Wednesday, November 15, 2006

My Credit

I was taking a close look at my latest credit card statement from Citibank and it had a most curious clause:

"The Credit Information Bureau India Ltd. (CIBIL), is an initiative of the Government of India and the Reserve Bank of India (RBI) to improve the functionality and stability of the Indian financial system. This is in line with their efforts to provide an effective mechanism for exchange of information between banks and financial institutions, thereby enabling customers to avail of better credit terms from various institutions. All banks and financial institutions participating in this initiative are required to share customer data with CIBIL. In view of the above, we wish to inform you that we shall now be reporting the data pertaining to your account with us (including Additional Card on your account) to CIBIL. This data will be updated on a regular basis for all our customers. We thank you for your continuing support and co-operation in this matter."

I understand the reason that Credit Rating Agencies exist: ostensibly to assess the credit score of both individuals and corporations, which in turn is used to determine applicable interest rates through risk-based pricing that gives due weightage to the expected cost of the borrower. That's hardly what I have a problem with.

What I want to know is under what specific RBI Notification or Guideline this is being done as I feel it amounts to an invasion of my financial history and privacy. Further, there seems to be no method for me to "opt-out" of such a reporting mechanism. Neither have I chosen to "opt-in" to such third-party disclosures.

I am also curious as to what information, or "data" as it is so called, they will disclose to CIBIL, and what the terms of such disclosure are with respect to the rights and liabilities of Citibank NA and CIBIL. As it is my financial data, I maintain that I have a right to know. Lastly, I am worried about the safety issues of a common pool of such sensitive financial information being held at one location. How can they assure me that the safety mechanisms in place are sound, and how will they indemnify me against any losses that might arise from an unauthorized leak or disclosure of the data "reported" to CIBIL?

In the United States, such disclosures to and the functioning of Credit Rating Agencies are regulated by the Fair Credit Reporting Act, which lays down obligations such as "providing a consumer with information about him or her in the agency's files and to take steps to verify the accuracy of information disputed by a consumer. Companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. Also, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports. Further, users must identify the company that provided the report, so that the accuracy and completeness of the report may be verified or contested by the consumer. It has been recently amended to guard against Identity Theft" (from Wikipedia). Do similar obligations exist as regards CIBIL?

On to CIBIL. From their website, one gathers that the shareholders are primarily banks that operate in India, along with Dun & Bradstreet and Trans Union International, the latter being one of the largest Credit Rating Agencies in the United States. Their current shareholding pattern is as shown below:


Right, so we've established that this is a closed eco-system of banks that essentially share financial information related to the credit-worthiness of their customers, whether the customers agree or not. How well they protect our data ought to be the next pertinent question. The answer is not very comforting. Among other common-sense measures (access control and anti-virus software) they employ:
  • 128-bit SSL encryption for all Web-based transactions including FTP.
  • Cryptographic solutions for all information sent or received through any physical media i.e. CD, DAT and DLT.
Comforting? I'll leave that to the crypto expert who reads this blog, quite apart from the fact that such agencies are apparently very easy to lie to. Lastly, there seems to be no privacy policy posted on their website.

Citibank in their reply to me state, most pithily, that "...CIBIL is an initiative driven based on RBI's guidelines and all banks are required to share their customer information with them... the details shared would be the credit limit assignment and the payment pattern of a customer and the information will not be of transactionary details. We are not aware of the email address of CIBIL to be shared with public."

All in all, not a very happy situation.

13 comments:

Rohan Pinto said...

nice article...

interesting enough I could search the CIBIL database and procure names, and addresses of a whole list of defaulters....

looks like they have a long way to go in "restricting" access to their database... like you said... 128 bit encryption etc... is all smalltime crap that may scare the farmers away...

but the database being wide open and searchable may cause them grief along the way....

I was surprised that I could search their database for a list of defaulters so easily... someone with malicious means could do some damage with that info...

looks like "privacy" ain't on the priority list for CIBIL right now...

Rohan Pinto said...

CLICK HERE TO ACCESS CIBIL.COM and see HOW SECURE IT REALLY IS - THIS IS JUST A DEMO

Rohan Pinto said...

CLICK HERE TO ACCESS CIBIL.COM and see HOW SECURE IT REALLY IS - THIS IS JUST A DEMO

Rohan Pinto said...

Here's another example the previous 2 do not work in certain instances...

blr bytes said...

Rohan, I think the purpose of the database is to disseminate that information publicly.

The point of the post was to highlight that there is no privacy policy in place, not that you can search the database. The database consists of cases where a suit has been filed. And if a suit has been filed, that knowledge, in the absence of a court order to the contrary, is definitely in the public domain.

That, and the fact that you cannot request a credit report, nor can you challenge it directly, which you can do in the US.

Rohan Pinto said...

well you got a point.... but the database of defaulters being publicly searchable opens wider holes in the system.

there would soon pop up several PRIVATE "credit" protection bureaus who would obtain this list and then start contacting defaulters and selling services to them such as credit protection etc....

a credit search even in the US is not "public". I don't think I can perform a credit search against your identity..... without your permission.

the cibil site also boasts of security.. 128 bit encryption etc... but @ the same time... their site is extremely vulnerable to other kinds of phishing attacks like the one I showed in my previous comment....

Well.... a good example would be... I could obtain the name of a "defaulter".... and then send him a well drafted email to click on a link and verify the information... and maliciously steal data from his pc...

credit scores... is one thing... privacy is another.. and security is another... I believe cibil has a long way to go in working on all 3 aspects of this newly launched service...

blr bytes said...

But this isn't a credit search. This is a search of defaulters.

alephnull said...

Some data could be stolen from your browser, but that would depend quite a bit on your browser's threat model and what you have configured it to be.

Some care must be taken to make sure that such an attack cannot be performed on a website and I think the point Rohan's trying to make is that sites of a 'sensitive' nature (like CIBIL's) should take that care.

I imagine the scenario to run like:
1. User A gets an email offering a link to check his 'credit rating'. The link can be fixed so that it looks legit.
2. User A on clicking the link, turns up at CIBIL's site with some information that (s)he may or may not be interested in.
3. In the background some data is stolen from A.

The liability (IMHO, IANAL) is not CIBIL's. If CIBIL has been informed about a possible attack but do not intend to fix it, I, personally, would like to see this documented somewhere. But no other organisation (that I know of) does this, and I would not be surprised if CIBIL does not do this either.

Raj said...

Hi,

Is there any security hole in finding the customer database? The script exploit you did was only for defaulters above 1 crore.

Altaf said...

I am asserting my right under the CICA, 2005 Act to obtain a copy of my own credit report, and I am willing to make payment of the necessary fee as well as provide any identity documents that CIBIL may require.
