How safe is your credit card?
Recently one of my friends lost 92k to an online credit card fraud. A Google search found a few other people who lost their money the same way. So are credit cards safe for online transactions in India?
Short answer is NO.
Why?
1. In India, 3D Secure (Verified by Visa or MasterCard SecureCode) is mandatory for online credit card transactions above 5000.
2. In the US this is not mandatory for any transaction.
Looks like India is the more secure country for online transactions! This is what the banks want you to believe. The truth is the opposite.
The security of any system is the security of its weakest link. The weakest link here is 3D Secure (3DS). Surprised? Try the forgot-password link on your Verified by Visa page. It requires your card number, date of birth (the most secret information about you!) and CVV number. This is from the HDFC NetSafe website; it can be different for other banks.
How long does it take someone to find out your DOB given your full name? Google and Facebook have made this easy.
Now the secure CVV number. It is a 3-digit number, so the total combinations are 999, assuming it is random. People make it "more secure" by eliminating combinations like 111, 222 etc., which again reduces the total number of combinations to try. This is the wrong public concept of security. The way of thinking is that explaining to a customer that 111 is more secure than 592 is difficult, so we better avoid these numbers. It is the easier way out. The real irony is that the CVV number is required for a transaction, so any compromised website will already have your CVV number. This reduces it to just the DOB.
Have you ever received an email/SMS when you reset your Verified by Visa/MasterCard SecureCode password? I haven't got any for my HDFC card till now.
So it is obvious that this is not designed for security. Then what is the use of it?
This is called liability shifting. Normally all the liability for a fraudulent internet transaction is on the bank, not on the merchant, if the bank has authenticated you. The advantage of this is that more merchants will be willing to accept credit cards online. With 3DS the liability is shifted to the credit card holder: it uses a password known only to you, so any transaction that goes through 3DS is your liability.
If you buy gold jewellery or electronic goods by swiping the card, you will get a call asking whether you did this transaction. In that case the onus is on the merchant to authenticate you, and if you later come back and prove the signature is not yours, they will have to revert the transaction.
Most fraudulent transactions use the card to book flight tickets, as this leaves fewer traces. Have you ever got a call after you booked tickets online? No need: the bank is no longer liable for this fraud.
Fine. But this doesn't explain why banks cannot make these 3DS implementations secure enough.
Any secure authentication protocol adds inconvenience for the user. Users will forget passwords frequently since they do not use this password daily. If the password reset is made secure, it needs to use multi-factor authentication and the reset process will take time. This means loss of business for the merchant: when you try to buy something on the net and the credit card authentication requires you to reset your password securely, chances are that you will forgo the transaction.
So your security is compromised for the merchants by your bank. Steven J. Murdoch and Ross Anderson from the University of Cambridge, UK, have written a paper on the security issues around the 3DS protocol.
It may be difficult to comprehend that internet transactions are safe without a password, but with the current implementation of 3DS this is what we can conclude. At least the bank will make a phone call and check with you before authorizing a high-value transaction.
What are the repercussions?
My friend lost Rs 92 K in a fraud on 29th Oct 2012. As of today HDFC is still not willing to investigate the fraud, saying that the Verified by Visa password was compromised and that it is the customer's responsibility. If this is the attitude, it is definitely going to attract banking trojans. We don't even know if this is the work of a Trojan. HDFC Bank should investigate and find out whether a password reset has happened or whether the password was retrieved by a Trojan; in that case a security alert is a must. If there is already a Trojan out there in the wild, this can happen to a lot more unsuspecting people.
Ross Anderson is Professor of Security Engineering at the Computer Laboratory, University of Cambridge, UK. He is working on banking security and has proved that these protocols and implementations are not secure enough to conclude that, for online credit card fraud to happen, the password must have been compromised by the user.
What can the banks do to prevent this?
1. Make sure that there is no liability shifting, so that the banks treat online transactions like normal transactions. It means banks should investigate fraud in online transactions protected by Verified by Visa, realizing that the security is not enough against hackers. This is what the bank is refusing to do now. Public pressure needs to be built on this.
2. Banks should make sure these protocols and implementations are secure, with transaction signing and other protection mechanisms.
3. Any password reset should at least use a second factor like a registered email address or mobile phone.
4. Banks should provide a way to limit the online transaction amount. This will not work against targeted attacks where email and SMS can be flooded to avoid detection.
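To make point 3 concrete, here is an added sketch (not code from any bank or from the 3DS specification) that puts the reset flow criticised above, static facts only with no attempt limit and no alert, beside a flow that needs a one-time code sent to the registered phone, locks after repeated failures and notifies the holder. All names, the lockout threshold, the code lifetime and the sample card values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3        # assumed lockout threshold
OTP_TTL = 300           # assumed one-time-code lifetime, seconds


@dataclass
class Card:
    number: str
    dob: str
    cvv: str
    mobile: str                 # registered out-of-band channel
    password_hash: str = ""
    failures: int = 0
    locked: bool = False
    otp_hash: str = ""
    otp_expires: float = 0.0


@dataclass
class Outbox:
    """Stand-in for an SMS/e-mail gateway: messages are only recorded."""
    sent: list = field(default_factory=list)

    def send(self, to, text):
        self.sent.append((to, text))


def hash_password(password):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + ":" + digest.hex()


def _sha256(value):
    return hashlib.sha256(value.encode()).hexdigest()


def weak_reset(card, dob, cvv, new_password):
    """Flow criticised in the post: static facts only, no limit, no alert."""
    if dob == card.dob and cvv == card.cvv:
        card.password_hash = hash_password(new_password)
        return True
    return False


def _fail(card, outbox):
    """Count a failed attempt; lock and alert the holder at the threshold."""
    card.failures += 1
    if card.failures >= MAX_FAILURES and not card.locked:
        card.locked = True
        outbox.send(card.mobile, "Password reset locked after repeated failures")


def request_reset(card, dob, cvv, outbox, now=None):
    """Step 1: static facts are necessary but not sufficient; send a code."""
    now = time.time() if now is None else now
    if card.locked:
        return "locked"
    facts_ok = hmac.compare_digest(dob, card.dob) and hmac.compare_digest(cvv, card.cvv)
    if not facts_ok:
        _fail(card, outbox)
        return "denied"
    otp = f"{secrets.randbelow(10**6):06d}"
    card.otp_hash, card.otp_expires = _sha256(otp), now + OTP_TTL
    outbox.send(card.mobile, f"Password reset code: {otp}")
    return "otp_sent"


def confirm_reset(card, otp, new_password, outbox, now=None):
    """Step 2: the code from the registered phone completes the reset."""
    now = time.time() if now is None else now
    if card.locked or not card.otp_hash or now > card.otp_expires:
        return False
    if not hmac.compare_digest(_sha256(otp), card.otp_hash):
        _fail(card, outbox)
        return False
    card.otp_hash, card.failures = "", 0        # single use
    card.password_hash = hash_password(new_password)
    outbox.send(card.mobile, "Your 3DS password was changed")
    return True


def sample_card():
    # Constructed sample values, not real card data.
    return Card("4000000000000002", "1980-01-01", "592", "+91-0000000000")
```

With the lockout in place the three-digit CVV can no longer be tried exhaustively, and the change notification gives the holder a chance to react to a reset they did not request.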
As bank customers, what options are left for us?
1. Limit our liability by reducing the credit card limit.
2. Use net banking for online transactions. This is more secure for the time being. It also requires safeguards to limit exposure, like using a separate account.
Update: My friend got his money back. But no information on what happened.
Disclaimer
This is a personal weblog. The opinions expressed here represent my own and not those of my employer.
Arvind Kejriwal - Is he right of left ?
The sling shot act that Arvind Kejriwal is now doing around Anna Hazare is a clever manipulation of people's minds that can only be compared with what Gandhiji did. Maybe it is sweet revenge that a few Gandhis who hijacked the real Gandhi's India happen to be on the receiving end.
Arvind Kejriwal is not just dancing on the chance, he is flying. All those people accusing him tried for years to make an impact. Realizing the moment and utilizing the opportunity is what Arvind Kejriwal is doing.
People should realize that any extremist campaign in India will tone down to a TV show over time. Most of the people in India are happy with the way life is going, and that has been the case for centuries; that is what our culture taught us.
Aruna Roy and others have every right to criticize Arvind Kejriwal, but they need to understand that they went inside the system, and from there there is no way they can correct the system. Expecting criminals to make a law against crime is a little too much.
This should be the launching point for radical political reforms. I am sure these people can see it, but they are too naive to accept that Arvind Kejriwal stole the show before they even saw it coming.
http://indiatoday.intoday.in/site/story/arvind-kejriwal-rti-activist-anna-hazare-people-movement/1/148497.html
http://www.youtube.com/watch?v=2CHcKlIsvAQ
Mind and Suspense II
The recent Newsweek article on fear and the blog post by Bruce Schneier on the psychology of security talk about fear and logic and how fear overrides logic. This reminded me of my old blog post about Mind and Suspense, where I was trying to figure out how suspense overrides the rational thinking of the brain. These articles help to explain the reason. The article in Newsweek by Sharon Begley says:
“ The amygdala sprouts a profusion of connections to higher brain regions—neurons that carry one-way traffic from amygdala to neocortex. Few connections run from the cortex to the amygdala, however. That allows the amygdala to override the products of the logical, thoughtful cortex, but not vice versa “
Suspense is a product of fear, so in the same way the brain allows suspense to override logical thinking. This is an instinct which we all possess to survive the dangers we face.
Bruce Schneier in his blog talks about the higher-level dangers that we face in our daily life now, which are different from natural dangers like wild animals. Our brain is programmed to evoke a fight-or-flight response against natural risks, while present-day risks need more logical analysis to evaluate, and the brain may try to override this if met with a less risky natural scenario. Bruce Schneier is trying to prove his point: “This behavior of human brain makes it difficult for people to understand the security risks involved in Internet transactions”
India is doing badly in IT
America, ‘he said will lose the war. And Italy will win it.
America is the strongest and most prosperous nation on earth,’ Nately informed him with lofty fervor and dignity.’ And the American fighting man is second to none’
‘Exactly,’ agreed the old man pleasantly, with a hint of taunting amusement. ‘Italy on the other hand is one of the least prosperous nations on earth. And the Italian fighting man is probably second to all. And that’s exactly why my country is doing so well in this war while your country is doing so poorly.’
….
‘But Italy was occupied by the Germans and now being occupied by us. You don’t call this that doing very well do you?
‘But of course I do. ‘Exclaimed the old man cheerfully. “The Germans are being driven out and we are still here. In few years you will be gone, too, and we will still be here. … Italy will survive this war and still be in existence long after your own country has been destroyed.’
…
“America is not going to be destroyed!’
‘Never?’ prodded the old man softly
“well… ‘ Nately faltered.
The old man laughed indulgently, ... ‘Rome was destroyed, Greece was destroyed, Persia was destroyed, Spain was destroyed, all great countries are destroyed. Why not yours?
…
‘ I don’t believe anything you tell me,’ Nately replied, with a bashful mitigating smile. “The only thing I’d believe is that America is going to win the war.’
‘You put so much stock in winning wars, ‘the grubby iniquitous old man scoffed. “The real trick lies in losing wars, in knowing which wars can be lost. Italy has been losing wars for centuries, and just sees how splendidly we’ve done nonetheless. France wins wars and is in a continual state of crisis. Germany loses and prospers. Look at our own recent history. Italy won a war in Ethiopia and promptly stumbled in to serious trouble, we helped start a world war we hadn’t a chance to win. But now that we are losing again, everything has taken a turn for better, and we will certainly come out on top again if we succeed in being defeated.
The above extract is from “Catch22”, a must-read book. See Catch-22 on Wikipedia.
There are multiple faces to the above argument between Nately and the old man. I try to highlight one of them. It says that whenever you think you are winning, you are actually losing in the long-term perspective. You have to lose a good many battles to win the war. But it doesn’t end there; if you want to continue to win you need to start losing again. What will you get by losing? You ensure that you will not be destroyed.
India’s IT industry is now on a winning streak, which means it is going to be destroyed if this continues. When you are on a winning streak you are not learning any lessons for survival, and when your luck drains and you start losing you cannot survive and will be destroyed.
America was doing badly before 2000, and after the dot-com crash they started doing well. America and other countries are doing well in IT now. Currently India alone is doing badly. Unless we start losing now, India’s IT revolution will be a lesson in history books.
The argument may not be convincing at first. But if you investigate more you will understand that it is fundamentally stronger than you think. The first signs of losing show up in the quality of education. When anyone who comes out of college gets a highly paid job, you are starting to lose. Students don’t have to learn anything to get a job, and gradually the people who come out of the colleges don’t have the basics required for survival and are good for nothing in the long term. If this trend continues India will have a scarcity of good programmers and an abundance of programmers in a few years. Even now the industry has started feeling the crunch.
Now the curriculum is tailored for the IT industry; it is a curriculum for short-term profit and not for long-term growth and survival. If you want the students from the colleges to be employable and productive from the day they join, flexibility is compromised. When the software development paradigm shifts, these people and the companies cannot survive. The next problem is the commitment of the employees. Since jobs are plentiful, this is not considered a required quality now.
The quality of software products will be affected by the lack of skilled and committed developers. Unless the IT solutions and products contribute to the customers’ bottom line, this accelerated growth phase cannot continue.
It is time for companies to analyze the software they are creating and check whether anyone will pay for it after 10 or even 5 years. If not, then you have started digging your grave.
Cost advantage cannot and will not drive outsourcing forever. If companies think that they have a cost advantage compared to American companies, then it is time to re-evaluate the cost of quality. Only the talent pool can drive outsourcing. When this starts shrinking, all cost-related advantages will be nullified.
As more and more software jobs are outsourced, only skilled people can survive in the American IT market, and the quality will improve. Shortly down the line, a product that takes 1 person-month in the USA or Europe will take 4 to 5 person-months in India to maintain the same quality. Also, Indian salaries will grow to a limit where outsourcing will no longer give cost advantages, and the turnaround time will still be longer. This estimate has been made keeping in mind the communication factor involved in the offshore development model.
Martin Fowler's article gives another perspective on the offshore development model.
This is one side of the picture. Consider the damage IT has already done to the traditional production industries and the economic gap it has created through increased buying power and inflation: the collapse is not far away.
Professor M. Krishnan Nair
Malayalam literary critic Professor M. Krishnan Nair left us on 23rd February 2006. Malayalam literature is indebted to Krishnan Nair for the guidance he provided. He attacked bad literary works with his heart and made sure that people could not write trash in reputed Malayalam magazines. Whenever popular weeklies like Mathrubhumi published a bad story or poem, he told the whole world that Mr/Ms X was using Mathrubhumi as a toilet. His disdainful attacks on literature which he perceived as bad put writers and editors on the watch. The perception of quality of a work may differ between people, but most of the time one can distinguish a quality work from a bad piece of work. So even people who do not subscribe to Krishnan Nair’s views agree that he acted as a gatekeeper for good Malayalam literature. Only the brave and courageous were able to break the barrier he provided.
Budding writers used to say that whenever they published a new work they would wait for the next “Sahityavaraphalam”, the column Krishnan Nair wrote for more than 35 years. If he didn’t say anything about the work in the column, then it was not so bad.
He introduced a number of famous international writers to Malayalam readers. Marquez is a household name in Kerala just because of Krishnan Nair. I have to admit his contribution to my reading. I started reading translations of Russian, Latin American and European novels just because of Krishnan Nair. When he talked about “Magic Mountain” (Thomas Mann), compared other Malayalam works with this book and said that it is a mountain compared to them, I couldn’t resist reading that book.
When I got a job, the first thing I did was to buy some of these books so that I could read and re-read them at leisure.
He called his column literary journalism as opposed to criticism, and wrote in a language which common people can understand. This made the column popular and attracted the public to good literature.
Psychology of traffic jam
Recently traffic jams have become part of life in Chennai. I have noticed that they happen for no real reason. Obviously the number of vehicles on the road is growing, but that is not the main cause of some of the traffic blocks here.
Someone told me how to measure the value of time. When you cross the road and you are not careful for a second, a vehicle can come and kill you. So the price of a second can be a life or more than that. But is one second worth paying your life for? I don’t think so. But here in Chennai I have seen people think otherwise. When the traffic signal has turned red and the vehicles from the other side have started moving, some people want to squeeze through with their life.
I always wondered about the psychology of these people. Once Jesin and I were going on a bike and another person overtook us and went past. I tried to catch up with that guy. Jesin told me, “You are better than him in lots of other areas. Why are you worried when that guy overtakes you now? It is not worth proving that you are better than him in this area (driving); let us leave him.” Then it occurred to me that maybe inferiority complex and peer pressure are what make people do this suicidal act.
The main reason for traffic is that the crowd does not obey traffic rules and no one has the patience to wait for a second.
Long back you needed a lot of courage to break laws. The police would arrest you and put you in prison. Now the situation has changed. You need a lot of courage to obey the law when all the others are breaking it. You need to withstand the peer pressure and control your inferiority complex.
This is the same psychology as in breaking queues. In India none of the big guys stand in the queue: ministers, higher government officials etc. So if you break the queue you are in their league. Nobody wants to be a common man. Is it the power game?
When I googled it I found an article from Psychology Today, “Waiting is a power game”: http://www.findarticles.com/p/articles/mi_m1175/is_v21/ai_4757174/pg_2
“The power principle, then, is a triad: First, making a person wait is an exercise in power. Second, powerful people have the capacity to make others wait. And third, the willingness to wait acknowledges and legitimizes this power.”
If you can wait and are willing to, others can’t use their power on you, so they stop possessing the power to make you wait. The authors, Robert Levine, E.B. White, quote from Siddhartha to explain it. Unknowingly I was using Siddhartha’s strategy, so I was wondering why people are worried about waiting for a second. This explains a few things.
I need to re-read Siddhartha (Hermann Hesse). Siddhartha is a beautiful poetic novel. I read it a few years back, and one concept I remember from the book is what Siddhartha says about Buddha: “Buddha’s way is the right way only for him; others have to find their way on their own and nobody can do it for them.” You may see a similarity between J Krishnamurthy and Hesse here. Hermann Hesse is the grandson of Hermann Gundert, whom the Malayalis can’t forget.
Is it something to do with our education system? Or is it that time is money and everyone wants to make money? Maybe the values are changing as globalization is set to change the world.
Freedom From The Known
“For centuries we have been spoon-fed by our teachers, by our authorities, by our books, our saints. We say, 'Tell me all about it - what lies beyond the hills and the mountains and the earth?' and we are satisfied with their descriptions, which means that we live on words and our life is shallow and empty. We are secondhand people. We have lived on what we have been told, either guided by our inclinations, our tendencies, or compelled to accept by circumstances and environment. We are the result of all kinds of influences and there is nothing new in us, nothing that we have discovered for ourselves; nothing original, pristine, clear”
I was reading the famous book by J Krishnamurthy, Freedom from the Known. The essence of the book is: always be your own guru. Don’t expect other gurus to guide you. They can only guide themselves.
In this book he discusses conditioning, fear, filters, awareness, joy and all other feelings in depth.
“It is the same with sexual desire or any other form of desire. There is nothing wrong with desire. To react is perfectly normal. If you stick a pin in me I shall react unless I am paralysed. But then thought steps in and chews over the delight and turns it into pleasure. Thought wants to repeat the experience, and the more you repeat, the more mechanical it becomes”. Krishnamurthy is asking us to live in the present, not in the past or future. This was a fantastic book when I read it 10 years back. Even when I re-read it, it excites me with the depth of its ideas. This is a must-read book for anyone.
Krishnamurthy talks about awareness, which is nothing but a deep understanding of things. Be aware of your conditioning, which prevents you from knowing things. When you identify a tree by name you are satisfied that the tree is a banyan tree. But still you don’t know anything about the tree: how the leaves are, how the branches originate, how its flowers and fruits look, how the trunk is, how its roots go into the soil etc. The name of the tree prevents you from understanding the tree.
This conditioning and these filters prevent you from understanding things. When you are aware of your conditioning and see beyond it, you will start seeing and feeling the world.
This concept is the same as the one used in research: identify the hidden assumptions used in a theory in order to understand the theory completely. Krishnamurthy came to my mind when Shashi mentioned the Navier-Stokes equations and how mechanical engineers use them. We chemical engineers always start from the complete equation and simplify it using all the assumptions, whereas mechanical engineers use a simplified version of the equation in most cases. Most of them use the simplified version without understanding the assumptions behind it.
Capitalism communism evolution and MOQ
Capitalism is like evolution, where natural forces define the path along which the economy should progress. So if evolution is good or has more quality than anything else, capitalism should be right.
How do you define quality?
Robert M Pirsig defines quality in terms of evolution. If a species is higher in the chain of evolution then it will have higher quality. So evolution defines quality. This argument is valid assuming that evolution progresses based on Darwin's theories of struggle for existence and natural selection. So capitalism should be the best method for economic growth.
Pirsig defines quality in his book Lila. He defines it based on the biological evolution tree and extends it to societies, which come as the next stage after man in the evolution tree. The evolution tree becomes a scale for economic analysis.
If we look into the drawbacks of evolution we will get the limitations of capitalism. One major drawback, as well as advantage, is time-tested values. On a larger time scale evolution is always right, even though it takes wrong turns on a smaller time scale and corrects them. On the larger scale it is predictable to an extent, but it is highly unpredictable on a smaller time scale.
As with all nonlinear systems, we can’t say when the solution will bifurcate. Once it deviates from the path, whether it can come back on its own is a question. Since the system is highly nonlinear and stable for some time, we can assume that it will come back. Otherwise the new path will become the right path, because the world economy is the one defining the highest level of quality.
When it is deviating from the stable path, do we need to correct it? Yes, the society itself will create the potential to correct itself. Nonlinear analysis of the economy and the society is a vast topic and I am forced to split the post here.
Mind and Suspense
I always used to think about how I was able to watch a suspense movie over and over and still wonder what would happen next. Even though we know the ending of the movie, we always expect a twist, or we are curious to know how Arnold is going to save the kid in Terminator II.
Think about the cold war stories. We know that there was no nuclear disaster, otherwise we wouldn't be here to read these stories. Still we are anxious till the last minute, wondering whether they will be able to avert the danger. How does this happen? Are we so dumb?
This should have something to do with the way the mind stores these memories or knowledge and retrieves them, and with the part of the mind that creates the suspense. There seems to be some lack of co-ordination between these two departments. Either the part of the mind which creates suspense doesn't care about the knowledge which is already there, or creating the suspense is faster than retrieving the memory.
We cannot completely retain the suspense. Some part of it is lost when we watch the movie a second or third time and some part is always there. The “what is next” part is lost after the first time, but the “how is it going to happen” part remains.
This should give some inside information on the working of the mind. The “what is next” part of the suspense is mostly a static part which is created for the complete movie and each incident in the movie. But the “how” part of the suspense is a dynamic one which is updated each and every moment, so this part seems to be out of sync with our knowledge.
Think of this as a shared object which is calculated and updated very frequently, and after each update another function tries to correct the value using some static values, and these happen in two independent threads. What will be the output: the calculated value or the corrected value? This depends on the frequency at which the correction thread executes. The brain will have some resource contention/performance issues and might have optimized this for optimistic concurrency, which caused this issue.
Don't think it is a bug, because tons of business banks on this feature.
Classes in Economics
There are self-believed classes in economics. People believe that they belong to one class and behave based on their class.
Whatever happens outside their class doesn't affect them. These classes exist all over the place.
Consider the people moving on a road: the person travelling in a car is only worried about the cars others possess. If he has a small car he is not worried about the people having a BENZ or BMW. He is comparing his car with the same class and will be worried only if he sees a better car in that class, not by a BMW Z3 moving in front of him. In the same way a person travelling on a bike is worried about other, better bikes and not about cars.
This happens in all domains. According to an old study, normally you will be attracted to the opposite sex belonging to your class. When love breaks class, that was a story.
These classes make people comfortable with the success they have achieved inside the class.
When this class structure is broken it creates unrest and chaos. If you look at Chennai, the class structure is more or less rigid. It may have started from the caste system and is now powered by economics. This makes most of the people happy to stay in their class.
Consider the situation in Kerala. Because of educational advancement and the land reforms, the class structure is almost broken. One other major reason is the so-called GULF effect. This creates discrepancies in the already weak class system.
There was a time in Kerala when people believed only in educational class and were not bothered about economic and social classes. As and when the values shift towards money, this shift towards economic class is also inevitable.
Consider two families staying in nearby houses with the same economic and educational class. Then one person from one family goes to the Gulf countries and this family becomes economically forward. The other family still believes that both are in the same class, but the economic differences are huge and imbalance creeps in. The solution to this problem is awareness of economic class.
All this is in the wake of the increasing number of suicides happening in Kerala. Most of them have as their reason not accepting that the neighbours have moved to a higher economic class, or difficulty in staying in the class they originally belonged to.
One reason why this is not prominent in other parts of India is the strong caste system, where social class is still the prominent class. Also, the economic and the social class are more or less the same.
These class shifts occur in all countries which earlier had a strong class system that was not an economic class. In the present scenario the economic class is gaining importance, and acceptance of this fact makes people more uncomfortable. People belonging to higher classes now find themselves in a lower class based on financial status. This has happened at different times and at different paces, based on the existing system and economic growth.