ICICI Bank phishing fraud case: Is the organization at fault?

The judgment against ICICI Bank in a recent phishing fraud case is a game changer for Indian banking, with effects on other verticals. Be worried, very worried!

The Adjudicator of Tamil Nadu jolted Indian bankers out of their cozy slumber with his decision of April 12, 2010 in the case of Umashankar Sivasubramaniam vs. ICICI Bank. In this case, the adjudicator PWC Davidar held ICICI Bank liable to pay damages to the extent of Rs 12.85 lakh in an alleged "phishing" fraud incident involving the fraudulent transfer of Rs 6.46 lakh. In the ICICI Bank phishing fraud case, the Adjudicator clearly documents the reasons why he considers it necessary to hold the bank liable not only to repay the amount involved, but also interest and other expenses.

In my opinion, ICICI Bank should be glad that it escaped with only a financial liability instead of also being held criminally liable under several sections of the Information Technology Act 2000 (ITA 2000) and the Indian Penal Code (IPC). There was (and still is) a possibility that criminal liability for this phishing fraud incident would have stuck to several officials of the bank, including the Managers of two of its branches, the CISO, the Directors and the Chairman of the Bank, and could have resulted in jail sentences for those officials.

The ICICI Bank phishing fraud case judgment is a landmark judgment in India for several reasons, some of which can be highlighted here.

1. It is a revelation for many in India to realize that there is a judicial office called the "Adjudicator" which can deliver such decisions. Though Adjudicators have been in place for every State and Union Territory in India since March 25, 2003, few have recognized their presence and role. There have been hundreds of phishing fraud cases involving banks over the past few years in India, and a few customers have tried to take legal action to recover their losses. However, most phishing fraud victims have approached the Banking Ombudsman or consumer courts in the past. The ICICI Bank phishing fraud case was the first instance in which a victim recognized the correct jurisdiction for such disputes and approached the Adjudicator.

2. Most professionals in the banking industry had so far failed to recognize that "phishing" is an offence that falls within ITA 2000. Section 66 (as well as Section 43) can be invoked in such cases. This finding of the Adjudicator has really opened the eyes of the ignorant and recognized the latent potential of ITA 2000. This is the second beneficial aspect of the decision in the ICICI Bank phishing fraud case.

3. The decision in the ICICI Bank phishing fraud case traces the cause of the phishing loss to inadequate implementation of security in general, and non-use of digital signatures in particular. Therefore, this phishing fraud is likely to open up a spate of new security initiatives in the banking sector.

Hopefully this decision will convince Boards of most banks to include a discussion on "How to introduce digital signatures in the bank" in their next meeting's agenda.

Banking law and practice since time immemorial has been clear that if money is withdrawn from a customer's account through forgery, there is no mandate for the customer to pay. Hence this loss due to phishing fraud has to be borne by the Bank. This principle also applies to withdrawals made through electronic instructions. Unless the customer is part of a conspiracy to defraud the Bank using phishing, he cannot be held liable in such circumstances. So in phishing fraud cases, mere negligence in failing to differentiate an impersonated e-mail from a genuine e-mail from the Bank cannot make the customer liable for the passing of a forged payment instruction.

In cases such as phishing fraud, banks are trying to change these established principles by adding fine print clauses to their application forms, which the Reserve Bank of India has failed to observe and correct. Consumers consider these "unfair banking practices". The judiciary, however, has the last say on such matters, deciding whether "fine print clauses which are unconscionable and affecting the basic tenets of Banking law and practice and forced on the unsuspecting customers at the time of opening of accounts" are valid or not.

Additionally, ICICI Bank was at fault in the current instance for having been grossly negligent in meeting "know your customer" (KYC) norms, which made it easier for the fraudster to commit this phishing fraud. The bank was also inexplicably naïve in deleting electronic evidence which should have been preserved, and deplorably complicit with the fraudster in not even filing a Police complaint at its end as soon as the phishing fraud came to light.

What many do not know is that this phishing fraud incident could be a case of diversion of funds for terrorist activities. In addition, ICICI Bank tried to place itself in the position of a "Co-Beneficiary" of the phishing fraud while trying to wriggle out of its liability. This self-defeating approach of the bank (which has been documented during the trial) may come back to haunt it later as a criminal liability, if this phishing fraud case ends up in a Court, either on appeal or when the Police pursue their investigation of the criminal aspects of the case to its logical end.

This phishing fraud case will remain for a long time the "Game Changer" for the banking community in India. As a remedial measure, it is essential for ICICI Bank as well as other bankers to immediately undertake an ITA 2008 compliance audit of their activities, and take up appropriate compliance measures. This is essential so that when "phishers" attack them next time, banks are in a better frame of mind to fight the attacker, not the hapless customer.

Na.Vijayashankar (Naavi) is a former banker. He is the founder of www.naavi.org and is a techno-legal information security consultant.