"Watch This Site as a Daily Habit. It may save careers".. A Banker's remark as an advise to fellow Bankers

---

Death of QR Code!

Dec 31: In recent days QR Code had emerged as a convenient tool on mobile devices for transfer of information from a printed code picture to data on the mobile. Unfortunately the QR code seems to be heading for a premature death since hackers have found it as an easy tool to spread malware. It may no longer be wise to use the QR Code scanner on the phone to scan any Code. Naavi.org will also remove the QR Code in its contact form to avoid any problems arising in future. Related Article

HIPAA Audit is a Business Threat!

Dec 26: The results of a recent survey in USA about patient data breach has come out with interesting results.  Firstly, 96% of the respondents reported some data breach within the last two years which is an alarming situation. 41% resulted from employee negligence. About 43% of the breaches were identified during an audit making it a dreaded business risk for most organizations. More details

One More ITA 2008 Case against Face Book

Dec 25: An FIR has been registered against Face Book under Section 66A of ITA 2008 for defaming Hindu Gods and asking for burning of Bhagvadgita in Gomti Nagar, Lucknow. Report

Cyber Law to enter BBM Curriculum

Dec 25: The forum of business Management Teachers in a workshop at Mangalore decided to make Cyber Law a part of the curriculum for BBM. The addition of Cyber Laws into Management curriculum was long overdue since any business presently is inseparable from E Business.  Details

Blocking of Websites by Reliance

Dec 24: It has been reported that Reliance has blocked a host of websites providing file hosting services on the pretext of possible copyright infringement of Don 2 movie released this week. Though a Court order is cited, it is unclear whether the implementation is as per the order and whether there was a reasonable ground for such blocking. It is unfortunate that ISPs are irresponsibly resorting to website blocking. It is necessary for them to realize that if their action is found to be not backed by an appropriate Court order, they will be liable for punishment for wrongful interception. Related Report

Social Networking Sites.. questioned by Delhi High Court

Dec24: 21 executives of different Social Networking sites were summoned by Delhi High Court in connection with a complaint filed by a journalist Mr Vinay Rai. Mr Rai is the editor of a Urdu daily Akbari. It is alleged that the You Tube, Face Book and Google amongst others have hosted content which is objectionable from obscenity and religious view point and accordingly they have been asked to remove the content before February 6, 2012. Report

Where is Internet Banking safety in India heading?

Recently, a security specialist in Bangalore released a video in which he demonstrated how the Internet Banking System of ICICI Bank was vulnerable to a virus attack....The revelation of the security vulnerability in the system of ICICI Bank is also to be considered as a notice to not only to ICICI Bank but also all other Banks which may have similar problems....More
 

Naavi gets the ID "Naavi" on Face Book

Dec 22: Over the last few months, I was corresponding with Face Book for release of the short ID "Naavi" which had been registered by some other user. Once the name was released but before it could be re-booked by me, it was booked once again by another person. Finally the name has been released by the second person and after a waiting period it became available again to me and it has been registered. Now http://www.facebook.com/naavi points to my Face Book account. This was made possible because the current user agreed with my request and voluntarily changed his ID from "naavi".

However the fact remains that "Naavi" was a registered trademark and as per the terms and conditions of Face Book, it was the responsibility of Face Book management to ensure that the ID was withdrawn from the earlier person who had registered and handed over to me when I  demanded. Face Book failed in discharging this responsibility.

In the recent controversy between Face Book and Mr Kapil Sibal, Face Book had publicly stated that if any user is violating the terms of agreement, they would take action to correct it. However it may be taken on record that in this case involving the claim on the short ID of "naavi",  Face Book failed to keep up to their words. Their commitment given to Mr Kapil Sibal therefore is not truthful.

ICICI Bank Picks a fight with a Security Consultant

Dec 21: ICICI Bank is touchy when some body questions the security in its E Banking systems. Recently a Security professional Mr K.S.Yash, from Bangalore had highlighted a vulnerability that existed in the ICICI Bank Internet Banking system  by posting a video of a demo. The demo showed how a user of ICICI Bank system may place a fund transfer order for a certain amount through the Bank's Internet Banking website and end up executing a fund transfer of a different amount to a different beneficiary. The demo involved a video of a live session and clearly demonstrated the existence of the vulnerability. Instead of taking steps to rectify the security loophole, ICICI Bank appears to have sent a notice to the security consultant threatening legal action.

ICICI Bank claims that the video contains false information meaning that the vulnerability does not exist. However, the undersigned has also seen the demo live and the fact that the vulnerability exists cannot be untrue. What should be done by the Bank is important. Bank should thank the consultant for having brought the security weakness to the notice of the Bank before real hackers get into the Act using the same or different methodology. The consultant has not given any source code for the exploitation of the vulnerability and therefore it is difficult to understand why the Bank should object to what is essentially a security alert.

It would be interesting if ICICI Bank challenges a public debate on the security vulnerability shown by the consultant rather than throwing up threats of legal action.

Mobile Dealers Targetted by Hackers.. Are the MSP s at fault?

Dec 20: In a TV program on mobile hacking in Suvarna News yesterday, it was revealed that a mobile dealer in Channapatna (a town about 60 kms from Bangalore) had suffered a loss of Rs 15000/- through mobile hacking. The dealer had several demo mobiles given by service providers which had a specific application to store re-charge stock. He received a call stating that he will be getting a bonus recharge from the service provider and it will reflect in his account after he keeps his mobile switched off for about 5 minutes.  When the dealer switched on the mobile again, he saw that instead of additional amount in his account, the available amount had also bee drawn out in the form of recharges to different mobiles at different places. According to the dealer 12-15 such cases have been reported in Channapatna itself over the last 6 months indicating the extent of such frauds across the country. The beneficiaries of this fraud are indirectly the mobile companies themselves since whether the amount was used by a fraudster or any body else, they have got their value. This also gives room to speculate that the mobile companies may be hand in glove with the fraudsters in such frauds to improve their turnover. Link to Suvarna News Program broadcast (in Kannada) on 19th December 2011 : Part 1 Part 2. Part3

How Much have Indian Banks lost due to Phishing?

Dec 20: It is always a tough task to get information about losses on account of Frauds in Banks. By tradition, Banks are permitted to hide the actual details of the losses on account of "Bad Debts" by making a "Provision" and reporting "Debts less provisions" in the balance sheet. However no such protection exists in respect of "Losses on account of Crimes in Banks". However, Indian Banks have no proper system of reporting such losses in their Balance sheets.

According to RSA, the estimate of Phishing losses in India in 2011 is to the extent of US Dollars 27.8 million (approximately Rs 140 crores). (See report) However earlier estimates by other agencies are of the order of at least Rs 1200 crores. Hence there appears to be a gross under estimation of the losses.

In a recent speech to the Chartered Accountants, Dr Subbarao, Governor of RBI also pointed out that the reported financial statements of Banks were not truthful. (Copy of speech). It is high time the Chartered Accountants Association of India reviews the current Bank audit system and ensures that "Estimated Losses on Frauds" are not suppressed under "Provisions".

More detais of the report from RSA is available here. : Copy of RSA Online Fraud Report

Ten Commandments of Banking

Dec 20: Dr K.C.Chakravarthy, Deputy Governor, RBI, has reminded Bankers that "Thou shalt manage the people with empathy". In a commendable sppech delivered at the Manipal Academy, Bangalore, he has reminded Bankers that an  "essential characteristic of Banks is that they are highly leveraged and, hence, special and need to be regulated for protecting the interest of depositors." Of late Bankers have become so commercialized in their approach that they are even ignoring the regulatory role of RBI. The "Ten Commandments" that Dr Chakravarthy has lead out should be an eye-opener to the current day Bankers who are more IT operators than bankers. The complete speech is worth putting into text books on Banking and is available here.

Courts to use Website to communicate orders

Dec 19: In a confidential report submitted by NIC to Mumbai High Court, it has been suggested that the High Court may use digitally signed e-mails for communicating its orders to the lower court. However it has been stated that since this may take some time, High Court may in the meantime upload their orders to its website  to be picked up by the other Courts.... Report in HT

2012 security threat predictions for Mobiles

Dec19: "Mobile pick pocketing" is on the increase and is estimated to have cost Rs 5 crores in 2011 from Android users. In 2012, there could be an increase in bluetooth viruses, application based malwares, spread of viruses through text and MMS messages which could try to steal money from your account. It could make free calls billed to your number, steal data, send out spam messages, premium SMS messages, download paid games etc. Since "mobile" is an always on device it has the potential to be used as a botnet component. These threats along with the threat of SIM card cloning has to be considered by users of Mobiles and in particular users of smart phones. In particular users should be circumspect of applications and games downloaded from un-trusted sources. Like in the computers, it is too risky to own a smart phone without a good anti virus application from a reliable source.  Related Story

Banks seek dilution of Damodaran Committee Report

Dec 19: M.Damodaran Committee on Customer Services gave its recommendations on Customer Service in Banks on 3rd August 2011.  The report contained several important customer oriented suggestions. However RBI is yet to finalize its view on the report. It is however learnt that some Banks are lobbying with RBI for a massive dilution of the recommendations so that Banks can escape liability arising out of their negligence.  In the interest of the customers, we hope RBI will resist this industry pressure. Related Report1 Related Report2 : Related Report3

Cyber Crimes on the rise..but

Dec 19: An article in livemint on current status of Cyber Crime statistics in India. Article

US Legalizes Cyber War

Dec 18: US has taken an important step to pass a law to legalize Cyber war operations by which an offensive attack from US on Cyber Space of other sovereign countries may now be legit in US.   The new law stipulates that  U.S. military is now authorized to make war via the Internet and all the rules that apply to conventional war, also apply to Cyber War. This development also underscores the need for more indigenization of Software and Hardware IT supplies to India since we cannot trust either China or US both of whom may supply software/hardware which is deliberately embedded with backdoors...Related Article : A draft

Internet Censorship through backdoor?

Dec 18: According to Privacy legislation observers in India, the amendments to Copyright Act presently pending before the Parliament could be used as an instrument of backdoor censorship. The concept of "Self Regulation" that the Government proposes is considered as a facade to cover the imposition of Government's intentions to regulate the content of the Internet to protect the Government against public criticism.: Related Article

DIT Guidelines on Social Media

Dec 17: In continuation of the earlier post on this subject,  a perusal of the draft guidelines  issued by the Government on the use of Social media by Government departments indicate the following two paragraphs.

"Since profiles on social network are linked  more often to individuals and not organizations, for organization's site/page, a separate work profile may be created which can then be linked to a general e-mail address that is accessible to anyone in the team, enabling them to administer the social networks without compromising on individual privacy."

 "Each new account requires a URL, user name and/or email address and a password. A proper record of log in ids and password must be maintained. This is critical as multiple people may be authorised to post on behalf of the department".

I think the report in ET is an  interpretation of the above two paragraphs.

This apart, the idea of Government departments using Face Book etc in the manner suggested  is not a desirable proposition and the issue of the draft guideline will be regretted at some point of time in the future. ..Copy of the draft guideline

Password Sharing to be legalized by Indian Government?

Dec16: A report in Economic Times today suggests that the Government of India is thinking of a code by which Government employees would use Facebook. One interesting aspect of this code is reported to be that "the password of the account would be known to others in the department". It is difficult to understand what the Government is upto. If "passwords" are officially meant to be "shared", the sanctity of the access system based on passwords would be officially destroyed. Report in ET

Bring Your Own Devices Opens up Security Concerns

Dec 16: A survey conducted by ISACA on the concept of Bring Your Own Devices (BYOD) has highlighted the the new threat perceptions arising out of the employee ownership of the devices. There is no doubt that certain sections of the industry favour the idea of employee's bringing their own access devices to their place of work. This may be both economical and convenient. However security is built neither on convenience nor economy though they do affect the final outcome of security implementation. If the concept is to be given any consideration the data security and access authentication systems as well as the real time security monitoring systems need to undergo a  substantial modification. Rushing the concept of BYOD at the current stage is likely to result in a huge legal risk for all organizations. Related Article

Seven Most Significant Hacks of 2011

Dec 16: Here is a compilation of seven most significant hacking events worldwide compiled by a security observer.  Report

First Adjudication Application filed in Kolkata

Dec 15: First adjudication application under ITA 2008 has been filed in West Bengal. The application has been filed by Mr R Gopi in respect of a loss of Rs 339,000/- suffered by a customer of State Bank of India through unauthorized access to his Internet Banking account. This was a typical case where the RBI's OTP system had failed since the fraudster had simultaneously disabled the original SIM card of the customer, got a duplicate SIM card with false documents and used it for completing the fraud. The Mobile service provider involved was Vodafone. The adjudication application notes SBI and Vodafone as respondents along with the executives of both SBI and Vodafone.

IP address Details from Gmail

Dec 10: Often an account holder of a gmail requires to know the IP address from which his account is accessed. This requirement is more and is of critical need when gmail services are being used for business and multiple access accounts are created. Presently gmail provides information about last 10 transactions as a security routine. However if information is required beyond the last 10 transactions, the position is unclear. There is a wrong interpretation that such requirement can be met with only a Court order. But this is legally untenable. It is the right of every data owner to request for and be provided information about himself from the data processor without need for court intervention. Court order is required only of a person wants information about some body else. This is of course a matter which should be part of the terms and conditions and privacy policy and Google may be interested in restricting the rights to some extent. But it is high time Google clarifies and introduces appropriate measures to disclose the account holder's information when required.

High Profile Cyber Crime Cases-2011

Dec8: Here is an interesting article on some of the successful Cyber Crime investigations that occured during 2011. ..The Most Notorious Cyber Crooks of 2011 – And How They Got Caught

Aaadhar Project may be discontinued?

Dec 8: It is reported that the Parliamentary committee has rejected the UID Bill and consequently the aadhar project in its present form may have to be kept in abeyance until a new Bill is drafted and passed. ..Related Report

Now I understand why CAT Chairman has not been appointed

Dec 08: The post of the chairman of Cyber Appellate Tribunal is remaining vacant for last six months. Despite repeated reminders at several levels no action has been taken by DIT. Now that we know that the ministry has to scan the Internet for "political criticism" and identify content indulging in criticism of Government or the Congress leaders, they donot have time for anything else. It is to be noted that during the first half of 2011, only one content has been found objectionable on Google on grounds of "National Security" while 255 items have been found objectionable for political expediency. Related Article

Government Criticism muzzled

Dec08: According to this report in Hindu, during the first half of 2011, Indian Government sought to remove 255 items classified as "Government Criticism" from Google content. Additionally 39 items were sought to be removed on grounds of defamation, 20 due to privacy and security concerns, 14 due to impersonation, three pornographic items and one due to national security reasons. This shows that the Government machinery in DIT is is working only to serve the political masters and not to serve people. Related Article

The report also says that Google refused to remove the content related to Government criticism and the news now is that the Income Tax department is making some demands on Google. It is not clear if the two are related. But knowing how this UPA Government is targetting Anna Hazare group, a link between the two incidents cannot be ruled out. Related Article

CNet Download.com bundles adware

Dec08: Security observers always say that "Nothing comes free on Internet" and warn users of "Free Downloads" with attached trojans. Normally people expect that reputed download sites donot resort to such unethical practices of bundling adware/spyware/malware with genuine free installations. It has now been exposed that CNet which runs download.com instals several adware programs with its free installations. Report : Apology from CNET

Mr Kapil Sibal should think of taking action on such misuse of public trust by intermediaries rather than think of using Internet censorship to curb Anna Hazare or to muzzle political opposition.

Social Media Censorship in India

Dec 6: In a surprising announcement,  Union Minister of IT who has not found time for last 6 months to appoint a chairperson for CAT found time to criticize social media and ask them to set up a human pre publication scrutiny of content. The suggestion is highly impractical besides being undesirable and unnecessary. There is already a law to deal with objectionable content and the current attempt is either to be treated as an attempt to bring a new censorship law or to act ultra vires the law. It is speculated that the announcement was triggered by some criticism of the Congress leaders on the Face Book or more probably a preparation for the prevention of the use of Social Media for the next stage of Anna Hazare Campaign.  As usual this could be another  mistake which the Congress may regret. Related Article : Assocham Opposes proposal

How weak Internet Banking systems pose a threat to customers

Dec 3: Internet Banking has been a nightmare for innocent customers who constantly live in the fear of Phishing frauds. Though RBI has brought several regulations in favour of the customers, intransigent bankers continue to place customers at risk. Though law is in favour of customers being compensated by Banks in such cases  and Naavi himself is in the forefront of some of these fights, the delay and cost in pursuing litigation continues to be a cause of worry. With GOI being completely oblivious to the need of appointing the presiding officer to CAT in place of the previous incumbent who retired, vicitms have been made to wait endlessly while the Banks are enjoying the funds of the customers.

In such a scnario here is a video of  how a "Man in the Middle Attack " can divert banking transactions to fraudsters. It is high time Bankers and RBI take note of these technical risks and ensure that adequate security is provided to customers. See the Youtube Video here

EHR Incentive deadline under HIPAA-HITECH Act extended

Dec2: In an effort to make it easier for Health Care Providers to qualify for maximum payments under HITECH Act, the deadline for Stage 2 compliance has been extended from 2013 to 2014 for those who attest by February 2012 that they qualified for Stage 1 by adopting EHRs this year. The change in the deadline is meant to remove the disincentive for providers to adopt and use health IT right away.  Related Article

USA conducting survey for ascertaining China Cyber Risk

Dec 1: US Government conducted a survey of telecom companies and software companies to identify presence of foreign hardware and software and to ensure that there are no malicious installations to spy on US assets. In the survey , the U.S. Commerce Department asked for a detailed accounting of foreign-made hardware and software on the companies' networks. It also asked about security-related incidents such as the discovery of "unauthorized electronic hardware" or suspicious equipment that can duplicate or redirect data The survey required companies to provide a detailed outline of who made equipment including optical-transmission components, transceivers and base-station controllers. Companies that refused to respond could face criminal penalties under the Defense Production Act, a 1950 law allowing the government to manage the wartime economy, according to the survey. It is time India also does a similar survey... Related Article

For Articles of Earlier Date Browse through Archives

Visit
www.Naavi.net

Visit
www.lookalikes.in