Wednesday, December 28, 2011

Are ICICI Credit Cards In India Insecure?

Recently, news of a virus attack on ICICI Bank transactions was reported. It is premature to treat that report as true or false; the truth and authenticity of the claims of either the security professional or ICICI Bank must be established through an official channel.

Now another person has raised a hypothetical doubt about the security of ICICI credit cards in India. The author has tried to explain a hypothetical weakness in ICICI credit cards as issued in India. On a plain reading of the facts, the doubt seems genuine and reasonable.

This may be a single case, or it may be the regular practice adopted by ICICI Bank; at this stage it is too early to comment on that aspect. Let us analyse the facts provided by the author of the website. He writes:

“When a card is blocked and a new card is reissued by ICICI Bank, the first 14 digits of the new card are the same as on the old card. The 2 changing digits are also in a series. I did it twice on the same card, i.e. blocked a card and requested a reissue. So the three card numbers had the same first 14 digits and the following last two digits.

(1) xxxx xxxx xxxx xx08
(2) xxxx xxxx xxxx xx16
(3) xxxx xxxx xxxx xx24

So say if your card details were leaked online and you requested ICICI to block the old card and get a new one, then all the attacker has to do is wait for a month for a hypothetical new card to reach and then use all other details (except for the CVV of course, but CVV is just a 3 digit attack vector) and guess the last two digits. The last two digits also follow a series. According to my totally unlearned eyes, this is a weakness. What do you say?”

He further explains in a comment: “Once you have a card number + personal details from a previous attack, the expiry date is the lamest to crack. Cards are issued for years and not months, so it will mostly be the same month as when the card was issued, i.e. the same month as the card was blocked. The year part will be a company policy, right? i.e. from the year of issue + x years types. CVV is just a 3 digit numerical hack. If you have all other info, cracking the CVV should not be a challenge”.

Can somebody shed light upon this hypothetical doubt?
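One way an issuer could catch the pattern described above before a reissued number goes out, as an added example (not ICICI's or the blog author's code): the card numbers below are constructed test values with a dummy prefix, and the 16-digit layout of BIN, account identifier and Luhn check digit is an assumption.

```python
# Added example: issuer-side check that a reissued card number is not
# trivially derivable from the blocked one. Assumes a 16-digit PAN laid
# out as BIN (digits 1-6), account identifier (digits 7-15) and Luhn
# check digit (digit 16).

def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) validation of a numeric PAN string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def account_digits_changed(old_pan: str, new_pan: str) -> int:
    """Count positions that differ among digits 7..15, the part the issuer
    actually chooses. The BIN is expected to stay the same, and digit 16 is
    a check digit fully determined by the other fifteen, so neither says
    anything about how unpredictable the new number is."""
    return sum(1 for a, b in zip(old_pan[6:15], new_pan[6:15]) if a != b)

def reissue_is_predictable(old_pan: str, new_pan: str, min_changed: int = 4) -> bool:
    """True when the new PAN shares too much of the account identifier with
    the blocked one (the series described in the post) or is malformed."""
    if len(old_pan) != 16 or len(new_pan) != 16:
        raise ValueError("expected 16-digit PANs")
    if not (luhn_valid(old_pan) and luhn_valid(new_pan)):
        return True                      # malformed candidate; reject it
    return account_digits_changed(old_pan, new_pan) < min_changed

# Constructed test numbers with a dummy 4000 00 prefix (not real cards).
BLOCKED   = "4000000000000002"
REISSUE_A = "4000000000000010"   # only digit 15 moved; check digit followed
REISSUE_B = "4000001234567899"   # fresh account identifier

if __name__ == "__main__":
    for cand in (REISSUE_A, REISSUE_B):
        verdict = "predictable" if reissue_is_predictable(BLOCKED, cand) else "ok"
        print(cand, verdict)
```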

Manual Action Penalty And Censorship By Google

For long, Google denied the concept of a manual action penalty against websites. Google maintained that websites are only algorithmically demoted if they are found violating Google's guidelines and quality standards. However, this assertion cannot be trusted if we analyse the numerous cases of website delisting and demotion frequently conducted by Google.

The real question that must be analysed here is whether there is a system to uncover what a rogue employee of Google is doing under the garb of a manual action penalty. Clearly either Google or malicious competitors are manipulating websites and blogs.

Even Matt Cutts has publicly acknowledged that Google uses whitelists as well as manual action penalties to demote and delist websites and blogs. This contradicted Google's earlier stand, and the acknowledgement is a direct result of the antitrust investigations from the EU, the Texas attorney general, and possibly the US Federal Trade Commission.

Matt has provided examples of cases where a manual action penalty can be imposed by Google. These include cases where Google receives reports of spam, off-topic porn, and the like. This list is not only vague but is also a potential source of censorship and website filtering by Google without following the due process of law. Surprisingly, after Google, even Facebook used censorship to block my Facebook account without citing any reasons.

There is no doubt that whenever companies like Google or Facebook have to adopt measures that are neither strictly legal nor in conformity with their own policies, they always invoke the trump card of “spam communications”. Of course, spam is a violation of the terms of service (TOS) of any company, including Google and Facebook, but a resource must actually be spam to invoke such a penalty. Both Google's manual action penalties and its algorithmic demotions are prone to misuse, and they may actually be misused in many cases by Google employees.

There is no second opinion about the fact that manual interventions are an important part of any search engine. The problem is that for so many years, Google has largely avoided acknowledging that these interventions exist, and it has said almost nothing about how they work. So the question of why Google has censored the Cyber Laws in India blog would remain unanswered by Google.