BSNL Scheme: Your Password Will Be Public Knowledge


When we look at computer users in India and consider "Security", one thing that strikes us is the negligence in handling the "Access Controls" to information assets.

Out of the many options available, the "Password" is the most commonly used access control mechanism, used by individuals and organizations alike to control access to, and monitor usage of, computer systems.

Consequently, "Passwords" become the key identifiers in case of any fraudulent use of computer resources leading to cyber crimes.

At a time when efforts are being made the world over to increase awareness of the importance of "Passwords", the need to use "Strong Passwords", to avoid "Sharing of Passwords" and to keep changing passwords, and to fight viruses of the Bugbear kind which install key loggers and steal your passwords while you use them, the news which appears in The Hindu today is rather surprising.

The story being referred to is an announcement by BSNL that it would introduce a new scheme for fixed telephone line users under which automatic Internet access would be provided at a cost of Rs 6 per hour (10 paise per minute) in addition to the telephone charges.

The scheme is generally to be appreciated since it provides for universal availability of Internet service. It is likely to bring down the access service cost of other ISPs, and in future new dial-up Internet customers will have no need for VSNL or SIFY.

However, what attracts attention is the announcement that the password to be used for Internet access would be the telephone number itself.

It is not clear whether the report is incomplete and what is envisaged is to treat the telephone number as the User ID rather than the password. If not, it would be strange if anybody could use a telephone, log in to the Internet, use an anonymizer service and leave no trace for identifying the origin in case of cyber crimes.

It is also to be clarified whether a person can log in from any telephone and use another telephone number as the password. Even though the system can refuse a login when the physical line and the password do not match, considering the possibilities of accidental and deliberate cross connections, the system would be unreliable for source tracing.

At present, when a person uses a dial-up account, he can be traced to the telephone line used and made accountable for his session activities because he uses a unique authentication password. Even if he uses anonymizer services, his login trace still remains.

In the proposed system, this key investigative link would be lost. This is a dangerous proposition in the light of the intense terrorism-related activities that take place through the Internet.

Further, it is necessary to make the service require "Activation" and be capable of being "Deactivated", like the STD facility, so that consumers can protect themselves by disabling their Internet connection and avoid its being used by spoofers.

It is therefore necessary for BSNL to introduce the following:

1. While every telephone number can be enabled for Internet access, usage should be subject to a specific customer request and activation. Activation should ideally be through a tear-off form in the Bill or a similar written request.

2. At the default set-up, a password can be assigned randomly, such as the "Called Telephone Number 10 in the Bill" or "Bill amount in paise", which will be known only to the person in possession of the Bill. Subsequently, the user can be required to reset the password on first login, with the proviso that the new password has to be different from the default password. (In such a system, a person can use any telephone to log in but conducts his session under his own identity. There is no need to link the physical line with the user ID.)

3. Multiple ID registration on the same line can be provided so that multiple users of a telephone can use the Internet services without compromising on accountability.

4. Once activated, a "Deactivation" facility should be provided, as with STD. Such deactivation and subsequent reactivation and deactivation should be based on a PIN selected by the user.

5. The login should be through a password which the user himself sets at the time of activation.

6. Appropriate notice should be given prominently in every Bill that the "Telephone is enabled for Internet", briefly advising the customer to keep the facility deactivated to avoid misuse.
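To make the six points above concrete, here is an added example (not BSNL's system and not code from this article) that models the proposed activation and password scheme in memory: a bill-derived default password rather than the telephone number, a forced reset on first login that rejects the default and the line number, several user IDs on one line, PIN-controlled deactivation, and a session log keyed by user ID so the investigative link survives. The bill field name `called_number_10`, the class and method names, and all telephone numbers and PINs are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so that neither passwords nor PINs are stored in the clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


def _check(secret: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(_hash(secret, salt), digest)


@dataclass
class Account:
    user_id: str
    line_number: str
    pw_salt: bytes
    pw_digest: bytes
    pin_salt: bytes
    pin_digest: bytes
    default_salt: bytes        # kept so a reset can reject "same as default"
    default_digest: bytes
    must_reset: bool = True    # point 2: forced change on first login
    active: bool = True        # point 4: user can switch the facility off


class DialupAuth:
    """In-memory model of the activation/password scheme proposed above (hypothetical)."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.sessions: list[tuple[str, str]] = []   # (user_id, calling line) audit trail

    # Points 1 and 2: activation on request; the default password comes from data
    # printed on the bill (here the 10th called number), never the phone number itself.
    def activate(self, line_number: str, user_id: str, bill: dict, pin: str) -> Account:
        default_pw = bill["called_number_10"]          # assumed bill field name
        pw_salt, pin_salt = secrets.token_bytes(16), secrets.token_bytes(16)
        acct = Account(
            user_id=user_id, line_number=line_number,
            pw_salt=pw_salt, pw_digest=_hash(default_pw, pw_salt),
            pin_salt=pin_salt, pin_digest=_hash(pin, pin_salt),
            default_salt=pw_salt, default_digest=_hash(default_pw, pw_salt),
        )
        self.accounts[user_id] = acct   # point 3: any number of user IDs per line
        return acct

    # Point 4: deactivate or reactivate only with the user's PIN.
    def set_active(self, user_id: str, pin: str, active: bool) -> bool:
        acct = self.accounts[user_id]
        if not _check(pin, acct.pin_salt, acct.pin_digest):
            return False
        acct.active = active
        return True

    def password_acceptable(self, acct: Account, new_pw: str) -> bool:
        """Reject the weak choices the article warns about."""
        if len(new_pw) < 8:
            return False
        if new_pw in (acct.line_number, acct.user_id):
            return False            # telephone number as password is exactly the flaw
        if _check(new_pw, acct.default_salt, acct.default_digest):
            return False            # must differ from the bill-derived default
        return True

    def reset_password(self, user_id: str, old_pw: str, new_pw: str) -> str:
        acct = self.accounts[user_id]
        if not _check(old_pw, acct.pw_salt, acct.pw_digest):
            return "bad_password"
        if not self.password_acceptable(acct, new_pw):
            return "weak_password"
        acct.pw_salt = secrets.token_bytes(16)
        acct.pw_digest = _hash(new_pw, acct.pw_salt)
        acct.must_reset = False
        return "ok"

    # Point 5: login with the user-chosen password. The session is logged against the
    # user ID, not the physical line, which is the link the article wants preserved.
    def login(self, user_id: str, password: str, calling_line: str) -> str:
        acct = self.accounts.get(user_id)
        if acct is None or not _check(password, acct.pw_salt, acct.pw_digest):
            return "bad_password"
        if not acct.active:
            return "inactive"
        if acct.must_reset:
            return "reset_required"
        self.sessions.append((user_id, calling_line))
        return "ok"


if __name__ == "__main__":
    # Constructed sample bill and numbers; not real subscriber data.
    auth = DialupAuth()
    bill = {"called_number_10": "04428765432", "amount_paise": "123450"}
    auth.activate("04424123456", "user1", bill, pin="4321")
    print(auth.login("user1", "04424123456", "04424123456"))   # line number rejected
    print(auth.login("user1", "04428765432", "04424123456"))   # default works, reset forced
    print(auth.reset_password("user1", "04428765432", "Str0ngPass!"))
    print(auth.login("user1", "Str0ngPass!", "04429999999"), auth.sessions)
```

The session log records which registered user was active, from which calling line, so a later investigation has the same trace a dedicated dial-up account gives today, while the telephone number never serves as a credential.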

In the meantime, the other ISPs can start looking at alternative revenue models to avoid becoming redundant.

Naavi

June 7, 2003

Related Article:

Chennai Telephones Plans Account-Free Internet Service - The Hindu
