Author Archives: Prasanna

SEBI & MCA are causing a massive Personally Identifiable Information Leak

NOTE: I had published this article first here on Medium

I think when it comes to Privacy for Indian Citizens, the old adage “choosing between the Devil and the Deep Blue Sea” seems to hold true.

On the one hand, our Government is stripping citizens of their privacy piece by piece by linking biometrics with everything from airport to stadium entry.

On the other hand, we have to deal with the sheer incompetence of the same Government agencies that are supposed to keep that data secure but are instead leaking it left, right and centre!

Here is what happened: SEBI and MCA, in their eagerness to tackle the fraud surrounding unclaimed/unpaid dividends on stocks and mutual funds, mandated that investor details be published on the websites of all listed companies and mutual fund houses.

There are about 5800 publicly traded companies on the BSE, and almost every one of them has put up a spreadsheet or PDF document containing the following data, accessible to the public without authentication or checks of any sort:

· Name of the Investor

· Address

· Name of Mutual Funds

· Amount

· Demat Numbers

· Folio Numbers

Full name and address together constitute Personally Identifiable Information (PII). Some companies have also listed Demat account numbers in addition to this PII. As these include financial information, it could be further classified as Sensitive PII. If you have ever traded stocks or invested in mutual funds but have not received the dividends, chances are your PII has been posted on a website for everyone on the internet to see. Caveat: the above data is for those investors whose bank details are not updated with the fund houses/publicly traded companies, so that the money could not be transferred to them.

In my estimate, there are more than a million records of PII out there in public.

One of the files I downloaded had about 25,000 entries. Yes, Personally Identifiable Information (PII) of 25,000 investors spread across not just India but different parts of the globe. That file covered just 2015–16; all the publicly listed companies host this data going back to 2009! Another file from a different publicly traded company was an 1100-page PDF with rows of addresses, folio numbers and Demat account numbers alongside names!! Here are some samples:

http://www.sonata-software.com/sites/default/files/Details%20of%20Unpaid%20Interim%20Dividend%202016-17.pdf

https://www.nmdc.co.in/Docs/Investors/Dividends/NMD_DIV23.pdf

http://3i-infotech.com/content/investors-2/details-of-unclaimedunpaid-dividend-with-the-company/

Background: The first of the notifications was issued by the Ministry of Corporate Affairs (MCA) as Gazette of India G.S.R. 352(E) dated May 10, 2012.

That notification, Gazette of India G.S.R. 352(E) dated May 10, 2012, brought in the Rule “Investor Education and Protection Fund (Uploading of information regarding unpaid and unclaimed amounts lying with Companies) Rules, 2012”. Under this Rule, companies have to identify and upload details of unclaimed dividends on their websites.

SEBI notified a similar requirement in 2016 via circular SEBI/HO/IMD/DF3/CIR/P/2016/84, which makes it mandatory for all publicly traded companies / mutual fund houses to publish the following details on their websites:

“AMFI shall also provide on its website, the consolidated list of investors across Mutual Fund industry, in whose folios there are unclaimed amounts. The information provided herein shall contain name of investor, address of investor and name of Mutual Fund/s with whom unclaimed amount lies.”

I sent out emails to many of these publicly traded companies. Except for one, nobody bothered to respond. Even when they did respond, they mentioned that they are complying with the MCA diktat.

But the most callous response was from CERT-In. CERT-In manages the Cyber Swachhta Kendra, which our minister launched with much fanfare and a media blitz. Their response is above, and you can form your own opinion on how secure India’s infrastructure is going to be.

Probable Mitigation:

Instead of publicly listing people’s addresses, Demat IDs etc., these companies could send notifications directly to the investors concerned. While researching this topic I came to realise that there have been cases of some intermediaries transferring the unclaimed/unpaid dividends to themselves, and it is scary to say the least. The sophistication and the amount of fraud are of unthinkable proportions. Some of the fund management companies transferred the amount to friends and relatives, while others showed it in their P&L results!!

The public disclosure of addresses without the consent of the end users is a violation of their privacy.

Every individual, from the top-ranked bureaucrat to the minister, needs to learn a lesson or two on privacy. What is appalling is that none of the 5800-odd listed companies seem to have opposed this stupid directive. Every one of them has complied, putting its investors’ PII out in public. I don’t know how their overseas clients are going to judge them on this.

#dividendleak #privacy #india #unclaimeddividends #millionrecords

How E-commerce Companies In India Rely On Black Hat SEO

Ok, it is taken for granted that competition is intense and that running an e-commerce company is difficult, especially in our country. I have friends who say they are not sure their company will exist next financial year. But does that mean you have to resort to unethical tactics, in this case Black Hat Search Engine Optimization (SEO)?

I was looking for a mobile phone and was researching its availability online. There was nothing eye-catching about the results, as in the picture below: the usual promoted listings and the normal search results on Google. Now, I had read that this particular model of phone is available exclusively at Amazon India. I was surprised and glad to see product listings (promoted listings/ads) at other sites like Snapdeal and Flipkart as well. What makes online shopping attractive is the convenience at our fingertips, coupled with deals and coupons, and also the refund policies of some of these vendors. The reason for stressing the refunds is that I have had to return one laptop and one netbook, and much of it was accomplished without any fuss. Interestingly, I never saw those products for sale again!

Google Search results (look beside the arrows):

blackhatseo-ecommerce-india

Now if the phone is exclusively available at only one site, what are the other two sites showing their ads for?

I clicked on the three ads in separate tabs. As advertised, the Amazon India site showed the Micromax Canvas A1, which they are selling exclusively, while the resulting pages at Snapdeal and Flipkart were for totally different products. I am not sure whether this violates any law in India; if you are aware of the laws and regulations on improper/false advertising, please drop me an email or tweet at @terminalfix. The paid listing by Snapdeal lands on a product page for a Karbonn phone, running Android One like the Micromax Canvas A1. Flipkart’s listing lands on a product page for the Spice Android One Dream Uno, also running Android One.

Flipkart’s ad for Micromax Canvas A1 shows Spice Android One instead:

flipkart-blackhat-seo

Snapdeal’s page shows Karbonn:

snapdeal-blackhat-seo

Actually, this is not the first time I have seen such tactics being used. Previously, as documented here (Why Flipkart Is Wrong To Hijack Crossword’s Name Using Sponsored Ads), Flipkart was listing its ads for the term “crossword bookstore”. After I pointed this out, they removed the listings.

I am not very familiar with Google’s Terms and Conditions when it comes to violations, but if a company is consistently doing this, it deserves some action, big or small. Over to Google, Flipkart, Snapdeal and Micromax for more on this…

Passport Office Website Can Share Your Personal Information

If you are filling in the online form at the Passport Office’s website for a new passport or for a renewal, please pay close attention to the last field before the Submit button.

One of the options there states:

“I authorize Passport Seva to share my name and contact with companies that offer financial, travel & tourism products, where such companies may offer special schemes for passport applicants from time to time. With my consent as YES, i agree to override the Do-Not-Call (DNC) mandate for the communication I may receive from them”

The check box itself has further information on what is shared: “YES, share my name, contact, gender, date of birth, application type and education qualifications with <the advertiser/third-party service provider changes with the time, check the screenshots below>”

In my opinion, this is a bad feature, and I am very apprehensive about the fact that the Passport Office provides an option to share our personal information with third-party providers. I am wondering who gave them the idea to monetize our private information; of course this is an opt-in, but still. What’s more, the list of vendors changes over time. I had taken the screenshot a few months back and revisited the page to check, but this time it showed a different service provider! Once this information is shared, we have no control over how it is stored and used. My recommendation to the Passport Office is to stop sharing this information at the earliest, with or without choice, and if you are filling in the form, ensure you select the Do Not Share option.

The screenshot below was taken a few months back; it was TATA AIG for life insurance then:

passport_office India privacy_selection

Currently the vendor is listed as Chola-MS for Chola Shubh Yatra Travel Insurance:

passport_information_thirdparty

I tried giving feedback at the passport office site here. But there is no way to proceed unless one provides the file number and other details!

How Browsers Handled a Website with a Revoked SSL Certificate

This incident of unauthorized digital certificates for Google domains issued by an Indian CA has caused quite a scare among netizens. While we have to wait for the exact cause of the incident, I thought I would see how browsers handle websites with revoked certificates. The browsers I tested were Chrome, Internet Explorer and Firefox. The website was:

https://nicca.nic.in/

While NIC CA’s website mentions that all certificate-issuing operations have been shut down for some time, it still continues to use the invalid certificate.

Date 3rd July 2014 

Due to security reasons NICCA is not issuing certificates as of now. All operations have been stopped for some time and are not expected to resume soon. DSC application forms will not be accepted till operations are resumed and further instructions will be issued thereafter. Inconvenience caused is regretted. 

Here are the results with screenshots:

Chrome Version 35

Of the three browsers tested, Chrome stood out from a security perspective for its users: it provided detailed information on why the connection may not be secure and did NOT provide an option to override the warning and access the affected website. Clicking the More button showed technical details about the certificate (revocation details in this case).

Revoked SSL Certificates Handling by Chrome

chrome ssl revoke details

Firefox Version 30

Firefox too provided detailed information on why the connection is untrusted. However, Firefox also provided an option to ignore the warning, add an exception and continue to the site. It would have been better if Firefox had blocked the security-exception function and not allowed the site to load. Not good practice in my opinion.

Firefox handles revoked SSL Certificate

firefox override ssl_revoke

NIC CA website

Internet Explorer Version 11

Of the three browsers, Internet Explorer provided the least technical information when accessing the site with the invalid certificate. All it says is that the certificate is revoked, and even clicking the More Information button hardly provides any details; instead it directs to an IE help page, which I could not figure out. However, like Chrome, IE too did NOT provide an option to add an exception and continue browsing, which is good from a security perspective.

Internet Explorer SSL Revocation
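To see what the browsers above were actually checking, here is an added example (not from the original post, and not NIC CA’s real PKI): a throwaway CA built with openssl issues a leaf certificate, revokes it and publishes a CRL, and the leaf is then verified with and without a revocation check. The CA and host names are made up, and the script assumes the openssl command-line tool is installed.

```shell
# Constructed demo: a throwaway CA issues a leaf certificate, revokes it and
# publishes a CRL; the leaf is then verified with and without a revocation
# check. Every name below (Demo Root CA, demo.example) is made up.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# 1. Throwaway root CA (self-signed, unencrypted key, short-lived)
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.crt 2>/dev/null

# 2. Leaf certificate for a made-up host, signed by that CA
openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 2 -out leaf.crt 2>/dev/null

# 3. Minimal `openssl ca` database, then revoke the leaf and publish a CRL
touch index.txt
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database         = index.txt
new_certs_dir    = .
crlnumber        = crlnumber
certificate      = ca.crt
private_key      = ca.key
default_md       = sha256
default_crl_days = 1
EOF
openssl ca -config ca.cnf -revoke leaf.crt 2>/dev/null
openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null

# Returns 0 when the leaf chains to the CA with revocation ignored, which is
# all a client that never fetches the CRL (or asks OCSP) would learn.
chain_ok() {
  openssl verify -CAfile ca.crt leaf.crt >/dev/null 2>&1
}

# Echoes "revoked" or "good" after checking the leaf against the CRL: the
# check that made Chrome and IE refuse the connection in the post above.
crl_status() {
  if openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl leaf.crt \
      >/dev/null 2>&1; then echo good; else echo revoked; fi
}

echo "without revocation check: $(chain_ok && echo accepted || echo rejected)"
echo "with CRL check:           $(crl_status)"
```

The first line shows the leaf is otherwise perfectly valid; only the CRL check turns it into the hard failure Chrome and IE showed, which is why a client that skips revocation checking, or lets the user add an exception, keeps trusting a certificate its issuer has already withdrawn.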

Lost in Escalation: What I Learnt from the Target Data Breach

Amidst the news of Target’s CEO stepping down due to last year’s breach, you might also have read this: Missed Alarms & 40 Million Credit Card Numbers Stolen. It appears from the news report that their infosec team in Bangalore had notified their counterparts in the US about malicious traffic in the network, but unfortunately no action was taken. This is disturbing! If an InfoSec team notices malicious behaviour, why aren’t they authorized to act on it? Even as they escalated the matter, it looks like no action or follow-up was taken to neutralize the threat. Acting on the received alert could have prevented the breach and saved millions of dollars for the company, and of course the CEO’s job! It is also reported that the feature in the tool that would have blocked the malicious traffic was turned off and only notification was enabled! Perhaps it was not tuned properly. This is a good lesson for all those investing in security tools and applications but not configuring them properly.

This incident reminded me of my own experiences. At my previous company, working in a Global IT Risk Management team, we had the freedom and the responsibility to take any system that showed malicious behaviour off the network. There were no exceptions: even if it was the CEO’s system or a critical server, if it posed a threat to our networks, off it went. This was not an easy task, as security intelligence from multiple sources had to be collated and correlated. These included reports from network IDS, firewall logs, AV threat summaries, compliance checks etc., and then finding the owner of a system among tens of thousands of systems needed a herculean effort. Many a time, if we made contact with the owner, we would give him just enough time to take it offline, repair/clean/reformat it, and then we would validate it before putting it back on the network.

But before doing that we had to ensure it was not a false positive, quantify the threat, and then instruct the network team to pull the plug if there was no identifiable owner. We made the final call on pushing a system off the net, and there was no escalation involved.

Of course, knowing when to press the dreaded kill switch is something we learnt with time, experience and mentoring. Innumerable con-calls, follow-ups, and understanding network architecture spread over different geographies and different work cultures are all part of the job, but worthwhile.

So if you are responsible for data security at your organisation, ensure your team has the skills and the freedom to act on the information, and not just wait for the people at the top to give the go-ahead.