Wednesday, November 15, 2006

My Credit

I was taking a close look at my latest credit card statement from Citibank and it had a most curious clause:

"The Credit Information Bureau India Ltd. (CIBIL), is an initiative of the Government of India and the Reserve Bank of India (RBI) to improve the functionality and stability of the Indian financial system. This is in line with their efforts to provide an effective mechanism for exchange of information between banks and financial institutions, thereby enabling customers to avail of better credit terms from various institutions. All banks and financial institutions participating in this initiative are required to share customer data with CIBIL. In view of the above, we wish to inform you that we shall now be reporting the data pertaining to your account with us (including Additional Card on your account) to CIBIL. This data will be updated on a regular basis for all our customers. We thank you for your continuing support and co-operation in this matter."

I understand why credit bureaus exist: ostensibly to assess a credit score for both individuals and corporations, which in turn is used to set the applicable interest rate under risk-based pricing, giving due weightage to the expected cost of lending to that borrower. That's hardly what I have a problem with.

What I want to know is under which specific RBI notification or guideline this is being done, as I feel it amounts to an invasion of my financial history and privacy. Further, there seems to be no way for me to "opt out" of such reporting, nor have I ever chosen to "opt in" to such third-party disclosures.

I am also curious as to what information, or "data" as they call it, they will disclose to CIBIL, and what the terms of that disclosure are, including the rights and liabilities of Citibank NA and CIBIL. As it is my financial data, I maintain that I have a right to know. Lastly, I am worried about the safety of pooling such sensitive financial information in one location. How can they assure me that the safety mechanisms in place are adequate, and how will they indemnify me against any losses arising from an unauthorised leak or disclosure of the data "reported" to CIBIL?

In the United States, such disclosures, and the functioning of credit bureaus generally, are regulated by the Fair Credit Reporting Act, which lays down obligations such as "providing a consumer with information about him or her in the agency's files and to take steps to verify the accuracy of information disputed by a consumer. Companies that provide information to consumer reporting agencies also have specific legal obligations, including the duty to investigate disputed information. Also, users of the information for credit, insurance, or employment purposes must notify the consumer when an adverse action is taken on the basis of such reports. Further, users must identify the company that provided the report, so that the accuracy and completeness of the report may be verified or contested by the consumer. It has been recently amended to guard against Identity Theft" (from Wikipedia). Do similar obligations exist as regards CIBIL?

On to CIBIL. From their website, one gathers that the shareholders are primarily banks that operate in India, along with Dun & Bradstreet and Trans Union International, one of the largest credit bureaus in the United States. Their shareholding pattern, as published on their website, is shown below:

(shareholding chart from CIBIL's website; image not reproduced here)
Right, so we've established that this is a closed ecosystem of banks that share financial information about the credit-worthiness of their customers, whether the customers agree or not. How well they protect our data ought to be the next pertinent question. The answer is not very comforting. Among other common-sense measures (access control and anti-virus software), they employ:
  • 128-bit SSL encryption for all Web-based transactions including FTP.
  • Cryptographic solutions for all information sent or received through any physical media i.e. CD, DAT and DLT.
Comforting? I'll leave that to the crypto expert who reads this blog. Two things are worth noting, though. FTP is not a "Web-based transaction", and if they mean FTP wrapped in SSL (FTPS) they should say so. More importantly, transport encryption only protects data while it travels between two endpoints; it says nothing about who is authorised to query the pool once the data has arrived, or how that access is logged and audited, and that is the question that actually matters for a shared database. Add to that the fact that such agencies are apparently very easy to lie to. Lastly, there seems to be no privacy policy posted on their website.

Citibank, in their reply to me, state most pithily that "...CIBIL is an initiative driven based on RBI's guidelines and all banks are required to share their customer information with them... the details shared would be the credit limit assignment and the payment pattern of a customer and the information will not be of transactionary details. We are not aware of the email address of CIBIL to be shared with public."

All in all, not a very happy situation.

11 comments:

Anonymous said...

Nice article...

Interestingly enough, I could search the CIBIL database and procure the names and addresses of a whole list of defaulters...

Looks like they have a long way to go in "restricting" access to their database... like you said, 128-bit encryption etc. is all small-time crap that may scare the farmers away...

But the database being wide open and searchable may cause them grief along the way...

I was surprised that I could search their database for a list of defaulters so easily... someone with malicious means could do some damage with that info...

Looks like "privacy" ain't on the priority list for CIBIL right now...

Anonymous said...

CLICK HERE TO ACCESS CIBIL.COM and see HOW SECURE IT REALLY IS - THIS IS JUST A DEMO

Anonymous said...

CLICK HERE TO ACCESS CIBIL.COM and see HOW SECURE IT REALLY IS - THIS IS JUST A DEMO

Anonymous said...

Here's another example; the previous 2 do not work in certain instances...

blr bytes said...

Rohan, I think the purpose of the database is to disseminate that information publicly.

The point of the post was to highlight that there is no privacy policy in place, not that you can search the database. The database consists of cases where a suit has been filed, and if a suit has been filed, that knowledge, in the absence of a court order to the contrary, is definitely in the public domain.

That, and the fact that you can neither request a credit report nor challenge it directly, which you can do in the US.

Anonymous said...

Well, you've got a point... but the database of defaulters being publicly searchable opens wider holes in the system.

There would soon pop up several PRIVATE "credit protection" bureaus who would obtain this list and then start contacting defaulters and selling them services such as credit protection etc...

A credit search even in the US is not "public". I don't think I can perform a credit search against your identity... without your permission.

The CIBIL site also boasts of security... 128-bit encryption etc... but at the same time their site is extremely vulnerable to other kinds of phishing attacks like the one I showed in my previous comment...

Well... a good example would be... I could obtain the name of a "defaulter"... and then send him a well-drafted email to click on a link and verify the information... and maliciously steal data from his PC...

Credit scores are one thing... privacy is another... and security is another... I believe CIBIL has a long way to go in working on all 3 aspects of this newly launched service...

blr bytes said...

But this isn't a credit search. This is a search of defaulters.

Anonymous said...

Some data could be stolen from your browser, but that would depend quite a bit on your browser's threat model and what you have configured it to be.

Some care must be taken to make sure that such an attack cannot be performed on a website and I think the point Rohan's trying to make is that sites of a 'sensitive' nature (like CIBIL's) should take that care.

I imagine the scenario to run like:
1. User A gets an email offering a link to check his 'credit rating'. The link can be fixed so that it looks legit.
2. User A on clicking the link, turns up at CIBIL's site with some information that (s)he may or may not be interested in.
3. In the background some data is stolen from A.

The liability (IMHO, IANAL) is not CIBIL's. If CIBIL has been informed about a possible attack but do not intend to fix it, I, personally, would like to see this documented somewhere. But no other organisation (that I know of) does this, and I would not be surprised if CIBIL does not do this either.

Anonymous said...

Hi,

Is there any security hole for finding the customer database? The script exploit you did was only for defaulters above 1 crore.

Altaf Batliwala said...

I am asserting my right under the CICA, 2005 to obtain a copy of my own credit report, and I am willing to pay the necessary fee as well as provide any identity documents that CIBIL may require.
