Financial Daily from THE HINDU group of publications
Monday, Jul 11, 2005
Security Musings

Time for action

R.K. Raghavan

Two recent events, one in the US and the other in India, offer renewed evidence that securing customer information is a nightmare to credit card companies and those who manage BPO operations. MasterCard, one of the world's most well-known and trusted names in the plastic money business, admitted on June 17 that it had notified member financial institutions about the exposure of 40 million cards (about 22 million Visa cards and 13.9 million MasterCards) to possible fraud. While the miscreants gained access to account numbers and verification codes, they could not lay hands on social security numbers or dates of birth of cardholders. Within days of the MasterCard outrage, the Sun, London's most high-profile tabloid, said in a screaming headline that one of its reporters had been able to buy a CD carrying data pertaining to about 1,000 customers of UK banks from an employee of a Delhi BPO firm, Infinity eSearch, at the rate of £4.25 per account. With the MasterCard and Delhi happenings coming close on each other, customer confidence has suffered a nose-dive.

The dimensions of the MasterCard fraud are massive, although the happening itself is not unique. While an FBI investigation is on, a probe conducted by experts from Cybertrust (which provides information security technologies) has revealed that the attack was centred on the network of CardSystems Solutions, a third-party contractor entrusted with the processing of payments. It is possible that an individual or a group had exploited a system vulnerability and gained remote access. (There are any number of tools available for establishing such access from a remote site.) A rogue programme installed in the system was, in all probability, the culprit. Cybertrust has found fault with CardSystems for storing data without encrypting it, and also for holding records that should have been discarded quite some time ago.

Incidentally, identity theft does not always require the most sophisticated of technologies, especially if the target is an individual victim and not a whole system. A pocket-sized imprinter is said to be enough to capture information from a credit card and pass it on to the underworld. (An English friend of mine told me a few months ago how an Australian cricketer of yesteryears was duped in this manner at a famous London restaurant when he handed over his credit card unsuspectingly to a waiter who had served him. The card was duplicated and several unauthorised transactions took place in different parts of the world in no time.)

While the MasterCard intrusion may not exactly be difficult to figure out, details of the Delhi incident are still hazy as I write this column, except that the villain of the piece is possibly one Karan Bahree, who worked for Infinity eSearch. (The latter has announced that Karan has since been dismissed.) The Sun report had alleged that its successful sting operation could manage to buy sensitive customer data relating to some UK banks. Denying that it had bank clientele in the UK or that it had lost some data, Infinity is categorical that it was a mere Web-development organisation and Karan was a lowly content writer who had no access to any sensitive information. There are, however, reports that Karan has confessed to passing on a CD (whose content he claimed he did not know) received from a friend to an utter stranger. The City of London Police (not the Metropolitan Police), which takes care of the city's financial district, has received a report on the incident from the Sun, which has been passed on to Interpol for being handed over to the Indian Police. It is difficult to hazard even a guess on how significant the happening is, without an idea of what the CD in question contained and how Karan or his friend had access to any data that the CD may have captured. But enough has been reported that would cast a heavy shadow on the security systems that prevail in India's BPO centres.

Some developments in the US that focus on enhancing the security of online transactions are positive. Liberty Alliance, a 150-strong association formed to develop an open standard for federated network identity, has announced the setting up of an Identity Theft Protection Group. Comprising famous names such as America Online, General Motors and Nokia, this group will approach the problem from a multi-vendor angle. Also, voice recognition authentication is being seriously considered as an effective means to defeat fraudsters. Further, a Microsoft researcher is reported to have stated in a recent presentation at Stanford University that online transactions can be secured greatly by incorporating a display and a set of buttons into a smart card reader or security token. This will be for authentication in general and authorisation of particular transactions.

The Delhi episode may be just a case of deception resulting from social engineering, as was the recent Pune MphasiS incident. In any case, India has to do a lot to enhance the confidence of the rest of the world in its ability to protect online information. Nasscom has made the right noises to persuade the Government to take up the issues involved with the required seriousness. Prime Minister Manmohan Singh's directive, after the Sun report, that we should bring in needed reforms to cyber crime law is most welcome. But then how long are we going to only speak about this, and not act at all? India's credibility is heavily at stake. A sizeable number of our MPs are computer-savvy, and they understand the gravity of the situation. It is not difficult to build a consensus on this essential and non-controversial law that would encompass data protection and privacy and push it through Parliament. A hastily drafted Data Protection Act with likely imperfections is far better than no law at all. We can definitely work to plug the lacunae as we go along.

The writer is a former CBI Director who is currently Adviser (Security) to TCS.

Copyright © 2005, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line.