Author Archives: B Singh

EMV Chip Based Card Cloning Resulted In Loss Of Rs. 18000 Of A Retired Judge

EMV Card I

EMV originally stood for “Europay, Mastercard, and Visa”, the three companies that created the standard. The standard is now managed by EMVCo, a consortium of financial companies. However, in India people and banking institutions are still using the EMV nomenclature and standards. Despite the contrary view, EMV are slightly better secure than traditional magnetic strip based cards. We would cover this aspect in detail in our subsequent articles and share our views with Reserve Bank of India (RBI) and other banks of India.

Recently a media report claimed that a retired district judge lost Rs 18,000 in a suspected case of debit card fraud within 12 hours gap. One of the three transactions was affected after the judge, G T Wategaonkar, had blocked his card. In a related and previous event, he was travelling to Kothurd and his wallet was misplaced in an autorickshaw. It contained Rs 35,000, his old debit card and Aadhaar card.

“They misused my new EMV chip that was replaced by the bank on December 29. He said his old card was deactivated after he activated the new one. Such cards are supposed to be protected from skimming and stolen card frauds,” he told TOI.

The judge approached the cyber crime police station of the Pune police and gave a complaint application about his loss. “I have also blocked my account to avoid any further fraudulent transactions,” he added.

First he received an SMS stating that Rs 3,000 had been withdrawn from his account. “Before I could contact the bank, another Rs 10,000 was debited. I sent an SMS to the bank to block my card, but it was not delivered. So I called the bank’s number and told the person to block my card.” Wategaonkar said he received an SMS that the card had been blocked and he decided to approach the bank next day. But next day in morning he saw another debit message for Rs 5,000 from his account.

“Along with my daughter, I went to the bank and blocked my account. I told the bank official that I did not share details of my debit card and yet money was siphoned from my account,” Wategaonkar said.

Wategaokar said, “In comparison with huge amounts of recent bank frauds, the amount I have lost is less. But, I am a pensioner and that little amount is important for me. On one hand the government is insisting on using plastic money instead of cash transactions and on the other hand fraudsters are misusing it. I will have to rethink whether to use debit card or not.”

An officer from the cyber police station told TOI that it could be a case of card cloning. “The suspect withdrew the amount from an ATM kiosk in Thane. We will get the CCTV footage from the bank to identity the suspect,” the officer said.

Cyber Attacks And Cyber Crimes Fighting Portal Of PTLB Is Strengthening Indian Cyber Security And Cyber Law

Cyber Security Portal

 

Cyber attacks and cyber crimes have significantly increased in India. But the cyber security infrastructure of India is lagging far behind. So far we are not even able to manage basic level cyber crimes. To fill this gap, we at Perry4Law Techno Legal Base (PTLB) have launched an online portal where national and international stakeholders can lodge their complaints.

Once the complaint is lodged, we would analyse the same and take appropriate action. We would analyse the case and extend our techno legal expertise to national and international governments and authorities. We would also coordinate with national and international law enforcement agencies so that the case can be resolved in least possible time.

Filing of complaint is very simple. Choose the right category and create a ticket. For instance, if you have faced any cyber crime, select cyber crime category and create the ticket. Similarly, if you have faced any cyber attack, choose the cyber attack option and file the ticket/complaint.

For sensitive information and data, we have created a separate procedure so that privacy, confidentiality and integrity of the information is maintained in best possible manner.

To support this initiative, we are managing few blogs that are spreading cyber law and cyber security awareness in India. We are making people aware about threats of phishing, credit card frauds, customer rights in digital times, etc. We are also managing dedicated blogs in fields like cyber law, cyber security, privacy, cyber forensics, e-discovery, etc.

We encourage all stakeholders to use the online portal as much as possible as silently suffering cyber crimes and cyber attacks is not good for our national in long run. Let us collectively fight against cyber crimes and cyber attacks and make Indian cyber infrastructure robust, resilient and secure.

National Critical Information Infrastructure Protection Centre (NCIIPC) Of India Needs Rejuvenation

National Critical Information Infrastructure Protection Centre (NCIIPC) Of India Needs RejuvenationThese days more and more critical services are connected with and controlled by computers and other information and communication technology (ICT). As a result they are also vulnerable to sophisticated cyber attacks from around the world. Malware have evolved to such an extent that many times they are not traced for years and the cyber attacks keep on stealing sensitive and crucial information. This is a troublesome notion when critical information infrastructures are involved as the stakes are very high there.

We at Perry4Law Organisation (P4LO) believe that critical infrastructure protection in India (pdf) needs a more focused and extensive cyber security protection. We have recently provided cyber security trends of India 2017 here and here and even there we have mentioned the significance of critical infrastructure protection (CIP) in India. Indian government has still to do extensive work regarding ensuring cyber security in general and critical infrastructure protection in particular.

But in a very positive development, Indian government has already established the National Critical Information Infrastructure Protection Centre (NCIIPC) of India. The NCIIPC is also working to ensure robust cyber security for Indian critical infrastructure. However, for reasons best known to Indian government, NCIIPC seems to be a half hearted approach so far. Even the website of NCIIPC has little to offer regarding scope, nature, expertise and purpose of NCIIPC. We at Perry4Law Organisation (P4LO) believe that NCIIPC needs to play a more pro active and extensive role in present cyber security scenario of India.

Till the end of 2016, the cyber security infrastructure of India is not in a good shape. We have to cover a long road before India can be considered to be even moderately cyber secure. While India can afford to be little bit lax regarding general cyber security yet cyber security of CIP needs urgent attention of Indian government. For instance, using telemedicine and online healthcare systems without robust cyber security is inviting troubles of all sorts. In fact, healthcare industry and its infrastructure can safely be considered to be a critical infrastructure. Similarly, banks in India must be treated as critical infrastructure and cyber security must be accordingly managed. Mass usage of digital payments without cyber security would create lots of trouble for India in the long run. In these circumstances, role of NCIIPC must be more pro active than the present one.

There are many startups and entrepreneurs that would explore fintech and critical infrastructure related business activities in 2017. They would need strong cyber law and cyber security laws on the one hand and an authority to protect their critical infrastructures on the other. Similarly, cyber security breach disclosure norms would also be required so that CERT-In and NCIIPC can protect Indian infrastructures and systems in a better manner.

Perry4Law Organisation (P4LO) requests Indian government to consider these suggestions on priority basis.

Guidance On Cyber Resilience For Financial Market Infrastructures

Guidance On Cyber Resilience For Financial Market InfrastructuresCyber security has become indispensable for all business activities these days and financial market infrastructures (FMIs) are no different in this regard. FMI is defined as a multilateral system among participating institutions, including the operator of the system, used for the purposes of clearing, settling, or recording payments, securities, derivatives, or other financial transactions. FMIs play a critical role in the financial system and the broader economy and contribute to maintaining and promoting financial stability and economic growth. At the same time, the FMIs also concentrate the risk and, if not properly managed, FMIs can be sources of financial shocks or a major channel through which these shocks are transmitted across financial markets.

Therefore, it is imperative that cyber security of financial market infrastructures (FMIs) must be ensured by all stakeholders including Indian government, Reserve Bank of India (RBI) and Securities and Exchange Board of India (SEBI). Recently, the RBI has prescribed a cyber security framework for banks of India that has to be implemented till 30-09-2016. However, RBI is well known for its lax implementation of cyber security related issues in India and this deadline could prove to be another paper deadline only. Similarly, the SEBI has expanded the ambit of its Technical Advisory Committee (TAC) to include cyber security of the markets. Indian government is also working in the direction of ensuring cyber security in India but its efforts are too slow and too late in this regard.

In a latest international development in this regard, the Committee on Payments and Market Infrastructures (CPMI) and the International Organization of Securities Commissions (IOSCO) have published the Guidance on cyber resilience for financial market infrastructures (pdf) (“Cyber Guidance”). This builds on an earlier version of the report that underwent a three-month public consultation.

The safe and efficient operation of FMIs is essential to maintaining and promoting financial stability and economic growth. The Cyber Guidance aims to add momentum to and instil international consistency in the industry’s ongoing efforts to enhance its cyber resilience. This includes the ability of FMIs to pre-empt cyber attacks, respond rapidly and effectively to them, and achieve faster and safer target recovery objectives if the attacks succeed. In addition, the Cyber Guidance provides authorities with a set of internationally agreed guidelines to support consistent and effective oversight and supervision of FMIs in the area of cyber risk.

At its core, the Cyber Guidance requires FMIs to instil a culture of cyber risk awareness and to demonstrate ongoing re-evaluation and improvement of their cyber resilience posture at every level within the organisation. Furthermore, while the guidance is directly aimed at FMIs, it is important for them to take on an active role in reaching out to their participants and other relevant stakeholders to promote understanding and support of resilience objectives and their implementation. Effective solutions may require collaboration between FMIs and their stakeholders as they seek to strengthen their own cyber resilience.

The Cyber Guidance does not establish additional standards for FMIs beyond those already set out in the Principles for Financial Market Infrastructures (PFMI). Instead, the document is intended to be supplemental to the PFMI, primarily in the context of governance (Principle 2), the framework for the comprehensive management of risks (Principle 3), settlement finality (Principle 8), operational risk (Principle 17) and FMI links (Principle 20).

Healthcare Cyber Security Issues In India For Businesses And Entrepreneurs

Healthcare industry of India is facing novel techno legal issues that were absent few years back. These include issues like techno legal regulatory compliances, cyber security requirements, cyber breach disclosure requirements, obligations of directors of healthcare companies for cyber law and cyber security, privacy compliance, data protection requirements (pdf), etc. This article is discussing the cyber security issues of healthcare industry of India that is equally applicable to healthcare industry of other jurisdictions.

As healthcare industry has started using information and communication technology (ICT) in the form of telemedicine, online pharmacies, e-health, m-health, etc, cyber criminals have found that this industry is a goldmine and a money minting industry. Sophisticated malware are now targeting healthcare industry in the form of ransomware and information stealing malware. These malware are so sophisticated that even cyber security products and services are ineffective against the same.

There is no doubt that ICT has enabled the healthcare industry but at the same time it is also true that there is an increasingly high risk of healthcare cyber security attacks. Healthcare companies of all sizes need to ensure that they are not only regularly reviewing policies and procedures when it comes to privacy protection and data security but also that they are implementing the right cyber security best practices to keep healthcare related information secure. Ransomware is of particular concern to healthcare industry as sensitive healthcare information is encrypted and decrypted only once the ransom is paid.

Healthcare industry is not spending adequate amount on cyber security and is also not good at acquiring cyber law and cyber crimes related knowledge. This has made the healthcare organisations vulnerable to sophisticated cyber attacks. The overall impact of cyber attacks on the hospitals and healthcare systems is estimated to be nearly six billion per year. Furthermore, these organisations face internal threats due to factors such as the use of cloud services, insecure networks, employee negligence, bring your own device (BYOD), lack of internal identification and security systems, stolen devices with unencrypted files, etc. Human beings are the weakest link in the cyber security environment and healthcare organisations are no exception to this rule.

Presently, healthcare cyber security market consists of protection against malware, ddos, advanced persistent threat, spyware, lost and stolen devices, etc. However, the list is just illustrative and the cyber security requirements are as vast as are the options available to the cyber criminals.

Perry4Law Organisation (P4LO) strongly recommends that the healthcare industry must work on three fronts i.e. formulation of techno legal policies, adoption of best cyber security practices and a mechanism to ensure cyber breach disclosure and coordination with the statutory and government authorities. If any of these three stages is missing, then the concerned healthcare organisation is at graver risk of cyber attacks and loss of sensitive healthcare information.

Analysis Of National Cyber Security Policy Of India 2013 (NCSP-2013) And Indian Cyber Security Infrastructure

Analysis Of National Cyber Security Policy Of India 2013 (NCSP-2013) And Indian Cyber Security InfrastructureThe National Cyber Security Policy of India 2013 (NCSP 2013) (PDF) was announced by Indian Government in 2013. The policy aims to build a secure and resilient cyberspace for citizens, business and government. Perry4Law Organisation and Perry4Law’s Techno Legal Base (PTLB) welcome this initiative of Indian government that can help in strengthening of Indian cyber security infrastructure.

The mission of the policy is to protect information and information infrastructure in cyberspace, build capabilities to prevent and respond to cyber threat, reduce vulnerabilities and minimise damage from cyber incidents through a combination of institutional structures, people, processes, technology and cooperation.

The objectives of the policy are:

(a) To create a secure cyber ecosystem in the country, generate adequate trust and confidence in IT system and transactions in cyberspace and thereby enhance adoption of IT in all sectors of the economy.

(b) To create an assurance framework for design of security policies and promotion and enabling actions for compliance to global security standards and best practices by way of conformity assessment (Product, process, technology & people).

(c) To strengthen the Regulatory Framework for ensuring a Secure Cyberspace Ecosystem.

(d) To enhance and create National and Sectoral level 24×7 mechanism for obtaining strategic information regarding threats to ICT infrastructure, creating scenarios for response, resolution and crisis management through effective predictive, preventive, protective response and recovery actions.

(e) To improve visibility of integrity of ICT products and services by establishing infrastructure for testing & validation of security of such product.

(f) To create workforce for 5, 00,000 professionals skilled in next 5 years through capacity building skill development and training.

(g) To provide fiscal benefit to businesses for adoption of standard security practices and processes.

(h) To enable Protection of information while in process, handling, storage & transit so as to safeguard privacy of citizen’s data and reducing economic losses due to cyber crime or data theft.

(i) To enable effective prevention, investigation and prosecution of cyber crime and enhancement of law enforcement capabilities through appropriate legislative intervention.

Some of the shortcomings of the policy are:

(1) The declared cyber security policy has proved to be a paper work alone with no actual implementation till date.

(2) The cyber security trends and developments in India 2013 (PDF) have listed the shortcomings of Indian cyber security policy in general and Indian cyber security initiatives in particular.

(3) Indian cyber security policy has failed to protect civil liberties of Indians including privacy rights.

(4) Civil liberties protection in cyberspace has been blatantly ignored by Indian government and e-surveillance projects have been kept intact by the Narendra Modi government.

(5) The offensive and defensive cyber security capabilities of India are still missing.

(6) India is considered to be a sitting duck in cyberspace and cyber security field and the proposed cyber security policy has failed to change this position.

In short, India is not at all cyber prepared despite the contrary claims and declared achievements and the cyber security policy is just another policy document with no actual implementation and impact so far. Nevertheless, the policy is a positive step in the right direction.

Some of the related areas where Indian cyber security initiatives needs strengthening include international cyber security cooperation (PDF), critical ICT infrastructure protection (PDF), formulation of a cyber warfare policy of India (PDF), formulation of an encryption policy of India (PDF), reenactment of Indian cyber and telegraph laws, etc.

Meanwhile, India has been witnessing some new concerns and areas in the cyber field. For instance, cyber insurance, participation at Wassenaar Arrangement, intelligence agencies reforms, modernisation of police force, cyber security of banks, etc are some of the recent areas and developments that India has witnessed. Similarly, establishment of national cyber coordination centre (NCCC) of India and national critical information infrastructure protection centre of India (NCIIPC) are also good initiatives on the part of Indian government. The National Technical Research Organisation (NTRO) has also been entrusted with the duty to protect critical infrastructures of India.

The cyber security challenges in India would increase in the future as India has adopted the Digital India initiative and India must be well prepared to deal with the same. The sooner it is done the better it would be for the interest of our nation.

National Cyber Security And Coordination Centre (NCSC) Of India Under Consideration

Shri. Ravi Shankar Prasad, Minister of Telecommunications and Information TechnologyCyber security has never been a priority for Indian government. The cyber security trends and developments in India 2013 (PDF) have depicted this sad position of India cyber security. At this stage when the national cyber security issues are ignored by India it is very difficult to manage international legal issues of cyber attacks. The conflict of laws in cyberspace has added their own techno legal complicities to this situation. As a result India is considered to be a soft target and sitting duck in cyberspace.

Now there are some positive reports that cyber security in India would be strengthened. Cyber security has been made part and parcel of a larger initiative known as “Digital India”. In the past, a National Cyber Coordination Centre (NCCC) of India was proposed by Indian government. However, it remained on books alone as it was never constituted till now.

In January 2014 the Congress Government decided to launch the NCCC. However, NCCC never saw the light of the day. Now BJP Government is planning to launch the NCCC very soon. We at Perry4Law and Perry4Law’s Techno Legal Base (PTLB) welcome this move of Narendra Modi Government. There would be inter-ministerial discussions, before sending the proposal to the Cabinet. The Government is expected to send the proposal to the Cabinet in the next 15 days.

The NCCC proposal is a significant development as both NCCC and the National Critical Information Infrastructure Protection Centre (NCIPC) of India have failed to function properly so far. This has severely impacted the critical Infrastructure Protection in India (PDF). Perhaps, this is a good time to formulate Critical ICT Infrastructure Protection Policy of India as well. As an interim measure, it has been decided in the past that NTRO would protect the Critical ICT Infrastructures of India. A Tri Service Cyber Command for Armed Forces of India is also in pipeline.

Some policy decisions in the field of cyber security have already been taken by Congress Government. These include constitution of NCCC and NCIPC, formulation of a National Cyber Security Policy of India 2013 (NCSP 2013) and National Infrastructure Protection Plan in Thermal Power Sector of India, etc. The BJP Government is not doing anything new but making the efforts to implement exiting projects of Congress Government.

Of course, BJP Government can formulate and implement a working Cyber Attacks Crisis Management Plan of India, Cyber Warfare Policy of India (PDF), etc. Internet is full of unprotected and unsafe devices, SCADA Systems and computers and India has her own share of such unprotected devices. Cross border cyber crimes are also difficult to trace and resolve. The proposed NCCC and NCIPC would come handy in many cyber situations and we welcome the move and efforts of Shri. Ravi Shankar Prasad, Minister of Telecommunications and Information Technology in this regard.

Global Crackdown On Malware Blackshades Results In 90 Arrests Globally

Global Crackdown On Malware Blackshades Results In 90 Arrests GloballyHuman beings are the weakest link in cyber security chain and this was once again proved during the latest crackdown upon crackers and cyber criminals using the malware Blackshades. There were 700,000 estimated victims, whose computers have been hijacked by criminals using the Blackshades software. The crackdown was organised by law enforcement agencies of 19 countries around the world. This has also resulted in the arrest of 90 accused for allegedly using the malware. Among those arrested, in Moldova, was a Swedish hacker who was a co-creator of Blackshades.

Blackshades is another remote administration tool (RAT) that can compromise victim’s security and covertly activate his/her webcam. The modus operendi of infecting a victim’s computer is use of age old social engineering tactics using e-mail and other forms of electronic messages. Sending of a malicious link through e-mail and luring the victim to click the same is a common form of cyber attack that is very prevalent these days. Users of Blackshades also utilised this technique besides physically installing the malware wherever possible. The malware was used to commit various cyber crimes ranging from extortion to bank fraud.

Last week, watching it all play out were about two dozen FBI cyber crime investigators holed up in the New York FBI’s special operations center, high above lower Manhattan.  Rows of computer screens flickered with updates from police in Germany, Denmark, Canada, the Netherlands and elsewhere. Investigators followed along in real time as hundreds of search warrants were executed and suspects were interviewed. The sweep, capping a two-year operation, is one of the largest global cyber crime crackdowns ever. It was coordinated so suspects didn’t have time to destroy evidence.

Malware like Blackshades are successful because many computer users do not update anti-virus software. Many click on links sent in messages on social media sites such as Facebook, or in email, without knowing what they are clicking on. In seconds, malware is downloaded. Often computer users have no idea infection has taken place.

Cyber Security Laws In India Needed

Cyber Security Laws In India NeededThe correlation between a legal framework and cyber security is not difficult to anticipate and conceptualise. Cyber security compliances require adherence to certain well established legal principles. The moment a cyber security breach occurs; many legal issues and compliance requirements are automatically invoked.

For instance, in a typical cyber attack, it becomes imperative to ascertain and find the originator of such attack. The requirements to engage in first instance analysis, e-discovery and cyber forensics also arise due to such cyber attack. The reporting requirement to the compliance and regulatory authorities also arise.

However, none of this applies to Indian companies and individuals that are facing cyber attacks no matter howsoever sophisticated and damaging such cyber attack are. In India companies and individuals are not reporting cyber security breaches and attacks to the government and its agencies. The cyber security trends and developments in India 2013 (PDF) short listed all these shortcomings of Indian cyber security initiatives.

The Indian government has in the past declared that cyber security breach disclosure norms of India would be formulated very soon. However, till now no action has been taken in this regard and companies and individuals are still not reporting cyber security breached to Indian government and its agencies.

For instance, cyber crimes and cyber attacks against banks of India is a very common phenomenon in India. However, banks of India are not only lax while maintaining cyber security but they are also not disclosing such cyber crimes and cyber attacks due to fear of adverse publicity and regulatory penalties. This is creating more problems for the bank customers in general and banking cyber security in India in particular.

The Information Technology Act, 2000 (IT Act 2000) is the sole cyber law of India. However, it is not capable of forcing the companies and individuals to disclose cyber security breaches and cyber crimes. Nevertheless, the rules under the IT Act, 2000 prescribe cyber law due diligence (PDF), internet intermediary liability, reasonable cyber security practices, etc. they indirectly cover some aspects of cyber security disclosure norms. But they are not sufficient to meet the demands of present times.

Indian Parliament needs to enact a dedicated cyber security law of India that can cater all these regulatory and compliance requirements. Such a law needs to take into consideration techno legal requirements of cyber security. The sooner such a law is enacted the better it would be for the national interest of India as cyber security is an essential and integral part of the national security policy of India.

Cyber Attacks Are Targeting Bitcoin Users And Bitcoin Exchanges

Cyber Attacks Are Targeting Bitcoin Users And Bitcoin ExchangesCyber crimes and cyber attacks have taken a professional shape unlike traditional hobby based exercises. Now we have well organised crime syndicates that try their hands on anything that is lucrative and profit making. The latest to add to this list is the Bitcoins. The Bitcoins users are facing increased cyber attacks around the world and stealing of Bitcoins has become a normal phenomenon these days.

The Bitcoin exchanges around the world are facing numerous challenges. These include challenges from the point of view of laws, technical aspects, cyber security, etc. In India the Reserve Bank of India (RBI) issued an advisory cautioning Bitcoin users and Bitcoin exchanges of India of potential legal and security risks.

Cyber criminals have also realised the significance of Bitcoins as a potential virtual currency of the future. They have been using novel methods to steal Bitcoins from innocent users. In the absence of appropriate cyber security awareness and inadequate cyber security safeguards, Bitcoins ate stolen very frequently.

Third party applications are now bundled with illegal Bitcoins miners. .Recently, the E-Sports Entertainment LLC (ESEA) entered into a consent judgment for creating ESEA Botnet and violation of U.S. laws. Cyber criminals have also infected hundreds of thousands of computers with a malware known as “Pony” to steal Bitcoins and other digital currencies.

Thus, cyber security of Bitcoins exchanges and personal computers of Bitcoin users holding their virtual currency is a real challenge. Let us see how this highly volatile virtual currency would survive the sophisticated cyber attacks in the future.