How crucial data -- for banking, e-commerce etc -- can be tapped and misused
- Require personal data -- e-commerce, banking, crucial data, biometric data -- for authentication which can be accessed through the Net with specific tools.
- Users submit credit card password/PIN, biometric data on the Net which can be traced
- Most Wi-Fi links -- transmitting e-commerce, banking, crucial data -- are unsecured and can be easily hacked.
- Have been misused by terrorists to send emails
- Banks use secure authentication process to ensure security of customer data.
- Companies/shops depend on secure payment gateways of banks to protect customers
- M-banking, commerce and Internet putting user data in one device.
- In case of handset loss, crucial data can be available to anyone
- Can identify users through IP address, they can access personal data and bank accounts.
- Unsecured Wi-Fi links easiest to misuse
- Credit/debit card data on magnetic strip can be copied from ATMs and misused
- A senior Delhi-based executive got a frantic SMS from his wife's mobile phone: she'd forgotten the four-digit ATM code. The unsuspecting husband messaged the code back to her. Within hours, the account was cleaned out.
- After returning from a trip to China, a journalist was informed that his credit card had been used in three countries to its maximum limit. This was after he had used the card at a Beijing mall.
- And late last year, in a shocking "mistake", Lakshmana Kailash K—a 26-year-old techie from Bangalore—spent 50 days in a Pune prison for a crime he didn't commit. His Internet provider, Airtel, gave the wrong IP address to the Pune police.
Wake up to the insecure edge of technology. Our passwords, bank account details, biometric data and medical records are vulnerable even as we try to protect them in a digital world. Websites are routinely hacked, databases sold and personal data tossed about as the cyber age ushers in new challenges of privacy.
Sure, technology is making light work of everyday humdrum transactions. But with convenience comes vulnerability, turning technology's big advantage into an area of concern. Is my password safe, are my online or mobile transactions secure, can my bank account be hacked, are my credit cards truly secure? These are questions we ask ourselves all the time. And we don't have definitive answers. Not yet.
Every time you do anything online, a part of your personal data either resides on the terminal or floats through cyberspace. Every access to the Internet can be traced back to the mobile or PC, which you may lose or find hacked into. Similarly, credit card details can be traced from the online trail. For every online service, we have to provide personal data—it's supposed to be confidential, but could reach people who use it to their advantage. Worse, with terminals now using biometric access systems, even a person's physical identification proof could be up for grabs.
In an age of anytime, anywhere access, what suffers is individual privacy. The question is, how much of this privacy are we prepared to compromise for convenience? The central thread is convergence—where all our information rests on one or a few devices. Today most of us bank, buy, sell, and run our lives via the Internet, either through PCs or mobile devices.
Now, 2009 will see banking and commerce take off big on mobiles. Vineet Taneja, country head, GTM, Nokia India, warns: "In India, convergence will be driven by mobile phones as PC penetration is low." That is scary because with mobile phones increasingly being Internet-enabled, more private data would either reside on a single device or float in cyberspace and be open to misuse.
Are companies and service providers alive to this? The leading players say they take all possible measures to protect identities and personal data. But the ultimate choice lies in the hands of the user. Says Shailesh Rao, MD, Google India: "Google takes privacy very seriously...but we give users a choice. A user should use a Google product if they choose to and want to." Ultimately, who takes responsibility if things go wrong?
The maximum concern, of course, is in areas like banking, where ease of use has pushed people to online and mobile banking. Bikramjit Sen, CEO, Tech Process, an electronic payment processing company, says the big trigger is the reduction in costs, which holds true even in case of financial services like mutual funds and insurance. It's well-documented that the most expensive form of distribution is a branch, he says.
"A customer has the convenience of utilising services of a bank without the hassle of finding a branch or ATM. It is cost-effective for banks as well," says an SBI official. While customers can now check account balance and make payments through their cellphones, banks are looking at facilities like fund transfer.
Amidst these conveniences, banks also have to contend with activities like phishing—a fraudulent way to acquire sensitive information in the guise of an official e-mail—which threaten customers' and banks' security. Although the Reserve Bank of India has prescribed daily limits (Rs 5,000 and Rs 10,000 per customer for funds transfer and transactions respectively), a lot more needs to be done, like authentication of users and m-PIN. The effectiveness of the set of measures will be tested as more people use online and mobile banking services.
So what does the future hold? It could be cloudy, as convergence will make devices and terminals smaller, multifunctional and more vulnerable. Protocols like the IPSO or the smart objects alliance—linking household devices with each other online—may make every device accessible by any other. Says Taneja: "Nanotech will lead to a morphing of technologies where device form factor would be completely flexible." So unlike now, when a few connected devices can do specified jobs, all devices would be connected and do anything. How about making a financial transaction through a Net-enabled refrigerator?
Does that mean we should go slow on technology? No one favours that. Says Allen Ma, president, BT Asia Pacific: "One of the first tools was the knife, which was dangerous. If we discarded it then, we would've never known its advantages. The solution to the problems is in education and awareness."
Niranjan Upadhye, AVP (e-commerce), Axis Bank, agrees and says that apart from ensuring technology is in place along with sufficient firewalls to protect data, security also depends on the attitude of the customer and how well they protect data at their end. But how many comply? Despite warnings that bank and ATM PINs should be alpha-numeric, unusual and changed frequently, few oblige. Domestic Wi-Fi systems are rarely secured despite the recent terrorist attacks. Most users in India do not change their passwords; many continue with the password provided by service providers.
What most people do not grasp is that technology-enabled fraud can hurt them really badly. There's nothing like a strong dose of caution. For instance, with terrorists discovering the Wi-Fi route as an easy way to conduct their operations, the careless could become easy prey. The fallout could be dangerous.
What needs to be done? Can cyber legislation tackle the issue fully? Other parts of the world have a robust framework of cyber laws, but India is still teething. Penalties are minimal and rarely act as a deterrent; it takes ages to even register a complaint. Says cyber law specialist Pavan Duggal: "The IT Act is weak on privacy and doesn't deal with issues like making a breach of privacy a ground for criminal or civil complaint."
Worse, enforcement is a big question mark in India. Says Duggal: "Enforcement is probably the weakest link of the IT Act. There is no adequate training of the police or orientation of the judiciary and a citizen-friendly reporting mechanism is missing. With most police officers not proficient in computers, registration of cyber crime remains at their whims." The numbers say it all. In the last eight years, India has seen just two convictions under the IT Act and one under the penal code for cyber crimes.
Now, it is learnt that the government is reducing penalties further and making it a bailable offence. Currently, the punishments range from 3-10 years and are non-bailable. That could be inviting trouble. Says Prashanto K. Roy, group editor, Cybermedia: "It's a moving target and very challenging. Legislation will have to keep up and change as technologies change."
With the next wave of technology use certain to happen through mobile phones and with a majority of the 300 million being first-time users with little or no technology awareness, it is a big challenge that companies and the government need to address. Fast.
With Arti Sharma in Mumbai