We are now getting quite used to hearing or reading about major web sites getting hacked. Last week, when Adobe reported that its site was hacked, all those who had ever transacted with Adobe were worried. What had happened to their credit card information? Should they talk to their banks? Or should they talk to Adobe?

Most of us don’t realise that we may be dealing with third party sites in the process of transacting with a site. In many sites, credit card transactions are not handled by the sites, but by third parties that act as intermediaries between the site and the card company. Do we bother to check which company is handling your transaction? Does the company have enough security measures in place? Is the site secured? Does the URL say https instead of http? Do you use Verified by Visa or MasterCard SecureCode?

We don’t deal with sites like Adobe often, that are secure, but any way, hacked. But what about other sites? Do you pay your electricity bill online every month? Or do you pay the local body taxes online? Have you bothered to check how safe the sites are?

Security checks

Most often, we don’t. We are so carried away by the convenience of buying or paying online that we don’t bother how secure these sites are.

An Indian e-commerce site was found to store users’ passwords without encryption.

Even if you don’t transact online, do you know that in many sites, anybody can access details of your payments and outstanding transactions to government bodies? If you think this is a joke, let me assure you, it’s not.

If you are in Chennai, your property tax details can be accessed by just keying your property assessment numbers. There is no ID or password required. Ditto with water tax. Of course, they can’t do much with the data, except may be, pay the tax on your behalf, but the fact that the information is publicly available may be unnerving for some.

The electricity payment portal is slightly better. You require an ID and a password to pay your electricity bill, but if you just want to access your neighbour’s consumption and payment details, they are just a couple of clicks away.

If you have created an ID, you can bring any account under your ID. Of course, again, you can’t do much. All you can do is to see others’ consumption and payment (or default) details. At the most, you can pay their bill (if you wish). Some e-governance sites allow unrestricted access to data like birth certificates. Just entering a date is enough to access all the birth certificates of those born on that date.

Yes, there is nothing much others can do other than accessing your information, but does the Government or local bodies have the right to share citizens’ info without their permission?

State of affairs

A report by the Centre for Internet Security ( http://cis-india.org/internet-governance/securing-e-governance-event-repo- rt ) quotes the speech of Prashant Iyengar, Assistant Professor, Jindal Global Law, in a public discussion on ‘Securing e-Governance: Ensuring Data Protection and Privacy’, at the Ahmedabad Management Association’: “The State Government of Karnataka, announced a plan to “post on its web site all details of (1.51 crore) ration cardholders in the state”, to weed out duplicate ration cards and promote transparency. Details posted on the web site would include the “ration card number, category of card (BPL/APL), names and photographs of the head and other members of a family, address, sources of income, LPG gas connection and number of cylinders in village/taluk/district wise.” An official said, “This would also work as a marriage bureau, for instance, a boy can see a photograph of a girl on the web site and see whether she suits him”

If the e-governance sites are so lackadaisical in protecting data, how can a user trust them with credit card or other important information? At the same meet, Sunny Vaghela, Founder and CTO, TechDefence Pvt. Ltd, “conducted a live demonstration, showing how simple it is to hack into a government web site. From his personal experience as an ethical hacker, he stated that government agencies are extremely negligent about the privacy and the security of data. A major concern with e-governance web sites is that they not designed with privacy in mind, leaving the personal and private details of citizens vulnerable”, the report says.

Even the Election Commission’s sites aren’t exempt. A few clicks can give you access to voters’ lists and voters’ ID numbers. The Tamil Nadu site also allows one to apply for modification in voters’ ID details. All one has to do is to enter the voter’s ID number and edit the information. Again, there is no need for user ID or password. There is a ‘security check’ where the user has to key in an email ID where a confirmation email will be sent. Apart from this, there are no further checks and someone not on good terms with you can modify your data, like changing your wife’s name.

dinakaran.rengachary@thehindu.co.in

Related Topics
comment COMMENT NOW