April 23, 2018

No one to protect digital identity: how vulnerable is consumer data in Pakistan?

Have you ever ordered food online or over the phone? Have you ever noticed that the call center representatives usually have ALL your private information including your phone number and the home address stored in their databases?

Digital Rights Monitor carried out an investigation to see how easily the personal data of others are casually doled by the call centers after a bit of social engineering.

In the video below, our team members call popular food delivery services using personal mobile numbers but pretending to be ‘Sadaf’. By only stating Sadaf’s phone number, they were easily able to get all her information including her home and office address. 

This goes on to show the lax security and disregard for privacy concerning the private information of customers. The information is doled out by the call center representatives without realizing its implications on the safety of the person. 

This, however, is just one example of the casualness of corporations and call centers which house personal data of millions in their servers. There have been many reported instances where systems of big local corporations such as Careem, Zameen.com and PakWheels were compromised putting in danger the  personal information of thousands, if not millions. 

Zameen.com is Pakistan’s largest real estate portal with 3 million visits every month. Millions have set up their online accounts to sale, purchase and rent out their properties.  However, in May 2016, a Bangladeshi hacker with the psuedo-name of Tiger Mate hacked into the Zameen.com and made the personal data of Zameen.com users public.  The leaked information included usernames, passwords, email addresses and phone numbers in addition to other details. 

In a similar fashion in December 2016, a hacker exploited the vulnerability in Pakwheels.com, the largest website that facilitates the sale and purchase of new and used cars in Pakistan. As a result of the exploitation, more than 600,000 user accounts were compromised with their data publicly shared.

One wonders why should this be a concern at all? Can’t the passwords be changed and one can move on with his life? According to Peshawar based ethical hacker Babar Akhunzada, the situation is not as simple as it appears. “The issue is not that the passwords of an account on Zameen.com or PakWheels have been hacked. The issue is that users in Pakistan, in many cases, use same passwords for their other social media accounts and thus the scope of the affected accounts widens.”

Ethical hackers reaching out to corporations in vain:

Babar Akhunzada is a young ethical hacker and also a founder of Security Wall, a cyber-security consulting firm. He and his fellow team members have worked with more than 100 international corporations including Microsoft, Nokia, Sony and helped them identify vulnerabilities of their systems. His company has been awared cash prizes in recognition for their work.

In Pakistan, he also cracked into the systems of renowned companies and informed them about their vulnerabilities. While talking to this scribe, he claimed that they had already informed Pak Wheels and Zameen.com about the vulnerability of their servers. “Prior to hacking, we wrote to Pakwheels and Zameen and informed them about the vulnerabilities of their servers. However, they did not respond to our emails.”

A few months ago, his team also reported a vulnerability found in Careem’s system by another young ethical hacker Danial Nasir. Daniyal, using vulnerabilities in Careem’s system was able to access the confidential information of 1.4 million users. This included the names, email addresses, mobile phone numbers, ID card numbers, trips, payment information and even the pictures of Careem drivers. The data also included the details of the cars registered with Careem”.

Government systems vulnerable to data breach

Mainstream media is devoid of reported incidents of the data breach. However, there have been instances where hackers were able to access the government servers (including NADRA) that stored sensitive personal data.  In 2017, an online technology news website Pro Pakistani reported that Punjab Information Technology Board’s system encountered a security bug that exposed the personal data of millions of people.  As the Pro Pakistani News story noted, anybody with basic computer knowledge could download data including CNIC numbers, Front and Back of CNICs, scanned copies of all the educational degrees and CVs.

Holding government and corporations accountable

In the midst of the aforementioned reported incidents, the basic question that comes to mind is why one should blame government and corporations if anyone tries to steal data?  Babar insists that they should be held accountable for not regularly updating their systems.  “Companies tend to forget the customer support aspect affiliated with their online service.It is the responsibility of the respective company or agency to ensure that their systems are regularly upgraded and updated. When they do not regularly update their systems, they provide the opportunity to hackers to steal personal data.”

No Data Protection law in sight

In more than 100 countries around the world, there are dedicated data protection laws that bind government agencies and corporations to ensure that they have put in place up-to-date systems that protect consumer data.  In countries like Canada and Philippines, companies are also bound to disclose data breaches not only to the regulator(s) but also to the consumers being affected by these incidents. Also, in countries around the world, privacy commissions are empowered to regularly inspect the systems of the companies and also take complaints for the breach of data. They also hold them accountable if they violate user trust and give access to unauthorized people.

In Pakistan, there is no such law that puts any liability on companies.  Although different companies claim that they have strong systems put in place to protect data, there is no way to check whether their systems are up-to-date or not.

For more than a year, Pakistan’s Ministry of Information Technology and Telecom is believed to be preparing a draft on data protection act for consultation. However, despite government assurances to rights activists, they have yet to commence consultation there are meek chances of enactment of a data protection act any time before 2018-2019. Media Matters for Democracy, in its investigation recently, reported that the draft legislation on data protection was not even properly consulted among government stakeholders. Sources also revealed that with current political instability in the country, there are fears that the data protection act may not be enacted in the current tenure of the government which is due to end in early 2018.

Does that mean our personal data will be at the mercy of corporations/government agencies for another year with no check and balance?

 

Image Courtesy: LifeLock

Written by

Talal Raza is a Program Manager at Media Matters for Democracy. He has worked with renowned media organizations and NGOs including Geo News, The Nation, United States Institute of Peace and Privacy International.

No comments

leave a comment