be collected from the company which made the
error and passed on to the customer. When I say
"Substantial" I mean of the order of 25000/-. This would be a deterrent
to the company and compensate for the difficulties the customer has to
undergo to get the card corrected. This issue has come out into the open
since it is early days and the media has taken note of it. In future, when
hundreds of such errors may come up, the citizen may not be able to draw
the attention of the media and will have to handle it himself. It is also
necessary for UIDAI to consider online receipt of provisional
applications, as in the case of Passport applications, where the details
are entered by the applicant himself. This will avoid certain types of
errors regarding spelling etc.
Related Article in Pune Mirror
Public Comment invited on Banking Service Working Group Report
Aug 5: RBI has placed the D Damodaran Committee report on
Customer Service on its website and invited comments from the public before
August 27. The public may kindly go through the report and respond.
Press Release : Report
Online Banking Frauds in Banks in 2009..Rs 5.09 crores
Aug 5: The Parliamentary Standing Committee of MCIT has reported that
in 2009, online Banking frauds worth Rs 5.90 crores were registered. The
panel has also reported that under Sections 43 and 43A of ITA 2000
compensation is being provided to victims.
Related Report :
It is well known that most Banks do not report Phishing frauds and many
customers do not pursue complaints. Hence this report appears to be
a gross underestimation. One of the newspapers had earlier reported the
frauds to be of the order of Rs 1200 crores in three years. According to
CERT-In, 374 phishing incidents were reported in 2009. If the GOI publishes
Bank-wise individual details of the frauds, one can check if all reported
incidents are accounted for in the MCIT report.
GOI to undertake Security Audit of Government Websites
Aug 5: According to an answer provided in the Parliament by the
Minister of State, MCIT, Mr Sachin Pilot, the Government of India is
making it mandatory for Government Websites to be audited from a security
perspective before being hosted...
Related Article
Sec 43A Compliance Framework from Naavi
Aug 3: Keeping in view the specific requirements of compliance
under Section 43A, Naavi has developed a recommended framework for
compliance under Sec 43A..
More
ITA 2008 Rules to be presented in the Parliament
August 2: The rules notified under ITA 2008 on April 11, 2011 have evoked many
comments and criticisms from Netizens, Companies, Media and others. The notifications will now be placed in the
Parliament during the current session, and amidst the Lokpal and 2G scam
discussions it is possible that the rules may go through without debate...More