Cyber insecurities in a developing society
RANJAN DWIVEDI and ASIM ARUN
WHILE cyber crimes like bank frauds, identity theft, phishing, spoofing and hacking get central focus in a developing society like India, the real trouble, both in volume and in gravity, lies elsewhere. The number of mobile phones in India is 16 times the number of personal computers. (919: 57 million); 9.05 million of these mobile users use Internet whereas 13.81 million households have a broadband connection. Clearly, an increasing number of people are preferring to use their mobile devices to connect to the Internet and this deserves a lot more attention.
The wide use of pirated operating systems, software, and media creates inherent vulnerability. The awareness of people using computers is extremely low as hardly any cyber security issues are addressed in Hindi or other Indian languages. It can also be attributed to the fact that not many people use IT in a way that it becomes mission critical for them and are hence disinclined to invest in making themselves more secure.
Issue of SIM on fake IDs: A person wouldn’t commit a crime if he knew there was an outside chance of getting caught. The entire crime prevention effort is based on this premise. In the business of mobile telephony, when a SIM card is bought the person has to submit proof of identity and address to the retailer who forwards it to the company, which after vetting the two documents activates the SIM. The company does a tele self-verification, a process in which a call is made to the new SIM and details mentioned in the application form are verbally verified. Because of this feeble process, it is easy to get possession of a SIM on a fake ID.
Not all the people using such SIMs do so because they are terrorists or professional criminals. Many do so to hide their fat mobile bills from the taxman. Quite a lot of people choose to buy these ‘pre-activated’ SIMs simply to avoid the delay between the purchase and activation. According to the 2012 World Bank report, ‘Maximizing Mobile’, 96% of mobile subscribers in India use prepaid connections. The main reason is probably that India is a price sensitive market and prepaid connection users can easily hop from one provider to another if they find a more attractive tariff plan. But this reality and a weak verification process have led to a huge number of SIMs on fake IDs. While no official figures are available, police investigators say that virtually eight out of ten SIMs they come across during investigations are fake! The law provides that if a company is found to have issued a SIM on a fake ID, it is liable to pay a fine of Rs 50,000. However, because of poor or little enforcement, this is unheard of.
The best way out is to make the process simpler. Immediate activation should be possible if a person applies with his Aadhar card. As the UID authority allows everyone to verify the Aadhar online, the retailer could do the entire process himself – take a finger print scan, make entries into a central software system and activate the SIM immediately. A pilot has been done in the state of Andhra Pradesh and the Department of Telecom is likely to formulate and announce a policy soon. A similar process could be adopted for persons holding a valid passport. This way a foreign visitor landing at an Indian airport could easily buy a SIM and start using it immediately. This process would also help save money otherwise spent on the verification process, which is anyway feeble.
H
arassment – crank calls and blank calls: This is beyond doubt the most prevalent of all mobile crimes and also a stepping stone to further crimes. Calling numbers randomly to have some fun is a pastime for many aimless individuals and women are their preferred targets. The tenacity of such pesky callers can be estimated from the fact that nine out of ten calls on the police emergency helpline 100 are of this nature! Even radio jockeys do this routinely to turn someone into a ‘bakra’.This is quite similar to telemarketing calls, specifically known as unsolicited commercial calls. The good news is that a reasonable solution has been found for it. Through a system of registering telemarketers on one hand, and enabling subscribers on the other to register and block such communication, the menace has substantially reduced. A similar solution can be put together to end this problem. A mechanism for reporting such crimes and another for warning and then withdrawing services to that subscriber could be an effective and cost-effective solution. If the problem persists, legal action could be initiated.
Until the recent amendments to the Indian Penal Code, a person making such pesky calls to a woman could be punished with one year’s imprisonment and a fine. But have you ever heard that happen? No. That’s why such crimes have soared. After the 2012 Delhi gang rape case, many amendments were made to the IPC, one of which is section 354 D that provides for a maximum punishment of three years, plus a fine to a person found ‘stalking’ another.
The Uttar Pradesh Police has a hugely popular service called 1090-Women Power Line. Here, women report ‘pesky callers’ to lady call takers, while male counsellors call the accused to counsel them. Most of them learn to behave and those who don’t have legal action initiated against them. In less than a year of its existence, the service has more than 100,000 satisfied clients. Such arrangements must be further nurtured.
M
obile theft, IMEI counterfeiting: Going by the conventional definition of crime, theft is on top of the list. Mobile phones are no exception to this. Industry experts say that more than Rs 500 crore worth mobiles are stolen each year. Stealing is an offence under the Indian Penal Code and an arrangement to prevent mobile theft through a number called IMEI is in place. IMEI (International Mobile Equipment Identification) is a 14 or 15 digit identification number that uniquely identifies a mobile handset, similar to what a chassis number is to an automobile. When a mobile device tries to register into a network, its IMEI is recorded. It is possible to create a registry of blacklisted IMEIs and block them off the networks, thereby rendering theft of mobile phones a useless business proposition. Australia was the first country to implement this across its GSM networks in 2003. The United Kingdom has also done this effectively by creating a National Mobile Property Register.The registry will not work until change of IMEI is also made impossible. Presently, it is possible to change the IMEI of a device by using software that can be downloaded free. Legally, this act constitutes a serious crime of counterfeiting, which is punishable by up to seven years in prison. Some Chinese manufacturers make phones that don’t have any IMEI! The Government of India has prohibited the use of such phones, and the networks are now effectively complying with this directive.
Manufacturers ought to devise a hardware solution that makes it impossible to change the IMEI number of a handset. Despite extensive research in this area, the money invested is a small fraction of that being lost. Until that happens, consumers should be encouraged to use software that helps track a phone. Available free of cost, it is an effective tool for investigating thefts.
W
idespread use of pirated software: For decades, users in India have managed with pirated software operating systems, applications and media. Initially, a lack of awareness and enforcement to prevent piracy led to widespread use of such software. For most people it was normal to buy hardware and request the vendor to load the software free of cost. Even some government offices did not buy official software! In those times, floppies and CDs constituted the main mode of viral injection, but with the progression of Internet, computers have become far more vulnerable. Concomitantly, software manufacturers developed an arrangement of sending out regular updates to plug the security gaps and make other improvements. Here arises the problem in its present shape. Several users in India continue to use ‘not genuine’ software, which does not update itself while the threats and vulnerability around it grow and descend through the net.The situation can be ameliorated by putting in place policies that encourage the use of open source software. For a start, the government could make it mandatory for its own offices and their servers to use open source software. Brazil, for example, has promoted open source in a big way. It has even set up a portal to host open source software for municipal agencies, schools, retail outlets, libraries, accounting, and so on (www.softwarepublico. gov.br). Users in a region are encouraged to develop software best suited to their needs. The BRICS countries, which includes India, have pledged their support in this transformation. Imagine how much money can be saved by the country if only there is a strategic large-scale recourse to software, as also years of manpower, currently wasted in securing cyber systems.
I
nadequate awareness for security wares for smartphones: Though the mobile revolution has taken users by storm, the regulatory and security environment has been slow to react, and has been left far behind. While the issues of standards and interoperability have been addressed for personal computers, the case of mobiles still requires more effort. As smartphones replicate most functions of computers, the vulnerability to data theft goes up several fold, as people increasingly store and access critical information on smartphones, unfortunately without adequate attention to vulnerability. The sale of smartphone antivirus as compared to that for personal computers, reveals an inverse equivalence to the number of smartphones and personal computers sold.
L
anguage divide deepens the digital divide and cyber insecurity: Only three per cent of Indians have access to the Internet at home and only 21 per cent understand English, and a much smaller percentage, well. A vast majority of people have no means of educating themselves about cyber threats. An occasional and superficial article in the Indian language newspapers is of little help. It is only recently that software was made available in the Indian languages, but the antivirus software by and large does not provide any support. If security related messages pop up in a foreign script, it is not easy to visualize their use.Cyber security in developing societies is a challenge that we have barely begun to address. It is exacerbated not just by the digital divide – a large population struggling with rising hardware and software expenses, the rise often having little relation to productivity – but also a huge language divide. What is more tragic is that our development leaders and policy makers are inadequately sensitive to this. While the Government of New Zealand portals have a Hindi section and the UK has information in several Indian languages, most Government of India portals have only dated and sketchy Hindi sections, and nothing in other Indian languages. The journey to a cyber secure environment is likely to be a long and testing one.
* The authors are officers of the Indian Police Service. The views expressed are personal.