Virtual Key Board unsafe under IE

Dec 13: A vulnerability in Internet Explorer is said to make it possible for a hacker to track the mouse cursor movements on the screen. This would make the "Virtual key board" system used by some Banks for password entry useless. At present the vulnerability has been identified only for IE, and many users would use other browsers. However, some sites are compatible only with IE and force users to use it. In such cases vicarious liability may attach to the site for inadequate security. Related Article
FIR Filed Against Airtel CMD

Dec 12: Naavi has long been complaining that Airtel is indulging in unethical practices for overcharging its customers, including the placement of fraudulent transactions in customers' mobile and data usage accounts, which amount to offences under ITA 2008. It is therefore no surprise to learn that an FIR has been filed against Airtel for extortion and threatening of one of its clients in Bangalore, who has allegedly been wrongly billed for Rs 50000/-. Report
Suspected Fraud: Make My Trip Credit Card offer

Dec 8: Today I received a telephone call from 040-40502373 in the name of Make My Trip with an offer for a special HSBC Platinum credit card with two free air tickets. The offer was too good to be rejected. However, when the caller wanted to know my Date of Birth and PAN Card number before proceeding further, it appeared that this was a suspected identity stealing attempt. I am trying to get more details and a confirmation. In the meantime, in order to keep the public informed, I am posting this information here. I request the public not to reveal sensitive personal information such as the DOB and PAN Card number to unknown persons, as it may involve an identity theft risk.
How the OTP system for Bank transactions is bypassed

Dec 7: The commercial banks in India have banked heavily on the two factor system where the OTP sent through a mobile is used to authenticate the password based access. Some Banks like SBI and ICICI Bank even tried to convince the RBI that this two factor authentication should be given legal sanction. Now this case study explains how the new variants of the Zeus Virus are used to defeat the two factor authentication with the use of a mobile. Named "Eurograbber", this virus is reported to have been used for defrauding over 30000 bank customers across the EU to the tune of around 36 million Euros. This also represents the risk that Indian Banks are facing. It is anybody's guess whether the Indian Banking system can survive such an attack. If such damage occurs, the Indian economy will be in shambles notwithstanding any of the other efforts of the GOI. Case Study
PWC Survey on Security preparedness

Dec 7: PWC has released the findings of its "The State of Information Security survey-2013", indicating that there is increasing interest and budget allocation for Information security in Indian companies. Report
Centralized IMEI data base to go on trial in a month

Dec 5: In a measure that could put a brake on mobile thefts, the Government of India has approved a trial run of a centralized IMEI data base in India. This would enable tracking of stolen mobiles and make it difficult for sellers of stolen mobiles to find buyers. Report
Cyber Fraud Survey in India by KPMG

Dec 5: KPMG has released a Cyber Fraud survey amongst business units which is a useful document of record. Called the Fraud Survey 2012, it identified Cyber crime, IP fraud and Identity theft as the frauds of the future and concluded that "Indian Firms ill-equipped to mitigate fraud". It found that 70% of companies had no effective mechanism to tackle frauds. It also said that 38% of respondents had experienced cyber crimes but 78% were unaware of the risks, and 40% did not have policies for access to the web. Details
"Photo Sync" from Facebook: A New Threat to Privacy

Dec 4: Facebook has introduced a new feature called "Photo Sync" for mobile users which is likely to be a new threat to the privacy of casual users. If enabled, the feature will automatically upload photographs from the mobile to Facebook. Though initially they are not shared, they will get into Facebook and may eventually be either shared by some unsuspecting click or otherwise be available to Facebook hackers. What is worrying is that a person's photograph may be uploaded if it is captured by another person on his mobile, and even if it is deleted from the mobile on placement of a complaint, it may still be available in Facebook. Users of Android and iPhones are advised to ensure that this feature is deactivated. Details: Another new threat from Facebook (article in Kannada)
GOI to file Reply on CAT Chairperson appointment in Karnataka High Court

Dec 3: The PIL regarding the non-appointment of the Chairperson of the Cyber Appellate Tribunal (CAT), New Delhi, was heard in the Karnataka High Court today. The PIL, filed by an advocate, Sri Chaitanya, alleges that the non-appointment of a Chairperson to CAT has placed several Bank fraud victims at a disadvantage, since their cases have been held up without judicial scrutiny since June 2011, and requests the Judiciary to direct the Government to take necessary action. Counsel for the GOI requested 6 weeks' time for filing the reply from the Government side.
Julian Assange on Internet Freedom

Dec 3: Wikileaks Founder Julian Assange speaks of how an infrastructure for total control of the Internet is already in place and is also being partially used. ... Details
PATCO Case: Bank's Liability for Frauds

Dec 3: Naavi has been personally fighting several Bank fraud cases on behalf of victim customers. This struggle has been temporarily blocked because the Government of India has failed to appoint a Chairperson for the Cyber Appellate Tribunal (CAT) since June 2011, when the previous Chairperson retired. Naavi believes that the delay is caused by some of the influential Banks who do not want progress in the cases pending against them and are in the meantime trying to convince the Reserve Bank of India to change the regulations to their liking and manipulate the environment in their favour. Much to the disappointment of these Banks, RBI has so far refused to dilute the security prescriptions as desired by the influential Banks, though the MCIT appears more flexible about amending the laws in ways adverse to Bank customers.

In this context it is interesting to observe that the case of Ocean Bank (now called People's United) Vs PATCO has, after a see-saw battle, landed in favour of the customer.

District Court ruling in favour of the Bank: In June 2011, a US District Court had ruled in favour of the Bank, holding it not liable for the fraud which occurred with the use of a key logger trojan. It had ruled that the security system adopted by the Bank, in the form of a login ID and password, was not deficient and met the contractual agreement between the Bank and the customer. In the process the court had disagreed with the earlier decision of another court in the Experi-Metal Vs Comerica case.

Reversal of the first ruling: On July 3, 2012, the federal appeal court reversed the earlier District Court ruling, holding that the password based system was "Commercially Unreasonable". Copy of order

Settlement: The Bank finally settled with the customer and reimbursed the loss of US$ 345,000/- after the customer agreed to drop its claim for expenses and other collateral claims.

This has finally brought the curtains down on an interesting battle which will be a guide even in the Indian scenario.
Compliance with Section 43A in a Corporate Environment

Dec 2: Here is a brief guideline which companies may try to follow to work towards compliance with the Sec 43A-ITA 2008 requirements as a part of their Information Assurance Plan. ...Details
TELCOs are responsible to counter Chinese Threat

Dec 2: A US intelligence report recently advised that "American companies and its government should avoid doing business with China's two leading technology firms, Huawei and ZTE, because they pose a national security threat to the US". Copy of the report

After considering this report, the GOI has placed the responsibility of countering the reported security threats arising from Chinese telecom supplies entirely on the companies themselves.

In a press release issued by the Government, it is stated that ..."it is mandated that Telecom Service Providers are responsible for the security of their network. It is also mandated that only those network elements shall be inducted into their Telecom Network, which have been tested as per relevant contemporary Indian or International Security Standards e.g. IT and IT related elements against ISO/IEC 15408 standards, for Information Security Management System against ISO 27000 series Standards, Telecom and Telecom related elements against 3GP, 3GPP2 security standards etc from any international agency/ labs of the standards e.g. Common Criteria Labs in case of ISO/IEC 15408 standards until 31st March 2013. From 1st April 2013 the certification shall be got done only from authorized and certified agencies/labs in India. The copies of test results and test certificates shall be kept by the licensee for a period of 10 years from the date of procurement of equipment, which can be audited / demanded any time during this span, by the licensor."

Ref: Press Release
CRAC Meeting: Official Press Release

Dec 2: The meeting of the Cyber Regulations Advisory Committee held on November 29, 2012 was a historic event, since it was the first time that the committee had met since ITA 2000 came into effect. According to the Act, CRAC deliberation is mandatory for any amendment to the Act. However, there was no public knowledge of any such meeting having been held when ITA 2000 was amended in 2008, and Naavi.org has even commented that the amendment process for ITA 2008 was faulty. In this context the current meeting, held in the aftermath of the Palghar arrests under Section 66A, was significant. The press release issued after the meeting records that "a suitable clarification in the form of guidelines in this regard be issued by the Government to States and Union Territories to clarify the intent and enable uniform implementation across the country. A consensus on the content of the draft guidelines was also arrived at." Press Release

Further information available in the press only indicates that the States have been advised that action under Section 66A may be taken only by a police officer of a higher rank, as indicated in the earlier report.
UK Twitter Joke Case on Appeal

Dec 1: The Paul Chambers case in the UK, which has sometimes been wrongly quoted in India in the Karti Chidambaram case, has been referred back to Court in the UK. During snowy weather, Doncaster's Robin Hood airport had closed, threatening to derail Chambers' plans to fly to Belfast to meet Sarah Tonner, a woman he had met on Twitter. He tweeted on the publicly accessible feed: "Crap! Robin Hood airport is closed. You've got a week and a bit to get your shit together otherwise I'm blowing the airport sky high!!" The Court debated the issue of "Grossly Offensive" in the judgement. The Indian case was more on the question of whether a "Tweet" is a "Message" or "Publishing". Sec 66A applies to "Messages" while Section 67 applies to "Publishing", and hence this distinction becomes relevant in India. Report