The future of hacks

Fraud in Bangalore heralds a data-intensive, insecure age

In the past few weeks, Bangalore has reportedly seen over 150 instances of money being fraudulently withdrawn from automated teller machines or ATMs. The fraudulent transactions have been carefully timed at the cusp of midnight, to bypass daily withdrawal limits. The modus operandi is otherwise unclear; footage from surveillance cameras has not been helpful. The criminals may have cloned cards by copying data off magnetic strips. They may have hacked the software that validates transactions. Or perhaps, the chips in specific ATMs have been compromised. Bangalore has a large population possessing the requisite skills. The Reserve Bank of India and the banking/financial services industry will now have to brainstorm to identify and plug the specific hole, or holes.

These incidents are a pointer to the fact that new technology brings new hazards. They have broader relevance that is worth taking note of. After all, India is experiencing fast economic growth with a service-sector orientation; inevitably, it is increasingly becoming a cashless and paperless economy. Credit card penetration is increasing. Bank accounts are associated with debit cards by default. What is more, mobile service providers are interested in enabling cash transfers and payments for a variety of transactions, as they do in Africa. In developed economies, cash transactions are often only for illegal activities; they account for less than 10 per cent of the official gross domestic product. Indeed, paperless transactions have many advantages, apart from convenience. One is that electronic trails are easily audited. Over time, swiping and mobile transfers should help differentiate the legal components of the informal economy from the “black”. However, a lesson from developed economies is that strong electronic know-your-customer (KYC) protocols are vital. If an individual loses a phone, or if a SIM-card and IMEI (International mobile equipment ID) can be cloned, he or she stands to lose a great deal more than just a handset. Ditto for a debit or credit card, of course.

At heart, electronic validation boils down to addressing questions of identity that border on the philosophical. On the network of networks, identity consists of diverse attributes, like email IDs, mobile numbers, unique credit and debit card numbers, digital signatures, etc. Each comes with associated passwords — and, perhaps, biometric validation. Those attributes (mobile number, email, credit card number) may also change. If any of those attributes is insecure, identity theft could occur. There is some logic to the “single sign-on” approach, wherein all attributes are unified and held in one electronic “vault”. In this, the service provider who controls the vault validates ID upon being approached by any other service provider. Everything is fine as long as that one gatekeeper cannot be hacked. Another possibility is to have multiple validations for electronic IDs, including single-use passwords. This is actually more likely to evolve organically. Whatever the approach that's adopted, the Bangalore ATM fraud indicates a continuing battle of wits on this front. Security consultants will evolve new methods to protect identities; and people will hunt for even newer methods to bypass the new security measures.