Saturday, November 28, 2009

Are hotel key cards safe? Well.....


Many hotels and resorts use electronic key cards. These magnetic-stripe cards are programmed so that access to the room expires once the booked stay is over.

Electronic locks are meant to stop someone from simply picking up a card and letting themselves into a room, and they were introduced across the globe to improve hotel security. But what information does the card itself contain?

Are electronic key cards safe? That depends on what is stored on them.

"All hotels mention the customer's name, address, room number and duration of stay in the key card. The key card of the hotel has vital information. Some of the hotels and resorts do store personal details -- including credit card number and its expiry date," says Shah Amber, consultant (information security management services), Mahindra Special Services Group.

Pramoud Rao, managing director, Zicom Electronic Security Systems, agrees: there are many ways credit cards can be misused in a hotel, and key cards could lead to data theft.

Some of the five-star hotels declined to reveal details of the key card citing security reasons.

"The key card has the code to access a particular room. It does not store any other details, not even the name of the guests," Kanan Udeshi, manager communications, The Oberoi Group, said.

The key card has the name of the guest and the period of stay. Credit card details are recorded separately by the front desk to validate payment. There is also a provision in the system to make the credit card function as an e-key, according to an industry official.

If the key card does carry information such as credit card details, that data can be read and misused easily.

"There has been no data theft reported so far in India, but there are chances as the information remains on the card till it is handed over to another guest. If the credit card number is stored in the key card, when a guest uses other services in the hotel, he can swipe the card, which in turn is aligned to the front desk for billing," says Shah.

"We cannot reveal any details about the key card. We do not disclose any information that could be a threat to our guests," Nikhila Palat, Taj Hotel spokesperson, Mumbai, said.

Guests are not supposed to keep the key card; it stays with the hotel when they check out.

"The details from the card can be accessed by swiping the card in a normal scanning device. There have been cases abroad where the key card details were used to make mock credit cards. Most of the time the customers are not aware of the fact that the key card holds their credit card number," Shah points out.

If some employees connive with miscreants, they can access all the information just by swiping the card in any scanning device, Shah adds.

However, the All India Credit Card Users Association has not received any complaints. "There has been no case of fraud reported from a key card data theft. The possibility of hotels giving credit card numbers on key cards seems remote," says Vinod Kumar Chand, general secretary, AICCUA.

Meanwhile, Trend Micro, an antivirus and Internet content security company, says on its website that this is a hoax and calls it an 'urban legend'.

The firm says that there is a 'rumour circulating via email which alarms the public that hotel key cards contain personal information about the guest that can be put to ill use by malicious hotel personnel who have easy access to it. This hoax erroneously claims that the guest's home address and credit card number are recorded on key cards dispatched by hotels, thus exposing their customers to unauthorised purchases and cash withdrawals made using the sensitive information'.

The company says that although the origin of the email is based on a real investigation effort of a Southern Californian police district, US authorities have ruled out any security risks this controversy may pose. Moreover, hotel owners have clarified that only minimal information about their guests -- like their names, room numbers and arrival/departure dates -- are encrypted in the cards they use.
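The two accounts above cannot both be right for every hotel, and the only way to settle it for a given card is to read it and look. A practitioner's check, added here as an example and not part of the original article: dump the stripe with an ordinary magnetic-stripe reader (most present themselves to the PC as a keyboard and type the track text out), then scan that text for any digit run of plausible card-number length that passes the Luhn check every payment card number satisfies. The track strings below are constructed samples, not real dumps; hotel lock encodings are proprietary and not described on the page, and 4111 1111 1111 1111 is a publicly known test number, not a real account.

```python
import re

# Constructed sample track dumps (assumption: the reader types ISO 7811-style
# track text; real hotel lock encodings are proprietary and vary by vendor).
# 4111 1111 1111 1111 is a publicly known test number, not a real account.
SAMPLE_DUMPS = {
    # a lock code, arrival/departure dates and a room number; no card number
    "room_code_only": ";1234567890123=091128091130=0412?",
    # track 1 layout with a guest name and a payment card number in the clear
    "with_pan": "%B4111111111111111^DOE/JANE^0912?",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check that every payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan_candidates(track_text: str) -> list:
    """Digit windows of card-number length (13-19) that pass Luhn.

    Windows are slid over every long digit run, so a card number fused to a
    neighbouring numeric field (no separator) is still found.
    """
    cleaned = re.sub(r"[ -]", "", track_text)   # readers and humans add spaces/dashes
    hits = []
    for run in re.findall(r"\d{13,}", cleaned):
        for length in range(19, 12, -1):
            for start in range(len(run) - length + 1):
                window = run[start:start + length]
                if luhn_ok(window) and window not in hits:
                    hits.append(window)
    return hits


def mask(pan: str) -> str:
    """Keep only the first six and last four digits when reporting a hit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_dump(name: str, track_text: str) -> str:
    """One-line verdict for a dump; never echoes a full candidate number."""
    hits = find_pan_candidates(track_text)
    if not hits:
        return f"{name}: no Luhn-valid card-length number found"
    return f"{name}: possible card number(s) in the clear: " + ", ".join(mask(h) for h in hits)


if __name__ == "__main__":
    for name, text in SAMPLE_DUMPS.items():
        print(scan_dump(name, text))
```

About one in ten random digit runs of a given length passes Luhn, so a hit is a lead to compare against the guest's own card, not proof; and a clean result only says no card number is stored in the clear, not that the card holds nothing sensitive. Report masked values only, as the function does, so the check itself does not become a second copy of the number.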

Data theft

Shah Amber explains how data theft can be prevented.

"Internal threat is a big risk factor for companies. Companies must see to it that any data that can be misused should be completely secure. There are all kinds of technologies to secure IT systems," Shah says.

"Companies have hiked IT security budget and have made no compromise on this. Many have changed application security procedures as well. They have learnt how to recoup from the crisis," he adds.

"As for individuals, they must be very careful about data theft with proper anti-virus systems installed in their computers. It should be updated. They must make sure their Wi-Fi is not misused. They must not disclose e-mail id to any unknown site. They must also make sure children do not surf sites and accidentally pass on information," says Shah.

"There are many fake sites which can lure you and many end up giving their passwords as well. So there is a big threat so one must be very careful. To avoid hacking they can secure ports."

The Internet has become an open medium, and so it is also exploited by terrorists, but it is not possible to shut down every such site. One must be cautious when surfing and sharing information.

Source: Rediff.com, By Manu AB


Thursday, November 26, 2009

PEEP SHOW - Fake it & you may lose your dream job

ECONOMIC RECOVERY HAS BROUGHT EMPLOYERS BACK TO THE HIRING ZONE, BUT IT’S NOT EMPLOYEES’ MARKET YET Cos Step Up Background Checks Of Prospective Employees’ Educational & Personal Information

Our Bureaus NEW DELHI | KOLKATA

As the economy rebounds and hiring begins to pick up pace, companies are going to unprecedented lengths with sweeping background checks of prospective employees. The scope of pre-employment screening, which has traditionally been limited mainly to senior executives and involved basic searches to verify the accuracy of the resume, the educational background and biographical data, is now being vastly expanded. All job applicants, not just those at senior levels, are being scrutinised with a fine-tooth comb. And almost no area is off limits.

While false claims about education and employment are among the main triggers for rejection, some job applicants have been tripped up by their personal lives. One such was denied a job after an agency specialising in background verification discovered that the individual was having an extra-marital affair. The agency asked the prospective employer, a multinational company, to put the application on hold by filing a ‘pink’ report and the employer obliged. “In our lingo, green means a go-ahead, pink is doubtful and red signifies rejection,” said SK Sharma, group director-HR at Premier Shield, a security solutions company that carries out background checks on behalf of corporates. A red flag can be activated by a number of other factors: criminal history, substance abuse, a poor credit track record or even dodgy equity trading. While former colleagues, classmates and those living in the applicant’s neighborhood are tapped for information, some agencies go even further.

Premier Shield admits to setting up sting operations to test for ethics, and some companies infiltrate staff into the organization where the applicant is working to gather information about the prospective employee’s conduct with colleagues, especially women.

Arun Bhagat, vice-president, HR, with infrastructure group GMR said he visits colleges and universities and at least two past employers to do reference checks of candidates. It recently sacked an employee just days after he joined after it was discovered that he had falsified some documents. “For key roles in finance and at executive levels, we make discreet enquiries on the reliability of the professional, his reputation in and outside the organization and even carry out a search on the internet,” he said. Mr Bhagat insists that the checks are carried out with the consent of the prospective employee. Software and back-office service providers were among the first to make background checks mandatory for all potential hires. Many IT companies and HR consultants like Ma Foi engage firms such as First Advantage, PP Verify, PremierShield, Onicra, Authbridge for pre-employment screening, which can cost between Rs 1,000 and Rs 5,000 per employee.

Pinkerton Consulting & Investigations India, a detective agency, which undertakes screening for several multinational firms, found in a recent survey for IT and IT-enabled Services providers that about 4,000 companies, universities and institutes of dubious background were providing fake documents. Pradeep Bahirwani, vice-president (talent acquisition) at Wipro said that in the IT industry the average percentage of fake resumes is 20-30%. “Based on preventive and corrective actions less than 1% of the total active applications we receive would be fake,” he added.

Among other sectors, the financial services industry, which hires an estimated 75,000 employees every year, is now actively adopting the practice started by IT companies. Battling a marked rise in the incidence of fraud by employees — a recent study by risk consultancy Kroll showed that fraud is increasing twice as fast in the financial services sector than in others — companies are snooping on potential hires more than ever before.

“This is part of the new belt-tightening system in all high-profile recruitments in the financial sector,” said veteran headhunter, Ajit Isaac, MD & CEO of Ikya Human Capital Solution.

While nearly all leading banks carry out verification with the police for criminal history, some private banks like Axis Bank have also started checking the credit history of recruits. “Since credit history is closely associated with one’s reputation, reviewing it is becoming a norm before recruitment,” a senior Axis Bank official said. The country’s largest private sector insurer ICICI Prudential Life concedes that nearly 7% of the candidates it reviewed for hiring had a fraudulent past. The company has now partnered with reputed risk management agencies to undertake background screening.

“As one of the leading players in the insurance space, we are deeply concerned about the incidence of fraud and are working with the industry to explore ways to mitigate the risk of fraudulent activities,” said ICICI Prudential Life HR head Judhajit Das. The insurance sector is now even thinking of creating a common central database that will include the names of all employees fired for fraud. The proposal, put forward by Bajaj Allianz General Insurance, is now being discussed by all leading players.

The Life Insurance Council, the grouping of life insurers, is also keen on the idea. “However, someone has to manage such a database of delinquent employees — it may either be us or the regulator IRDA,” said chairman SB Mathur. With curious employers prying deeper into the backgrounds of potential employees, there are concerns that they could intrude into individuals’ privacy. E Balaji, CEO of HR firm Ma Foi, observes that in Europe, there are stringent privacy laws and strict regulations and guidelines about how much an employer can check the background of an employee. “In comparison, awareness about privacy laws is much lower (in India). Companies just take a broad declaration from the individual about such background checks,” he said.

Reporting by Monica Behura & Mahima Puri in New Delhi and
Writankar Mukherjee, Debjoy Sengupta & Atmadip Ray in Kolkata

Thursday, November 12, 2009

Good times for fraud

Fraud is a growing problem for corporate Australia, but there are tools that can detect suspicious activities.
Litigation is often cited as the main beneficiary of any business downturn, but there is another oblique area of financial services which proliferates during a financial crisis. Accountants are now reporting an unprecedented boom for their forensics departments, because in a downturn, fraud is rife.
Deloitte Australia claims that it has undertaken as much as five times its normal work in this area over the past 12 to 18 months and there is no sign of it slacking off. KPMG has also reported a considerable increase in its forensics business, and the need to take on new personnel to cope with the “boom”.
Unlike litigation, fraud is far less heralded – it is the corporate stain which dare not speak its name. Often accountants are brought in with both a covert and an overt role – overtly as auditors to check accounts and covertly to dig deep inside company data to check for both forced and unforced errors.
Frank O’Toole, Deloitte’s national financial crimes services leader, says the uncovering of fraud tends to occur when companies are compelled to examine their spending. “Sometimes it comes up during a normal cost-cutting exercise,” he notes.
While the media tends to hype up the proliferation of external, web-based fraud, internal fraud is by far the bigger problem for corporate Australia, costing the economy around $3.5 billion a year, according to the Australian Institute of Criminology. KPMG says around 65 per cent of frauds perpetrated on companies are internal. O’Toole says that often it is the employee who would be least expected to commit fraud who is tempted. “Normally those who would choose to do the right things are faced with certain pressures – they’re not getting a pay rise and they’re struggling with mortgage repayments and school fees – faced with the opportunity to misappropriate $20,000 or even $50,000, they succumb.”
KPMG’s head of forensic, Gary Gill, says it will continue for some time to come: “They’re saying the worst is over and things are looking good – well the bottom line is people are still doing it tougher now than 12 months ago,” Gill says.
Simple tricks
What kinds of frauds are being discovered? Gill says much of the fraud is very simple – on the accounts payable side KPMG is seeing a lot of false invoicing – the setting up of bogus vendors and then the processing of false invoices.
Gill also sees a lot of simple online payments fraud, much of which is barely disguised. “Sometimes they just transfer money straight out of the company account into their personal accounts,” says Gill.
O’Toole mentions slightly more canny pretences – the collusion with suppliers, whereby invoices are inflated for the benefit of both parties. Expenses fraud is also escalating, says O’Toole. “They tend to be around the $10,000 or $15,000 mark but we have seen expenses fiddles of up to $1million occurring.”
Forensic departments never tire of saying that companies which fail to segregate authorization and custodial duties will always be more susceptible; they also point to the need to regularly test internal controls for weaknesses.
Last but not least, a whistleblower process – which may incorporate a number of lines of access to report suspicions anonymously, is deemed essential.
Deloitte Forensic research found that around 70 per cent of frauds are usually identified by someone else in the organization, and over 80 per cent of staff who will not report fraud cite a fear of retribution as the reason.
Insurers even say that without good lines for reporting suspicions, a company will not be considered for fidelity insurance, which covers corporates for internal fraud.
Technology sniffs out fraud
Both Gill and O’Toole say one of the most exciting developments has been the growth of data analytics technology to monitor suspicious electronic transactions among thousands of pieces of information.
Document management systems are also becoming critical to support complex legal cases stemming from the misdeed.
Deloitte has its own proprietary system, as does KPMG. Both are built to analyse the millions of pieces of data in everyday business systems, for instance by comparing vendor master files with employee records. They can uncover real frauds as well as operational mistakes.
What kinds of things can they flag? Gill says you can run a comparison between accounts of employees on the payroll system against your vendor bank account numbers. “If an employee has the same number, you know there’s a problem.”
“You can look for duplicate payments – one legitimate, one false. Also round sum payments – very few invoices are for round sums. It’s a good idea to have them checked as well as any payments processed outside of normal business hours,” Gill says.
Deloitte cites a number of “red flags” the technology is most likely to throw up, which also includes things such as short-term changes to employee or supplier accounts.
Another give-away that fraud may be occurring is the repeated structuring of transactions just under the delegated authority limit. “Of course, five payments of $9999 authorized by a staff member with the authority to approve costs up to $10,000 would certainly be subject to close investigation in any organization … if detected,” says O’Toole.
Transactions conducted directly through the electronic funds transfer system rather than the accounting system are also subject to scrutiny. “Typically, instances of EFT fraud appear to be linked to issues around access to computer log-ons and inappropriate use of passwords,” says O’Toole.
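The red flags Gill and O’Toole describe above are simple enough to code directly. What follows is an added example, not Deloitte’s or KPMG’s proprietary system and not code from the article, that runs those rules over a small constructed payments file: vendor bank accounts compared with employee bank accounts, repeated vendor/amount pairs, round-sum amounts, approvals at weekends or outside the working day, EFT payments that never reached the ledger, and repeated approvals just under an approver’s delegated limit. The records, field names, the 90% band and the 30-day window are all assumptions chosen to illustrate the rules.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Payment:
    pid: str
    vendor: str
    vendor_account: str      # bank account the money went to
    amount: float
    approver: str
    approved_at: datetime
    in_ledger: bool = True   # False: sent straight through the EFT system, never booked


# Constructed sample data (assumptions for this example, not real records).
EMPLOYEE_ACCOUNTS = {"bob": "062-000-11112222", "alice": "062-000-99990000"}
APPROVAL_LIMITS = {"alice": 10_000.0, "carol": 50_000.0}

PAYMENTS = [
    # five approvals by alice, each just under her 10,000 limit, inside a month
    Payment("P1", "V100", "062-000-55550001", 9_999.0, "alice", datetime(2009, 10, 1, 10, 0)),
    Payment("P2", "V100", "062-000-55550001", 9_950.0, "alice", datetime(2009, 10, 6, 11, 0)),
    Payment("P3", "V100", "062-000-55550001", 9_980.0, "alice", datetime(2009, 10, 12, 9, 30)),
    Payment("P4", "V100", "062-000-55550001", 9_990.0, "alice", datetime(2009, 10, 19, 14, 0)),
    Payment("P5", "V100", "062-000-55550001", 9_995.0, "alice", datetime(2009, 10, 27, 16, 0)),
    # a vendor paid into bob's own bank account
    Payment("P6", "V200", "062-000-11112222", 4_250.0, "carol", datetime(2009, 10, 8, 15, 0)),
    # same vendor, same amount, a week apart: one genuine, one repeat
    Payment("P7", "V300", "062-000-77770003", 1_837.5, "carol", datetime(2009, 10, 9, 12, 0)),
    Payment("P8", "V300", "062-000-77770003", 1_837.5, "carol", datetime(2009, 10, 16, 12, 0)),
    # a suspiciously round invoice
    Payment("P9", "V400", "062-000-88880004", 20_000.0, "carol", datetime(2009, 10, 13, 10, 0)),
    # approved 02:30 on a Sunday and pushed straight through EFT
    Payment("P10", "V500", "062-000-66660005", 3_120.0, "carol",
            datetime(2009, 10, 11, 2, 30), in_ledger=False),
]


def flag_employee_vendor_match(payments, employee_accounts):
    """Vendor bank accounts that belong to someone on the payroll."""
    owner = {acct: emp for emp, acct in employee_accounts.items()}
    return [(p.pid, f"paid to employee {owner[p.vendor_account]}'s account")
            for p in payments if p.vendor_account in owner]


def flag_duplicates(payments):
    """Same vendor and same amount more than once: one legitimate, one false."""
    seen = defaultdict(list)
    for p in payments:
        seen[(p.vendor, p.amount)].append(p.pid)
    return [(pids[-1], f"repeats {pids[0]}") for pids in seen.values() if len(pids) > 1]


def flag_round_sums(payments, unit=1_000.0):
    """Very few genuine invoices are for round sums."""
    return [(p.pid, f"round sum {p.amount:,.2f}") for p in payments if p.amount % unit == 0]


def flag_out_of_hours(payments, start_hour=8, end_hour=18):
    """Approvals at weekends or outside the working day."""
    return [(p.pid, p.approved_at.strftime("approved %a %H:%M")) for p in payments
            if p.approved_at.weekday() >= 5 or not start_hour <= p.approved_at.hour < end_hour]


def flag_unbooked_eft(payments):
    """Money sent through the EFT system without a matching accounting entry."""
    return [(p.pid, "EFT with no ledger entry") for p in payments if not p.in_ledger]


def flag_structuring(payments, limits, band=0.9, min_count=3, window_days=30):
    """Repeated approvals just under an approver's delegated limit."""
    flags = []
    for approver, limit in limits.items():
        near = sorted((p for p in payments
                       if p.approver == approver and band * limit <= p.amount < limit),
                      key=lambda p: p.approved_at)
        for i, first in enumerate(near):
            cutoff = first.approved_at + timedelta(days=window_days)
            cluster = [q for q in near[i:] if q.approved_at < cutoff]
            if len(cluster) >= min_count:
                flags.append((approver, f"{len(cluster)} payments within {band:.0%} of the "
                                        f"{limit:,.0f} limit in {window_days} days: "
                                        + ",".join(q.pid for q in cluster)))
                break   # one flag per approver is enough to trigger a review
    return flags


def run_all(payments, employee_accounts, limits):
    return {
        "employee_vendor_match": flag_employee_vendor_match(payments, employee_accounts),
        "duplicate": flag_duplicates(payments),
        "round_sum": flag_round_sums(payments),
        "out_of_hours": flag_out_of_hours(payments),
        "unbooked_eft": flag_unbooked_eft(payments),
        "structuring": flag_structuring(payments, limits),
    }


if __name__ == "__main__":
    for rule, hits in run_all(PAYMENTS, EMPLOYEE_ACCOUNTS, APPROVAL_LIMITS).items():
        for ref, detail in hits:
            print(f"{rule:22} {ref:6} {detail}")
```

Each rule is deliberately cheap, because the value is in running all of them over the whole payments file rather than in any one of them: a single round-sum invoice means little, but a round-sum invoice to a vendor whose bank account matches a payroll record is worth a phone call. The structuring rule only fires on a cluster inside the window, which is what separates O’Toole’s five $9,999 approvals from an approver who legitimately works near their limit once a quarter.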
Is the cost of using this technology worth it? A company can spend millions trying to get to the bottom of its problems, but huge frauds have been discovered quickly – and at a relatively low cost.
Source:- The Sydney Morning Herald; By Adam Courtenay

Monday, November 2, 2009

Banks pushing chip-and-PIN place elderly at high risk of fraud

Customers kept in the dark as banks are reluctant to be upfront about alternative to chip-and-PIN cards
Thousands of elderly people are being left vulnerable to fraud because of the banking industry’s failure to explain to customers that there is an alternative to chip-and-PIN technology.
Under the Banking Code, all banks must offer a “chip-and-signature” account for those who may find it difficult to remember their PIN, or cannot use a chip-and-PIN terminal. However, Times Money has discovered that some banks are reluctant to tell customers of this alternative method.
Vulnerable people who are forced to use chip-and-PIN are likely to write down the number or tell it to someone else, which means that it is highly unlikely that they will be reimbursed if they become a victim of fraud. Jane Vass, of Age Concern and Help the Aged, says: “Many older people are driven towards payment methods that they are not comfortable with, putting their financial security at risk.”
John Walter, a pensioner from Devizes, Wiltshire, was recently sold a fee-based NatWest current account that came with a chip-and-PIN card. The card was stolen and thieves drained his account of £7,000 by withdrawing money at cash machines over 14 days. Mr Walter, who is 73 and described by friends as vulnerable and forgetful, admitted to NatWest that he had written his PIN in his diary. Although the diary was not stolen, NatWest still refused to reimburse his losses.
Elizabeth Merritt is a friend of Mr Walter and has taken up his case with NatWest. She says: “John has been with NatWest for 50 years and trusted the bank implicitly. He does all transactions inside his branch and had never even used his card. Despite this, NatWest still persuaded him to pay £13 a month for a chip-and-PIN account with features that he would never need. He was never told about chip-and-signature.”
NatWest told Mr Walter that somebody with access to his home must have seen the PIN and stolen his card, and that this constituted a breach of his terms and conditions. He was also told by NatWest that none of the cash machines used in the fraudulent transactions had CCTV cameras, and “this may be something the fraudster had considered before using the card”.
When Times Money approached NatWest, the bank maintained that Mr Walter had been negligent. However, it agreed to refund the £7,000 as a gesture of goodwill. Mr Walter has now been given a basic bank account and will request chip-and-signature.
Another pensioner, Rosa Farrell, of Hereford, recently had £3,500 fraudulently withdrawn from her bank account by her eldest son, who had a gambling problem. Mrs Farrell, 65, wrote down the PIN and kept it well hidden in her house, away from her card, but on a visit her son managed to find the card and the number. He was convicted for the theft.
Mrs Farrell’s bank, The Co-operative Bank, said that because she had written down the number she had been negligent and would not be reimbursed. She had to take her case to the Financial Ombudsman before she recovered her money. “I don’t know why the bank did not stop the suspicious transactions, which were totally out of character,” she says. “In the end, the ombudsman ruled that I was entitled to believe that my bank details were safe in my own home.”
The Financial Ombudsman Service, which resolves disputes between consumers and banks, deals with about 150 complaints about chip-and-PIN fraud every month — usually when someone’s bank has refused to compensate them for losses.
Fewer than 500,000 people have a chip-and-signature account, according to the UK Payments Association, despite the banks agreeing to offer vulnerable people an alternative to chip-and-PIN when it was introduced in 2004. However, there are 700,000 people with dementia in the UK, according to the Alzheimer’s Society, while the Royal National Institute for the Blind says that 1.8 million people are blind or partially sighted. Many of these people should have chip-and-signature accounts.
Sandra Quinn, of the UK Payments Association, says: “It would be very disappointing if banks were not giving chip-and-signature to customers who need it. Some people may find in the future that chip-and-PIN is not suitable. They have every right to ask for an account with chip-and-signature.”
Pensioners are also encouraged to use chip-and-PIN to receive their state pension and other benefits via the Post Office card account, which was introduced in 2003 to replace pension books. Neil Duncan-Jordan, of the National Pensioners Convention, says: “Some pensioners still queue up to receive their pension holding a piece of paper with their PIN on it. Anyone who is uncomfortable with PINs can request to have benefits sent by cheque in the post.
“Chip-and-PIN is simply not suited to many elderly people, and banks and the Government should do more to promote alternatives.”
Ross Anderson, a security expert at the University of Cambridge, says that it is in banks’ interests to push chip-and-PIN. He says: “Quite simply, if you use a PIN, disputed transactions are your fault. However, a forged signature makes a transaction null and void, which means that the banks cannot hold customers liable. Banks are exploiting the old and vulnerable because they want to take away their consumer protection. It’s a disgrace.”
The Banking Code, to which all banks must adhere, states: “We will tell you about alternatives to chip-and-PIN, which are available if you are unable to use a PIN because of a disability or medical condition.”
Several high street banks confirmed to Times Money that they offered chip-and-signature, but emphasised that it was only for specific types of customer. A spokeswoman for Barclays says: “Chip-and-signature is for customers who have a disability that makes using a PIN difficult or impossible, either because of dexterity problems, visual impairment or difficulty remembering the number. All other customers are issued with a PIN.”
A spokesman for Santander, which owns Abbey, Bradford & Bingley and Alliance & Leicester, adds: “Chip-and-PIN is an important tool in fighting card fraud, and PINs should not be divulged to other people or written down. Customers can change their PIN to a more memorable number.”
New rules relieve customers of burden of proof
The Banking Code will be abolished next month and replaced with a complex set of rules, the Payment Services Regulations (PSR).
Experts fear that consumers will no longer have a user-friendly set of guidelines that clearly explain banks’ responsibilities. Instead, they will have to wade through a 152-page document for details of their rights.
The Financial Services Authority, the City watchdog, will enforce the new regulations. It says that victims of fraud will actually have more protection, with the onus on the bank to act quickly to prove that a transaction was the customer’s. Unless the bank can show a good reason why it needs to investigate the claim, it will have to refund the amount immediately.
Page 38 of the PSR states that if a person notices a suspicious transaction on an account, it is for the bank to prove that the transaction was “authenticated, accurately recorded and not subject to technical breakdown or other problem”.
Currently the onus is on customers to prove that suspicious transactions were not their own. The Banking Code states: “We will need you to give us confirmation or evidence that you have not authorised a transaction.”
Source:- Times Online, UK ; By Lauren Thompson