PM Modi expresses views similar to what we said about ODRGLOBAL

Naavi has been expressing the thought that India should work at becoming the global hub for ODR, and hence that the services of odrglobal.in need to be promoted vigorously.

Today IE reports the following quote from Mr Modi.

“Seeking that India emerge as a global hub for arbitration, the PM pointed out that businesses seek assurances that commercial disputes would be resolved efficiently. Hence, a robust legal framework backed by a vibrant arbitration culture is essential, he said. This alternative dispute resolution should simultaneously facilitate arbitration, mediation and conciliation, Modi said. “This will provide additional comfort to investors and businesses. More importantly, it will also ease the case load on Indian courts. An enabling alternative dispute resolution ecosystem is a national priority for India. We need to promote India globally as an arbitration hub,” he said.

CJI Mr T.S. Thakur concurred with the view and said the “ever increasing avalanche of cases” should push this alternative method of resolving commercial disputes. They were addressing a global conference on ‘National Initiative Towards Strengthening Arbitration and Enforcement in India’.

Refer Article here

Hope they also see value in the existence of a ready-to-use service at www.odrglobal.in and encourage its adoption in some organizations under their control.

Naavi

Posted in Cyber Law

CISOs in Banks to be upgraded.. Will we have “Executive Director-Security” in our Banks?

RBI, continuing its fire-fighting efforts after the “Mega Data Breach” in the Indian banking system, has suggested that the “CISO” (Chief Information Security Officer) in a Bank, already a senior position, be upgraded from an “Operational Level” to a “Strategic Level” (refer article in IE).

The Gopalakrishna Committee in 2011 gave comprehensive recommendations on e-banking security (refer here for more information), including an administrative structure for information security management: a Board-level committee, followed by an executive-level committee and a mandatory position of CISO.

Any sensible information security structure places the CISO as a top-level officer who needs to be consulted on new product releases and other strategic initiatives, besides managing day-to-day security issues.

Again in June this year, RBI gave further mandatory instructions in the form of Cyber Security Framework.

Now RBI for the umpteenth time has reiterated the importance to be given to the CISO in the organization. Banks need to now look at whether the CISO should be at the Chief Officer level or at AGM/DGM level or at GM level.

It is also important to note that the roles of the Chief Compliance Officer and the Chief Security Officer in an organization overlap with the role of the CISO. For the system to function properly, it is necessary to ensure that there is an apex-level “Chief Security Officer” who oversees the work of the Information Security Officer, the Physical Security Officer and the Compliance Officer.

Ideally, such a person in the Bank should be at the Executive Director’s level. At present a few Banks have multiple “Executive Directors”. Probably one of them should be exclusively designated as “Executive Director-Security”.

We hope some Bank takes the lead in creating the CISO position at the Executive Director’s level, naturally supported by several Deputy CISOs at lower levels.

Naavi

Related Articles:

RBI points out many shortcomings of Banks

Banks should not get away

People Distrust on Plastic money Grows

Posted in Cyber Law

Beware of the “Dropped Pen Drive Attack”


If you find a pen drive in the car park or elsewhere, what are you likely to do? Particularly if you find it with your company sticker on it?

In a recent survey at the University of Illinois, 48% of the respondents said that they would not only pick it up, but connect it to a computer to find out to whom it belongs or what it contains. The first drive used in the survey was tried within 6 minutes, when a program on the drive generated a signal to the researchers. A majority (68%) of the persons who picked up a drive took no precautions with it. 16% scanned the drive with anti-virus software. It is interesting to note that 8% decided to try it on the office computer and not on their personal computer, so that the risk could be offloaded onto the office computer. Another 8% trusted their system and tried it despite knowing the risk.

In another experiment, conducted by CompTIA in four US cities (Chicago, Cleveland, San Francisco and Washington DC), 20% of the drives were picked up and plugged into computers, and the finders opened various files, clicked unfamiliar web links, etc., all of which are risky from the point of view of malware infection.

It is therefore clear that a “Dropped USB Drive” is an effective way for hackers to get into otherwise secured corporate systems. When malware such as “Stuxnet” can be configured to target specific companies and specific devices, run in stealth and defeat anti-virus systems, it is no surprise that we face a risk that needs to be contained with proper education of our employees.

Today, if we find an unattended bag in an airport lounge, or even a box in a public place, we do not touch it. We call the Police and the Bomb Disposal squad, since we know the risk. Similarly, if a stranger asks us to carry a gift packet during travel or offers biscuits while travelling in a train, we shun them because we know the risks.

Similarly, we need to learn that if we find a pen drive on the street, or more so in the company vicinity, there is every possibility that Stuxnet-type malware (which could also be ransomware) is hiding inside it and may get into any system in stealth the moment it is connected. Only an expert who runs it in a sandboxed environment can safely try to find out what it contains.

Let’s therefore inform all our employees today about this “Dropped Pen Drive Attack”.
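Employee education is the first line of defence, but a company can also check whether a found drive was actually plugged in. The following is an added example (not from the original post) of a small detection script that reads Linux kernel log lines, pairs each USB device announcement with its serial number, and flags any mass-storage device whose serial is not on a list of company-issued drives. The log lines, the serial numbers and the allowlist are all constructed for the example; a real deployment would read `journalctl -k` or `/var/log/kern.log` instead of the embedded string.

```python
import re
from dataclasses import dataclass

# Constructed sample of Linux kernel (dmesg-style) log lines. Three devices are plugged in:
# a company-issued drive, an unknown drive, and a mouse that is not storage at all.
SAMPLE_KERNEL_LOG = """\
[ 1023.114] usb 1-2: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.00
[ 1023.114] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1023.114] usb 1-2: SerialNumber: CORP-ISSUED-0001
[ 1023.119] usb-storage 1-2:1.0: USB Mass Storage device detected
[ 2201.502] usb 1-3: New USB device found, idVendor=abcd, idProduct=1234, bcdDevice= 1.00
[ 2201.502] usb 1-3: SerialNumber: 9F3A1C00
[ 2201.510] usb-storage 1-3:1.0: USB Mass Storage device detected
[ 2300.001] usb 1-4: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.01
[ 2300.001] usb 1-4: SerialNumber: LOGI-MOUSE-77
"""

# Constructed allowlist of serial numbers of drives issued by the company (hypothetical values).
CORPORATE_ALLOWLIST = {"CORP-ISSUED-0001", "CORP-ISSUED-0002"}


@dataclass
class UsbDevice:
    port: str                 # bus-port identifier the kernel assigns, e.g. "1-3"
    vendor_id: str = ""
    product_id: str = ""
    serial: str = ""
    is_storage: bool = False  # True once the usb-storage driver claims the device


NEW_DEVICE_RE = re.compile(
    r"usb (\S+): New USB device found, idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
SERIAL_RE = re.compile(r"usb (\S+): SerialNumber: (\S+)")
# The usb-storage interface name looks like "1-3:1.0"; the part before the colon is the port.
STORAGE_RE = re.compile(r"usb-storage (\S+?):\d+\.\d+: USB Mass Storage device detected")


def parse_usb_events(log_text):
    """Correlate the separate kernel lines for each device into one UsbDevice per port."""
    devices = {}
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.search(line)
        if m:
            port, vid, pid = m.groups()
            devices[port] = UsbDevice(port=port, vendor_id=vid, product_id=pid)
            continue
        m = SERIAL_RE.search(line)
        if m:
            port, serial = m.groups()
            devices.setdefault(port, UsbDevice(port=port)).serial = serial
            continue
        m = STORAGE_RE.search(line)
        if m:
            port = m.group(1)
            devices.setdefault(port, UsbDevice(port=port)).is_storage = True
    return devices


def find_unauthorized_storage(log_text, allowlist):
    """Return mass-storage devices whose serial number is not on the company allowlist."""
    return [d for d in parse_usb_events(log_text).values()
            if d.is_storage and d.serial not in allowlist]


if __name__ == "__main__":
    for dev in find_unauthorized_storage(SAMPLE_KERNEL_LOG, CORPORATE_ALLOWLIST):
        print(f"ALERT: unknown USB storage on port {dev.port} "
              f"(vendor {dev.vendor_id}, product {dev.product_id}, serial {dev.serial})")
```

Only the drive on port 1-3 is reported: the company-issued drive is on the allowlist, and the mouse never triggers the usb-storage driver. An alert like this is a detection, not a prevention; the same allowlist can be enforced with a udev rule or an endpoint device-control policy, and either way the serial is only a weak identifier that a determined attacker could copy.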

Naavi

Posted in Cyber Law

The Mega Data Breach. What should “Other” Banks and FinTech Companies do?

The Mega Data Breach of 32 lakh debit cards in India is reported to have affected 19 Banks directly. It is presumed that these are the banks whose debit card transactions passed through the poisoned switch maintained by NPCI to route ATM/POS requests. They may also be the Banks using the Hitachi ATM/POS systems suspected of having the vulnerability.

All these banks will be expected to cancel the current set of cards issued to their customers and replace them with new cards, just as SBI has done. The total estimated number of cards considered compromised is 32 lakhs. So far about 1000 frauds appear to have been registered, and they should be handled by the individual Banks as “Charge Backs” to the card without any legal struggle.

While the affected Banks try to tackle their problem as above, there are “Other” Banks who may have issued debit cards but are not in the list of the 19 Banks directly involved. Additionally, there are a number of other FinTech companies who process the debit and credit cards of their customers. An incident of this magnitude is considered an “Environmental Development” warranting a self-audit of their systems and procedures to identify whether they are equally vulnerable to such attacks and, if so, what should be done to mitigate the risk.

Every such organization should therefore call for an “Introspection” of its systems, starting with a “Board Meeting” and a “Top Management Meeting”. The Board needs to take note of the developments and the perceived threat to the company, and direct the operating executives to take such actions as may be necessary, report back to the Board and apprise it of the risk exposure and the countering plans. The Executive team also needs to meet, review all their systems and, where necessary, trigger proactive measures to reduce the possibility of similar risks materializing in their environment.

These meetings and the actions taken need to be documented as part of the “ITA 2008 Compliance” program of the Company.

For the Directors, to protect their own interests it is essential to ensure that the necessary instructions are passed down the line. It is also important for the CEO to ensure that the risks are escalated to him personally. If by any misfortune a fraud occurs in the company which could reasonably have been prevented had the lessons of this mega breach been acted upon, then the Officers in charge of the business, the CEO and the Directors may all have to shoulder vicarious liability.

To mitigate the adverse consequences of such liabilities, they need to show “Due Diligence”, and the conduct of this “Review meeting in the light of the Mega Card Data Breach” is considered a critical step.

I suggest that all company directors take note of this suggestion and act.

Naavi

Related Articles

Let RBI Show Who is the Boss

RBI Cannot Remain silent… and so also NPCI,CERT and Ministers of HOME,IT and Finance

Challenge to Mr Urjit Patel… Don’t let down the Indian Banking system

Posted in Cyber Law

Let RBI show Who is the Boss

Over the last few days, there has been a lot of discussion at all levels about what caused the mega data breach that compromised a suspected 32 lakh debit card records belonging to around 19 Banks.

As we expected and desired, RBI and CERT-In as well as the Finance Ministry have made some sounds. But they are still murmurs and mostly to cover their backs. There is very little substance in what has been done so far.

CERT-In says that they had issued an advisory that “After the Uri attack and the counter military operation, there could be a retaliatory cyber attack”. Yes. This is a reasonable expectation, and it was the duty of CERT-In to issue such an advisory. But such advisories have been issued by many security specialists as well, since it is always easy to guess the mind of the enemy. The difficulty is that when an advisory does not constitute “Actionable Intelligence”, it gets ignored at the recipient’s end. Knowing that any such attack requires months of preparation, if CERT-In had advised an immediate systemic change of all card and Internet banking related passwords of all customers right after the surgical strikes, we could have appreciated their advisory. To simply tell the Banks, “Take care… there may be attacks”, is like telling the BSF that there may be cross-border firing. We know the risk exists, and the advisory gets ignored as yet another circular to be dumped.

As regards RBI, there is no doubt that since June this year there has been a real upping of the security ante, and measures such as the setting up of SOCs under the Cyber Security Framework and the August 11 circular on Limited Liability of Customers can be considered specific proactive steps to defend the system against attacks such as the one this mega breach indicates. However, where RBI can be faulted is that it appears reluctant to walk its talk and go beyond issuing paper instructions. Even now, after the incident, RBI has only sent a letter to the Banks asking for a report about the incident. It will be long before any action is taken by RBI, and if by that time the heat is off, nothing is going to happen.

An indication that there will be no change is visible in the way the stock markets reacted to the news of the mega breach. Bank shares have actually been moving upwards instead of nosediving. SBI, Yes Bank, ICICI Bank and HDFC Bank shares should have come down significantly in anticipation of strict regulatory action. But they have not. This indicates that the wise men in the stock markets do not feel there will be any adverse financial impact on these Banks arising out of the data breach.

On the contrary, if any reasonable action were expected to be taken against the Banks, any professional in banking or information security would immediately foresee a quantum jump in information security related expenses, card replacement expenses, payment of penalties to RBI, payment for frauds, increased insurance expenses, etc. Probably the stock markets do not see this happening.

RBI should compare its actions with what TRAI has been doing to regulate the telecom industry. TRAI has imposed a penalty of Rs 50 crores per circle on Airtel, Vodafone and Idea for deliberately sabotaging Reliance Jio’s launch. In this case the penalty is for non-compliance and not for compensation to any customers.

On the other hand, RBI is talking of Rs 5 lakhs to Rs 1 crore per Bank as the penalty for some violations (RBI Framework for imposing penalty under the PSS Act). This is grossly insufficient to be a deterrent. Considering the serious dent caused to customer confidence in the Indian Banking system in a digital era, each of the 19 Banks involved should have had a penalty of not less than Rs 100 crores imposed, or a penalty of Rs 10000/- per breached card (total Rs 3200 crores).

I hope RBI will consider this after they get the response from the Banks to its query.

However, there is no reason why RBI should still be waiting to issue the August 11 circular as an operational circular. Going by some press reports, many consider that the circular is already applicable. But when it comes to a real case of fraud, I am sure that Banks will argue that the circular was only a “Draft” and is not applicable.

RBI must therefore confirm the circular as operative immediately, notwithstanding the opposition from IBA.

Let RBI not allow the tail to wag the dog. Let it show who is the boss.

If RBI continues to remain silent on this circular on limited liability, it can be presumed that Governor Mr Urjit Patel is personally protecting the interests of the erring Banks, which include SBI. It will also be interpreted as RBI’s inability to face the political pressures that must be at play to protect the reputation of the Chairpersons of some of these erring Banks.

I wait to be proven wrong on this account.

Naavi

Posted in Cyber Law

RBI cannot remain silent.. and so also NPCI, CERT and Ministers of Home, IT and Finance

Naavi.org has pointed out several times in the past the security risks in the Indian Banking system and how customers are vulnerable. We have also pointed out the responsibility of RBI in this regard. It is therefore no surprise at all that we are now talking of 32 lakh card records having been compromised. The writing has been clear on the wall, and only some people preferred not to see it.

(Please peruse past articles on Bank frauds here)

Conventional media, as always, remained silent when they should have raised an alarm, and are now focusing on the sensational part of the story. What we now need to focus on is the “Negligence” of the Bankers and RBI, besides the organizations meant to secure the cyber space in India.

In the instant case, it is reported that malware sneaked in through one brand of ATMs (namely Hitachi) in one of the Banks (namely Yes Bank) and then wormed its way to the ATM switch operated by NPCI. For over 3 months, the malware is said to have remained in the switch and sniffed the traffic. This means that the card data passing across the switch, which could be not only of Yes Bank cards but of other banks’ cards too, was copied and sent by the malware to systems controlled by the perpetrators of the massive data breach. Some newspapers have indicated that the data was stolen by Chinese actors. If so, we are really talking of a “Cyber War”. However, it is not clear whether it is a state-sponsored attack or simply a bigger crime syndicate attack.

If all the data required for authenticating a payment passes through the switch, then all of it might have been stolen. This includes data such as the name, card number, expiry date and CVV number, which are sufficient to conduct an online transaction. It may also contain some data in hashed/encrypted form, such as the PIN.

The fraudsters, by observing the pattern of the data across multiple transactions, can easily generate the decryption keys, break the encrypted data and compose the entire set of data regarding the card, which would enable them to use the card in both online and offline situations.

We can recall that in December-March 2013, in a coordinated e-robbery by an international criminal gang, over Rs 200 crores in cash were drawn from US ATMs in a few hours using several cards cloned from the data of 12 stolen cards. The money belonged to customers of Bank of Muscat, and Indian back-end data processors were responsible for the breach.

Now we are staring at about 32 lakh card records having been compromised. The potential loss that may befall the public, this time customers of Indian Banks in India, is unimaginable.

We must appreciate that SBI was bold enough to recall its 6 lakh cards and disclose the data breach to the public, without which the vulnerability and the breach would have remained hidden longer.

Now, if the adverse consequences of the breach are to be mitigated and contained, there are some immediate actions that need to be taken by the Banking system.

  1. First of all, we need to ensure that no card owner is liable for any loss arising out of misuse of the cards. SBI has blocked its cards, and other Banks who might have been exposed should do the same. For this, we need to identify the date from which this particular malware could have started collecting data, and all cards processed through the same switch since then should be identified, blocked and replaced by the respective Banks.
  2. Any reportedly fraudulent transactions on such cards in the last two or three months, while the malware was active, should be cancelled without demur by the Banks and the amounts credited to customers immediately without loss of interest.
  3. RBI should open a special customer complaint centre for these card frauds and collect public complaints in this regard, since we cannot trust individual Banks to act.
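Step 1 above is essentially a data problem: given the switch’s transaction records and the date from which the malware is believed to have been active, list every card that passed through the switch in that window, grouped by issuing bank so each bank can block and replace its own cards. The following is an added example (not the post’s own code, and not NPCI’s or any bank’s system) that does exactly that over a constructed transaction log. The compromise window start date, the BIN-to-bank mapping and the card numbers (standard publicly known test numbers) are all placeholders; the output deliberately masks the card numbers, since the list itself is sensitive and should never be circulated in the clear.

```python
from collections import defaultdict
from datetime import datetime

# Constructed switch log: ISO timestamp, card number (PAN), terminal id, amount.
# The PANs are well-known test numbers, not real cards; the last line is deliberate noise
# (not a valid card number) to show that malformed records are rejected rather than counted.
SAMPLE_SWITCH_LOG = """\
# timestamp,pan,terminal,amount
2016-06-30T09:10:00,4111111111111111,ATM-BNK1-001,2000
2016-07-20T12:00:00,4111111111111111,ATM-BNK1-004,500
2016-08-02T18:45:00,5555555555554444,POS-SHOP-22,1200
2016-08-02T18:46:00,5555555555554444,POS-SHOP-22,1200
2016-09-15T07:30:00,4012888888881881,ATM-BNK1-009,10000
2016-09-16T10:00:00,1234567890123456,ATM-BNK1-009,100
"""

# Hypothetical start of the compromise window; the real date has to come from the forensic analysis.
COMPROMISE_WINDOW_START = "2016-07-01T00:00:00"

# Constructed mapping of the first six digits (BIN) to the issuing bank. Banks publish
# their own BIN ranges; these names are placeholders.
BIN_TO_BANK = {
    "411111": "Bank A (constructed)",
    "401288": "Bank A (constructed)",
    "555555": "Bank B (constructed)",
}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit validation: rejects records that cannot be card numbers."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits only, the usual form for lists that leave the switch."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def affected_cards(log_lines, window_start, bin_to_bank):
    """Return {issuing bank: sorted masked PANs} for cards seen on or after window_start."""
    start = datetime.fromisoformat(window_start)
    by_bank = defaultdict(set)
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pan, _terminal, _amount = line.split(",")
        if not luhn_ok(pan):
            continue            # noise or corrupted record, not a card
        if datetime.fromisoformat(ts) < start:
            continue            # before the malware was active: not exposed by this incident
        bank = bin_to_bank.get(pan[:6], "UNKNOWN-ISSUER")
        by_bank[bank].add(mask_pan(pan))
    return {bank: sorted(cards) for bank, cards in by_bank.items()}


if __name__ == "__main__":
    result = affected_cards(SAMPLE_SWITCH_LOG.splitlines(), COMPROMISE_WINDOW_START, BIN_TO_BANK)
    for bank, cards in result.items():
        print(f"{bank}: {len(cards)} card(s) to block and replace")
        for card in cards:
            print("   ", card)
```

The 30 June transaction is outside the window, so that card is only listed because it reappears on 20 July; the malformed final record is dropped by the Luhn check. Cards with a BIN the mapping does not know land under UNKNOWN-ISSUER so that nothing silently disappears from the block list.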

After these preliminary actions, we need to ask questions of those who were entrusted with the management of these systems.

  1. The supplier of the Hitachi machines needs to be investigated to understand how the vulnerability arose. If it is because of non-patching of the operating software or other such fundamental security lapses, the manufacturers as well as the Banks and the persons responsible for maintenance should be investigated for “Negligence” and penalties fixed. The penalties cannot be the Rs 5 lakhs to 1 crore that RBI is talking of. They should be in the range of Rs 100 crores plus, without which the Banks will never feel the pinch and take security steps for the future.
  2. NPCI should explain how, as manager of the switch, it could not identify the malware and the diversion of data to unknown destinations, whether in China or not. The vulnerabilities here need to be identified and removed, and responsibility fixed.
  3. Banks have been subject to the new Cyber Security Framework (CSF-2016) regulations applicable from June 2, 2016, in which several new security measures, including data breach notification, were introduced. It is time to review how many of the Banks were in breach of these regulations and fix responsibilities.
  4. Officers in RBI who failed to follow up on the non-submission of data breach notifications and confirmations of compliance with CSF-2016 should also be booked for their negligence and apathy.
  5. IDRBT is the wing of RBI entrusted with its own responsibility for security and should have been a whistleblower much bigger than Naavi.org. But has it done its duty? There should be an introspection at this organization, and failures should be made accountable.
  6. Similarly, CERT is entrusted with its own responsibility for security at the national level and should have been a whistleblower much bigger than Naavi.org or IDRBT. But has it done its duty? There should be an introspection at this organization too, and failures should be made accountable.

I hope that we shall not rest with the satisfaction that only 1000 frauds were reported. If so, we should thank our stars, but proceed to secure our systems so that there is no repetition of the incident in future.

There is a serious need to review the operations of NPCI from the security perspective and to have suitable oversight that prevents such mishaps in future, when our neighbours in Pakistan and China are itching for a Cyber War which, like cross-border terrorism, will be another asymmetric war in which India will be at the receiving end.

We closely observe how the Ministry of Home Affairs under Mr Rajnath Singh, the Ministry of IT under Mr Ravishankar Prasad and the Ministry of Finance under Mr Arun Jaitley respond to this crisis. So far they do not seem to have stirred, and neither has Mr Urjit Patel, the Governor of RBI.

I look forward to a press conference today in Mumbai by Mr Urjit Patel to explain the RBI stand, and also a joint press conference in Delhi with the three ministries to explain their stand.

Naavi

P.S: RBI and the Ministry of Finance are reported to have called for “Reports”. A necessary first step… but not good enough as an emergency measure…

Posted in Cyber Law