India has adopted a governance policy that depends heavily on Digital Banking, and this technological shift in Banking has the blessings of the Government, the RBI and the Banks.
The Government is happy with Digital Banking because it is an effective tool for reaching the masses with its several direct benefit schemes. Banks are happy because it is cost effective.
But in the process of this digitization, the Bank Customer has been exposed to risks which are beyond his reasonable capability to mitigate.
RBI is caught between the drive for new technology and its responsibility to maintain safety in the Banking system. It has not been able to upgrade its own capabilities to suggest appropriate security measures against the threats, nor to ensure that Customers are properly insured against losses, though some effort has been made through the “Limited Liability System”.
The Banks, which are collectively more powerful than the RBI, have successfully blunted the Limited Liability system and are trying to push most of the responsibility onto the Customer.
New Strain of Mazar BOT Android Virus appears to be on the prowl
A dangerous Android malware, first reported in 2016, is again in the news. It is capable of erasing data on the mobile, stealing credentials and taking over the messaging application so that it can send and respond to SMS messages without the knowledge of the owner.
A security company called Heimdal in Denmark reported this virus, which is delivered as a hyperlink in an SMS message; if the Android mobile user clicks on the link, the mobile is infected.
Now, in one of the Cyber Crime incidents reported from Bangalore, there is a suspicion that this virus was probably in play.
After infection, this virus can read incoming SMS messages and send outgoing SMS messages at the attacker's instruction, besides stealing any other information on the mobile, which may include banking credentials.
It appears that the virus may not require rooting of the phone and may not even display the permissions screen. It is possible that it simply rides on one of the Banking applications legitimately installed on the mobile.
Research is required to understand the complete working of this virus.
This virus was perhaps countered by an upgrade to some of the anti-virus applications in 2016. But it seems to have resurfaced in India, probably through an SMS message which appears to come from the IT department and informs the recipient that a refund order has been processed and that details are available at the link.
We can therefore speculate that a new strain of the virus has been developed on the deep web and released.
Mazar is a Banker Friendly Virus !
The problem with the Mazar virus is that it not only helps the fraudster steal money from the Banking accounts of the mobile owner; it also creates fake evidence which works against the customer and in favour of the Bank.
Earlier we have seen the “Coat-tailing virus”, which operates during a legitimate banking session of the customer and releases unauthorized instructions to the Bank server, transferring funds to the fraudster's account. We have also seen “Man in the Browser” attacks, where the form details entered by the Customer during a legitimate funds-transfer session are modified just before transmission to the Banking server. Even in these cases, the evidence created would reflect genuine transactions of the Customer, and unless we are aware of the functioning of the virus, we may be fooled by the evidence.
What is further annoying is that the new Mazar virus appears to be able to self-destruct and remove itself from the mobile, making it even harder to find evidence that the virus existed on the device.
The virus appears to have left only one small footprint, in the form of “apparent errors” in the messages that can be attributed to a software. Further research may improve our understanding of this virus.
After the event, the infected mobile will retain the SMS messages, and even the service provider will show the details of messages sent and received. So, if the fraudster has tried to log into the Bank account of the mobile owner and an OTP has been sent by the Bank, there will be a record of an SMS sent from the Bank and a reply sent from the customer's number. The transaction therefore gets completed, and the Bank can claim that the Customer responded to the OTP, though the response came from the fraudster and not the customer.
When we apply the Limited Liability rules of RBI, the Bank will claim that it is not liable since the OTP was given away by the Customer.
Thus the virus creates a double jeopardy for the Customer: first by stealing the money, and then by faking the evidence against him.
We need to find a solution
It is the responsibility of security specialists to find a solution to this problem.
If we do not find a solution, it is time to stop all Digital Banking transactions where authentication is based on the OTP.
We are aware that the USA has already downgraded the OTP system for use in Government transactions because of security concerns.
In India,
a) Bankers are ignoring the statutory provision of “Authentication through Digital Signatures” and conducting Banking transactions without it.
b) Bankers are also not sending encrypted messages in place of the present system of plain text messages.
c) Bankers (excepting a few) are also not using split OTPs sent through multiple channels such as Mobile and e-mail, which could harden the security.
d) Bankers are also not providing Cyber Insurance to customers for such losses despite the RBI mandate in the June 2001 circular.
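To show what points (a) and (c) above buy a Bank on the server side, here is an added example (not code from Naavi or from any bank) of a split-OTP verifier: one half of the code goes out by SMS and the other by e-mail, and both halves are bound, through an HMAC, to the transaction id, amount and payee. A virus that controls only the SMS channel holds half the secret, and a man-in-the-browser change to the payee invalidates the code even when both halves are correct. The service class, its key handling, the in-memory pending table and the 180-second expiry are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy values for the example: a code is valid for 180 s and is single-use.
OTP_TTL_SECONDS = 180
HALF_DIGITS = 4


class SplitOtpService:
    """Hypothetical server-side verifier for OTPs split over two delivery channels."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key          # per-deployment secret; constructed for the example
        self._now = now                 # injectable clock so expiry can be exercised offline
        self._pending = {}              # txn_id -> (sms_half, email_half, amount, payee, issued_at)

    def issue(self, txn_id: str, amount: str, payee: str):
        """Generate two independent halves; each would go out on its own channel."""
        sms_half = f"{secrets.randbelow(10 ** HALF_DIGITS):0{HALF_DIGITS}d}"
        email_half = f"{secrets.randbelow(10 ** HALF_DIGITS):0{HALF_DIGITS}d}"
        self._pending[txn_id] = (sms_half, email_half, amount, payee, self._now())
        return sms_half, email_half

    def _mac(self, txn_id: str, amount: str, payee: str, code: str) -> bytes:
        # Binding amount and payee into the MAC is what defeats a form modified
        # after the customer typed it: the Bank checks what it will execute,
        # not what the customer saw.
        msg = f"{txn_id}|{amount}|{payee}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def verify(self, txn_id: str, amount: str, payee: str,
               sms_part: str, email_part: str) -> bool:
        """Return True only if both halves match, the code is fresh and unused,
        and the transaction details are the ones the code was issued for."""
        record = self._pending.pop(txn_id, None)   # single use: consumed on any attempt
        if record is None:
            return False
        sms_half, email_half, issued_amount, issued_payee, issued_at = record
        if self._now() - issued_at > OTP_TTL_SECONDS:
            return False
        expected = self._mac(txn_id, issued_amount, issued_payee, sms_half + email_half)
        presented = self._mac(txn_id, amount, payee, sms_part + email_part)
        return hmac.compare_digest(expected, presented)


def wrong_half(half: str) -> str:
    """Deterministically produce a half that differs from the genuine one."""
    return f"{(int(half) + 1) % (10 ** HALF_DIGITS):0{HALF_DIGITS}d}"


def demo(server_key: bytes = b"example-key-not-for-production") -> dict:
    """Run the scenarios from the article against the verifier and report outcomes."""
    clock = {"t": 1_000.0}
    svc = SplitOtpService(server_key, now=lambda: clock["t"])

    # 1. Honest customer: both halves, unchanged transaction details.
    s, e = svc.issue("TXN-1", "5000", "ACC-PAYEE-1")
    honest = svc.verify("TXN-1", "5000", "ACC-PAYEE-1", s, e)

    # 2. SMS-reading malware: it has the SMS half but not the e-mail half.
    s, e = svc.issue("TXN-2", "5000", "ACC-PAYEE-1")
    sms_only = svc.verify("TXN-2", "5000", "ACC-PAYEE-1", s, wrong_half(e))

    # 3. Man-in-the-browser: both halves correct, payee swapped in transit.
    s, e = svc.issue("TXN-3", "5000", "ACC-PAYEE-1")
    payee_swapped = svc.verify("TXN-3", "5000", "ACC-FRAUDSTER", s, e)

    # 4. Replay of an already-consumed code.
    s, e = svc.issue("TXN-4", "5000", "ACC-PAYEE-1")
    first = svc.verify("TXN-4", "5000", "ACC-PAYEE-1", s, e)
    replay = svc.verify("TXN-4", "5000", "ACC-PAYEE-1", s, e)

    # 5. Stale code presented after the validity window.
    s, e = svc.issue("TXN-5", "5000", "ACC-PAYEE-1")
    clock["t"] += OTP_TTL_SECONDS + 1
    expired = svc.verify("TXN-5", "5000", "ACC-PAYEE-1", s, e)

    return {"honest": honest, "sms_only": sms_only, "payee_swapped": payee_swapped,
            "first_use": first, "replay": replay, "expired": expired}


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:14s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

The point of the transaction binding is the evidentiary one the article raises: if the Bank's log shows which amount and payee the code was issued for, a later dispute can distinguish "customer typed the OTP for this transfer" from "a code meant for one transfer was reused for another".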
I therefore urge RBI either to find an immediate solution to Mazar-type viruses or to stop the use of OTP-based authentication forthwith.
Responses and suggestions from the Information Security community are welcome.
Officials of RBI such as Mr Nandakumar Sarvade, who heads the IT division of RBI and has experience of both the IT environment and policing, need to take such issues seriously and bring them to the notice of the higher-ups.
I hope this will be one of the points which the RBI board discusses as an emergency measure in the meeting on November 19.
I request Mr Gurumurthy, Director of RBI, to specially take up the cause in the forthcoming meeting.
Naavi
Naavi,
Thanks for the article. RBI, as the controlling authority, should surely look forward to prescribing strong cyber security measures. At the same time, it needs to be ensured that these measures are implemented in the right spirit by the banking institutions. For this, the RBI auditors will also need to be trained on verifying the controls / measures.
Do you think providing some possible options to counter the Mazar kind of threats would help the team at RBI?
If there are suggestions, we should consider advising RBI…
Normally, RBI or any other regulator will react only when there are (a) losses at mass level, (b) a mass movement, or (c) a judicial order.
They work on a wait-and-watch policy. Probably, either (a) the problem will disappear in due course, or (b) someone will create some vaccine, or (c) someone else can be blamed.
There seems to be no incident resolution mechanism/procedure for such incidents.
Thanks Sir. There must be a robust mechanism to secure transactions. Another challenge is that once the device is trusted after the first transaction, I have observed that the OTP is also not required.