another example of the Credit Card industry's deceptive advertising targeting children
cartoon of the month

Wednesday, June 29, 2005

How the BPO Sting Data was faked ??

Devangshu Datta: Bahree versus keystroke loggers
Devangshu Datta / New Delhi June 29, 2005
The episode could happen anywhere. So far, Indian BPOs haven’t suffered hacker attacks so common elsewhere

The Sun sting operation proves nothing security specialists didn’t know. There are forums on the Net where you can buy larger, more comprehensive lists. Crackers barter personal details harvested off computers penetrated with keystroke loggers, remote administration tools and assorted spyware.

If, instead of trolling the Net, somebody walks upto a cyber-savvy man and offers large sums for sensitive data, the youth in question may be tempted to supply it. If he’s a lazy chap, he will do a version of the following:

1. Go to online telephone directories and download every 30th name at random, to create primary entries for the “database” he intends to sell.

2. Then, write a program to generate random 13-digit or 15-digit numbers, based on the length of the standard credit card series in the target country.

3. Link the random numbers generated in 2. to the names in 1. Voila! We have a database, which looks and feels real and stands up to preliminary check.

It is an entirely different matter that transactions utilising this “data” would be impossible. The seller might not even be legally liable since he would not be hacking or trading sensitive information. I don’t know if Karan Bahree was smart enough to do this or if he went out and acquired real data. But it is a tempting thought to “sting the stinger”.

The Sun’s main tack was its anti-outsourcing stance. This is also old hat. It is merely a racist variant of the linguistic discrimination advocated by so many Indian regional parties. To say British jobs must be done in the UK by British citizens is exactly the same in principle as demanding that Maharastrian jobs must be done by Marathi-speakers based in Maharashtra.

It is no more and no less offensive for somebody to be at the receiving end of either opinion. The existence of a right-wing, anti-BPO lobby doesn’t affect the pro-BPO case one whit more than the existence of the Shiv Sena alters the case for Mumbai businesses to employ the best people they find, regardless of ethnicity.

Oddly enough, the Bahree sting and the scam at Mphasis that preceded it, offer several positives for the Indian IT industry. For one thing, no Indian BPO operation has thus far been electronically hacked. Both these incidents depended on social engineering — which is the art of persuading individuals to voluntarily offer sensitive data.

One can easily make the case that Indian software/ ITES / BPO operations are more secure than their rivals because major global credit card and bank databases in the US are electronically hacked on a daily basis.

In terms of comparative security, India is, therefore, a better environment than most of the first-world nations to which it provides outsourcing services. It is unquestionably a better security environment than competing east Europeans and east Asian nations.

However, it is high time that the global personal finance industry re-examined its own value and service-delivery chains in the light of growing incidences of electronic fraud. Credit cards were invented in the 1950s and seamlessly integrated into the electronic environment of the mid-1990s.

The crooks have caught up and in order to stay ahead, the financial industry must change its modes of operation. For one thing, a customer is now at risk if he simply offers his credit card at a restaurant and a waiter with an eidetic memory files away the number for electronic use.

One way forward is the virtual credit card (VCC), which some banks now offer. A VCC generates a ID number valid for one electronic transaction only with a defined credit limit. This limits damage from a possible hack.

Another way is to leverage MMS-SMS for automated verification of transactions though this method fails in cases of identity theft where contact details and photo IDs have been changed. There are also biometric options such as fingerprint and retina scans.

Perhaps identity-broking could also be a route to greater security. Nothing and nobody will ever totally eliminate hacks via social engineering but better modes of e-commerce could certainly limit the damage.

trackback: Devangshu Datta


Post a Comment

<< Home