The Cosmos Bank fraud.. Could better security at NPCI have prevented it?

Posted on October 7, 2018 by 98410spice

The recent fraud in which Rs 94 crores were siphoned off the Cosmos Bank system on August 11th and 13th through over 14800 ATM withdrawals has once again highlighted that for fraudsters it makes no difference if the money comes from a Cooperative bank or an SBI . They seek to attack the systems where the security is weak .

If a Bank like Cosmos Bank of Pune thinks it is big enough to offer  cards and ATM facility to its customers and implement a CBS system over multiple branches, it must understand the risk of expanding the vulnerability of the systems and it requires adequate security measures to be in place.

A few years Bank (2013) the Bank of Muscat Fraud  was carried out in which about Rs 250 crores were fraudulently drawn out from the Bank through about 40000 ATM transactions carried out in 27 different countries in two bursts each of which lasted only a few hours. The fraud was carried out by hacking into the back end systems of the card data processors in India. The second and the larger burst of this fraud occurred three months after the first indicating that the vulnerability was not recognized and corrected when the first burst of withdrawals took place.

Subsequently RBI has been warning the Banks to ensure that adequate security measures are taken by the Banks. But at the same time, RBI has been pushing co-operative Banks to the use of technology without providing them adequate support and time in terms of introducing security measures. In the meantime some of the Co-operative Banks have grown big and introduced innovative technology based services without adequately covering the risks.

The Cosmos Bank episode is indicative of this negligence as the method of withdrawal of the money by fraudsters is similar to the Bank of Muscat fraud…namely cloned cards used to withdraw money from ATMs in foreign centers. But the modus operandi appears more sophisticated.

In the Bank of Muscat incident, the systems of the card processing companies were hacked and the information of about two dozen pre paid cards were changed. In the Cosmos Bank case, it appears that the fraudsters created a proxy server to approve the ATM transactions and bypassed the real CBS system to fool the ATMs into believing that the transactions were approved by the Bank. They also cloned debit cards both VISA and Rupay cards and withdrew money in 28 different countries. One of the contributory factors was that the ATMs were using Windows XP system which some time back was also the cause of ransomware attack on some Indian Banks.

Though NPCI has indicated that there was a malware attack in the Bank that created a proxy authentication system, NPCI cannot wash its hands off because there could be several security measures which it may be able to implement at the Switch level to prevent frauds of this nature.

For example, it is not clear why the ATM switch operated by NPCI should allow any ATMs anywhere in the world to connect to it if such ATM is running on a  Windows XP system. It would have been prudent that NPCI stops servicing such outdated and proven to be fraud prone systems even if such systems are from abroad.

Also a question needs to be asked, if there is an ATM withdrawal request (and thousands of them in quick succession) from a Co-operative Bank customer/s from abroad, does it not automatically indicate a “Risk” since we donot expect customers of Cooperative Banks to be globe trotting executives?

It is our view that such transactions should have been stopped and flagged at the switch itself before being transferred to the Bank’s server.

I am sure that NPCI will frown if we say that they are responsible the breach of security in Cosmos Bank but we need to ponder if they could have by upgrading their own risk identification and management measures have prevented the Cosmos Bank fraud.

But unless we accept that the ATM, the Switch and the Bank’s server all parts of an integrated financial authentication system and secure the transaction in its totality, the customers of the Banks and the owners of the Banks will be exposed to risks that will ultimately fall on individuals who trusted the system.

From the legal perspective, it is the Bank which engages the services of the Switch and the ATM to provide services to its customers and has to ensure through contractual agreements that the intermediaries provide secure service. It is a presumption that if  Windows XP systems in ATMs are considered as obsolete, they should not be used by the ATM operators and the Switch should refuse services to such ATM machines.

The Switch operators cannot be dumb routers of transactions but should implement and manage their own security systems to detect suspicious transactions.

In particular, approving transactions from abroad which are outside the legal jurisdiction of India for further investigations should be subjected to a greater level of security prescriptions.

It does not matter if a stray individual is unable to draw money from an ATM while he is on a tour of Thailand or Turkey, and complains of bad service, but it is essential that in order to score a brownie point that the Bank can issue globally acceptable debit cards, the security of the Bank itself is not jeopardised.

RBI should therefore immediately instruct NPCI to impose restrictions that any ATM debit transaction request coming from outside the country is flagged as a special case and subjected to better security measures even while the Banks are also required to do so. It is however possible that it may be only at the switch that the transaction can be better identified as coming from abroad.

Additionally, the switch should maintain the digital signature of all ATMs installed in India and should be able to instantly identify whether the call is from an Indian ATM or from abroad and initiate necessary security procedures as required.

The Switch should identify any abnormal pattern of withdrawals and take immediate action to block the suspicious ATMs, or Cards to prevent continuance of the fraud over an extended time.

Probably frauds will continue to happen even in an increased security preparedness of the Switch but it would make the life of the fraudster difficult and reduce the incidence of frauds.

Look forward to comments from security specialists on the above.

Naavi

Addon:

One of the alert readers of the post has suggested some corrections to what is stated above and I am happy to add the clarifications:

  1. Within India,
    1. an ATM of a particular Bank connects to the switch operated by the respective Bank when the transaction relates to the Bank itself.
    2. In respect of Inter Bank transactions, the authentication call is routed through NPCI
  2. In the case of foreign transactions, it may be routed through the payment gateway of VISA or an agent of Rupay which could be an aquiring Bank in that country which being an interbank transaction may go through NPCI switch.
  3. In all cases some information such as IP address, ATM ID, Aquiring Bank transaction ID etc., is collected. The OS details may not be presently collected.
  4. NPCI Switch comes into play  in InterBank requests and not in inter-bank debit card transactions.

I thank the reader for the clarifications. NPCI may try to check if it can re-define the parameters that the ATM request should contain and how it can be expanded if required so that at least transactions from abroad are filtered effectively.

Transactions in India can be tracked further since RBI insists on the CCTV in ATM and some remedy against the mules is possible.

In case of withdrawals from abroad, the hands of the law enforcement are tied. Consultants like us insist insist that they register FIRs and they are uncomfortable since it is a dead end of investigation any way.

Further Add on:

RBI has indicated that by default cards should not be payable outside India. Banks should ensure that only at the specific request of the customer card should be payable abroad. If therefore a request comes from outside India, the Switch as well as the Bank’s Server should recognize that it is an exceptional transaction and has to be subjected to some kind of secondary verification. The ATM transactions in India, The online transactions and the International transactions  should be recognized as different levels of transactions and subjected to the differential levels of authentication. Responsibility for this has to be taken by all the stake holders since the objective is to make the system more secure.

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | Tagged , | 2 Comments

Aadhar Judgement-10: Let us debate the changes required in PDPA 2018

Posted on October 6, 2018 by 98410spice

This is in continuation of the series of articles on this topic

Over the last 9 articles on Aadhaar Judgement, I have provided some views on the interpretation of the Judgement specifically with reference to the upcoming PDPA 2018 which has been introduced in the Parliament as a bill and will be taken up for debate in the next session. The public comments for the same are open upto 10th October 2018. Since the Adhaar judgement has just now been released, it is necessary that we re-visit our views on the PDPA 2018 draft from the perspective of what the judgement implies.

The Srikrishna Committee itself made an elaborate recommendation on the amendments to the Aadhaar Act in the main report but did not make it part of the draft PDPA 2018.  Now the Government apart from making whatever amendments are required to be made in PDPA 2018 may also make the recommended amendments  in the Aadhaar Act taking care that they donot conradict what this Aadhaar Judgement has indicated.

I draw the attention of the readers to the Appendix to the Srikrishna Committee Report which contains a detailed list of “Suggested Amendments to the Aadhaar Act”. It is not clear if the Supreme Court while finalizing the judgment went through these suggestions which were put together under the guidance of a former Supreme Court Judge spending nearly one year on understanding the issues involved in designing a Privacy Act.

It is to be noted that the recommendation contained interesting thoughts of alternate forms in which Aadhaar can be used for authetnication (eg Offline Authentication), strengthening of the dispute resolution mechanism (Introduction of adjudication and Appeallate Tribunal), mechanism for obtaining legal sanction for future use by a law passed by the Parliament, etc.

As regards Section 57, this recommendation included “Offline Verification” as the means by which the authentication was to be made so that all the objections that the current judgement has indicated would be completely irrelevant.

We therefore suggest that the Government while passing the PDPA 2018 also pass the amendment to the Aadhaar Act where by they may replace Section 57 with a read dwon Section 57 and introducing a new Section 57A incorporating the recommendations of the Srikrishna Committee.

Srikrishna Committee rightly did not get into providing prescriptions on information security such as the data retention, meta data collection etc and stuck to the legal issues unlike the current judgement. It’s recommendations are therefore worth looking into in detail.

Probably the Government needs to create a sub committee headed by Justice Srikrishna himself to re draw the Appendix in the light of the Supreme Court judgement.

I recommend that organizations such as Foundation of Data Protection Professionals in India (FDPPI) work with premier academic institutions like NLSUI and develop a draft recommendation of refining Appendix to the Srikrishna Committee in the light of this judgement.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | Leave a comment

Aadhaar Judgement-9: Definition of Personal Information revised?

Posted on October 6, 2018 by 98410spice

This is in continuation of our earlier Article in this topic

The judgement of the three judges made a significant observation which may leave a significant impact on the PDPA 2018.

While answering the question “Whether the Aadhaar Act violates right to privacy and is
unconstitutional on this ground?”, the judges observed as follows:

“…it is held that all matters pertaining to an individual do not qualify as being an inherent part of right to privacy. Only those matters over which there would be a reasonable expectation of privacy are protected by Article 21”

Article 21 is the Article under which Privacy has been held as a fundamental right. When the earlier Puttaswamy judgement was pronounced there was some ambiguity about what rights are protected under “Privacy”. Though some of the judges in the bench correctly identified that Privacy is a “Mental State” and not possible to be properly defined and we can only protect “Information Privacy”, there were at least one Judge who went at a tangent to say that any thing can come under “Privacy”. ..What you eat, Where you go, etc are all part of Privacy.

The current judgement however is more sober and it recognizes that  any thing and everything connected to a person cannot be considered as a matter of privacy.

In other words, when we identify what is “Personal Information” which is subject to “Privacy Protection” we need to identify ony “those matters over which there would be a reasonable expectation of privacy” as part of the personal information.

For an individual, will his father’s name be considered as private? Will his grand father’s name or mother’s name be considered as private”, Will the mobile number or e-mail address or IP address or meta data associated with a  message be considered as “expected to be held private”? are issues that need to be considered.

In other words, the definition of “Personal Information” cannot be omnibus and include “any information that can directly or indirectly be used to identify a person”, which was the opinion which most carried after the GDPR and even in the draft of PDPA 2018.

Now there is a need to tone down the rhetoric of “Any information about a person” being held as “Personal Information” and check if there was a “Reasonable Expectation  by the individual that the information had to be held private”.

This is a significant opinion that also has a conflict with that part of the judgement which prohibits collection of meta data such as time of location of a transaction, IP address etc. Can we say that the user of an Aadhaar authentication has a reasonable expectation that UIDAI should not know such information about the transaction? In most cases there is no such expectation.

On the contrary, the Aadhaar users would have a reasonable expectation that such records would be kept by Aadhaar and tomorrow if there is any crime or dispute, the user can call for help from Aadhaar for the information.

For example, if I make a payment of Rs 10000/- through PayTM to another person and later he disputes that he has received the payment, we expect PayTM to stand as witness and confirm that the payment was made from such and such account to such and such account at such and such time etc. Similar expectation about Aadhaar is also reasonable.

Hence the view that meta data should not be collected and if some transaction authentication data is recorded, it is to be discarded within 6 months becomes a contradiction to the view that “All matters pertaining to an individual donot qualify as being inherent part of the right to privacy”.

I welcome this clarification which can be cemented in the PDPA 2018 by the Government.

The  Section 3(29) of PDPA 2018 should therefore be redefined as follows:

“3 (29) “Personal data” means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, or any combination of such features, or any combination of such features with any other information; subject to the data principal having a reasonable expectation that such data would be protected under Article 21 of the Indian Constitution.”

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | 2 Comments

Aadhaar Judgement-8: Limited use

Posted on October 5, 2018 by 98410spice

This is a continuation of the previous article on this topic

The second question which was answered by the three judges was “Whether the Aadhaar Act violates the right to privacy and is unconstitutional on this ground?

The judges proceeded to answer this question by stating that since the scheme is backed by the statute and serves a legitimate State aim and it does not infringe on the Privacy of the individuals. It however held that it should be used for delivery of benefits and services but not for reasons such as making it mandatory for CBSE exam etc.

In otherwords it stated that the Government should use it only for schemes where subsidies are distributed  from the consolidated fund of India by drawing attention to Section 7 of the Aadhaar Act.

It is however not clear why Supreme Court considered that Section 7 limited the use of Aadhaar only for schemes involving funds from the consolidated funds of India since the section does not seem to make such limitations. The section only states that it may be used for such purposes.

Since on the one side the Court felt that Aadhaar Act does not violate Privacy, it contradicts itself by imposing limitation of its use.

Aadhaar is a scheme which has been implemented with public funds and if it can be used as a tool for any activity without the Privacy or other Rights being infringed, the logic of restricting its use to only the welfare schemes appears unconvincing.

As regards the enrolment of children, it was held that  it can be done with the consent of the parents  and on attaining the age of majority, the children may have the option to exit from the Aadhaar  if they donot avail the benefits of the scheme to which they are enrolled.

The linking of the Aadhaar number with Mobile has however been declared illegal for the reason that it is not backed by law. This could be one of the aspects that may be considered in some law related to telecom regulations or even the PDPA 2018 itself.

All other objections raised on the validity of processes by which the Act was passed as a Money Bill and linking of Aadhaar with PAN  were held to be valid.

As regards opening of bank accounts, mandating that existing account holders need to provide Aadhaar or closing existing accounts if Aadhaar is not linked are not permitted. However for opening new accounts, if there are no alternative less invasive measures, it may be possible to use Aadhaar identification methodology.

The Telecom companies have however been disallowed to mandate linking of the mobile with the account since it is not backed by any law.

Additionally in the event of any offence, Supreme Court wants the consumer to be given the right to take legal action.

This remedy for civil and criminal action was already available under ITA 2000/8 when a wrongful loss had occured due to “diminishing of the value of information residing inside a computer/affecting it injuriously by any means (Section 43/66) and hence there is no additional benefit except adding one more section under Aadhaar Act into a complaint when made.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | 3 Comments

Aadhaar Judgement-7… Can the Private Sector use Aadhaar for Authentication?

Posted on October 5, 2018 by 98410spice

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(v) That portion of Section 57 of the Aadhaar Act which enables body corporate and individual to seek authentication is held to be unconstitutional.

The Section 57 has been one of the widely discussed aspects of the judgement since it has a a direct impact on the industry.

The section states:

57. Act not to prevent use of Aadhaar number for other purposes under law.

Nothing contained in this Act shall prevent the use of Aadhaar number for establishing the identity of an individual for any purpose, whether by the State or any body corporate or person, pursuant to any law, for the time being in force, or any contract to this effect:
Provided that the use of Aadhaar number under this section shall be subject to the
procedure and obligations under section 8 and Chapter VI.

Interesting debate happenned on this section and has been discussed in detail in the body of the judgement. But what is important is to look at this operating part of the judgement.

We can also simultaneously see the clear conclusion that is included in the Justice Ashok Bhushan’s judgement which states,

Section 57, to the extent, which permits use of Aadhaar by the State or any body corporate or person, in pursuant to any contract to this effect is unconstitutional and void. Thus, the last phrase in main provision of Section 57, i.e. “or any contract to this effect” is struck down.

The three member judgement stated that “that part of Section 57 that enables a body corporate and the individual to seek authentication is unconstitutional”. If we interpret that this “that part” relates to the entire section, then it means that Body corporate cannot use the Aadhaar authentication even  “Purusant to any law” .

This would look illogical since even “Privacy” is not an “Absolute Right” under the Constitution and the Parliament cannot be prevented from making a law which it considers suitable if it can justify that it does not violate the principles of fundamental rights subject to reasonable restrictions. Justice Ashok Bhushan has expressed his views with clarity but the three judges have not drafted this part of the judgement properly and left the words “That part” to be interpreted more widely than necessary.

But the same judges in the later part of their Issues-Answers,  in page 560 of the judgement., point 4, answer (h), state as follows:

Insofar as Section 57 in the present form is concerned, it is susceptible to misuse inasmuch as:

(a) It can be used for establishing the identity of an individual ‘for any purpose’. We read down this provision to mean that such a purpose has to be backed by law. Further, whenever any such “law” is made, it would be subject to judicial scrutiny.

(b) Such purpose is not limited pursuant to any law alone but can be done pursuant to ‘any contract to this effect’ as well. This is clearly impermissible
as a contractual provision is not backed by a law and, therefore, first requirement of proportionality test is not met.

(c) Apart from authorising the State, even ‘any body corporate or person’ is
authorised to avail authentication services which can be on the basis of purported agreement between an individual and such body corporate or person. Even if we presume that legislature did not intend so, the impact of the aforesaid features would be to enable commercial exploitation of an individual biometric and
demographic information by the private entities. Thus, this part of the provision which enables body corporate and individuals also to seek authentication, that too on the basis of a contract between the individual and such body corporate or person, would impinge upon the right to privacy of such individuals. This part of the section, thus, is declared unconstitutional.

In this part of the judgement, the judges accept the power of the State to make law though such law also is subject to review. The section 57 is meant for both the State and the Body Corporates and for use both under a law or under a contractual agreement.

The intention of the judges appears to be to say that the individual and a body corporate cannot enter into a contract where by the body corporate can seek Authentication of Aadhaar data. But unlike Justice Ashok Bhushan, the other judges in their combined judgement failed to word their intentions without ambiguity.

As a result of this ambiguity, some are interpreting the judgement as if body corporates are completely barred from using Aadhaar.

We record our serious reservation to this interpretation because the Aadhaar infrastructure has been created out of public funds and it is a national resource. There is therefore no reason to prevent its wide usage as long as the Privacy concerns including Surveillance concerns are addressed.

The Court failed to also consider that the use of Aadhaar by private sector companies with biometric is already restricted only to “Global AUAs” like Banks. Other entities which are licensed as “Local AUAs” are barred from seeking authentication on the basis of Aadhaar number.

However, an Aadhaar number holder can generate a different random ID called “Virtual ID” (VID) which is a 16 digit number  as against the 12 digit Aadhaar number and is issued by UIDAI on request to the Aadhaar holder. This number can be used for purposes such as self identification since a body corporate can verify the correctness of the demographic information provided by an individual with reference to the VID.

When VID is presented to a body corporate along with some demographic parameters that need to be verified, the body corporate can submit the parameters one by one along with the VID and at the other end, UIDAI will provide a service which says whether the parameter as presented is correct or incorrect. For releasing this verification, the UIDAI may use the mobile OTP as a second factor authentication.

In this process, UIDAI does not dump the demographic information to a body corporate nor the body corporate collect the biometric nor the Aadhaar number. UIDAI is the only authority that knows the mapping between the VID and the Aadhaar ID.

This VID is a service that is being offered by UIDAI and has been mandatory from around July 1st 2018.

It is true that not all private sector companies have migrated from the use of Aadhaar number to VID and most of the Aadhaar users are not aware of the VID. But this is a different issue to be resolved by the industry and is not an issue on which Supreme Court should bar the usage .

It was surprising that the Supreme Court in its judgement did not make a special mention of the availability of VID. It completely ignored it as if it is not relevant at all. It is true that VID is not Aadhaar and hence it was not the subject matter of the petiton. But it would have been prudent for the Supreme Court to have made a mention of the VID so that the public would have become aware that there is an alternative which the private sector companies have ignored for some time and can be used now.

The use of VID for verification of demographic information as presented by an Aadhaar user (without populating the form at the user end with a dump of data from the UIDAI) particularly without biometric should have been ideally pointed out by the Court.

Nevertheless the judgement by ignoring to refer to VID has confirmed that VID is not Aadhaar and its use is not affected by any part of this judgement.

It is however better for the Government to include the use of VID as an acceptable method of verification of personal data in the PDPA 2018 draft.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | 2 Comments

Aadhaar Judgement-6.. Joint Secretary is too junior?

Posted on October 5, 2018 by 98410spice

This is a continuation of the earlier articles on the topic

Continuing our discussion on the Judgement of the three Judges, Dipak Mishra, A K Sikri and A W Khanwilkar, responding to the first issue answered by them namely,

(1) Whether the Aadhaar Project creates or has tendency to create surveillance state and is, thus, unconstitutional on this ground?

Incidental Issues:

(a) What is the magnitude of protection that need to be accorded to collection, storage and usage of biometric data?
(b) Whether the Aadhaar Act and Rules provide such protection, including in respect of data minimisation, purpose limitation, time period for data retention and data protection and security?

the judges have responded….

(iv) Insofar as Section 33(2) of the Act in the present form is concerned, the same is struck down.

The relevant section as it stands today and is being struck down is:

(33)(2) Nothing contained in sub-section (2) or sub-section (5) of section 28 and clause (b) of sub-section (1), sub-section (2) or sub-section (3) of section 29 shall apply in respect of any disclosure of information, including identity information or authentication records, made in the interest of national security in pursuance of a direction of an officer not below the rank of Joint Secretary to the Government of India specially authorised in this behalf by an order of the Central Government:

Provided that every direction issued under this sub-section, shall be reviewed by an Oversight Committee consisting of the Cabinet Secretary and the Secretaries to the Government of India in the Department of Legal Affairs and the Department of Electronics and Information Technology, before it takes effect:

Provided further that any direction issued under this sub-section shall be valid for a period of three months from the date of its issue, which may be extended for a further period of three months after the review by the Oversight Committee.

The objection to this section was perhaps the Court considered that “Joint Secretary” was not the appropriate level at which this responsibility could be vested with.

The Government can therefore through the PDPA 2018 raise this level of intervention to the Secretary to meet the objections.

The Court has also pointed out in its answer that

(vi) We have also impressed upon the respondents, to bring out a robust data protection regime in the form of an enactment on the basis of Justice B.N. Srikrishna (Retd.) Committee Report with necessary modifications thereto as may be deemed appropriate.

As a result of this push, Government will have to bring up the PDPA 2018 for discussion as early as possible and get it passed. Alternatively, Government may have to resort to an ordinance to make PDPA 2018 effective immediately.

Naavi

Disclaimer: The views expressed here and elsewhere on this site are the personal views of Naavi and not the views of any organization or group that he may be associated with.

Posted in Cyber Law | 2 Comments