Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Indian Government. Show all posts
User Security
Cyber Fraud E-Challan Scams Financial Fraud Indian Government User Security

Here's How Users Can Safeguard Themselves From E-Challan Scams

 

In light of the growing prevalence of e-challan scams, the Indian Computer Emergency Response Team (CERT-In) has released some crucial advice to prevent individuals from becoming victims and suffering financial loss. 

Nearly 4400 devices have been infected with malware, resulting in approximately Rs 16 lakh worth of fraudulent transactions, according to a recent PTI report. Users are tricked into falling for these scams by Vietnamese hackers who employ Android malware. 

As part of the campaign, the victims receive a fraudulent e-challan message on WhatsApp containing a fake payment link. By clicking the link, hackers are able to access the device. 

Modus operandi 

Phishing messages: You receive a text message or email claiming to be from an authentic traffic authority. The notification states that you have an unpaid traffic penalty and imposes a significant charge. 

Fake links: The mail will include a link that will prompt you to click to check the e-challan details or complete the payment. 

Spoofed websites: Clicking the link may direct you to a fraudulent website that appears to be an actual traffic authority website. This website is designed to steal your personal information, such as credit card information, login credentials, or Aadhaar numbers. 

Prevention tips 

Visit official site: The government security agency recommends users to only make e-challan payments using official websites. It's vital to note that each state has its own e-challan website. Legitimate e-challan websites typically end with a ".gov.in" domain extension. So, before making a payment, make sure you're using the right website.

Don't click on suspicious links: As previously said, it's best to avoid clicking on random links. This might have harmful software on it that could harm your device.

Use antivirus software: Antivirus software is able to search for, identify, and prevent this kind of malware from infecting the device. Make sure the antivirus program is updated and has the latest available database. 

If you have been a victim of financial fraud, you can file a report with your local police station as well as the cybercrime portal.
Read more »
Indian Government
Backdoor Attacks China cyber threats Data Breach Data Leak Indian Government

China's Backdoor Data Infiltration: A Growing Concern For Indian Government

 

Indian security agencies are concerned about a potential huge data breach triggered by Chinese microchips and hardware detected in biometric attendance systems (BAS) deployed in central and state government buildings, including sensitive departments. 

During their investigations, intelligence agencies discovered that over a dozen Indian enterprises that sold these biometric attendance systems to government offices used devices with Chinese-origin parts. The firms are under the scanner for potential data leaks. 

Nearly 7,500 central and state government institutions, employing around 900,000 central and 1.7 million state employees, may have been using over 80,000 dubious biometric attendance systems. This includes key central and state government buildings, as well as military and defence offices. 

According to intelligence sources, these biometric attendance systems can be easily utilised by Chinese firms to gain access to data such as the number of officials in a specific organisation, their designations, and even their locations. 

These companies are bound by China's National Intelligence Law, 2017, to send all of their data to Chinese state intelligence agencies. The law, which went into force in June 2017, gives the Chinese government extensive power to manage and access data from companies that fall under its jurisdiction.

Given China's aggressive spying tactics, India's ministry of home affairs has established a dedicated wing of intelligence officials to monitor Chinese firms' activity in India as well as the Indian security system. Furthermore, the Indian government is working to eliminate the presence of Chinese-made equipment, particularly from the national security apparatus. 

Earlier, security officials expressed serious concerns about the potential threat of data leakage from surveillance cameras, particularly those of Chinese origin, installed at various military installations across the country.

According to a letter from the Integrated Defence Headquarters at the Ministry of Defence (MoD), one of the market leaders in surveillance cameras, which is 41% owned by the Chinese government, is operating in India through a collaboration with an Indian company. The modules for these camera systems are supplied by a Chinese company, although the items are advertised as 'Made in India', the MoD stated. 

Following the Chinese troops' incursion into Ladakh, the ministry of finance's department of expenditure issued GFR (general finance rule) 144 XI on July 23, 2020, to ensure that Chinese firms do not participate in procurements directly or through Indian/Chinese subsidiaries without first registering with the DPIIT (Department for Promotion of Industry and Internal Trade).
Read more »
Indian Government
Data Breach Data Leak Data Privacy Employee Data Indian Government

Hacker Claims Data Breach of India’s Blue-Collar Worker Database

 

A hacker claims to have accessed a large database linked with the Indian government's portal for blue-collar workers emigrating from the country. 

The eMigrate portal's database allegedly includes full names, contact numbers, email addresses, dates of birth, mailing addresses, and passport data of individuals who allegedly registered for the portal.

The Ministry of External Affairs launched eMigrate, which helps Indian workers in emigrating overseas. The portal also offers clearance tracking and insurance services to migrating workers. 

The database for sale on a recognised cybercrime forum looks to be genuine and it even includes the contact information for the Indian government's foreign ambassador. While it is unclear whether the data was stolen directly from the eMigrate portal or via a previous breach, the threat actors claim to have access to at least 200,000 internal and registered user accounts. 

India's Computer Emergency Response Team (CERT-In) is working with the relevant authorities to take appropriate action, while the Ministry of External Affairs is yet to respond on the matter. This is not the first time India's government portals have been accused of data leak. 

Earlier this year, an Indian state government website was found exposing sensitive documents and personal information of millions of residents. In May, scammers were found to have tricked government websites into displaying adverts that redirected users to online betting sites. 

The implications of such data breaches is difficult to estimate. However, data breaches can have serious consequences for individuals whose personal information is exposed. Personal information provided on hacker forums is frequently used by attackers to launch phishing attacks, steal identities, and compromise users' financial security. 

“Personal data is its own form of digital currency on the internet and breaches cost organizations a significant amount. The breaches impacting organizations and government entities are what the public sees front and center, but the impact on the end user isn’t as visible.” Satnam Narang, sr. staff research engineer, Tenable stated.
Read more »
Telecom Sector
Cyber Fraud cybercriminals DoT Fake Calls Fraud Calls Identity Fraud India Indian Government Spoofing Telecom Sector

Combatting International Spoofed Calls: India's New Measures to Protect Citizens

 

In recent times, fraudsters have increasingly used international spoofed calls displaying Indian mobile numbers to commit cybercrime and financial fraud. These calls, which appear to originate within India, are actually made by criminals abroad who manipulate the calling line identity (CLI). 

Such spoofed calls have been used in various scams, including fake digital arrests, FedEx frauds, narcotics in courier schemes, and impersonation of government and police officials. To combat this growing threat, the Department of Telecommunications (DoT) and Telecom Service Providers (TSPs) in India have developed a system to identify and block incoming international spoofed calls. 

This initiative aims to prevent such calls from reaching any Indian telecom subscriber. The Ministry of Communications announced that TSPs have been directed to block these calls and are already taking steps to prevent calls with spoofed Indian landline numbers. In addition to this, the DoT has launched the Sanchar Saathi portal, a citizen-centric platform designed to enhance user safety and security amid the rising threat of fraud and international call scams. This portal includes a feature called "Chakshu," which allows individuals to report suspicious calls and messages. 

Chakshu simplifies the process of flagging fraudulent communications, providing an extra layer of protection against cybercriminals. Chakshu serves as a backend repository for citizen-initiated requests on the Sanchar Saathi platform, facilitating real-time intelligence sharing among various stakeholders. The platform also provides information on cases where telecom resources have been misused, helping to coordinate actions among stakeholders. 

Union Minister Ashwini Vaishnaw has highlighted additional measures, including creating a grievance redressal platform for reporting unintended disconnections and a mechanism for returning money frozen due to fraud. These efforts aim to address the concerns of citizens who may have been inadvertently affected by the anti-fraud measures. Since its launch in May last year, the Sanchar Saathi portal has been instrumental in enhancing the security of telecom users. It has helped track or block over 700,000 lost mobile phones and detect more than 6.7 million suspicious communication attempts. 

These efforts underscore the government's commitment to safeguarding citizens from cyber threats and ensuring the integrity of telecom services. The DoT and TSPs' proactive measures, along with the Sanchar Saathi portal, represent significant steps towards protecting Indian citizens from international spoofed calls and other forms of cybercrime. By leveraging advanced technology and fostering collaboration among stakeholders, these initiatives aim to create a safer digital environment for all.
Read more »
Third-Party Risks
Biometric data biometric vulnerability Data Breach Data Leak Hackers attack Indian Government Indian Government hacked personal information exposure Third-Party Risks

Massive Data Breach Exposes Sensitive Information of Indian Law Enforcement Officials

 

Recently, a significant data breach compromised the personal information of thousands of law enforcement officials and police officer applicants in India. Discovered by security researcher Jeremiah Fowler, the breach exposed sensitive details such as fingerprints, facial scans, signatures, and descriptions of tattoos and scars. Alarmingly, around the same time, cybercriminals advertised the sale of similar biometric data on Telegram. 

The breach was traced to an exposed web server linked to ThoughtGreen Technologies, an IT firm with offices in India, Australia, and the United States. Fowler found nearly 500 gigabytes of data, encompassing 1.6 million documents dating from 2021 to early April. This data included personal information about various professionals, including teachers, railway workers, and law enforcement officials. Among the documents were birth certificates, diplomas, and job applications. 

Although the server has been secured, the incident highlights the risks of collecting and storing biometric data and the potential misuse if leaked. “You can change your name, you can change your bank information, but you can't change your actual biometrics,” Fowler noted. This data, if accessed by cybercriminals, poses a long-term risk, especially for individuals in sensitive law enforcement roles. Prateek Waghre, executive director of the Internet Freedom Foundation, emphasized the extensive biometric data collection in India and the heightened security risks for law enforcement personnel. 

If compromised, such data can be misused to gain unauthorized access to sensitive information. Fowler also found a Telegram channel advertising the sale of Indian police data, including specific individuals’ information, shortly after the database was secured. The structure and screenshots of the data matched what Fowler had seen. For ethical reasons, he did not purchase the data, so he could not fully verify its authenticity. In response, ThoughtGreen Technologies stated, “We take data security very seriously and have taken immediate steps to secure the exposed data.” 

They assured a thorough investigation to prevent future incidents but did not provide specific details. The company also reported the breach to Indian law enforcement but did not specify which organization was contacted. When shown a screenshot of the Telegram post, the company claimed it was “not our data.” Telegram did not respond to requests for comment. 

Shivangi Narayan, an independent researcher, stressed the need for more robust data protection laws and better data handling practices by companies. Data breaches are so frequent that they no longer shock people, as evidenced by a recent face-recognition data breach involving an Indian police force.

Globally, as governments and organizations increasingly use biometric data for identity verification and surveillance, the risk of data leaks and abuse rises. For example, a recent face recognition leak in Australia affected up to a million people and led to a blackmail charge. It also has to be noted that many countries are looking at biometric verification for identities, and all of that information has to be stored somewhere. If they decide to farm it out to a third-party company, they lose control of that data.
Read more »
Telecom Firm
Cyber Crime DoT Indian Government Mobile Connection Telecom Firm

Indian Govt Targets Cyber Criminals: DoT To Deactivate 1.8 Million SIMs

 

According to a recent media report citing 'officials' as sources, telecom operators are planning to disconnect approximately 1.8 million mobile connections at once as part of the government's first all-India operation to combat cybercrime and online fraud. 

This development comes after a thorough investigation conducted by multiple law enforcement authorities to trace the usage of mobile networks for cybercrime and financial theft.

"During investigations, it was detected that in many instances, a single handset was used with thousands of mobile connections," an official privy to the details told the local media outlet. 

On May 9, the Department of Transportation directed telcos to deactivate 28,220 mobile devices and re-verify nearly two million mobile connections that had been misused with these handsets. 

Officials stated that in such cases, just 10% of the connections are verified, with the remainder being disconnected and failing re-verification. They also stated that the disconnection will take place once the telecoms completed the re-verification in 15 days. The action comes amid a consistent increase in the number of mobile phone-related cybercrimes in the country. 

The National Cybercrime Reporting Portal (NCRP) said that digital financial theft victims lost Rs 10,319 crore in 2023. The Parliamentary Standing Committee on Finance said that over 694,000 complaints were received in 2023. 

Officials stated that fraudsters generally employ SIM cards from other telecom circles and frequently change the combination of SIM and handset to avoid detection by law enforcement and carriers.

"For instance, an Odisha or Assam circle SIM could be used in Delhi NCR," a second official noted. "To avoid the radar, fraudsters make only a few outgoing calls and then change the SIM as too many out. going calls from the same number would get detected by telco systems.”

According to an earlier investigation, telcos disconnected almost two lakh SIM cards last year for alleged involvement in cybercrimes. In another case, the authorities investigated places such as Mewat in Haryana, and more than 37,000 SIM cards were disconnected. 

Coordinated Action: To combat cybercrime, the government believes that telecoms should improve their detection of SIM usage patterns, particularly those purchased outside of home circles."As part of their roaming detection system, telcos can instantly capture when a person moves out to a different circle," added the second official.
Read more »
Indian Government
Chinese Hacker Data Breach Data Leak Data Safety Indian Government

Indian Authorities Probes Data Breach Concerns Involving PMO and EPFO

 

The Open-Source Intelligence (OSINT) team at India Today reviewed leaked data that claimed a Chinese state-affiliated hacker group had targeted major Indian government offices, such as the "PMO" (likely the Prime Minister's Office), as well as businesses like Reliance Industries Limited and Air India. 

Over the weekend, thousands of files, images, and chat messages related to I-Soon—a claimed cybersecurity contractor for China's Ministry of Public Security (MPS)—were secretly shared on GitHub.

The leak reveals a complex network of covert attacks, spyware operations, and sophisticated surveillance by Chinese government-linked cyber criminals. 

A machine-translated version of the leaked internal documents, originally written in Mandarin, shows hackers documenting their techniques, targets, and exploits. Targets included the North Atlantic Treaty Organisation (NATO), an intergovernmental military alliance, European governments, and organisations, as well as Beijing's friends such as Pakistan. 

Indian targets 

The data stolen names Indian targets such as the Ministry of Finance, the Ministry of External Affairs, and the "Presidential Ministry of the Interior," which is likely a reference to the Ministry of Home Affairs. 

During the peak of India-China border tensions, advanced persistent threat (APT) or hacker groups stole 5.49GB of data from various offices of the "Presidential Ministry of the Interior" between May 2021 and October 2021. 

"In India, the primary work goals are the ministries of foreign affairs, finance, and other key departments. We continue to monitor this sector closely and want to capitalise on its potential in the long run," reads the translated India section of what appears to be an internal report prepared by iSoon. 

User data for the state-run pension fund management, the Employees' Provident Fund Organisation (EPFO), the state telecom provider Bharat Sanchar Nigam Limited (BSNL), and the private healthcare chain Apollo Hospitals were also allegedly compromised. 

The leaked documents also mentioned about 95GB of India's immigration statistics from 2020, referred to as "entry and exit points data". Notably, following the conflict in Galwan Valley in 2020, India-China relations deteriorated further.

"India has always been a major emphasis for the Chinese APT side of things. The stolen data inevitably covers quite a few Indian organisations, including Apollo Hospital, persons coming in and out of the nation in 2020, the Prime Minister's Office, and population figures," said Taiwanese researcher Azaka, who initially uncovered the GitHub hack. 

This is not the first time China has been blamed for cyberattacks on India. Seven Indian power hubs were reportedly targeted by hackers linked to China in 2022. Threat actors attempted to breach India's power system in 2021 as well.
Read more »
Indian Government
CyberCrime Cybersecurity Data Breach Financial Exploit Indian Government

Dawnofdevil Hackers on the Rise Again

 



In the ongoing battle to secure the cyber realm, the emergence of new hackers continues unabated, constantly innovating methods to breach the digital boundaries that safeguard your online world. A new hacking collective known as "dawnofdevil" has emerged as a potent threat to various Indian entities, with a particular focus on government organisations. This group, operating discreetly within the confines of BreachForums, has boldly asserted its successful infiltration into the security apparatus of the Income Tax Department of India. The potential compromise of sensitive information within this governmental body raises significant concerns about data confidentiality and the potential for unauthorised access to various affiliated websites.

Operating under the pseudonym "dawnofdevil," an unidentified individual has boldly claimed to breach the robust security infrastructure of the Income Tax Department. The purported breach involves gaining unauthorised access to an email account hosted on the incometax.gov.in domain, a development that could potentially open avenues for unauthorised registrations on a range of government-affiliated websites. Adding to the gravity of the situation, the hacker is actively seeking buyers for this compromised email access, attaching a price tag of US$500 to the illicit offering.

Expanding their cyber activities, dawnofdevil has recently made waves by claiming a successful breach of Hathway, a prominent broadband and cable TV service provider in India. The hacker boasts of obtaining personal data from a staggering 41.5 million customers, comprising names, addresses, phone numbers, and even password hashes. This extensive dataset is being offered for sale at a substantial price of US$10,000. Furthermore, the hacker asserts control over access to MySQL and Oracle databases, totaling over 400 GB of data spread across more than 800 tables with production data. Additionally, the claim includes possession of 4 million+ KYC documents, containing sensitive details like full names, Aadhar numbers, PAN cards, and other national ID information.

To underscore the magnitude of the breach, dawnofdevil has shared samples of the compromised data, revealing the depth and variety of information at risk. In a move to facilitate the sale of this illicit information and enable targeted searches, the hacker has established a Tor site. This dark web portal allows individuals to search for specific data entries using mobile numbers and email addresses.

The implications of these security breaches are profound, necessitating a comprehensive understanding of the potential risks involved. As investigations unfold, there is an urgent need to employ the importance of robust cybersecurity measures. The broader community, both organisations and individuals alike, should remain vigilant in the face of these evolving cyber threats, taking proactive steps to safeguard sensitive data and mitigate the risks associated with unauthorised access. Stay tuned for ongoing updates as the alleged organisations look closely into the investigation, and the cybersecurity world continues to make developments. 


Read more »
User Privacy
Criminal Law Data Privacy Laws Data Protection Bill Fine Indian Government Privacy Sensitive Data Leak User Privacy

Govt Proposes Rs 250 Cr Fine for Consumer Data Leaks

The Indian government has proposed a fine of up to Rs 250 crore on enterprises found guilty of disclosing customer data, which is a significant step toward bolstering data protection procedures. This action is a component of the Data Protection Bill, which seeks to protect sensitive personal data about individuals and improve corporate accountability for handling such data. The bill's recent introduction into Parliament represents a turning point in India's effort to strengthen data security.

As per the bill, businesses and entities handling consumer data will be held liable for severe penalties if they fail to maintain the necessary safeguards to protect this information. The proposed fines are among the most substantial globally, reflecting the government's commitment to ensuring the privacy and security of its citizens' data.

According to the Minister of Electronics and Information Technology, this step is crucial to "create a robust mechanism to protect the data rights and privacy of individuals." The increasing digitization of services and the rise in cybercrimes have underscored the urgency of enacting comprehensive data protection legislation.

Industry analysts predict that the proposed sanctions would motivate companies to prioritize data security and make significant investments in cybersecurity. They think that the potential financial repercussions will encourage businesses to embrace cutting-edge frameworks and technologies to stop data breaches.

The Data Protection Bill is the result of intensive talks with several stakeholders, including business representatives, academics, and civil society organizations. In addition to focusing on sanctions, it also seeks to create a Data Privacy Authority (DPA) tasked with monitoring and upholding data privacy laws. The DPA will be crucial in assuring compliance and enforcing any infractions.

Both supporters and opponents of the bill have drawn attention as it moves through Parliament. While supporters applaud the government's efforts to protect personal information, some detractors contend that small firms may be disproportionately affected by the sanctions. Legislators continue to struggle with finding a balance between the protection of personal information and corporate convenience.

Data security has grown to be of utmost importance in a world where it is frequently referred to as the new oil. The government of India has made it clear that it intends to develop a solid framework for data protection, aligning the country with international trends in protecting digital privacy, through the planned fines. As the bill advances, its effects on both consumers and corporations will likely change how data management and privacy are viewed in India.



Read more »
Threat Landscape
Aadhar Security Deepfake Digital Identity Generative AI Indian Government Technology Threat Landscape

Generative AI Threatens Digital Identity Verification, Says Former CTO of Aadhar

 

Srikanth Nadhamuni, who formerly held the position of chief technology officer (CTO) of Aadhar between 2009 and 2012, believes that the tremendous improvement we are seeing in the field of artificial intelligence, particularly generative AI, poses a clear and present danger to digital identity verification. He and Vinod Khosla co-founded Bangalore-based incubator Khosla Labs, where he serves as CEO. 

The trust mechanisms that have been meticulously built into identification systems throughout time are seriously threatened by deep fakes, synthetic media that effectively mimic actual human speech, behaviour, and appearance. The need for a "proof-of-personhood" verification capability, probably using a person's biometrics, becomes paramount in this increasingly likely future scenario where AI-generated impersonations cause chaos and erode trust in the system, the tech expert wrote in a LinkedIn post titled "The Future of Digital Identity Verification: In the era of AI Deep Fakes." 

Disinformation is now taking on a whole new dimension thanks to generative AI. Text-to-image AI models like DALL-E2, Midjourney, and Stable Diffusion can produce incredibly realistic visuals that are simple to mistake for the real thing. The ability to create misleading visual information has been made possible by this technology, further obscuring the distinction between truth and fiction.

Even though the Indian government has stated that it will not regulate artificial intelligence (AI), it has revealed that the impending Digital India Act (DIA) will include provisions to address disinformation produced by AI.

“We are not going to regulate AI but we will create guardrails. There will be no separate legislation but a part of DIA will address threats related to high-risk AI,” Union Minister Rajeev Chandrasekhar said. 

The draft hasn't been released yet, so it's unclear how it will address the challenge that generative AI poses to digital identity verification. 

How to identify deep fake images

According to Sandy Fliderman, president, CTO, and creator of industry fintech, it was simpler to spot fakes in old recordings because of changes in skin tone, odd blinking patterns, or jerky motions. But since technology has advanced so much, many of the traditional "tells'' are no longer valid. Today, red flags could show up as irregularities in lighting and shading, which deepfake technology is still working to perfect.

Humans can seek for a number of indicators to distinguish between authentic and fraudulent photographs, such as the following: 

  • Body components and the skin have irregularities.
  • Eyes have a shadowy area. 
  • Unorthodox blinking patterns.
  • Spectacles with an unusual glare. 
  • Mouth gestures that are not realistic. 
  • Lip colour is unnaturally different from the face. 
Read more »
User Privacy
Cyber Attacks Indian Government Information Technology Tata Motors Scam User Privacy

Hacktivist's Target Tata Power Company

On October 14, Tata Power acknowledged a cyberattack on its information technology (IT) infrastructure. The company declared that it has taken steps to recover and restore the systems and that all essential operating systems were functioning properly. The company noted that for staff and customer-facing portals and user experience, it has also implemented restricted access and preventative checks. 

Tata Power did not provide any additional information on the subject. The Social media manager declined to comment when questioned about the nature of the attack and how it affected the company. Additionally, they opted not to comment on whether any data had been stolen. As mentioned in the Statement, the firm has taken action to recover and restore the systems. 

The corporation creates, transmits, and sells electricity in South Asian countries. It aspires to increase the proportion of clean energy in its portfolio from around a third to 60% in five years and to achieve net zero by 2045. It claims to have the highest installed and managed energy-producing capacity in the nation, with 13,974 MW. 

The expansion of Tata Power's business via rooftop solar, microgrids, storage options, solar pumps, EV charging infrastructure, and home automation has recently caught their attention. Through its distribution firms, the company provides service to over 12 million consumers.

In its official statements, the Indian government has cited the nationwide energy network's cybersecurity as a challenge. Chinese state-sponsored hackers allegedly targeted the Indian electricity sector as part of a long-term scheme, according to a report released in April by the American cybersecurity firm Recorded Future. In response to the news, the spokesperson for India's Ministry of External Affairs, Arindam Bagchi, stated that the nation has not brought up this matter with China. 

Read more »
User Privacy
Corporate Hacking Indian Government Privacy User Privacy

Flaws in Policybazaar Insurance Firm

A small cybersecurity company informed Policybazaar last month that it had found severe security flaws in the organization's internet-facing network that could expose the private financial and personal information of at least 11 million customers to malicious hackers.

The unnamed firm used the typical ethical hacker strategy, which gave Policybazaar, the insurance aggregator, time to fix the bugs and notify the authorities. It said that it felt legal, in part because it had workers who were clients, but it did not get permission in advance to test Policybazaar's technology.

On July 24, a publicly held entity Policybazaar — which counts Tencent among its investors — notified India's stock markets that it had suffered an unauthorized breach, but "no substantial customer data was compromised."

Flaw analysis

CyberX9's director Himanshu Pathak said that anyone with decent computer/IT expertise could have easily found, used, and leaked all of this material.

CyberX9, a startup, is not passive. The company's managing director wants Indians to be aware that since many extremely significant flaws were so simple to find, it appeared as though Policybazaar had purposefully left itself vulnerable to hacking by criminals.

The data also contains copies of the identification, health, and financial documents that people must present in order to obtain insurance, such as tax returns, pay stubs, bank statements, driver's licenses, and birth certificates.  90% of India's internet insurance aggregator market is claimed by Policybazaar, a broker for various carriers and types of policies that collects data through user uploads and self-generated records.

The Associated Press contacted three of the people listed in the sample material, which included copies of private data from CyberX9, one of whom was a soldier stationed in Ladakh, a region that is disputed by Pakistan and China. All three of them acknowledged that they were Policybazaar users. All of them claimed they were unaware of any security incident.

56 million users were enrolled on Policybazaar at the end of December, with 11 million of them as 'transacting clients' who bought 25 million insurance policies, according to documentation on the website of Policybazaar's parent firm, PB Fintech Ltd.

Other than to declare that it had corrected the discovered vulnerabilities and had forwarded the incident to outside consultants for a forensic audit, Policybazaar refused to answer the queries from the AP.

After learning about the volume of private and sensitive data that Policybazaar was in charge of maintaining during its November IPO, CyberX9 claimed it made the decision to check Policybazaar's network for vulnerabilities.

There were no limitations on the number of times an unauthorized user could perform such a retrieval, per the report, which detected five vulnerabilities and was able to collect user data without requesting permission.

Data privacy in India

The founder of SecureLayer7, Sandeep Kamble, said that the handling of these cases by the legal system is immature since most judges lack the necessary technological knowledge. 

Despite the nation's top court deemed privacy to be a fundamental right in 2017 and ordered the government to draft legislation, India, which has 800 million internet users, also lacks a data protection law. Criticism of some of the bill's provisions, such as one that allowed the government access to personal data in the interest of 'sovereignty,' caused a delay in its consideration in Parliament.

A data protection law is deemed required in India, where financial fraud and data leaks are common, as per digital experts. Due to previous events in which both private companies and the government leaked people's data, its absence has raised privacy issues in the nation.









Read more »
UPI
Crypto Exchange cryptocurrency Indian Government Technology UPI

Indian Crypto Exchanges Disables Deposits Via UPI System

 

Multiple Indian crypto exchanges have disabled rupee deposits using the Unified Payments Interface (UPI) system, which is the most widely used retail payment method. This comes after the National Payments Corporation of India (NPCI) said last week that it was unaware of any crypto exchange using UPI. 

The Indian government has spent years working on a law to ban or regulate cryptocurrencies, with a ban backed by the central bank over risks to financial stability. However, recently the government has taken a decision to put a tax on the income from cryptocurrency and other digital assets. 

Crypto exchange Wazirx is not offering UPI support. The exchange tweeted on Wednesday, “Currently, UPI is not available,” and advised users to do P2P payments instead, which have zero fees. The platform also added that it has no estimated time limit to address the issue with UPI deposits. Coindcx is also not supporting payments by UPI, saying on Twitter Monday, “UPI is temporarily unavailable.”

Coinswitch Kuber, with over 15 million users went one step ahead and reportedly suspended all INR deposit services, including UPI and bank transfers via NEFT, RTGS, and IMPS. The Nasdaq-listed crypto exchange Coinbase, which recently launched in India, has also disabled all purchase options, including the UPI. 

Last month, multiple reports suggested that Coinbase has begun rolling out UPI and IMPS support for its users in India after users noticed the inclusion of the two payment systems (UPI & IMPS) on Coinbase’s app. The company acknowledged the same at its launch event on 7th April. 

“We are aware of the recent statement published by NPCI regarding the use of UPI by cryptocurrency exchanges. We are committed to working with NPCI and other relevant authorities to ensure we are aligned with local expectations and industry norms,” the exchange clarified. 

An industry source with direct knowledge of the matter said the NPCI was caught between a rock and a hard place when Coinbase claimed to launch with UPI support. “Once the launch of Coinbase happened in India and they announced the usage of UPI as a payment option, NPCI realized it needed to put a clarification out there,” the person said. 

Earlier this month, popular payment service Mobikwik also disabled offering services to crypto exchanges. Meanwhile, crypto exchanges have been declining in India after the 30% tax on crypto income went into effect without allowing loss offsets or deductions on April 1. From July 1st, a 1% tax deducted at source (TDS), will also be applicable on crypto transactions. 

There are no official data available on the size of India's crypto market, but industry experts believe the number of investors ranges from 15 million to 20 million, with a holding of about Rs 40,000 crore ($5.25 billion).
Read more »
Technology
Cyber Attacks Hackers Indian Government Technology

Indian Govt Bans Foreign Firms from Conducting IT Security Audits


The Indian Government directs the ministries and departments responsible of India's basic infrastructure to abstain from employing foreign firms to conduct IT security audits of its frameworks and systems; this was brought to light following the cyber-attack on Kudankulam Nuclear Power Plant.

From now onwards Indian firms empanelled for inspecting will require a clearance from domestic spy agency, Intelligence Bureau (IB) to preclude any foreign link. Security reviews in every one of the ministries and critical sectors are done to guarantee that nation's information infrastructure isn't vulnerable against attacks by hackers and that every one of the systems have a protected government firewall.

As per the reports looked into by Firstpost, Computer Emergency Response Team (CERT-IN) — under the domain of the Ministry of Electronics and Information Technology — has arranged a rundown of evaluating firms in consultation with the IB.

It has been additionally observed that certain critical segments are confronting dangers from numerous sources and increasing attacks on the frameworks are organised and targeted with the assistance of criminals and state actors to thusly receive monstrous rewards out of 'information compromise or espionage'.

The cyber criminals may indulge in fraud, conduct espionage to steal state and military mysteries and disturb critical infrastructures by misusing the vulnerabilities in any framework.

The administration archives state that, “The public sector, although increasingly relying on information technology, has not fully awakened to the challenges of security. Economic stability depends on uninterrupted operations of banking, finance, critical infrastructure such as power generation and distribution, transport systems of rail, road, air, and sea which are critically reliant on information technology.

Even though the focus has been on improving systems and providing e-governance services by various institutions, the IT networks and business processes have not placed the desired emphasis on information security," Aside from this there are a couple of different directives which have been issued for critical areas for protective observing of sensitive data and risk radiating from terrorist groups or enemy state.

Workers taking care of sensitive servers will be required to unveil the phone they are carrying, its serial number, model number alongside subtleties like security abilities and vulnerabilities and the critical segments will claim all authority to control official information on the said employee's mobile, including the privilege to back up, retrieve, modify, decide access or erase the organization's information without an early notice.

Likewise, people or specialists employed for security reviews of government frameworks will have to sign a non-disclosure agreement to anticipate spillage of sensitive information.
Read more »
Indian Government
Cyber Crime Cyber Security Indian Government

Indian Govt. Takes Steps For Preventing Incidents of Cyber Crimes; Improving Cyber Safety in the Country



With the ascent of phishing attacks being at its prime, Mr Ravi Shankar Prasad stresses at the government's contribution in finding a way to avoid more and more episodes of cyber security and improving the cyber safety in the nation.

The current Union Minister holding the Law and Justice and Electronics and Information Technology portfolios in the Govt. of India took to the Lok Sabha this issue and tended to it with most extreme consideration.

He wrote, “With the innovation of technology and rise in usage of cyber space, cyber-attacks such as phishing and identity theft are observed. Such phishing attacks are global phenomena which target users to trick them to divulge information such as online credentials."


According to the data accessible with Indian Computer Emergency Response Team (CERT-In), more than 260 phishing incidents were seen in the initial five months of 2019.

With the parliament informed on Wednesday , 26th June , the report was reviewed and it was observed that around 552 phishing incidents were observed during the year 2017, while in 2018, the number stood at 454, and in 2019 (till May) it was 268.

"CERT-In is working in coordination with Reserve Bank of India (RBI) and banks to track and disable phishing websites,” Prasad said including that CERT-In issues cautions and warnings in regards to most recent cyber threats and counter-measures on a regular basis to guarantee the safe utilization of digital technologies.

Read more »
Indian Government
Ayushman Bharat Bharat Breach of Security and Privacy Health Health insurance Indian Government

Security breached of Ayushman Bharat

Ayushman Bharat, the government run health insurance programme, on Saturday confirmed that there had been an attempted security breach. “There have been attempts to get illegal access to large medical data including sensitive personal information,’’ said Dr. Indu Bhushan, CEO Ayushman Bharat - Pradhan Mantri Jan Arogya Yojana.

Alerted about the intrusion 48 hours ago, the National Health Authority — which administers the programme — has now written to all State Governments alerting them about the threat and warning that no sensitive data be shared.

Describing the nature of the attempted breach, Dr. Bhushan said contact had been made with Ayushman Bharat employees urging them to leak sensitive information on the available health profiles of those covered by the scheme.

With more than 3 crore e-cards issued countrywide to individuals covered under the scheme and over 21 lakh hospital admissions, worth ₹2,820 crore, having been approved, the scheme is one of the world’s largest state-run health insurance programmes, according to the government. Health data is extremely sensitive and of great value to commercial and pharmaceutical companies.

“We have this data enveloped in multiple layers of security which is tough to penetrate,” explained Dr. Bhushan. “We also have a stringent access system for those within Ayushman Bharat and we were alerted, almost immediately, when the breach was attempted,’’ he said.

The authority is now also seeking assistance from the public to help ensure that the programme stays cybersecure and that patient data and records are not compromised in any manner.

“We are making a public appeal to please report such cases to @AyushmanNHA at the earliest for proper investigation and actions to mitigate any potential risk,’’ Dr. Bhushan said.

Ayushman Bharat has also had to combat multiple attempts to defraud individuals and companies “using our programmes as a disguise,” said an official, who spoke on condition of anonymity. “People have been offered jobs and some have even been duped saying that we charge for registration. All of this is illegal,’’ the official added.
Read more »
TikTok
App Stores Apple Google Indian Government TikTok

Indian Government asks Apple and Google to remove TikTok from App Stores







The government of India has asked Google and Apple to remove the Chinese short-video sharing application TikTok from their app stores.

India’s Ministry of Electronics and Information Technology (MeitY) reportedly asked the companies to do so after the Supreme Court of India, refused to stay an order by the Madras High Court to ban the app. 

The bench was headed by the Chief Justice Ranjan Gogoi, and the matter was posted till April 22, as the Madras High Court is expected to hear the case on April 16. 

TikTok's official statement: ’’As per the proceedings in the Supreme Court today, the Madras High Court will hear the matter on ex party ad interim order. The Supreme Court has listed the matter again for April 22, 2019, to be apprised of the outcome of the hearing on the April 16th, 2019 before the Madurai Bench of Madras High Court.’’

‘’At TikTok, we have faith in the Indian Judicial system and the stipulations afforded to social media platforms by the Information Technology (Intermediaries Guidelines) Rules, 2011. We are committed to continuously enhancing our existing measures and introducing additional technical and moderation processes as part of our ongoing commitment to our users in India.’’

‘’In line with this, we have been stepping up efforts to take down objectionable content. To date, we have removed over 6 million videos that violated our Terms of Use and Community Guidelines, following an exhaustive review of content generated by our users in India."




Read more »
WhatsApp
Indian Government Misinformation Social Media WhatsApp

Whatsapp Declines to comply with the Government’s Demand



With general elections scheduled to be held one year from now in India, the Indian Government is taking a strict prospect of the utilization of various social media platforms like Facebook, Twitter, and WhatsApp for the spread of prevarication of information.

In the light of the same it had requested from WhatsApp for a solution for track the outset of messages on its platform.

The Facebook owned firm though declined to comply with the government's request saying that the move will undermine the protection and privacy of WhatsApp users.

Sources in the IT Ministry have said that the administration has declared that WhatsApp should keep on exploring the specialized technical advancements whereby if there should be an occurrence of mass circulation of offensive and detestable messages whipping up clashes and delinquency, the outset can be figured out easily.

The ministry is additionally looking for an all the more firm affirmation of the assent with Indian laws from the company, along with the foundation of grievance officer with a wide framework.

Accentuation has been given to the fact that a local corporate entity, subject to Indian laws, ought to be set up by the company in the outlined time period.


Prior this week the WhatsApp Head Chris Daniels got together with the IT Minister Ravi Shankar Prasad for tending issues similar to this one. After the gathering, Mr. Prasad said that the legislature has requested that WhatsApp set up a local corporate entity and uncover a technological solution in order to ascertain the outset of the  phony messages circled through its platform simultaneously commission  a grievance  officer.

 “People rely on WhatsApp for all kinds of sensitive conversations, including with their doctors, banks and families. Building traceability would undermine end-to-end encryption and the private nature of WhatsApp, creating potential for serious misuse,” the Facebook-owned firm said on Thursday.

“WhatsApp will not weaken the privacy protections we provide,” a company spokesperson stressed, adding, “Our focus remains working closely with others in India to educate people about misinformation and help keep people safe.”

A month ago, WhatsApp top administrators, including COO Matthew Idema, met IT Secretary and other Indian government authorities to summarize the several different advances being taken by the company on this issue.

Read more »
Subscribe to: Posts (Atom)