Mobile Numbers Directory
SMS alerts have come to be increasingly used by Banks as a means of informing customers about Credit Card and transaction information, so that customers can alert the bank if the transactions are not genuine. Some Banks are even treating this on par with "second factor authentication". In many mobile banking transactions, SMS is the means of authentication. In view of this, the mobile number of a customer becomes a key piece of information about the account holder which the Bank should consider as "Security Sensitive".
I recently came across an instance where ICICI Bank was sending SMS alerts to a person concerning some other account holder. The recipient was considering it a nuisance and ignoring the messages. After this continued for a time, the recipient notified the Bank about the wrongful addressing of the message to him/her, pointing out the concerns that this could be a security risk for the recipient for which the Bank could be held liable. A copy of the notice sent is as below:
(PS: numbers masked)
I have a mobile connection with number 99xxxxxxxx which is being used by my wife sparingly.

I would like to bring it to your notice that I frequently receive communication through SMS regarding a credit card 4477xxxxxxx and account XXXXXX527518 on this mobile number. These accounts don't belong to me.

The possibility is that the mobile number might have been associated with some other customer some time back and might have been surrendered to Vodafone and reissued to me.

Please therefore check your records and remove this mobile number from the accounts mentioned above and obtain the customer's correct current contact details.

If you think your records are correct, please let me know the full name, address, email address and account number of the client so that I will directly contact him/her and ensure that they instruct you properly.

Please note that any failure on your part to correct the data at your end will continue to cause the following legal complications.

1. You are associating an account with my mobile number. If the account holder does any illegal act, there could be a wrong association of me with such transactions. If such an eventuality arises, please take note that on the basis of this notice, I will hold the Bank liable.

2. With this error in the maintenance of customer data, you are revealing confidential account information to a third party. This is a violation of privacy for your other customer and he can claim damages from your Bank.

3. From time to time you may have to urgently contact your customer for sending fraud sensitive alerts and by sending it to a wrong number, your alerts will fail to reach the right customer. In such cases the responsibility of the Bank would be higher and it may have to take liability for the frauds.

In view of the above, and in the interests of all three parties, namely the mobile number owner, the account holder and the Bank, it is necessary for you to correct the mistake on a priority basis.

I am separately taking up this issue with your management in case I don't receive a proper reply in the next three days.

The object of this mail is to bring to your notice how what could even be a typographical error in data entry could lead to serious legal consequences. No offence is meant to any officials responsible for this error. I will be happy if you take corrective action.
The Bank is yet to respond to this notice.
I had also come across, some time back, an instance where a mobile applicant had complained that the service provider's agent collected two sets of address and identity proofs on the pretext that the first was misplaced, and the applicant was apprehensive that her signed and authenticated address and ID proofs may be used for issue of a SIM to another person.
In order to address the implications of the above two types of legal risks, there is a need to make some fundamental changes to the system of handling mobile customer data in India, and TRAI needs to take a look at this. I know that a solution in this regard may not be perfect, but it has to be as perfect as it can be while reducing the legal risks on a third party.
Firstly, while land lines of BSNL are available in a public directory, other service providers of land lines don't have public directories. Mobile companies also don't maintain public directories.
The reasoning for this is that the information itself may be considered as "Private". As a result, there is no public reference to find out the genuine mobile number associated with a person. Banks and others need to accept what the customer declares. If a terrorist provides the mobile number of another person while opening an account, or uses a mobile connection at the time of opening, discontinues it later and the number is re-issued to another person, then the Bank will be carrying the wrong mobile number in its data.
The absence of a publicly available directory of mobile phones is hampering Banks and others in checking the mobile numbers provided by a person, except by sending a mobile message and asking for confirmation. This procedure is yet to become a standard security practice.
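As an added illustration of the confirmation procedure just mentioned (this is example code, not anything from the article or from any bank), a minimal contact registry that withholds account alerts until the declared number has echoed a one-time code, requires re-confirmation after a while, and drops the number as soon as its holder reports it is not theirs; the account ids, limits and the injected `now` clock are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

CODE_TTL_SECONDS = 300                    # a confirmation code lives five minutes
MAX_ATTEMPTS = 3                          # wrong guesses allowed before the code is voided
REVERIFY_AFTER_SECONDS = 180 * 24 * 3600  # ask the holder to re-confirm about twice a year

@dataclass
class Contact:
    number: str                           # declared mobile number (hypothetical format)
    verified_at: Optional[float] = None   # epoch seconds of the last successful confirmation
    pending_code: Optional[str] = None
    code_issued_at: float = 0.0
    attempts: int = 0

@dataclass
class MobileContactRegistry:
    contacts: Dict[str, Contact] = field(default_factory=dict)  # account id -> Contact

    def start_verification(self, account: str, number: str, now: float) -> str:
        # Store the declared number as unverified and issue a one-time code (returned for the demo only)
        code = f"{secrets.randbelow(10**6):06d}"
        self.contacts[account] = Contact(number, None, code, now, 0)
        return code

    def confirm(self, account: str, code: str, now: float) -> bool:
        c = self.contacts.get(account)
        if c is None or c.pending_code is None:
            return False
        if now - c.code_issued_at > CODE_TTL_SECONDS or c.attempts >= MAX_ATTEMPTS:
            c.pending_code = None         # expired or exhausted: verification must restart
            return False
        c.attempts += 1
        if not secrets.compare_digest(c.pending_code, code):
            return False
        c.verified_at, c.pending_code = now, None
        return True

    def can_send_alert(self, account: str, now: float) -> bool:
        c = self.contacts.get(account)
        return (c is not None and c.verified_at is not None
                and now - c.verified_at <= REVERIFY_AFTER_SECONDS)

    def report_not_mine(self, number: str) -> int:
        # Recipient says the number is not theirs (e.g. reissued by the carrier): unverify it everywhere
        stale = [c for c in self.contacts.values() if c.number == number and c.verified_at is not None]
        for c in stale:
            c.verified_at = None
        return len(stale)
```

Account data is only released by `can_send_alert`, which is true solely for a number its holder confirmed and confirmed recently enough.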
Some would argue that a public directory would lead to SMS spamming. However, we all know that spamming happens even now. To prevent spamming, the concept of a Do Not Call register may continue, so that the directory itself can mark the DNC registered numbers in red.
Further, those who advance the privacy argument must appreciate that one of the established norms of privacy is that the data owner should have the ability to check whether the data associated with him in a database is accurate or not.
If today I raise a query to an ISP, "Please certify that my address ..... or my name .... is not associated with any mobile number other than ........", will the ISP be in a position to provide such a certificate? Alternatively, if there were a directory searchable by address or name, this could be verified by the citizen himself. This is now possible in the BSNL directory (though updating is still an issue).
In order to address the privacy issues, every search of such a database may be permitted only after the IP address and declared identity of the person searching the data are obtained in a request screen, supported by a declaration that the information would not be used for spamming or other illegal purposes (for whatever it is worth).
A request has also been made to TRAI to find a solution to this problem.
Naavi
December 13, 2009
Comments are welcome at naavi@vsnl.com