|
|
|
 |
|
|
|
|
Internet Leeching
by
K S Sudheer
In response to the leaching incident I would like to share my personal experience with BSNL Mysore and its negligent modus operandi in handling the usernames and passwords of its customers.
I have been using BSNL broadband from a year and recently felt it’s a long time to have the same password and changed it accordingly. But due to some technical hitch in BSNL the change did not take effect and even the old password did not work.
Next working day I had to call the customer care for trouble shooting when I was directly asked by the operator the reveal my username and password to check what has gone wrong.
When I questioned the operator that passwords are not supposed to be revealed and it becomes a voluntary security breach the reply was;
This is the way all trouble shooting calls are handled. The operator will verify from BSNL computer whether they can log into my account and if it happens they come to a conclusion that there is something wrong with the customers modem which may not have registered the change properly and will then guide customers the method of changing password in modem.
This method of trouble shooting cannot be accepted. A common man who does not understand the significance of his usernames and passwords will be revealing it to the whole world in the guise of trouble shooting
And another aspect that has to be observed is that the application form for a broadband connection in Mysore has 3 lines which require the applicant to mention 3 different usernames out of which one will be allotted to him, and correspondingly a password will be generated by BSNL. (which will generally be some 1234 or ASDF etc with the first three letters of username or the initials of user) One who knows these methods of BSNL operation can easily find a loophole and exploit users.
With all these the information security breach from insiders (employees) in BSNL cannot also be ruled out for the fact that the employees of BSNL who come to install the modem are the ones to give username and password, if these employees of BSNL are booked/bribed/befriended then its very simple to get 4 or 5 usernames with passwords daily.
The legal implications of the above is a according to ITA 2000 in an event of user accounts being exploited qualifies unconditionally for Hacking under section 66.
Law in this section very clearly mentions that an act of unauthorized intrusion by any means, which also includes the above mentioned trouble shooting technique, Installation procedure and username theft from applications as hacking.
Naavi
October 7, 2007
