📰 The cyber threat to mobile banking
The lack of adequate cybersecurity and the dearth of talent in banking could potentially lead to a further rise in cyberattacks on user devices
•According to a 2020 Statista survey across 25 States in India, two-third respondents said they had a smartphone. Of these, half said they sent and received money digitally, and about 31% said they had a mobile app for banking. Nearly 14% said they used their mobile phones for banking-related purposes.
•Global cybersecurity firm Kaspersky warns of an increase in cyberattacks on Android and iOS devices in the Asia Pacific (APAC) region. One mobile banking trojan, called Anubis, has been targeting Android users since 2017. Roaming Mantis is another prolific malware targeting mobile banking users.
•There is push from regulators to make payment platforms interoperable at a time when the demand for technical experts is a serious concern in the banking industry.
•As cash transactions become a thing of the past, an increasing number of people’s interactions with their bank or bank accounts happen through their smartphones. According to a 2020 Statista survey of five thousand odd households across 25 States in India, two-third respondents said they had a smartphone. Of these, half said they sent and received money digitally, and about 31% said they had a mobile app for banking. Nearly 14% said they used their mobile phones for banking-related purposes. This number further jumped as the COVID-19 pandemic made a lot more people switch to digital modes of payment instead of transacting with cash. Convenience and quickness in completing payments via mobile applications also played a key role in accelerating this trend. This acceleration brings along with it a vulnerability: an increased threat of cyberattacks on mobile devices.
Kaspersky’s view of the threat
•Global cybersecurity firm Kaspersky warns of an increase in cyberattacks on Android and iOS devices in the Asia Pacific (APAC) as more people switch to mobile banking in the region. According to Kaspersky’s senior malware researcher Suguru Ishimaru, mobile banking Trojans are dangerous malware that can steal money from mobile users’ bank accounts by disguising the malicious application as a legitimate app to lure unsuspecting people into installing the malware. (A Trojan is a malicious code or software that looks legitimate but can take control of your device, including smartphones.)
•At the APAC Cyber Security Weekend conference on Thursday, Mr. Ishimaru pointed out two prominent malware campaigns that operate in the region and target smartphone users in several countries.
Trojans let loose
•One mobile banking trojan, called Anubis, has been targeting Android users since 2017, and its worldwide campaigns have hit users in Russia, Turkey, India, China, Colombia, France, Germany, the U.S., Denmark, and Vietnam. The malware has continued to be one of the most common mobile banking trojans with one in 10 unique Kaspersky users encountering a banking threat from the malware. The perpetrators infect the device through legitimate-looking and high-ranking malicious apps on Google Play, smishing (phishing messages sent through SMS), and BianLian malware, another mobile banking Trojan, Mr. Ishimaru noted.
•Roaming Mantis is another prolific malware targeting mobile banking users. The group attacks Android devices and spreads the malicious code by hijacking domain name systems (DNS) through smishing exploits. Kaspersky’s research team has been tracking the malware since 2018; and between the start of 2021 to the first half of 2022 alone, they detected nearly half a million attacks in the APAC region.
•Mr. Ishimaru said that while this threat group is known for targeting Android devices, their recent campaign has shown interest in iOS users. The group targets users by sending smishing texts with a short description and a URL landing page. If a user clicks on the link and opens the landing page, they are redirected to a phishing page. For iOS users, the landing page mimics Apple’s official website; while Android devices download another malware. And once the individual inputs their login credentials and proceed to the two-factor authentication, the attacker gets to know the user’s device and login details.
•“There is a notion that iOS is a more secure operating system,” Mr. Ishimaru said. “However, we [users] must take two things into account — the increasing sophistication of mobile bankers’ social engineering techniques and malware arsenal and the possibility for human errors.”
Interoperability compounds problems
•Mobile payment platforms like Google Pay, PaytM, PhonePe, Square, PayPal, and Alipay have benefited from the shift in consumers’ adoption of mobile banking.
•As a result, they have also permanently changed the payments game to their advantage. But these platforms are operating in a closed-loop payment world where a Google Pay user can send money to another bank account via only the search giant’s payment platform. This is similar to how Visa and Mastercard operate as they let payment transactions happen only within their own networks, not between each other.
•This business model could change “driven partly by regulators that prefer open, standardised platforms that lower barriers to entry,” according to an Accenture report on banking trends in 2022.
•Some countries are already making payment platform providers change their business model. China, for instance, has ordered its internet companies to offer their rival firm’s link and payment services on their platforms. In India, a new law demands all licensed mobile payment platforms to be capable of providing interoperability between wallets. The push from regulators to make payment platforms interoperable comes at a time when the demand for technical experts is a serious concern in the banking industry.
•The shortage of technology, engineering, data and security experts needed by banks to realise their digital aspirations tends to hide a much wider problem: banks’ appeal as first-choice employers of all kinds of talent has faded, Accenture’s report adds. The lack of adequate cybersecurity and the dearth of talent in banking could potentially lead to a further rise in cyberattacks on user devices. And until this mismatch is fixed, it helps to be careful and extremely cautious when using a mobile device to make payments. Apart from the usual digital hygiene practices like keeping the phone up-to-date and rebooting regularly, consumers can ensure they use their phones for banking only when the device is connected to a secure VPN. iOS 16 users can turn on the Lockdown Mode as it limits the device’s functionality and protects it from any potential malware.
Government, Twitter must reassure the public that user data has not been compromised
•A whistle-blower’s disclosure that the Indian Government forced Twitter to hire its agent, who then got access to the platform’s user data, should alarm anyone even remotely interested in the health of democracy in the country. At the very least, it requires an official response from the Government as also from Twitter, arguably the most influential social media network of these times. Instead, there now is silence. But perhaps this is hardly surprising, given how such matters have played themselves out in recent years. The disclosure was made to U.S. government agencies and congressional committees last month but came to light when CNN and The Washington Post reported about it last week. The whistle-blower is Peiter ‘Mudge’ Zatko, a cybersecurity expert brought in to help a Jack Dorsey-run Twitter in November 2020 to confront challenges related to security and privacy. He was fired by Mr. Dorsey’s successor Parag Agrawal early this year. In his short stint there, he found that Twitter had a long way to go to address security vulnerabilities — the disclosure says, “he uncovered extreme, egregious deficiencies by Twitter”. But, according to Mr. Zatko’s disclosure, Twitter conveyed a very different message to the outside world, and thus ended up deceiving everyone from users to investors, and from the Federal Trade Commission to Elon Musk (who not long ago seemed to want to buy the social media network).
•The Indian angle may be a side-story in all this but, worryingly for the world’s largest democracy, comes under the ambit of what Mr. Zatko considers “multiple episodes suggesting that Twitter had been penetrated by foreign intelligence agencies and/or was complicit in threats to democratic governance”. To be fair, there are unanswered questions about this part of his disclosure, whose most important line is the following: “The Indian government forced Twitter to hire specific individual(s) who were government agents, who (because of Twitter’s basic architectural flaws) would have access to vast amounts of Twitter sensitive data”. It is not clear, for instance, whether the agent he is referring to is the grievance officer that social media networks operating in India are required to recruit, as per the new laws framed last year. Also, it may seem that the access to sensitive data that this agent has is a product of Twitter’s own flaws and not anything else. That is why a clarification is important. In recent years, the Government has come across as being too eager to block its critics on social platforms. That, on top of unfettered access to sensitive user data, as is being alleged in the disclosure, can kill free speech. It is now time for the Government to assure everyone that it is indeed batting for the individual’s rights of free speech and privacy.
📰 The concerns around Aadhaar-Voter ID linkage
Why is the Election Commission keen on voters linking their Aadhaar with voter IDs?
•There have been instances of block officers mandating the linking of Aa dhar with Voter IDs after the Election Commission’s campaign to promote the linkage of Voter ID and Aadhaar which began on August 1.
•Form 6B provides the format in which Aadhaar information may be submitted to the electoral registration officer. However, the option to submit other listed documents is exercisable only if the voter is “not able to furnish their Aadhaar number because they do not have an Aadhaar number”.
•Civil society has highlighted that linking of the two databases of electoral rolls and Aadhaar could lead to the linkage of Aadhaar’s “demographic” information with voter ID information, and lead to violation of the right to privacy and surveillance measures by the state.
•The story so far: Reports have surfaced online of instances where block level officers have asked individuals to link their Aadhaar with their Voter IDs, failing which their Voter IDs could be cancelled. This comes in the aftermath of the Election Commission’s (EC) campaign to promote the linkage of Voter ID and Aadhaar that began on August 1. In the first ten days since its launch, the campaign saw almost 2.5 crore Aadhaar holders voluntarily submitting their details to the EC.
Why does the government want this?
•The EC conducts regular exercises to maintain an updated and accurate record of the voter base. A part of this exercise is to weed out duplication of voters, such as migrant workers who may have been registered more than once on the electoral rolls in different constituencies or for persons registered multiple times within the same constituency. As per the government, linkage of Aadhaar with voter IDs will assist in ensuring that only one Voter ID is issued per citizen of India.
Is the linking of Aadhaar with one’s Voter ID mandatory?
•In December 2021, Parliament passed the Election Laws (Amendment) Act, 2021 to amend the Representation of the People Act, 1950, inter alia. Section 23(4) was inserted in the Representation of the People Act, 1950. It states that the electoral registration officer may “for the purpose of establishing the identity of any person” or “for the purposes of authentication of entries in electoral roll of more than one constituency or more than once in the same constituency” for citizens already enrolled, require them to furnish their Aadhaar numbers.
•To reflect this amendment, in June 2022, the government notified changes to the Registration of Electors Rules, 1960. Rule 26B was added to provide that “every person whose name is listed in the roll may intimate his Aadhar number to the registration officer”. Although, the use of discretionary language throughout the amendments have been accompanied by assurances by both the government and the EC that linkage of the Aadhaar with Voter ID is optional, this does not seem to be reflected in Form 6B issued under the new Rule 26B.
•Form 6B provides the format in which Aadhaar information may be submitted to the electoral registration officer. Form 6B provides the voter to either submit their Aadhaar number or any other listed document. However, the option to submit other listed documents is exercisable only if the voter is “not able to furnish their Aadhaar number because they do not have an Aadhaar number”. To that extent, the element of choice that has been incorporated in the amendments seem to be negated or at the very least thrown into confusion.
Why is the mandatory linking of Aadhaar to the Voter ID an issue?
•The preference to use Aadhaar for verification and authentication, both by the state and private sector, stems from two reasons. First, at the end of 2021, 99.7% of the adult Indian population had an Aadhaar card. This coverage exceeds that of any other officially valid document such as driver’s licence, ration cards, PAN cards etc that are mostly applied for specific purposes. Second, since Aadhaar allows for biometric authentication, Aadhaar based authentication and verification is considered more reliable, quicker and cost efficient when compared to other IDs.
•But these reasons do not suffice the mandating of Aadhaar except in limited circumstances as per the Puttaswamy judgment. It needs to be considered whether such mandatory linkage of Aadhaar with Voter ID would pass the test of being “necessary and proportionate” to the purpose of de-duplication which is sought to be achieved. In Puttaswamy, one of the questions that the Supreme Court explored was whether the mandatory linking of Aadhaar with bank accounts was constitutional or not. The Court observed that the mandatory linking of Aadhaar with bank accounts was not only for new bank accounts but also existing ones, failing which the individual will not be able to operate their bank account. The Court held that depriving a person of their right to property for non-linkage fell foul of the test of proportionality. Even though the situation at hand is slightly different in that other means of verification and authentication are allowed if the person does not hold an Aadhaar, given the wide coverage of Aadhaar, the current design would in effect mandate Aadhaar linkage. In this context, it needs to be considered whether requiring an Aadhaar holder to mandatorily provide Aadhaar for authentication or verification would not be considered violative of their informational autonomy (right to privacy) which would allow them to decide which official document they want to use for verification and authentication.
•Moreover, in Lal Babu Hussein (1995), the Supreme Court had held that the Right to vote cannot be disallowed by insisting only on four proofs of identity — voters can rely on any other proof of identity and obtain the right to vote.
What are the operational difficulties?
•First, the preference to Aadhaar for the purposes of determining voters is puzzling as Aadhaar is only a proof of residence and not a proof of citizenship. Therefore, verifying voter identity against this will only help in tackling duplication but will not remove voters who are not citizens of India from the electoral rolls.
•Second, the estimate of error rates in biometric based authentication differ widely. As per the Unique Identification Authority of India in 2018, Aadhaar based biometric authentication had a 12% error rate. This led the Supreme Court to hold in Puttaswamy that a person would not be denied of benefits in case Aadhaar based authentication could not take place. This concern is also reflected in the previous experiences of using Aadhaar to clean electoral rolls. A similar exercise undertaken in 2015 in Andhra and Telangana led to the disenfranchisement of around 30 lakh voters before the Supreme Court stalled the process of linkage.
•Lastly, civil society has highlighted that linking of the two databases of electoral rolls and Aadhaar could lead to the linkage of Aadhaar’s “demographic” information with voter ID information, and lead to violation of the right to privacy and surveillance measures by the state. This, however, would seem to be the case with the use of any other officially valid document to verify or authenticate the identity of the voter. This would leave the EC with the option of verifying its information only through door-to-door checks. It also needs to be noted that the Puttaswamy judgment, after reviewing the Aadhaar architecture, held that the use of biometric based authentication and verification, did not lead to the creation of a “surveillance state”. To address these concerns, one needs to have enforceable data protection principles that regulate how authentication data will be used.
What is the way forward?
•Even as the amendments have been made and the EC has launched a campaign for linkage, a writ petition has filed with the Supreme Court challenging the same. It challenges the amendments as being violative of the right to privacy. The Supreme Court has transferred the writ to the Delhi High Court.
•In the meantime, it is important that the government clarifies through correction in Form 6B that the linking is not mandatory and expedites the enactment of a data protection legislation that allays concerns of unauthorised processing of personal data held by the government.
📰 Revisiting the S. Subramaniam Balaji vs Tamil Nadu judgment
What is the significance of this judgment in the context of the current debate surrounding freebies by political parties?
•The Supreme Court referred to a three-judge Bench a series of petitions seeking a judicial direction that political parties who make “wild” promises of largesse should also reveal in their poll manifestos where they will get the money to pay for them.
•The 2013 Balaji judgment states that election manifesto promises do not amount to ‘corrupt practice’ under Section 123 of the Representation of People Act.
•This revisit by the Supreme Court on its earlier judgment is unique as the court is exploring whether judicial parameters can be set on a purely political act of promising freebies.
•The story so far: On Friday, the Supreme Court referred to a three-judge Bench a series of petitions seeking a judicial direction that political parties who make “wild” promises of largesse should also reveal in their poll manifestos where they will get the money to pay for them. The reference is a shift from the court’s own stand in the S. Subramaniam Balaji vs Tamil Nadu judgment of 2013.
What happened?
•In the Balaji case judgment, a Division Bench of the Supreme Court had held that making promises in election manifestos do not amount to a ‘corrupt practice’ under Section 123 of the Representation of People Act (RP).
•However, the Supreme Court is now worried that freebies promised by political parties to win elections could bleed the public exchequer dry. The Court said that parties who form the government riding the wave created by their pre-poll promises of “free gifts” are bleeding the State finances dry by actually trying to fulfil their outlandish promises using public money.
•The Supreme Court has therefore decided to revisit the Balaji verdict.
What triggered the Balaji case?
•The course of events started in 2006, during the run-up to the Tamil Nadu Assembly elections. The Dravida Munnetra Kazhagam (DMK) released its election manifesto announcing a scheme of free distribution of colour television sets (CTVs) to “each and every household” which did not have one if the party was voted to power. The party justified that the TV would “provide recreation and general knowledge to household women, more particularly, those living in the rural areas”. The party swept to power in the polls and decided to implement its scheme and portioned off ₹750 crore from the budget for the project. The government finally distributed 30,000 TV sets across the State. In 2011, rival All India Anna Dravida Munnetra Kazhagam (AIADMK) and its alliance also announced its election manifesto with free gifts to “equalise” the gifts offered by the DMK. AIADMK promised grinders, mixies, electric fans, laptop computers, four gram gold thalis, a cheque of ₹50,000 for women’s marriage, green houses, 20 kg of rice to ration card holders (even to those above the poverty line) and free cattle and sheep. Mr. Balaji, a resident of Tamil Nadu, challenged the schemes introduced by the parties in the Madras High Court. He said the expenditure to be incurred by the State from the exchequer was “unauthorised, impermissible and ultra vires the constitutional mandates”. The High Court dismissed his case, following which he had moved the apex court.
How did the case play out?
•Mr. Balaji, represented by senior advocate Arvind Datar, said the State cannot act in furtherance of “eccentric principles of socialistic philanthropy”. He argued that the promises of free distribution of non-essential commodities in an election manifesto amounts to electoral bribe under Section 123 of the RP Act. The Comptroller and Auditor General of India has a duty to examine expenditures even before they are deployed. Money can be taken out of the Consolidated Fund of the State only for “public purposes”. The distribution of goods to certain sections of people was violative of Article 14 of the Constitution.
•In response, the State of Tamil Nadu countered that promises of political parties do not constitute corrupt practice. Political parties are not the State and ‘freebies’ is a nebulous term which has no legal status. The promises implemented by the party after forming the government is an obligation under the Directives Principles of State Policy. The State is only doing its duty to promote the welfare of its people. The promises are implemented by framing various schemes/guidelines/eligibility criteria etc. as well as with the approval of the legislature. Thus, it cannot be construed as a waste of public money or be prohibited by any statute or scheme.
•The court’s judgment held that promises by a political party cannot constitute a ‘corrupt practice’ on its part. It would be “misleading” to construe that all promises in the election manifesto would amount to corrupt practice. The manifesto of a political party is a statement of its policy. The question of implementing the manifesto arises only if the political party forms a government. It is the promise of a future government and not of an individual candidate. However, the court agreed that freebies create an “uneven playing field”. It had asked the Election Commission of India to consult political parties and issue guidelines on the election manifesto and make it a part of the Model Code of Conduct.
Why is the Court’s move to review the Balaji judgment significant?
•In its order, the court foresees that “freebies may create a situation wherein the State government cannot provide basic amenities due to lack of funds and the State is pushed towards imminent bankruptcy”. The court said it wants a transparent debate before the three-judge Bench on whether an “enforceable” judicial order can stop political parties from promising and distributing ‘irrational freebies’. The case is unique as the Supreme Court is exploring whether judicial parameters can be set on a purely political act of promising freebies.
📰 PIN code @50 years
The system of postal code may not be operationally relevant in the new role of post offices
•India Post introduced a six-digit Postal Index Number (PIN) code on August 15, 1972, the day the silver jubilee of India’s independence was observed. The idea was to give a unique identity to all physical addresses of the country in terms of the delivery jurisdiction of the post offices. This code was expected to help in bypassing the challenge of inaccurate addressing and ensure accurate and fast delivery by post offices. Now it is time to introspect whether the system succeeded in achieving its purpose in the last 50 years.
•The postal code, known differently in different countries viz. postcode, zip code, etc, is an alpha-numeric or numeric number that is included in the postal address for easy identification of the sorting-district and the addressee’s delivery post office. The codes were introduced nationwide in Germany in the year 1944, Singapore (1950), Argentina (1958), the U.S. (1963), Switzerland (1964), India (1972), and the U.K. (1974). Introduction of sorting machines in the West in the 1960s also necessitated the introduction of codes since the machines could not read the addressee’s post office easily if described in writing. The Universal Postal Union says that 160 countries of the world have so far introduced postal codes.
Speeding up the sorting
•The post code revolutionised the system of manual postal sorting as the sorters are not required to keep in memory the locations of thousands of post offices. To what extent did the PIN code succeeded in speeding up the sorting in India? It is intriguing that even after five decades, a substantial volume of mail in India is not PIN coded. The Government took efforts to educate the citizens to write the PIN code of the addressee on the mail. It succeeded to a small extent. Until about a decade ago, government offices and the billers of the utility services were the biggest culprits. In cities such as Delhi and Kolkata, where sorting work is done by machines, mails without PIN code must be coded separately before they are put to sorting machine, causing delay in processing at the sorting centres.
•Of late, the proportion of PIN-coded mails in India started improving after the introduction of computerised billing by utility service providers and the launching of KYC norms by banks, where providing complete and accurate addresses is mandatory. Now, new challenges have come up. Personal mail has almost vanished after the revolution of mobile telephony in the last two decades. What remains with the postal system are documents and e-commerce parcels where there is stiff competition from the couriers. Is the present structure of PIN code capable of handling that challenge?
•The PIN code helps in taking a piece of mail to the addressee’s post office. The delivery jurisdiction of the post office is normally divided into beats and there is a postman assigned to each beat. Beat sorting at the post office is done manually in India.
•Can we think of integrating the beat code with the six-digit PIN code? The PIN code in that case will not only identify the addressee’s post office but also the concerned beat. If the post office makes the mobile number of the delivery person of the beat available, citizens may even leave instructions to him regarding his convenience to take delivery.
Machines to the rescue
•Nowadays, the letter sorting machines, flat sorting machines (handling packets) and parcel sorting machines have tremendous capacity for sorting in a day. With the dwindling volume of personal mail, it is not impossible to sort all incoming mail and shipments at one circle or regional hub, making the concept of sorting-district redundant. Even the beat-sorting, which is done at the level of the post office, can be done in the circle hub, if the beat code is integrated with the PIN code.
•The logistic system associated in processing of e-commerce articles is intrinsically different from that of handling personal mails. A postman used to go to his beat in a bicycle along with a hundred mail pieces for delivery. But he needs a vehicle for delivery of fewer number of e-commerce parcels. For that, we need to centralise the parcel delivery centres and mechanise the beats. This in the long run may even call for rationalisation of PIN codes.
•The system of postal code that was introduced 50 years back may not be operationally relevant in the new role of a post office. Is India Post ready to take that challenge? Though the code was originally designed to help postal operations, today it is used by couriers, e-commerce players and various other service providers as a means of locational identification of a person. This aspect also needs to be kept in mind before rationalising the PIN code.
