ICICI Bank reduces home loan rates by 30 bps
IANS
15 May 2017
Private sector lender ICICI Bank on Monday said that it has reduced interest rates by up to 30 basis points (bps) for home loans of up to Rs 30 lakh.
 
"With this reduction, salaried borrowers can avail home loans at among the lowest rates in the industry. Salaried women borrowers will get home loans at 8.35 per cent and others at 8.40 per cent," the private sector lender said in a statement. 
 
According to ICICI Bank, customers from economically weaker section (EWS) and low income group (LIG) can avail the dual benefit of low interest rates and credit linked subsidy under the Pradhan Mantri Awas Yojana.
 
Commenting on the initiative, ICICI Bank Managing Director and Chief Executive Officer Chanda Kochhar said: "ICICI Bank is committed to support the government's vision to provide housing for all by 2022. In line with this commitment, we have reduced the home loan interest rates for the affordable housing segment."
 
On May 8, the country's largest home loan provider State Bank of India (SBI) announced a reduction in the home loan rates by 25 bps from 8.60 per cent to 8.35 per cent per annum.
 
Disclaimer: Information, facts or opinions expressed in this news article are presented as sourced from IANS and do not reflect views of Moneylife and hence Moneylife is not responsible or liable for the same. As a source and news provider, IANS is responsible for accuracy, completeness, suitability and validity of any information in this article.

Public Interest
Is your Aadhaar information being used without your consent?
Derick Thomas
15 May 2017
As Aadhaar is increasingly used coercively to seek your identity information from Unique Identification Authority of India (UIDAI), the provisions of the Aadhaar Act that require you to provide consent are being pushed aside. Here is a quick guide to your consent rights and how to protect them.
 
Why does consent matter?
 
In a civilised society, each individual is entitled to dignity. Dignity of an individual is one of the basic rights of a human being and is guaranteed by the Constitution. When you interact with a person, be it a family member, friend or an outsider, both parties are expected to honour the dignity of the other. A person's willingness to interact is considered as consent. Consent, therefore, is essential to preserve dignity in civilised societies. Consent is also important to preserve the security of individuals.
 
Is Aadhaar Authentication legal without your consent?
 
When your Aadhaar number is used to authenticate you, the organisation requesting your Aadhaar information from the UIDAI is expected to obtain your consent. According to Chapter III 8 (2) (a) of the Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act 2016, consent has to be restricted for purposes of authentication.  
 
According to the Act (section 8(2)) and Authentication Regulations (section 5), before authenticating, the service provider is expected to inform you of the nature of the information that will be available to the requesting organisation upon authentication from the UIDAI, the ways in which the information shall be used by the requesting organisation and the alternatives to submission of identity information, should you not wish to use an Aadhaar number.
 
Once you understand the nature of the information and manner in which it shall be used, according to the Authentication Regulations (section 6), the service provider is supposed to hand you a consent form, which you shall fill. The authentication regulations mandate that the service provider use a template provided by UIDAI to take your consent. The consent may be recorded either in paper form or electronic form. In either case, the requesting organisation is required to offer alternate methods of identification, should you not wish to use Aadhaar. The service provider is supposed to keep a log of consent information. And, according to Aadhaar Act (section 32(2)), you have a right to access that information, if you wish to, in case you are willing to undergo Aadhaar authentication.
 
The Aadhaar Authentication Regulations (section 16 (5)) give you the right to revoke your consent to the organisation that has obtained your identity information from the UIDAI. When you revoke your consent, the requesting organisation would be required to delete your identity information that it obtained from the UIDAI. For example, if you decide to stop using your once favourite mobile connection for whatever reason, you can revoke the consent you granted them and inform them accordingly. Once they receive your request for revoking consent, they shall delete all your information received during the e-KYC (know-your-customer) process, which you followed to get the connection in the first place. This ensures that your identity information is not misused.
 
Interestingly, UIDAI, which provides the e-KYC service to authenticate you, does not provide any means to revoke your consent. UIDAI does not mention the turnaround time for completing the revocation request either. The UIDAI-supplied consent form template does not mention any method to revoke your authentication. There is, therefore, no best practice available to requesting organisations to allow you to revoke your consent. This amounts to denial of your legal rights.
 
On a related note, neither the UIDAI nor Government of India has defined standards to irrevocably delete your data from a service provider’s systems. Ask a cyber forensic expert, and he will show you how the deleted data can be recovered from disks. Even our Information Technology (IT) Act and subsequent rules are silent on this matter.
 
So it is illegal use of your Aadhaar number if your Aadhaar number has been used to obtain your identity information from UIDAI without your consent.
 
Can your identity information be used for any purpose?
 
There are three actors in the process of your authentication -- you, the service provider and UIDAI. Only two of the actors (you and service provider) know the purpose. You have a right to know how the data will be used by the service provider. The purpose of authentication has to be recorded by the service provider, but it is not sent to UIDAI (Aadhaar Act, section 32(3)). Since you do not digitally sign the purpose, it may be difficult to prove in a court of law whether your identity information obtained from UIDAI has been misused.
 
Organisations requesting your identity information from the UIDAI cannot include a phrase like “the usage will be subject to privacy policy and terms and conditions”, as the purpose of using the identification information must be explicit and unchanging under the Aadhaar Act.
 
Although the Act says that the information can be used only for the purpose for which it is granted, there is no way for the UIDAI to enforce such requirements. The Act does not provide for an alternate redressal mechanism in case an organisation requesting your identity information misuses it. This leaves the users at the mercy of the service provider, without any remedies. Under section 47 of the Aadhaar Act, you are not allowed to approach courts except under authorisation of the UIDAI. It, therefore, leaves those with grievances without any remedies.
 
What should UIDAI do?
 
UIDAI should advertise in the media about the rights of citizens to provide and revoke consent for obtaining and retaining identity information using the Aadhaar number. In addition, UIDAI should learn from the experiences of other regulators to protect the Aadhaar holder from phishing and other frauds that illegally obtain and misuse identity information. 
 
UIDAI should acknowledge the design flaws in the Aadhaar framework, its application-programming interface (API) and various systems and processes built around it. The UIDAI cannot live in denial any longer. The rights of those with Aadhaar numbers depend on the actions of UIDAI to protect them. If users’ identity information is used without consent, it is UIDAI’s problem too. Such unauthorised use amounts to a leak of data from the UIDAI.
 
Various authentication agencies are audited as required under the Regulations. UIDAI should make the audit findings, particularly on consent, public. Such actions will enhance the trust of ordinary citizens in the processes of UIDAI.
 
Section 139AA of the Income Tax Act violates the Aadhaar Act and Regulations requirement to obtain consent, to specify the purpose of use of identity information, as well as to provide an alternative to authentication using Aadhaar. The UIDAI should move the courts to prohibit such illegal use of the Aadhaar number.
 
How can you protect your right to informed consent?
 
You can deny any requesting organisation the use of your Aadhaar number to obtain the identity information stored with the UIDAI if they do not provide you with a form asking for your consent, or do not state the specific purposes to which the information will be used and do not provide you a mechanism to revoke your consent anytime. You can demand an alternate way to submit identity information if you do not wish to use the Aadhaar number. 
 
Now that you are aware of your rights, it is time to demand them. Always ask for clarifications in writing. When you leave a service, revoke your consent to the service provider and demand that it acknowledge the deletion of all records from its systems. If you have an Aadhaar, call 1947 now and ask them questions. If you are on social media, tweet to @uidai and @ceo_uidai with the hashtags #AadhaarFailures #NoConsent.
 
(Derick Thomas is a communication engineer with expertise in network architecture, privacy and secure communication technologies. He can be reached on https://twitter.com/derick_thomas)
 

Life
Use Multi-factor Authentication for Security
Yogesh Sapkale
15 May 2017
As the name suggests, multi-factor authentication (MFA) is a mechanism in which the user is required to provide separate pieces of information or evidence to gain access. The most popular MFA across the globe is two-factor or two-step authentication, or 2FA, as it is popularly known. This is used for authenticating transactions using cards, netbanking transactions or even for emails or some websites.
 
The MFA, typically, is required to have at least two of the following categories: knowledge (something the user knows), possession (something the user has), and inherence (something the user is). For example, for withdrawing cash from an automated teller machine (ATM), the user is required to have a plastic card (debit, ATM or credit). This is what they possess. Secondly, the user needs to know the personal identification number (PIN), which is knowledge or something the user knows. Using the 2FA transaction, the user can withdraw cash from an ATM.
 
Now, consider that you are making an online payment through your card to buy an item. You have your card number and your PIN (or card verification value - CVV). After submitting this information, you can opt for a one-time password or passcode (OTP) which is received on your mobile phone registered with the card issuer. Your payment will take place only after you enter the OTP. This is an example of MFA. 
 
MFA provides an added layer of security. Someone may steal your card and PIN, but will not be able to use it for transactions (except at an ATM or at a point-of-sale (POS) terminal) that require validation through OTP. Most of the time, the OTP is sent through SMS and there may be some technical issues with the network that may prevent the message from reaching the user device. For such issues, the payment gateways or banks offer a chance to seek a fresh OTP. The user needs to use the latest OTP for such transactions. (As standard practice, never share the OTP with anyone, especially for transactions that you have not initiated.)
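The "latest OTP only" behaviour described above, seen from the verifying side, as an added example that is not from the original article or from any bank's system. The class name, the 180-second validity window and the three-guess limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 180   # assumed validity window
MAX_ATTEMPTS = 3        # assumed number of guesses allowed per code


class OtpService:
    """Keeps at most one live OTP per transaction (hypothetical design)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # txn_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(txn_id, code):
        # Keep a digest bound to the transaction rather than the code itself.
        return hashlib.sha256(f"{txn_id}:{code}".encode()).digest()

    def issue(self, txn_id):
        """Create a six-digit code; a re-request replaces the earlier code."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = [self._digest(txn_id, code),
                                 self._clock() + OTP_TTL_SECONDS,
                                 MAX_ATTEMPTS]
        return code  # passed to the SMS sender, never written to logs

    def verify(self, txn_id, code):
        entry = self._pending.get(txn_id)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[txn_id]      # expired or guess limit reached
            return False
        entry[2] -= 1                      # every attempt counts
        if hmac.compare_digest(digest, self._digest(txn_id, code)):
            del self._pending[txn_id]      # single use
            return True
        return False
```

Because a re-request overwrites the stored entry, a delayed SMS carrying the earlier code is rejected, which is why only the most recent OTP works.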
 
The third factor in MFA is inherence, or something that the user is. This involves use of biometrics, like fingerprints or retina scans. But the problem is that we still do not have scanners for authenticating biometrics within a stipulated time. Add to this the cost and connectivity issues, and the use of biometrics as part of MFA fails. Also, biometrics or similar authentication works well in a stipulated environment and for limited users. You can use fingerprints to unlock your mobile phone. However, when the time comes for using it for other authentication and verification, the payment gateway needs to compare your fingerprints with millions of other fingerprints to validate that you are who your fingerprints claim to be. A super difficult task, especially for a country with a population of over a billion! Some transactions are taking place through this method, but are dependent on a locally-stored database.
 
Apart from financial service-providers, several others like Apple, Google, Microsoft, Amazon, Facebook and Twitter also offer MFA for login. Apple allows access to its multiple devices after entering the ID, password and the six-digit verification code received, either by text or a phone call. Similarly, Google allows the user to opt for a second authentication factor like a six-digit code, received either through SMS on the registered mobile or via a phone call. Recently, Google launched a service where the user just needs to tap on Google’s mobile app installed on the registered device. In addition, Google lets the user authenticate a particular device (PC or laptop) so that it can be used without the second authentication factor.  
 
Some users may find it cumbersome or time-consuming to use multi-factor authentication, but being safe and secure is not easy. Remember, cyber criminals love people who are lazy about protecting themselves. But if you are punctilious about avoiding a serious theft like that of your identity, email ID, data or money, then it is better to be safe than sorry and use MFA, wherever available.

