iSec is empanelled as information security auditor for block period 2016-2019 by CERT-In

Example blog post alt

CERT-FIN: A case for providing legislative backing

By iSec News

March 5, 2017

One of the major announcements in 2017 Budget was to establish CERT-Fin (computer emergency response team for financial sector) in India. This is the first time that cybercrime menace affecting the financial sector will be handled through a dedicated computer emergency response team. While, exact structure and function of CERT-Fin are yet to be disclosed, it’s time to examine existing data breach reporting norms and the manner in which they will support this initiative.

In Oct 2016, almost 3.2 million debit cards, issued by major banks in India were allegedly compromised due to the presence of malware in affected ATMs. Website of a major depository in India was hacked in the same month. Reacting to the compromise of cards, issuing banks responded by blocking the cards and reporting the details to RBI. The depository reported the incident to CERT-in (Computer Emergency Response team under Ministry of Electronics and Information Technology) and later to SEBI. Public, who are the actual stake holders, whose money was in the banks and stocks were with the depository, probably got to see this only through the news reports. Regulators too were probably not informed in time. It was due to the delayed reporting that RBI directed the banks to report such incidents in space of two to 6 hours. SEBI directed the depository to report any such breach within a reasonable time. Directions to inform the public however, are still missing.

Even this one sided reporting, almost neglecting the true owners of assets, i.e. the citizens, lacks any legislative sanction. This however is not how cyber incidents are reported and handled internationally. European Union in April 2016 adopted General Data Protection Regulation (GDPR). As per this regulation, failure to report within 72 hours of the breach could lead to fine up to 2% of the annual turnover of the entity involved. Almost all states in Unites states of America except Alabama, New Mexico, and South Dakota have security breach laws. Proposed CERT-Fin, to be effective, will require the backing of legally mandated data breach reporting norms for disclosure of security breaches both to itself, regulators and the public.

Besides making the reporting of security breaches mandatory, CERT-Fin will be best served if each reported security breach leading to loss of public money is also reported to the Police. As of now in absence of any law requiring compulsory reporting, most such cases are probably neither reported nor criminally investigated. Most cases involving intricate technology details, enquiries end with detailed reports of internal/external auditors and technical committees. Recently in an alleged misuse of High Frequency Trading option in one of the stock exchanges, probably only internal enquiries/audit by the exchange and the regulator were done. If a breach or misuse of resource provided wrongful advantage to some and wrongful disadvantage to others, it requires being criminally investigation. In cases like these, proposed CERT-Fin will possibly play a pivotal role in providing much needed technical support to investigating agencies.

Building this background of legislative framework for proposed CERT-Fin is also not too difficult. This can be achieved by amending the existing Information Technology Act, 2000. Section 43A of IT Act already provides for compensation to be provided for failure to protect data. Same section can be amended to include time frame in which a security breach has to be reported, both to the concerned regulator/law enforcement agency as well as to the concerned citizens. Punitive action in case of failure to report can also be included in the amendments.

With these changes in existing laws, proposed CERT-Fin will help not only in prompt disclosure of cyber security incidents to the public and regulators, but will also provide much needed technical support to financial institutions in case of future cyber incidents.

Example blog post alt

Cyber Assessment of Banks

By iSec News

Jan 27, 2017

As India celebrated its 68th Republic day, the last quarter of the past year will go down in history as one of the most significant quarters in providing a decisive push towards adopting digital economy.

After the demonetisation many of the 661.8 million debit card holders in India, used their cards for the first time. Quite a few of these persons had no or little knowledge of security requirements in usage of these cards. This happened while India, in October 2016, was grappling with the fact of nearly 3.2 million debit cards issued by some of its major banks having been compromised due to malware in some ATMs. As a precautionary measure, Banks had sent out an advisory that people should use only bank owned ATMs. After the demonetisation announcement, this was undone. People were told to withdraw money from any bank’s ATM. If this has had any adverse effect is yet to be reported, but vulnerabilities associated with cards remain.

Most cards in use are still non-EMV (Europay, Master and Visa) cards. These non-EMV cards are inherently vulnerable and are prone to letting account related information being read by hacked ATMs. Process to change to EMV chip and pin-based cards in spite of RBI directives in this regard, has been slow.

Besides non-EMV cards and malware prone ATMs robustness of Point of Sale (POS) machines is another concern. BIS prescribes standards for these machines which are imported. To meet the growing demand new POS machines are being purchased without BIS labeling till March 2017. Possibilities of rogue machines mixed with genuine imports cannot be ruled out.

Along with increasing use of cards, online transactions using apps and digital wallets have grown too. As per RBI figures, mobile banking transactions grew 175 percent, while money transacted using mobile banking grew 369 percent in a period between October 2015 to October 2016, when compared to similar period in earlier years.

These digital wallets and apps are regulated by RBI, however, RBI’s, 1 July, 2015 circular, does not clearly spell out security requirements for these payment apps and digital wallets. It’s not too surprising that frauds have started to happen. Paytm’s, recent complaint regarding cheating of around Rs 6.15 lakhs is surely a wakeup call. With government sponsored Bhim app in market and growing usage of digital wallets and payment apps, security measures need to be clearly defined.

Scary as they may sound, these issues are not too difficult to tackle. RBI has already directed replacement of non EMV cards. There is a need to strictly enforce these directions and educate the public regarding security hazards of non-EMV cards. ATMs may be periodically examined by National Payment Corporation of India (NPCI) and labeled secure for use. Benchmarking of POS terminals as per BIS norms may not be relaxed to meet the demand. And lastly, digital wallet service providers need to mandatorily use assigned encryption levels for transactions as well as for storing customer data.

Once these basic steps are taken, only then, surprise audits by RBI and routine audits mandated to the Banks will help in sustaining this digital push year after year.

The author is currently Additional Director General Home guards, Mumbai and former Controller, Legal Metrology, Maharashtra.

Example blog post alt

Whatsapp-Facebook Data Sharing

By iSec News

Sep 30, 2016

On 25th of August , WhatsApp announced that it is going to share user data with its parent company, Facebook. This has raised a serious debate on privacy issues around the world. In India, a petition has been filed in the Delhi HC, which has asked for the government’s reaction to the purported leak. This hue and cry is more because of the exemplary user experience that WhatsApp users have enjoyed so far.

While most social media sites freely use user’s data, WhatsApp is different. WhatsApp as its policy in 2009, stated that it will never share any user data with any one. WhatsApp’s founder, Jan Koum on 2014 had said that in spite of the merger with Facebook no user data will be shared with Facebook. With this background, in spite of WhatsApp giving an option to users to opt out of sharing of data within 30 days of the announcement, concerned citizens are alleging compromise of user rights.

Sharing of data with Facebook will reveal users’ phone numbers. It will also disclose friends with whom a person interacts. Facebook may use close to one billion user data of WhatsApp in multiple ways. With the available phone numbers it can send more informed friend suggestions. It will be able to send more targeted ads based on user interactions. It can also let businesses directly contact users based on the ads that get viewed by the users. It is this sharing of phone numbers and their use for advertisements is what is causing grave privacy concerns.

While it may be compromising user privacy, present Indian laws may not be able to provide any relief for these concerns. Reasons are not far to seek. Privacy issues in electronic media are addressed in the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 under Information Technology Act. These rules in case of WhatsApp, will not be of much use as there exists a contractual agreement between the users and WhatsApp. This agreement is signed at the time of opening a WhatsApp account. Though this agreement guaranteed user data privacy, in current announcement of WhatsApp, users still have a choice to opt out of this disclosure. Due to this, litigation may not result in any great outcome.

Whatever be the outcome of the current PIL, citizens feel tricked. They have been using WhatsApp freely under the promise of secrecy (through end to end encryption) and privacy as vouched for by WhatsApp. Now that they are stuck on the platform they find no way of going back. They are also unsure whether this, opt out policy too, will change in future. More worrisome is the fact that while the rules under Information Technology Act provide for safeguards, compliance of the same and their enforcement is a weak area. Going forward, mandatory compliance to the current Information Technology Act rules ensuring complete privacy of citizen rights may alleviate current helplessness.

Example blog post alt

Cashless to Cardless: A Revolution in Making

By iSec News

Dec 06, 2016

Prime Minister Narendra Modi's message in the latest Mann Ki Baat program on All India Radio was loud and clear. He exhorted the nation to start transitioning from less cash to cash less economy. This sounded like a big boost to the cards and digital wallet industry. In fact, this may not be true. India may soon not only be moving to cashless economy but might be moving towards card less economy. Digital wallets tied to specific banks or provided by specific merchants too may soon be history.

Dealing a deadly body blow to the card industry and proprietary digital wallet industry are two indigenous innovations. One is the purported move to have Aadhar chip embedded in smart phones which support Iris scans. And the other is the launching of Unified Payment Interface by National Payment Corporation of India.

In current scenario when a purchase is made using a card it is swiped on the point of sale machine and a pin is entered to authenticate the card. This affects money transfer from the customer’s bank to the account of the merchant. In cases where money has to be transferred using a digital wallet, it is done using the digital wallet app. Money from one digital wallet can be transferred to another digital wallet provided they subscribe to the same provider i.e. PayTm, HDFC Chillr etc. This scenario is now set to change.

Iris scan supported Aadhar card enabled smart phones provide for authentication through the mobile phone. Process is simple. If a transaction has to be made once the Iris is scanned, Aadhaar chip embedded in the phone will communicate with Aadhaar servers and provide instant authentication. Once the authentication is done money transactions can be done. There will be no need of either a point of sale machine or a card for the purposes of transaction.

Alongside proposed Aadhaar enabled mobile phones, Unified Payment Interface, launched by National Payment Corporation of India with Reserve Bank of India is revolutionizing the way digital wallets get used and transactions are made.

Using UPI app persons can create their digital wallets and have a virtual private address. This Virtual private address could either be the Aadhaar card number of just the mobile phone number of the person. In case of any transfer to be affected it can be done from one VPA to another without the restriction of these digital wallets being of the same bank or the same provider. Money in case of UPI enabled wallets always remains with the banks and transactions involving transfers are free. This is unlike the current digital wallets where money gets out of the banking system and in case money has to be sent to the bank there are charges for the same. With this ease of use and freedom to transact across participating banks it’s only a matter of time that Unified Payment Interface enabled apps will replace proprietary digital wallets.

Unified Payment Interface is also enabling person to person (P2P) transactions besides person to merchant (P2M) transactions. In P2P persons transact among themselves using UPI enabled digital wallets. Once this happens even the 2.1 lakh ATMs may become redundant. Each mobile will become a payment device both accepting and making payments.

Making this a reality, are the current 371 million mobile internet users (35% of the population as of June 2016) in India, and approximately 108 Crore Aadhaar card holders (as per UIDAI). These numbers coupled with an estimate 50 Million internet users getting added each year; Prime Minsters’ wish for a cashless economy may well get realized much sooner than anticipated.

(First published in Firstpost)