Tuesday, September 22, 2009

Airtel mChek: Convenient but Confusing

Online security is a completely different ball-game. Indian regulators haven't even begun to understand what it means. I am very confident that it won't take too long for a semi-smart hacker to enter and steal information from banks, telecom operators and public utilities. Every once in a while, I notice how many websites have extremely complex processes to hide very basic holes in their security policies.

I registered for the mChek facility of Airtel. This allows you to link all your credit card details to the cellphone number. Paying for services is as easy as sending an SMS. The shocking part is that after I canceled my Airtel phone number, the credit card details continued to exist in their database. My linked mChek account is not deleted automatically when the Airtel account itself is deleted. I know this because on my new Airtel number, I get an error stating the credit card is already in use by another mChek account (2 months after that number is discontinued).

When I contacted Airtel, they asked me to contact my bank and get the credit card number changed. So every time I use a lousy service provider, I must get a new card? Wow!

To quote from their reply:

Please be informed that you need to register in your bank if you want to change the number for your card after registering in mchek. Hence we request you to change the number in bank by calling to bank call center and try to use mchek for your new mobile number.

This is unsafe because it reveals that Airtel as a service provider does not really understand how mChek works and how it is used (or misused). Any financial instrument must have the same checks and balances as a regular bank instrument, and online systems require even MORE. Why have so many checks on banks but none on a telecom company? In the absence of regulatory understanding, non-traditional financial offerings put too much onus on the user and too little responsibility on the provider.

This is just one example. I have seen similar security gaffes for banks like HDFC and broking houses like NJ Invest. Some time ago, I found all my personal details on a BSNL website while Googling. An application I sent them was available on their customer support server. A direct URL with NO login required! Luckily they took it off after I complained.

Mobile Commerce is new to India and a great technology evolution. These services must take special efforts to appear secure and allay the worries of tech-phobic users. Hiding behind opaque helpdesks and living in denial of breaches already made is a disservice to their own cause. The mChek page on Airtel does not even have a link to report bugs, errors or disputed payments. Your only option is the standard Airtel 121 helpdesk, which is rather ill-equipped to handle these specialised (and sometimes, more urgent) cases.

Making the customer pay with either his time or money is preferable to securing systems and places where THEY must make an effort. After all, if all comes crashing down, the government is always standing by for a bail-out.


Next Day Update:
The process is actually as simple as reporting the change of phone number to support@mchek.com and they delink the accounts. Someone at mChek with a knack for thwacking kulhadis on their own feet found this blog and offered to help. Very impressive in an era where they could have easily allowed brick-headed call-centers to play ping-pong with me. Thanks, Nidhi! Next up, try to convince Airtel to add some useful FAQ on their website and educate their L1 engineers about VAS support :-)


nidhi said...

This is wrt the mChek experience you had. This is not an expected behavior of the service. Please share your phone number (old and new) and we will get this checked.
And don't worry about the security because even if someone gets your phone number, he will have no access to your credit card data. This can be explained in detail over phone or email.
Sorry for the inconvenience.

Anonymous said...

I am glad to see some reaction here!! I hope you get some help.

I find it unfair that there is often too much onus on the user and too little responsibility on the provider.

Hiding behind opaque helpdesks and living in denial of breaches already made is a disservice to their own cause. True again!

nidhi said...

@Vidooshak - I have sent you an email. Please let me know in case you don't receive it.

Mama - Mia said...

hail blogging!! :)

hope the issue gets sorted out to your convenience!



Vidooshak said...

@Nidhi, yes thanks for following up. mChek is lucky to have good employees-- even if they are dependent on Airtel to promote the services.

I have edited the post to clarify the tone. My grudge is against Airtel service. The fact that I want to register with mChek again means I obviously like what it does!!

nidhi said...

@Vidooshak - Thanks for the update at the blog and the appreciation!

choxbox said...

hey i know someone who works for mChek! will fwd this to the person.

Vidooshak said...

@choxbox - thanks for the help. the issue has been sorted out-- incidentally, by someone from mChek directly. 3 days after it was fixed, the "official" mChek support called me because they received the complaint from Airtel Nodal officer. so essentially, it was just a case of the 121 helpdesk not knowing what to do with these issues. that is distressing.

the mChek service and support, itself, was quite satisfactory and comforting!

Poppins said...

Oh yay for blogging!