India unprepared to tackle online data security: report

New Delhi: It’s become a lot easier to buy online private data like credit card details and medical records than before, but India is unprepared to take on this challenge even as it digitizes the records of its citizens, says the author of a recent report by Intel Security Group, previously known as McAfee, Inc., a US-based computer security software company.

Apart from credit card details, data—accessed illegally by cyber criminals—that can be bought online includes account information of online payment services, login details for online services ranging from e-commerce sites to music streaming services, medical records and well as data related to digital identities like social media and email accounts.

To be sure, the trend of accessing stolen data online has been around for a while and there are several websites that offer software tools to acquire stolen financial data. However, what has changed in the past two years, says this report, is that people now no longer need the software—you can buy the information directly from sellers, for cheap.

“The reality is that now you can actually search from your standard search engine for stolen financial data including credit card details,” said Raj Samani, vice president, chief technical officer for Intel Security in Europe, the Middle East, and Africa, and the author of the report, in a telephonic interview from London. “The fact that it is really accessible -- that’s a big change.”

The data up for grabs includes PayPal accounts, Internet banking logins, enterprise login details, access details for digital services including music and video streaming services, loyalty programmes and information on user identity, Samani said.

“The data sets that are available are really rich,” he added.

PayPal did not respond to an email seeking comment.

The rates to access information of Indian users is higher than that of Americans. One can get credit card details of a user registered in India for about $15 while full information including name, address, phone number, date of birth, mother’s maiden name and every other piece of data related to the credit card user can be bought for $30-$35.

For comparable information of a US resident, the charge is $5-$8 for credit card details and about $30 for all the information. Rates for UK residents are at par with India.

“It is not just about you pay this much or that much for a credit card, but the number of options that you have when you buy a credit card is quite significant. It is a real economy on an industrial scale,” said Samani. “There are so many more sellers out there.”

“On individual sites and forums, they are competing with one another. So we are seeing a natural price war occurring,” added Samani.

The factors that influence the price include where the customer details were originally registered, how much money is in the account, the credit limit and the validity rate (whether the credit card is still valid as credit card companies usually disable cards as soon as a data breach happens.)

For instance, information on a bank account that has $400-$1,000 in it can be bought for $20–$50, for accounts with balance between $1,000 and $2,500 is available for $50–$120, while data for higher balance accounts, between $2,500 and $5,000 and $5,000–$8,000, can be purchased for $120–$200 and $200–$300 respectively.

The prices have also “dropped significantly with the increasing supply” of such information mainly due to frequent and bigger data breaches, pointed out Samani adding, “with the single breach in Target Inc., 110 million accounts were compromised.”

According to a 2013 McAfee report, prices for basic credit card users in Asia ranged from $50 to $150, while for a US credit card holder, it ranged from $15-$80.

Sellers of stolen credit cards employ various tactics to be seen as trustworthy. While some offer free replacement services if the data sold is not satisfactory, there are others who give recommendations on who to buy stolen credit cards from.

“We have got a real bustling market over here,” said Samani, who is a member of a few of these forums.

These sellers are not necessarily hackers, which was the case a few years back.

“There are many individuals involved from the time when data gets stolen to when data gets sold. We have individuals who will get the information and re-package it; there are people who go out and identify people to sell it on their behalf,” said Samani. “The distance between the perpetrator and the person actually selling it has become longer.”

The situation has become more challenging now because neither the seller nor the buyer of private data needs to have the technical know-how.

“Now you don’t need to know technical skills to become a cyber criminal. This is the challenge we face,” said Samani. “The skill and knowledge required is the lowest it could ever be.”

This underground marketplace has evolved to include almost every conceivable cyber crime product for sale or rent, said the report. “In reality, this marketplace is not nearly as well hidden as we imagine, and it certainly does not require prior knowledge of a secret public house and its hidden courtyard,” it said.

“India has no choice but to be ready”, to protect all that data from falling in the wrong hands, said Samani.

This is because India is going through a massive digital transformation, with the government’s flagship programme “Digital India” aiming to provide government services online to citizens, which requires information about citizens to be digitized first,

What makes it worse is that there is no provision in Indian law for authorities to shut down or take any kind of action against websites that are hosted in another country.

“India is not at all in a state of preparedness to take on the cyber criminals -- thus, to say, it is not prepared for Digital India,” said Pavan Duggal, a cyberlaw expert and Supreme Court advocate. For one, there’s no legal framework to tackle cyber crime.

The IT Act 2008 partly addresses the issue, but the nature of cyber crimes has evolved and transformed since then. “Without cyber security legislation, India will not be able to become the IT superpower as it aims to be,” said Duggal, adding, “The cyber security policy 2013 is merely a paper tiger. It has not been implemented.”

“The other issue is the awareness about the cyber crimes among digital users in India is abysmally low,” he said. “All the stakeholders including government, enterprises and people need to come together to tackle this huge challenge.”