Business Daily from THE HINDU group of publications
Monday, Jul 14, 2008
Columns - Security Musings
Under siege in cyberspace

K. Ananthan

Open to attacks from criminals.

R.K.Raghavan

As I sit down to write this column I am confronted by a deluge of information that may not be unusual for its content but is definitely overwhelming in terms of its potential for damage and mischief.

After reading me, I am sure a lot of my readers could become more wary than before in voluntarily disclosing, online, information that is intensely personal in nature, as, for instance, details relating to one’s physical and financial health.

The occurrence that comes to my most immediate attention is the admitted large-scale intrusion into Citibank’s ATM network in the US. This came to notice a few months ago, but has become public knowledge only in the past few weeks.

It is learnt that several of Citi’s ATMs at 7-Eleven convenience stores across the US were targeted by criminal elements, and substantial amounts of money — $2 million, according to one estimate — transferred to accounts possibly in Russia. The modus operandi was to steal customers’ Personal Identification Numbers (PINs). This is a matter of surprise because so much had been done in the recent past to strengthen the security of ATMs, and, as an observer said, short of peeping over the shoulder of an ATM user there was no way an unauthorised person could get to know that user’s PIN. This is because the number is encrypted the moment it is assigned to a customer, and is kept absolutely confidential.

Server broken into

Strategically placed mirrors and tiny video cameras have been the bane of bank security, especially at cash machine booths. But in the Citibank case, the offenders had used other methods. Investigation has revealed that here the intruders had broken into a server of a third-party processing company holding the numbers and managed to get hold of the sensitive information. Obviously, the offenders did not have to go anywhere near any of the cash machines that many wrongly believed had been compromised.

It is further surmised that, once armed with the PINs, the offenders’ task was reduced to merely manufacturing blank cards on to which the stolen numbers were transferred and used at will anywhere in the country. This instance of vandalism would point to how vulnerable ATM technology is. Incidentally, in the Citibank case, investigation has revealed the involvement of two Russian nationals. It is, however, not clear whether they were the main conspirators or whether they were just conduits. It is just possible that they were used to illegally draw the money from the machines, once the main culprits had obtained the numbers through conventional hacking.

Clear RBI directive

It is in this context that guidelines formulated by the Reserve Bank of India to govern mobile banking in the country assume significance. The RBI is categorical that, in tune with international practice, India should have a national framework for mobile banking. But, in its view, such a framework should have built-in security of a very high quality. In RBI’s words, banks should conform to the following advice: “The technology used for mobile payments must be secure and should ensure confidentiality, integrity, authenticity and non-repudiability…. The Information Security Policy of the banks may be suitably updated and enforced to take care of the security controls required specially for mobile phone-based delivery channel.”

The RBI advice cannot be clearer than this. The regulatory authority proceeds further to prescribe the technology that could be used to provide a secure facility for customer transactions. This includes the allotment of a new mPIN authenticated by the bank concerned or by a mobile payment application service provider. The mPIN should be fully encrypted and consist of at least four digits. Two-factor authentication has also been prescribed.

In the first, an offline PIN (either issued by the bank or one defined by the customer himself) should be used to identify the genuine customer the moment he enters the system. The second factor of authentication could be the choice of the bank itself, and all transactions affecting an account, such as debit or credit and stop payment instructions, could be carried out only after this level of authentication had been received. The RBI guidelines also stipulate that the mPIN should not appear in clear text anywhere in the network.

Most importantly, the mPIN should be stored in a secure environment, something that the Citibank contractors in the US perhaps did not do. These elaborate RBI guidelines are refreshing, and they highlight a welcome sensitivity to the task of secure banking while at the same time reflecting commercial maturity.
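The RBI requirements summarised above (an mPIN of at least four digits, never held or sent in clear text, stored in a secure environment, and a bank-chosen second factor before any transaction touches an account) can be illustrated in code. The following is an added example written for this column and is not code from the RBI, Citibank or any bank; the server key standing in for a hardware security module, the customer and transaction identifiers, and the HOTP-style second-factor code are all constructed assumptions. The contrast it draws is with the kind of processor store that keeps PINs in clear, which is what the Citibank breach suggests was compromised.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-ins for keys that a bank would keep in an HSM or secure
# element, apart from the record store (assumption: the bank holds such keys).
SERVER_PIN_KEY = secrets.token_bytes(32)
SECOND_FACTOR_KEY = secrets.token_bytes(32)

MIN_MPIN_DIGITS = 4  # RBI guideline: an mPIN consists of at least four digits


def validate_mpin_format(mpin: str) -> bool:
    """An mPIN must be purely numeric and at least four digits long."""
    return mpin.isdigit() and len(mpin) >= MIN_MPIN_DIGITS


def derive_mpin_tag(mpin: str, salt: bytes, key: bytes = SERVER_PIN_KEY) -> bytes:
    """Keyed, salted digest of the mPIN.

    A four-digit PIN has only 10,000 possible values, so an unkeyed hash of it
    is trivially reversed by trying them all. The server key, held away from
    the record store, is what protects a stolen table of these tags.
    """
    return hmac.new(key, salt + mpin.encode(), hashlib.sha256).digest()


@dataclass
class MpinRecord:
    salt: bytes
    tag: bytes  # the clear mPIN itself is never written anywhere


class InsecurePinStore:
    """The pattern a breached processor must not follow: PINs kept in clear."""

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    def enrol(self, customer: str, mpin: str) -> None:
        self.pins[customer] = mpin  # anyone who reads this table has every PIN

    def verify(self, customer: str, mpin: str) -> bool:
        return self.pins.get(customer) == mpin


class MpinStore:
    """Hardened store: per-customer salt plus keyed tag, constant-time compare."""

    def __init__(self) -> None:
        self._records: dict[str, MpinRecord] = {}

    def enrol(self, customer: str, mpin: str) -> None:
        if not validate_mpin_format(mpin):
            raise ValueError("mPIN must be numeric and at least four digits")
        salt = secrets.token_bytes(16)
        self._records[customer] = MpinRecord(salt, derive_mpin_tag(mpin, salt))

    def verify(self, customer: str, mpin: str) -> bool:
        rec = self._records.get(customer)
        if rec is None:
            return False
        return hmac.compare_digest(rec.tag, derive_mpin_tag(mpin, rec.salt))


def issue_second_factor(customer: str, txn_id: str, key: bytes = SECOND_FACTOR_KEY) -> str:
    """Bank-chosen second factor (assumed design): a six-digit code bound to one
    transaction, derived HOTP-style by truncating an HMAC. In practice the bank
    would deliver it out of band; here it is simply returned."""
    mac = hmac.new(key, f"{customer}:{txn_id}".encode(), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def authorise_debit(store: MpinStore, customer: str, mpin: str,
                    txn_id: str, second_factor: str) -> bool:
    """Both factors must pass before a debit is allowed to proceed."""
    if not store.verify(customer, mpin):
        return False
    expected = issue_second_factor(customer, txn_id)
    return hmac.compare_digest(expected, second_factor)


if __name__ == "__main__":
    store = MpinStore()
    store.enrol("cust-1", "4821")  # constructed sample customer and mPIN
    code = issue_second_factor("cust-1", "txn-77")
    print("debit authorised:", authorise_debit(store, "cust-1", "4821", "txn-77", code))
    print("wrong mPIN rejected:", not authorise_debit(store, "cust-1", "0000", "txn-77", code))
```

The point of the keyed tag is the one the Citibank episode makes: a table of PIN records copied off a processor's server should be worthless on its own, which an unkeyed hash of a four-digit value does not achieve.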

Welcome moves on Blackberry

Talking of maturity on the part of a government agency, I am happy that the IT Ministry has piped down on its demand for Blackberry operators in the country to make available to security agencies all that passes through their network. Discussions between RIM (which owns Blackberry) and government representatives were inconclusive till recently. RIM did not want to concede that all messages sent or received by it should be seen by security agencies in an unencrypted form, something that is totally contrary to its practices elsewhere in the world. It is believed that a kind of compromise would be reached shortly, whereby the needs of national security and the right to privacy of Blackberry will be fused.

This takes me to the subject of the urge that many governments feel, that there cannot be unrestricted and uncensored telephonic and e-mail communication.

My good friend Gemini Ramamurthy, who is passionately devoted to the subject of cyber security, draws my attention to a contentious recent legislation passed by the Swedish Parliament.

This law would enable the National Defence Radio Establishment (FRA), which is a civilian agency and not an outfit of the Defence Ministry as its name would suggest, to monitor all cross-border Internet and telephonic communication.

Experts believe that the FRA would actually end up doing much more, because some Internet servers are located abroad and when a Swede accesses them in some context or the other, his communication will also be overseen by the FRA as such communication will be cross-border in nature. There is considerable opposition to the new Swedish law, mainly from human rights activists, journalists and lawyers.

What has been considered most objectionable by critics of the new law is the authority conferred on FRA to snoop on mail and telephonic communication without any judicial sanction, something that the Police need before undertaking such an operation. The Swedish experience in working the controversial law would be of interest to us in India.

Equally relevant would be the feedback from the UK, which also contemplates empowering its security agencies with the right to monitor all telephonic calls and e-mail emanating from the country or received by it.

My sense of balance makes me assume the stand that privacy issues cannot be wholly ignored even if security considerations require keeping a close watch on what goes on in cyberspace.

The writer is a former CBI Director who is currently Adviser (Security) to TCS Ltd.

Copyright © 2008, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line