Advocate Prashant Mali
Blogs

Untitled

posted Aug 7, 2017, 5:21 AM by Prashant Mali   [ updated Aug 7, 2017, 5:22 AM ]

Won 6 Landmark Cases of Online Banking & Credit Card Fraud cases 2015

posted Jan 22, 2015, 10:41 PM by Prashant Mali   [ updated Jan 22, 2015, 10:50 PM ]

6 Landmark cases of Online Banking & Credit Card Frauds where Compensation is granted of 1.25 crore 
Advocate Prashant Mali won 6 Landmark cases of Online Banking and credit card frauds for his clients . Shri Rajesh Agarwal, IAS & Adjudication Officer under Section 45 of The IT Act,2000, i.e Cyber Crime Court for Compensation and Damages in layman’s term has awarded Compensation to Online Banking Frauds . Justice is done to all those who have lost money in recent frauds.
http://timesofindia.indiatimes.com/tech/tech-news/6-banks-telecom-firm-to-pay-for-credit-card-frauds/articleshow/45879324.cms

I Win Three Landmark Cases starting Jan 2014

posted Jan 17, 2014, 4:40 AM by Prashant Mali   [ updated Feb 12, 2014, 2:50 AM ]

Case No. 1
Amit Patwardhan V Bank of Baroda
It was held that Bank cannot share with Clients Bank statement with anyone. If does so it amounts to Data Theft under The IT Act,2000
The Decision Order Copy can be downloaded from following Link
Case No. 2
Sanjay Dhande V ICICI BANK & Vodafone 
i.e Mr Sanjay Dhande; Mrs Medha Dhande M/s Sango Consultants Pvt Ltd V/s ICICI Bank, Vodafone Store, Vodafone India and Ors
Mr. Dhande Was given Compensation of Rs. 18 Lakhs for Online Banking Fraud
and it was held that the Data Which Telecom Companies hold is "Sensitive Personal Data" under Section 43A of The IT Act,2000
The Decision Order Copy can be downloaded from following Link
Case No.3
Rohit Maheshwari V Vodafone &ors
It was held that CDR is a Sensitive Personal Data under Section 43A of The IT Act,2000. Vodafone cannot part with Mobile Phone Bill with any third party
The Decision Order Copy can be downloaded from following Link
http://it.maharashtra.gov.in/Site/Upload/ACT/Final%20Order_Rohit%20Maheshwari%20Vs%20Vodafone_Scanned.PDF 
Case No. 4
An Anticipatory Bail in "Data Theft & Hacking case" was secured for an Managing Director of an IT Services Company in Sessions Court
Case No. 5
An 2 times rejected Bail was then secured by me in a pornography and obscenity matter of the IT Act,2000

Online Banking & Credit Card Fraud Lawyers Advisory

posted Sep 26, 2013, 12:35 AM by Prashant Mali   [ updated Jul 22, 2014, 5:30 AM ]

Online Banking Fraud & Credit Card Fraud Advisory !!
After listening to plight of sufferers from various online and credit card banking related frauds and handling so many cases of fraud right from Rs. 15 thousand  to Rs. 52 Lakhs, i have humbly by experience come to following conclusion and Advisory
1. Every Net banking users should have two bank accounts
2. One in technology oriented banks like icici, hdfc,axis,yes,sbi etc with online banking option etc
3. One account in any other cooperative bank but balance up to Rs. 100000/- only na d if you want to have more balance at hand Rs. 1 lakh each in different trustworthy cooperative banks. Rest can be in fixed Deposits 
[ This is said coz RBI only insures up to 1 lakh i.e if the bank goes kaput up to 1lakh RBI will pay you]
4. In the technology oriented bank maintain only amount needed for handling online transactions as Bill payment or ticketing e.t.c
5. When ever required, money can be transferred to online banking account by cheque/DD/cash etc
6. Go back to your banks and check whether in your account opening form you have ticked for Online Banking or Mobile Banking , please untick the same
7. Please go to your bank immediately and ask them to issue chip based credit/debit cards to avoid cloning(this can take time but RBI had asked banks to do this by june 2013)
8. Any extra cash in the online banking account can be moved to Fixed deposits .
9. Avoid Mobile Banking / mobile payment gateway completely till standards, rules and regulations are formulated, take my word i m getting ready to handle mobile banking and payment related frauds as cases have started tickling. 
10. Even though i personally  hate handling cash, but in Indian markets cash still remains a king and various frauds in banking are asserting the faith in cash based economy again..
God Bless You by Lots of Money and Bless You further to Keep it safe safe and safe always

Banking ombudsman received 70,541 complaints in 2012-13, of which 25 per cent — 17,867 — pertained to netbanking and ATM, debit and credit card frauds. Over 21 per cent (14,492 cases) of the total complaints in 2011-12 and 24 per cent (17,116 cases) in 2010-11 pertained to plastic money fraud.

The total loss from technology-related fraud in the last four years, till March 2013, was put at over Rs 357 crore. Of this, over Rs 183 crore was reported from new private sector banks. Foreign banks reported a loss of over Rs 145 crore in the same period.

There have been several instances wherein fraudsters have employed hostile software programmes or malware attacks, phishing, vishing (voicemail), SMSishing (text messages), whaling (targeted phishing on high networth individuals) apart from stealing confidential data..


Acquittal under Section 67 of The IT Act,2000(cyber law)

posted Sep 16, 2013, 12:10 AM by Prashant Mali

Hurrahhh!!!!!!
Today I Got Acquittal (Baa Izzat Bari) for my client in a matter pertaining to Section 67(facebook obscenity) of The IT Act,2000(cyber crime matter), 419,469,509 of IPC were also included. This was a first case of Facebook Abuse in Thane District and a huge media matter then.
1. FIR was registered in 27/09/2006, 
2. Charge sheet was submitted by police on 30/04/2007, 
3. Acquittal on 16/09/2013. 
This is my Third Acquittal in last two years in The IT Act, 2000 related cases.
earlier cases were of Section 66A(online defamation) and Section 66(Data theft & Hacking) of The IT Act,2000

Your Brain Also Can Be Hacked ?

posted Sep 13, 2013, 6:56 AM by Prashant Mali

Brain hacking, it’s time to protect our mind from hackers ..

Brain hacking is the act to read the content of the human brain and modify it, is the technology mature to allow hackers to penetrate our mind?
Brain hacking refers the possibility to attack the human brain to extract sensitive information such as data and memories, including also the capability to inject new information. Exactly as any other computer computers, human brains may be vulnerable to hacking attacks, state of the art of technology already allow researchers to perceive changes in the magnetic field related to brain activity making possible reading of people’s thoughts.
Neurotechnologist are currently working to the designing of a portable brain monitor called iBrain that can detect the brain’s electrical activity from the surface of the scalp, individuals with amyotrophic lateral sclerosis or similar pathologies still have healthy brain activity and the iBrain could be used to control a mouse pointer on a computer screen.
Recently researchers at the Usenix Security conference have demonstrated that exploiting a zero-day vulnerability in the human brain is possible hack it. The scientists used a commercial off-the-shelf brain-computer interface for the brain hacking resulting in the disclosure of information that victims had in their minds.
The brain-computer interface consists of principal components
• the hardware composed by a (an EEG; an electroencephalograph) equipped with a series of sensors that are placed directly on the human scalp
• the software designed to interpret brain activity signals
The price for a Brain Computer Interface is sensibly decreased in the last years, just around Rs. 15000 are sufficient to buy an Emotiv or Neurosky BCI, immediately usable to control the user computer.
The Brain Computer Interfaces shall be accompanied with API to build applications able to elaborate BCI’s output. Researchers from the Universities of Oxford and Geneva, and the University of California, Berkeley have designed an application able to access to sensitive data in the human brain, hacking brain makes possible the disclosure of sensitive information such as the debit card PIN, home location and month of birth.

Advance Persistent Threat(APT) & India

posted May 2, 2013, 2:32 AM by Prashant Mali

With the cyber attacks on DRDO and kind of Internet blackout India faced in March of 2013, thought of penning this Blog to make my readers aware about the scenario on APT in general and where India should be poised.

What is APT?

A common definition of APT is hard to come by as many vendors, consortiums and groups put their own twist on the terminology. A commonly accepted explanation of APT refers to it as “an advanced and normally clandestine means to gain continual, persistent intelligence on an individual, or group of individuals such as a foreign nation state government.” APT is sometimes used to refer to sophisticated hacking attacks and the groups behind them. What does that mean to the Indian citizen, though?

Simply put, APT is reconnaissance and investigation of your network, in addition to your infrastructure and your information assets. It’s a reference to a sophisticated and dedicated attacker or attackers who are willing to “lay low” and go very slow in exchange for gathering data about you, your organization and how you operate. For the IT Professional managing an environment, adjusting your current infrastructure and preparing for this threat will require a different mindset and some analytical assessment.

According to CERT-In (Computer Emergency Response Team - India), till October an estimated 14,392 websites in the country were hacked in 2012. the general acceptance that social media usage boosts the likelihood of a successful APT attempt.

The attackers behind APTs are interested in a broad range of information, and are stealing everything from military defense plans like latest DRDO attacks to schematics for toys or automobile designs. Their motivation can be financial gain, a competitor’s advantage in the marketplace, the sabotage of a rival nation’s essential infrastructure, or even just revenge.

APTs start by identifying vulnerabilities that are unique to your employees and infrastructure. And since they are precisely targeted, surreptitious, and leverage advanced malware and zero-day (unknown) exploits, they can bypass traditional network and host-based security defenses.

Cybercriminals are increasing the use of Web-based malware, and employing malicious uniform resource locators (URLs) for only brief periods of time. They use “throw-away” domain names in just a handful of spear-phishing emails before moving on, enabling them to fly under the radar of URL blacklists and reputation analysis technology. Additionally, the report points out, they are blending URLs and attachments in email-based attacks, and reproducing and morphing malware in an automated fashion.

These techniques render the use of defenses that rely on known patterns of data almost entirely ineffective. We are in April and year 2013 is already the 'year of the hack'. Even more disturbing is the fact that many attacks are being carried out by state sponsored actors from countries like China, Korea and Iran.

It is imperative to know when a targeted attack is underway, and how to gather evidence to be able to understand its purpose and origin. Leveraging multiple security solutions that use different methods to detect malicious activity for both internal and external threats can enhance your capabilities. Security technology has been evolving, and manufacturers are developing ingenious ways of not only detecting, but stopping, zero-day attacks. 

Many advanced security monitoring tools work well in conjunction with more traditional defenses, such as firewalls, IDPS, antivirus, gateways, and security information and event-management (SIEM) systems. With the right tools in place and staff and operational support behind them, you can gain the situational awareness and counterintelligence needed to identify an attack, and potentially block or quarantine threats. Even if an attack is successful, the insight gained into how it occurred, what information may have been compromised, and the relative effect of your defenses can be invaluable to recovery efforts, and will help you continuously improve your security posture.

India’s Cyber Law i.e under the section 66F (Cyber Terrorism) of The IT Act, 2000 has enough teeth to fight against such criminals if found. India needs to implement a huge knowledge management system which can be used by its defense forces along with DRDO, NTRO, CERT-in. This knowledge management on APT can help us weed of any successful cyber attacks and can increase our cyber attack preparedness. India needs a Holistic approach and view to encounter APT threat as a country, We have cyber security heroes in pockets but for APT we need team of heroes guided with systems and processes to channel their fight against APT.

Intermediary (ISP,Website Hosting,Facebook,Google,Banks,Stock Exchanges,Social Networking sites) Law in India

posted Feb 21, 2013, 5:35 AM by Prashant Mali

As per Section 2(1)(w) of the IT Act, 2000 (Indian Cyber Law) "Intermediary" with respect to any particular electronic records, means any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record and includes telecom service providers, network service providers, internet service providers, web hosting service providers, search engines, online payment sites, online-auction sites, online market places and cyber cafes;
1. All Banks ,Insurance & Finance companies
2. All Stock Exchanges(NSE,BSE,MCX etc)
3. All ISP's(BSNL,MTNL,SIFY,Tikona etc)
4. All Telecom Companies(Airtel, Vodafone, Aircel, Reliance etc)
5. All Auction Sites(ebay.in,Quickr,mybid.in,Auto auction sites etc)
6. All ecommerce sites(flipkart,myntra,jabong,amazon etc)
7. All Payment gateways, payment agreegators
8. Search Engines,Social networking websites
9. cyber cafe(Any place where public surfing on internet is allowed)
10. to be interpreted an case to case basis
Responsibility of an Intermediary
The intermediary or person in-charge of computer resource shall be responsible for the actions of their employees also, and in  case of violation of the provision of the Act and rules made there under pertaining to maintenance of secrecy and confidentiality of Information or any unauthorised  monitoring or collection of traffic data or information, the intermediary or person in-charge of computer resource shall be liable for any action under the relevant provision of the laws for the time being in force.
(Under Clause 6 0f THE INFORMATION TECHNOLOGY (PROCEDURE AND SAFEGUARD FOR MONITORING AND COLLECTING TRAFFIC DATA OR INFORMATION) RULES, 2009
 Intermediary to ensure effective check in handling monitoring or collection of traffic data or information.
The Intermediary or person in-charge of computer resources shall put in place adequate and effective internal checks to ensure that 
unauthorised  monitoring or collection of traffic data or information does not take place and extreme secrecy is maintained and utmost 
care and precaution is taken in the matter of monitoring or collection of traffic data or information as it affects privacy of citizens and also 
that this matter is handled only   by the designated officer of the intermediary or person in-charge of computer resource.
Destruction of records by Intermediary
   (1) Every record, including electronic records pertaining to such directions for monitoring or collection of traffic data shall be destroyed 
by the designated officer after the expiry of a period of nine months from the receipt of direction or creation of record, whichever is later, 
except in a case where the traffic data or information is, or likely to be, required for  functional requirements.
(2) Save as otherwise required for the purpose of any ongoing investigation, criminal complaint or legal proceedings the intermediary or 
the person in-charge of computer resource shall destroyed records pertaining to directions for monitoring or collection of information 
within a period of six months of discontinuance of the monitoring or  collection of traffic data and in doing so they shall maintain extreme 
secrecy.
Due diligence to be observed by Intermediary in India
The intermediary shall observe following due diligence while discharging his duties, namely :
(1) The intermediary shall publish the rules and regulations, privacy policy and user agreement for access or usage of the 
intermediary’s computer resource by any person. 
(2) Such rules and regulations, terms and conditions or user agreement shall inform the users of computer resource not to host, 
display, upload, modify, publish, transmit, update or share any information that —
(a) belongs to another person and to which the user does not have any right to;
(b) is grossly harmful, harassing, blasphemous, defamatory, obscene, pornographic, pedophilic,  libelous, invasive of another's privacy, 
hateful, or racially, ethnically objectionable, disparaging, relating or encouraging money laundering or gambling, or otherwise unlawful 
in any manner whatever; 
(c) harm minors in any way;
(d) infringes any patent, trademark, copyright or other proprietary rights;
(e) violates any law for the time being in force; 
(f) deceives or misleads the addressee about the origin of such messages or communicates any information which is grossly offensive 
or menacing in nature;
(g) impersonate another person;
(h) contains software viruses or any other computer code, files or programs designed to interrupt, destroy or limit the functionality of 
any computer resource;
(i)   threatens the unity, integrity, defence, security or sovereignty of India, friendly relations with foreign states, or or public order or 
causes incitement to the commission of any cognisable offence or prevents investigation of any offence or is insulting any other nation.
(3) The intermediary shall not knowingly host or publish any information or shall not initiate the transmission, select the receiver of 
transmission, and select or modify the information contained in the transmission as specified in sub-rule (2):
Provided that the following actions by an intermediary shall not amount to hosting, publishing, editing or storing of any such information as
specified in sub-rule (2) ―
(a) temporary or transient or intermediate storage of information automatically within the computer resource as an intrinsic feature of 
such computer resource, involving no exercise of any human editorial control, for onward transmission or communication to another 
computer resource;
(b) removal of access to any information, data or communication link by an intermediary after such information, data or communication 
link comes to the actual knowledge of a person authorised by the intermediary pursuant to any order or direction as per the provisions
 of the Act;
(4) The intermediary, on whose computer system the information is stored or hosted or published, upon obtaining knowledge by itself or 
been brought to actual knowledge by an affected person in writing or through email signed with electronic signature about any such 
information as mentioned in sub-rule (2) above, shall act within thirty six hours and where applicable, work with user or owner of such 
information to disable such information that is in contravention of sub-rule (2). Further the intermediary shall preserve such information and 
associated records for at least ninety days for investigation purposes.
(5) The Intermediary shall inform its users that in case of non-compliance with rules and regulations, user agreement and privacy policy 
for access or usage of intermediary computer resource, the Intermediary has the right to immediately terminate the access or usage rights 
of the users to the computer resource of Intermediary and remove non-compliant information..
(6) The intermediary shall strictly follow the provisions of the Act or any other laws for the time being in force.
(7)  When required by lawful order, the intermediary shall provide information or any such assistance to Government Agencies who are 
lawfully authorised for investigative, protective, cyber security activity. The information or any such assistance shall be provided for the 
purpose of verification of identity, or for prevention, detection, investigation, prosecution, cyber security incidents and punishment of 
offences under any law for the time being in force, on a request in writing stating clearly the purpose of seeking such information or any 
such assistance.
(8) The intermediary shall take all reasonable measures to secure its computer resource and information contained therein following the
 reasonable security practices and procedures as prescribed in the Information Technology (Reasonable security practices and 
 procedures and sensitive personal information) Rules, 2011.
(9) The intermediary shall report cyber security incidents and also share cyber security incidents related information with the Indian 
Computer Emergency Response Team.
(10) The intermediary shall not knowingly deploy or install or modify the technical configuration of computer resource or become party to
any such act which may change or has the potential to change the normal course of operation of the computer resource than what it is 
supposed to perform thereby circumventing any law for the time being in force:
Provided that the intermediary may develop, produce, distribute or employ technological means for the sole purpose of performing the 
acts of securing the computer resource and information contained therein.

(11) The intermediary shall publish on its website the name of the Grievance Officer and his contact details as well as mechanism by which
 users or any victim who suffers as a result of access or usage of computer resource by any person in violation of rule 3 can notify their 
complaints against such access or usage of computer resource of the intermediary or other matters pertaining to the computer resources 
made available by it. The Grievance Officer shall redress the complaints within one month from the date of receipt of complaint.
To be Contd..

prashant.mali@cyberlawconsulting.com

How do You clear Your web browser's cache, cookies, and history?

posted Jan 19, 2013, 5:03 AM by Prashant Mali

Something About cache, cookies, and history 
Each time you access a file through your web browser, the browser caches (i.e., stores) it. By doing this, the browser doesn't have to newly retrieve files (including any images) from the remote web site each time you click Back or Forward. You should periodically clear the cache to allow your browser to function more efficiently.
A cookie is a file created by a web browser, at the request of a web site, that is then stored on a computer. These files typically store user-specific information such as selections in a form, shopping cart contents, or authentication data. Browsers will normally clear cookies that reach a certain age, but clearing them manually may solve problems with web sites or your browser.
A browser's history is a log of sites that you visit. When you press a browser's Back button, you are moving back one entry in the history log. Browsers will normally clear their history at regular intervals, but you may want to clear it manually for privacy reasons.
Internet Explorer 9 and 8
1. Click Tools, and select Delete Browsing History... . 
2. Deselect Preserve Favorites website data, and select Temporary Internet files, Cookies, and History. 
3. Click Delete.
Internet Explorer 7
1. From the Tools menu in the upper right, select Delete Browsing History... . 
2. To delete your cache, click Delete files... .
To delete your cookies, click Delete cookies... .
To delete your history, click Delete history... .
3. Click Close, and then click OK to exit.
Firefox 3.5 and above for Windows
1. From the Tools menu, select Clear Recent History... . Alternatively, in Firefox 4 and above, you can also click the orange Firefox button, and then select Clear Recent History from the History menu. 
2. From the Time range to clear: drop-down menu, select the desired range; to clear your entire cache, select Everything. 
3. Click the down arrow next to "Details" to choose what history elements to clear (e.g., check Cookies to clear cookies). Click Clear Now.
Firefox 3 for Windows
1. From the Tools menu, select Clear Recent History... , and then select the items you want to delete (e.g., Browsing & Download History, Cache,Cookies).
2. Click Clear Recent History... .
Chrome
1. In the browser bar, enter: chrome://settings/clearBrowserData
2. Select the items you want to clear (e.g., Clear browsing history, Clear download history, Empty the cache, Delete cookies and other site and plug-in data).
From the Obliterate the following items from: drop-down menu, you can choose the period of time for which you want to clear cached information. To clear your entire cache, select the beginning of time.
3. Click Clear browsing data.
Safari
1. From the Safari menu, select Reset Safari... . 
2. From the menu, select the items you want to reset, and then click Reset. As of Safari 5.1, Remove all website data covers both cookies and cache.
Firefox 3.5 and above for Mac OS X
1. From the Tools menu, select Clear Recent History. 
2. From the Time range to clear: drop-down menu, select the desired range; to clear your entire cache, select Everything. 
3. Click the down arrow next to "Details" to choose which elements to clear. Click Clear Now.
Firefox 3 for Mac OS X
1. In Firefox, from the Tools menu, select Clear Recent History. 
2. Select the elements you want to clear (e.g., Browsing & Download History, Cache, Cookies), and then click Clear Private Data Now.
Mobile Safari for iPhone OS (iPhone, iPod touch, iPad)
To clear cache and cookies:
1. From the home screen, tap Settings, and then tap Safari. 
2. At the bottom of Safari's settings screen, tap the buttons for Clear Cookies and Clear Cache. To confirm, tap Clear Cookies or Clear Cache again.
To clear history:
1. From the home screen, tap Safari.
2. At the bottom of the screen, tap the Bookmarks icon.
3. In the lower left, tap Clear.
4. Tap Clear History.
Android
To clear cache, cookies, or history:
1. Start your browser. 
2. Tap Menu, and then tap More. 
3. Select Settings. 
4. Under "Privacy settings", select Clear cache, Clear history, or Clear all cookie data as appropriate, and then tap OK to accept (or Cancel to cancel) the deletion.

66A of The IT Act, 2000 & Facebook Incident

posted Dec 4, 2012, 2:21 AM by Prashant Mali

Be judicious while posting on facebook. While using the right to Freedom of speech and expression given by our constitution, the atmosphere and sentiments around should be
 accounted for to save yourself from such rare arbitrary interpretation and usage of law. The freedom of speech right given by our constitution is not absolute, defamation is an exception to this freedom of speech under Article 19(1)(2). We should also look towards people whose lives are destroyed by blasphemous, vulgar or careless statement by free speech advocates on the facebook. So who is affected most from 66A financially? I strongly feel facebook and google whose business in the form of loads of compliance towards law and enforcement agencies by providing them ip address and other evidences get affected. I completely agree that words “Grossly Offensive “ and “Menacing Character” in Section 66A(a) can be widely and vividly interpreted by the law the enforcement agencies but then I think what words would Law makers use for mindless expression of some facebookers which offend people personally to the destruction of their character or moral. More over Internationally India is not the only jurisdiction in the world using such words in there statute.
I feel police using IT Act,2000 sections where it is not applicable because all the sections being cognizable to arrest the person, this can be a bone of contention and further as per Section 81 of the IT Act,2000 which has overriding effect over other laws Then also when sections of the IT Act,2000 are applied police adding sections of The IPC or other statutes to make the offense non-bailable could be matter of education or discussion

1-10 of 13