Sunday, December 2, 2007

Bhelpuri - the ultimate privacy mish mash

Inspired by

http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms

Isn't it apt that identity and card information was available in a bhelpuri, and that too at the hands of a techie, with the source being the world's largest chip maker and the world's largest car rental company?

The bhelpuri is the ultimate Indian smorgasbord - a mish mash of a snack which can be spiced up on a scale of 0 to infinity and can symbolize all the regulations and controls thrown into a wrapper and mixed into oblivion so no one knows what came from where - just pass the audit, make sure there is evidence of controls.

Oh, I am digressing, this can be a plot for a new Bollywood blockbuster "Secure Bhel" and the catch line will be CIA on the street.... Compromised and Internationally Available.

Is this another lapse which is being swept under the carpet? As security professionals, we now wonder: if a company on the bleeding edge of technology can send private data in this manner, what is the state of its internal systems? Not that they will reveal this.

Well, that is the international giant, the bleeding edge technology company, and they do not have a clue about the security of private information because they are busy securing technology IP. So how about the leading car rental company, which handles tons of personal data, from credit cards to driver licences, addresses, birthdates, travel plans etc.? How does current and valid personal data land up in a snack! Is this how they treat the personal data of clients? Boy, I would love to audit them and take them to the cleaners.

This rambling was prompted by this article......

Credit card info found on bhelpuri wrapper
1 Dec 2007, 0238 hrs IST, Kavita Kukday, TNN

MUMBAI: On Tuesday evening, Aneesh, a media professional in his thirties, bought a packet of bhelpuri from the roadside vendor in MIDC, Andheri. While munching on the snack, he happened to glance at the paper cone in which the vendor had mixed the bhel. His curiosity was piqued. It was a computer printout of an invoice for a car rental. Once he had eaten up his bhel, he studied it carefully: it had the name of a credit card holder, the 16-digit credit card number, the three-digit batch number (from the back of the card) and the expiry date. In short, all the ammo needed for online transactions.

It was an American Express card. The request had gone on email from tech firm Intel to Avis, an international car rental firm with offices in India. It was sent in March last year for an Intel guest who was staying at the Grand Hyatt and needed to hire a car for a day. Despite the invoice being more than a year old, the expiry date (Feb 2008) showed that the card was still valid. To heighten the risk, it was a company credit card, which automatically scales up the chances of misuse --- not only is the credit limit higher, even the authenticity of the spends is tougher to track.

So how did such sensitive information find its way to the bhelwalla? While the paper trail is hard to trace to source, an important stop must certainly have been the raddiwalla.

An Intel spokesperson said, "It is an unfortunate incident and Intel is deeply concerned. We hold our employee confidentiality in the highest respect. We are currently investigating the matter."

Those in the credit card business warn that this is not an isolated case. Security norms for digital transactions are still very lax in India, and the use of shredders for documents is almost non-existent.

The bhel-puri credit card story, however, had a safe ending. The person eating bhel didn't head for the nearest cyber cafe. He carefully ironed out the paper cone and passed it on to a writer friend, who called TOI.

http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms
