
Wednesday, June 01, 2005

Another Sucheta Dalal story

Here's another great story from Sucheta Dalal of the Indian Express. This woman sure does write on stories of interest to this blogger. My Hacking Complaint also contains an entire story by her. Way to go and keep writing.

Implications of Pune’s cyber security fraud

By Sucheta Dalal

For a while last week, the Mphasis-Citibank fraud seemed in danger of being blown out of proportion by the anti-outsourcing lobby and its political backers in the US to clamp down on outsourcing to India. There is still a danger that information sent outside the US will be considered especially vulnerable to abuse; but sensible US commentators are already drawing attention to certain positives that failed to find mention in the Indian press.

For instance, Rich Smith, writing for The Motley Fool says, “Exaggerating the dangers of outsourcing and sending data abroad won’t make our data any more secure. On the contrary, the facts of the Mphasis case suggest that in some cases, data may be safer once sent abroad. Reflect for a moment on how quickly the alleged criminals in Pune were caught. Consider for a second the fact that they were caught by the ‘cybercrime unit’ of the Pune police force. Ponder for a minute the fact that a place most of us have never even heard of before (really? ‘Pune?’) even has something called a ‘cybercrime unit’. I know my hometown doesn’t.”

Others have pointed out that Indian BPOs have already put in place elaborate precautions to prevent data theft and fraud. One international report describes how BPO employees at a Bangalore outfit swipe ID cards, “empty their pockets and bags and stuff cell phones, PDAs, and even pens and notebooks into lockers as a dour security guard watches”. Staffers ending their shifts have to shred notes of conversations with customers. Even visitors have to sign a four-page non-disclosure agreement.

Additionally, India’s Nasscom has come up with the idea of creating a list of all BPO employees, called Fortress India, to track their whereabouts through various job changes.

All these are important measures, even if their efficacy is doubtful. As Rich Smith points out in the Mphasis case: “Outsourcing wasn’t the problem here. The problem was criminals, plain and simple. And those can be found the world over.”

Cyber crime and identity theft are worrying regulators around the world. Last week, Hong Kong Bank (HSBC) asked 180,000 credit card holders in North America to replace their GM Mastercards after a computer security breach at Polo Ralph Lauren Corporation. The case also affects Visa US.

A Florida-based businessman Joe Lopez has reportedly sued Bank of America seeking the return of $90,000 that he claims was stolen from his online banking account when he fell victim to a computer virus.

The industry, in turn, is reacting to the threat of such claims. Alan Jebson, Group Chief Operating Officer at HSBC Holdings reportedly said, “The bank’s busiest day last year was when it was hit by 100,000 attacks” on its systems. Jebson said, “Industry as a whole may have to adopt a firmer line with customers” and voiced the radical view that “at some point we may not allow customers without a firewall to use HSBC online services.”

The Boston Globe reports that two American legislators, Edward Markey and Hillary Clinton, have proposed the ‘Safeguarding Americans From Exporting Identification Data Act’, or SAFE-ID Act, to guard against fraud and identity theft when customers’ personal information is processed overseas. It proposes that US businesses would be permitted to send customer data to countries with strong privacy protection and consumers will have the right to demand that their data be processed domestically. American companies would not be allowed to send customer information to a country with weak privacy laws without the consumer’s permission. Consumers would have the right to sue companies that violate the law.

Such legislation is bound to affect Indian BPO operations. After all, Practical Accountant magazine estimates that 200,000 US tax returns will be sent to India for processing this year. This is a 10-fold jump in just one tiny business opportunity.

A survey by the NHTCU estimated high-tech crime had cost UK companies with more than 1,000 employees around Euro 2.45 billion (US$4.61 billion). Of two hundred large and medium-size companies who were surveyed, 89 per cent said they had experienced some form of high-tech crime in 2004. Of those, 90 per cent suffered from unauthorised access to their company systems, while 89 per cent suffered data theft.

Clearly, the world is worried at the sheer opportunity for the proliferation of cyber crime. And India, as one of the leading players in the IT business, needs to watch international developments and beef up its legislation to avoid nasty surprises emanating from international legislation.

For starters, although the Pune police have done us proud, we need to check if our cyber security legislation and privacy laws are demonstrably adequate to deal with cybercrime on an international level.

The answer is negative. Sanjay Pandey, a former Police DCP, qualified software engineer and leading computer security expert who heads I-Sec Service Pvt Ltd., says: “Computer security has never been addressed in a comprehensive manner in India. India has no law to prevent privacy of data and the Indian Information Technology Act, which deals with computer crime does not define ‘computer security’. It confines itself to Internet transactions, digital certification and some ‘minuscule offences’.” Pandey says, “In fact, the whole IT Act appears only to facilitate CCA (Comptroller of certifying authority) infrastructure.”

Further, the enforceability of the Act has been diluted by bringing in appellate bodies to deal with offences of a criminal nature and treating them like civil complaints, which are subject to fines rather than criminal punishment.

He argues that although Nasscom’s initiative is commendable, “Screening by private agencies whatever be their constitution has no legal sanctity under the Indian Penal Code, IT Act or the Constitution. Enforcement, prevention and R&D in the area of computer security should remain in the domain of state, which, as of now has the constitutional mandate to enforce it.”

On the one hand, his view seems vindicated by the fact that the quick action of the Pune cyber crime police has been noted internationally. At the same time the ham-handed arrest of the then Bazee CEO (now eBay) in the Delhi porn scandal raises doubts about the police handling cyber crime without specialised training and awareness. Clearly, the solution lies in defining computer security and having a specific act to address all issues connected with cyber crime that have cross-border ramifications.

suchetadalal@yahoo.com

Confidential information freely available

This article of August 2004 predates the MPhasis fraud. Why is the f***ing Government of India so late to react?

Confidential information

By Sucheta Dalal

The booming software sector has led to a constant churn of experienced engineers, programmers and marketing executives. And since the industry is also beset by problems of low productivity and dishonesty about employment and education records, a reference check of potential employees is almost mandatory. This task has spun off a growing out-sourced business for consultants doing pre-employment verification of qualifications and references. Unfortunately, much of this too is being handled with the same incompetence as finance company call centres, with the result that a few companies are beginning to rebel. Exasperation levels are evident in this telling comment by a reputed Bangalore-based IT chief. He says, “I think reference checks are fine, but the manner in which they must be done is the issue...and I am sick of underpaid, under-aged girls sounding gauchely intrusive while pretending to be courteous, slogging inefficiently for bosses who thrive on the arbitrage and function like parasites while assuming themselves to be entrepreneurs. Home loans, credit cards, employee checks, country club memberships...the list is long.” The quote aptly captures the reaction of most people who are pestered by tele-marketing calls from banks and financial service companies, but the issue of out-sourced reference checks has some legal dimensions for software companies in particular.

Fiduciary responsibility

Software job applicants are invariably required to permit potential employers to reference check their submissions. This is necessary and legitimate and most employers have recognised the need for cooperation about providing references on a principal-to-principal basis, even when they lose valuable employees. However, outsourcing of this task to ‘pre-employment verification services’ has raised some interesting legal and monetary questions. For one, the consultant doing the check has no specific authorisation or liability waiver from the applicant. Secondly, as the head of a Pune-based software multinational says, “Why should I provide a free reference if the ‘pre-employment verification service’ consultant converts it into a paid service? At the least, I must get a free reference done in return”. The third issue is confidentiality of information. What is the guarantee that the verification service will not use the information collected to create a database that could be repeatedly or selectively sold to headhunters for another fee? Wouldn’t this amount to invading individual privacy without permission? The software industry, which is a big user of such references, needs to deal with the issue before it turns ugly.

Individual records

A completely different aspect of this issue pertains to individual credit records collated by the newly set up Credit Information Bureau of India Ltd. (CIBIL). Competition among personal finance providers has been so intense that consumers who have a dispute with banks or credit card issuers over wrong billing have been able to switch to another issuer without always resolving it. Not anymore. Over the last two months, members of CIBIL with access to individual credit histories are starting to refuse loans to those with a history of deliberate defaults. On the positive side, CIBIL’s entry forces people to be more meticulous about loan repayments. But what happens when individuals have genuine problems with lenders on account of faulty billing? Will their credit histories be wrecked for no fault of theirs? CIBIL says no. When the dispute is resolved either by the lender or through the order of a court or an ombudsman, the credit history will be corrected. However, CIBIL will not, on its own, flag disputed cases or accept individual submissions. While sticky disputes may be the exception, for consumers the inability to file complaints with a clearly designated authority will obviously be a problem. The Tarapore committee looking into issues related to banking services may want to anticipate this problem and help create a mechanism for resolving complaints.

SAT orders

While transparency and disclosure are the touchstone of capital market regulation, the regulators clearly don’t practise what they preach. For instance, the Securities and Exchange Board of India (SEBI) has yet to start putting up adjudication orders on its website, even though some of these cases pertain to serious offences and the penalties run into crores of rupees. If SEBI is dragging its feet on adjudication orders, then the Securities Appellate Tribunal (SAT), which hears appeals against SEBI orders, is setting a worse example. Since January this year, SAT has stopped SEBI from uploading its orders on its website. Ironically, the decision to be less transparent about its orders has come about after some key amendments have expanded and upgraded SAT. SAT now has three members (instead of one earlier) and is headed by a retired judge. What is unacceptable is that a healthy convention of allowing open access to orders could be discarded without so much as a debate. The Finance Ministry and the Law Ministry probably need to do some talking.

Email: suchetadalal@yahoo.com