
The mystery of the forged signatures

Signatures are being forged to effect illicit share transfers, upload minutes of meetings that were never held and reconstitute the entire boards of companies, warns V. Kumara Swamy

DIGITAL CRIME Published 24.05.15, 12:00 AM

It seemed like any other Monday at Unicorn House in Kandivali, Mumbai. But by the end of the evening of March 9, 2015, the three-storey building was the centre of a rumpus. Somebody had changed the names of its directors on a government website.

That day, the Mumbai-based company's auditors were going through the accounts of DDPL Global Infrastructure Pvt. Ltd. Everything was in order. Then somebody decided to have a look at the company and the profiles of its directors on the ministry of corporate affairs (MCA) portal. That was when all hell broke loose.

The signatory details of the eight-year-old land development company had been changed. The original directors had been replaced by three unknown people from Delhi, Madhya Pradesh and Pune. Similar changes were made to the profiles of the directors of DDPL's associate company, Unicorn Infra Projects.

"We were shocked. The fraudsters supposedly had directors' meetings in our office, made changes to the board and entered these details on the MCA website. We felt like some terrorists had taken over our company," says Dharmesh Shah, promoter and director of the two companies.

Lawyers were consulted and the cyber crime cell of the Mumbai Police was approached the next day. The names and addresses of the fake directors did not match, but summons have been sent to one person.

Shah suspects that the fraudsters were interested in making money out of a multi-crore rupee land project that the firm is developing. They possibly wanted to show themselves as directors of the company and strike a land deal with unsuspecting parties.

That wasn't the end of the story. On March 19, three days after the company's directors approached the Bombay High Court, some people tried to illegally increase the authorised share capital of the company from Rs 5 crore to Rs 45 crore.

"The aim was to allot the shares from the increased capital among the fraudsters. In the process, they would have reduced the shares of existing directors to next to nothing," Shah says.

As details started emerging, it came to light that the alleged fraudsters had obtained a digital signature certificate in the name of one of the directors of DDPL and Unicorn, Sunil Sarda, using a fake PAN card and an MTNL bill. The certificate was used to get access to the company's page on the MCA portal and, step by step, they had executed a corporate hijack.

"They could have easily duped people in the name of the company had the scam lasted a little longer," says Ashish Parwani, a partner in Rajani, Singhania & Partners, a law firm that represented DDPL.

Under government rules, it is mandatory that all filings with the Registrar of Companies (RoC) are done electronically. While companies are asked to obtain a CIN or corporate identity number, company directors are given director identification numbers (DINs). The alleged fraudsters had obtained new DINs for themselves using forged details of Sarda.

This is not a stray case. A 92-year-old company, Maneklal Mansukhbhai Private Limited (MMPL), the owner of a 13,200-square-metre property in Bandra, Mumbai, found itself in a similar situation. On the MCA website, the names of its two directors had been replaced by five other names.

The two directors knew nothing about these people. The alleged fraudsters had also changed the company's registered office address and uploaded several forged documents. On closer examination, MMPL and its lawyers came to know that the fraudsters had obtained a digital signature certificate in the name of a former MMPL director, who had died in 2010, to access and change the company's details online.

A similar case was reported in Delhi in 2014. While the Delhi police had arrested one of the accused and the case is on, the Mumbai Police are yet to make any arrests.

By obtaining false digital signatures and using these digital signatures to access the RoC's database of companies, these fraudsters now had power to effect illicit share transfers, upload minutes of meetings that were never held and also reconstitute the entire board of the targeted company.

"If you look at either DDPL or our case, these frauds were discovered because of sheer accidents. And both had identical modus operandi. Imagine what would have happened if these unscrupulous people had made some form of transaction based on their illegally obtained status," asks Shailesh Mahimtura of Mahimtura & Company, a legal firm representing MMPL.

Incidentally, both the cases involved property. "It is quite possible that these people could have approached some gullible persons and made an initial transaction and earned a few crores of rupees. Who would doubt if a government website is listing these people as directors," asks Shah. He, in fact, suspects a network of "well-educated criminals" who are aware of corporate and cyber laws and the loopholes in them.

The Bombay High Court has termed the cases the "tip of the iceberg". It noted in its order on MMPL in April: "Not a single corporate entity in any sector is today safe from these marauders."

What is of concern is that this could be the fate of any of 9.5 lakh-odd companies registered with the MCA. About a lakh new companies get registered every year.

"Relatively smaller companies have been targeted so far, or at least these have come to light. One can only imagine the implications if some major corporate houses are targeted," Parwani says.

According to the National Crime Records Bureau, reported cases of obtaining fake digital signatures have been on the rise. While there were only four such cases in 2009, they rose to 12 in 2011. Ten cases were reported in 2012. But experts say that the actual numbers may be much higher.

"As the use of digital signatures becomes more common, we are bound to see a rise in its criminal manipulation," says Rohas Nagpal, president, Asian School of Cyber Laws, Pune. He stresses that the problem is not with the technical side of digital signatures. "The issue is that criminals are able to obtain digital signature certificates in other people's names," he says.

But digital signatures are seen as real signatures. Then why are they not safe?

"It appears that these are being issued willy-nilly without sufficient checks and balances and without proper verification or adherence to standard [government] norms," the Bombay High Court noted.

In India, six agencies offer certified digital signature certificates. These offer three classes of certificates. While Class 1 has the lowest security standard, Class 2 is considered adequate for companies. Even the MCA accepts Class 2 certificates.

The digital certificate issuing authority in MMPL, DDPL and Unicorn, the Bangalore-based eMudhra Limited, says that it merely followed the guidelines of the government. "They are the same for everybody. We have issued around 9 lakh digital signature certificates so far. We have heard of only a handful of complaints," N. Srinivasan, founder and chairman of the company, says. Around 90 lakh digital signature certificates have been issued in India so far.

At the same time, Srinivasan emphasises that companies like his don't have the "latitude" to ask seekers of digital signature certificates for any information beyond what the government has stipulated. So for a Class 2 certificate, a photo identity and proof of address suffice.

Until the norms for getting digital certificates are tightened, companies like DDPL and others could be in for a tough time. "I would ask all the companies that are registered with the MCA to regularly check the site," Shah says.

The Bombay High Court urged the ministries of corporate affairs and of information technology to "batten these digital security hatches" immediately. "[Else], there is a storm coming," it warned.
