Phishing in India: The onus of prevention now lies with banks
11 June 2010
With increasing adoption of internet banking in India, internet frauds including phishing has been on the rise. An April 2010 judgement on a phishing case filed by a victim of phishing against ICICI bank went against the bank. This was a landmark case for many reasons: • This was the first phishing case filed under the relatively new Information Technology Act 2000 (though there are some phishing cases lying with consumer courts across the country) • The adjudicator (Tamil Nadu IT secretary) not only dismissed the bank’s plea of negligence on behalf of the aggrieved customer and ordered the bank to compensate him for the entire loss of money but also chided the bank for its lack of due diligence and even ordered the bank to compensate for the trauma suffered by the customer and his legal and travelling expenses. This judgement clearly puts the onus of prevention of phishing on banks (unless a higher court reverses it) In his judgement, the adjudicator gave the following reasons for favouring the customer: • The bank did not authenticate its email to customers with Digital Signatures (which is against RBI guidelines) • The money was transferred to an account which had been in debit for 2 years and encashed through issuance of self cheques. Failure to identify a major transaction on an overdraft account is evidence of negligence and lack of due diligence by the bank • The bank’s failure to retain CCTV record (as per Know Your Customer norms) is another evidence of negligence by the bank The reasons put forward by the adjudicator clearly highlight the problems with internet banking in India. In spite of RBI rules and guidelines, digital signatures are hardly used, KYC norms are often not adhered to and due diligence and fraud prevention systems are missing in arsenal of Indian banks to fight online fraud. The judgement has thereby been hailed as a wake-up call for the banks. However absolving the customer of all charges of negligence in a phishing case may have wider repercussions. Even if digital signatures are used by a bank in its communication with customers, it is ultimately upon the customer to check for the digital signature each time an email arrives from the bank. If an email comes from a fraudster and the customer does not even check whether it has a digital signature and divulges his login details, then it is negligence on part of the customer. Hence, the solution to phishing is not just better technology and due diligence by banks but better customer education. Just as everyone knows that a signature needs to be authenticated in a paper cheque; similarly everyone needs to know that digital signature needs to be authenticated in electronic communication. This is not an easy task in India, where everyday a large number of people with very basic knowledge of internet are starting to use internet banking. ICICI Bank has runs campaigns through emails to customers, on its website and through large advertisements in major newspaper about the dangers of phishing which explicitly warn customers not to divulge account details in links sent through emails as ICICI would never send such emails. If all liability in case of a phishing loss is transferred to banks, customers will inherently not be careful in their online transactions (the problem of moral hazard). Similarly if banks are not also held responsible for phishing, they will have no incentive to invest in better systems. Hence losses arising out of phishing needs to be shared by both the customer and the bank, depending upon the level of negligence of each.