Jago Grahak Jago


April 2023

Google warns users of 18 bugs in mass-level Android phones

Google security teams have discovered 18 zero-day vulnerabilities in Samsung Exynos chips used in several top Android smartphones and wearables that may put those devices at risk. Google’s Project Zero head Tim Willis said in a blog post that the four most severe of these vulnerabilities “allowed for Internet-to-baseband remote code execution”. Tests conducted by Project Zero confirmed that those four vulnerabilities allow an attacker to remotely compromise a phone at the baseband level with no user interaction, and require only that the attacker know the victim’s phone number. With limited additional research and development, “we believe that skilled attackers would be able to quickly create an operational exploit to compromise affected devices silently and remotely”, said Google security researchers.

“Until security updates are available, users who wish to protect themselves from the baseband remote code execution vulnerabilities in Samsung’s Exynos chipsets can turn off Wi-Fi calling and Voice-over-LTE (VoLTE) in their device settings,” said Willis. Turning off these settings will remove the exploitation risk of these vulnerabilities, he added.

The affected mobile devices are from Samsung, Vivo, Google (Pixel 6 and Pixel 7 series); any wearables that use the Exynos W920 chipset; and any vehicles that use the Exynos Auto T5123 chipset. Google expects that patch timelines will vary per manufacturer, and affected Pixel devices have already received a fix. “As always, we encourage end users to update their devices as soon as possible, to ensure that they are running the latest builds that fix both disclosed and undisclosed security vulnerabilities,” said Google.

Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.


Fraud Alert: Beware of Aadhaar-enabled Payment System Frauds and Fake Apps

As I have repeatedly warned in this column, corporates, especially those in the finance and technology sectors, who want to find ways for rapid on-boarding of customers, lobbied hard to push the linking of Aadhaar to just about every identity, benefit and even returns on our own income. Successive governments gave in to these corporates and created an ‘expressway’ for using Aadhaar for a host of purposes never mentioned or envisaged initially. People have forgotten that Aadhaar was created primarily to provide an identity (ID) to economically backward people, migrants and nomads who did not have any ID. The creators, in their hurry to launch it, ignored aspects of security, privacy, ease of updation, and issues with biometrics that continue to afflict the Aadhaar ecosystem. Add to this, the problems such as wrong data entry, unreadable biometrics and the need for frequent updation of addresses, especially by younger people who change jobs often, and you realise the many issues with asking for Aadhaar everywhere. The worst sufferers are the poor and less literate. You would see hapless people standing in queues at Aadhaar service centres to pay money and rectify mistakes in their Aadhaar documents. In the process, some of them have their personal details stolen and sold by those who offer the service. Later in this column, I will also tell you what would happen if you install a mobile app shared or downloaded from anywhere other than the official Playstore of Google. Several instances have come to light where such fake gaming or loan apps are found stealing confidential data and emptying users’ bank accounts.

Online Financial Fraud Using AePS

The over-dependence on a flawed Aadhaar system continues to cause difficulties for people. A few days ago, the national cyber crime reporting portal of the Union ministry of home affairs (MHA) warned about online financial fraud using the Aadhaar-enabled payment system (AePS) without the need for a one-time passcode (OTP).
A few months ago, I met a senior citizen who had two bank accounts in the same bank but in different cities. She wanted to close one account and went to the bank branch in that city. However, the branch was too crowded. In the meantime, she considered withdrawing some money from her bank account before closing. But even that counter had several people standing in a long queue. Someone told her that she could withdraw money using the service offered by a banking correspondent sitting outside the branch. She went there, and after much effort, her thumb impression was recorded for Aadhaar authentication, and she received the money. The serious part is that this money was withdrawn from her bank account in another city, not the one she wanted to close. This raises a serious question about why and how the money was withdrawn from an account whose details she never shared with the banking correspondent. One possible explanation is that the money was withdrawn from the account linked with Aadhaar. However, the senior citizen had linked her Aadhaar with both accounts. Yet, money from her account was withdrawn from only one account whose details she never shared with the banking correspondent. This is a flaw in Aadhaar systems which takes into account only the recently linked bank account as valid for transactions. AePS enables a person to withdraw money from their bank account using a local business correspondent anywhere in the country, and this also makes it easy to cheat people. Last year in August, we wrote about how, during the scrutiny of suspicious bank accounts, HDFC Bank Ltd discovered that 33 savings accounts were opened with the photographs of just two individuals, while the name in each account was different. The Bank filed a complaint with the IFSO (Intelligence Fusion and Strategic Operations) unit of Delhi police which busted a gang engaged in creating fake documents, especially Aadhaar cards and opening bank accounts. 
According to the police, the fraudsters used silicon fingerprints and printouts of the iris scan of the authorised agent to log in to the UIDAI database. “Whenever any illiterate came to them for any Aadhaar updation, Navneet Prajapati captured the biometrics of that person but updated the photograph and address as suitable to him.” The warning issued by the national cybercrime portal also cautions about the misuse of Aadhaar biometrics. It advises Aadhaar-holders to lock their biometrics on the official site of UIDAI or the Aadhaar app. Remember, once your biometrics are locked, you cannot use them again for authentication without unlocking them. This may pose a different kind of issue for Aadhaar holders. So, think twice before enabling or disabling the biometrics of your Aadhaar. A few days ago, the Telangana police suggested that one should disable the biometric link from Aadhaar if the holder has lost money in an AePS fraud. It asked people not to share Aadhaar details with anyone and to be aware of fraudulent transactions carried out using fake biometrics. The main reason for AePS fraud using Aadhaar biometrics is the ease with which fraudsters can create clones of fingerprints. Cloning of fingerprints is very easy; several video tutorials are readily available online and Moneylife Foundation even demonstrated it at a webinar in October 2016!

Fake Apps

There are hundreds of apps available on Google Playstore. Many Android application package (.apk) files are readily available for download at several unofficial portals. The biggest issue with all of these apps downloaded from unofficial places is they collect all data and information available on the device and send it to the fraudsters hiding in the garb of app developers.
In the case of bogus loan apps, if the borrower does not pay the loan on time, the app company badgers the borrowers’ contacts, including sending messages for payment, as well as abusive and defamatory messages and even morphed nude images of the person. They also use social media like WhatsApp to shame borrowers over not repaying a loan. Source: moneylife.in.


JNPT Is Not a Consumer since It Invited Quotations from Banks To Earn Profit from FDs: NCDRC

Dismissing a complaint, the national consumer disputes redressal commission (NCDRC) ruled that the act of Jawaharlal Nehru Port Trust (JNPT) inviting quotations from banks seeking higher interest rates for its term deposits does not fall under the Consumer Protection Act. In this case, JNPT had also filed a case with the central bureau of investigation (CBI) against Oriental Bank of Commerce (OBC) for transferring Rs180 crore to one Padmavati International. JNPT had deposited the money with OBC as a term deposit in two tranches. In an order, the bench of justice Ram Surat Ram Maurya (presiding member) and Dr Inder Jit Singh (member) says, “…transactions between the complainant (JNPT) and the opposite party (OBC) were business to business transactions with motive to earn profit and for commercial purpose. The complainant falls within the exclusion clause of the definition of ‘consumer’ as defined under the Consumer Protection Act, and the complaint on its behalf is not maintainable.” The bench observed that in 2014, JNPT invited quotations from various banks seeking interest rates for its term deposit of Rs100 crore to Rs120 crore for two years. OBC offered an interest of 9.67% per annum (pa), the highest among other banks. On 12 February 2014, JNPT transferred Rs110 crore as a term deposit with OBC for two years with an interest of 9.67% compounded quarterly. Again on 15 February 2014, JNPT invited quotations from banks for a term deposit of Rs60 crore to Rs70 crore. OBC offered an interest rate of 9.75%pa, which was again the highest compared to other banks. On 17 February 2014, JNPT transferred Rs70 crore to OBC as a term deposit. JNPT sent emails to OBC seeking term deposit receipts (TDRs) for its two deposits of Rs110 crore and Rs70 crore. However, it did not receive the TDRs from OBC for the two deposits. JNPT alleged OBC ‘was making some excuse for not issuing TDRs’. 
After escalating the complaint with the general manager of OBC, the Trust learned that the amount of its term deposits had been transferred to the current account of Padmavati International. JNPT then filed a complaint in CBI. OBC contended that JNPT’s finance manager B Vasudeva Rao handed over the original letter dated 12 February 2014 to the Trust’s assistant technician Atmaram P Thakur, for creating a TDR of Rs110 crore for one year. “This original letter dated 12 February 2014 is now untraceable anywhere, which shows that misappropriation was done in connivance and active involvement of the employee of the JNPT.” “In spite of the fact that JNPT did not receive TDR of the money transferred on 12 February 2014, it again transferred Rs70 crore on 17 February 2014, further strengthening the connivance of the employees of JNPT. The complainant (JNPT) did not insist for issue of TDRs immediately and is guilty of contributory negligence. Transfer of money in the account of Padmavati International was at the behest of JNPT,” OBC contended. OBC also requested NCDRC to dismiss the complaint as JNPT is not a consumer and the complaint is not maintainable. Referring to NCDRC’s judgement in Synco Textiles Pvt Ltd vs Greaves Cotton & Company Ltd, the bench stated the expression ‘for any commercial purpose’ is wide enough to take in all cases, where goods are purchased for being used in any activity directly intended to generate profit. “…the intention of the Parliament must be understood to be to exclude from the scope of the expression ‘consumer’ any person who buys goods for the purposes of their being used in any activity engaged on a large scale for the purposes of making profit. The Parliament wanted to exclude from the scope of the definition not merely persons who obtain goods for resale but also those who purchase goods with a view of using such goods for carrying on any activity on a large scale for the purposes of earning profit,” NCDRC says.
In January 2019, the enforcement directorate (ED) attached Rs41.87 crore lying in bank accounts in Hong Kong of some shell companies in connection with the JNPT-OBC fraud case. According to the ED, one Rajesh Bangawala conspired with bank officials and fraudulently transferred Rs180 crore deposited by the JNPT to Padmavati International using forged documents. The agency recovered and returned Rs109 crore to JNPT. (Consumer Case No1564 of 2016 Date: 22 March 2016) Source: moneylife.in


Consumer Alert: Hair Growth Products

Numerous supplement companies, including Unilever’s Nutrafol, Viviscal, Zenwise and NutraPro, and other hair product companies, such as Vegamour, advertise their products as able to grow hair and prevent hair loss, in violation of FDA and FTC law. The following are some examples: Pursuant to the FDA, claims that a product can stimulate hair growth and prevent, reduce or treat hair loss are drug claims requiring FDA approval, which these companies do not have. In fact, the only products that have been approved by the FDA to increase hair growth and treat hair loss are finasteride (Propecia) and minoxidil (Rogaine). Further, pursuant to the FTC, such hair loss and growth claims must be supported by competent and reliable scientific evidence in the form of “tests, analyses, research, or studies that (1) have been conducted and evaluated in an objective manner by experts in the relevant disease, condition, or function to which the representation relates; and (2) are generally accepted in the profession to yield accurate and reliable results.” What does this mean? Generally, the type of substantiation that experts would require for health benefit claims are randomized, controlled human clinical trials (RCTs). Many wellness companies that make health benefit claims do not have this level of scientific support. Even in cases where companies purport to have clinical trials or studies substantiating their advertising claims, the studies frequently have major flaws that prevent them from properly supporting the claims at issue. Some companies also use positive consumer testimonials in their marketing, but such endorsements do not amount to clinical proof that the products work (and can also present other deceptive marketing issues). What all this means is that consumers presented with hair growth and hair loss prevention ads should exercise caution and be aware that the FDA does not approve supplements for safety or effectiveness. 
Consumers should also always conduct their own independent research before purchasing such products, as well as consult with their health care provider. In addition, some hair loss companies have also used influencers to promote products on social media without ensuring the influencers properly disclose their material connection to the company or that the promotional posts are ads. This violates FTC law. TINA.org has taken steps to eradicate such deception in the hair growth industry by filing a complaint with the FTC and FDA regarding one company’s numerous violations of law, as well as notifying 25 other hair product companies of the law as it pertains to hair growth and hair loss prevention claims. Consumers are also encouraged to submit any questionable hair growth promotions to TINA.org. Courtesy: TruthInAdvertising.org


Credit Information Companies To Compensate for Delayed Updation and Rectification: RBI

The Reserve Bank of India (RBI) will soon put in place a process whereby people will be compensated by credit information companies (CICs) for delayed updation/rectification of credit information reports, said governor Shaktikanta Das. Recently, the CICs were brought under the purview of the Reserve Bank Integrated Ombudsman Scheme (RB-IOS). “It is now proposed to put in place the following measures: (i) a compensation mechanism for delayed updation/rectification of credit information reports; (ii) a provision for SMS/email alerts to customers whenever their credit information reports are accessed; (iii) a timeframe for inclusion of data received by CICs from Credit Institutions; and (iv) disclosures on customer complaints received by CICs,” Mr Das said. According to him, the above measures will further enhance consumer protection. Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.


Patient Obtaining Free Services in Govt Hospital Is Not a Consumer: NCDRC

In a significant ruling, the national consumer disputes redressal commission (NCDRC) says a patient obtaining free services from a government hospital is not a consumer. The bench also appreciated a gesture by the doctor to offer Rs2 lakh to the complainant on humanitarian grounds for the death of a newborn. In an order passed last week, Dr SM Kantikar, presiding member of NCDRC, says, “It is pertinent to note that the community health centre (CHC) hospital is a government hospital providing free services and Dr Kirandeep Kaur was working as a government servant. Therefore, it was a ‘contract of service’ which Dr Kirandeep Kaur was rendering in CHC. Thus, the patient was not a consumer as defined under section 2(1)(d) of the consumer protection act. This view dovetails from the recent decision of the Supreme Court in Nivedita Singh vs Dr Asha Bharti. Therefore, the consumer complaint filed before the district forum is not maintainable.” Even though no negligence was attributable to her, Dr Kirandeep Kaur volunteered to pay Rs2 lakh to Beant Kaur, the complainant, on humanitarian grounds for the death of the newborn. “I appreciate the humanitarian gesture of the petitioner (Dr Kirandeep Kaur) and allow to pay a total of Rs2 lakh to Beant Kaur after deducting the amount, if any, that has already been paid or deposited. This direction, in any case, shall not be construed as a precedent,” NCDRC says. Beant Kaur was pregnant and, during the intervening night of 12 August 2011 and 13 August 2011, went to CHC hospital in Dhanaula. Chhinderpal Kaur, the staff nurse at the Hospital, examined the patient and suspected gastritis. Beant Kaur’s labour pain further increased and meconium-stained discharge was noted. As there was no facility for Cesarean delivery (C-section), Dr Kirandeep Kaur referred the patient to the Civil Hospital at Barnala to Dr Jasbir Singh Aulakh. Beant Kaur delivered a baby with meconium which subsequently died.
Beant Kaur, being aggrieved by the alleged negligence of Dr Kirandeep Kaur and Chhinderpal Kaur, filed a complaint before the district forum at Barnala, against the Punjab government, the chief medical officer (CMO) Dr Kirandeep Kaur, staff nurse Chhinderpal Kaur and Dr Jasbir Singh Aulakh. Partly allowing the complaint against the Punjab government and Dr Kirandeep Kaur, the district forum directed them to pay Rs2 lakh jointly and severally as compensation to Beant Kaur. Both the Punjab government and Dr Kirandeep Kaur filed an appeal before the state commission. However, the state commission upheld the order passed by the district forum. Dr Kirandeep Kaur then filed a revision petition before NCDRC. After hearing both sides and perusing medical records and documents, Dr Kantikar from NCDRC observed that it was full-term pregnancy. Beant Kaur approached Dr Kirandeep Kaur at midnight on 12th August and 13 August 2011 with acute abdominal pain. On the instructions of Dr Kirandeep Kaur, the staff nurse prescribed antacids, some lab tests were done outside and the patient was kept under observation. The bench says Beant Kaur showed meconium-stained discharge; therefore, emergency caesarian delivery was needed. However, due to the strike of national rural health mission (NRHM) staff nurses at CHC, Dhanaula, the C-section was not performed. Therefore, Dr Kirandeep Kaur referred the patient to Dr Jasbir Singh Aulakh at Civil Hospital in Barnala in the early morning by ambulance. The C-section was performed on 13 August 2011 at 10am. The newborn was engulfed with meconium stain and died after a few hours. “In my view, due to the strike of nurses, Dr Kirandeep Kaur was unable to perform a C-section and took a prompt decision to shift the patient at the civil hospital at Barnala. It was done in the best interest of the patient, which does not constitute medical negligence. 
It was neither deficiency nor failure of duty of care from Dr Kirandeep Kaur,” NCDRC says in the order. While allowing the revision petition, the bench set aside orders passed by the district forum and state commission. (Revision Petition No1786 of 2017 Date: 3 April 2023) Source: moneylife.in


18,890 complaints received on National Consumer Helpline since 2017: Govt

The government on Wednesday said 18,890 complaints have been received on National Consumer Helpline since 2017 against cab aggregators Ola and Uber. “441 grievances have been received on PG (Public Grievance) portal and 18,890 complaints received on National Consumer Helpline from January 1, 2017 to March 31, 2023 against Ola and Uber,” Minister of State for Food and Consumer Affairs Ashwini Kumar Choubey said in a written reply to Lok Sabha. The Central Consumer Protection Authority (CCPA) has issued notices to Ola and Uber on concerns related with deficiency in service, inadequate consumer grievance redressal mechanism, unreasonable levy of cancellation charge and lack of any information on the algorithm, he added. Source: Business-standard.com


Don’t Use Interim Order To Mislead Customers on Service Charges in Hotels: Delhi HC

The Delhi High Court (HC) on Wednesday said its interim order staying the guidelines of central consumer protection authority (CCPA), that prohibit hotels and restaurants from levying service charges ‘automatically or by default’ on bills, shall not be shown on the menu cards or display boards in a manner to mislead the consumers that the service charge has been approved by the court. Justice Prathiba M Singh was hearing the petitions filed by Federation of Hotels and Restaurant Associations of India and National Restaurant Association of India challenging the CCPA’s rules released on 4th July last year, which the HC stayed later that month. A co-ordinate bench stayed the guidelines while specifying that the service charge and obligation of the customer to pay it must be “duly and prominently displayed on the menu or other places.” “It is clarified that the interim order shall not be shown in the display board or menu card in a manner to mislead the consumer that the service charge has been approved by this court,” justice Singh said. During the hearing, additional solicitor general Chetan Sharma submitted that various restaurants are ‘misinterpreting the interim order’ by using it to give legitimacy to levy of the service charge. Both Associations were ordered by justice Singh to produce an affidavit stating the proportion of their members who insist on the service charge as a requirement on meal bills. The court further stated that the response must state whether the members would object if the term ‘service charge’ were to be replaced with another term, such as “staff welfare fund, staff welfare contribution, or staff charges”, in order to prevent consumers from assuming that the fee is being levied by the government. “The affidavit shall also indicate the percentage of members who are willing to inform the consumers that the service charge is not mandatory and they can contribute voluntarily.” The judge then listed the matter for the next hearing on 24th July.
“For a long time, most of us thought that the service charge is being taken by the government. That is where the problem is because people think service charge is like a service tax. A consumer doesn’t know the difference between service tax, GST etc. because people think it is being taken by the government. I have come across a lot of people who think like that,” the court said. The Centre had earlier argued that the recommendations were released in the best interests of consumers and urged the court to take the matter into consideration, including its plea for the vacation of the stay order. It had further apprised the court that certain restaurants were currently relying on the interim order to create the image that they are permitted to impose service charges. Justice Singh had said that without hearing the parties, the interim order cannot be modified and added that the application for a vacation of stay shall be taken into consideration if the main case cannot be heard on the next date. Counsel appearing for the petitioners had said the service charge, which has been in existence for the last several years, is a ‘traditional charge’ and is distributed among those who ‘are not before the customers’, and restaurants are seeking it after displaying due notice of the same on their menu cards and in their premises. The petitioners had further claimed that the CCPA’s order is arbitrary, untenable and ought to be quashed. Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.
