Monthly Archives: September 2013

Is ICICI’s Facebook Application Pockets Violating Indian Cyber And Banking Laws?

Engaging in an online business or transaction requires compliance with various laws of India. If the online business or transaction pertains to the banking industry, especially the online transfer and receipt of money, the applicable provisions can include the internet banking guidelines, mobile banking security practices, e-commerce regulations and compliances, risk management for card present transactions, etc.

Cyber security of banks in India is still not taken seriously. Banks are not interested in ensuring cyber security of electronic transactions. The recommendations of the Reserve Bank of India (RBI) to ensure cyber security, appoint chief information officers (CIOs), establish a steering committee at board level, etc. have remained unfulfilled. Even RBI has warned banks about inadequate cyber security.

In a significant development, the deadline for ensuring security and risk mitigation measures for card present transactions in India would come to an end on 30th September 2013. Banks that have failed to comply with these guidelines would not only be liable to be punished but would also be required to bear the losses arising out of insecure card transactions.

Recently, ICICI Bank launched a web application named “Pockets” in association with Facebook. The web based application would allow account holders of ICICI to use the Facebook application to transfer and receive money online. However, some individual(s) have raised doubts about the legality and security of ICICI’s Pockets application. Further, it is the users’ responsibility to ensure the safety of the computers/devices they use for this application.

The online banking system of India is still not secure. Allegations that ICICI’s online banking system is insecure have been leveled in the past. If these allegations are true, then this is a serious cyber security lapse on the part of ICICI Bank and it must be addressed properly. As far as ICICI’s Facebook application Pockets is concerned, ICICI must address both cyber security and legal issues, as some have demanded the attention of the Reserve Bank of India (RBI) in this regard.

ICICI Bank states that all banking activities will take place on the bank server only. While you see the Facebook frame, the activities will happen on ICICI Bank’s server. The bank claims that the Facebook application is as secure as their Net banking platform. Although all consumer disputes and legal claims must be directed to ICICI Bank, Facebook cannot deny its liability under Indian laws, especially the cyber law of India. Only time will tell how this initiative of ICICI works for the consumers, Facebook and ICICI.

Mobile Payments Cyber Security In India Needed

We have heard a lot about mobile banking in the recent past. This euphoria can be well understood keeping in mind the attraction towards changes that technology can bring into our lives.

However, technology can also cause problems for us. Incidents of ATM frauds, credit card frauds, phishing, RTGS frauds, Internet banking frauds, etc. have increased significantly in India. Malware specifically targeting mobiles has raised the threat level further. On top of it, we have poor adoption of cyber security practices and policies by banks of India. In short, the online banking system of India is not cyber secure.

The truth is that India is not ready for mobile governance as on date. Mobile banking cyber security in India is still missing and the same must be established on a priority basis.

Reserve Bank of India (RBI) has taken some very significant policy steps to boost cyber security of Indian banks. However, banks of India have failed to comply with various regulations and guidelines of RBI in this regard.

The banking infrastructure of India is wide open to be exploited by cyber crooks and we are not at all ready to deal with the same. As a result, litigation between bank customers and banks has increased significantly. The RBI Ombudsman is already flooded with complaints pertaining to ATM frauds, credit card frauds, excessive charging, etc.

Similarly, bank consumers have approached the adjudication officers of various States of India under the Information Technology Act, 2000 to get their grievances redressed. In many cases, the adjudication officers have held the banks liable for various financial frauds for which the consumers have suffered the losses.

As per the media reports, RBI is exploring use of encrypted SMS based fund transfers in India for expanding the reach of banking to remotest corners of India. This is another significant suggestion by RBI that would have both positive and negative consequences.

Pushing such a service without proper mobile payments cyber security infrastructure in India would be a bad policy decision on the part of RBI. The RBI must first ask the banks of India to strengthen their cyber security infrastructure and only then expect some development in this regard. For instance, the malware Dump Memory Grabber has been targeting POS systems and ATMs of major US banks. The same can also happen to Indian banks.

Similarly, cyber security awareness in India is also missing. Bank consumers must be made well aware of the dangers of malware, viruses and social engineering tactics. The hardware providers in India have already been asked to make cyber security brochures available along with the hardware equipment they sell, to raise cyber security levels among the masses.

Till banks are made liable and accountable for non-adoption of cyber security practices, all technology driven initiatives of RBI are meaningless. They would only create more problems than solutions.

RBI Exploring Use Of Encrypted SMS Based Fund Transfers In India

The idea of mobile banking in India is not new. We have seen media reports from time to time regarding the suggested use of mobile banking in India. Although the idea is good, its actual implementation is far from being accomplished.

There are many techno legal issues that are hindering the use of mobile banking in India. Absence of cyber security culture among the banks in India is the main reason for the failure of mobile banking in India.

The Reserve Bank of India (RBI) has been playing an active role in inculcating a sense of cyber responsibility among banks of India. However, all its efforts have proved to be a waste till now in the absence of time bound results and stringent penalty provisions for failure to comply with RBI’s directions.

Similarly, the Internet banking guidelines in India by RBI must be further refined keeping in mind the ever increasing Internet banking frauds in India. Cyber security of banks in India is in a very poor state. RBI must also ensure cyber security due diligence for banks in India, which is presently missing. Although the appointment of chief information officers (CIOs) has been made mandatory for all banks in India, banks have not followed this requirement till now. Norms for mobile governance and e-authentication in India are also missing as on date.

As per the latest announcement of RBI, it has been considering setting up a committee to examine the feasibility of encrypted SMS-based fund transfers. RBI would set up a technical committee to examine the feasibility of encrypted SMS-based funds transfer using an application that can run on any type of handset.

Smart phones are vulnerable to all sorts of malware and cyber attacks. For instance, Android is facing serious malware issues and such vulnerable phones cannot be kept in the loop for mobile banking purposes. Absence of mobile cyber security in India can frustrate the efforts of RBI in this regard.

Mobile banking cyber security in India is urgently required on a priority basis before we start using mobile banking or related services in India. For the time being India is not ready for mobile governance and its mindless use may bring counterproductive results.

Imported Software And Hardware Testing For Embedded Malware Postponed Till 1st April 2014 By India

Foreign hardware and software vendors have been facing the telecom security heat around the world. Even in India there have been lots of security concerns regarding imported electronic hardware and software components.

For instance, Huawei and ZTE have already faced telecom security issues in India. Similarly, India is also considering making the norms for import of telecom equipment in India more stringent. The security agencies of India have gone to the extent of even suggesting the development of indigenously manufactured cyber security software.

Indian experts have also suggested starting India’s own social media platforms. India has also proposed a new policy that would give preferential market access (PMA) to domestic telecom manufacturers for government contracts. Clearly, the Indian mood is to support and encourage indigenously manufactured hardware and software components.

Foreign hardware and software vendors can relax a little bit in this regard, as the Indian government has postponed the testing requirement till April 1, 2014. This comes as a big relief to importers of mobile phones, SIM cards, 3G & 4G base stations, customer database servers, etc. that would have been required to undergo the requisite telecom security testing.

The earlier deadline for this testing was 1st October 2013, but the absence of global standards for conducting security tests on handsets, SIMs and telecom network devices, and the lack of clarity on who will set up the proposed test lab in the country, have delayed the project.

The document for accreditation of testing labs is now likely to be released by October 2013, instead of September, while the accreditation process itself will start from January 1, 2014, according to an internal telecom department document seen by Economic Times.

Till now 25 telecom products have been identified in India that will be screened at an authorised test lab in India. Twelve of these items have been classified “high risk items”, which need to be “security checked” from April 1 now.

Telecom operators had opposed the October 1 date, saying that there were still no established global telecom standards for security testing of core network elements, mobile handsets and SIM cards.

Some handset makers had even suggested that subjecting imported handsets to security checks would hurt growth since smartphone makers would be unable to launch latest devices in India on time.

The home ministry of India, however, has repeatedly warned that “the embedded software can be manipulated”.