Last year, a busy ad exec in Chennai got an SMS from his wife: 'Hey, what's
my ATM PIN?' Not again, he muttered, and sent back the PIN. A half hour later he
got a frantic call from his wife: she'd lost her handbag an hour ago, with
mobile phone, cards and cash. Oops. Frantic calls to the banks... but it was too
late. Someone had just withdrawn Rs 20,000 on one card and Rs 15,000 on the
other, the maximum cash limits of those cards. Early this year a colleague in
Bangalore got a mail from his bank, asking him to confirm his account details.
The mail looked genuine, and he followed the link and confirmed his details. The
next day, all his funds were transferred to an unfamiliar account in Delhi. Six
years ago, an ex-employee of a magazine distributor in Mumbai walked off with
the subscriber database of an English weekly. He (and associates) set up a
similar-sounding company and bank account. They sent out a renewal reminder to
the database. A tenth of the subscribers responded with cheques. Over Rs 10 lakh
was encashed by the time the distributor got wind, and sent out warning letters
to all subscribers. The distributor had to make good the loss.
Prasanto K Roy, Chief Editor |
Identity theft is the scourge of a world online, and the gateway to much of
the fraud that happens. The thieves use online and offline ploys, and combine
technology and social engineering. Most corporate network break-ins, or assaults
on websites or networks, begin with ID theft. There's little to beat the sheer
simplicity of stealing a person's identity, with the millions of trusting users
and gullible sysadmins out there. The mobility explosion compounds the problem.
Everyone's on the move, needing remote access to networks. And we carry info
devices, packed with personal information. (A quick survey found two of five
people with their ATM PIN stored in their mobile phone address-book under “ATM
PIN”, and none of them used the protected 'wallet' to store information. Other
interesting entries were “ICICI Pass”, etc.)
At the highest risk level of ID theft are sysadmins and IT personnel, or
officials in key positions in service provider companies, including banking and
telecom. Few are 'potty-trained' in security. I'm horrified at the number of
sysadmins who use their admin password with root-level privileges for their
routine computer and even email use. Enterprises in financial services, BPO,
telecom, and such areas, tend to go overboard with security tech, to levels that
become dysfunctional: RSA SecurID keys and four levels of passwords and
disabling all ports and USB drives...
There's no easy answer, except that it's a mix of security tech and user
training. And the criticality multiplies with the threat level faced by that
business or that person. Here's a guarantee: in the year ahead, a lot of Indian
businesses will be forced to learn about security management and identity theft.
This month's cover story is a guide to some of that technology.