Online security is a completely different ball-game. Indian regulators haven't even begun to understand what it means. I am very confident that it won't take too long for a semi-smart hacker to enter and steal information from banks, telecom operators and public utilities. Every once in a while, I notice how many websites have extremely complex processes to hide very basic holes in their security policies.
I registered for the mChek facility of Airtel. This allows you to link all your credit card details to the cellphone number. Paying for services is as easy as sending an SMS. The shocking part is that after I canceled my Airtel phone number, the credit card details continued to exist in their database. My linked mChek account is not deleted automatically when the Airtel account itself is deleted. I know this because on my new Airtel number, I get an error stating the credit card is already in use by another mChek account (two months after that number was discontinued).
When I contacted Airtel, they asked me to contact my bank and get the credit card number changed. So every time I use a lousy service provider, I must get a new card? Wow!
To quote from their reply:
Please be informed that you need to register in your bank if you want to change the number for your card after registering in mChek. Hence we request you to change the number in the bank by calling the bank call center and try to use mChek for your new mobile number.
This is unsafe because it reveals that Airtel as a service provider does not really understand how mChek works and how it is used (or misused). Any financial instrument must have the same checks and balances as a regular bank instrument; online systems require MORE of them. Why have so many checks on banks but none on a telecom company? In the absence of regulatory understanding, non-traditional financial offerings put too much onus on the user and too little responsibility on the provider.
This is just one example. I have seen similar security gaffes for banks like HDFC and broking houses like NJ Invest. Some time ago, I found all my personal details on a BSNL website while Googling. An application I sent them was available on their customer support server. A direct URL with NO login required! Luckily they took it off after I complained.
Mobile Commerce is new to India and a great technology evolution. These services must take special efforts to appear secure and belie the worries of tech-phobic users. Hiding behind opaque helpdesks and living in denial of breaches already made is a disservice to their own cause. The mChek page on Airtel does not even have a link to report bugs, errors or disputed payments. Your only option is the standard Airtel 121 helpdesk, which is rather ill-equipped to handle these specialised (and sometimes more urgent) cases.
Making the customer pay with either his time or money is preferable to securing systems, which is where THEY would have to make an effort. After all, if it all comes crashing down, the government is always standing by for a bail-out.
Next Day Update:
The process is actually as simple as reporting the change of phone number to email@example.com and they delink the accounts. Someone at mChek with a knack for thwacking kulhadis on their own feet found this blog and offered to help. Very impressive in an era where they could have easily allowed brick-headed call-centers to play ping-pong with me. Thanks, Nidhi! Next up, try to convince Airtel to add some useful FAQ on their website and educate their L1 engineers about VAS support :-)