Check, please!

Kripa Raman

Rakesh Goyal, Managing Director of the Mumbai-based Sysman Computers Pvt Ltd, recently made a purchase worth $5 on a Web site through his credit card.

Goyal says he was greatly surprised that his credit card was accepted at all, although it was not an international one. Secondly, he was asked for nothing more than his credit card number. ``Anybody who knew my credit card number could have made the purchase.''

Now that his card bill has arrived, Goyal has to pay up. Goyal says he can always ask the credit card company to show the charge slip proving that the purchase was his. He can even refuse to pay. ``I am going to pay, of course, but what if I had not actually made the purchase?''

With a digital signature system not yet in place in the country, the credit card is, technically speaking, open to easy misuse on the Net, points out Goyal.

Goyal is director of the National Centre for Research in Computer Crime as well as member on the auditors' committee of the Controller of Certifying Authorities of the Ministry for Information Technology. (Certifying Authorities (CAs) are those organisations who are licensed by the Government to grant digital signatures).

Internet security experts say that until the use of digital signatures becomes an established practice, the danger of misuse of credit cards and other Internet financial transactions will remain.

The danger is not merely from the possibility that merchant establishments (sellers who accept credit cards) could compromise their customers by letting out vital details about their credit cards.

``Most of the merchant establishments would not like to do it as they have a reputation to defend,'' says the systems head of a foreign bank in Mumbai. ``The danger is also from other people around you who could misuse your card on the Net simply by knowing your card number and some basic details such as your address and date of birth.''

Internet security experts say they are amazed that merchant establishments are often content to just get the credit card number of the buyer and ask for little else. ``That was all they asked of me,'' says Rakesh Goyal.

Satish. J, Manager, Systems, at a foreign bank, and on the advisory of the cyber crime cell of Mumbai police, said such happenings were on the increase for two reasons. ``Access to the Net has grown. Also, Indian credit cards are now globally acceptable. Most Net merchants are located overseas. Anyone who knows your credit card can transact.''

There are some safeguards, of course, say the technical experts. Some merchants will only send your purchase to the address as declared by you with the credit card company itself. This means that even if your neighbour stole your number, the purchase he makes will eventually come to your own billing address.

But there are loopholes in this, too. A lot of people want to gift their purchase, and in that case, the gift need not land at the actual owner's doorstep. The thief would then have to ``gift'' the purchase to himself.

In a particular case faced by a credit card company, an elderly gentleman had vehemently insisted that he had not made certain payments through the card. Later, it turned out that his son and friends were using the card to access ``paid girlie sites''.

Digital signatures (electronic replacements of physical signatures created by software) are just waiting to happen in India. More than 200 entities ranging from software companies, banks, ISPs, and even departments such as the Income-Tax Department, have picked up the application details from the Controller of Certifying Authorities.

The licensed CAs will offer digital certificates to persons. The Controller certifies the public keys of the CAs, laying down standards.

Only a few of the 200 interested parties may eventually become CAs, notes Goyal. The Controller has stipulated a minimum paid-up capital as well as the net worth of the parties that may be eventually licensed. ``To develop a proper certification solution and system itself could cost around Rs 10-15 crore.''

Many institutions, such as the Indian Merchants' Chamber in Mumbai, say that once the digital certification is available, several of their facilities would be available electronically. ``We issue Certificates of Origin which we are authorised to grant to our member-exporters,'' says Bhavin Kadakia, head of the IT committee of IMC. ``Once digital signatures are in place, we can issue the certificates much faster -- at a fraction of the time that it actually takes now.''

Digital signatures are an essential part of any safe transaction. ``We are sitting on a little gunpowder keg every time we do online transactions without them,'' says the chief systems manager at another financial institution. ``I would say that only intranet exchanges are truly safe in the absence of digital signatures with their public and private key infrastructure requirements.''

Feedback can be sent to kripram@thehindu.co.in

Please e-mail us at eworld@thehindu.co.in if you have queries on computer usage or if you find an interesting way of using the computer.