Cyber Crime India

This "popular" blog makes it to national print media

2007-07-16T15:24:00.000+05:00

Small war against the big premium SMS rip-off

Mayank Tewari, Hindustan Times
First Published: 03:10 IST(15/7/2007)

Randhir Verma, president of the Chandigarh Telecom Subscribers Association, is all set to take on telecom operators over what he calls the ‘premium SMS fraud.’

A premium SMS costs anywhere between Rs 3 to Rs 6 – unlike Re 1 for a local one, and Rs 2 for a national — and the cost is shared by the cellular operator and the media channel.

“Kaun Banega Crorepati”, for instance, generated 58 million SMSes over three months. Assuming a charge of Rs 3 per SMS, a total of Rs 174 million was shared by the TV channel and the cellular operator. So who is losing out? The consumer.

“This is open cheating,” says BS Sharma, president, All India Consumer Congress, another consumer forum. “If the subscriber is at the root of this money generation, then why don’t they get a share?”

Two weeks ago, Sarbajit Roy noticed his 7-year-old son trying to send an SMS to win a free trip to Singapore.

“I was shocked to see the “Pyjama Pakdo” contest on Hungama TV. Every time a child sees a pyjama on screen he is expected to send an SMS. The first child to send 100 SMSes could win a trip to Singapore,” says Roy, a telecom consultant who writes the popular blog Cyber Crime India.

“My son was very upset when he learnt that a boy from Hyderabad had won a trip.” The Telecom Regulatory Authority of India (TRAI), which registers consumer forums like the Chandigarh Telecom Subscribers Association, does not control the pricing of value-added services.

“We don’t interfere with the price mechanism of premium SMS-based services — this does not fall under the purview of the TRAI,” says TRAI chairman Nipendra Misra.

There is one more reason why telecom operators are getting greedy. The Average Revenue Per User (ARPU), as on March 31, 2007, is going down. Market leader Bharti’s ARPU, for instance, has come down to Rs 406 (quarter ending March this year), compared to Rs 427 in the previous quarter. Idea Cellular too has witnessed a drop: to Rs 317 from Rs 322.

Result? “Everyone is focused on value- added services (VAS),” says Kartikeya, president, content, Cellebrum, a firm that provides telecom operators with VAS packages. VAS, estimated to be worth Rs 4,950 crore in March 2007, is set to grow by over 65% and generate business worth Rs 8,200 crore by the end of this financial year, according to estimates made by the Assocham.

If consumers have a problem, they should take it up with a consumer court, says Misra since TRAI is not a content regulator.

TrackBack:
http://www.hindustantimes.com/StoryPage/StoryPage.aspx?id=8411e96e-7ee4-40bf-b709-debbb4a5ddb2&&Headline=War+against+the+big+premium+SMS+rip-off

Sarbajit puts Delhi Govt in "legal fix"

2006-09-16T14:39:00.000+05:00

Govt in legal fix
NIDHI SHARMA
[ 14 Sep, 2006 0013hrs ISTTIMES NEWS NETWORK ]

NEW DELHI: Traders may be invading Town Hall with requests for giving more roads the commercial tag, but there's some bad news.

Attempts to save the capital from the sealing drive have hit a legal hurdle as Delhi government is unable to figure out under which Act it should formally notify 1,979 streets as commercial, mixed land use and pedestrian shopping streets.

MCD's standing committee had approved change of land use of these streets on Monday and forwarded the resolution to Delhi government for notification. The land use has to be changed under the new mixed land use regulations in Master Plan 2001, notified last week by the Union urban development ministry.

The government, however, is struggling. The file is still with the urban development department and officials are finding it difficult to find a legally sound way out.

Their predicament is that Delhi government cannot change the land use under Delhi Municipal Corporation Act.

According to sources, Delhi urban development minister A K Walia held meetings with principal secretary (law) B S Mathur on Tuesday and Wednesday but was told that Delhi government had no legal backing to change the land use of the streets as this pertains to land, a subject under the purview of the Centre.

The government has to frame a notification and send it for lieutenant-governor B L Joshi's approval. The notification has to be done under an Act. According to law department sources, the only sound legal option is to notify change of land use under Delhi Development Act 1957.

Constitutional expert Sarbajit Roy, who has also challenged the ministry's notification in the high court, said: "The land use regulations can be changed only by DDA and there is a set procedure for this. The Act clearly specifies that the regulations need to be put before the two Houses of Parliament."

trackback:
http://timesofindia.indiatimes.com/articleshow/1988741.cms

Sarbajit versus Goliath.

2006-03-17T18:53:00.000+05:00

"Distcoms now in RTI net"
ALOKE Tikku and MOUSHUMI Das Gupta
New Delhi {Hindustan Times - Delhi edition)

INFORMATION IS power and Delhi's power distribution companies will
finally have to share it.

The Central Information Commission on Thursday delivered a ruling that
brings the private power distribution companies (distcoms) under the
purview of the right to information law. The decision settles a
controversy over the status of the distcoms that had claimed exemption
from the RTI law on the ground that the majority shareholding was held
by private parties.

Welcoming the move, Rakesh Mehta, principal commissioner (power) said,
"The government was always of the view that distcoms should be bought
under the purview of Information Act. It would help empower consumers."

The distcoms are yet to be communicated the order. Talking to the
Hindustan Times, J.P. Chalasani, director, BSES said, "We have not
received any communication as yet. But if a decision has been taken to
bring us under RTI we will abide by it."

The Delhi government holds a 49 per cent share in the equity of the
distribution companies. In its order announced at the conclusion of a
hearing in an appeal filed by Delhi citizen, Sarbajit Roy, a
two-member bench of the commission held that this was quite sufficient
for the private bodies to be treated as a "public authority" under the
right RTI law.

Rather than seek a majority shareholding of the government, the only
requirement for a company to qualify as a public authority under the
RTI is that it should be "owned, controlled or substantially financed"
by the government.

The issue about the status of the discoms came up when a RTI request
was filed with the Delhi Electricity Regulatory Commission (DERC) to
seek information on the implementation of a Supreme Court order. Roy
had sought the information under a clause that empowered a public
authority to seek information from a private body. He never got the
information but the DERC did promptly move the Delhi government for a
clarification.

... Power to the people, finally

THE MOVE to include distcoms in the right to information Act is good
news for consumers. It means that from now distcoms will have to open
up to requests for information from consumers on all aspects of their
functioning, including issues like disposal of complaints, reason for
delay, what action has been taken against staff for delay, how much
power they get from Transco etc.

The issue had been hanging fire for quite some time. In fact, the
Delhi government had written to the Centre last month seeking their
clarification. The issue had also rocked the ongoing session of Delhi
Assembly.

sarbajit roy

DERC faces contempt petition [Sarbajit Roy]

2006-01-12T10:26:00.000+05:00

Sarbajit files a contempt petition in Supreme Court of India

DERC faces contempt petition
NIDHI SHARMA
[ Saturday, December 10, 2005 01:14:16 am TIMES NEWS NETWORK ]

NEW DELHI: A contempt petition has been filed against Delhi Electricity Regulatory Commission (DERC) for not directing private power companies to disconnect electricity connections of illegal industrial units running in non-conforming residential areas in the Capital.

The petition was filed after the fire mishap in a Vishwas Nagar factory on Wednesday which was triggered by a short-circuit.

On May 7, 2004, Supreme Court had given Delhi government a time-frame to close down illegal industrial units that had come up after August 1, 1990.

The order was clear: water and electricity connections of the industrial units found operating after the due date of closure (the last deadline was November 8, 2004) had to be disconnected.

The deadline for disconnection was December 8, 2004. According to statistics of Delhi Pollution Control Committee, the number of illegal industrial units that had come up after the 1990 cut-off date was about 51,000 in 1990 but had increased to 1.01 lakh by 1995.

Official figures provided by the industries department show that only 2,673 water and electricity connections have been disconnected.

The petition points out that despite the court orders, the private power companies were not directed to disconnect connections of illegal units.

The drive against illegal industrial units was also carried out by SDMs and not the companies. The petitioner, Sarbajit Roy, has said: "The power companies have earned profits worth Rs 2,000 crore because of not initiating a drive against illegal industries.

The contempts, which have commenced from December 9, 2004 and which are still going on, have seriously affected the administration...and deprived the residents of Delhi from their lawful entitlements to electricity."

Trackback:
http://timesofindia.indiatimes.com/articleshow/1326185.cms

Sarbajit and his multicoloured RTI raincoat

2006-01-12T10:16:00.000+05:00

Sarbajit Roy gets results on opening day :-)

First proceeding under RTI Act
Manoj Mitta
[ Saturday, December 24, 2005 01:55:08 am TIMES NEWS NETWORK ]

NEW DELHI: The first ever quasi judicial proceedings under the Right to Information Act 2005 kicked off on a propitious note as a public authority readily agreed to mend its ways and give information to citizens without asking questions.

The Delhi Development Authority (DDA), represented by its vice-chairman Dinesh Rai, told the Central Information Commission (CIC) that it would shortly revise the format of its existing application form to bring it in line with the RTI Act, so that no citizen has to give any explanation for why he is seeking information.

In another far-reaching reform, the DDA said that each of its 40 public information officers would, in keeping with the RTI Act, be directed to accept any application for information regardless of whether the subject pertained to him or not.

The CIC also forced the DDA to admit that its website does not comply with the RTI mandate of making a pro-active disclosure in form of 17 manuals on different aspects of the organisation.

The concessions wrested from the DDA at its very first hearing may help the two-month-old CIC establish its credentials as the independent appellate body envisaged by the RTI Act.

It is still too early to say whether the CIC packed with ex-babus really has the will to thwart the covert and not so covert attempts by the bureaucracy to hide information from citizens.

In keeping with its stated policy of transparency, the CIC took the unusual step of allowing TV cameras to capture the proceedings in the face of objections from DDA officials.

At the end of a two-hour public hearing, the CIC gave a fortnight to the DDA to explain why it had withheld from an applicant, Sarbajit Roy, the public feedback on the proposed Master Plan for Delhi-2021.

The first hearing, however, had its share of teething problems. For one, the room available with the CIC to hold its public hearings turned out to be too small.

In fact, the CIC, currently housed in the old campus of JNU, has already put out an advertisement to lease a larger and more centrally located premises.

The CIC also admitted that it should not have in the very instance summoned the head of the DDA. It is likely that for future hearings, the CIC will summon only the public information officer of the department concerned to respond to the grievances of the applican

Trackback:
http://timesofindia.indiatimes.com/articleshow/msid-1344538,curpg-1.cms

RTI: Depts have put up manuals online

2006-01-12T10:14:00.000+05:00

More on Sarbajit Roy and his Right to Information Complaint against DDA

RTI: Depts have put up manuals online
Manoj Mitta
[ Friday, December 23, 2005 02:20:21 amTIMES NEWS NETWORK ]

NEW DELHI: The first-ever hearing by Central Information Commission on a particular matter is going to decide how much water does the RTI law hold.

The RTI law specially provides that where the information sought for "concerns the life or liberty of a person, the same shall be provided within 48 hours of the receipt of the request".

This implies that public information officers will have to attend to such urgent requests even on weekends and holidays. Most departments have made no arrangement yet for complying with this statutory requirement.

The most commonly flouted provision of the RTI Act is the one that prescribes that each department should maintain 17 manuals in the public domain to usher in greater transparency in the functioning of the government.

The departments that have put such manuals on their websites can be counted on fingertips. Each of these omissions and commissions on the part of bureaucracy have been highlighted by the complaint filed before Central Information Commission by a Delhi-based engineer, Sarbajit Roy.

Trackback:
http://timesofindia.indiatimes.com/articleshow/1343137.cms

Central Information Commission to hear first case Friday

2006-01-12T10:11:00.000+05:00

Sarbajit Roy's RTI Test Case will have its first hearing on Friday 23-December-2005

Central Information Commission to hear first case Friday
New Delhi | December 22, 2005 2:15:06 PM IST

It will be a baptism of sorts for the newly formed Central Information Commission when it hears its first case under the Right to Information Act Friday.

"It's about procedural matters of the Delhi Development Authority (DDA). The appellant has said that the mechanism of providing information by the DDA is inadequate," India's first Chief Information Commissioner Wajahat Habibullah told IANS.

This will be the first appeal case after the RTI Act was enacted Oct 12 and the Central Information Commission was set up.

"It will help us clarify a lot of issues. I don't know whether there was any offence against the RTI Act which the appellant (he didn't mention the name) has accused the DDA of," Habibullah, a retired officer of the Indian Administrative Service, said.

The full five-member commission that also includes O.P.Kejriwal, Padma Balasubramanian, M.M. Ansari and A.N. Tiwari will hear the case.

"This will set a precedent for hearing such cases by the commission," Habibullah pointed out.

The veteran bureaucrat also disclosed the modus operandi on appeal cases to be heard by the commission. The procedure was finalised over a week ago.

"We have assigned various ministries to different commissioners. The appeal, depending on which ministry it pertains to, will first come to one commissioner," he said.

"If the commissioner rejects the appeal, he will ask for the assistance of another commissioner. If the two differ, then they will place the matter before the multi-member commission," Habibullah explained.

"The first court is the public information officer of the ministry. And the first court of appeal lies with the ministry. The commission is the final court of appeal," he clarified.

The commission is, however, still in the process of evolving practices and procedures to deal with cases where information has been denied or adequate information has not given to a person.

Fiercely defending the independence and integrity of the commission, Habibullah, an advocate of transparent governance, said: "The commission is being set up outside the government. The commission can ask any papers from the government. I am not answerable to the government.

"The commission will decide whether the government's instructions on are in conformity with the act or not," he added.

The right of information seeks to bring greater accountability and transparency in governance of the country by providing citizens access to all government records except in cases that affect national security.

The commission, which is presently located in the guesthouse of the Lal Bahadur Shastri Academy for Training in Jawaharlal University's old campus, is also in search of new premises.

"We are venturing out in search of new premises from the private sector. It should happen in not more a month's time," said Habibullah.

Responding to Kejriwal's contention in the open letter he wrote to Prime Minister Manmohan Singh sometime back, he said: "He (Kejriwal) felt the process of setting up the commission was very slow. It could be because he is not from the government."

"The commission is still in the process of being set up. We have skeletal staff. I don't have space to put staff here," he admitted.

Trackback:
http://news.webindia123.com/news/showdetails.asp?id=198500&cat=India

2005, Right to Information Act gets 1st applicant

2005-10-04T16:15:00.000+05:00

Right to Information Act gets 1st applicant
- By Urvashi Kaul

New Delhi, Oct. 3: While the citizens of India are waiting for October 12 to spam the system to request for information using the Right to Information Act 2005, which officially comes in to force from that day, there already seems to be a request for information filed with the Department of Information Technology, due to a "tricky loophole" that the applicant citizen has pointed out.

Official sources said that this is the first request for information under the Right to Information Act 2005.

The application requests for information pertaining to amendments to the Information Technology Act under this Act.

The request, under the said Act, a copy of which lies with this newspaper, points out that as per Section 1(3) certain provisions, particularly Sections 5(1) and 5 (2) of the Act, have long been in force. The letter further says that "these sections provide for mandatory designation of information officers within the department to receive the requests for information from applicants within 100 days of the Act coming into force."

Mr Sarbajit Roy, who requested for information under this Act, wanted to know "whether a cyber regulation advisory committee has formally considered and submitted any advice and/or recommendations concerning amendments to the Information Technology Act 2000 and the other specifics related to it."

The Act was passed in order to promote transparency and accountability in the working of every public authority.

The Right to Information Act, 2005, received the assent of the President on June 15, 2005, and was accordingly published on June 21, 2005.

The Act provides for setting out the practical regime of right to information for citizens to secure access to information under the control of public authorities. Under the Act the department must expeditiously provide information.

The maximum time limit is 30 days from the receipt of the request.

Trackback : From Asian Age, New Delhi, 3, October 2005
first request for information under Right to Information Act 2005

----

The info I seek from DoIT is as follows:-

1) Please inform me if the Cyber Regulation Advisory Committee has
formally considered and submitted any advice and/or recommendations
concerning amendments to the Information Technology Act 2000. If so,
please list out, and well specify, the dates / reference numbers of
such advice(s) / recommendations.

2) I wish to inspect (and take notes from) all records and/or recorded
deliberations of proceedings, materials, representations to,
submissions to/of, documents, information etc. considered from time to
time by the Cyber Regulation Advisory Committee concerning amendments
to the Information Technology Act 2000.

3) Likewise (to para 2 above), I wish to inspect all similar records,
information(s), opinions, materials, file notings etc. concerning the
Expert Committee(s), in any, formed to examine amendments to the
Information Technology Act 2000.
----------

Title: First Applicant under Right to Information Act 2005, India, Request for information under RTI India.

Pawan Duggal comments Ebay India PaisaPay encryption

2005-08-11T10:40:00.000+05:00

Is Encryption legal in India?

By Urvashi Kaul (Asian Age)

New Delhi, Aug. 10: Is encryption legal in India? Well that’s the impression one gets when you log on to any of the online auction sites. Any Indian citizen, unaware of the IT Act 2000 or the Wireless and Telegraph Act would be led to believe that it is, indeed, legal in India, without realising that he/she would be liable to imprisonment for up to five years.

For instance, ebay.in, an online auction site has been, apparently, inducing (in to participating) its buyers and sellers in to breaking the law. Incidentally, Ebay India had acquired bazzi.com in July 2004. It may be recalled that bazzi.com’s CEO Avnish Bajaj is still facing charges in connection with circulation of the lewd MMS depicting two Delhi Public students in a sexual act.

While the Indian IT Act, 2000 allows absolutely no encryption, ebay.in, seemingly, tells its site visitors that 128 bit encryption is legal in India. Furthermore, ebay.in has been inviting its customers to fax their Credit Card details in order to pay sellers through PaisaPay (a gateway used for payment provided through leading banks like ICICI, HDFC, Citibank), that the website claims comes to a "secure server" and only "authorised ebay employees have access to".

IT Act experts point out that by asking customers to fax their credit card statement which contains other details like name, credit card number and billing address, these websites are actually "aiding and abetting" credit card frauds.

"Going by the present status," said informed sources, "The Central Government, so far, has not notified any security procedures under Section 16 of the IT Act for on-line electronic commerce, banking and financial transactions in India." Informed sources also point that the department of telecom, which consents to 40 bits encryption also seems to be overlooking law.

Cyber law expert Pawan Duggal said that, "Although the government has not made any effort to define encryption in the Indian IT Act, but technically it clearly says that it is not allowed."

Trackback: Pawan Duggal illegal ebay 128-bit encryption

Ex RBI GM K.Vijayraghavan comments

2005-07-27T14:21:00.000+05:00

Deccan Herald » Economy & Business » Detailed Story

RBI’s proposed norms may ease life for cardholders

The RBI has come out with a draft guideline for credit card issuers, but how far this is implementable is the moot point, says K Vijayraghavan.

The Reserve Bank of India (RBI) has recently come out with a draft guideline for the issuers of credit cards. The guidelines have been issued in the wake of complaints of harassment and ill-treatment meted to card holders particularly at the time of recovery.

The first issue that juts out is that issuers, viz., banks and NBFCs have been made liable for the actions of their direct sales agents (DSA). The issuers have been told in very unmistakable terms that the agents will have to comply with the norms of KYC (know your customers). What this essentially means is that the background of the customer should be thoroughly screened by the agents before issuing cards. The intention is laudable, but implementation is not easy.

It is not clear as to what options are available to issuers in case agents fail to fulfill the mandate. Well, the agency can be terminated, but it is only curative and less preventive. In other words, there appears to be a need to spell out more clearly the issues that could crop up in this area which would need to be settled between issuers and agents or how complicated problems can be sorted out and solutions enforced on the agents if necessary.

The Banking Ombudsman will look into complaints from holders or issuers. But it is not indicated whether disputes between issuers and agents fall within the ambit of Banking Ombudsman. Appointing DSA is part of outsourcing activities which banks do. But the extent of risk involved in this exercise needs to be carefully measured. The issuers of cards will do well to keep this in mind and ensure that their agents are kept under strict surveillance. A larger issue is: whether outsourcing is desirable everywhere and anywhere may also worth debating.

Fixing credit limit

The guidelines say that the drawing limit for cards should be fixed by issuers after taking into account the fact that there is no prohibition on a person getting several cards, which will increase his drawing/borrowing power. The intention, again, is commendable, but one point needs clarification. What is the mechanism available to issuers to obtain information on the number of cards (and their drawing power), a person has? Will a declaration from the applicant be sufficient? What is the option available to issuers if an applicant suppresses such information? We are in a super computer world, and the death of distance has already been brought about. Can there be not a centralised agency where full details of cards issued by all agencies can be pooled? It should also be possible to plug loopholes in such a system where a person tries to obtain card under different names or by differently spelling his name.

Making calls

A number of protective clauses are seen in the guidelines from the point of card holders, particularly in regard to levying of interest, wrongful billing etc. This is no doubt welcome. It is also desirable to ensure that unsolicited calls are not made to customers and unsolicited cards are not issued as said in the guidelines. Maintenance of a “do not call registry” has been prescribed to be maintained by issuers. The agents are to be told by issuers that only those calls which are cleared by the latter should be made to customers. But, what will be the position in the case of calls made to a card holder who prefers to treat even a recovery call as an unsolicited call which is non-permissible and accordingly takes objection. How can the issuer or agents prove that it was not an unsolicited call? It will not be out of context to mention in this connection that making unsolicited calls have become a part of marketing strategies, and some foreign banks make such calls to offer loans.

Information protection

Considerable protection also seems to have been extended to card holders with regard to confidentiality of information. The issuers have been told that they should be very discreet and selective while passing on information about card holders to agents. It is said that “personal information provided by the card holder but not required for recovery purpose should not be released” by the issuers to agents. If the issuers make the agents fully responsible for recovery, stipulating such conditions may ultimately create problems for the issuers. The question will also arise as to who will be responsible to decide what all information about cardholders can be released or should not be released to agents by the issuers.

Recovery

It is not inconceivable that somebody asks for a list of dos and donts in this regard, which may not be very easy to prepare. The guidelines also say that neither the issuer nor the agents shall cause harassment of any kind to any holder while effecting recovery. It is known that certain cardholders get rough treatment at the time of recovery. There is no doubt that authorities effecting recovery should not take law into their hands while carrying out their duties. At this juncture, it is necessary to ponder as to how banks have been effecting recovery of normal advances. The situation is no different in the case of credit cards....Perhaps it may be advisable to bring in the concept of “willful defaulters”, who fall in a different category. This is a tricky and partially risky area and is double-edged. Putting such instructions in black and white as also not doing so are both trouble-inviting strategies. Needless to say all cases of credit card defaults cannot be taken to court either. Whatever may be the suggestions or disagreements one may have about the guidelines, instructions from RBI will have to be given due importance by all concerned. The point, however, is that instructions coming from RBI have statutory backing and are more or less mandatory. This being the case, RBI would also like to consider whether some portions of the guidelines could have been issued by Indian Banks’ Association (IBA).

No doubt, the guidelines have thrown lot of light on many grey areas. Nevertheless, issuers and agents will always be interested and rightfully so, in getting their money back. Their interests also need to be protected because, ultimately, here also depositors money is involved.

One may not be able to visualise hundred per cent recovery position for credit cards, but many of the problems which cropped up in this area have been to a significant extent, caused by the haphazard and untrammelled way in which credit cards were issued.

Proper appraisal

It would be interesting to conduct as study to ascertain whether default level and also the various other problems are more in the case of customers or non-customers. There is reason to assume that they will be more in the case of non-customers. If so, it would prove beyond doubt that lack of proper appraisal and examining the need to possess a credit card have given rise to the present state of affairs.

In the name of retailing, banks have perhaps compromised on certain cardinal issues thereby glossing over the inherent risks associated with retailing. Let me again quote the RBI deputy governor who said “While retail banking offers phenomenal opportunities for growth, the challenges are equally daunting.

How far retail banking is able to lead to growth of banking industry in the future, would depend on the capacity-building of banks to meet the challenges and make use of opportunities profitably.” This being so, RBI may like to consider whether banks need to be advised in unambiguous terms that they should put more emphasis on proper appraisal before issuing credit cards.

The writer is a retired Chief General Manager, RBI. E-mail: k.vijayraghavan@gmail.com

CIBIL and the Law

2005-07-27T13:37:00.000+05:00

"Do not intimidate credit card holders"

Special Correspondent

Reserve Bank issues draft guidelines to banks, NBFCs

MUMBAI: The Reserve Bank of India has stated that banks and finance companies issuing credit cards should not resort to intimidation or harassment to recover dues.

"The banks or non-banking finance companies (NBFCs) and their agents should not resort to intimidation or harassment of any kind either verbal or physical against any person in their debt collection efforts, including acts intended to humiliate publicly or intrude the privacy of the credit card holders' family members, referees and friends, making threatening and anonymous calls or making false and misleading representations," the RBI said in its draft guidelines on Credit Card Operations issued here on Tuesday.

When banks outsource credit card operations, they had to be extremely careful that the appointment of such service providers did not compromise with the quality of the customer service and the bank's ability to manage credit liquidity and operational risk.

In the choice of the service provider banks had to be guided by the need to ensure confidentiality of the customer's records, respect customer privacy and adhere to fair practices in debt collection.

`Follow procedures'

Before reporting default status of a credit card holder to the Credit Information Bureau of India Ltd (CIBIL) or any other credit information company authorised by the RBI, the banks might ensure that they adhered to a procedure, duly approved by their board, including issuing of sufficient notice to such card holder about the intention to report him/her as defaulter to the Credit Information Company.

Banks need to Educate Card Users.

2005-07-27T13:35:00.000+05:00

In search of friendly recovery measures
PREETI R IYER
Friday, July 15, 2005 at 0000 hours IST

As American business tycoon John Paul Getty rightly pointed out, “If a customer borrows $100 from a bank, it’s the customer’s problem. But if he borrows $100 million from a bank, then it is the banker’s problem!”

Increasingly, the rate at which credit card dues are piling up, it now seems more like a bankers’ problem than the borrower’s. Competition within the industry has forced card issuers to go for massive countrywide expansion, compromising on the due diligence of issuees.

Lack of awareness about various conditions, including charge of high interest rates (between 20 and 40% per annum) and roll-over of outstandings lead the cardholder to commit frequent defaults and fall into the debt trap. Since credit card exposure is an unsecured lending, recovery remains a challenge for the credit card issuer.

Several measures could help salvage the situation. The establishment of the credit bureau (CIBIL) provides a unique opportunity to improve the screening of new applications and banks plan to fully avail of this service to spot the defaulters. Banks are sprucing up various methods to try and identify the potential risks a customer carries and accordingly, issue cards to applicants.

Says HSBC’s head-personal financial services India, Nicholas Winsor, “This helps safeguard the quality of the bank’s portfolio. We also refer to various sources that might indicate a history of delinquency, an attempt aided by the credit bureau. Based on portfolio data, we do identify segments which are not performing well and restrict these cases.” Another route banks adopt is to provide credit card users the facility of converting outstandings into a personal loan, payable via EMIs at lower interest rates.

Standard Chartered Bank attempts to ensure high portfolio quality by deploying scoring models and advanced portfolio management techniques. Explains the bank’s head-consumer banking-India and Nepal, Murali M Natrajan, “We process new applications through scoring, verification, negative database, telephone and residence verification. We also have experienced underwriters who are able to spot fraud attempts.”

Of late, the methods of recovery of credit card dues from defaulting customers deployed by banks have become a matter of immense concern for the banking regulator, Reserve Bank of India and various consumer forums. In this regard, banks typically follow a recovery procedure beginning with written communication, reminding a customer about outstandings, along with a phone call. Banks also claim that after an adequate period of time along with series of reminders, bank representatives help the customer plan his repayment schedule, including financial counselling to ensure that the customer avoids the debt trap.

However, HDFC Bank’s vice-president and head-product and portfolio, credit cards, Parag Rao opines, “The number of customers in India maintaining outstandings against credit cards is still well below international levels, and most of them pay their dues within the stipulated time.”

However, there is more to it than meets the eye. Banks also need to acknowledge the fact that they do need to play an educative role by helping customers manage credit in a wiser manner. In this pursuit, banks have started using various methods to reach out to the masses, be it via booklets, manuals, internet or on-ground initiatives. These convey to the customer how he can avoid falling into the debt trap by managing his credit prudently. In a bid to reward customers with prompt payment track records, banks try and give these customers added benefits and a favourable interest rate structure. At times it becomes imperative that punitive measures and corrective steps be taken, well ahead of time before it becomes too late.

Credit card issuers also need to adopt measures which will help them reach out to the customer in a better manner. The aim should be to lend a personal touch to the banker-customer relationship, wherein the customer is made aware of his needs, responsibilities and privileges.

Credit Cards: RBI's Houdini Act. (Smoke & Mirrors)

2005-07-27T13:33:00.000+05:00

Finally, relief for credit card users

Niranjan Krishnan | July 02, 2005 14:59 IST

In a welcome move that will wipe the frown off the face of many credit card holders, the Reserve Bank of India has proposed a set of guidelines to regulate credit card operations in the country.

The draft of the guidelines is presently placed in public view for feedback from various stakeholders. They will be finalised in the next few months and come into force for implementation by the end of August.

The scope of the proposed guidelines spans a whole gamut of credit card operations, touching upon card issuance, interest assessments, billing, customer rights, information-privacy and confidentiality, debt collection practices, outsourcing activities and redressal of customer grievances.

Some of the creditable and consumer-friendly features of the proposal are:

* The terms and conditions of the credit agreement should be disclosed in clear and simple language in all important communications to the customers. A listing of key items to include in those communications is also provided in the guidelines.
* The interest calculations must be explained with illustrations in each billing statement dispatched to customers.
* The credit card companies should send their billing statements without delay and customers must be given at least 10 days for settling their bills before interest assessments can kick in.
* Personal information of customers should be held confidential and cannot be shared with third parties.
* An Internet-enabled "Do not call registry" must be maintained by credit card companies to give consumers the choice of opting out of unsolicited phone calls and SMS messages.
* Debt collectors should not resort to verbal or physical intimidation or harassment of cardholders, their friends and family.
* The credit card companies are liable for the actions of third parties hired by them for sales or collections.
*
Customer complaints should be resolved within 60 days.

The RBI guidelines, though covering a lot of ground, however, are not free from their baggage of controversies, limitations and omissions.

The credit card companies are now authorised to issue the plastic to only those consumers with independent financial means. The card issuers are explicitly forbidden from signing up students into their portfolio.

Expectedly, this rule has been greeted with consternation by the industry. It will elicit a similar disapproval from the student population and is also bound to take some fun out of their ephemeral and insouciant school life.

There is a provision that implies placing credit limit restrictions on customers holding multiple credit cards. It appears a tad gratuitous, if not officious, on the part of the regulator to make such a rule or recommendation.

While it is reasonable to prohibit the issuance of credit cards to minors, criminals and anti-nationals, the right of approving otherwise bona fide customers should remain with the risk taker and not the regulator.

By the same token, the number of credit cards and total spending limit to approve or avail of, are decisions best left to card issuers and their customers.

Both these stipulations appear ill-advised and smack of over-regulation that hinders than helps the interest of card issuers and consumers. Only a fence is needed between the two parties so that they can stay within their limits and do business with each other. Not a fortification that could stifle them both.

These two controversial provisions will hopefully be modified before the guidelines are released for implementation.

Issues concerning unsolicited offers, identity theft and fraud do not appear addressed adequately by the present batch of guidelines:

* There is a ruling that states that unsolicited credit cards should not be generally issued but it stops short of prohibiting such a practice. Sending unsolicited credit cards to customers' doorsteps is an unwarranted allurement that could set them up for a debt trap. It would be expedient to tighten the rule further and strictly bar such an entrapment tactic.
* There is no mention of the liability of credit card issuers to customers in case there is leakage or loss of customer information, or theft of customer identities due to weakness in their customer information storage and processing. Fixing the liability of card issuers for customer damages stemming from internal operational failures would further reinforce the rules on information privacy and confidentiality.
*
In case a credit card is lost or stolen, the customer is usually held liable for any unauthorised charges made from the time of loss to the deactivation of card by the company following customer's report. As it happens in developed countries, an upper limit needs to be placed on the extent of the customer's liability since the card issuer, too, has the responsibility of managing fraud risk by diligently scanning out-of-pattern behaviour while approving transactions at the point-of-sale.

One overarching theme that did not get sufficient attention in the guidelines is the specification of penalties for their violation. Given that grievance redressal is a tardy and, at times, tormenting process in India, especially for consumers who often lack the awareness and resources, setting a stringent minimum threshold for penalties upfront can go a long way towards motivating the card issuers in following the guidelines in their day-to-day operations.

On the other hand, the critical issue of card issuers making uninitiated and unwanted contacts with customers could possibly be resolved more efficiently than the arrangement envisioned presently.

The rules propose an internet-enabled "Do not call registry" to be maintained by each and every card issuer to give customers the choice to be excluded from solicitations.

This entails customers individually contacting every card issuer in the country, a cumbersome task given the proliferation of card issuers in the country. Also, there will be replication of efforts by card issuers whose resources could be more gainfully deployed in other value-adding activities.

A more efficient mechanism for enabling customers to opt out of solicitations would be to maintain the registry in a central location accessible to both card issuers and consumers.

Credit bureaus such as Credit Information Bureau of India Ltd. (Cibil), which maintain a record of all credit consumers, could provide a perfect platform for this purpose.

Entrusting the credit bureaus with maintaining the "Do not call registry" can also address another such "excuse me, please" issue not taken up by this initiative. Not only can customers opt out of unsolicited phone calls, they can also be given the right to make their credit file inaccessible to lenders making unsolicited offers through other channels like mass-mailing, which is another matter that would need to be addressed at some point in time.

This proposal does not also cover the issuance of credit cards to consumers because their employers require it done. This matter opens up a few grey areas where the regulatory lakshman rekhas between different parties need to be drawn, and could perhaps be a subject of the next round of regulations.

Overall, the most glaring limitation of the present set of guidelines is that they are expressly confined to credit card operations. A majority of the regulatory gaps the guidelines help in filling are also common to other credit schemes available in the market such as vehicle loans, home loans, and personal loans.

The RBI can consider broadening the scope of the guidelines to apply for all other credit products and facilities depending on the pertinence and possibility of application.

In summary, although the proposed set of RBI guidelines on credit card operations has some wrinkles to be pressed out, it will undoubtedly serve as a first solid pass of the steamroller in levelling the playing field and promoting an equitable balance between credit card issuers and their customers.

Why US Cyber Laws are better

2005-07-11T10:08:00.000+05:00

Trackback From : eplaw.us

Information Security Negligence: PSECU v. BJ's Wholesale

05/22/2005

I wrote that the development of information security depends on litigation, and litigation between private parties, specifically. The BJ's Wholesale litigation is especially interesting because it involves credit card security, the plaintiffs are large companies (specifically, banks), and it raises some novel legal issues.

Credit Cards
Litigation over credit card security is interesting because credit cards are ubiquitous in legitimate commerce and a frequent target of computer crime. Credits cards are a commodity for computer criminals, who have even automated the trade of credit card numbers. As computer intrusions continue to target credit cards, credit card security standards will play a larger role in information security litigation.

Payments over the Visa and MasterCard networks involve at least five parties. When a cardholder presents a credit card to a merchant for payment, the merchant swipes the card and transmits the information encoded on the magnetic strip on the back of the card to an acquiring bank (or, sometimes, a third party processor). This information can include card number, expiration date, cardholder name, and the card verification value. The acquiring bank transmits the information through Visa's network to the issuing bank (which gave the credit card to the consumer). The issuing bank confirms the account, verifies the transaction is within credit limits, reviews the transaction for signs of fraud, and approves (or disapproves) the transactions. Actual payment is made when the acquiring bank and the issuing bank settle their accounts by wire transfer. (Discover and American Express simplify this arrangement: they operate the network, and act as issuing bank and acquiring bank.)

All this is supported by a contractual framework. Visa (which an association of member banks) operates the authorization network. Member banks (be they acquiring or issuing banks) have a contractual relationship with Visa through its operating regulations (which govern many aspects of credit card transactions). Member banks do not, however, have a direct relationship with each other. The acquiring bank has a contractual relationship with the merchant through a merchant agreement. The operating regulations require that acquiring banks include certain requirements in their merchant agreements, and monitor their merchants' compliance. This way, Visa has some control over merchant behavior, even though most merchants do not have a direct relationship with Visa. Finally, issuing banks use low-interest teasers, cash rebates, low minimum payments, and universal default clauses in their cardholder agreements to attract and profit from cardholders. (Debit card transactions tap directly into cardholders' accounts.)

Visa and MasterCard have generated a number of procedures in their operating agreements to limit fraud. One of the center innovations is the card verification value (CVV) which is printed on the back of a credit card, not embossed onto the card. [Update: Scott Loftesness over at Payment News informs me that CVV refers to a separate three digit amount encoded on the magnetic strip, while the number printed on the signature panel on the back of a credit card is CVV2.] (This might seem like a nominal measure, although it frustrates bulk manufacturing of fake cards.) Visa and MasterCard direct merchants to collect CVV2s in transactions where the card is not present (e.g., Internet and phone sales). Visa and MasterCard have also pushed minimum standards for merchant information security, to protect against computer criminals collecting credit card numbers from insecure merchants. Visa and MasterCard apparently started this initiative after a well-publicized incident in which a computer criminal obtained 350,000 credit card numbers CD Universe and attempted to extort $100,000 from the firm. These rules have evolved over time; the most recent standard is the Payment Card Industry Data Security Standard.

The Security Breach at BJ's
Litigation has exposed some facts about BJ's credit card equipment. BJ's contracted with IBM to replace the credit card processing system at its cash registers in 1999. (BJ's now alleges that contract required IBM to ensure that its replacement system was compliant with Visa operating regulations, and BJ's alleges it specifically told IBM to prevent its system from storing magnetic strip data. IBM disputes these claims.) It was later determined that IBM's system did in fact store certain magnetic strip data in its system logs from July 1, 2003 to February 29, 2004. Fifth Third Bank was BJ's acquiring bank and managed BJ's interface with the Visa system. BJ's learned of "an alleged compromise" in February 2004, and had a computer consultant review its systems. The consultant found "no breach of BJ's centralized computer system or via the Internet and no direct evidence of a compromise at the club level," but did discover the credit card information in IBM's system's logs. Visa's Cardholder Information Security Program and Visa's operating regulations prohibited merchants from retaining information from magnetic strips on the back of the cards.

I have not seen any indication that BJ's has yet learned how the breach occurred. It seems that BJ's first learned the breach happened from credit card companies. (There is no indication of how Visa learned that BJ's was the source of the compromise. I would assume it identified compromised credit card through fraud detection algorithms and identified BJ's by working backwards from the historical purchases on those credit cards.) MasterCard and Visa's initial warning to effected issuing banks did not disclose BJ's identity, but BJ's publicized the breach in March 2004. We know that authorities have detected and located some of the individuals using and trading the cards, and some law enforcement have concluded that the attack was accomplished over the Internet (which contradicts the findings of BJ's consultant).

In any event, BJ's breach caused substantial damages to issuing banks: under 15 U.S.C. ss 1643 and 1693g, the issuing bank is liable for fraudulent charges, rather than the cardholders. In BJ's case, many of the banks cancelled the compromised cards and reissued new cards to limit their liability for fraudulent charges. Issuing banks must also absorb the costs of notifying cardholders, reissuing cards, and the interruption of business in the interim. In Note F to the Financial Statements of its last 10-K filing, B.J.'s estimates that there are approximately $10 millions in outstanding claims against it. The Pennsylvania State Employees Credit Union (PSECU) claims losses approaching $100,000, while Sovereign bank claims $500,000 in losses, and Banknorth NA filed suit claiming losses of $583,000. Meanwhile, CUNA Mutual Group (mutual insurance company for credit unions) alleges it suffered millions of dollars of losses.

PSECU's Lawsuit
PSECU filed suit in Pennsylvania state against BJ's and Fifth Third on June 18, 2004, and the case was removed to the U.S. District Court for Middle District of Pennsylvania on July 16, 2004. PSECU's complaint was filed on August 5, 2004. In essence, it states that BJ's collected magnetic strip data from its customer's credit cards from July 1, 2003 to February 29, 2004 and failed to delete it, and that Fifth Third did nothing about it. Consequently, PSECU had to reissue 20,029 cards at a total cost of $98,128.13(!). PSECU's complaint states two claims against Fifth Third and BJ's each. PSECU's breach of contract claim alleges that Visa operating regulations in effect at the time required that merchants to secure magnetic strip data while using it, to delete it as soon as it was no longer needed, and also required acquiring banks' merchant agreements to require merchants to abide by the operating regulations. PSECU's negligence claim alleges that BJ's breached its common law duty to secure the magnetic strip data and to delete the data after its use, and that Fifth Third breached its duty to ensure that BJ's did so. BJ's and Fifth Third answered PSECU's complaint on September 14, 2004.

BJ's Third Party Claim Against IBM's
BJ's filed a third party complaint against IBM, essentially seeking to shift any liability to IBM for the flaws in the credit card processing system that caused magnetic strip data to be retained. IBM moved to dismiss the complaint. BJ's response is here. The court's May 3, 2005 ruling dismissed some of BJ's claim but saved others. The court dismissed BJ's Massachussets-based unfair practices claim, its New York-based deceptive practices claim, and its declaratory judgment action, as well as certain parts of BJ's indemnity claim. The court rejected, on the other hand, IBM's argument that the complaint was deficient without an allegation that IBM's retention of magnetic strip data was connected to a security breach, noting that Federal Rule 8(e) permits BJ's to make conditional allegations: if BJ's is held liable for a security breach, then IBM is liable to BJ's for retaining magnetic strip data.

Economic Loss Doctrine and Information Security
The court also rejected IBM's arguments against BJ's negligence claims and the part of its indemnity claim related to replacement of compromised cards. Those rulings are the most significant part of the court's decision. IBM claimed the indemnity claimed was barred by disclaimers in the contract. The disclaimers had an exception for third-party claims for damages to "tangible, personal property." Citing America Online, Inc. v. St. Paul Mercury Ins. Co., 347 F.3d 89 (4th Cir. 2003) for the proposition that computer data is not tangible property property, the court dismissed those indemnity claims arising from damage to the personal data on the cards. The court also found that money held in debit cardholder's accounts was not tangible property either, and so dismissed those parts of BJ's indemnity claim related to theft from debit cardholders' accounts. The court did not dismiss the parts of BJ's indemnity claim related to the costs involved in replacing credit cards. The court's response to IBM's argument that the card were not physically damaged is interesting; the court holds that there is no reason that the damage to tangible property need be physical. Here, the cards were not destroyed, but were made useless (or worse) after they were compromised. "IBM's liability was preserved as to the injury to these cards as physical objects, the loss of the use of these cards [for credit card transactions,] but measured by the value of the cards as blanks."

The court applied the same logic to summarily reject IBM's economic loss doctrine argument against BJ's negligence claim. The economic loss doctrine has hazy outlines. Generally speaking, the economic loss doctrine limits the recovery of economic losses (typically, disappointed commercial expectations) to parties to a contract. (Thus, breach of contract plaintiffs can seek to be put in the same position they would have been if the contract had been performed.) The economic loss doctrine applies to negligence and strict liability claims; it does not apply to personal injuries, property damage, or intentional torts. The economic loss doctrine is widespread (the Supreme Court recognized it in East River S.S. Corp. v. Transamerica Delaval Inc., 476 U.S. 858 (1986)) but there is substantial variation between different states' application of the doctrine. Because defendants can argue the economic loss doctrine eliminates liability for the disclosure of confidential or secret information, it will become a central feature in information security negligence cases.

Poor Laws cause Intel India Exit

2005-07-09T15:29:00.000+05:00

Intel freezes $400m India investment
- By Urvashi Kaul

New Delhi, July 8: Global chip manufacturer Intel has frozen plans to invest $400 million in India for the setting up of a manufacturing plant. The move is seen as a major dampener to the UPA government’s plan to attract foreign investment,

After returning from his trip to the US last month to woo IT and telecom majors to set up manufacturing bases in India, information technology minister Dayanidhi Maran had told reporters in New Delhi that Intel had chosen India for its manufacturing unit and that investment up to $400 million was expected.

Sources said a formal announcement on the deal was meant to be made during Prime Minister Manmohan Singh’s visit to the US later this month. But they added that Intel has now told the government that it has a problem with India’s intellectual property laws on semi-conductors. Intel argues that they are not effective enough.

Official sources said Intel, which was considering Chennai, Bangalore and Noida as possible locations for its unit, has conveyed to the government its decision to pull out from India. Earlier, Mr Maran had claimed that Intel would make an announcement on the location in a month. Mr Maran had also claimed that his "fruitful discussions" with Intel CEO Craig Barret, who was previously considering China and Vietnam, had led to finalising India as the location for its plant. The minister had asserted that the deal was clinched in India’s favour as he was successfully able to present India as a booming market with investor-friendly policies.

The government policy on promoting IT special economic zones with 15-year tax breaks and market access had clinched the deal in India’s favour, he was quoted as saying. But sources said that India appears to have lost the deal to China.

When contacted, an Intel spokesman seemed to contradict Mr Maran’s suggestion that Intel was all set to have the plant in India. "Intel has not announced any plans to build a plant in India," he said. "Intel is always looking around the world exploring potential new sites, and I’m sure we’ve looked in India, China and many other places around the world," the spokesman said. He hinted that there had been only initial "explorative activities".

"However, these explorative activities don’t mean we will or won’t build a site in a given country," he said. Since no plans to set up a plant have been announced, the question on the investment plans is "speculative" in nature, he added.

Trackback : Intel exits India

RBI fails to stop Credit Card woes

2005-07-09T14:14:00.000+05:00

Chains on credit card thugs
- RBI prohibits strongarm tactics to recover dues
OUR SPECIAL CORRESPONDENT
Buy in peace

Mumbai, June 28: Credit card companies are being reined in.

The Reserve Bank has ordered them to stop sending out an intimidating army of goons to recover dues from defaulters.

The banking regulator has come out with draft guidelines that lay down rules of conduct for credit card issuers to bring about a modicum of civility in the way they deal with errant customers.

Credit card issuers resort to the practice of sending out thugs to stem payment defaults that some estimates put at 9 per cent of the industry’s overall outstanding credit.

The RBI today unveiled draft guidelines that seek to stop banks and non-banking finance companies (NBFCs) issuing credit cards from “resorting to intimidation or harassment of any kind either verbal or physical against any person in their debt collection efforts”.

Banks, NBFCs or their agents will also be barred from putting through threatening and anonymous calls or making false and misleading representations.

They also have been told not to indulge in acts intended to humiliate publicly or intrude on the privacy of the credit card holders’ family members and friends.

Though the RBI did not state the penalty that will be imposed on banks or NBFCs in the event of this guideline being violated, it is still considered a major relief to credit card holders who have often complained of the strongarm methods used by banks to recover dues.

There are now 12 million credit card holders with an annual average of spending per card of below Rs 50,000.

The guidelines also seek to stamp out the practice of credit card companies sending out unsolicited cards to customers and then billing them for it after activation without the consent of the recipient.

The guidelines said the credit card company will “not only reverse the charges forthwith, but also pay a penalty without demur to the recipient amounting to twice the value of the charges reversed”.

Further, the card issuing bank or NBFC has also been told not to unilaterally upgrade credit cards and enhance credit limits. “Prior consent of the borrower should invariably be taken whenever there are any changes in terms and conditions,” the RBI said.

It also directed the card issuers to be more transparent in their dealings. They have been directed to quote the annual interest rate — called in trade jargon annualised percentage rate (APR) — card products separately for retail purchase and for cash advances, if different. Moreover, the method of calculation of APR should be given with a couple of examples for better comprehension.

The RBI also said late payment charges, including the method of calculation of such charges and number of days, should be prominently indicated.

Banks have been told not to reveal any information relating to customers obtained at the time of issuing the credit card to any other person or organisation without obtaining the customer’s consent. Reacting to the guidelines, an official of a credit card issuing foreign bank said a customer is categorised as a defaulter only if he has failed to pay his dues (minimum plus late and other finance charges) for six months. It is only after this that the task of recovery is entrusted to an agent. “The default rate in the credit card industry is very low. Given this, the instances of strongarm tactics or rude behaviour are very few,” he said. According to him, the trend of banks appointing recovery agents started from the absence of data about customers’ credit records. This problem has been largely solved with the launch of Credit Information Bureau India Ltd (Cibil) which is collating the credit history of 45 million customers of banks and credit card institutions.

Card issuers do not use such heavy-handed measures to recover dues in the West because of an integrated financial system that maintains the repayment histories of all customers. The system forces customers to repay else they are in danger of being denied credit in a plastic-dominated economy.

In India, such a system doesn’t exist. The problem is compounded by the fact that debt recovery proceedings in courts are extremely tardy.Cibil has been launched for banks, financial institutions and other financiers to share retail and commercial customer information.

CIBIL Credit Cards at what cost ?

2005-07-09T14:13:00.000+05:00

The regulator recognises credit card woes

Credit card issuers across the country probably raised a toast to the Reserve Bank of India (RBI) last week. After a long and sustained lobbying by harried customers, the central bank has finally planned regulatory intervention to check harassment, empower the consumers, increase transparency and force some discipline on companies out to grab market share without matching service standards.

Interestingly, credit card issuers have always offered a simple explanation for the vast mismatch between consumer expectations and their treatment. A top executive of one of the biggest credit card issuers told me that although there are a few genuine mistakes (because the numbers they deal with are very large) where customers are wrongly inconvenienced, in a majority of cases, it is the customer who is usually trying to avoid interest or delaying payment by false claims about not having received their bills in time. But the inordinately large number of genuine complaints, acknowledged and rectified by card issuers (after outside intervention), tell a different story.

In fact, the issue of credit cards in India has always been a one-sided affair, where the only real power that the customer had was to dump the card and switch to another. The creation of the Credit Information Bureau of India Ltd (CIBIL), which is a database of the personal credit record of individuals, had threatened that right as well. Banks now had the power to report consumers with unresolved disputes to CIBIL and cause them grave damage by cutting off their access to credit and loans.

RBI has partially addressed this by recommending that banks must inform customers about their intention to report them to CIBIL. This is not an ideal solution, but it gives consumers some time to approach the courts and protect their rights. RBI’s draft guidelines have been put up for public discussion before being issued as a regulation.

Among the broad areas of harassment covered by the bank are the obvious ones such as unsolicited sales calls, unsolicited issue of cards, harassment and intimidation by recovery agents, violation of information privacy and lack of transparency in billing. The new rules will make the credit card companies explicitly liable for the actions of third parties whose services are used for sales and collection.

Similarly, the regulations will ensure that customers are given a clear 10 days to make payments, but this will work only if plastic issuers are also asked to maintain proof that their bills have been sent on time. Also, it says complaints must be resolved in 60 days. But it would be even better if the regulator had prescribed stiff penalties to be paid for some basic offences. Most of the recommendations, if converted into regulation are a good beginning. They put banks on notice that the regulator would have to intervene in order to ensure good customer service.

But some rules may need further tightening. For instance, RBI frowns on the issue of unsolicited credit cards, but does not ban them. Similarly, it provides for an Internet-enabled do-not-call registry allowing people to legitimately avoid harassment through marketing calls, but it could have prescribed a stiff penalty if the list was not honoured. It also does not fix a liability on the card issuer that contacts customers by buying stolen databases of customer information.

An important recommendation is that banks must quote annualised rates on credit card products. Also, interest calculations must be explained to customers with illustrations in each billing statement. This is even better than what we put up with in bills provided by mobile phone providers. Will these rules cover a gamut of tricks devised by banks to lure customers?

For instance, an angry consumer points out that she acquired a State Bank of India credit card because it was promised to be free. However, she found that the very first bill was loaded with uncommitted charges such as insurance premium, yearly charges and service charges. This made a mockery of the free card concept and the consumer, who naturally refused to pay the charges is now being harassed by a collection agent.

Recently, customers of a particular credit card issuer were shocked by interest charges of a few hundred rupees each for failing to pay up a few paise differential that ought to have been rounded off. When they complained, the card issuer confessed that when it had upgraded its credit card software and migrated to another system, it had failed to incorporate the rounding off facility, leading to customers being slapped with a fat charge.

In this case, the Bank says it has identified all such cases and plans to reverse the charges, whether or not it receives a complaint. However, in a similar situation that was brought to the notice of RBI by this newspaper, Citibank had charged a small late fee on the customer despite an unusual four-day bank closure. The bank reversed the charges when exposed, but we are not clear if it bothered to reverse them for all customers.

Many banks such as Citibank and ICICI Bank have slapped charges for insuring customers against potential card misuse. Clearly, this is a service that ought to come free. In many cases the charges have been reversed for customers who complained; but these levies and charges should, at some point of time, attract regulatory scrutiny.

In some respects, the RBI guidelines may have swung the other way by getting too restrictive. For instance, the recommendation that credit cards can only be issued to consumers with independent means will restrict or even eliminate the access of many women and students to the convenience of carrying plastic. This is a little ironical at a time when some professional colleges encourage payment of fees through credit and debit cards.

Similarly, the move to impose restrictions on credit limits to individuals or restricting multiple card issuance is bound to upset card issuers and smacks of moral policing, the presumption being that multiple cards and high credit limits encourage people to go dissolute. But one cannot help thinking that the credit card industry has brought these upon itself.

suchetadalal@yahoo.com

CIBIL: Strong arm agency

2005-07-09T14:11:00.000+05:00

Why recovery agents are here to stay
RBI guidelines are good, but agents are only practical solution: Banks
Sayli Udas

Mumbai, July 5: ‘‘We will abide by the Reserve Bank of India’s (RBI) fair-trade practice code, but we will not do away with any of our recovery agents.’’

—Neil Chatterjee, Head, Corporate Communications of Standard Chartered Bank.

Despite the RBI’s intentions of cracking down on credit-card operations (see box), banks in Mumbai have admitted that recovery agents have become a part of their debt-recovery system and it would be difficult to eliminate them entirely.

‘‘The intimidation and harassment is exaggerated by defaulters,’’ said Chatterjee, adding that banks do monitor the method of recovery to ensure it happens in a ‘civil’ manner.

‘‘Do we have any other means of recovery?’’ he asked.

‘‘The judicial process in our country is very slow and we are in a business where we need to have a practical approach to recovering debts.’’

Most banks would agree. Only a small percentage of customers default on payments and have to deal with recovery agents, they say.

And agents, they add, only come into the picture after repeated attempts by bank executives have failed.

‘‘The procedure starts when an executive makes a telephone call and informs a defaulter about his dues. Then, we send a few letters and statements,’’ said Rohan Jogi (name changed), spokesperson for a leading Indian private bank. ‘‘It’s only when there’s no response that agents are intimated.’’

While, on record, banks refuse to admit that they’re aware that many recovery agents cross the line, off the record, spokespersons say using abusive language or threatening customers is the only option at times.

‘‘A white-collared guy cannot recover dues,’’ said Jogi. ‘‘You do need a stern voice and a tough-looking guy to get out money.’’

ICICI Bank claims to go through a thorough verification procedure before appointing its agents.

‘‘Any complaints coming to us are immediately investigated and action is taken,’’ said a spokesperson.

Citibank also claimed to have an internal policy on collections and guidelines for their agents, detailing how and when customers should be spoken to.

But despite redressal systems like 24-hour helplines and e-mail facilities, the bank claims that they have to involve a third party to bring defaulting customers back on track.

The solution, say industry experts, could be CIBIL or Credit Information Bureau (India) Limited.

An RBI and government effort to create a comprehensive database on the ‘creditworthiness’ of customers, CIBIL is expected to help banks share data on their credit-card users.

Formed in 2000, CIBIL has started collating data, but it will take at least another year for all the information to be in place.

Until then, recovery agents are here to stay.

New guidelines
* No physical or verbal intimidation or harassment of credit-card users
* Any act intended to publicly humiliate or intrude privacy banned
* Bank responsible for all acts of omission or commission by agents
* Penalty on unsolicited cards issued without consent
* Banks to maintain ‘Do Not Call Registry’

sayliudas@expressindia.com

CICRA CIBIL Simplistic optimistic article abso shit

2005-07-08T08:25:00.000+05:00

From Outlook.com
17 Jun 2005
Every loan you take Every payment you make, they'll be tracking you. Will the credit information act just enable banks to play Big Brother? Or will there be real benefits for consumers too?

Rajesh Gajra

Imagine this: you walk into a bank for a car loan prepared for a tedious runaround. But the official across the counter taps a few keys on his PC, runs his eye over the screen, and instantly sanctions you the loan. And that at 0.5 per cent lower than the going rate. Futuristic? Not any more. With the passage of the Credit Information Companies (Regulation) Act 2004, credit information companies can be set up and registered with the RBI. These companies can then invite banks and other credit issuers to become members, who share the credit records of all borrowers, retail and corporate.

For four years now, there has been a company doing just this–the Credit Information Bureau (India) orCibil. Says chairman S. Santhanakrishnan: "Our retail bureau started in July 2002 and our membership already represents 90 per cent of the financial sector." By February 2003, RBI had directed all banks to get the voluntary consent of their borrowers and to pool their credit data throughCibil. Today, almost all banks are members. Says Nicholas Winsor, head, personal financial services-India,HSBC, a 5 per cent equity holder in Cibil: "Experience in other markets has proven the value of credit bureaus in the development of consumer credit."

Open book. What CICRA does is to allow the creation of several such credit information agencies. Banks will thus be able to readily access your full credit history: whether you have ever borrowed, ever defaulted, have a perfect repayment record, who your lenders are, etc. This holds good across loan products, credit cards and card withdrawals.

Before you worry about invasion of privacy, consider this: depending on your credit history plus other factors gleaned from your application, the credit officer will offer you an interest rate different from the advertised rate. And if your record is good, this rate could be much lower than the prevailing rates. Of course, a bad record means a far higher rate.

According to Santhanakrishnan, Cibil already has the credit records of 22 million retail borrowers, which is about 60 per cent of the country’s borrowers. That’s a stunning number and all of it seemingly obtained by voluntary consent. So, if you have given consent, your loans record might already be in Cibil’s computers. But with CICRA now legally mandating banks and others to provide borrowers’ data to a credit information company, your consent as a borrower is no longer required.

Once CICRA comes into force, details of the remaining 40 per cent–about 14 million–will be submitted toCibil, as will details of new borrowers. The act also lets Cibil collect data for borrowings of a single person across banks. At the moment, of course, there’s no competition toCibil, and till other agencies come up, it will be the only one with this vast data pool.

How it works. Once CICRA is legally enforced, all your credit information will be automatically submitted toCibil, whether you like it or not. Details of loans you have taken–credit card from one bank, home loan from another and car loan from a third–will be electronically submitted toCibil, which will process the data and create a single ‘credit information report’ in your name, to be updated periodically.

Banks and home loan companies can access this report either when you approach them for a loan or for their internal portfolio review. Says Cibil CE0 ArunThukral: "Our members can make one-off enquiries of a particular retail borrower through a secure Net-based access. For bulk enquiries, they can use file transfer protocol connectivity and we’re also working on direct 24x7 computer-to-computer connectivity with each bank. With this, they can fire enquiries any time they want."

Banks find Cibil’s resources invaluable. As HSBC’s Winsor says: "We’ve already begun credit enquiries throughCibil. In due course, we expect to use the bureau data for active portfolio management." This saves banks time and money. Says V.Vaidyanathan, senior general manager (retail banking), ICICI Bank: "The costs of field investigation are high. Getting this report from the bureau means we can relax."
SANJAY PANDEY 34
Loan: Rs 15 lakh from ICICI Bank
Tenure: 15 years
EMI: Rs 13,500

If Pandey defaults, banks will quickly penalise him under the new credit information act. However, by paying all EMIs on time, Pandey hopes to build a strong credit history. Will banks then show equal alacrity in reducing interest rates on this and future loans?

What’s in it for you. Three years ago, Sanjay Pandey took a 15-year, Rs 15 lakh home loan from ICICI Bank. He’s been paying his Rs 13,500 EMI regularly. "A good track," saysPandey, "should fetch me an interest rate rebate after a few years. Ideally, on the existing loan but surely on any new loan." Pandey is right. As Santhanakrishnan says: "Today, one rate fits all and good borrowers subsidise bad ones. When bad borrowers are weeded out, average interest rates will fall."
LOANWATCH

Banks will get access to:
DETAILS of every loan you’ve ever taken
OUTSTANDINGS on every credit card you’ve owned
OVERDRAFT usage history
COLLATERAL or guarantee you’ve given on your loan
RECORD of EMIs and credit card payments

There’s more. Says Thukral: "If one bank delays processing, you can walk to the next bank nearby, which will have the same credit report and get faster processing." In theory, it looks good, but warnsPandey: "In practice I hope the benefits are not gobbled up by the banks." And that’s a valid concern because banks seem singularly unwilling to cut rates even for good customers. Says ICICI Bank’sVaidyanathan: "Customers are already getting low rates in a highly competitive market and I have doubts whether they will slide further."

The point to remember: whenever your bank or finance company uses your credit information report for your loan application, you have the right under CICRA to ask for a copy for a nominal charge. SaysPandey: "I should know on what basis my loan application is assessed." He also stresses the need for a transparent and standardised mechanism to grade borrowers. "Everyone should know what value is allotted to a borrower who pays 59 out of 60 EMIs on time; with no subjectivity in the interpretation of credit reports."

The good news is Cibil plans to introduce a ‘credit scoring’ system. The bad news is it will take time. SaysThukral: "Our immediate priority is to go live with a credit information system for corporate borrowers." It may be over a year before you can reap the benefits of the scoring system.

Concerns. Leakages and unauthorised access to your credit report are the main concerns. CICRA provides for a Rs 1 lakh penalty for any unauthorised access. But that’s meagre compared to the value of the information and may not be an effective deterrent. Another problem is data accuracy. What if the bureau is rigid and harshly interprets even one or two delayed EMI payments? You may have valid temporary cash flow problems. SaysVaidyanathan: "There are standard norms on what constitutes ‘default’; we’ve to follow that." At the end of the day, to a credit information bureau, you are just another number.

Rajeev Mathur, director, Consumer Unity and Trust Society, a research and advocacy group, is not convinced. Says he: "I’m concerned with the way they rate borrowers. On many occasions it’s the fine print they hold back and which results in poor rating. What if a credit card is thrust on me unsolicited. I don’t pay the annual fee and I end up with a poor rating."

CICRA does permit you to apply to Cibil if you think the rating is incorrect, asking for anupdation. In case of a dispute, your only recourse is to approach the RBI, which will appoint an arbitrator. Says a displeasedMathur: "Why should a customer waste his time rectifying inaccuracies that are no fault of his? Look at the number of uneducated consumers; how can they take on the strong influence of the institutions?"

CICRA gives the RBI supervisory and penalising powers. In fact, the RBI is to come out with detailed regulations on the objects of CICRA and enforce its provisions specifically, but for this, RBI regulations will have to be amended, which needs Parliament approval. All of this will take time. Till then, CICRA provisions will be enforceable by banks and credit institutions, and the RBI will be authorised to act against offenders. Other regulations that await RBI amendments include the fee you have to pay for your credit report. Cibil charges members Rs 10-50 per report; and banks are likely to charge you a similar amount.

The provisions have to be seen through diligently and with as much attention to individual concerns as for institutional. All we can hope for is that the process is not bogged down by politics or red tape.

Sarbajit Roy, NDTV's sting on Dr. Bajaj

2005-07-05T10:09:00.000+05:00

So the truth is out, "Sarbajit Roy is a former hacker for the Government", or so says NDTV. Its comforting to know that we have a free and vibrant media in India, bold enuff to take spycams into the office of India's top cyber investigator Dr. K.K.Bajaj and get to see him blathering away that he has no powers to investigate cyber crime in India, or data theft either. Mind boggling stuff! "Sarbajit"

BPO fraud: Was it a sting or a set up?
Priyam Bhasin

Monday, July 4, 2005 (Gurgaon):

Ten days after the British tabloid Sun claimed its reporter had bought confidential details of British customers from an Indian call centre employee, it's not yet clear who is investigating the BPO fraud.

No formal complaint has been lodged yet though the Prime Minister has said cyber laws in the country need to be strengthened.

But in another twist, a former hacker with the government says it's very easy to get credit details of UK bank customers in India.

Reacting to charges that the Indian BPOs have poor securtiy standards, the industry has fought back saying business is booming only because they have the confidence of their clients.

"There's more security here than in many places in the west," said Pramod Bhasin, global head, Gecis.

"Clients who outsource ensure security standards. They are very good here," said Dr Balakrishnan, head, Supercomputing, IISc.

Data source

Then where did Karan Bahree get the data from?

Sarbajit Roy, a former hacker with the government, says it's not difficult to get credit details of UK bank customers in India.

Roy says these are given by banks themselves to small call centres to chase defaulting customers, which find their way to the markets in the form of CDs.

Perhaps, Bahree could have just bought one of these CDs to sell to Harvey.

So Roy, who has raised this issue with the RBI, has filed an application with the government asking Bahree to appear and reveal where the data came from.

Police investigations into the matter have been far from revealing. More than a week after the story broke, the Haryana police say they are yet to make a breakthrough. A formal police complaint has still not been registered.

In fact, it's not even clear who is investigating the case.

The IT Act says that the certifying authority of the government's IT department is fully empowered to investigate IT thefts.

But the controller of certifying authorities refused to comment saying it's not his job.

The delay means that the trail of crucial electronic evidence will turn cold and the truth may never be out.

Was it a security lapse?

So what was the sting operation trying to expose. Security lapses or just hit at the thriving BPO business?

Security experts and companies themselves see in this whole controversy an attempt to hit at the credibility of India's BPO industry and tarnish its image.

"I agree it's a set up," Dr Balakrishnan said.

"It's not about security, it's about outsourcing. You are at more risk if you use your credit card in a shop," said Bhasin.

But the Bahree case has had some positive fallout. The industry is strengthening systems just so that this one-off incident does not have any long term impact.

Agencies are being appointed to check the background of employees and the government is planning to tighten the IT Act to minimise data theft to make sure that their security standards are internationally recognised.
Business News
Trackback: Sarbajit Roy cyber hacker

Sarbajit Roy, The Insider

2005-07-05T10:05:00.000+05:00

The Insider
PRAGYA SINGH (Indian Express Newsline)

Posted online: Sunday, July 03, 2005 at 0000 hours IST

IN the last few days Karan Bahree has become the face, though a reluctant one, of the outsourcing industry. It’s a face that reflects the troubled industry that makes $13 billion a year.

Last Thursday, British tabloid The Sun declared it had Bahree on camera, exchanging British banks’ private information for Rs 3.4 lakh. The Sun says he got the information from call centres in Delhi.

Since then, Bahree has vanished, but the call centres haven’t rested. The papers flash his pictures, the tabloids feast on him and every self-respecting blog underwrites India’s IT industry.

Even Prime Minister Manmohan Singh has stepped in: On Wednesday, he wanted to know how the culprits are being booked and the alleged security loopholes in call centres plugged. These call centres, flagships for India’s equally well-to-do software exports, are taking a lot of the flack.

Bahree, still only 24, emerged briefly in a letter to his employers. In it he said he took the money, gave the CD to Sun’s reporters but says he doesn’t know what was on it. In fact, it wasn’t his CD at all, he claims; it belonged to an acquaintance, with whom he split the booty.

A vortex of allegations has spawned, turning Bahree into a foolish boy, the law enforcement into spectators, The Sun into an evil avenger for ‘Benedict Arnold CEOs’. And call centres, which say Indian security is world class, into victims of racism or of vested interests. BPOs know trouble when they see it, and after dealing with the US, they sense a need to lie low.

In the ruckus, Bahree, a public-school boy brought up in Delhi, turned his cellphone off. Neighbours at his parent’s Dilshad Garden home say they haven’t spotted him for a while. Even his father won’t say where he is.

The evasion may seem ridiculously easy, considering the storm Bahree has raised. But this hide-and-seek could, in fact, be Karan’s life’s work: At Infinity e-Search, a small Gurgaon-based web design firm (not call centre) he was on probation for

Rs 10,000 a month. It fired him without notice on Tuesday, not convinced by his desperate letter. On weekends, Bahree’s closest ally was a gentleman who runs a PCO next door to his home.

In all this, where does a CD wielding 1,000 bank customer’s names, passwords and PIN numbers fit in? The closest anyone has got to an answer is: Palika Bazaar, Nehru Place and Janak Puri.

In one of these buzzing marketplaces, frothing with everything from the contraband to the unusual, someone picked up the troublesome CD and Bahree handed it to the sleuths from The Sun. This much is indicated by a public interest litigation (PIL) filed before the Delhi government on June 28.

The PIL follows up on an eight-month-old legal battle against illegal call centres that allegedly compromise the outsourcing industry. It is the only formal complaint in the Bahree case.

It could be—though that does not excuse Bahree’s role—that he thought he was pulling a fast one on his UK ‘clients,’ by peddling a relatively easy to find CD for big money. If that was the case, then The Sun missed the bigger story.

Re: The Insider

1) As the sole complainant in this matter, my "PIL" (actually its my interim application in the sole "hacking" complaint under IT ACT filed in Delhi till date) simply requests Oliver Harvey and Bahree to help the ongoing investigations into "theft" of banking data which is ongoing for 14 months now. Forensic analysis of the CD in Harvey's possession will lead India's cyber cops to a mother-lode of hacked data (estimated to be over 1.2 million accounts Indian credit card accounts of British Banks) which RBI and the Indian Govt have known about for almost 14 months now and had tried to sweep under the carpet.

2) Its therefore hilarious to see Dr. K.K.Bajaj (Deputy Controller of Certifying Authorities and Director CERT-IN and India's Top Cyber Investigator under section 28 of the IT ACT) caught on hidden spycams by NDTV blathering away that "data theft" does not fall within his investigative powers.

3) As a small newspaper(?) in Delhi says "Let there be Light" shed on this matter and especially why the Cyber Regulatory Tribunal has not been constituted till date thereby bottlenecking all cyber prosecutions in the country. Once again Dr. Bajaj - has a lot to answer for.

Posted by: sarbajit roy, India, 04-07-2005 at 0930 hours IST

Trackback: Sarbajit Roy Insider

Brilliant Article by Urvashi Kaul. Govt. soft on cyber crime

2005-07-01T12:57:00.000+05:00

This blogger is very stingy with praise generally. BUT, this is a brilliant article that nails Dr. K.K.Bajaj (Dy Controller of Certifying Authorities and Director CERT-IN), the head cyber crime honcho for India. All ManMohan Singh's empty rhetoric can't disguise that our cyber enforcement sucks BIG TIME !! Sarbajit Roy

Cyber crime: PM wants strict laws
- By Urvashi Kaul

New Delhi, June 30: Whether or not Mr Karan Bahree, who was involved in UK tabloid sting, has committed a criminal offence is a hard question to answer.

It becomes even harder to initiate prosecution by the specialised cyber enforcement and investigating authorities (like controller and adjudicating officer), when no Cyber Regulations Appellate Tribunal has been constituted to try cyber crime cases, as required under the Indian Information Technology Act 2000.

Prime Minister Manmohan Singh on Wednesday had directed the Union information technology ministry to make changes in cyber laws to make illegal transfer of data a punishable offence. Prime Minister Manmohan Singh’s directive comes in the wake of a recent media sting operation by a British newspaper involving the employee of a private data processing company where allegation of breach of data secrecy have been levelled.

The IT Act, which came in to existence in October 2000, required the Central government to establish an appellate tribunal headed by a nominated presiding officer.

While details about presiding officer’s term in office, salary, removal procedures and other conditions have been duly notified in the Act, the government, so far, has not appointed the presiding officer.

Confirming that no tribunal has been formed, a senior officer in the IT ministry said, "If at all a presiding officer is nominated, he would sit in the Electronics Niketan."

While the adjudicating officer of a particular state, takes decisions on whether a particular case relates to cyber crime, he forwards the case to the tribunal only after determining the maintainability of the case under the IT Act. The case is then transferred to the magistrate through the tribunal’s presiding officer. In the absence of the presiding officer and the tribunal, cyber crime cases cannot ordinarily be transferred to the magistrate. Prosecution becomes impossible when the adjudicating officer, too, derives his power from the tribunal.

Highly-placed sources in the BPO industry are aggrieved about government’s soft approach to cyber crimes.

"Government is not serious about cracking cyber crimes," said a source in the BPO industry.

Under the IT Act, the only criminal offence under which Mr Bahree can be booked by the police is the one mentioned under Section 66 relating to hacking with computer system.

Section 66 of the Act requires the investigating officers to prove that "the wrongful act was done with an intent to cause loss or damage to the public or any person, damage or destroy or alter any information residing in a computer resource or diminish its value or utility or affect it injuriously by any means, commits hacking." Official sources in the industry point out that in the particular case of Mr Bahree, the police cannot issue an arrest warrant in Mr Bahree’s name unless they obtain the CD, which the Sun reporter claims to possess.

trackback : Government soft on cyber crime india

BPOs, BS7799 IT Act 2000 Hacking

2005-07-01T12:51:00.000+05:00

Cyber crimes: Can the West trust Indian BPOs
KAUSHIK DEKA

INDIATIMES NEWS NETWORK[ FRIDAY, JULY 01, 2005 03:32:30 AM]

The latest sting operation by UK's Sun on a BPO executive in India leaves an impression that getting classified information out of a call centre is just a matter of few bucks and greedy youngsters are always eager to part with it. However, the moot question here is: is that so simple? Can a call centre executive access your confidential information such as credit card numbers or bank account number?

Industry insiders seem to be divided over the issue. Many feel that data security breaches are quite prevalent in call centres , while others think it's next to impossible.

There is no doubt that unless fully convinced of the vendors' capability in data confidentiality, clients do not outsource. Some common information security management standards like ISO 17999 and BS 7799 are strictly adhered to by most BPOs.

"We apply adequate security measures in our call centres and our executives cannot carry any data outside the office premises. They are not allowed to carry cell phones, paper, pen, digital diary or even a wallet to their work-stations. If they are handling sensitive issues like financial matters, insurance, etc they cannot even access the internet. There is no hard drive or floppy disk on their computers. Having said that, you must know a hacker can hack into even Nasa. So, if someone is bent on committing a crime, how can you stop that person?" says Amit Agarwal, senior vice president, vCustomer, a Delhi-based BPO.

On the other hand some young BPO executives feel otherwise. According to them, there are enough opportunities to take a peek at the personal data and information of customers. Many believe that although there are lots of firewalls and technical barriers, it's quite easy to manipulate the system if one has good software skills.

"One must realise that despite the complex and detailed fraud tracking units, if a bunch of employees collude and indulge in wrongful activities, it becomes extremely hard to stop it. Though it's do-able, it's also easily traceable," says Anupam Sharma, a BPO executive.

"The customer's identification number is confidential, but can be accessed if given a try," says Anjali Dubey, a call centre executive from Gurgaon.

On being probed on these issues, Vipul Agarwal, manager operations, Convergys says, "It's very unfair to blame BPOs only for the frauds happening around. The clients also have to take proper security measures. There are chances of security breaches when it comes to web-enabled data. Maximum one can know is the credit card number or the date of birth, which are required for verification. Besides, a fraud will always be caught, sooner or later; no one can get away with it."

Mumbai-based security expert Vijay Mukhi, however, does not subscribe to this view. He feels that though BPO centres in India are mushrooming and they are hiring people at random, they ignore a very serious issue -- the requirement of security experts in BPOs.

"I still have to come across an advertisement by a BPO seeking security experts to monitor the process inside the BPO. Unless they pay heed to security, these frauds will keep happening," says Mukhi.

However, the Indian BPO industry is putting their best efforts to counter emerging security challenges. In most of the BPOs the contract with the appointment letter itself prohibits the employee from leaking out information to anybody. To be on the safe side many BPOs even install hidden cameras to keep vigil on the activities of their employees. Earlier sensitive information like credit card numbers of the clients were available to employees, now technology has been upgraded. Everything is now encrypted.

Why do frauds happen?

Is it because of sheer greed? Or do young BPO executives get carried away by the fact that they can sneak into their customers' private domain?

"Greed is one of the primary driving instincts behind most crimes, so it would be unfair to single out the BPO sector here. But the feeling of power over another person's innermost secrets and the power to possibly make big bucks without the 'risk' of getting caught are two unique determinants here," says Sanjay Chugh, founder chairman, International Institute of Mental Health, Delhi.

s there any way to check these frauds?

"I think prevention is the best measure. Before hiring an executive we do a thorough verification including his residence proof, educational qualification and previous work experience. After that we give proper training and from time to time we sensitise them on the ethics of data security," says Vipul Agarwal.

Experts believe that as BPO executives deal with many sensitive data and they join work at a very early age, it's imperative on the recruiters to do a psychological evaluation before hiring. This kind of evaluation can work as a very effective deterrent to fraudulent activities.

"There are some wonderful psychometric tools that we routinely use to assess a person's temperament and character traits and to assess the likelihood of a particular behaviour coming up in particular circumstances. Psychological intervention/training ought to be made compulsory in all corporate set ups except for the fact that the decision makers in such set ups are completely naive, ignorant or blind to this need," says Chugh.

"Though these tests are very effective, however, they are not entirely foolproof. The BPOs have to apply supporting security measures as well," adds eminent psychologist, Dr. Samir Parikh.

Where does the law stand?

Some experts believe that the Indian IT Act 2000 does not have enough teeth to tackle cyber crimes related to BPOs. "The Indian IT law is primarily an e-commerce enabling legislation and does not specifically deal with the issue of online fraud. It also does not have adequate data protection measures. We need a distinct overhaul of the IT Act since its cyber crime provisions do not deal with emerging BPO-related crimes and frauds," says Pavan Duggal, Delhi-based cyber law expert.

Not everyone would agree with Duggal. Says Na. Vijayashankar, an e-business consultant based in Chennai, "Many persons in the industry and eminent lawyers have not observed that ITA-2000 can be used for data protection through section 66 and section 43. These two clauses make me feel that the law is adequate as it is."

"India has a sound cyber law regime and both paper-based and electronic data can be effectively and legally protected in India. The TRIPS Agreement (Agreement on Trade-Related Aspects of Intellectual Property Rights) and the Copyright Act, 1957 provides sufficient safeguards for preventing violations of databases. The data provided by the clients will get the protection of "Data Property" if the same involves intellectual creations within the meaning of Article 10(2) of the TRIPS Agreement. If they fail to satisfy the requirement of Article 10(2), still they will be protected as copyright," says Praveen Dalal, advocate, Delhi High Court.

What puts the industry at grave risk is also the practice of the BPO outfits further subletting contracts to small-time players. Many Indian companies transfer a part of the job to smaller outfits to complete the job faster. The subletting of contracts, often without taking the original client into confidence, further exposes the BPO industry to the risk of frauds.

"All Indian BPO companies are network service providers under section 79 of the IT Act. They are made liable for all third party data or information made available by them. As the law requires due diligence to be done in order to escape such liabilities, it is imperative for all the BPOs and also their clients to insist that there is appropriate documented cyber-legal due diligence," says Duggal.

Cyber crime incidents are not India-specific. In 2004, the UK lost about £3 bn to unauthorised access, penetration into computer systems, data theft, virus attacks and financial frauds. FBI chief Chris Swecker reported to the US Senate Judiciary Committee that he '"opened 1,081 investigations of identity thefts" and was carrying out over 1,600 "active investigations".

In India these kinds of cyber crimes are still in a nascent stage. With proper implementation of the law, these crimes can be easily curbed.

Who is Oliver Harvey Really ?

2005-06-30T16:53:00.001+05:00

A few stories on who this Oliver Harvey really is :- Anatoly Tal, Dominic Mohan(? ho ho), a caring father in a spiderman suit, or just a guy who weighs big breasts!

The Communicator
SUN BUNGLES JUICY ASYLUM SCOOP
Guest Editor Gordon Doh Fondo believes The Sun's ASYLUM EXPOSED was a magnificent if muddled story, skewed to satisfy the paper's xenophobic tastes.

I read this 'Major Sun Investigation' on Mon 19 May with admiration, and great disappointment. An otherwise fine piece of journalism was reduced to a mere platitude - that asylum-seekers get FREE accommodation and FREE food. It also insinuated that new arrivals should be starved to death.

No one can fail to admire the courage and bravado of journalist Oliver Harvey, alias Moldovan asylum-seeker 'Anatoly Tal'). Those who flee the Saddams and Mugabes come in the wings of planes, at the back of uncushioned containers, and on foot. Harvey hid 'in the back of a white van' wrapped 'inside a duvet… rather than risk suffocation'. That takes nerves of steel.

However, this self-styled undercover agent failed to take on board the physical and psychological torture experienced by asylum-seekers who have escaped death by a hair's breadth.

Harvey's investigation did prove one thing; however well you fake it no one can ever replicate the weight that asylum seekers carry with them.

He had contingency plans and probably credit cards tucked safely away; most asylum-seekers fee with more will than wallet, taking risks far too excruciating for a white-collar journalist to copy.

It took Harvey thirty-five minutes to get to his 'promised land'; it may take many weeks for some of those genuinely seeking asylum-seekers.

DEFINING TERMS

A definition of 'refugee' or 'asylum-seeker' (the difference is rarely explained in the UK press) might help The Sun.

Article 1 (2) of the UN Convention of 1951 defines a refugee as a person who, 'owing to a well-founded fear of being persecuted for reasons of race, religion, nationality, membership of a particular social group or political opinion, is outside the country of his nationality and is unable, or owing to such fear, unwilling to avail himself of the protection of that country; or who, not having a nationality and being outside the country of his former habitual residence as a result of such events, is unable or, owing to such fear, unwilling to return to it'. (my emphasis)

The emboldened passage is often left out but needs to be emphasised. It means, in essence, that all 'British' Zimbabweans fleeing from Mugabe's iron fist ARE asylum-seekers in the UK.

It follows that British nationals habitually resident in Iraq or Saudi Arabia who flee war or terrorism, ARE asylum-seekers in the UK. Yet the press never bothers to write about their situation or the free housing they receive on arrival. Are they more entitled to it by virtue of their colour and accent?

The Sun also needs to find out more about the rights and entitlements of asylum-seekers under international law.

ASYLUM BENEFITS

Harvey uses the word 'FREE' eleven times to refer to accommodation, food, transport and NHS care, given asylum-seekers.

Article 13 of the 1951 Convention could not be more explicit: "the Contracting States shall accord to a refugee treatment as favourable as possible and, in any event, not less favourable than that accorded to aliens generally in the same circumstances, as regards the acquisition of movable and immovable property and other rights pertaining thereto.."

My emphasis on the key phrase.. Which means that if white people are fleeing from Mugabe to seek asylum in the UK, then the same accommodation and other related benefits ought to apply to them as it applies to Africans, Arabs or, as in the case in point, Moldavians.

The Sun declared (Wed 22 May, 2002, p.8) that '90% of asylum-seekers are conmen' seeking benefits.
The paper frowns at 'free hand-outs' to asylum-seekers. In other words a destitute asylum-seeker should pay rent and buy food and bus tickets with no money!

Section 95 (1) of the 1999 Immigration and Nationality Act entitles asylum-seekers to support on the grounds of destitution [95 (2) and 95(3) (a) and (b)].
The Sun may argue that Article 55 of the 2002 Act has superseded this provision, especially in relation to in-country applicants who fail to claim 'as soon as is reasonably practical' (whatever that may mean).

Recent court decisions suggest otherwise. Mr Justice Collins described this provision as "ultra vires" and "draconian". Ruling against it Lord Ellenborough said "the law of humanity, which is anterior to all positive laws, obliges us to afford [asylum-seekers] relief, to save them from starving."

Where would The Sun's man Oliver Harvey have slept if he were not immediately granted accommodation? Would he have shared a phone booth with a homeless asylum-seeker or headed for the comfort of home or a 5-star hotel on expenses?

DUE PROCESS

I am no apologist for the Home Office but in fairness to them, it can be argued that the asylum process is like other judicial procedures where rules relating to discovery and evidence apply.

Paramount, though, is the presumption of innocence. An asylum-seeker must be considered genuine until such time as the asylum procedure proves otherwise. The onus of proof rests with the Home Office.

Obtaining an ID card marked 'Employment Prohibited' and a tiny room with 'dirty sheets' does not sound to me like a good motive for seeking asylum.

Our man in the duvet had a healthy bank account, a passport (held by his friend Paul in case he was discovered) and a clear mind - not having abandoned his wife and family to a vengeful dictator. He ended his journey just when he would have started learning the harsh realities of asylum seeking.

He missed out on completing the exacting 21-page Statement of Evidence Form, and avoided the 13-day minimum (sometimes longer than 6-month) wait to be called for a Substantive Interview. He did not share the fate of Baindu Dassama from war-torn Sierra Leone, whose file was 'mislaid'.

RUMBLED

Before the interview, a caseworker would have read up on the history, geography and politics of Moldova, and quickly rumbled Harvey's 'five minutes study on the internet'.

'Anatoly Tal' would also have found that the biometrics data held in his file had been checked against asylum databases all over Europe and the UK.

Could he not provide clear, concrete evidence that he was a journalist, his claim would have been refused. He would wait another two to six months to be called for appeal, after which he might have a deportation order hanging over his head.

Meanwhile he would live on a 'free breakfast of mango juice, toast and jam' in his "free accommodation," with no wife to return to, no child to lisp at his return, no company to share jokes with, and an uncertain future.

The authorities may not earn high marks for failing to detect a human bundle hidden under crates in a van driven by a UK national. But they acted on the assumption that Oliver/Anatoly was an asylum-seeker.
The port is not the place to decide whether or not he was genuine. The law has to run its cours e. Nor can The Sun draw conclusions from an isolated case. Let's see it get the same result 6 out of 10 times.

POISON PEN

The Sun found ink to fill a poisonous pen. An otherwise brilliant story, which could have been used for political leverage to spark off reforms, was presented to readers as another reason to hate asylum-seekers.

The Sun's feeble outburst of mea culpa does not mitigate the xenophobic tone of the article. But it does show that even an enemy of asylum-seekers can see their plight. Of 'Anatoly''s free room Oliver says: 'the sheets were dirty but the mattress was comfortable enough'. Of those he met, he says, 'Many seemed to have suffered in their homelands'. And of the atmosphere, '[it] was a bit like a community centre on a housing estate".

Not even a Sun journalist looking for a reason to witch-hunt asylum-seekers could ignore their shoddy living conditions.

The enemies of the UK are not asylum-seekers. They are the thousands of able-bodied men and women who sign on at the dole for decades and rip off the test of us by claiming benefits from the state; they are the journalists whose racist pens stir up a people to maim and kill innocent men and women who have fled for their lives.

Well done The Sun. A great story which has not advanced the asylum debate one iota. It just muddied the waters, and added to your reputation as the most xenophobic paper under the sun.

Gordon Doh Fondo worked as a sports reporter and presenter for the Cameroon National Television Corporation. Since January, he has been co-presenter of In Site on Channel 7 Television UK.

The Sun also revealed that Bahree, “an ex-public school boy”, is “a member of India’s top Brahmin caste” and that he is “a virgin who lives with his parents”. How either nugget is relevant to Bahree’s alleged financial crime is not made clear.

Sun reporter fails language test

Chris Tryhorn and Claire Cozens
Wednesday April 13, 2005
The Guardian

A Sun journalist's attempt to gain entry to Britain posing as an asylum seeker came a cropper when his language skills were found wanting.

The reporter, Brian Flynn, until recently the paper's New York correspondent, was questioned by immigration officers at Dover yesterday after claiming to be a Kosovan refugee.

When officers summoned an interpreter, Flynn's inability to speak either of the region's languages, Serbo-Croat or Albanian, were exposed.

Article continues
"We can confirm that some journalist posing as a clandestine immigrant was stopped at Dover by immigration officers," a Home Office spokesman said. "He was questioned and subsequently released."

A spokeswoman for the Sun declined to comment.

In May 2003, another journalist at the paper, Oliver Harvey, successfully claimed benefits posing as an asylum seeker.

Harvey pretended to be a Moldovan journalist fleeing state oppression, using the name Anatoly Tal and "hamming up" an east European accent when meeting officials.

In the article, Harvey explained how he had avoided the trap into which Flynn fell two years later.

"I said I was an ethnic Russian whose mother tongue was Russian. My interviewer asked: "Do you need an interpreter?' I replied: "No, no. My English is very good. I have a degree in English and media." In fact, I was born in Hertfordshire and I don't speak a word of Russian."

Harvey added that his knowledge of Moldova was "based on five minutes' study on the internet".

http://www.thesun.co.uk/article/0,,2-2003510656,00.html

Causing chaos ...

'Spiderman' climbs along crane yesterday Spidey's protest
fiasco

By IAN HEPBURN
and OLIVER HARVEY

A DESPERATE dad demonstrating in a Spiderman outfit up a 200ft crane has been branded a bigger pain than David Blaine. David Chick¹s protest has paralysed the area around London¹s Tower Bridge ‹ just weeks after it was gridlocked by fans flocking to see the US magician in a box. The crossing and several surrounding streets have been closed by police since Chick, 36, scaled the crane on Friday ‹ causing misery for motorists and crippling trade for local businesses. The dad, of Burgess Hill, Sussex, is protesting lack of access to his four-year-old daughter and vowed to stay for 10 DAYS on the Taylor Woodrow building site, where 120 staff have had to suspend work. Drivers endured 44 days of congestion and delays as people came to see Blaine¹s starvation stunt by the bridge, which ended last month. Local Bill Kennedy, 35, said: ³This idiot is causing a total snarl-up of the roads. As if David Blaine wasn¹t bad enough!²

Police were criticised for closing off the area. But a Scotland Yard spokesman said: ³The blame for this lies with the demonstrator, not the police. Unmasked ... David Chick

³Police have a duty of care to the man himself and the public and our priority has to be health and safety.
³Not to close the bridge would be to expose motorists to the risk of the man falling from the crane.² Three officers climbed up the crane yesterday, but Chick clambered along the 100ft jib ‹ swaying as it was buffeted by the wind. Police said last night Chick would be arrested for aggrevated trespass and public nuisance offences.
* IF you are a dad fighting for access call The Sun on 020 7782 4019
between 10am and 6pm today, email features@the-sun.co.uk or write to Rights
For Dads, The Sun, 1 Virginia Street, E98 1XY.

By SHARON HENDRY
and OLIVER HARVEY

THE specialist who helped wrongly convict Angela Cannings of murdering two of her babies was blasted by another jailed mum yesterday.

Donna Anthony, 30, is serving life after Prof Sir Roy Meadow, 70, dismissed her claim that HER two tots were cot death victims.

But the child care expert’s evidence in several cases has been discredited and he is being investigated by the General Medical Council. Mrs Cannings, 40, walked free from a life sentence on Wednesday after being cleared by the Appeal Court.

And Anthony’s lawyer George Hawks, 54, said: "Donna knows now that a lot of people are rooting for her."

Shortly before the Cannings appeal, Anthony said at Durham prison: "People are leaning on me to admit murdering my babies so that I can get parole.

"I know they don’t let you out unless you admit your guilt.

"But I won’t - because I didn’t kill my babies. I loved them."

Anthony, of Yeovil, Somerset, was jailed in 1998 - the year that Prof Meadow was knighted.

She was found guilty of murdering daughter Jordan, 11 months, in 1996, and son Michael, four months, in 1997.

Mr Hawks now wants her to be granted a second appeal hearing after the first failed.

During his client’s trial Prof Meadow said of the babies: "I find the circumstances of both lives and both deaths are typical of a child who has been smothered."

The Sun told yesterday how Angela - cleared of murdering sons Matthew, 18 weeks, and Jason, seven weeks - was the third mum accused of baby killing to be freed this year.

Prof Meadow, now retired, was a prosecution witness in each case.

He has argued that multiple cot deaths are suspicious events.

But his theory is not supported by scientific evidence. In one instance he alleged the chances of losing two babies to cot death were 73 million to one, a figure he now accepts was inaccurate.

The correct statistic is closer to 64 to one.

Campaigner Anne Diamond, 49, yesterday called for a review of how multiple cot deaths are investigated.

Ban him now

‘See You In May: Thousands of gipsies head for Britain’ was The Sun headline on January 18. Inside a two-page spread by Oliver Harvey used the simple fact that 1.5 million Roma who live in Poland and Slovakia will become EU citizens after May 1 and can come and work in Britain.

Of course it is impossible to predict how many Roma may come to the UK but The Sun claimed ‘tens of thousands are poised to flock to Britain when the EU expands on May 1.’

The Daily Express had no qualms about predictions. Its front page on January 20 had the emotive scare headline ‘1.6 million gipsies ready to flood in’ and a double spread accompanied by a map of Europe with the caption ‘The Great Invasion 2004: Where the gipsies are coming from’.

Date added: Monday, February 02, 2004 07:33 PM
Last modified: Monday, February 02, 2004

A superintendent pharmacist accused of misconduct after becoming involved in the internet supply of Viagra, exposed by an investigation carried out by The Sun newspaper, has been reprimanded by the Royal Pharmaceutical Society.

In the first case of its kind to come before the statutory committee, ABC Drug Stores Limited of Portobello Road, Notting Hill and its superintendent pharmacist Julian Wyatt from Raynes Park, southwest London, faced a series of allegations.

Sun journalist Oliver Harvey managed to buy Viagra via the website Menscare UK. Later he obtained the slimming drug Reductil without first obtaining a prescription from a doctor. ...

THE SUN NEWSPAPER

Edition 1GMD TUE 30 SEP 2003, Page 20
Dark Forces
OLIVER HARVEY
CONSPIRACY THEORIES RUN WILD OVER BLACKOUTS
THE electricity blackouts that brought New York, London, Copenhagen
and Italy to a standstill have the conspiracy theorists working
overtime.
From cries of an alien invasion to the rise of a new world order,
the doom and gloom merchants cannot get enough.
When 57million Italians suffered power cuts at the weekend, it was
the FOURTH time in SIX weeks a Western nation had been plunged
into
darkness.
The cuts, which have affected more than 100million people, started
in August when New York and much of north-east America was blacked
out.
Within days London and southern England suffered a similar power
failure, then Denmark and its capital Copenhagen followed suit.
But is it just coincidence, the groaning of long outdated and
creaking power grids, or are there really dark forces at work?
Secret
The Internet is buzzing with wild theories and bizarre rumours.
One of the most popular is that the Western nations have secretly
organised the blackouts as dummy runs against terror attacks.
One US web user said on a chat site: "There's a good chance this was
orchestrated to test public response and as a reminder to be
prepared."
Others believe a top secret US military experiment is to blame,
suggesting it had affected the Earth's magnetic field which caused
the cuts.
One Net nerd has even written an essay titled Did A Secret Military
Experiment Cause The 2003 American Blackout?
Another web surfer called Keith put it down to the rise of a new
global power. He said: "Power cuts in the US, the UK and now Italy.
Is the new world order up to something?"
Others attributed the blackouts to aliens taking over the world. One
conspirator said: "The aliens transmit large amounts of electricity
into power relay stations and blow out their circuit breakers. It's
all part of their invasion plan and every industrial country will be
affected."
Perhaps the most bizarre explanation came from a conspirator simply
known as Acoloss, who said: "Maybe electricity is a form of life and
it's become aware."
But last night electricity suppliers insisted there was a rational
explanation to the cuts. National Grid Transco spokesman Chris Mostyn
said: "The British blackout had nothing to do with terrorism or
aliens. It was a technical fault."
But for conspiracy theorists, this explanation is just another
example of how we are being kept in the dark.

It's £500 for a passport
The Sun 12-5-04.
by KATHRYN LISTER NEIL SYSON
and OLIVER HARVEY

CROOKED immigration officer Lucy Denyer demanded £500 for a dodgy passport — then bragged she could get THREE more.

Brazen Denyer even claimed she was charging HALF the going rate.

The Gatwick Airport worker — exposed in an undercover investigation by The Sun — refused to haggle over the price.

She insisted: “Normally it would cost you £1,000, so it is cheap.

“You have got to remember this is my job at risk and this is my life at risk for you, so it’s £500. It is a very good price, trust me.”

Denyer, 21, who earns £21,500 a year in her job STOPPING illegal foreigners at one of Britain’s biggest gateways, made her demands to two Sun investigators in a pub.

Asked if she could provide more passports, she replied: “Yeah, two or three.”

Denyer was clutching one filched from an office at Gatwick’s North Terminal — part of a stack confiscated from suspect travellers.

The greedy official believed it was for a Romanian called Piotr who had slipped into the UK in the back of a lorry at Dover.

But Piotr was in fact reporter Oliver Harvey — and the entire meeting was captured on video.

An appalled gay pal had tipped off The Sun that lesbian Denyer was touting around her friends for dodgy visa and passport business.

Reporter Kathryn Lister first contacted her by text, posing as a woman called Andrea and asking for help for a friend.

The women had met briefly months before — but Andrea was not the person who tipped us off.

Over five days, Denyer exchanged text messages and even asked for a description of our Romanian so she could get the best passport match.

The officer then sent the excited text: “I’ve got it now. Will arrange to meet in croydon monday afternoon, hows that? Will he have the £’s on him? X.”

Denyer, an immigration officer for three years, arrived at the South London pub, sure of a sale with Oliver and Kathryn.

Ironically, the venue is half a mile from the immigration service’s national HQ, where thousands of asylum seekers flock for processing.

Cocky Denyer collected her £500 as she slipped the passport under the table. She told Oliver: “You take the photo out the top and slide yours in.

“You need to be very, very careful with it. Do it very slowly. It is better to have your own photo in it rather than get someone like you.”

The passport, number 034705825 and issued on June 28, 1999, was in the name of James Smallwood, supposedly born in Northampton on February 6, 1979.

It was seized at Gatwick in September 2001 from drug smugglers and used as evidence at Croydon Crown Court.

Denyer even had advice for Oliver if officers grew suspicious.

She said: “If they stop you and say ‘I know that’s not you’, hold your hands up and claim asylum. It is either claim asylum or go to jail. If you claim asylum there’s no jail.”

Pals allege Denyer has openly boasted about taking bribes from foreigners entering Britain and once pocketed £1,500.

Denyer said of the passport: “This will be my second like this but I’ve done visas before. The visas are easier because it is something I can just put a stamp on.

“We have got two drawers full of British passports — about 70.”

Reporter Oliver last month uncovered a fake passport scam in Poland when he bought one for £800 in a Warsaw market.

Denyer, of Lingfield, Surrey, told him part of her role involved assessing passengers through two-way mirrors.

She bragged: “When I joined I was the youngest immigration officer in the UK. I think I’m still one of the youngest.”

Last night The Sun gave its damning dossier to the Home Office and Denyer was suspended from duty pending a probe.

Immigration Minister Des Brown said: “We’d like to thank The Sun for bringing this incident to our attention. We treat it with the utmost seriousness.”

Excellent False Passports Sold in Polish Marketplace
AN undercover Sun reporter has exposed just how easy it is to get a false east European passport and exploit the Government’s shambolic immigration system. Our man was able to buy a forged Polish passport with a false name in a bustling Warsaw street market for just £800. He was also able to buy a picture ID card in his own name for £330. The Home Office last night confirmed that from May 1 — when Poland and nine other nations join the EU — either document will allow entry to Britain. Similar fake credentials could be used by illegal immigrants from non-EU countries . . . as well as terrorists or big-time criminals.

A tip-off from a contact in the Polish underworld led us to Rozyckiego Market, a vipers’ nest of criminality in the centre of Polish capital Warsaw. Within seconds of entering the collection of rickety wooden and corrugated iron stalls we were approached by an unshaven man in a leather jacket. Through a translator, the man, with black moustache and baseball cap, offered our reporter a Polish ID card. The man boasted: “You can have it in whatever name you like. You will be able to travel all over Europe with it. It will be a perfect fake. You can pick it up tomorrow.” Then, as other shoppers strolled by, we were ushered behind a flower stall out of sight of the busy street. Our man was then introduced to another gang member, an overweight, bald man in his fifties. He asked through the translator for our reporter’s height, hair and eye colour. He agreed to provide an ID card in the name Oliver Harvey. Our man handed over a passport picture and 300 US dollars (£165) up front. Returning two days later, he picked up the picture ID, a brilliant fake which also gave our reporter a false address in Warsaw. It also gave the city as his place of birth and a made-up name for his father. The green-fronted card, number DX1258874, came complete with official government stamps and watermarks. We paid a further £165 in US dollars for the ID and shook hands.

The bald man then said through our translator: “We trust you now. Why don’t you buy a passport? We have Polish and Austrian, but Austrian is more expensive. You can have any name you like but why don’t you let us make up a Polish identity for you? Border guards will simply look at your passport and wave you through.” His pal said: “People travel to Britain and throughout Europe on our passports. We will create a new identity for you, no problem.” After quoting $2,000, around £1,100, our man bartered the price down to £800. As we struck the deal another man, of central Asian origin, arrived to collect HIS false passport. The racketeer proudly showed the fake to our reporter who, judging the papers a good copy, handed over a £500 down payment in US dollars. Our reporter now had the false name of Andrzej Miler, false date of birth March 28, 1968, and passport number BM3196643. When we compared our version with a legitimate Polish passport, there was no obvious difference. One local said: “This market is like a passport consulate. As well as passports and ID cards, you can get driving licences and degrees.”

In four weeks Poland will be the EU’s eastern frontier. Mafia gangs have already established the nation as a people-smuggling staging post en-route to Britain and the West. Around 50,000 illegals from as far afield as China, Afghanistan and Somalia were stopped trying to cross Poland’s borders last year. Almost 10,000 forged passports and other ID documents were discovered at British ports in 2002, the latest year for which figures are available — an increase of 46 per cent on 2001. But an unknown number of illegals with false papers make it into Britain each year. Forged passports are commonly used by terrorists to slip in and out of countries undetected. Two al-Qaeda terrorists, jailed in Britain in 2003, were discovered with hundreds of false travel documents. ....

The false documents we bought in Poland were examined by a counterfeit passport expert . . . who passed them with flying colours. The London-based specialist, unnamed because he helps investigations involving terrorists and organised crime, subjected the documents to vigorous forensic tests. He concluded in a written report: “Both documents would be accepted as genuine in a variety of scenarios. After Poland’s accession to the EU, the passport is likely to be accepted in all EU countries. “This is particularly the case where they are not physically examined but merely accepted ‘on the nod’ as the holder passes through the control holding the photo page open, as in the UK.” Once in Britain the passport could be used for a string of criminal and black market activities. The specialist added: “You could use the passport to open a bank account, get a credit card, get a job and cash cheques.” But he said the fakes are not perfect. And the passport could be rumbled if a Customs man decided to look closely at it. He added: “I would not expect an immigration officer to accept the passport if it is subjected to any kind of physical examination. “Having said that, if there were travel stamps and visas in the passport, it might be enough to put the officer off asking too many questions.”

A gang netted more than £1million by sticking immigrants’ pictures into genuine British passports. In 14 months up to 500 illegals were waved through at British airports and ferry terminals. Three of the gang — Britons Robert Walkden, 31, Mohammed Jamil, 32, and Khalid Mahmood, 31 — were jailed for six years each in Bradford yesterday. They charged £2,000 to escort the Asian migrants from Europe into Britain, sticking their photos into genuine passports believed to have been bought from British citizens. Detective Constable Peter Thornton, who led the inquiry, said: “The fact is if you are in the queue for people with British passports, the chances are you won’t be stopped.”
Posted by Mike Sylwester 1:00:07 AM|| E-Mail|| Page ||

#1 You will note that the Mob don't deal in Euros.
Posted by: Shipman 2004-04-02 8:32:21 AM Top Page

#2 This explains why the US has not lifted visa restrictions on travel from Poland despite their help in Iraq and the WOT. The Polish government can bitch all they want, but those restrictions need to be kept in place until Poland cleans up this problem.
Posted by: Steve 2004-04-02 8:46:12 AM Top Page

#3 Yeah right. This reporter should ask for a refund. First of all, the last name on the passport should be 'Miller' not 'Miler', even though they are pronounced the same way in Polish. An easy mistake for a dumbass forger to make (and even dumber reporter). With a sharp border guard this should immediately raise a flag.

Who is Oliver Harvey Really ?

2005-06-30T16:53:00.000+05:00

A few stories on who this Oliver Harvey really is :- Anatoly Tal, Dominic Mohan(? ho ho), a caring father in a spiderman suit, or just a guy who weighs big breasts!

Another Hoax story from NYT

2005-06-30T16:05:00.000+05:00

Card sharps after your bank details
June 29, 2005

Cyber-savvy gangs are after your banking details, costing business more than $50 billion a year and shaking the world's financial system. Tom Zeller reports.

'Want drive fast cars?" asks an advertisement, in broken English, atop the website iaaca.com. "Want live in premium hotels? Want own beautiful girls? It's possible with dumps from Zo0mer." A "dump", in the blunt vernacular of a flourishing online black market, is a credit card number. And what Zo0mer is peddling is stolen account information - name, billing address, phone - for gold Visa cards and MasterCards, at $US100 apiece.

It is not clear whether data stolen from CardSystems Solutions, the payment processor reported in recent weeks to have exposed 40 million credit card accounts to possible theft, has entered this black market. But police and security experts say it is a safe bet the data will eventually be peddled at sites such as iaaca.com - its name shorthand for International Association for the Advancement of Criminal Activity.

Despite years of security improvements and tougher, more co-ordinated policing, the information that criminals siphon - credit card and bank account numbers, and raw consumer information - is boldly hawked on the internet. The data is used for online purchases, producing counterfeit cards, or in elaborate identity theft schemes.
AdvertisementAdvertisement

The online trade in credit card and bank account numbers, and other consumer information, is highly structured. There are buyers and sellers, intermediaries and service industries. The players come from all over the world, but most of the websites on which they meet are run from computer servers in former Soviet countries, making them difficult to police.

Traders quickly earn titles, ratings and reputations for the quality of their goods. That quality also determines prices. A wealth of institutional knowledge and shared wisdom is doled out to newcomers to the market - such as how to move payments and the best time to crack an account.

The US's Federal Trade Commission estimates that about 10 million Americans have their personal information pilfered and misused every year, costing consumers $US5 billion ($6.47 billion) and businesses $US48 billion.

"There's so much to this," says Jim Melnick, a former Russian affairs analyst for the Defence Intelligence Agency who is now the director of threat development at iDefense, a company that tracks cyber crime. "The story that needs to be told is the larger, long-term threat to the … financial industry. It's a cancer. It's not going to kill you now, but slowly, over time."

No one will estimate knows how many cards and account numbers make it to the internet auction block, but investigators describe the market as huge. Every day, at sites such as iaaca.com and carderportal.org, pseudonymous vendors do business in an arcane slurry of acronyms.

"Cobs", or changes of billings, are a hot commodity. Typically, a peddler of cobs is offering fresh bank or credit card accounts, along with the ability to change the billing address through a pilfered PIN. In other cases, a vendor selling cobs is offering to change billing addresses as a service. Sometimes the address is changed to a safe "drop", which might be an empty flat or some other scouted delivery point.

Lengthy tutorials posted at online "carding" forums indicate that the cob art form is highly developed. A criminal will wait until the day a victim receives a billing statement. "That way you have a full 30 days" before the victim is likely to look at his account again, explained one tutorial collected by the FBI.

A user called "mindtrip" had cobs for sale recently. "I'm selling cobs from at this time only banks Discover and American Express t'ill further notice," he wrote in brusque English. "The cobs come with full info including MMN [mother's maiden name]." Discover Card cobs with any balance were on special: $US50. American Express, a more exclusive and potentially more lucrative account, commanded $US85.

Alongside advertisements for cobs are pitches from malicious-code writers, who sell their services to the con artists, known as phishers, who contract with spammers to send out millions of increasingly sophisticated phoney emails designed to lure victims into revealing account information.

A successful phishing operation might bring in thousands of fresh account numbers, along with other identifying details: names, addresses, phone numbers, passwords, PINs, and mothers' maiden names. The richer the detail (and the higher the account balance), the better the asking price.

A user nicknamed Sirota is peddling account information so detailed, and so formatted, that it clearly came from a credit report. He is asking $US200 per dump on accounts with balances above $US10,000, with a minimum order of five if the buyer wants accounts associated with a particular bank.

Every day brings more. "These things have a short shelf life," says Dan Larkin, from the FBI's Internet Crime Complaint Centre. "The criminal value of a compromised credit card is very short-term, so there's a constant need to keep backfilling their resources."

Those buying fresh batches of account numbers may try to make purchases online, having goods delivered to a drop and then fencing them through online auctions.

More sophisticated thieves will seek vendors of encoding devices, and others who sell "plastic" (blank credit cards) and "algos" (algorithms needed to properly encode the magnetic strip and produce a usable card). And "cash-out" services can be arranged with those offering to take the encoded plastic to a cash machine and make withdrawals until the account is depleted. The cash-out risk commands a premium - often 50 per cent or more of the total balance.

Traders build reputations by earning the right to advertise, and then augment their status by receiving published kudos from other members. No one is permitted to post product or service offers at most of these websites without first having their wares vetted by site administrators, or by those selected as trusted "reviewers".

At iaaca.com, for example, those who want to sell cobs or cob services "will be required to provide 10 change of addresses, to be distributed to two reviewers", who "will test this service by either phone or internet". New vendors of credit card numbers "will be required to furnish 20 valid dumps (five classics, five business, five platinums, five corporate; 50 per cent Visa, 50 per cent MasterCard)", say the administrators. "The testers will determine the quality, in a percentage of valid numbers."

Once the wares are vetted, a vendor might then pay a fee to peddle them on a site's message boards. Banner ads can also be purchased.

Contacts among deal makers almost always move off the boards and onto ICQ, the instant-messaging program of choice among cyberthieves because of its easy anonymity (no names, no registration, no email required). Payments often change hands in relative anonymity (and with little regulation) by e-gold, an electronic currency that purports to be backed by gold bullion and issued by e-gold Ltd, a company incorporated in the Caribbean.

Transactions might also be made in WMZs, electronic monetary units equivalent to American dollars and issued by WebMoney Transfer, a company based in Moscow.

Mark Rasch, the former head of cyber investigations for the US Justice Department and now the senior vice-president of Solutionary, a computer security company, says the numbers taken in the CardSystems breach - at least 200,000 are said to have been in stolen files - will probably end up in one of these trading posts.

CardSystems represented a vital hub through which millions of account numbers passed. ChoicePoint, a data aggregator, was another goldmine. It announced in February that thousands of records had been downloaded from its databases by thieves posing as legitimate clients (no hacking required).

"It used to be you'd get a few numbers from a few merchants and aggregate them yourself - a few numbers from a lot of people," Rasch says. "But at some point they said, 'Wait a minute, there are other people who aggregate this stuff.' "

And, he points out, it is nearly impossible to stop. For all the information that police and security experts can glean from sites such as iaaca.com, "there are whole marketplaces of bulletin-board systems and chats that are invisible".

Still, law enforcement has made inroads. In October, the US Justice Department and the Secret Service announced the internationally co-ordinated arrest of 28 people in eight US states and several countries, including Sweden, Britain, Poland, Belarus and Bulgaria. The Justice Department says that among them are the ringleaders of Shadowcrew.com, the largest English-language web bazaar, trading in everything from stolen credit card, debit card and bank account numbers to counterfeit drivers' licences, passports and social security cards.

The investigation, called Operation Firewall, broke up a 4000-member underground that, according to the Justice Department, bought and sold nearly 2 million credit-card numbers in two years and caused more than $US4 million in losses to merchants, banks and individuals.

But eight months later, the traders have adapted and resumed business. They are a bit more skittish, says John Watters, the chief executive of iDefense. Operation Firewall did take out some of the "low-hanging fruit", but that has caused the pricing models to become more refined, and the characters in this black-market economy to become more sophisticated.

He says there is also a small but growing market for the type of raw consumer information that has been pilfered from ChoicePoint, LexisNexis and other general-data aggregators.

"We've observed people paying for identities," Watters says, describing web forms where criminals can tick off the fields they have to sell or want to buy: address, date of birth, social security number, driver's licence number, mother's maiden name.

And as the traders slip deeper underground - or onto servers in regions with lax laws, overburdened or uninterested law enforcement, and no real working relationship with American authorities - the odds of pulling off another Operation Firewall get worse. "It's getting harder for us to do our job," he says.

Asked at a symposium on cyber crime recently if law enforcement was losing the battle against cyber criminals, Brian Nagel, assistant director for investigations at the Secret Service, said no, according to published reports.

But another panel member, Jody Westby, the managing director of security and privacy practice at PricewaterhouseCoopers, disagreed, insisting that based on US Federal Trade Commission statistics on identity and credit card theft, only about 5 per cent of cyber criminals are caught.

Westby later offered an assessment no less bleak. "We're not making an impact. The criminals are too hard to track and trace, too hard to prosecute, and the information they steal is too easy to use."

At one Russian-language site, a user called Lexus celebrates the CardSystems breach, saying that "judgement day has come for the bourgeoisie". Another, Zer0, suggests on the site that the hacked numbers might represent new opportunities in the underground. "It is a good occasion for us," Zer0 says. "Happy hunting."

The New York Times

Sarbajit Roy : Cyber Law Expert view

2005-06-30T13:13:00.000+05:00

Block The Sun’s portal: Complainant demands

[ THURSDAY, JUNE 30, 2005 02:41:43 AM]

NEW DELHI: In an interesting development, a complaint filed under the Information Technology Act, 2000 with Delhi’s IT adjudicating officer Prakash Kumar has called for blocking of The Sun’s website, and involving The Sun’s undercover reporter Oliver Harvey and accused Karan Bahree into the on-going investigation in the BPO scam relating to the data leakage.

Under the Act, each state has a designated adjudicating officer to look into cases relating to the breach of the Act. Delhi’s IT secretary Kumar serves as the adjudicating officer for the Capital. Currently, out of the country, he may take a call whether to entertain the complaint only next week.

According to complainant Sarbajit Roy, an IT consultant, Indian investigating authorities need to have physical possession of the “evidence”, namely the CD containing the leaked data for forensic examination to establish whether the data is actually of “confidential nature”.

His contention is that it is important to establish the nature of the data. “It can very well be confidential data like credit card particulars and mobile phone billing data and addresses which are easily available for a price and used by direct sales agents of banks, telecom companies and credit bureau of banks,” he added.

Roy alleges that the operation by The Sun reporter might have been undertaken with an aim to “defame” India as there are no laws in India concerning data protection and privacy for foreigners.

Meanwhile, an industry-government committee set up by the IT ministry, early this year, is already looking at updating the IT Act and giving more teeth for data protection and security. With the Prime Minister taking active interest in the case, it may well expedite the move to revamp the Act.

trackback : Roy on data protection and privacy

Hacked PM seeks Stronger IT Laws

2005-06-30T13:11:00.000+05:00

India's Prime Minister Singh Seeks Stronger Data Privacy Laws

June 29 (Bloomberg) -- India's Prime Minister Manmohan Singh called for changes in the country's laws to strengthen data privacy and make breaches a punishable offence after a U.K. newspaper reported bank account details were sold for cash.

``Indian professionals have built for themselves an enviable global reputation through hard work, dedication and commitment and the occasional misguided acts of some individuals should not be allowed to damage the high reputation of all professionals,'' Singh said in a statement issued today, after a meeting to review steps to deal with cyber crimes.

Changes in the law may strengthen the protection of data and help Indian investigative agencies to convict people accused of misusing data at a faster pace, easing concerns about security at Indian customer contact centers that threatens to derail one of the nation's fastest growing industries.

``We will need to put in stronger methods to prevent such things,'' said Raman Roy, who founded Spectramind eServices Pvt., a customer contact center that was acquired by Wipro Ltd. ``There are enough laws but the cycle time for conviction is long. If there was a separate data protection law, it could make it shorter, faster and more robust.''

Kkaran Bahree, a former employee of a call center, allegedly sold personal information, including bank account and credit card details, of 1,000 customers of HSBC Holdings Plc, Barclays Plc and Lloyds TSB Group Plc to an undercover reporter of the U.K's Sun for $5,000.

The sting operation came after former employees of Mphasis BFL Ltd.'s call center unit in Pune were accused of stealing as much as $300,000 from customers of Citigroup Inc, the world's biggest financial services company. They have been arrested and are being tried.

Employee Database

Kiran Karnik, president of the National Association of Software and Service Companies, or Nasscom, said the grouping will build a database of employees in the nation's call center and transaction processing industry to ensure quality standards.

``India's brand equity in this area is very strong,'' Karnik said in a statement. ``The recent incident may well have been a sting operation directed to give Indian industry a bad name against the background of its growing competitiveness.''

Export revenue from the Indian call center and transaction processing industry is forecast to quadruple to $21 billion by 2009 from $5.2 billion in the year ended March 31, according to a 2002 study by McKinsey & Co. for Nasscom.

Under the Information Technology Act, 2000, Bahree, if found guilty, could be jailed for three years and be asked to pay a fine of 200,000 rupees ($4,600), said Pavan Duggal, managing partner of New Delhi-based law firm Pavan Duggal & Associates.

In addition, Bahree may face charges of cheating, theft and breach of trust under the Indian Penal Code, Duggal said.

The Indian government in January set up a committee to look into changes in the Information Technology Act.

To contact the reporter on this story:
Saikat Chatterjee in New Delhi at schatterjee4@bloomberg.net.

Brijesh Kumar to the Rescue of Indian BPOs

2005-06-29T17:35:00.000+05:00

CHINA HAPPY ABOUT INDIA's BPO WOES.
By SarbaJit Roy: Now its the turn of Chinese News Agency Xinhua to gloat over India's BPO woes whilst India's Top IT Bureaucrat Mr. Brijesh Kumar issues pathetic little statements saying that "the law will take its course". That is exactly the sort of dynamic sound byte needed to reassure foreigners that all is well in India. BPOs OUT !!! Take off to CHINA -- PLEASE !!

NEW DELHI, June 29 (Xinhuanet)--The Indian Government said Wednesday that it was looking into the issue of alleged leakage of data from a web marketing company employee to an undercover reporter of a UK daily in a sting operation and asserted that guilty would not be spared.

"We are finding out the truth. The case is being looked into by us relating to the allegation of 'classified' data leakage. After inquiry if anybody is found guilty, existing law will take its own course. Nobody would be spared... But we would not do anything prematurely... Let the inquiry be over," Brijesh Kumar, India's Informational and Technology Secretary said.

However, he did not specify any time-frame for the on-going investigation.

Karan Bahree, an employee of the India-based web marketing firm,was at the center of a storm involving leakage of credit card information, after he admitted to handing over a CD to the reporter of the British tabloid The Sun, but claimed he did not know that the information contained in the CD was classified.

His company Infinity e-search, which has already sacked him in the wake of the controversy, said that Bahree, in his explanation letter, had said he was offered a job and 5,000 US dollars by the UK daily in return of a presentation information contained in a CD.

The local police are also looking into the case.

Data theft, the Indian legal position (a primer)

2005-06-29T16:19:00.000+05:00

A good primer article on the state of Indian Laws concerning BPOs, data theft etc. Some glaring flaws are evident, but this story is a decent starting point for anyone interested in examining laws of India on data privacy and sharing.

A suitable law is not ready as yet

Incorporate issues under contractual, IT and criminal legislations

CHETAN NAGENDRA
Posted online: Tuesday, June 28, 2005 at 0006 hours IST

The issue at hand is the state of readiness of the Indian legal framework in coping with the increasing multitude of data security and privacy threats. Though there is no specific data protection statute in India, the existing legal framework can be utilised for data security and privacy.

In India, the Indian Contract Act, 1872, and the Specific Relief Act, 1963, provide the framework for legal agreements. Agreements may be used to contractually enforce data security. Almost all entities outsourcing to third party outfits in India prefer to do so within a contractual framework, employing a combination of strict confidentiality and non-disclosure agreements. Most outsourcing entities (OEs) enter into service- level agreements (SLAs) to ensure prescribed quality levels by the service provider (SP). SLAs often prescribe monetary damages and proffer at-will agreement termination clauses that try to ensure SPs adhere strictly to data security and privacy norms.

The Contract Act recognises a contract as a civil obligation, non-compliance of which may lead to compensatory, not penal, damages. While courts are loath to enforce large sums of liquidated damages or unlimited penalties, reasonable compensation for loss or damage, as laid down by the parties in the contract, are usually enforceable. Consequential damages, if detailed in the contract, are required to be reasonably computed. Penalties in the form of higher interest rate computations in the event of default are usually disregarded or recomputed by the court at reasonable rates.

OEs may also utilise the Specific Relief Act. This is particularly useful to enforce provisions in outsourcing contracts against SPs. For example, in the event the latter is required to destroy all traces of data imported post-processing and neglects to do so, the OE may sue for specific performance to ensure compliance under the contract.

OEs may also resort to other remedies, in the form of temporary/permanent injunctions restraining SPs, in the face of imminent data security or privacy threats by the latter.

OEs also favour shifting jurisdiction and governing law of the outsourcing contract to more favourable locations than India. For example, some plaintiff-friendly US states do not recognise limitation of liability clauses on the part of SPs. Therefore, the tab for non-compliance of contracts containing such clauses can be heavy on Indian SPs. On the other hand, there is a practical difficulty in enforcing such decrees by foreign courts in India. Enforcement of foreign decrees will require a fresh application before Indian courts, if those were awarded by courts in territories not considered reciprocal for this purpose (such as the US).

Utilising a contractual framework for protecting data and ensuring privacy is an effective choice for OEs interested in outsourcing data that requires high-level legal compliance. Examples are medical histories of patients, processing of financial information requiring utilisation of personally identifiable information, like social security numbers, or areas prone to identity theft, like credit card transaction processing. However, approaching the courts here may mean a long battle, due to the backlog of prior litigation. OEs should, instead, opt for other means of dispute resolution, such as arbitration.

The IT Act has several provisions on data security and privacy. Some of the penal provisions include Section 43 (penalty for damage to computer, computer system, etc), Section 65 (tampering with computer source documents) and Section 66 (hacking with computer system). Most prosecutions under the Act commence under these provisions.

It has been reported that an expert committee, constituted for an in-depth review, favours widening the ambit of computer offences in the wake of rapid technological advancements. Although there is no lack of statutory support for prosecuting crimes within the Act’s ambit, there is a distinct lack of sensitisation of the police. For instance, a CEO of a reputed online auction company was arrested for an arguable offence under Section 67 (publishing of obscene information in electronic form). The enforcing authority’s policy seems to be to act first and review at leisure.

The fundamental rights enshrined in Article 19 (the right to freedom of speech and expression of an individual) of the Constitution come closest to protecting an individual’s privacy and his freedom of expression. The two rights are two sides of the same coin. One person’s right to know and be informed may violate another’s right to be left alone.

Though the Constitution and interpreted case laws enumerate upon the rights of privacy, speech and expression to be enjoyed by citizens, these may be invoked only in disputes between a citizen and the state.

As for criminal law, the possibilities of prosecution of offences emanating from actual breach of data security and privacy under the Indian Penal Code, 1860, are bleak. For instance, forgery, cheating or criminal breach of trust, have been interpreted as an offenses against corporeal property. However, ‘data’ being incorporeal, may not fall within the interpretation of ‘property’ under the IPC.

In sum, the current legal system does not provide a strong legal framework for companies willing to outsource work here. A new data security and privacy statute is proposed to be enacted shortly. It will need to incorporate various issues under the contractual, IT and criminal law frameworks. Unless the legal regime is made to suit new types of threats against privacy and confidentiality, and unless such a regime is implemented effectively, India’s position as an important outsourcing destination may be threatened.

The writer is an associate at Amarchand Mangaldas

Foreign foxes raid Indian chicks.

2005-06-29T16:02:00.000+05:00

Investigators foxed by lack of evidence in BPO case
SUDIPTO DEY

TIMES NEWS NETWORK[ WEDNESDAY, JUNE 29, 2005 01:18:58 AM]

NEW DELHI: Investigating agencies are in a quandary over the probe in the alleged leakage of confidential data by an Indian BPO worker, in the absence of hard evidence. Awaiting a formal nod from Interpol, senior police officers point out that it has to be first established whether there was a theft of data.

“The British financial institutions, who are supposed to have suffered the loss of confidential data, have to establish that the body of data resides with an ITeS company in India,” said a senior official from the Delhi Police crime branch.

“They will either have to hand over the entire body of evidence for us to corroborate, if there has been any theft of data, or give us specific instructions about the help they need on the case,” an official added.

As per procedure, the Interpol generally alerts the CBI, who then takes a call on whether to probe the matter itself or pass it on to some other agency.

In this case, as the Gurgaon police has already begun preliminary investigations into the issue based on media reports, the likelihood of the same agency being asked to undertake the probe is high.

In some cases, Interpol gets in touch with state police directly. Till date, neither Haryana or Delhi police, nor the CBI has received any intimation from Interpol to probe the issue. A spokesperson of the London police told ET that the agency has already forwarded a request for probe to Interpol.

The claims and counter-claims by parties involved have further confounded the agencies. Oliver Harvey, the undercover Sun reporter, continues to stand by his story, and refutes claims by accused Karan Bahree that he was a mere conduit in the whole incident.

“I have evidence in the form of video, and e-mail, in which Bahree is clearly seen peddling confidential data,” Harvey told ET from London. Bahree, in a statement issued through his former employer, Gurgaon-based Infinity eServices, has pleaded ignorance about the contents of the CD, while conceding that he did meet the undercover reporter and gave him a CD for $5,000 and promise of a job.

In a queer twist, some of the banks who are supposed to have suffered loss of confidential data are maintaining a stony silence. Some of them have even said that there they do no outsource their processes to any Indian agency.

What makes matters more difficult for Indian agencies is that under the IT Act, 2000, theft of data is not treated as a punishable offence with no clear-cut guidelines as to what constitutes data theft. Legal experts claim that the incident will be treated as a case of “hacking” and is punishable with a three-year jail term and a fine of up to Rs 2 lakh. Moreover, each of the affected parties can also claim statutory damage to the tune of up to Rs 1 crore, under Indian laws.

The Indian IT industry is already treating this scam as a “one-off” incident. “We will nevertheless push for more stringent laws for data theft by amending the IT Act,” Nasscom president Kiran Karnik said.

A industry-government committee set up by the IT ministry is already looking at updating the IT Act. Whatever the outcome of the scam, it may well expedite the move to revamp the Act and give it more teeth to deal with such issues, feel most industry players.

How the BPO Sting Data was faked ??

2005-06-29T10:26:00.000+05:00

Devangshu Datta: Bahree versus keystroke loggers
WORM`S EYE VIEW
Devangshu Datta / New Delhi June 29, 2005
The episode could happen anywhere. So far, Indian BPOs haven’t suffered hacker attacks so common elsewhere

The Sun sting operation proves nothing security specialists didn’t know. There are forums on the Net where you can buy larger, more comprehensive lists. Crackers barter personal details harvested off computers penetrated with keystroke loggers, remote administration tools and assorted spyware.

If, instead of trolling the Net, somebody walks upto a cyber-savvy man and offers large sums for sensitive data, the youth in question may be tempted to supply it. If he’s a lazy chap, he will do a version of the following:

1. Go to online telephone directories and download every 30th name at random, to create primary entries for the “database” he intends to sell.

2. Then, write a program to generate random 13-digit or 15-digit numbers, based on the length of the standard credit card series in the target country.

3. Link the random numbers generated in 2. to the names in 1. Voila! We have a database, which looks and feels real and stands up to preliminary check.

It is an entirely different matter that transactions utilising this “data” would be impossible. The seller might not even be legally liable since he would not be hacking or trading sensitive information. I don’t know if Karan Bahree was smart enough to do this or if he went out and acquired real data. But it is a tempting thought to “sting the stinger”.

The Sun’s main tack was its anti-outsourcing stance. This is also old hat. It is merely a racist variant of the linguistic discrimination advocated by so many Indian regional parties. To say British jobs must be done in the UK by British citizens is exactly the same in principle as demanding that Maharastrian jobs must be done by Marathi-speakers based in Maharashtra.

It is no more and no less offensive for somebody to be at the receiving end of either opinion. The existence of a right-wing, anti-BPO lobby doesn’t affect the pro-BPO case one whit more than the existence of the Shiv Sena alters the case for Mumbai businesses to employ the best people they find, regardless of ethnicity.

Oddly enough, the Bahree sting and the scam at Mphasis that preceded it, offer several positives for the Indian IT industry. For one thing, no Indian BPO operation has thus far been electronically hacked. Both these incidents depended on social engineering — which is the art of persuading individuals to voluntarily offer sensitive data.

One can easily make the case that Indian software/ ITES / BPO operations are more secure than their rivals because major global credit card and bank databases in the US are electronically hacked on a daily basis.

In terms of comparative security, India is, therefore, a better environment than most of the first-world nations to which it provides outsourcing services. It is unquestionably a better security environment than competing east Europeans and east Asian nations.

However, it is high time that the global personal finance industry re-examined its own value and service-delivery chains in the light of growing incidences of electronic fraud. Credit cards were invented in the 1950s and seamlessly integrated into the electronic environment of the mid-1990s.

The crooks have caught up and in order to stay ahead, the financial industry must change its modes of operation. For one thing, a customer is now at risk if he simply offers his credit card at a restaurant and a waiter with an eidetic memory files away the number for electronic use.

One way forward is the virtual credit card (VCC), which some banks now offer. A VCC generates a ID number valid for one electronic transaction only with a defined credit limit. This limits damage from a possible hack.

Another way is to leverage MMS-SMS for automated verification of transactions though this method fails in cases of identity theft where contact details and photo IDs have been changed. There are also biometric options such as fingerprint and retina scans.

Perhaps identity-broking could also be a route to greater security. Nothing and nobody will ever totally eliminate hacks via social engineering but better modes of e-commerce could certainly limit the damage.

trackback: Devangshu Datta

Police fail to act in BPO Sting

2005-06-29T10:24:00.000+05:00

Police could have acted before formal complaint
SUDIPTO DEY

TIMES NEWS NETWORK[ SUNDAY, JUNE 26, 2005 11:21:35 PM]

NEW DELHI: Even as London police was caught up over the issue of jurisdiction while probing the case of alleged theft of financial data by an Indian IT worker, their counterparts in India could have, on their own, initiated preliminary investigation on the basis of media reports, without waiting for a formal complaint.

Gurgaon police on Saturday formally began investigating the issue, nearly 48 hours after a British tabloid broke the news about alleged sale of confidential information by accused Karan Bahree, an employee of a Gurgaon-based web development company.

Section 80 of IT Act, ’00, gives power to police officials - of the rank of Deputy Superintendent of Police (DSP) or above - to enter any public place, search and arrest without warrant any person suspected of committing any offence under the IT Act. The term “public place” includes any public conveyance, hotel, shop or any other place intended for use by, or accessible to the public.

Legal experts point out that Indian police need not have waited for any formal complaint but could have initiated an inquiry on their own.

Karan Bahree loses BPO job

2005-06-29T10:15:00.000+05:00

Bahree loses job, dad says it’s a conspiracy
Pragya Singh

New Delhi, June 25: Nearly three days after a UK tabloid revealed that Karan Bahree, 24, had exchanged cash for confidential BPO data, his folks insist he is the victim of a conspiracy.

Karan’s father, S K Bahree, answers the doorbell. ‘‘We’re very concerned. I’m worried about my son. Is there news of what is happening outside (in London)?’’ he asks through a crack in the door.

Advertisement
‘‘My son is an unlucky victim of some conspiracy. He is innocent, the poor thing,’’ says Bahree Sr.

Bahree is anxious for details about the ‘‘case’’ against Karan. ‘‘Please courier me all the papers you have on what London is saying,’’ he says. However, he does reveal his residence telephone number.

But the Bahrees, along with the BPO industry, the government, Gurgaon police and Karan’s employers Infinity e-Search, seem to forget that Karan is free. Others in his position were not so lucky.

Remember Bazee.com? As per cyber laws police have the right to ring the same doorbell, seize all computer systems and haul them back to the police station for scrutiny as evidence. It can even arrest Karan, though no complaint has been filed against him.

‘‘The provision is draconian, as we saw in the Bazee case. But it’s 65 hours — the world wants to know what India is doing about this case? Will any action be taken under the IT Act or not, after all, hasn’t Bahree triggered something that will affect the interests of the BPO industry?’’ asks advocate Pawan Duggal.

London police have said they can’t get cracking because the matter is out of their jurisdiction. But it has requested Interpol to seek help from Indian authorities and perhaps make an arrest or two.

CBI sources said they had been alerted about the request through Interpol channels. The agency is gearing up to investigate the case once a formal request is made.

Meanwhile Karan, who is ‘‘away,’’ lost his job today.

‘‘We have terminated his services. Since he was on probation there was no need for a notice period. We have done this in the interests of the company,’’ said Infinity eSearch’s lawyer Deepak Masih.

Section 66 of the IT Act, which covers hacking in its widest definition, can fetch Bahree, if he is found guilty, three years in prison plus a Rs 2 lakh fine. It also makes him liable to civil suits for damages up to Rs 1 crore for every count he is found guilt of.

‘‘Around six sections of the Indian Penal Code also appear to apply to his case,’’ said Duggal.

Urvashi Kaul on Indian BPO websites Blocking

2005-06-29T10:10:00.000+05:00

Complaint filed against Sun’s online edition
- By Urvashi Kaul

New Delhi: A complaint has been filed under the Information Technology Act with adjudicating officer Prakash Kumar, in which RBI stands as one of the respondents, asking the government to block the Sun’s online website for attempting to cause damage to India’s economy by "defaming the legitimate Indian BPOs".

The complaint is a part of the ongoing matter pending with the government relating to the hacking of 8 million credit card accounts (including 12 lakh Indian accounts), involving a British Bank in August 2000.

While the CD, which the Sun reporter claims to possess, is crucial for forensic examination, the complainant in capacity of a qualified computer engineer wants it to be examined whether the CD was a re-writeable CD, and also if it has been "finalised" at the time of burning, an information necessary to determine maintainability of this issue under the IT Act 2000.

The complainant in his complaint, a copy of which lies with this newspaper, alleges that the sensitive data that Mr Oliver Harvey, the Sun reporter, projects as having originated from Delhi, India (as hacked data from the Indian BPOs), may have been sold data provided by the British Banks that freely circulate in India.

Informed sources claim that the CDs containing hacked confidential data like credit card particulars and mobile phone billings data’s and addresses are freely sold all over Delhi in places like Palika Baazar, Nehru Place, and Janakpuri District Centre without fear of the law. The complainant alleges that it is quite possible that the CD was sold containing data freely available in Delhi, which are being used by direct sales agents of banks, telecom companies and credit bureaus of banks.

While there are no immigration records of Mr Oliver’s visit to India on a journalistic visa, official sources said that if he intended to do his business of reporting on a tourist visa, which doesn’t go with his tourist status, then the reporters act needs to be dealt with harshly under the Foreigners Act. The complainant also alleges that the visit might have been undertaken with an aim to "defame" India as there are no laws in India concerning data protection and privacy for foreigners in India. Repeated attempts by the complainant to get a response in the matter by Mr Oliver Harvey, via email, failed.

For all you know Karan Bahree, the eye of the "BPO scandal" storm, cannot be booked under the IT Act, as Indian laws are applicable for data protection and privacy of data for Indian citizens only and that he may not have broken any laws including the Indian Penal Code.

trackback : Asian Age Delhi Karan Bahree

Data Security Indian BPOs Karan Bahree

2005-06-29T10:05:00.000+05:00

BPO sting: IT Act petition asks Govt to get cracking
Petition calls for roping in cyber response team, CERT-IN.

Pragya Singh

New Delhi, June 28: KARAN Bahree sold data hacked from Indian call centres to The Sun’s reporters. Or did he? To find out, wait another week.

A petition filed with the Delhi government today requests that law enforcement agencies access the CD and ‘‘dossier’’ prepared by The Sun reporter Oliver Harvey, investigate their contents and block the tabloid’s website in India.

Advertisement
The petition, filed by Sarbajit Roy, has been presented to the Adjudication Officer under the Information Technology Act, 2000, in the Delhi government to which, the government hasto respond within a week.

It also calls for roping in cyber enforcement authorities like the Computer Emergency Response Team, India (CERT-IN) to dredge out the truth.

The government, the petition says, must examine if the data allegedly sold by Bahree was made accessible by the British banks themselves.

‘‘It is entirely possible that Respondent No. 5 (Harvey) may have been sold data provided by the British Banks itself, which he is proclaiming abroad to be hacked data from Indian BPOs and thereby defaming legitimate Indian BPOs and our nation and damaging India’s economy,’’ says the petition.The truth will emerge only if a forensic examination of the CD is conducted.

Roy’s petition is the first that can put the IT Act in motion.In the investigations so far, none of the Indian law-enforcement agencies have contacted the London Police, which has already registered a case.

Speaking to The Indian Express over the phone, London Police’s spokesperson Orna Joseph said,‘‘Any Indian authorities wanting to contact us over the case can do so.’’ (With inputs from Raghvendra Rao)

trackback: Delhi Newsline Karan Bahree

BPO frauds and India's IT Minister sleeps.

2005-06-24T12:09:00.000+05:00

Indian BPOs stung where it hurts most
Prerna K. Mishra, Siddharth Zarabi and Vijay Dutt
New Delhi/London, June 23, 2005

In a claim that may re-ignite passions against outsourcing work to India, mass-selling British tabloid The Sun has created a sensation by reporting that it managed to purchase bank details of 1,000 Britons for just £3 each from one Karan Bahree, 24, in Delhi.

The paper said its reporter had obtained addresses, passwords, phone numbers and details of credit cards, passports and driving licences which could be used to raid the accounts of unsuspecting victims.

It said the institutions targeted included many of Britain's top banks such as NatWest, HSBC, Barclays, and Lloyds TSB. Bahree said he had obtained the information from contacts working at call centres and boasted he could provide 200,000 account details a month -- including those of US citizens.

In separate statements, HSBC, Barclays, and Lloyds TSB said the security of data was a top priority and they were taking the allegations seriously.

Not the first

This is the second blow for the Indian call-centre industry, which employs over 3.5 lakh people spread across nearly 600 international call-centre locations. In April, the Pune police had arrested 16 Mphasis employees for a $350,000 online credit-card fraud in which Citibank customers were allegedly enticed to part with their personal identification numbers.

It is perhaps why the Sun's rather hysterical headline, "Your Life for Sale", evoked a wide range of responses in the UK and India.

UK response

For starters, London police said they were investigating the newspaper claim. Detective chief inspector Oliver Shaw said the allegations were serious, but added: "We would like to warn the Sun readers, instances of this kind are still relatively rare." A London police spokeswoman said, "The breadth of what we are going to be investigating is not clear yet."

Barclays spokeswoman, however, clarified: "We would be surprised if we were involved as no personal data is held in India."

An executive at one of the banks whose client details are claimed to have been broken into, told HT in London that the report was "sketchy" about how the security arrangements in place were breached. She admitted that such an incident could happen anywhere, "Glasgow, Wales" or any other place.

Ian Mullen, the British Banking Association's chief executive, said they were concerned but added staff in India were checked as rigorously as workers elsewhere. "The quality of staff in these call centres is very high," he told BBC Radio.

Indian response

In New Delhi, Minister for Communications and IT Dayanidhi Maran dismissed the incident as a "freak" occurrence. "Please remember that incidents like this have happened all over the Western world," he said. "We do not believe that it is a matter for us (the government) to get into, as it relates to private parties."

Nasscom president Kiran Karnik acknowledged that this was a terrible thing to happen. He, however, added: "The problem is not unique to any single nation -- it is one that affects us all."

Cyber-crime lawyer Pavan Duggal said a case, if filed, will fall under the dual jurisdiction of India and Britain.

Sex and Indian BPO data security risks exposed again

2005-06-24T12:02:00.000+05:00

Your life for sale

By OLIVER HARVEY
and SUN ONLINE REPORTER

CROOKED call centre workers in India are flogging details of Britons’ bank accounts, a Sun probe has found.

Our undercover reporter Oliver Harvey was sold the top secret information on a thousand accounts, and numbers of passports and credit cards.

And today City of London police launched an investigation after receiving a dossier of information from The Sun giving details of the banks whose security may have been compromised.

A number of high street banks including Barclays, the Woolwich, HSBC and Lloyds TSB, said they were working with police.

Harvey, who paid a total of 5,000 US dollars (£2,750) for the information and was asked for another £275 to be sent later, was told details usually cost £4.25 but he was getting a special deal.

Karan Bahree, who said he got the details from a network of call centre workers in Delhi, also boasted that he could get up to 2,000 account details a month.

The information received included account holders’ addresses, secret passwords, credit card details, passports and driving licence information.

In some cases there were also the issue and expiry dates of bank cards, as well as the three digit security number from the back of the card.

A spokeswoman for the City of London Police said: "All the financial institutions identified have been fully informed of the situation.

"An investigation is now under way. Therefore it would be inappropriate for us to provide further details at this stage."

The spokeswoman said The Sun handed police the names of banks that might have been compromised following an investigation into the security of financial information held at foreign call centres.

"At this stage we are not fully aware of the breadth of what we are going to be investigating.

"We have been handed information and it is being reviewed."

Worlds top Cyber Cop

2005-06-20T15:03:00.000+05:00

About Schmidt

6/3/2005 5:00:00 PM - q&a He started off as a policeman, but the former head of IT security at Microsoft and eBay has learned a lot since then. Listen to his advice about internal threats, two-factor encryption and identity management

by Poonam Khanna

Howard Schmidt is a much sought-after expert in his field, and a quick glance at his career history makes it easy to understand why.

Schmidt has served as the chief security specialist for the U.S. Computer Emergency Readiness Team (CERT), as the CISO and CSO for Microsoft Corp., where

he spearheaded the trustworthy computing initiative and most recently as the CISO for online auction company eBay. Schmidt left that position last month to devote more time to his consulting work for CERT, other international governments and some corporations.

ITBusiness.ca recently spoke over the phone with Schmidt, who will be heading into Toronto on June 15 to speak at the Infosecurity Canada conference.

ITBusiness.ca: What are the biggest cyber security issues facing businesses today, and how are they changing?

Howard Schmidt: I think the biggest things are still the same things that we’ve been seeing in the past 20-some odd years, and that’s vulnerabilities in software and firmware within hardware that we are constantly creating in environments where we have vulnerabilities and holes that are oftentimes unpatched for a multitude of reasons. And what’s changing about that is that it used to be, for the longest time, particularly those involved in hacking and denial of service attacks on a regular basis, (that they) were generally attacking large enterprises. As we saw, the distributed denial of service attacks back in February of 2000, they were against large corporations and things of this nature. We’re starting to see now, the small and medium enterprise can be targeted as well as the consumers and the end users through a variety of different methods. Not only through vulnerabilities in their systems, but also the electronic version of social engineering, and with phishing and spyware, and things of this nature.

ITB: Do you have advice for other businesses on how they can deal with those issues?

HS: I think first and foremost, you need to have an organization that has senior leadership enough that’s on par with other executives in the business world. First and foremost, there’s a perspective in many cases in the business folks that security actually slows down one’s ability to generate revenue, slows down the ability to innovate and do business. That’s traditionally been the focus: That security is this necessary evil. You know, “We’ve got to have it, but try to avoid it at all costs.” In the recent past, in the past four or five years that the model, the way we do security has changed to where it actually becomes a business enabler and actually helps with the branding, helps with making sure that the functions are taking place as they should be — making sure the availability is there. So we’ve seen some change in there, but that’s only been because the position of security officers has been raised to the business unit executive.

ITB: Are vendors doing enough to address the issue of security?

HS: Well, vendors have changed dramatically over the past three years or so. I know when I was at Microsoft and we started the trustworthy computing group, that was, you know, a clear issue where the whole focus was shifting to security being priority No. 1, instead of just a priority. I know Oracle and Sun and Cisco and all the big IT companies are really, really focusing on doing a better job on security. The challenge we see right now is we’ve got a whole lot of legacy equipment out that’s out there, a lot of legacy operating systems and hardware that it’s tantamount to driving a 1950s car that did not have airbags, that did not have safety belts that did not have collapsible steering wheels. You can’t afford to buy a newer car with the new safety features. So even though vendors are doing more, they’re doing a better job, it’s going to take a while to transition to the safer operating systems, safer applications than we’ve seen in the past. Part of the challenge with that is some of the new technologies that are designed to help us be more collaborative — for example, instant messaging, some of the peer-to-peer activities. As we get better about security operating systems and better about networks, people are starting to look for things, like “Oh, gee, peer-to-peer — I can start attacking that and hit instant messenger,” for example. Now people are using it for business reasons.

ITB: What led to the trustworthy computing initiative at Microsoft?

HS: I think it was a couple of things. The CTO, Craig Mundy and I were talking about the security of our enterprise, and of course back in the year 2000 even Microsoft was the victim of a hack, even though we were doing a lot of things right. It turned out it was an external system which was insecure and it led to someone’s ability to come inside a corporate network. So the idea of having firewalls and all the other protections to keep someone out that came in appearing to be a legitimate user. And that’s what many companies have experienced. Most of the hacks we see are run that way, as a matter of fact. So, consequently, it was recognized, well, if the company with the IT resources that Microsoft has could be subject to that, can you imagine the people that had less expertise? So therefore it was decided to create the trustworthy security group and make that a company-wide priority.

And once again, just to be fair, it wasn’t not only Microsoft. That just happened to be the one we were personally involved in. At the same time, Mary Ann Davidson from Oracle, who’s the chief security officer there, who runs the product security component (did the same). Many of us were meeting and talking at the time about how there was no competition between us as security officers, it was all about “How can we make not only our own specific companies more secure, but how can we make the infrastructure more secure as well?”

ITB: Do you think there needs to be legislation to make sure security is an integral part of the efforts of vendors?

HS: Well, I think to some level, particularly in the U.S., we’ve seen some movement in that direction, for example, the Gramm-Leach Bliley Act on the banking and financial industries talks about the security of financial systems, and Sarbanes-Oxley, which was not designed to be an IT security tool. It was more around accountability — it was more around financial systems. It has indeed been translated into things relative to cyber security. So we do have the recognition. The government has created some legislation. I think overall, there’s not much the government can do to legislate these things, other than making sure the resources are available for law enforcement to successfully investigate and hold people accountable for doing these things.

Because these are not being done by corporate security people, these are being done by criminals. As long as there’s a way for a criminal to commit a crime and there’s an incentive for them to do so, they’ll continue to do it. So by putting some in jail and holding them accountable for their actions, sending a clear message, that, “Yeah, you may find someone who leaves their keys in their automobiles when they go to the shopping malls, because they forget or they weren’t thinking, or whatever, that doesn’t give you the right to go out and steal something.”

And so that’s the sort of thing the government can help in. And we’re seeing that internationally.

ITB: What kind of measures should companies put into place to guard against internal threats?

HS: Insiders always have and always will be a challenge. Number one, I think we fundamentally have to redo the way we do identity management in society. If you think about some of the recent things that have become available in the media about tapes that are becoming lost, insiders stealing tapes, ripping off bank accounts, not only domestically, but internationally as well. So these are the sorts of things that basically are successful only because we provide access to too much data for the wrong reason. For example, say you have tech support for an issue with your mobile phone, and you call tech support. Why would a help desk person need to have your Social Security number or your national ID number? Why would they need to have your date of birth, your credit card number, all of these other things? All they should know is that you’re a legitimate subscriber and here’s the level of service that you’re entitled to. We haven’t done a good job of looking forward on what people would have access to. Another example is issues around when people would open up fake businesses and then pull data down and do identity theft. That’s been going on now for almost 20 years. In 1986, when I was a policeman a lot of my first cases were like that. Because what happens is, we have a desire to aggregate data — whether it’s credit ratings or to make it easier to look things up on people legitimately. I think it was a fundamental failure to realize that this can also be used by bad guys to do bad things. So, number one, that’s what we need to do. We need to change the way we do identity management, the way we aggregate data, and only have that amount of data necessary to do, say, the tech support job or reset your password that one would need to do without providing more information than that.

ITB: So how exactly do we need to change the way we do identity management?

HS: Two-factor authentication clearly is one of the ways to go forward on this. Smart cards are one way, secure ID tokens. Some of the companies are coming out with mobile devices, for example, where you have the one-time password with rotating numbers so its also on a USB device. You can plug it into a USB device.

Now, as I think you fully realize, there is no such thing as 100 per cent security with any technology. But two-factor authentication clearly gets us to the next level.

The next piece after the strong authentication would be more granular authorization that we go to. And once again, I’ll give you a classic example. In many of the vulnerability assessments — the many security service companies — what they will do is they will walk into a company, whether it’s SMB or a large enterprise, or a government agency, as part of their testing, they’ll sit down in a conference room, plug into the network jack, and they’ll start perusing what they can get access to on the network. Often times, as a stranger, they get access to much more than they should have to begin with, but then they also have the ability to identify vulnerabilities that may exist, which oftentimes occur, identify those, exploit those, escalate privilege. And also, within a short period of time, they get access to data they shouldn’t have access to. So having very, very granular . . . and people say by the way, it’s very, very complicated to become very granular, that out of the 150 resources within a corporation, I can only have access to ten of ’em. That’s difficult to do. Well, it may have been at one point, but I think we’re getting much, much better about more granular authorization and resources within an IT system.

The third piece that I think we really, really need to take a strong look at, is encryption. I got some new eyeglasses last year — it was a little local eyeglass shop. I got a letter from them saying “We regret to inform you that your identity may be at risk because our computer system was stolen in a burglary.” It was a standalone PC, not networked to anything, but it still had my credit card information, my medical ID number, all these other things. My first question to them was, “Did you have any encryption on that so people couldn’t get access to it?” And, of course, the question was, “What’s encryption, and why would we need that?”

ITB: So when you talk about two-factor encryption, are you talking about just employees, or citizens as well?

HS: Society in general. And that’s one of the things that I think we really need to accelerate. If you look at some of the countries in Europe that are basically issuing smart cards as part of their national ID, some of the financial institutions, are mandating that in order to do online banking, you must do two-factor authentication. These are situations where normal citizens doing normal online transactions are using them and doing it successfully.

ITB: What about people who would express concerns about privacy?

HS: Clearly, by using strong authentication, you do as much for better privacy than you do for security. The classic example is when one uses a user ID and password, and say that user ID and password is compromised. That’s not a hard thing to do anymore, whether it’s spyware or key loggers. Once you get access to a person’s user ID and password, then the bad guys will try all the different online e-commerce sites, they’ll try the ISP sites. They’ll keep using the user ID and passwords on multiple sites till they find out what they can about you. And invariably, they can wind up finding out a great deal of information.

So, consequentially, two-factor authentication would help reduce the likelihood of privacy violation as well, as will encryption.

ITB: What have you learned from past mistakes?

HS: I think the biggest mistake that any of us in security have ever made is trying to sell security as a black and white issue, that basically, either you do this or bad things are going to happen to you. Because what happens is, particularly in the early days, a lot of executives, when something bad didn’t happen, they would say, “OK, you’ve been telling me that if we didn’t buy this antivirus software, we were going to lose our reputation in the industry. We had a virus come into the system, it took as seven hours to get rid of it, but we’re still doing good.” Clearly that’s an issue where talking about the sky is falling doesn’t help. So that’s one issue. The other one is basically not working with the business units as much as you should. Understanding what the business needs are and how you can help facilitate the business unit work, as opposed to saying, “No, you can’t do this because bad things are going to happen.” Clearly, those are the two biggest lessons that I’ve learned.

And the third piece is, there used to be a time where we in security would view security as something that you had to either do it my way or you shouldn’t be doing it at all. And clearly you have to learn that you really have to operationalize security — where security, particularly the security executive’s role is more about setting strategy, policy and not so much doing the day-to-day work, which the IT folks are very, very good at doing.

Comment: info@itbusiness.ca

Bank Frauds in India

2005-06-20T14:38:00.000+05:00

Bank Frauds-A chronic Disease
Some relevant issues to tackle the bank frauds.
An INDIA FORENSIC approach.

BANK FRAUDS – A CHRONIC DISEASE, by
Anuradha A. Pujari

All the major operational areas in banking represent a good opportunity for fraudsters with growing incidence being reported under deposit, loan and inter-branch accounting transactions, including remittances.

A broad analysis of various frauds that have taken place throw up the following high-risk areas in committing frauds:

Misappropriation of cash by dodging accounts.
Unauthorized withdrawal or transfers of funds, mostly from long dormant accounts. These kinds of frauds involve the forgery also.
Opening of fictitious accounts to misappropriate funds from illegal activities ie. Laundering through the fictitious accounts.
Use of interbank clearing for accommodation, kite flying and misappropriation.
Cheating in foreign exchange transactions by flouting exchange control provisions.
Over valuations of the securities and tampering with the security documents, which has lead to many of the co-operative bank failures in the recent past.
Fraud in collusion with bank staff in emerging areas and services under the computerized environment.

Frauds take place in a financial system only when safeguards and procedural checks are inadequate or when they are not scrupulously adhered to, leaving the system vulnerable to the perpetrators. Anecdotal evidence shows that whether the agency or individual committing the fraud works for the bank or deals with it, the culprit does careful planning before he attacks the system at its most vulnerable point.

The most effective defense banks could have against fraud is to strengthen their operational practices, procedures, controls and review systems so that all fraud-prone areas are fully sanitized against internal or external breaches. However, the huge expansions in banking transactions consequent to the transition of banks to mass banking and the large-scale computerization have played a major role in the perpetration of the frauds. Hence mere reliance on the internal controls is of no use.

Expect fraud. To expect the fraud one needs formal education to think on the given guidelines. Nowhere in the world the fraud can be avoided and the banks are no exceptions. It is a human tendency of taking the risk to commit the frauds if he finds suitable opportunities. So it is wise to expect the occurrence of the fraud. When the different schemes of frauds are classified it gives a broad idea of the fraud schemes that are possible in the country. Unfortunately no Indian body does this work. If the fraud is expected, efforts can be concentrated on the areas, which are fraud prone. Fraud is the game of two. The rule makers and rule breakers. Whoever is strong in the anticipation of the situations wins the game of frauds. Fraud is a phenomenon, which cannot be eliminated, but it needs to be managed.

Develop a fraud policy. The policy should be written and distributed to all employees, Borrowers and depositors. This gives a moral tension to the potential Fraudster. Maintain a zero tolerance for violations. The Indian bank needs to roar against the action that is taken against the Fraudsters. The media publicity against the fraudsters at all the levels is necessary. The announcement by US president George W. Bush that the “Corporate crooks will not be spared” gave the deep impact to the Corporate America. In India also we need to consider it as a sever problem and need to fight against it.

Assess Risk. Look at the ways fraud can happen in the organization. It is very important to study the trend and the style of frauds in the bank. The Basel-II accord deals in the assessment of various kinds of risk. Some of the big nationalized banks in India maintain the databases of the fraud cases reported in their banks. But the databases are dumb. They yield nothing unless they are analyzed effectively. Establish regular fraud-detection procedures. It could be in the form of Internal audit or it could also be in the form of inspections. These procedures alone discourage employees from committing fraud. In addition to this the Institute of Chartered Accountants of India has issued a “Accounting and Assurance standard on internal controls which is a real guideline to test internal controls. Controls break down because people affect them, and because circumstances change.

Segregate duties in critical areas. It is the absolutely basic principle of auditing a single person should not have the control of the books of accounts and the physical asset. Because this is the scenario which tempts the employee to commit the fraud. Hence it becomes essential to see that no one employee should be able to initiate and complete a critical transaction without involving someone else. Most of the banks in India have the well-defined authorization procedures. The allocation of the sanctioning limits is also observed in most of the cases. But still the bankers violate the authorities very easily. They just need to collude with the outside parties. However the detection of the collusions is possible in most of the cases if the higher authorities are willing to dig the frauds.

Maintain the tone of Ethics at the top. The subordinates have the tendency to follow their superiors. When the signals are passed on to the middle management about the unethical behavior of the top management the fear of punishment gets reduced and the tendency of following the superior dominates. Fear vanishes when the tendency of “If I have to die I’ll take along the superior and die” tendency rises.

Review and enforce password security. The incidences of hacking and the Phishing have troubled the Indian Private sector banks to a great extent. In addition to this most of the Indian banks are running behind the ATM and credit cards to compete with each other but have conveniently forgone the fact that ATM cards and the credit cards are the best tools available in the hands of the fraudsters. Inappropriate system access makes it possible to steal large amounts of money very quickly and, in many cases, without detection. Hence the review and the enforcement of the security policy is going to be a crucial.

Promote the Whistle blowing Culture. Many of the surveys on Frauds have shown that the frauds are unearthed by the “TIPS” from insider or may be from outsiders. Internal audits and internal controls come much later. The message about contacting the vigilance officers is flashed in most of the branch premises. However the ethics lines are very rarely seen. The ethics lines are the help lines to the employees or the well-wishers of the bank, which tells them whether a particular activity constitutes a fraud, or not.

Conduct pre-employment screening. Since the raw material of the Banks is cash the banker needs to be more alert than any other employer before they recruit. Only testing the aptitude of a person is not of any use. Know whom you are hiring. More than 20 percent of resumes contain false statements. Most employers will only confirm dates of employment. Some times post employment condition might create the greed in the minds of employee, hence atleast the bankers should test check the characters of their subordinates by creating real life scenarios such as offering the bribes by calling on some dummy borrower.

Screen and monitor Borrowers. Bad borrowers cause the biggest losses to the banks. What are they? Who they represent themselves to be? Look at their ownership, clients, references, and litigation history. In many cases the potential fraudsters have history of defaulting in some other bank or Financial Institution. The more realistic approach is to maintain the centralized databases of the defaulters and the properties offered by them, which would give the banks very easy access to the list of defaulters, which in turn could be used to take the decisions regarding the disbursements and all other issues.

This ten-fold approach to combat the frauds is an endeavor to reduce the operational risks of the banks in the wake of the coming BASEL-II norms. These norms have identified the operational risks to be one of the biggest threats to the progress of the banking sector. Complying with these norms yields the definite results.

Mumbai BPO cyber sex pictures

2005-06-20T14:24:00.000+05:00

Courtesy: Hemal Ashar / Mid-Day

Mumbai, Jun 11: Sleazy photographs taken by a strategically-placed camera in a leading Business Process Outsourcing (BPO) unit has put the call centre in a quandary about how to react.

The call centre (whose name is being withheld) says it is looking at legal options about how to tackle the photographs doing rounds on the Internet as the sex pictures have their company name above them.

They show a couple having sex in an office cubicle with the headline: ‘Caught red-handed at’ and the BPO’s name. Text accompanying these pictures also admonishes: Indian Office Environment: Careful.

What can be seen

In the photographs, the woman is wearing a brown salwar-kameez and the man is wearing a white shirt and black trousers.

There are eight photographs, the first of which shows the couple kissing after which the series gets progressively more explicit.

The call centre mentioned is a very prominent one with branches in Gurgaon, Mumbai, Philippines and Bangalore. The centre was taken over by a multinational company in 2004 and currently has 10,000 employees, making it one of India’s largest BPOs.

Call centre reacts

The Mumbai branch is located in the city’s call centre hub in Malad.

Says a spokesperson from the BPO, “We are aware that these photographs have been posted on the Internet stating that they have been taken at our company. We deny that this has ever happened at any of our branches.

Also, the couple shown in the picture are not our employees and do not have any connection with the company. We just hope this dies a natural death.”

An employee stated, “This may be an attempt to discredit call centres at a time when India is becoming a major player in the sector. This is purely spam mail and has no credibility at all.”

What can a company do in a case like this?

Dr S Apranti, DCP, cyber crime cell, Mumbai police says, “In cases like this, one has to file a complaint with the cyber crime cell and the cell swings into immediate action. We will find out who has been sending these emails, connect the man with the machine and take action after that."

Cyber laws of India are 98% perfect says Government

2005-06-20T14:21:00.000+05:00

Foolproof Cyber laws on par with global standards
Wednesday, June 08, 2005

BANGALORE: Cyber laws in India will soon be brought on par with global standards and made nearly foolproof.

A group of law firms in India, the U.S. and the UK, which was commissioned by the Nasscom to take close look at the cyber regulations in all the three countries and the kind of data security violations reported, has submitted its recommendations.

The objective of the exercise was to ascertain to what extent Indian cyber laws provided protection against cyber violations.

The comparative study found that all the four major Indian regulation like the Indian Penal Code, the IT Act, Contracts Act and Consumer Protection Act already addressed to 98 percent of all “committable” cyber crimes.

Nasscom has recommended to the ministry of information technology for a couple of amendments in the existing IT Act and IPC frameworks. Nasscom submitted its recommendation two weeks back to the ministry of IT, which is now expected to work with the ministry of law to make the required amendments in the IPC.

Nasscom has a problem of sorts at hand. Technology changes frequently and so do crime techniques and hence Nasscom has recommended the ministry of IT to set up an expert committee to review the IT Act on an annual basis.

Ovum on: CITIGROUP'S CUSTOMER DATA LOSS

2005-06-20T14:16:00.000+05:00

Ovum on: CITIGROUP'S EMBARRASING CUSTOMER DATA LOSS

Citigroup said earlier this week that data tapes containing credit information on 3.9m of its customers have gone missing while in transit with UPS to a credit bureau. The data contains customer names, Social Security numbers and payment history information. Citigroup is writing to the affected customers, who are all in the US.
David Bradshaw, Principal Analyst and Practice Leader (CRM) and Graham Titterington, Principal Analyst, comment:

Comment: "Just when you thought that all the security problems that banks face came from the internet, up pops this news to show that data-security problems exist just as much in the physical world.

What next, will people start stealing money from bank branches? Seriously, it seems odd that banks don't use secure delivery services that take into account the fact that people might want to steal data. It reminds us of people who refuse to buy things from Amazon because the Internet isn't secure, but who'll happily hand over their credit card to a restaurant waiter they don't know.

Actually, the biggest security threat on the Internet is not the hacking of interactive transactions, but rather the risk that hackers will hack into merchant's customer databases, thereby harvesting thousands of customer records and credit card details in one swipe. The irony is that these databases may contain customer records for offline as well as online customers. And even merchants with no online sales may have hack-able databases, so customers who avoid shopping on the Internet are still at risk. There's no easy solution. "

Ukranians hacked my VISA credit card

2005-06-20T14:13:00.000+05:00

Credit card frauds, an interview with Vladimir Golubev
Date: June 03, 2005
Source: Computer Crime Research Center
By: Vladimir Golubev

Roman, who is the victim, told us about this outstanding case. He is a manager with one of big companies here in Zaporozhye, Ukraine. He said his company set up a contract on salary cards project with the bank A. Employees have their personal credit card accounts and receive their wages through ATMs of the VISA Classic international payment system. Roman also used mobile-banking services. When a transaction on his account occurs, an immediate notification is sent to his GSM phone via SMS.

Roman told CCRC it happened on February 6th, 2005. On that Sunday evening he and his wife were at home. They were receiving guests when Roman got an SMS saying that $300 have withdrawn from his account, he continued. In a minute he received another message and another $300 were gone. The third message notified about the next inquiry for $300, which was not performed due to insufficient funds on the account. His wife also had an additional card on the same account. The first idea that came into Roman’s mind was that the cards were stolen. However they found all their cards. SMS also stated the place where the inquiries were performed. It was the ATM of the Privatbank.

Without any loss of time Roman dialed the hotline number of the bank A. Bank personnel confirmed the cash disbursement of $600. According to their words, his wife’s Visa card was used to withdraw money. Bank officials recommended him to turn to the central office of the bank A in Kiev, the capital of Ukraine.

Next day Roman came to the central office of the bank A in Kiev. There he put in an application and canceled the additional card. He was told that bank’s security service would carry out an investigation and take certain measures. The most interesting is that Roman travels very much all over Ukraine, being in different cities, using the card to pay in shops, withdrawing money via ATMs. Therein it is much more possible that his card could be forged rather than his wife's. His feme was a housewife, she used her card only in two or three ATMs. Noone knew she had an access to the account.

The bank was silent during the next month. Roman spent a quite sum on phone calls to Kiev, resulting in no outcome. He was only told that bank security service is engaged in the case. Thereafter it turned out that the materials on the case were brought to the local Zaporozhye bank office. He received no answers except endless “will you call back tomorrow?”

In the middle of March bank security service of the Zaporozhye office phoned Roman and told that they turned out incompetent, such case was new to them. All they could do for him was just to pass the case to police. At the end of their conversation bank officials blabbed out about a certain scandal in the Visa payment system. An alleged leak of data occurred, someone supposedly could have obtained access to card accounts and Roman was not the only victim. Policemen in the regional police department didn’t promise much. They only told if they found a person, it would be possible to give the money back. The bank dropped out of the game. Police argued that Roman was the owner of the account, thus the money was stolen from him.

Here are few comments on the case by Dr. Vladimir Golubev, director of the CCRC.

Q: Vladimir, you seem to deal with plenty of such cases. Can you explain us the case?

A: It will be clear if you carry everything happening to you in real life to the virtual world. How do people get robbed in the street? People are robbed in the Internet the same way. Criminals just use IT instead of a knife or a cudjel. Virtual criminals use the same schemes. The Internet, being an open and global information system, is not entirely adapted to these services acquired by our banks. Criminals will always be around where they catch a smell of money.
Thus information is stolen, money on bank accounts is stolen, websites are hacked, technical espionage and information war are carried out.

Q: What is carding?

A: Carding is not just a bunch of swindlers with plastic cards, it is a well-organized criminal community. They have special websites, blogs, forums. Newcomers are training and pros exchange useful information there. Anyone may know how it is organized on their sites.

There are many ways of carding. It's a credit card fraud. Carder is the player in such fraud. It is hard to get PIN-codes from real cards, though, it is possible. Carders use a wide range of tools like PIN MasterCard, PIN Visa card and other systems. They can also resort to systems of exterior videomonitoring over ATMs and key logging devices. Finally criminals could just peep your pin-code over your shoulder.

Q; How did they get the card?

A: It is a sure thing. Carders often use the so-called “white plastic”. It is a forged blank payment card with a magnetic strip. There is nothing labelled on it. All the data on the real card is written to this magnetic strip. So the criminal can use it only at the ATM. Salary cards are usually of no interest for criminals. They prefer credit cards with an overdraft option on the holder’s account.

There is a certain risk that data on the card could be read while paying for the goods in the markets. It is easy to make a slip, a copy of the card. There are also pocket devices designed to make a print of the card in a moment, and then criminals create a copy.

Q: Bank insiders also could be involved in this case, couldn't they?

A: We can’t rule this out. I will tell you more, in 70% of frauds with payment cards, a former or a present employee of the bank is involved with the criminal group. Here in Zaporozhye, Ukraine we had a case when a former bank official tried to transfer $1 million from the account of a local company last year.

Q: What are the scales of the carding in Ukraine, is there any official statistics?

I brought up a question of statistics at one of the latest conferences where employees of the National Bank of Ukraine were present. One of their officials told there was no such statistics and would never be. Bankers are not interested to divulge their incompetence to the public. Thus, we call such crimes latent.

Q: It is much more complicated to cope with secret threats. Therein I would like to know rights of victims.

A: I believe that in each specific case any bank should carry out an investigation and also recompense the damage to the victim if carding was proved. And it is a point of honor for police to go find and punish the criminal and then to pay damages to the bank.

And what is more, everything that the bank should and should not do is provided by a contract signed by both the bank and the client.

By the way, having read some blank contracts we surprisingly found out the presence of the following clause:

“Bank is not responsible for any operations performed with the payment card by third parties, for any money transfers perfromed using lost or stolen cards until the bank receives a notice of a loss. Such risks and responsibilities are laid on the client.”

Unfortunately this clause is typical in every contract. A carder who hacked the system and stole money could have been that third party.

But I still believe that Visa could have been compromised much more likely than the bank. Such case could have happened to any Visa holder.

Q: Then the Visa is not so reliable if it was hacked, right?

A: The point is that protection and hacking is the everlasting competition of the intelligence. Thus, if the security system was hacked today, tomorrow this flaw will be fixed. Somehow or other, any bank has its own security policy. I think such precedents will make officials to draw some certain conclusions about the information security. However it doesn’t mean that tomorrow will be no breaks-in.

Here are some recommendations for plastic cards holders:

• Take an interest in insurance policy at purchase of a card. Take insurance always. Most likely, money for this service is already paid.

• Never write a PIN-code on a card.

• Never store the written down PIN-code together with a card. Learn a code by heart and do not store it in written form at all.

• Leave a sample of the signature on the back side of a card at once after its reception.

• Never transfer a card to other person. In case of need it is possible to make, for example, a family card.

• Never inform somebody the PIN-code. None (workers of the bank, the attendants of a cash dispenser, the inspector) has right to demand it.

• Do not leave a card without supervision, for example, in the machine, on a table at restaurant and so forth.

• Never phone to anybody number of the card. It is not known how many the person will hear your conversation, and whether there is no among them the one who can use heard number in the mercenary purposes.

• At loss cards phone about it immediately. If you have lost a debit card, call in bank which has given out it. It is necessary to inform representatives of payment system and the bank which has emitted a card at loss a credit card.

• Ñheck movements of money on your card account not less often, than once a month. The special attention should be turned to operation after trips in which you used the card.

The safety precautions at a cash dispenser (ATM):

• Try to not use a cash dispenser in deserted places or in places where is the big congestion of people. You become too vulnerable object for a robbery in a deserted place, it is impossible to be confident, that nobody will see a PIN-code entered by you in crowd.

• Do not allow to extraneous people to see an entered PIN-code. It is quite possible, after that you will find out loss of a card, and hardly later and money from your card account.

• Be not mistaken at input of a PIN-code. Cash dispenser will detain your card after three erroneous inputs of a code.

• Be operative at use a cash dispenser. Certain time (30-45 seconds) is given on each operation. If during this time operation will not be completed, at the best the cash dispenser will return to you a card, in the worse - will detain it.

• Check up, whether you have taken away all from a cash dispenser. After finishing of operation you should have: a card, money, an extract about the made operation. If something does not suffice, and the cash dispenser did not inform you any additional information, here something wrong. Probably, you risk to fall a victim to swindlers. Do not trust anybody at a cash dispenser even if this person is dressed in the form of the employee of a cash dispenser service.

• Keep extracts on results of operation which are given out with a cash dispenser always. It will allow to keep account the taken off money and to supervise write-off of money from your account.

• Do not show somebody the wallet and money which you have received from a cash dispenser. It is not necessary to recalculate them before a cash dispenser. The machine is not mistaken, and if will be mistaken, will not answer you of anything intelligible.

The safety precautions at payment by a card in shop, restaurant, etc.:

• Never let out a card from a field of vision. It is access to your money. Imagine, that you give the cashier or the waiter all money at your account and ask him to take how many it is necessary.

• Never sign more than three checks at payment without the POS-terminal. The signature on the check is consent to write off the specified sum from your card account. At the place where you pay by means of a card without POS-terminal first check remains in the organization, second is sent by this organization to the bank and third remains at you as acknowledgement of made operation.

• Never sign check where the sum is not specified. Having signed such check, you enable to write off from your account more money than it is necessary.

• Ñross out all empty fields after sign the check. Thus you will relieve the cashier of a temptation to enter there something superfluous.

• Demand check cancellation at incorrect registration

The safety precautions when paying by card on the Internet:

• Do not leave your personal and the card data at unknown sites. Take an interest in certain conferences. Look, where is the organization which you are going to pay. If there is no address or you don't trust it, think, whether costs to pay?

• Do not use card on which you have large sums of money for payment in the Internet. It is better to get a separate card for such purpose.

• Pay attention to the various certificates confirming safety of settlement through the given site.

• Address to bank?at occurrence of the slightest suspicions about wrongful write-off of money from the account. You have certain term to refuse or challenge wrongful money write-off from your card account. Duration of this term should be specified in the bank which was giving out to you a card.

Sarbanes-Oxley for India. NOW !!

2005-06-20T14:09:00.000+05:00

Security theft opens market for IT workers
By Charlie Anderson
The Business Journal of Kansas City
Updated: 8:00 p.m. ET June 12, 2005

Kris Drent leaps out of his seat and throws his body against a conference room door like a power forward boxing out an opponent for a rebound.

Drent, co-founder of Security PS Inc., actually is impersonating a CFO from a previous engagement. It was that finance chief's way of saying: "Nothing leaves this room."

Thus is the life of an information security professional, a cadre whose profile rises with each new revelation of data theft or loss, such as those reported by ChoicePoint Inc., Bank of America and CitiFinancial Inc. Fear of a breach in data security drives companies to pay people like Drent as much as $225 an hour to hack their corporate networks and expose holes that need plugging.

"As you can tell," Drent said, "we obviously love what we do."

There's demand for more like him. The number of information security techs is expected to double worldwide, from 1.1 million in 2003 to 2.2 million in 2008, according to a study commissioned by the International Information Systems Security Certification Consortium, which certifies security professionals.

It's unclear how many security techs work locally, but evidence suggests that the number is increasing.

That's good news for a tech work force that has been downsized, outsourced and dot-bombed in the past few years. It also provides a sexier career track for IT professionals who have grown weary of installing software for a living.

"It's intriguing," said Jody Brazil, vice president of FishNet Security Inc. "There's that James Bond appeal."

FishNet may be the best local example of the boom. The nine-year-old firm consults with corporate and government clients on IT security plans and then sells hardware and software to protect networks from attacks.

The company has grown to 110 employees nationwide -- 60 in Kansas City -- and reported revenue of $44.5 million in 2004. FishNet raised $12 million in equity investment earlier this year, and founder Gary Fish has said that he hopes to take the closely held firm public within three years.

Smaller companies, such as Security PS and Archer Technologies LLC, both of Overland Park, have sprouted up since 2000 with a singular focus on IT security.

Then there are the big accounting and consulting firms, such as Ernst & Young LLP, that are rapidly hiring security professionals to beef up their Sarbanes-Oxley Act compliance teams.

Archer Technologies CEO Jon Darbyshire ran Ernst & Young's national security practice from Kansas City before starting his software company. He said that in four years, Ernst & Young's security practice grew from zero to 1,500 people nationwide.

"We were bringing in 300, 400 people a year," Darbyshire said.

And that was before Sarbanes-Oxley, which requires CEOs and CFOs of public companies to sign off on the integrity of their companies' financial reporting systems. Most interpret this as including the security, as well as the accuracy, of financial data.

Companies don't want to be the next one in the string of headlines about data breaches, said Stephen Gillilan, an adjunct professor at the Keller Graduate School of Management at DeVry University. A California law requires notification after a breach; a national disclosure law is being discussed in Washington.

"Security is getting baked into everything now," Gillilan said.

The primary reason for heightened security awareness is the increased risk for companies doing business on the Internet.

Banks offer online bank statements, hospitals offer online billing, and retailers take credit cards on the Web. A decade ago, this data wasn't floating around cyberspace, where skilled criminals could pick it off.

At a local bank that he won't name, Drent said he was able to pull off something called "session-thefting," in which he jumped into someone else's online access to an internal system.

"I did a few things and became CFO of the company," he said.

That's chilling news for the software development community, which has seen its reputation sullied by such easy hacking of programs.

"I think we are doing a disservice if we don't teach security," said Deep Medhi, a University of Missouri-Kansas City professor of computer science from India.

Based on the job prospects for the sector, students may demand classes in security.
© 2005 The Business Journal of Kansas City.

Slashdot: Smart Card Hacking

2005-06-20T14:05:00.000+05:00

Who says smart cards can't be hacked? Apparently all you need is a 50$ oscilloscope. ;-) rol..

Smart-Card Hacking?
Hardware Hacking
Privacy
Posted by Cliff on Saturday June 18, @11:45AM
from the what-exactly-do-they-put-on-these-things dept.
W3bbo asks: "With the ever-increasing information being stored on so-called 'Smart-Cards', including credit cards with the chips, how do we know what data is read by stores when you hand over your plastic? Seaching for 'smart-card hacking' just turns up satelite TV piracy websites and virtually nothing for (sort-of) legitimate investigation to our cards. So what methods are available to hack smart-card chips and see what information about us our banks store on our cards?"
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
it's called carding... (Score:4, Informative)
by da5idnetlimit.com (410908) on Saturday June 18, @11:56AM (#12851204)
(http://www.jadwio.com/ | Last Journal: Saturday October 30, @06:54PM)
so have a few searches on this term
http://www.kallipse.com/creaweb/galaad/carding.php [kallipse.com]

Also there is an open source project devoted to reading cards and chips, don't remember the name right now...

Was on slashdot, so have a check 8)
[ Reply to This ]

Re:it's called carding... (Score:5, Informative)
by Mattcelt (454751) on Saturday June 18, @12:56PM (#12851533)
(http://www.emprecords.com/)
One of the original smart card hacks was done by Ben Jun, Paul Kocher, and Joshua Jaffe, the guys at Cryptography Research [cryptography.com], using a technique called "Differential Power Analysis" which they did with a $50 HP oscilliscope to extract the private key stored on a smart card. You can find the white paper here. [cryptography.com]
[ Reply to This | Parent ]
o Re:it's called carding... by pbhj (Score:2) Saturday June 18, @08:32PM
o 1 reply beneath your current threshold.

Kind of Esoteric, But... (Score:5, Informative)
by fuzzybunny (112938) on Saturday June 18, @11:56AM (#12851205)
(http://www.zog.net/ | Last Journal: Friday December 12, @08:21AM)
The best way to learn is to latch onto someone who really knows their stuff (which is what I did on a previous project.) If you don't have that luxury, start looking at vendor pages (Schlumberger, ActivCard, Siemens, Utimaco, Gemplus, etc.) and chipset manufacturers (Infineon, Sagem or Giesecke & Devrient for example.)

Depending on how far down you want to dig (do you want to learn about applications? Circuit design? Interfaces? Security issues?) you should probably browse around related manufacturers' pages and related newsgroups. A good example would be looking at PKCS#11-related docs, Entrust implementation docs, the Javacard specifications, how Javacards differ from other implementations, docs on "Open Platform", types of card readers (class 1 through class 4, what is "middleware", how hardware key storage works, etc.)

A lot of card-related documentation and information is strongly vendor-specific, poorly documented and, to be honest, largely irrelevant for someone who wants to learn about it in a not-too-hardcore manner.

If you're professionally seriously interested, I recommend talking to one of the serious pros, such as Jerome Ajdenbaum [iteon.net] who really know their stuff. For starters, though, a quick google search on "smart card" +documentation turned up a number of good results, including from Microsoft [microsoft.com] (whose card interface for many manufacturers and variants is surprisingly well-written), ,a href="http://java.sun.com/products/javacard/refere nce/docs/">Java card docs from Sun, and the Open Card [opencard.org] platform.
[ Reply to This ]

* Re:Kind of Esoteric, But... by Cthefuture (Score:3) Saturday June 18, @12:26PM
Re:Kind of Esoteric, But... (Score:5, Informative)
by swillden (191260) * on Saturday June 18, @01:05PM (#12851572)

Along with PKCS#11 and Javacard, you should be looking at all the ISO 7816 specifications for technical information.

The ISO 7816 specs are generally not free. You buy them from your national standards body, which in the US is ANSI. It'll cost around $150-$200 to buy the whole set from ANSI.

However, much of the content of the 7816 documents is replicated in the EMV specifications. EMV stands for Europay Mastercard Visa and is a consortium for establishing smart card banking standards, so if you're interested in looking at your bank card chip, that's the more relevant set of documents anyway. You can find all of the EMV documents on-line, free, at the EMVCo web site [emvco.com]. You may still have to acquire some of the 7816 specs (parts 3 and 4 are probably the most important), but the EMV docs contain most of what you need. Word of warning: be prepared to plow through a lot of material. Smart card technology has acquired a lot of complexity through 30 years of incremental enhancements.
[ Reply to This | Parent ]
+ Re:Kind of Esoteric, But... by aminorex (Score:2) Sunday June 19, @02:20AM
o Re:Kind of Esoteric, But... by fuzzybunny (Score:3) Saturday June 18, @01:10PM
o Re:Kind of Esoteric, But... by AdamInParadise (Score:2) Saturday June 18, @04:31PM

Who else finds it funny... (Score:2, Funny)
by Toby_Tyke (797359) on Saturday June 18, @12:21PM (#12851347)
(Last Journal: Monday May 02, @02:43AM)
That the story below this one is "Security Breach Exposes 40M Credit Cards" ?

[ Reply to This ]

No "sort-of" about it... (Score:2)
by Saeed al-Sahaf (665390) on Saturday June 18, @12:59PM (#12851547)
...and virtually nothing for (sort-of) legitimate investigation to our cards...

I think it's important to understand that there is no "sort-of" about it. We have every right to know what information is contained on the cards that we use. Why wouldn't we? What can there possibly be there that is none of our business?
[ Reply to This ]

* Re:No "sort-of" about it... by tengwar (Score:2) Saturday June 18, @03:47PM
o 1 reply beneath your current threshold.
* Re:No "sort-of" about it... by vettemph (Score:1) Saturday June 18, @03:52PM

Maybe this is too obvious... (Score:1)
by WonderSnatch (835677) on Saturday June 18, @01:34PM (#12851739)
Have you tried calling your card company?

Brett
[ Reply to This ]

Card security attacks (Score:4, Informative)
by brejc8 (223089) * on Saturday June 18, @01:46PM (#12851787)
(http://www.cs.man.ac.uk/~brejc8/ | Last Journal: Sunday November 16, @07:21PM)
These break down to a few different kinds:
Information leaking e.g. power analysis: observe the power consumption of a divide to determine what operations it is executing and what data it is working on. Usually these will only tell you the number of bits which are on in a particular stage. I found the ARM 6 gave a very clear signature of the result of the adder and could determine the number of on bits down to the nearest 2.
Error introduction e.g. clock glitch attack: This is an asynchronous engineers favorite. Basically a method of inserting errors into the processor in a deterministic method. Say the processor stage calculating a compare operation is the worst case path, the attack inserts an early clock forcing the comparison to be incorrectly made. Place this in the "are the checksums correct" code. Usually though these are a little more difficult than that.
Brute force with limited tries e.g. Flash charge pump: So to crack your card it only takes as many attempts as there are pin code combinations. To stop people from just trying out the 10,000 or so combinations the card remembers how many tries you had. Before it writes something to the flash it needs to drive up a charge pump. This is visible using power analysis and at this point you cut the power and try again.

More interestingly why are these not investigated? Well because there is no money for it. The async community has been offering better methods but the companies who make the only get a tiny profit are not inclined to make them any better.
[ Reply to This ]

h1kari did some smart card work: (Score:1)
by undef24 (159451) on Saturday June 18, @02:19PM (#12851940)
http://www.dachb0den.com/projects/scard/smartcards .ppt [dachb0den.com]
[ Reply to This ]

Circuit Cellar (Score:1)
by AndroidCat (229562) on Saturday June 18, @05:14PM (#12852787)
(http://home.primus.ca/~ronsharp/)
Circuit Cellar magazine [circuitcellar.com] has articles on smart cards, RFID, etc, now and then.
[ Reply to This ]

MUSCLE project (Score:3, Informative)
by sgifford (9982) on Saturday June 18, @07:48PM (#12853469)
(http://www.suspectclass.com/~sgifford/)
Information from the MUSCLE smartcard-on-Linux project be useful:

http://www.linuxnet.com/ [linuxnet.com]

[ Reply to This ]

Frighteningly enough (Score:2)
by Dachannien (617929) on Sunday June 19, @04:58AM (#12855287)
There may be a potential DMCA violation involved with doing this, especially if credit card company-issued smart cards contain proprietary copyrighted information on them. In any case, the threat of a lawsuit (whether it's valid or not) may be enough to silence any efforts to figure out what sorts of personally identifiable info is stored on these cards.

[ Reply to This ]

Re:Legitimate Investigation? (Score:3, Insightful)
by FidelCatsro (861135) on Saturday June 18, @12:45PM (#12851470)
(Last Journal: Wednesday June 15, @03:08AM)
1:) finding out what personal data is stored on your card
2:) hacker(traditional meaning) mentality ,Some of us just can shake the urge to explore discover and create.
3:) setting up your own credit card reader to go into bussiness as a manufacturer

The real MasterCard data security story

2005-06-20T14:02:00.000+05:00

The Irish Independent also reports that credit card giant MasterCard has sought to play down what has been called the biggest ever security breach which exposed more than 40 million cards to possible fraud.

MasterCard, which had 14 million of its credit cards accounts exposed to possible fraud, said only a small fraction of them were considered "at high risk".

But mystery still surrounds the nature of the security breach, and there is controversy over MasterCard's decision to go public about it.

MasterCard announced on Friday that the breach was traced to Atlanta-based CardSystems Solutions In, which processes credit card and other payments for banks and merchants.

CardSystems' chief financial officer, Michael A Brady, said his company was "blindsided" by the MasterCard release, adding that his company was told by the FBI not to release any information to the public. FBI spokeswoman Deb McCarley said they did ask CardSystems to not release details that might compromise the investigation - but denied asking the company not to disclose that the intrusion occurred.

"I'm not sure where they got that impression. It's important for the public to be warned so card holders can be more careful while checking their statements." But she declined to confirm reports that the breach was the result of internet hacking.

"I'm not going to get into details of what we have been able to determine right now," she said.

MasterCard spokeswoman Jessica Antle said only about 68,000 of its card holders are at "higher levels of risk", and should closely examine their credit or debit card accounts. Customers do not have to worry about identity theft, Antle said. "No, none at all," Antle said. "Social Security numbers, dates of birth, information like that are not stored on your credit card."

The incident appears to be the largest in a series of security breaches affecting valuable consumer data at major financial institutions and data brokers.

A few weeks ago, Citibank said it had lost the personal data on almost four million customers after delivery service UPS lost a box of tapes.

Like privacy ? beware RFID !

2005-06-20T13:59:00.000+05:00

June 11, 2005

my view: Kelly Jones Sharp
If you like privacy, beware of RFID

Just because we can doesn't mean we should.

Manhattan Project scientists wrestled with this moral dilemma while building the atomic bombs the U.S. dropped on Japan in 1945.

Opponents of cloning, fearing a brave new world of test-tube automatons, have expressed similar sentiments.

Now, science brings us again to a moral crossroads. This time the dilemma is our privacy, and the technology in question is the radio frequency identification chip.

RFID is not new technology, but technology that is gaining momentum in a world where consumerism and terrorism rule both policy and zeitgeist. Rebranded for mass marketing as "contactless chips," RFID has wide-ranging applications and implications.

The microchips provide automatic identification of objects, animals and people. They are radio transmitters that can be as small as a grain of rice and have a transmission and detection range of less than an inch to almost 20 feet.

The "passive" type of RFID chip approved last October by the Food and Drug Administration for implant in humans has no internal power supply but gets its juice from a tag reader that enables the chip's antenna to respond with information, typically a serial identification number. These numbers lead the reader to more detailed information stored in databases.

Wal-Mart and other companies have been successfully using RFID for efficient tracking of merchandise within their supply chains. Pet adoption agencies, such as the Humane Society of Indianapolis, offer micro-chipping for dogs and cats.

Those things are fine, presuming that the chip on my Advil bottle won't be read from my medicine cabinet, and that Fluffy and Fido won't be programmed for evildoing. It's the potential for misuse and abuse of information within people applications that concerns me.

Consider some ways RFID chips are already being used. The chips are being embedded in toll road passes, library cards and ID badges. Recent applications include "contactless" credit cards and U.S. passports.

RFID also is being combined with the global positioning system (GPS) and with wireless fidelity (WiFi) for automobile fleet management and prescription drug tracking -- uses that also could be applied to people.

Some hospitals are now using RFID to tag patients for surgery and newborn babies for security.

In the case of medical records -- the use approved last fall by the FDA -- the chip contains an access code to a person's medical information and is inserted into the upper arm. The code points to databases that grant medical providers instant access to a patient's records.

It's easy to see benefits of automatic identification. No mistaking who you are. Not having to carry information. Never having to wait -- for credit approval, for medical histories or clearance to board a plane. Your preferences auto-profiled wherever you go, from the bookstore to the supermarket. It's life in the fast lane, only faster than ever.

But at what cost? Do we really want our movements tracked and our personal data scrutinized out of some intangible fears or to save a few seconds in the checkout lane?

In May, the Government Accountability Office released a report citing privacy concerns related to RFID use among 23 federal agencies. The report says, "The use of tags and databases raises important security considerations related to the confidentiality, integrity, and availability of the data on the tags, in the databases, and in how this information is being protected. Key privacy concerns include tracking an individual's movements and profiling an individual's habits, among others."

Technology does not necessarily beget security. Recently thugs hacked into LexisNexis, grabbing personal data, including Social Security numbers, on more than 310,000 people, 2,602 of them Indiana residents.

Some RFID chips are not only readable but "writeable," meaning that tag readers could alter information on them. Reader "collision" happens when two tag readers try to read the same microchip at once. Surely techno-geeks would find surreptitious reading and switching of information on RFID chips the ultimate challenge.

The slippery slopes of science always have been paved with well-intentioned scholars who pursue their ends despite the consequences. It's time we prevail on lawmakers to set limits, and on those who would exploit this technology to "do no harm."

Sharp is a writer who lives in Indianapolis. Contact her at kelly.jones.sharp@sbcglobal.net

1 million Japanese credit card data hacked.

2005-06-20T13:56:00.000+05:00

UFJ admits customer data leak has led to theft from accounts

Personal information on Japanese credit card holders stolen from a data handling company in the U.S. has been used to steal money from some customers' accounts, UFJ Card Co. admitted Monday.

Company officials said personal information on the holders of some UFJ-Master Card joint cards was stolen when a U.S. company handling the data was hacked into.

Master Card notified UFJ Card of the identification numbers of joint cards whose information may have leaked to outsiders. UFJ subsequently checked their payment records to discover that some of the accounts had been accessed illegally.

The company has decided to replace the cards of cutomers whose personal information was stolen and fully compensate victims who have lost money to the thieves.

In their admission, the officials stopped short of clarifying the number of victims and the amount of money stolen saying they are still investigating the incident.

Moreover, personal information on up to 2,500 customers of consumer credit firm Central Finance may have similarly leaked, company sources said.

A number of other companies in the industry have also received information that personal data on some of their customers may have been stolen, and are currently investigating the allegations. (Mainichi)

Credit cards induce indebtedness, Scientific proof

2005-06-18T15:40:00.000+05:00

Survey: Americans most cash-strapped

The Kansas City Star
Published June 18, 2005

Americans are the most cash-strapped among consumers in 38 international markets, according to an online consumer confidence survey taken in May by ACNielsen.

The survey, which gathered 21,000 responses from North America, Europe, Asia, Australia and New Zealand, found that 28 percent of U.S. residents claimed to "have no spare cash" after covering their monthly living expenses.

After Americans, those most likely to say they lived from paycheck to paycheck were residents of Portugal (24 percent), Brazil (23 percent) and Chile (21 percent).

At the other end of the spectrum, responses that some might consider counterintuitive found that only 5 percent of Russians said they had no spare cash at the end of the month.

Also surprising were the other markets with the lowest percentages of consumers who said they lived from paycheck to paycheck: Indonesia, Spain, Mexico, Ireland, India, China, Taiwan and the Philippines.

It's important to note that the poll was taken online and thus reached only consumers who had access to the Internet, which probably means that people on the lower end of the economic scale were not proportionately represented.

But Matthew Bell, a spokesman for ACNielsen, said: "The other factor to consider is that high incomes do not necessarily correlate with high levels of spare cash. Americans have higher incomes than people from most other countries, but they also carry very high levels of debt."

Among Americans who said they had money left over after meeting basic monthly living expenses, the most likely use of that money was to pay off credit cards, loans and other debts, the survey found.

MasterCard security breach 40 million credit cards

2005-06-18T15:30:00.000+05:00

Only 40 million credit cards exposed to data security breaches? When I complained that over a million credit cards were hacked in India, the Government of India's sole repsonese was to set up a working group packed with credit card industry vested interests to examine the matter - a bit like asking Dawood Ibrahim to rewrite the Indian Penal Code. Why are Information Technology and cyber crime laws are so obsolete here in India ?

By Spencer Swartz (Reuters)

SAN FRANCISCO (Reuters) - MasterCard International on Friday said a security breach of credit card payment data had exposed about 40 million cards to potential fraud in the biggest such privacy violation ever reported.

An unauthorized person infiltrated cardholder data at CardSystems Solutions Inc., which processes transactions for MasterCard. About 13.9 million of those credit cards at risk are MasterCard-branded cards, the company said.

The total number of cards exposed exceeds the population of California, the most populous U.S. state.

"It sounds like the Guinness Book of World Records here," said Richard Smith, a leading computer privacy activist who runs a Web site called ComputerBytesMan.com.

There are 1.1 billion credit cards in circulation in the United States, according to the Nilson report which tracks the credit card industry.

A string of companies this year have reported stolen or misappropriated customer data, including Bank of America Corp. BAC.N, ChoicePoint Inc., and Reed Elsevier's.

MasterCard said its security staff identified the breach at Tucson-based CardSystems Solutions Inc., a third-party processor of payment card data. Third party processors process transactions on behalf of financial institutions and merchants.

MasterCard said social security numbers and dates of birth were not "stored on MasterCard cards." The company was not available to elaborate on what types of information were exposed and whether any wrongdoing had occurred.

The Secret Service, which helps protect U.S. financial institutions in addition to protecting the U.S. president, declined to comment, spokesman Jonathan Cherry said. CardSystems and Visa USA, MasterCard's biggest rival, were also not available to comment.

CARDSYSTEMS, LEGISLATION

MasterCard said security vulnerabilities in CardSystems processor's systems allowed the breach.
CardSystems has already taken steps to improve the security of its system, MasterCard said, adding it was giving the company "a limited amount of time" to demonstrate compliance with MasterCard security requirements.

CardSystems, which has been in business for about 15 years, processes more than $15 billion annually in transactions made online and with credit card issuers Visa, MasterCard, American Express, and Discover, according to the company's Web site.

MasterCard, based in Purchase, New York, said it immediately notified its customer banks of specific card accounts that may have been subject to compromise so they can take measures to protect their cardholders. MasterCard's roughly 23,000 customer financial institutions around the world issued 679.5 million MasterCard-branded cards in 2004, according to its Web site.

Since ChoicePoint announced in February that it mistakenly sold 145,000 consumer profiles to a ring of identity thieves, dozens of other organizations have announced security breaches of their own, ranging from banks to universities.

So far this year nearly 10 million Americans have been exposed, according to the Privacy Rights Clearinghouse.

The flood of revelations, triggered by a California state law that requires such disclosures, have prompted cries for tough national standards on privacy.

Several Democratic U.S. senators have introduced bills that would require companies to take "reasonable steps" to protect consumer account information and tell them when that information has been compromised.

Those bills have not yet attracted any Republican co-sponsors. Observers expect a more business-friendly, Republican-backed bill to be introduced as soon as next week.

New York Democratic Sen. Charles Schumer, who has sponsored a consumer data protection law, called on Congress to move quickly to pass legislation to better protect consumer data following Friday's news.

"Hardly a week goes by without startling new examples of breaches of sensitive personal data reminding us how important it is to pass a comprehensive identity theft prevention bill in Congress quickly," he said in a statement.

(Additional reporting by Andy Sullivan and Peter Kaplan in Washington, Duncan Martell and Eric Auchard in San Francisco)

CIBIL the specific consent fraud exposed.

2005-06-11T15:44:00.000+05:00

Dear Ms. Dalal, this matter pertaining to CIBIL, Standard Chartered Bank, and RBI is already in court. Please read my Hacking Complaint

Caveat emptor,
by Sucheta dalal
06 Jun, 2005

Last week, we pointed out that personal information provided to a plethora of government-mandated databases puts people at risk, in the absence of a Privacy Policy, with clearly enunciated rights, responsibilities and safeguards. Nikhil Ojha sent us his blog posting on how banks are already manipulating people to unknowingly sign away their rights. For instance, Standard Chartered Bank, he says, has sought a negative consent from its customers (the letter says ‘‘Non-receipt of any communication from your end by June 10th 2005 will be deemed as acceptance of consent and authorization’’) to share information about their account with ‘other’ parties. It claims that the consent is in accordance of a Reserve Bank circular ‘‘reference no. DBOD No. DL.BC.29/ 20.16.002/ 2002-03 directing all banks operating in India to periodically submit credit information pertaining to their customers to the Credit Information Bureau (India) Ltd. or any other agency authorized by the RBI. Ojha writes, ‘‘In a classic sleight-of-hand, the letter goes on to construct a clause for consent and authorization that goes far beyond what the RBI requires’’ and extends the consent and authorization to suit its own needs and agenda. The clause asks customers to agree to the following: ‘‘Authorize the bank to disclose to Credit Information Bureau (India) Ltd (CIBIL) or any other agency authorized by RBI or such other parties as the Bank shall deem fit’’ (‘the Bank’ is Standard Chartered not the Reserve Bank); ‘‘The Customer(s) also consent and authorizes CIBIL or any such other agency authorized by RBI or such parties as the Bank shall deem fit, to use, process the said information disclosed by the bank in the manner deemed fit by them and to furnish for consideration, the processed information or products thereof prepared by them, to banks/ financial institutions and other credit grantors or registered users, as shall be specified by RBI in this behalf or otherwise’’ (Emphasis provided). Can such a sweeping authorisation be sought by a negative consent? What right does any Bank have to pass on customer data to anybody without specific consent? Shouldn’t customers be made aware of what they are signing away? Will the central bank wake up to such mischief only when the matter finally lands in court?

Indian lawyers become BPO slaves

2005-06-10T15:08:00.000+05:00

Its really alarming for the state of affairs of data security and iinformation technology protection if Indian Lawyers are reduced to slaving away for US BPOs.
Indian legal eagles wing their way to BPOs
LAXMI DEVI

INDIATIMES NEWS NETWORK[ THURSDAY, JUNE 09, 2005 12:55:01 AM]

I started my career three years back with just Rs 2,000 under a senior advocate in Delhi. I had a tough time to manage a decent life with that kind of money," laments Swati Arora who is currently handling the legal outsourcing division in one of the leading business process outsourcing (BPO) firms in Gurgaon.

Similarly a fresh graduate from Delhi University shares her career plans: "My dream is to become a top-notch lawyer like P Chidambaram or Harish Salve or Kapil Sibal. But it will take my entire life to reach those heights.

I shall not work like my seniors for less money and slog my butt till late night. So I plan to take the BPO route because I heard they pay well. I have no hassles working for such firms and still maintain my designation as lawyer."

The web of outsourcing has enmeshed the legal service too with a host of BPOs offering white-collar legal services to their foreign clients.

"There is a major revolution in the legal industry and the demand for paralegal is exploding. The legal outsourcing is expected to cross $2 bn by 2010. And it is projected that India can become the legal back office of the world," says Atul Jalan, CEO, Manthan Services, Bangalore .

Manthan started its legal services in 2003, and has grown in a short span to a team of 120 people with over 80 lawyers. It provides legal solutions in domains of conveyancing, legal research, intellectual property, litigation support, personal injury and bankruptcy.

Outsourcing legal work in India began in 1995, when the 34-lawyer, Dallas-based litigation firm of Bickel & Brewer opened an office in Hyderabad. Co-founder and co-managing partner Bill Brewer, explained that the idea was hatched when he was out to brunch with an Indian relative.

"We were looking for new ways to be more efficient in handling the millions of pieces of information that confront us in each case. Somewhere I asked, 'You can have a lawyer for how much an hour in India?' My relative said, 'Two dollars an hour.' We didn't make it to dinner before we were setting up the subsidiary in India."

Bickel & Brewer has since spun off its Hyderabad office into a separate company called Imaging & Abstract International, which handles work for Bickel & Brewer as well as other American clients. In 2001, General Electric added a legal division to a currently existing base of operations in India to handle legal compliance and research for two of its divisions, GE plastics and GE consumer finance.

Some of the dozen of outsourcing companies that have sprung up over the last decade in India are focusing on low-level paralegal work - keeping track of filing dates and document reviews.

"India's lumbering justice system may be a dread to its citizens but is on its way to becoming the darling of US and UK-based law firms," says Arora who got promoted recently, has a good pay package with other perks and benefits.

According to a recent study by researchers at the University of California at Berkeley, legal assistants and paralegals working in India on behalf of US law firms earn, on average, between $6 and $8 per hour. That's about one-third of what their counterparts in the US are paid.

"The work being outsourced is not only legal; nor is it only secretarial. It is a mix of core legal work like research, and secretarial works like preparing drafts and letters. The services vary from the type of clients who outsource the work. The legal executives of many multi-national corporations get hardcore legal work done in India," says Shailesh Vikram Singh, MD, Indialegal.net which is part of Escorts Finance Ltd, Delhi.

What legal services are outsourced?

Broadly, the work outsourced offshore can be classified into four categories based on complexity and skill base required.

. The first category involves content work including editing and transcription.

. The second category involves conversion from one format, say, from a word document to XML or legal XML.

. Legal research involves case histories, judgment, and finally client briefs going up to the penultimate stage of a petition submitted to the court.

. Legal transcription involves interviews with clients or witnesses by lawyers.

Some of the other overseas firms like Oracle, Sun and Cisco have been outsourcing their patent research and documentation work to Indian firms or to their captive centres in the country. Even foreign law firms say Allen & Overy and Hammonds Direct are working as third party service providers.

"Most of the outsourcing of legal work seems to be coming to India because English is spoken here. Moreover Indian law is based on British law which is prevalent in majority of commonwealth countries," says Vikram Singh. He goes on to add: "However we provide requisite training in US laws and legal writing."

The fact that the legal profession is not very remunerative in India except for in the top level and the abundance of law graduates is helping India to emerge as the hub of outsourcing business in legal services. "It is creating a lot of interest in the youngsters and experienced lawyers too. There are people who are non-lawyers entering this field, especially in the patent sector," says Sridhar Suryanarayan, CEO, Prolifus, which started operating only eight months back in Delhi.

"The opportunities are immense, but India needs to move cautiously," says Jyothi Mendiratta, a lawyer practicing in Delhi High Court. "Concerns over data security and service quality will be extremely important. There are fears that intellectual property and data may not always be tamper-proof within Indian territory."

For the vast majority of India's annual 298,000 law graduates, BPOs may become the ticket to jump on to the wagon of fat pay packets and a better life.

MNC BPOs dumping India for Africa ?

2005-06-09T09:45:00.000+05:00

Not the great rollback, but BPOs losing big business

Prerna K Mishra

New Delhi, June 8, 2005

With companies across the world spending more and more of their IT budgets towards engineering and automation processes, Indian BPOs are feeling the heat.

A few months ago, Daksh eServices lost some of the business from Sprint Corp after Big Blue (incidentally, Daksh’s parent company) automated the processes for the long distance major doing away with the need to outsource them to India.

Raman Roy, CEO, Wipro Spectramind, admits that there has been some reversal in the BPO space. “But that is happening because of two reasons: in the low-end of business (where automation is easier), or because of poor capacity and capabilities of Indian partners in implementing projects, which is a performance issue.”

The larger Indian players have already geared up to face the challenges of automation. Progeon CEO Akashay Bhargava says: “Any BPO worth its salt today offers re-engineering services as a value proposition in its sale offering. If clients are automating, prudent players would seize the opportunity to do it themselves than allow a third party to cannabalise the business. So automation, if anything, is a greater opportunity for us.”

Nasscom president Kiran Karnik also doesn’t look at automation as a threat. “It is well established now that the social experience of customers is less satisfactory when talking to a machine.”

India to face manpower shortage in ITES-BPO space by 2009 »
Wipro appoints new BPO chief »
India to hire workers with European language skills »
Indian call centres to swell with foreigners soon »
India to face shortage of workers with language skills »
Indian BPO staff quitting due to alleged racial abuse »
India set to become knowledge outsourcing hub: CII »
BPO job seekers to face all-India level entrance »
Mphasis opens its fourth BPO facility in India »
After BPO, India faces biotech challenge from China »
Indian call centres face African challenge »

More Big Brother

2005-06-09T09:44:00.000+05:00

Govt allocates Rs 3,000 cr for SWAN

BANGALORE: The Centre has cleared Rs 3,000 crore statewide area network (SWAN) project under the national e-Governance plan in government-to-business (G2B) and government to citizens (G2C) domains, Planning Commission Member Secretary, Mr Rajeeva Ratna Shah said today.

SWAN, an e-governance initiative that aims to deliver official services to citizens through the electronic route, is part of the 25 mission-mode projects approved by the Government, he said at NASSCOM's India ITES-BPO strategy summit here.

Under SWAN, the Government envisages to connect government to government establishments through the Internet of speeds not less than 2Mbps and then connect the state administration with users in block levels.

Andhra Pradesh and Tamil Nadu have already submitted their proposals to the Government to implement the project. Mr Shah said there was also a proposal to provide unique ID number to every citizen and all businesses in the country. - PTI

Indian BPOs, a Lesbian Paradise

2005-06-09T09:42:00.000+05:00

Hidden cameras show enormous on the job sex by BPO gals and guys at night
Preeti Singhani, indiandaily.com
Jun. 8, 2005

Indian BPO corporations have started monitoring their employee activities at night. The call center guys and gals at night are having sex with each other and these are getting into secretly placed video cameras watching them. The sex epidemic in India especially among call center gals and guys is rising at astronomical heights.

According to some think tanks, these guys and gals in early twenties get the sexual freedom at night working together. The sex activities take place during and after work hours in different places.

Many companies take disciplinary actions. Mostly they fire those employees who engage in sex at work. But the number of employees engaged in lesbian and straight sex has skyrocketed recently.

Credit Card Fraud and IT Act data protection laws

2005-06-08T12:21:00.000+05:00

Needed: a facelift for cyber laws

The absence of legislation governing credit card fraud and data protection, as well as a lack of clarity in applying cyber laws are problems faced by Indian companies, says Sushma Naik

Industry sources estimate that the Indian e-commerce (B2C) segment is worth about Rs 150 crore. To encourage the smooth functioning of this segment, the IT Act 2000 plays a vital role. Unfortunately, somebody forgot to implement it.

Concerns not addressed

Credit card fraud is still not covered under the IT Act, so one has to approach the
crime branch Vishwas Patel Chief Executive Officer, Avenues

We are not aware about the procedures for dealing with cyber crime, though one is familiar with work done by cyber labs. K Vaitheeswaran, Chief Operating Officer, Fabmall

Data protection guidelines, protection from spam, and credit card fraud are absent in the Indian cyber law. Most Indian companies have compliance standards to meet. With the recent credit card fraud perpetrated by Msource employees, a lot of certification-oriented processes have come under scrutiny. Issues of privacy need to be addressed through data protection laws. Says Vishwas Patel, CEO, Avenues, a payment gateway provider for credit cards, “Credit card fraud is still not covered under the IT Act, so one has to approach the crime branch.” This defeats the purpose as the crime branch isn’t IT-savvy.

The law (or the lack of it) has crippled enforcement agencies. The Internet and Online Association interacts with the IT ministry to provide feedback vis-à-vis changes that are urgently needed in the IT Act. Even Nasscom is advocating the case for a stronger, enforceable IT Act.

Banks also are affected considering their thrust on Internet banking. According to RBI guidelines, Indian banks and the RBI have to gear up and meet Basel II norms by end-2006. The actual implementation is scheduled for April 2007. One of the key aspects in this implementation will be to provide greater risk assessment by banks’ internal systems as inputs to capital calculations. It also details a set of minimum requirements that should ensure the integrity of these internal risk assessments.

In making the risk assessment based on the probability of losses arising from cyber crimes, it will be necessary to look for appropriate insurance coverage. However, the insurance premium has to depend on the level of cyber law compliance that organisations undertake, as evidenced by documented evidence of a cyber law compliance audit. In case cyber crime risks are not properly covered and the existing fraud risk insurance fails to cover for the lack of due diligence, risk turns into ‘uncovered exposure’ under the Basel II norms, and therefore require higher capital provision. It is therefore time for banks working on Basel II compliance to simultaneously undertake cyber law compliance audits of their systems.
Pointers for change

* More safeguards and stringent measures for protecting software copyrights and patents
* Penalties for cyber crimes to be made more stringent
* The liability and accountability of ISPs has to be clearly defined
* The Indian cyber law should be brought on par with cyber laws in countries that have comprehensive legislation in this regard
* India should be a signatory to international bodies such as the Information Society of Geneva so that fraudsters can be caught
* There should be a national ethical committee (which they have in Norway) that has the power to engage in summary hearings. This will do away with long, drawn-out court cases especially in the case of smaller crimes
* Data protection laws must come under the ambit of cyber laws
* At present, credit card frauds come under the criminal code as fraud; these should be included in the IT Act
* The IT Ministry should be in a position to make minor alterations to the Act without requiring parliamentary approval
* The provisions of the Criminal Procedure Code should not be blindly applied to the Internet without taking into account its different nature and characteristics

Awareness needed

Says K Vaitheeswaran, Chief Operating Officer of Fabmall, “We are not aware about the procedures for dealing with cyber crime, though one is vaguely familiar with work done by the cyber labs.” Vaitheeswaran’s concern shows an urgent need for the police to step up their resolve to tackle cyber crimes, which affects e-businesses. E-commerce companies also feel that the cyber crime cell should be actively involved in promoting the Internet as a safe medium for trade.

One might argue that the Internet as a medium of trade in India has not yet evolved to the extent that it has in the US or Britain. However, with a few changes, the cyber law might just turn out to be the force behind Indian e-commerce.

sushma@expresscomputeronline.com

Standard Chartered Credit Card Fraud

2005-06-08T12:12:00.000+05:00

StanChart Credit card dues harassment suit

New Delhi (PTI): Delhi High Court has issued notices to Standard Chartered Bank and Delhi police on a JNU teacher’s petition accusing the bank of harassing him for payment of credit card dues of his deceased brother.

Justice H.R. Malhotra directed StanChart and the police to respond to the petition filed by Yogesh Sharma, an associate professor at the Centre for Historical Research, JNU, within eight weeks.

The court also asked them to file a status report before July 25, the next date of hearing.

Sharma alleged that the bank deliberately blocked payment by his brother Rakesh, who had lost his mental balance. He went missing and was found dead in Mumbai on October 18, 2004.

The teacher also accused the police of not taking any swift action when Rakesh went missing.

In his petition filed through counsel N.K. Jha, Sharma pointed out that according to the bank’s statement, in September 2004 — when the cardholder was alive — the outstanding was only Rs 7,966. But immediately after Rakesh’s death, the bank inflated the bill to Rs 95,390, he alleged. Sharma claimed that StanChart illegally transferred the bank balance towards credit card outstanding after Rakesh’s death.

Accusing the bank of using criminals to intimidate him, he said even his elderly parents were not spared.

RBI acknowledges data security fraud

2005-06-08T12:03:00.000+05:00

I warned the RBI in February 2004 that Bank's outsourcing of credit card information in India was unsafe and a data security hazard. The corrupt DBOD Department of Banking Operations and Development) department of RBI at Mumbai ignored my complaint. Then we had this Mphasis CitiBank information theft. Somebody should sue CitiBank and RBI in the USA for punitive damages. On my part I have merely sued RBI and Standard Charterd Bank (for a similar offence) and I am asking for all these corrupt officials to be jailed for Information technology frauds and Cyber Crimes especially hacking. This conclusively shows why India has different rules and laws for foreigners and Indians. MNCs OUT !!

RBI plans norms to curb banks’ outsourcing risks

TIMES NEWS NETWORK[ WEDNESDAY, JUNE 08, 2005 12:04:27 AM]

MUMBAI: The frauds by some call centre ex-employees seems to have drawn RBI’s attention. The Central bank is putting in place rules to minimise risks faced by banks and customers from outsourcing activities.

In April, ex-employees of MphasiS BFL group call centre defrauded four account-holders of Citibank — a subsidiary of Citigroup — of $3,00,000. The accused did so by collecting and misusing account information from customers they had dealt with at the call centre.

The RBI will come out with new guidelines on outsourcing to improve the regulatory supervision and risk management of outsourcing, RBI deputy governor KJ Udeshi said on Tuesday. These will cover aspects related to operational and prudential risks arising out of outsourcing of banking activities by banks.

“RBI has constituted an internal group on outsourcing and based on its recommendations, regulatory guidelines will soon be issued,” Ms Udeshi said at the ‘BFSI Conclave,’ co-sponsored by economictimes.com, along with Indian Banks’ Association and Cisco Systems.

The guidelines apply to banks operating in India. The move is not towards curbing BPO, but to put in place checks and balances to lower incidence of fraud. “A number of IT-related services were outsourced (by banks).

This is posing a challenge to operational risk management and data integrity. Caution needs to be exercised as the new Basel norms require banks to handle voluminous data,” said Ms Udeshi. “Outsourcing has its own challenges, specially in drafting of legal contracts,” she added.

The new guidelines will address regulatory concerns on operational risks and data integrity. RBI is also concerned that outsourcing could lead to transfer of banking risks, management and regulatory compliance to third parties, over whom RBI may not have any regulatory control.

Ms Udeshi spoke about extending the reach of banking to rural areas. She mooted the idea of banks setting up information kiosks in villages. “There are six lakh villages in the country and one bank branch per 18 villages.

Banks can set up an information kiosk for every two or three villages. At the click of the mouse, the farmer will know his account balance and interest due to him and have a host of value-added services at his disposal,” she said.

“The kiosk can double up as a vending machine, but the only constraint will be adequate power supply. Customers can use these kiosks. What better way can there be to free farmers from the shackles of moneylenders and middlemen,” she said.

Emphasising on the potential in rural credit, Ms Udeshi said while industry with a 22% share in the country’s GDP accounted for 45% of gross bank loans, agriculture with 20% of the GDP, received about 11% of advances. She said banks need to deal with data transmission in a safe and secure way on a priority basis.

sitemap

2005-06-08T11:52:00.000+05:00

sitemap of this blog
last updated:21-May-2005

Cyber Crime India

Crime and Cyber Crimes India

2005-06-07T09:14:00.000+05:00

This story of the Time of India is another example of how half baked legal idiots mislead the public. India's present IT - Information technology laws fully protect the data security, privacy, confidentiality etc. and information security of Indian computer users. Howver, the Baazee.com matter has so unnerved corporate India and their lapdog NASSCOM, that they are pushing to dilute the present IT ACT 2000 where everything is defined to be a computer - from MP3 players, mobile phones, bar code stickers, audio casettes, credit cards, your TV remote etc. - with severe penal consequences for CEOs of corporates and banks. Read SarbaJit Roy's Hacking Complaint for the full inside scoop.

Is theft a crime?

[ SUNDAY, JUNE 05, 2005 02:03:29 AM] Times News Network.

Is theft a crime?

The above question appears to beg the obvious. However a marked difference in approach happens to the same offence of theft between the real and the virtual world. The admitted position as on date is that there is no criminal provision or statute to protect “information” or “data” in the virtual world in India. This applies not merely to the above offense but to various serious misdemeanors in the virtual world, which gives increased opportunity and reach for commission of offences but the law is not sufficient to extend a cloak of protection.

Crime & Cyber Crime

The recent Mphasis case highlights the urgency for laws in the field of Information and Data security. In the absence of exhaustive criminal provisions existing laws ought to be applied to crimes loosely termed as “Cyber Crimes”. Having said that, the problems posed in applying existing laws to emerging trends in Cyber Crimes is patently apparent when we actually attempt to apply them.

Provisions under the IT Act

Before looking at the time tested criminal enactment here's a look at the provisions of the Information Technology Act, 2000 ("IT Act"), the only "cyber law" as on date in India. The IT Act does not list Information or data "theft" as a crime. However Section 43 of the IT Act provides for a civil penalty by way of compensation of up to Rs 1crore, for downloading, copying, extracting any data, computer data base or information from such computer, computer system or computer network including information or data stored in any removable storage medium (floppy, CD, etc.,), without permission of the Owner. This penalty is to be imposed by the Adjudicating Officer who is to be appointed as per the provisions of the IT Act. Listing of the above misdemeanor under Civil Penalties appears to indicate that the framers of this Act did not intend to include Information / Data appropriation as a criminal offense, under the IT Act.

Applicability of IPC

In the absence of the application of the IT Act to such wrongs, existing penal provisions are to be applied, and Section 81 of the IT Act would not preclude such application. The Supreme Court has emphasized the need for applying the principles of purposive interpretation for harmonious construction of Statutes in A. T. Corporation Ltd. vs. Shapoorji Data Processing Ltd. (AIR 2004 SC (“Supreme Court”) 355). Applying such purposive interpretation the provision for theft may be applied to verify if “Information Theft” is an offense under the Indian penal Code (“IPC”).

Section 378 IPC defines theft as taking dishonestly any movable property out of the possession (emphasis added) of any person without that person’s consent. The offence of “theft” under IPC relates to the “possession” of movable property and not “Ownership” thereof.

Section 22 IPC defines ‘movable property’ as words “intended to include corporeal property of every description, except land and things attached to the earth or permanently fastened to anything which is attached to the earth”.

Hence only corporeal property can be the subject matter of theft, which prima facie rules out incorporeal property such as information, data etc., as a subject matter for commission of an offense of “Theft”. “Electronic Record” is defined in Section 29 A IPC (included by the amendment of 2000 after the enactment of the IT Act), as data, record or data generated image or sound stored, received or sent in an electronic form, micro film or computer generated micro fiche.

Even if such “electronic record” is presumed to be corporeal property, transfer of information / data through such electronic record would still not amount to an offense of “theft” as defined in IPC as the most essential ingredient of the offense under IPC is that movable property which is the subject matter of theft should be moved out of the possession (emphasis added) of any person without his consent (State of Maharashtra Vs. Vishwanath AIR 1979 SC 1825,). The Supreme Court has further held in K. N. Mehra Vs. State of Rajasthan AIR 1957 SC 369 that even if it is only temporary there should be actual deprivation of the property i.e., the owner or person in possession of such property was deprived of its use at least for a temporary period of time

Information / Data pilfering however does not deprive the owner of the use of such information or data even whilst such stolen data is being utilised without authorization. Hence the essential ingredient of Section 378 IPC, of deprivation of possession, is absent in such “cyber wrongs” as a person only takes "into their possession" and do not take “out of the possession” of the owner. It could therefore be safely concluded that mere taking / pilfering / stealing of information per se does not amount to an offence under any Indian Law and there is an immediate necessity for filling this lacunae.

Hence mere taking of information and / or data may not be an offense under Indian Laws. However the usage that such information is put to could amount to the commission of an offense under IPC. For instance, in the recent Mphasis BPO case whilst being in possession of personal information like passwords, bank account numbers, access codes etc., may not have been an offence as such information was obtained through legal means, utilization of such information to commit a bank fraud, siphoning of money from bank accounts, creation of false bank accounts, creation of false mail IDs to divert Bank statements etc., are all offences punishable under the IPC namely under broad heads of forgery, falsification of accounts, etc.,

Immediate solutions

Information theft is merely one example where existing laws are insufficient to curb the “Cyber Crime” menace. There are several instances of Cyber Crime, which do not fall under any penal provision. Such actions admittedly cause severe damage & loss to society and individuals and yet the culprits cannot be booked for any crime.

Further clarity in what amounts to a crime is imperative as knowledge that an action is a crime may deter the offender in several instances particularly as the “Cyber offender” is an educated person. Also interpretations of criminal statutes always favour the Accused hence clear criminal provisions are required to ensure proper prosecution of offenders. The Legislature should therefore hasten in comprehensive amendments / enactments not merely for Data & Information Protection & Privacy but also for various kinds of Cyber Crimes which impact the economy and individual rights.

Government shirks Cyber Crime Enforcement

2005-06-04T10:32:00.000+05:00

Delhi Police celebrates its Raising Day New Delhi

Union Home Minister Shivraj Patil on Wednesday honoured policemen here to mark the force's raising day celebrations. The nearly 60,000 people strong force, touted as the largest metropolitan contingent in the world, came into being in 1912. The force has in the past year been lauded for its crackdown on a range of economic offences, busting terrorist hideouts besides making new forays into cyber crime. Patil stressed the need for stringent check on cyber crime, which now includes computer hacking and rendering help to terrorist organisations. "Cyber crime is one of the crimes but there are more grievous crimes. We have to think about them and do something about them," he said.

India has in 2000 joined an elite club of 12 nations with digital laws after its passed the Information Technology Act, which enable police to combat cyber crimes and civil authorities to legally validate deals done on the Internet. Delhi Police Commissioner Krishna Kant Paul hailed his men for their impeccable record in ensuring law and order with minimal hazards in the capital, particularly its success in cracking terrorist hideouts. "Delhi police has made big achievements in the past years. They have nabbed hardcore criminals and more than that have been extremely successful in curbing terrorists. There was no breach of security last year implying there is improvement in the security situation in Delhi and all of this is because of the efforts of the officers and soldiers of the Delhi police," he said.

Credit Card fraud is so easy

2005-06-04T10:27:00.000+05:00

Fraud expert becomes victim of credit card crime
By John Leyden, Published Friday 27th May 2005 10:06 GMT

CNP (Cardholder Not Present) fraud in the UK has grown nearly 50 times between 1994 and 2003 to £116.4 million.

The founder of an anti-fraud website has himself become the victim of credit card fraud. Andrew Goodwill, managing director of Early Warning UK, a scheme set up to help retailers avoid credit card fraud, is down $600 (£329) after crooks used his credit card to pay for services online.

Egg, which has issued Goodwill with a new card, is investigating the suspected fraud. “People must look at their statements regularly whether they’re on paper or online, because the sooner you spot fraud the better, and the less likely that the consumer will have to pay,” Goodwill said.

Far from being embarrassed by becoming a victim of a credit card fraud, Goodwill reckons his case illustrates the ease of card misuse. “This can happen to anyone. I was shocked when I found that someone had spent $600 on one of my cards to pay for online poker in the States. This shows that no-one is immune whether they’re the head of a major bank or a fraud prevention company,” he said.

The card number that was copied was for an online account with Egg which Goodwill took out for the free balance transfer facility. “The statements are online and because I needed a password I just didn’t look. It wasn’t until I queried another matter on my normal current account that I saw that the monthly minimum payment to Egg had doubled.”

“It is so easy for criminals to generate credit card numbers by downloading special software that provides them with the means to produce 50,000 numbers in just 30 seconds. No-one can find the fraudsters, and they get the goods without having to pay for them.”

Tourist Victim of Credit Card Fraud, India

2005-06-02T12:42:00.000+05:00

Another Brit Expat defrauded in India.

Well sooner or later I had to get caught out by it :( I am currently in dispute with my credit card company (well not so much them as Textiles Fair Jaipur). When we were India last November we bought a carpet from a shop in Jaipur called Jalmahal Carpets. Now I am not a suspicious person but the longer I stayed in the shop the more uneasy I became. I know now I should go with my gut instincts. When we arrived the proprietor seemed a really nice bloke, showed us around the shop, demonstrated how carpets were made etc. etc. We are used to all this pre-sales blah as we live in Sri Lanka and have seen it many times before. However, when we went upstairs to actually view some carpets he announced it was his birthday and would we like some food and beer? My wife readily accepted but something made me refuse the beer, probably because I knew we were about to end up in a bartering situation, which after 12 months in Sri Lanka, I am still not imparticularly good at. All during the sale he tried to make me have a beer and I did relent but only once I had seen the carpet I wanted and decided how much I was willing to pay. In the end I got about 20-25% off the price of the carpet but experienced barterers say they could have got 40-50% knocked off. But hey, I was happy with the carpet and the price I paid so I've no issues.

I hadn't got enough money to pay cash so I produced the credit card, signed the receipt along with a couple of other documents, which I was told were local government documents (and they looked the part). Now when the proprietor was filling out the receipt he asked what the date was so I immediately assumed the front about his birthday was to put us in a good mood in the hope we would not barter him down and we left. (Had he really forgotten what day his birthday was on). I smiled and assumed that was all part of the bartering experience and we left, carpet in hand and went on to a restaurant.

When we got back from India I checked my credit card statement and I immediately noticed an entry I could not account for. It wasn't for much, 2700 rupees, for a company called Textiles Fair Jaipur but I simply could not match the entry up with any receipts and neither my wife nor myself could recall what it was for. So I rang the credit card company and requested the receipt and the transaction has been marked as in dispute. They sent my mother-in-law a copy of the receipt for us to check the signature, which my father did (We currently live in Sri Lanka and all my post goes to either my father or my mother-in-law in the UK). It matched. However, it was not the orginal receipt but a photocopy. I can guarantee I did not sign for it but I assume that the bogus receipt was placed under one the the documents I signed. Interestingly the transaction of the bogus receipt was 1 minute after the legitimate receipt. i.e. Jalmahal Carpets was 20:02 and Textiles Fair Jaipur was 20:03.

Alarmingly I also came across this thread, http://www.indiamike.com/india/archive/index.php/t-7162.html. Another person had been to the same shop and had one legitimate and one bogus transaction placed against their card using exactly the same two companies. So this appears to be a not uncommon occurrance with this shop.

Needless to say I have no intention of paying the bill. The amount is imaterial. I just don't like to be conned. It will be interesting to see the reaction of my credit card company. I assume I am not liable until the original, pen written receipt is produced but I know nothing about law. You'd assume that once a few people had complained about this the credit card companies would have some sort of agreement where they take the criminal to court and got him locked up ...

Anyway I thought I'd write this blog entry in case anyone else got caught out using this shop and does a search like I did on google. At least they will have two people to back up their claims of being conned.

Original Source

Shandy,

I read these kinds of testimonies all to often where I work. I do chargebacks for JP Morgan Chase credit cards. I would say that you were a victim of merchant fraud.

Some merchants will swipe your card once for the sale, but while they are doing so will swipe your card one more time. It could be a second Point of Sale Device right next to the one for the legitmate purchase.

The good news for your the consumer is that they are protected, however this protection can easily abused. With MasterCard an unauthorized dispute does not begin with a sales draft order unlike with VISA. A customer signs a form or sends in their own signed letter stating that the a specific sale is unauthorized. For MasterCard, the issuer commences an immediate chargeback for reason code 37. For VISA the issuer will order a sales draft if the point sale value is card present or keyed. However if the mail order telephone order (MOTO) indicator is present then an immediate chargeback is typically commence for reason code 75.

In any case the merchant must respond in representment if the merchant wants to keep the money for the sale. In other words the merchant responds to rebuttal the issuer's claim on the their customer's behalf. For MasterCard if the merchant can show that the card was present and there is a signature, a mark or any type of scribble in the signature line, then merchant wins the dispute hands down. That is true even if the signature is not yours. It could say Mickey Mouse or just have squiggly line and the merchant wins. At that point the issuer has no recourse to recover the funds, so what issuers often to do avoid a write off and rebill a customer's account and send the customer a letter with the sales draft enclosed saying, "Hey, this charge is good and we think you ought to pay it."

As a customer at this point you are still protected. Even though the merchant has won the dispute the customer is protected under Reg Z. All the customer has to do is write back the issuer and state that you have reviewed the sales draft, the signature and maintain as you originally did that the sale is unauthorized. Its not your signature.

At that point depending upon how much money we are talking about the bank may just write it off or look for ways to keep from writing it off. For some of you if your dispute just seems to keep dragging and dragging for month after month this is what is taking place. Banks do not like to write off money, however Reg Z says that an issue must write it off, regardless.

What is important to relize that Reg Z will not protect you if you have not requested that your account be closed and a new number issued. This espically true for MasterCard. If there is no account transfer a bank will use that to avoid a write off. The logic is that if it were truly unauthorized and your account number is compromised than why have you not taken the steps to prevent further unauthorized usage?

For VISA once the merchant provides sales draft then the issuer mails it to you with a fraud affadavit. If you sign it you basically stating that this not my charge. Once the issuer recieves the affadavit they will automatically close your account and reissue a new number, commence a chargeback for reason 84 (no signature), reason code 81 (no imprint), or reason code 61 (unauthorized moto). There are many other fraud reason codes however for VISA these are the top three. Like MasterCard, if the card was present and there is a signature, a mark or something present in the signature line then issuer has no chargeback rights and must do a Reg Z write off. Unlike MasterCard, the chargeback is done first, whereas VISA all the relavant data is ascertained first before a chargeback is commenced. For VISA the dispute has to be qualified so to speak.

Thougt you might find these facts interesting.

Information security leaks and chargebacks

2005-06-02T12:34:00.000+05:00

Now British Credit Card issuers in England are releasing all their confidential data on UK customers to small insecure and unknown BPOs in India. God Save the Queen! What wont a nation of shopkeepers do to save a buck and damn the customers. HoHoHo

It's to our credit
Raja Simhan T.E.

A BPO employee in Chennai tracks credit card frauds in the UK... that's a scene straight out of Xansa Inc's offshore centres in India. High-end BPO services are now coming home to roost.

SITTING inside the Siruseri information technology park in Chennai, Meena is tracking the details of a credit card statement. The cardholder claims he has not made one of the purchases charged to him. This may sound like a routine check. But what is interesting is that the cardholder, whose purchase Meena is tracking, is in the UK and not India.

This high-end service called credit card chargeback is currently offered to a UK-based bank by the Indian offshore centres of Xansa Inc.

India is turning into an important destination for such high-end business process outsourcing (BPO). Chargeback happens whenever a cardholder disputes a credit card purchase. There are a variety of reasons why a cardholder may dispute a charge. These include not receiving the item ordered; not getting what they thought they were buying; the credit card was stolen and the charge was not authorised; and someone simply taking unfair advantage of the chargeback clause.

Xansa checks the veracity of each chargeback claim and helps the bank avoid paying unnecessary refunds. A leading bank that uses Xansa's services has recorded a 30 per cent increase in productivity due to enhanced recovery and a 50 per cent increase in recovery rate, says Amitabh Shrivastava, Director Operations (Chennai), Xansa. The company employs over 1,500 in Chennai, Pune and Noida.

A report by a leading international bank says that in the Asia-Pacific region, chargeback cost credit card members $25 million a year — $10 million for processing and $15 million in write-offs.

Cardholders have the right to dispute any transaction listed on monthly statements. The tracking begins with the customer services department contacting the cardholder. If the cardholder's claim is found genuine, a case is created in the system. The cardholder is sent a dispute form, which he/she completes and returns to the credit card company. Alternately, the cardholder sends a letter to the bank, disputing a transaction on his/her statement. The disclaimer letter is scanned and a case created in the system.

A Xansa employee calls the shop where the purchase was made in the UK, to verify the claims. The end-result of the process could be any of the following:

the disputed amount is returned to the customer, and the credit card company claims the amount from the merchant (or the merchant acquirer);

the claim is denied, and the customer is given the reason;

the amount is "written off" (when there are no existing chargeback rights, or it is a low-value transaction, or the transaction has timed out, or the case is identified as "fraudulent");

the disputed amount is returned to the cardholder and the case is transferred to the fraud department;

no action is taken, for instance, if the merchant issues a credit for the disputed transaction.
The entire process is handled from India, says Shrivastava. For banks, recovery from a single customer may be minuscule. But with the volume of chargeback increasing, the bank loses a substantial amount, he said. The origin of the disputes could range from "card not recognised" to counterfeit cards and Internet/ mail/ telephone orders, he says. Shrivastava declined to give the number of claims that Xansa processes from India, nor the number of employees working on chargeback.

According to Gartner, a research firm, approximately 1.1 per cent of online transactions are estimated to result in fraudulent-buyer chargeback.

That is like paying an extra 1.1 per cent fee on every transaction.

Chargeback risks vary depending on the type of goods sold, but nearly everyone who accepts credit card payments will face some chargeback risk, the report said.

An international bank's report states that in the Asia-Pacific region, online payments worth nearly $3 billion are made in a year. There has been about $25 million worth Internet-related chargeback in this region in 2000, and this is expected to grow to $300 million next year. The incidence of chargeback on the Web are ten times higher than in the physical world, the bank report says.

More Credit Card Chargebacks FAQ

2005-06-02T12:29:00.000+05:00

Credit Card Chargeback Primer
By: John Conde, Published: 2005-04-29, Parent Category: Ecommerce

Nobody goes into business to lose money. You work hard for every penny, and every penny counts. To have that taken away from you months after a sale was completed is not only bad for business but extremely frustrating. Too many chargebacks usually spells doom for an online merchant.

The best tools for avoiding a chargeback are not available for online merchants. Retail-style businesses can perform certain actions that render them virtually bulletproof to chargebacks (they're still vulnerable, so don't be envious just yet). They can either swipe the customer's credit card through a processing terminal or get a manual imprint of the card. Plus they can get a signature on that receipt at the time of sale. All of these verify that the customer, merchant, merchandise, and credit card were present and satisfactory at the time of sale. Pretty hard to dispute that.

So what is an online merchant to do? Since giving up is not an option, education and prevention are an online merchant's best weapons. Having some basic policies and procedures in place can significantly reduce the number of chargebacks your business will receive. Below we will both educate ourselves as well as identify some strategies that will lower your potential for chargebacks.

What exactly is a chargeback?

A chargeback is when a customer initiates a refund for a purchase they made on a credit card by contacting their card-issuing bank. The reasons for this can vary greatly but generally is a result of a customer being dissatisfied with their purchase. The customer may or may not have contacted the merchant about remedying this situation ahead of time. They may even be completely wrong. However, responsibility falls on to the seller to ensure that the transaction goes smoothly and the customer is satisfied. A failure somewhere along the fulfillment process, including at the customer service level, can lead to a chargeback.

The Chargeback Process

The chargeback process is a largely unknown to merchants and can often be a cause of frustration. To assist merchants in understanding the chargeback process, I've provided the chargeback process used by Visa and MasterCard. American Express and Discover Card use a similar process. However, because they do not issue their credit cards through member banks there are fewer steps involved and the process is usually faster. The process is as follows:

1. The customer disputes a transaction by contacting their card-issuing bank

2. The card-issuing bank researches to determine whether the reasoning for the chargeback is valid. If not, the chargeback is declined and the customer is held responsible for the charge.

3. A provisional credit is provided to the customer. The card-issuing bank initiates a chargeback process and obtains credit from the merchant's processing bank.

4. The merchant's processing bank researches the validity of that chargeback. If they determine the chargeback is invalid they will decline the chargeback and return it to the card-issuing bank.

5. The chargeback amount is removed from the merchant's account and the merchant's processing bank provides written notification to the merchant.

6. Did a processing error occur? If so the sale is re-presented to the card-issuing bank for corrections.

7. The merchant provides documentation to remedy the chargeback. If the provided documentation is found to be satisfactory the chargeback is declined and the customer is once again charged for the sale. If the documentation is found to be unsatisfactory the chargeback is successful and the process ends.

As you can see, there are multiple steps involving multiple parties- each requiring their own amount of time to manage their responsibilities. A typical chargeback can take anywhere from six weeks to six months before it is resolved. If each party takes the maximum amount of time to complete their responsibility, it is not hard to see how a chargeback can seem to drag on forever.

Reasons for Chargebacks and Their Remedies
There are five different reason categories that chargebacks can fall into:

1. Point-of-Sale Processing Errors
2. Customer Dispute
3. Post-Transaction
4. Potential Fraud
5. Authorization-Related

We're going to cover three reason categories that most commonly apply to online merchants: Point-of-Sale Errors, Customer Dispute, and Potential Fraud. Within each category will be one or more common reasons for chargebacks. In parenthesis will be the chargeback code assigned to them by Visa and MasterCard. This is commonly used when notifying a merchant of a chargeback and has been included for your reference.

Point-of-sale processing errors

Incorrect Account Number (36) - The card-issuing bank identified the account number on the original transaction receipt as being different from the account number in the record deposited for payment (e.g. the merchant made a data entry error (keyed in the wrong account number for that particular transaction)). Remedy: Issue a credit back to the customer's credit card. Re-ring the original sale with the correct credit card number if possible. Further contact with the customer may be necessary to attain corrected credit card information.

Duplicate Processing (82) - The card-issuing bank received the same transaction more than once for posting to the customer's account. (e.g. The customer was charged twice for the same transaction). Remedy: Issue a credit back to the customer's credit card.

Customer disputes

Customer Claims Services Not Performed (30) - The card-issuing bank received a written complaint from a customer stating that a promised service was billed but never performed. Remedy: If the service was performed, send a copy of an invoice or contract signed by the customer and other evidence that the service was performed to the processing bank. If the service hasn't been performed because it was set to happen a specified date which has not passed, send a copy of the contract specifying that information to the processing bank.

Canceled Recurring Transaction (41) - The card-issuing bank received a claim by a customer that the merchant had been notified to cancel the recurring transaction and has since billed the customer, or the transaction amount exceeded the pre-authorized dollar amount range, or the merchant was to notify the customer prior to processing each recurring transaction and had not done so. Remedy: Issue a credit back to the customer's credit card.

Merchandise/Service Not as Described (53) - The card-issuing bank received a written claim that the goods or services were not the same as shown and described on the documentation presented to the customer at the time of the transaction (on the website) and the customer attempted to return the merchandise or to cancel the services. Or if services had already been rendered, customer attempted to resolve the dispute with the merchant. Remedy: If the customer has not returned the merchandise, notify your processing bank. The customer must attempt to return the merchandise before attempting a chargeback. If they have already returned the merchandise, or this is a service, issue a credit back to the customer's credit card.

Defective Merchandise (56) - The card-issuing bank received a written claim from a customer that merchandise received was damaged, defective, or unsuitable for the purpose sold, and the customer attempted to return the defective merchandise. Remedy: If the customer has not returned the merchandise, notify your processing bank. The customer must attempt to return the merchandise before attempting a chargeback. If the merchandise was returned, but is not defective, notify your processing bank. If they have already returned the merchandise, and it is defective, issue a credit back to the customer's credit card.

Customer Claims Merchandise Not Received (90) - The card-issuing bank received a written claim from a customer that merchandise ordered was not received or that the customer canceled the order as the result of not receiving the merchandise by the expected delivery date. Remedy: If the merchandise was delivered, send all evidence of the delivery to your processing bank. If the chargeback is attempted less then 30 days from the date of sale, send a copy of the transaction to the processing bank showing the 30 days has not yet passed since the sale was performed. Also be sure to state the expected delivery date. You are allowed a fair amount of time to deliver your product.

Potential Fraud
Fraudulent Card-Not-Present Transactions (61) - The card-issuing bank received a written complaint from a customer stating that he/she neither authorized nor participated in a transaction appearing on his/her billing statement. Remedy: If you obtained authorization approval, received an exact match to the AVS request (e.g., a match on the customer's street number and ZIP code), the merchandise was delivered to the AVS address, and you have proof of delivery, provide this information to your processing bank.

The Additional Burdens of Chargebacks
Besides losing the money earned from a sale, online businesses have additional costs, some monetary, some not, that additionally hurt their business. One cost rarely recovered is the cost of shipping merchandise in a disputed sale. If you shipped that package via overnight service to the customer chances are you lost an additional $35 - $100 on top of your lost sales revenue.

Even worse, if a merchant gets too many chargebacks, usually more than one or two percent of total sales, their merchant account will be terminated by their processor and the merchant will be added to the Terminated Merchant File (also called The Match File). This file is a blacklist that effectively prevents the merchant from ever accepting credit cards again. Needless to say it is important to keep chargebacks to an absolute minimum as online merchants have few options for accepting payment and none are as powerful as owning a true merchant account.

Even if your online business manages to keep its chargebacks below the 1-2% threshold, any chargeback you receive will require spending time researching the sale and gathering the necessary documentation requested by your processing bank. Every online business would rather spend that time promoting their business instead of defending its already completed sales.

Chargeback Prevention

The best way to deal with any chargeback is to prevent it from happening in the first place. The following suggestions are very generic and can be used by most businesses to decrease their potential chargeback potential.

Use a clear DBA (Doing Business As) name that customers will recognize. Vague corporate names that do not accurately describe what your company might do or sell will only confuse customers when they review their billing statements. An unrecognized DBA name on billing statements is one of the most common causes of chargebacks.
Put your phone number on your customer's statements. If they do not recognize your DBA they can call you to find out who you are and why you charged them.
Always respond to a chargeback as quickly as possible. There is a limited amount of time allotted to resolving a chargeback. If you miss the window of opportunity to respond, you forfeit your ability to fight the chargeback. If your processing bank has any more questions or requests, a quick response from you will ensure that they have enough time to get the relevant information from you.
Never accept an expired credit card.
Obtain authorization for the full amount of the sale. Declined transactions should not be accepted or split into smaller amounts.
Some disputes are not the result of unauthorized credit card use. Rather, they start because the customer disputes the quality of the goods or services purchased. The best way to avoid this type of chargeback is to work closely with the customer to establish a mutually satisfactory solution.
Balance each batch to the host or to your tickets; this will help prevent duplicate charges.
Call or fax any large or suspicious orders to ensure the order is legit. If you are unable to reach the customer, you might have been intentionally been given incorrect contact information.
Verify the customer's address. It is possible to verify the customer's name, address and phone number with the card-issuing bank. By calling the Voice Authorization Center for address verification, you can verify the address and also provide proof that you verified the address.
Always get signed proof of delivery. Be able to provide a shipping tracer log that shows that the customer received the shipped goods.
Charge the customer's account at the time the goods are shipped. If you know there will be a delay in delivery, wait to process your customer's credit card.
Be suspicious of high-ticket sales requested to be sent next-day air or if a runner will be in to pick up the purchase at a later time.
Use the fraud services offered by the processing bank including AVS (Address Verification) and CVV2.
Have your return/refund policy clearly stated on your website. Make it a requirement to read before processing the order.
Provide accurate descriptions and images of your products on your website.
Be very cautious of any foreign orders. Generally, orders from Asia, The Middle East, and most parts of Africa should be considered high risk.
Be wary of orders with domestic billing addresses but with foreign shipping addresses. They are usually fraudulent.
Be wary of orders where the customer is willing to pay more for faster delivery.

Summary
It's no secret that online merchants are at a disadvantage when it comes to chargebacks. With no credit card to swipe or receipt to sign, verification of a sale is voodoo at best.

There are new tools available, and more on the way, that aim to reduce online fraud and therefore reduce opportunities for chargebacks. Two similar technologies, Verified by Visa and SecureCode, by Visa and MasterCard respectively, will help to verify a customer's identity at the time of purchase. Unfortunately, at the time of this article was written, these technologies were not fully supported and have a limited impact on fraud.

So what is an online merchant to do? Exactly what you've always been doing: making your customers happy by offering them a great product or service, having a customer-centric customer satisfaction policy, and providing your customers with an overall positive experience. Just be sure to approach each sale with due diligence and you'll be keeping your hard earned money, not giving it back.

This article was written by John Conde. John has been in the credit card processing industry for three years and has established thousands of merchant accounts. He is currently forming JNA Merchant Services a sub division of JNA Web Services.

Credit Card Chargebacks FAQ

2005-06-02T12:24:00.000+05:00

This article from the Office of the Attorney General of California clearly guides Americans how to fight for their chargebacks from Credit Card issuers and Banks. But what does our f***ing RBI Officers do in India? (A)Sit on their asses, (B)get influenced by VISA and MasterCard to put them on RBI Working Groups (C) harass any poor consumer who complains to RBI. You guessed it A+B+C

Your Credit Card Chargeback Rights

We have prepared this information to advise you generally of your credit card chargeback rights under federal and California state law.

If you wish to examine them yourself, the federal laws are found in 15 United States Code §§ 1666, 1666i, and 1640(e) and in 12 Code of Federal Regulations §§ 226.12(c) and 226.13. The California laws begin at California Civil Code § 1747

Under these laws, you may have a right to the issuance of a credit by the bank or other financial institution that issued your Mastercard or Visa card or, if you used an American Express card, by American Express itself. On the back of your monthly statement is the address to which all inquiries and written requests for chargebacks should be directed.

When you apply for a Visa card or Mastercard, it is usually issued by a bank. Your dealings are with the bank, called the "issuing bank" and not Visa or Mastercard. In order to issue such credit cards, a bank must agree to follow Visa or Mastercard regulations, but these regulations cannot take away any of your rights under federal and state laws.

A merchant who takes your credit card prints a receipt and deposits it with his "merchant bank". Under the standard agreement, the merchant maintains a reserve account in the merchant bank to cover chargebacks by dissatisfied cardholders. The merchant bank pays the merchant and sends the receipt to your issuing bank. Your issuing bank then pays the merchant bank and sends you a "statement". There are two categories recognized by federal or state law under which you can resist payment: "billing errors" and "claims and defenses".

BILLING ERRORS

There are several types of "billing errors"; mainly:

Charges you did not authorize;

Charges for undelivered goods or services;

Charges for goods or services different from what was represented or of the wrong quantity;

Charges for goods that were not timely delivered.

If you believe there was a "billing error", you must, within 60 days following the date of the first statement on which the charge appears (not the date you made the charge; the date of the issuance of the statement appears on the face of the statement), write a letter to your bank setting forth in specific detail your dealings with the merchant (i.e., Did you respond to an ad in a newspaper, receive a telephone call, visit a store? What did the merchant tell you about what you would be receiving? etc.). If you kept a mailer or the ad from the merchant, attach copies to your letter, along with any correspondence between you and the merchant.

If you get your letter to your bank within the 60-day period (some banks extend this to 90 days), you need not meet any other condition. No geographical restrictions apply. You need not make any attempt to resolve the dispute with the merchant, and you can assert a billing error even if you have already paid off the disputed amount. Your bank may ask you to send the merchandise back to the merchant or to the bank itself before it will give you a credit refund. Your bank stands in the shoes of the merchant and will credit your account while it checks to determine whether your claim is valid.

CLAIMS AND DEFENSES

Under federal and state laws, you have up to one year from the date of the statement (far longer than the 60-day limit for asserting "billing errors") to notify your bank in writing of "claims and defenses". However, unlike billing errors, you must meet four additional conditions:

The disputed amount must be over fifty dollars ($50);

You cannot dispute the charge under "claims and defenses" if you notify your bank after you have already paid off the disputed amount. However, if you have paid off only a portion of the disputed charge, you can still resist payment on the unpaid balance of the disputed charge. For example, if the charge was for $300 and your last payment to your bank was only $50, you can still seek a chargeback for the remaining $250 under the "claims and defenses" category;

The transaction cannot be with a merchant more than 100 miles from your home or outside the state of your residence. For example, let's assume that you travelled to New Orleans from California for a vacation. While there, you purchased an expensive vase using your credit card. The merchant hands you a box which you open upon returning home. Inside the box is confetti, but no vase. If you notify your bank within 60 days, you can qualify for the issuance of a credit from your bank under the "billing errors" basis for chargebacks. However, if you wait beyond the 60-day period to assert a claim and defense against your bank, you would be ineligible for the issuance of a credit. In California and in some other states, transactions on the telephone are considered to take place at your home and not at the merchant's place of business, no matter who placed the call. Similarly, in those states, if you fill out an order form sent to the merchant, and agree to purchase by writing down your credit card account number, the transaction also occurs in your home (federal law states that where the agreement is reached depends on state law);

Before notifying your bank, you must make a good faith effort to obtain a refund or credit from the merchant. A letter, documented telephone call, or signing a notice of rescission (cancellation) would suffice.

Most cancellations are made because of merchant misrepresentations, but in some transactions, the most common being home solicitation consumer sales, the merchant must give you a written notice which you sign, date and return to the merchant within three (3) business days to cancel the transaction. In California and in some other states, sales by telephone are considered home solicitation sales. If the merchant does not give you the necessary notice, you may have even a longer time to cancel. Before notifying the bank, you may wish to send to the merchant a rescission or cancellation notice.

We do not know whether you have a valid "claim and defense". Unfortunately, notwithstanding efforts by this and other law enforcement agencies, and particularly Visa, to ensure that card-issuing banks honor the federal and state rights of cardholders, your letter asserting a "claims and defenses" basis for a chargeback may be handled by a customer service representative who is poorly trained. In some instances, we have heard of denials of valid claims and defenses which otherwise meet all of the requirements on grounds that the letter was not received within 60 days, the merchant has filed for bankruptcy, or the merchant bank refuses to pay back the card-issuing bank because the time limits regulating dealings between the banks under Visa or Mastercard regulations have expired. None of these are proper or legal grounds for denying a valid claim for a chargeback under the "claims and defenses" category. In short, your letter may fall into the hands of an inexperienced customer service employee of the bank who has not been properly trained about "claims and defenses" and will erroneously deny your claim. To give yourself some protection against this happening, you may wish to attach a copy of this letter to the letter you prepare for your bank.

Finally, even if you cannot satisfy either the "billing errors" or "claims and defenses" requirements for chargebacks, you may still wish to write your bank. Some banks will process these requests upon voluntary compliance arrangements they have reached with other banks. In the event your bank denies your request, and you believe that you have satisfied all of the required conditions, please feel free to write to our Public Inquiry Unit at the above address.

CIBIL: "Round up the usual suspects"

2005-06-02T09:34:00.000+05:00

So CIBIL and the other CIB's can "circulate" credit information without the consent of borrowers? Well this blogger will certainly have to approach the superior judiciary once his Hacking Complaint is disposed off.

The recently-passed Credit Information Companies (Regulation) Bill, has formalised the credit data-sharing efforts already under way with the establishment of CIBIL in May last year. Banks and finance companies hold equity in CIBIL. This effort may change the face of credit risk management finds Minna Kumar of Sify Finance.

The recently-passed Credit Information Companies (Regulation) Bill has legitimised the credit data-sharing efforts already under way with the establishment of Credit Information Bureau (India) Ltd (CIBIL).

Since the inception of CIBIL in May 2004, banks have been awaiting a new law that would allow them to share credit information of a borrower without seeking his consent. So far, banks had to obtain permission from borrowers before sharing information with the bureau. The premise of setting up CIBIL was to minimise non-performing assets that were plaguing the banking industry for the past decade.

CIBIL, works on the principle of reciprocity. Only those members who provide data will have access to information from CIBIL.

The Bill now makes it mandatory for every credit-providing institution in the country to report to at least one credit information company such as CIBIL about personal information on borrowers and their transactions including, but not limited to the amount, repayment history and default status.

The Bill covers a wide array of secured and unsecured credit schemes including personal, home and vehicle loans, leasing and hire purchases, credit cards, bank guarantees and letters of credit.

The ownership of CIBIL was till recently broad-based. Its equity was held by State Bank of India, Housing Development Finance Corporation Limited, Dun & Bradstreet Information Services India Private Limited and Trans Union International Inc. The shareholding pattern was in the proportion of 40:40:10:10 respectively. SBI and HDFC have now divested 23.75 per cent stake each. Nine new investors including ICICI Bank, Punjab National Bank, HSBC, Citibank and Sundaram Finance have stepped in.

This follows Reserve Bank of India's statement in the annual Monetary and Credit Policy 2004-2005 that credit bureaus should have a sufficiently diversified ownership. RBI wants the ownership to be shared among lenders as the bureau will collect and disseminate sensitive credit information pertaining to an individual or a business. This also brings in more direct participation from financial institutions.

Under the new shareholding structure, ICICI Bank would hold 10 per cent stake with a position on the board of directors. PNB, Bank of India, Central Bank of India, Union Bank of India, Bank of Baroda, Citibank and HSBC would hold 5 per cent stake each and Sundaram Finance would have 2.5 per cent stake. SBI and HDFC will now hold only 16.5 per cent each.

CIBIL has two streams - the consumer bureau, comprising information of individual borrowers in respect of credit cards, home loans and personal loans. It also has a commercial bureau where banks share information of corporate clients in the near future.

The credit report from CIBIL would indicate, how much the individual has borrowed and what his/her repayment history has been. This is expected to mitigate credit risks, enable speedier and more objective credit decisions by banks.

The concept can be very effective in controlling non-performing assets of banks. The law covering the operation of credit bureaus like CIBIL will change the face of risk management in the country. However, some questions remain unanswered. For example, what is the legal responsibility of credit bureaus, lenders and the government in informing and educating the consumers about how their personal information is used and what rights they have?

With a series of mishaps reported from the US, particularly the theft of information from the Bank of America in recent months brings on a whole new shade to this process. It appears to be the responsibility of lawmakers to ensure the safety of information.

The Usual Suspects:

Mr.Haren Parekh is my all time favourite contact person at CIBIL. I wish that I could post the rejoinders that CIBIL has made to my Complaint on this BLOG -- too bad that I can't since then I could be sued-- the rejoinders are well drafted, factual and professional. Quite unlike those Standard Chartered Bank clowns :-)