Digital Gambit

Lead Illustration: Anthony Lawrence

Even as Indians are being exhorted to go cashless, there are few security systems in place, no infrastructure to deal with IT offences and no legal framework to tackle cyber crime  

~By Ramesh Menon

As Prime Minister Narendra Modi drives the nation to go digital, are we prepared for cyber frauds that threaten to dismember our lives? Though Modi has been urging people to use their mobile phones for transactions, many are unsure if this is safe. As online frauds surface on a daily basis, they are even more scared of using digital wallets. Even those who are net-savvy try to avoid net banking. Clearly, for mobile wallets and e-cash to succeed, they have to be foolproof. We are a long way from that.

The potential for online transactions is huge. According to RBI, in the last four years the value of mobile banking transactions increased by 222 times to Rs 4.04 lakh crore in 2015-16. Transactions through Prepaid Payment Instruments like Paytm, FreeCharge and MobiKwik rose to Rs 74.8 crore in 2015-16 as compared to Rs 29.8 crore transactions a year back. Recent breaches of debit cards in India raise fears about how risky mobile banking can be.

On top of that is the lack of knowledge about cyber security. There are over 40 million small and medium business enterprises that largely used cash all these years. Suddenly, they are being forced into a new system without even the basic training about how to avoid and detect online frauds. Plus, cyber security capabilities are almost non-existent, making these businesses easy targets of cyber frauds. They do not have the technology, intelligence or expertise to deal with even relatively modest cyber security threats.

Neeraj Aarora, cyber lawyer and an expert who trains judicial officers, police personnel and others to tackle cyber crime, told India Legal: “We just do not have the infrastructure to deal with IT offences. Only in the metros do we have something called a cyber cell. Till now, the police have been able to catch only the ‘carriers’ who are the people whose accounts are used for transfer and withdrawal of money. They have no knowledge of the offence. The main gang never falls into the police ambit as the policemen cannot connect with them. They are also not able to get any admissible evidence. Electronic evidence is very fragile.”

Extract from former CJI TS Thakur’s speech at a Bangalore event

“Understanding the legal dynamics of a changing digital world is one of the crucial aspects of striving for excellence in judicial work. India is going digital. The encouragement to adopt digital payment mechanisms by the government of India will inevitably give rise to complex legal issues for the judiciary to address shortly. We have to be prepared for a rise in unlawful activities in a changed digital environment. We have to be watchful of increasing criminal activities like data theft and digital fraud. With extension of digitisation to banking and transaction services, concerns about money laundering will also increase.”

Photo: UNI

What is frightening are threats like ransomware, which steals your data, infects your system, makes your computer system unusable and then demands a ransom for restoring it. If you do not pay, you lose everything you had. Most just pay, as even security agencies cannot understand where and how the criminals operate because they use the Dark Web. Cyber criminals are increasingly mastering how to use this programme as it is easy and quick money. Their route is through the web or your email. It makes sense for businesses to install security systems to prevent such attacks.

All of us are at risk. How safe are passwords, PIN numbers and smart chips? They can all be hacked, resulting in havoc. One way to be safe is to be careful with online transactions. Never ever divulge your CVV number and if someone is asking for it, it must trigger off a red flag immediately. If the ATM asks you to re-enter your PIN, cancel the transaction right away and do it again.

From these small infractions, cyber attacks could encompass power plants, defence establishments, ministries, metro systems and so on. Some of these have already been attacked. A report by KPMG and Confederation of Indian Industry pointed out that while cyber attacks were largely used for causing financial and reputational loss, they had a potential of posing a threat to human life too.

It is a frightening scenario. A hacker in a foreign land could get access to poorly secured government networks in India and steal vital national security data to create havoc. He can also steal personal data of citizens and bank data and make your money disappear. This may sound difficult and impossible to many who do not understand the dynamics of cyber crime and the reach of its long, menacing hands.

Secure yourself

  • Secure your email
  • Check the email id of the sender. If it is similar sounding or just has a small alteration like a dash, a full stop or an extra letter cleverly woven into it, beware
  • To defeat Ransomware, organisations must be in total control of their internal security systems
  • The organisation must be aware of the numerous tools and procedures that an attacker would employ
  • Backup strategies to recover data should be regularly tested and evaluated
  • Onsite backups are often targeted and it would be wise to have copies of backups stored offsite

Last year, there was an attempted heist of $951 million from the Central Bank of Bangladesh. Taking advantage of the weak security system of the Bank, cyber thieves tried to illegally transfer $951 million to numerous fictitious bank accounts around the world. Compromising the Bank’s computer systems, they authorized about three dozen requests to the Federal Reserve Bank of New York to transfer funds to accounts in Sri Lanka and the Philippines. The Bank’s forensic investigation found that malware was installed in the system in January 2016 and the heist was carried out a month later, after cyber thieves had gathered information on the Bank’s operational procedures for international payments and transfers. This should serve as a reality check for banks in India.

Here, too, credit and debit cards of millions were compromised in October 2016, forcing many banks, including SBI, Axis Bank, HDFC Bank and ICICI Bank to either replace them or request users to change the security codes.

Sushil Kambampati, online security expert, told India Legal: “India needs a privacy law and also one that deals with disclosure of data breaches. Banks never tell their customers when their data is breached, fearing that their stock will come down. That leaves customers in the dark, but it is their right to know. But since public disclosure is not mandatory, they do not do it.”

What should raise hackles in the Indian establishment is Deloitte’s latest India Fraud Survey, which shows that small and medium enterprises continue to run their businesses without securing them despite the proliferation of cyber crime. While larger companies are not prepared to tackle cyber crime, the smaller ones say they do not have the budget to do so, though more than 65 percent agree that cyber frauds in India are going to increase in the next two years. Many say they find it difficult to comply with anti-fraud regulations.

Reasons given by industry for fraud

  • Diminishing ethical values (38%)
  • Lack of efficient systems (37%)
  • Inadequate due diligence (37%)
  • Unrealistic goals linked to monetary compensation (37%)
  • Vendor favouritism (42%)
  • Diversion/theft of funds (33%)
  • Bribery and corruption (30%)
  • Limited or lack of segregation of duties (68%)
  • Limited employee education on fraud (60%)

The Deloitte Survey found that 29 percent of consumers doubt the safety of a digital wallet, 54 percent use mobile phones only to check bank balances, 54 percent use their mobile phones to pay utility and service bills and 38 percent use it to transfer money via mobile banking. It is going to take years for India to go cashless.

According to another study by Ernst and Young, which surveyed 60 organisations in India, over a third of them have no real-time insights to combat cyber risks, even though nearly 55 percent are facing rising threats. Devendra Parulekar, Chief Growth Hacker, SaffronStays.com, said that organisations would think of developing a risk strategy only if they understood how to anticipate cyber crime and how cyber attacks could not only be financially crippling but also damaging for their reputation and brand. “Organisations must undertake a journey from a reactive to a proactive posture, transforming themselves from easy targets for cyber criminals into more formidable adversaries,” he said.

Regulatory agencies too need to get their act together to tackle cyber crime. Institutions like the RBI and SEBI, NSE and BSE can no more be complacent thinking they have firewalls. Cyber thieves are constantly evolving and finding out loopholes to enter their systems. There has to be a coordinated policy that applies to stock exchanges, financial institutions, government organizations and private companies.

What is crucial is how quickly companies can figure out when data is being stolen and how quickly they inform the possible victims about redressal mechanisms. Kambampati said: “If you are a company of a certain size, there must be a law to ensure that you have someone at the board level overseeing security policies. Organisations must now look at having a chief information security officer. Knowledge of forensic data breaches is very poor in India and so people must be educated about them. There has to be specialized training to fight cyber crime and organisations should allocate resources to ensure online security.”

A report by KPMG points out that despite multiple warnings, the response on the part of the Indian government and private organisations has been underwhelming. The government needs to proactively monitor and respond to attacks. Lawmakers need to pass laws establishing privacy policies and mandatory disclosures. Companies will also need to invest in better security practices as well as gain public trust by reacting to breaches promptly and letting the public know what they are doing to recover the data. Organisations have to invest in training their employees on the dangers of cyber crime and how it can be avoided by looking out for tell-tale signs. As government departments will become major targets of cyber attacks, they should hire ethical hackers to protect themselves and be one up on the cyber thieves who are constantly evolving and operating from different corners of the world.

Kambampati said: “When the World Trade Centre was attacked, those tasked with security did not imagine something like this could ever happen. Cyber attacks will also be on a scale we cannot imagine. If a power grid is attacked, the power can be restored in a few hours. But when your data is stolen from an e-commerce site or your details are mined from, say, Facebook and then traded on the Dark Web, your profile can be built up to engineer an attack.”

S Ramadorai, chairman of the National Skill Development Corporation, has said that the government must hire cyber security experts just like social networking sites like Facebook and Twitter do. These companies actually challenge hackers to hack into their systems so as to identify the weak spots.

But for that, there should be a will. Neeraj Aarora, cyber lawyer, said: “There have been many credit card breaches in the last few years. None of the cases have been cracked by the police or bankers. India is getting into IT in a big way without any technical, legal or administrative framework or infrastructure to meet the challenge. There seems to be also no intention to repair the damage as the government has not appointed a judge or chairman to head the Cyber Appellate Tribunal for the last five years despite court judgments passing strictures asking it to appoint the judge.”

In early January 2017, the cyber cell of the Gujarat Crime Branch received call details from US-based voice-over internet protocol service providers to aid its investigation in a case where over 80,000 US citizens were defrauded by fake calls. These callers pretended to be from the Internal Revenue Service and said the US citizens would be raided if they did not cough up the tax they had tried to evade. The calls were made by an Ahmedabad-based call centre. The police have been able to identify only 25 victims. It will take years to identify the rest as it is estimated that calls were made to over 4.5 lakh US citizens.

Pavan Duggal, cyber law expert and Supreme Court advocate, said that India is not at all prepared to take on cyber criminals as it needs a solid legal framework to tackle cyber crime. As India tries to race on the internet highway and go digital, it needs to first create systems to secure itself. Otherwise, it will have to pay a heavy price in the months to come.
