
Human risk is a big problem for Indian financial institutions,
says Vicky Shah, founder of the security firm The Eagle Eye, and
banks need to start proactively educating their employees and
customers to prevent cyber threats from persisting.
Banks should work on improving awareness of the different
threats that currently exist, including e-mail
fraud, phishing and malware.
"Banks need to work on how to have effective customer awareness
programs as far as cyber fraud and banking fraud are concerned,"
Shah says in an interview with BankInfoSecurity.com's Tom Field
[transcript below].
The technology currently in place, as well as the infrastructure, is
fairly secure, Shah says. Financial institutions need to make sure
they are addressing security concerns and following the guidance
that's already out there.
A notification was sent out a few months back by the Reserve Bank
of India stating that every bank needs a mandatory CISO position
to be accountable for the risks. Other standards, such as one-time
passwords, have helped to protect Indian banks and their
customers.
In an exclusive interview about cybercrime in India, Shah
discusses:
His new book, "Are You Protected?";
Top cyber risks to banks and banking customers;
How banks can better protect themselves from fraudsters.
Shah is an information security professional with over seven
years of experience who provides consulting and advisory services
in information security practices, information security awareness,
corporate fraud investigations, incident handling and response,
computer forensics, cybercrime prevention methodology,
training and research.
In the recent past he has been invited by the Reserve Bank of India,
Mumbai, to address the High Level Committee Meeting on Governance,
Risk and Compliance, and has also addressed the Indian Bank
Association, the Gujarat Government, Maharashtra Police and various
other important organizations. He has worked with Rajasthan Police,
Haryana Police, Chennai Police, Kolkata Police, Mumbai Police and
various other departments on an as-is basis for investigations.
Shah has also written many articles and papers and has spoken at
over 50 seminars, workshops and events, combining his previous
assignments as an employee of NASSCOM and DSCI with his work over
the last year through The Eagle Eye. He has been involved in
training over 7,500 police officers, judiciary members and public
prosecutors across India in the investigation of cybercrimes.

TOM FIELD: To start with, why don't you tell me a little bit about
yourself and your experience in both information security and
cybercrime?
VICKY SHAH: I've been working in the information security domain
for over seven years now. In terms of educational qualifications I'm
a master of computer applications, having two diplomas in IT and
cyber laws. I was a forensic examiner from 2009-2010 and a lead
auditor in ISO 27001. I'm also preparing for my CFE, certified
foreign examiner. It's been a great experience that started seven
to ten years back with NASSCOM. NASSCOM is India's IT industry
association. My primary job was to create law enforcement
agencies with the association of cybercrime techniques. I grew into
an administrator and management role in about two years. Lastly,
when I left I was part of DSCI, which is the Data Security Council of
India, an initiative by NASSCOM which is a self-regulatory
organization and was instrumental in setting up the same. Also, I
have had a chance to work with the IT industry, the regulators and
compliance authorities. Now with my firm, The Eagle Eye, I'm
working with various privacy industries comprised of insurance
banks, loan departments and police agencies.
In terms of experience in cybercrime, I've been fortunate to work
in several cases. We provide technical assistance to law
enforcement agencies in India, because here now law enforcement
is capable of investigating these cases. Five years back that was a
different scenario. We basically help companies in considering and
training for the advisory role, and we help them to be more
proactive rather than reactive.

"Are you Protected?"


FIELD: Now you just authored a new book entitled "Are you
Protected?" Who is the audience for this book and what would you
say the main messages are?
SHAH: This book isn't a substitute for cybercrimes or other
computer offenses. It's intended to sell as an information
handbook for educational guidance, reference and initiating
processes. In all my years, I've been fortunate to address several
conferences and workshop training events in India where we get a
lot of questions from users. There's a lack of knowledge on the
subject. There's lack of responsibility on where this issue is
because people don't want to accept their role in this security
domain. Questions represented by the associates vary from those
who are ready to very fundamental concepts, definitions,
attributes, prevention and intellectual property when it comes to
corporate and those related to practical applications.
This book is useful for each and every person who uses internet
or mobile services, as far as India is concerned. It's generally used
for academia purposes, for educating the officers in IT security for
the states of India. We educate auditors, the Bollywood industry
and a lot of intellectual property that's being used. But there are a
lot of risks which are associated with it. We have industries; we
have chambers of commerce and so on and so forth. As I said,
it's for everybody who uses technology because there are many
definitions and explanations that are very confusing.
For example, people are always confused with hacking and a
denial-of-service, because both, in terms of concept, are the same
as far as the secure access is concerned. This handbook attempts
to clear misconceptions and provide a business understanding
with India being the focus. It also helps people outside of India
who want to do business in India as to what are the rules, laws in
India and what are the governing rules which would be applicable
to them if they are using any IT in India, IT infrastructure or setting
up new IT infrastructure in India.
It's a handbook which aims to build awareness about cybercrimes.
And there are about 54 types of cybercrimes which I have
particularly mentioned in my book, which is an FAQ and question-and-answer format, with the crime definition, example, the rich IT
law it falls under and what the punishments specific for it are. It's
more of an intellectual book. It has no context of various cyber
cells across India, whom to contact, what to do, how to report the
crime or how to protect and prevent one from being a victim.
Usually IT users are victims of various offenses, mostly
unknowingly due to the lack of awareness or due to intentional or
unintentional crimes which are committed by the Internet or
actual people. To summarize, the threat to the Internet is
unpredictable, but it's still manageable. This book aims to give
answers.

Top Cyber Risks to Indian Banks


FIELD: That's a very good overview and I would like to talk with you
specifically about financial institutions. What do you see as the top
cyber risks to Indian banks today?
SHAH: With the advances in IT, most banks in India have migrated
to core banking firms and have moved transactions to payment
cards, debit/credit and to electronic channels like ATM, Internet
banking and mobile banking. The threat has followed customers
into cyberspace with mechanisms like phishing, keylogging,
spyware, malware and other internet-based frauds targeted
specifically to the bank customers. And phishing is a major
concern for India. There was a study released by the Ministry of
Finance in 2009 where only 340 companies were registered in
India and the loss was around 15.6 crores. I'm sure this status only
talks about the crimes which are reported, and the crimes which
aren't reported there's no data available as to how much financial
loss was there.
Often in the press and media we find once or twice a month there
are instances of banking fraud because of the lack of user
awareness and security. A lot of the finances and funds are getting
lost. Also, IT governance from the bank perspective and the
information security audit which a new amendment that's come
into place which mandates that the audit has to be done annually
and bi-annually for specific processes. The outsourcing job of bank
operations, like KYC norms, has further documentation. The
human element is a big, big risk in Indian banks today because
people are collecting and handling the information of customers;
they are the biggest challenge. That's why I keep on saying human
behavior is the biggest risk in security, specifically in bank security.
In a nutshell, the banks need to work on how to have effective
customer awareness programs as far as cyber fraud and banking
fraud are concerned in order to reduce this thing.
FIELD: What would you say are some of the specific risks to both
the consumers as well as the corporate customers of the banks?
SHAH: Consumers always want a secure environment, a peace of
mind kind of feeling. Suppose a customer wants to do some
transaction online, he or she wants their systems secure, their
data not known to others and their finances safe. But at the same
time their security and responsibility is in their hands. No bank can
provide a facility. They are just a facilitator to provide you a service.
They can't guarantee you 100 percent security in terms of the
password laws or ignorance of the user.
From the corporate perspective of corporate customers, their risks
are more to do with the sales and the websites. And in terms of
the consumer it's more individualistic where they're concerned
about their accounts and the financial part of it. There are two
different perspectives here. For the consumers it's more about
individual requirement, protection of data, theft and hacking of
their accounts. Whereas corporate customers would be more
worried about the larger spectrum of the said brand reputation,
which could be lost with the risk.

Are Banks Protected?


FIELD: From your perspective Vicky, how well protected would you
say the banks are today from these cyber risks we just talked
about?
SHAH: One hundred percent security isn't possible for anyone in
this world. Banks are skeptical and are unavailable for certain risks
like human risk where they're dealing with a lot of confidential
data of the customers, the account opening procedures and the
KYC norms which are part of the RBI. Those are the areas where
banks need to improve upon. But as far as the technology and
infrastructure are concerned, I think banks are fairly secure. They
have double authentication after the August 2009 notification from
the RBI, and they're also now initiating one-time bank passwords
and IVR-based passwords. You get one-time passwords on your
mobile phone, where you register, get an SMS and a password pin.
As far as the banks are concerned, I think they're very well
protected. The only thing is the human element which needs to be
improved upon.
FIELD: Now take a step back from the banks and look at
cybersecurity law. How would you assess the state of cybersecurity
law in India today?
SHAH: If you see the laws in India, it takes time for them to be
discussed, updated and connected. We first had the India
Information Technology Act in 2000 and the amendment came in
2009. The time it took for this amendment was a very huge time
gap. But the amendments have given new scope, ideas and
thought processes. Earlier they were very vague in terms of
actually what to do and how to go about it, but now the new law
after the amendment is fairly good.
Also, I would like to highlight that ignorance of law is not
acceptable. Most of the IT users do not know the many useful
provisions which are there. It also applies to corporate. They're just
focusing more on the infrastructure and not on the other aspects
which the law provides. With India most challenges come in
developing criminal law procedures, because the context of crimes
that involve the internet or the computer are different. A lot of
technologically associated challenges are changing and faced with
new challenges. In a nutshell, the laws are fairly there. We have
good company laws. The IT Act, corporate affairs and the company
laws are there, so things are stable.

Key Fraud Trends


FIELD: I know you are a student of fraud. What would you say are
some of the key fraud trends that most interest you right now?
SHAH: In the last quarter or so, we've had a lot of innovative
frauds which are dealing with the income tax refund money given
by the Indian government. The tax payers get a refund after paying
the excess tax. The fraudsters have started sending mail which is
more personal in customizing them and changing the value to the
specifics. Financial frauds, the variation of financial frauds in terms
of income tax refund and your phishing banking frauds are
common, innovative ways we are getting the funds from the
transfers of shares. A lot of financial fraud is coming. These are the
new trends which are coming up.
Also, a lot of exploitive transactions are being reported. I have
complaints coming from clients where most of the time people
change the e-mail. E-mail spoofing currently brings fraud because
it looks deceptive, and people are being victimized by such fraud
where a person intercepts the e-mail IDs of party A and B and then
the transactions happen. A lot of financial fraud is out there in
multiple variations. These are the new trends now.
FIELD: Just a final question, I want to bring you back to the banks
for a minute. If you could offer a single piece of advice to the
banks, for a way that they could protect themselves and their
customers better than they are today, what advice would you
offer?
SHAH: The banks are already doing a lot as far as RBI Guidance
and adopting the new processes which are being specified. A
couple of months back there was a notification which said that
every bank needs to have a mandatory CISO position to be
accountable for the risks and also there needs to be committees
set up within the bank for data security issues and reporting of the
same. For those banks that haven't already incorporated this, they
can do it. They can initiate this.
Apart from this, there are a lot of sensitivity, compliance and
norms issues which are there. With credit cards and debit cards
being in circulation, they're also adopting the PCI/DSS standards
which are there. Banks which are in India are ISO 27001 compliant,
so they need to follow the guidelines on time. Five months back
there was a report from the Reserve Bank of India by the working
committee on risk technology, cyber frauds and risk management.
So there are a lot of best practices and approaches which are given
in that report which they could adopt and follow so there would be
systems that are more robust.