Centre for Internet and Society

Millions of Indians move from cash to digital payments. But some ask whether it’s safe

praskrishna — 2017-01-16T02:52:33Z

Minutes after Indian Prime Minister Narendra Modi began an ambitious new mobile-phone-payment application in December, several clones of the app popped up at Android smartphone stores.

The article by Rama Lakshmi was published by Washington Post on 14 January 2017, Sunil Abraham was quoted. Annie Gowen contributed to this report.

In the first few days, users were flooded with spam requests for money.

The Bhim app sponsored by the government was rushed out after Modi’s abrupt withdrawal of large currency bills two months ago. More than 10 million people downloaded it in just 10 days, but in a country where awareness and regulation of privacy, data protection and digital security are low, the number of cyberattacks is rising.

“We are rushing toward launching and using these plethora of financial tech apps without the exhaustive security testing and education that is needed,” said Sunil Abraham, executive director of the Center for Internet and Society. “We are operating in a bit of a regulatory vacuum.”

Modi’s ambitious move to swap old bills for new was intended to fight the hoarding of illicit cash reserves. But it was derailed by shoddy implementation, left citizens in Asia’s third-largest economy without cash for weeks, slowed manufacturing and sent workers home, and is now likely to significantly affect the country’s economic growth this year, economists say. It was acutely painful for a country where 80 percent of transactions were conducted with cash.

Modi quickly responded by turning the adversity into a call for Indians to kick their overwhelming dependence on cash and opt for digital payments overnight. The Bhim app is just one of many available. But in this leap, experts say, security concerns are being overlooked.

The new payment apps and e-wallet companies are governed by India’s outdated information technology law of 2008 and central bank guidelines.

“India urgently needs a new digital payment law that regulates all these mobile payment apps that have sprung up overnight,” said Pavan Duggal, a cyber-law expert. “We are right now in a completely uncharted and unsupervised territory legally. The norms for wallet companies are undefined. If I lose my money due to a fraud, I can go round and round in circles with no remedy.”

The central bank recently issued guidelines asking payment banks to carry out security audits, but Duggal said “there is no penalty or punishment for noncompliance.”

The problem is compounded by the fact that education about security risks online is abysmally sparse, especially in India’s small towns and villages. Indians are complacent about cyber risks in their online behavior, according to the Norton Cyber Security Insights Report. India does not have a privacy law.

India reported more than 39,000 incidents of cyberattacks in the first nine months of 2016, according to the government, including phishing, scanning and probing, website intrusions, defacements, virus and malicious code, and denial-of-service attacks.

“The Pentagon got hacked, right? You haven’t closed down the Pentagon as yet,” said Piyush Goyal, a minister. “These things will happen, and we have to be one step ahead of the hackers and the so-called security breaches and continuously improving and improvising as they do in America or other developed economies.”

In October, top banks had to fix the security codes of about 3.2 million debit cards in one of the biggest data breaches in India. Some users complained that their cards had been used in China.

Last month, hackers attacked Twitter and email accounts of prominent politicians and journalists and defaced the website of the National Security Guard, an elite commando force.

“The focus of global hackers has shifted to India. The cyber risk is a direct fallout of the growth in the number of digital users,” said Saket Modi, the chief executive of Lucideus Tech, the firm that conducted the security audit of the government’s Bhim app.

Since the cash crunch began, the largest private e-wallet company, Paytm, has experienced a 400 percent jump in new downloads.

But only 342 million people access the Internet on their mobile phones. The government has introduced dial-in service for those who have basic cellphones to make digital payments.

The government is airing radio jingles telling citizens not to share their personal identification numbers and has a toll-free helpline to teach people how to make online payments.

“Officials understand how security worries can be a big dampener in their campaign to get people to go digital,” said Vinayak Godse, senior director at the Data Security Council of India, an industry body that advises the government.

But in a trade-off between convenience and security, the central bank recently waived the mandatory two-factor authentication for transactions less than $30 online.

Some cybersecurity experts say that Indians are not ready for this step.

The police recently arrested a gang in the eastern state of Jharkhand; operators were calling people posing as bank executives and tricking them into sharing their card details. They used the cards to do online shopping and transferred money into their e-wallet accounts.

“People are gullible and can be threatened or lured to part with their bank details easily. We need as many safeguards as we can have,” said Surendra Kumar, a senior police officer in New Delhi who busted the gang.

But the biggest problem people face is that police in one state get very little cooperation from those in another state in digital-crime complaints, said Rakshit Tandon, a cybersecurity expert who trains police, military members and school students.

“Only in big-ticket frauds will police departments from different states coordinate their investigations,” Tandon said. “If a person loses a relatively smaller amount digitally, the case won’t go far. Even though that amount may mean a lot in that person’s life.”

For more details visit http://editors.cis-india.org/internet-governance/news/washington-post-january-14-2017-rama-lakshmi-millions-of-indians-move-from-cash-to-digital-payments

Milestones

praskrishna — 2012-10-02T00:12:54Z

For more details visit http://editors.cis-india.org/home-images/milestones.jpg

Mikel Maron

praskrishna — 2012-02-11T03:34:29Z

For more details visit http://editors.cis-india.org/home-images/mikel_maron.jpg

Mike

praskrishna — 2012-02-15T09:34:50Z

For more details visit http://editors.cis-india.org/home-images/Mike.jpg

Microsoft says WannaCry ransomware must be a wake-up call for governments

praskrishna — 2017-06-07T00:55:40Z

Computer security experts said the current attack could have been much worse but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0. It has, however, retweeted a blog post by Brad Smith, president and chief legal officer at Microsoft, who directs much of the blame toward the USA government, arguing that it should have alerted the $524 billion tech titan about the problem.

The article was published in Journaldu Maghreb on May 20, 2017

"This is an emerging pattern in 2017", he continued. "We have seen vulnerabilities stored by the Central Intelligence Agency show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world", wrote Smith in a blog post on Sunday. Then there's the US government, whose Windows hacking tools were leaked to the internet and got into the hands of cybercriminals.

"An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen", Mr Smith wrote. Brad Smith, Microsoft's top lawyer, criticized US intelligence agencies for "stockpiling" software code that can be used by hackers. In February, Smith first called for the creation of what he has dubbed a Geneva Convention for cyberspace, which would outlaw nation-state cyberattacks on critical infrastructure and tech companies.

Cyber-security firm HumanFirewall said that on account of high use of pirated Windows operating system in India, it was more susceptible to the attack. Microsoft has connected previous exploits of its products released by the mysterious Shadow Brokers group to tools which were stolen from NSA cyber warfare operations. "All our systems are updated as required". This sophisticated, self-propagating malware was created to spread to all other computers on the same network after infecting one machine.

Estimates by law enforcement agency Europol estimated yesterday that more than 200,000 computers in 150 countries were infected, but with the worm continuing to spread to vulnerable Windows machines, that number will surely rise. When 22 year olds are the heroes of the anti-cyber attack fight, rather than the agencies tasked to defend countries against these types of threats, it is perhaps time to question what these organisations have been doing all this time? NHS staff shared screenshots of the WannaCry programme, which demanded a payment of $300 (£230) in virtual currency Bitcoin to unlock the files for each computer. That dump included a vulnerability codenamed EternalBlue, which preys on a flaw in Microsoft Word to transmit malicious software from one Windows Computer to another. Usually used by cyber criminals, ransomware is a popular means of making illicit money from victims who have to pay the criminals in order to have their data decrypted.

Today is likely to be painful for many organizations all over the world that took the weekend off and are returning to the work-week to find hundreds or thousands of computers on their networks encrypted by WannaCry ransomware, which surfaced Friday and has been propagating ever since. It was a stress-filled weekend for many IT workers this past weekend as the WannaCry ransomware attack spread, crippling Windows systems worldwide.

Security firm BinaryEdge, which specializes in internet-wide scans, has detected more than 1 million Windows systems that have the SMB service exposed to the internet. "Otherwise they're literally fighting the problems of the present with tools from the past", he said. However, a cyber security expert working with the Centre for Internet and Society, Udbhav Tiwari working on vulnerabilities such as these, said as most ATMs in the country especially of the public-sector banks run on outdated operating systems, or are not updated regularly, they can be easily compromised. This allowed users of the older systems to secure their computers without requiring an upgrade to the latest operating software.

For more details visit http://editors.cis-india.org/internet-governance/news/journaldu-maghreb-may-20-2017-microsoft-says-wannacry-ransomware-must-be-a-wake-up-call

MHRD Estimate Expenditure.pdf

praskrishna — 2016-05-26T16:36:07Z

For more details visit http://editors.cis-india.org/a2k/blogs/MHRD%20Estimate%20Expenditure.pdf

MHRD and Planning Commission Conference on Higher Education

praskrishna — 2014-03-06T07:28:39Z

For more details visit http://editors.cis-india.org/a2k/blogs/education-conference-bombay.pdf

Messaging apps find another foe in India’s market regulator

praskrishna — 2013-06-05T10:46:32Z

Paranoid governments and mobile operators aren’t the only one that dislike messaging apps. Regulatory bodies aren’t crazy about them either. The Securities and Exchange Board of India (SEBI) is worried that attempts to pass on confidential information or manipulate markets are originating from within services like WhatsApp and Blackberry Messenger.

This blog post was published in Quartz on May 8, 2013. Elonnai Hickok is quoted.

The regulator already analyzes data from trades for irregularities through its “integrated market surveillance system”. That gives it an idea of what stocks are being manipulated. Now it wants to expand its horizons. The Press Trust of India reports that SEBI has looked into tracking Twitter and Facebook and is grappling with messaging apps—though as yet it has no systems in place for doing either, according to Elonnai Hickok of the Center for Internet Studies in Bangalore. A SEBI spokesperson could not be reached for comment.

Even if SEBI did start following you on Twitter, it cannot snoop on your WhatsApp messages. That sort of power is the preserve of intelligence and police authorities. And there is good reason for SEBI’s restricted powers. Keeping the markets clean may be an honorable pursuit, but the regulator hasn’t always used honorable means.

India’s finance minister last year said that SEBI would be allowed to request call records, which are the data kept by operators about who called whom, for how long and from where. Such information can help investigators discover sources of leaked information. It can also be used to figure out whether traders are trying to influence other investigators. But a freedom-of-information request recently revealed that SEBI had been requesting—and receiving—such data from carriers at least since 2009, well before it was supposedly allowed to do so.

For more details visit http://editors.cis-india.org/news/quartz-may-8-2013-leo-mirani-messaging-apps-find-another-foe-in-indias-market-regulator