SMS alerts are increasingly used by Banks to inform customers about credit card and other transaction activity, so that customers can alert the bank if a transaction is not genuine. Some Banks even treat this on par with “second factor authentication”. In many mobile banking transactions, SMS is the means of authentication. The mobile number of a customer therefore becomes a key piece of account holder information, which the Bank should treat as “Security Sensitive”.

I recently came across an instance where ICICI Bank was sending SMS alerts to a person concerning some other account holder. The recipient was considering it a nuisance and ignoring the messages. After this continued for a time, the recipient notified the Bank about the wrongful addressing of the messages to him/her, pointing out the concern that this could be a security risk for the recipient for which the Bank could be held liable.

A copy of the notice sent is as below: (PS: numbers masked)

I have a mobile connection with number 99xxxxxxxx which is being used by my wife sparingly.

I would like to bring it to your notice that I frequently receive communication through SMS regarding a credit card 4477xxxxxxx and account XXXXXX527518 on this mobile number.

These accounts don’t belong to me.

The possibility is that the mobile number might have been associated with some other customer some time back and might have been surrendered to Vodafone and reissued to me.

Please therefore check your records and remove this mobile number from the accounts mentioned above and obtain the customer’s correct current contact details.

If you think your records are correct, please let me know the full name, address, email address and account number of the client so that I will directly contact him/her and ensure that they instruct you properly.

Please note that any failure on your part to correct the data at your end will continue to cause the following legal complications.

1. You are associating an account with my mobile number. If the account holder does any illegal act, there could be a wrong association of me with such transactions. If such an eventuality arises, please take note that on the basis of this notice, I will hold the Bank liable.
2. With this error in the maintenance of customer data, you are revealing confidential account information to a third party. This is a violation of privacy for your other customer and he can claim damages from your Bank.
3. From time to time you may have to urgently contact your customer for sending fraud sensitive alerts and by sending it to a wrong number, your alerts will fail to reach the right customer. In such cases the responsibility of the Bank would be higher and it may have to take liability for the frauds.

In view of the above, in the interests of all the three parties, namely the mobile number owner, the account holder and the Bank, it is necessary for you to correct the mistake on a priority basis.

I am separately taking up this issue with your management in case I don’t receive a proper reply in the next three days.

The object of this mail is to bring to your notice how what could even be a typographical error in data entry could lead to serious legal consequences. No offence is meant to any officials responsible for this error. I will be happy if you take a corrective action.

The Bank is yet to respond to this notice.

I had also come across an instance some time back where a mobile applicant had complained that the service provider’s agent collected two sets of address and identity proofs on the pretext that the first was misplaced, and the applicant was apprehensive that her signed and authenticated address and ID proofs might be used for issue of a SIM to another person.

In order to address the implications of the above two types of legal risks, there is a need to make some fundamental changes to the system of handling mobile customer data in India and TRAI needs to take a look at this.

I know that a solution in this regard may not be perfect but it has to be as perfect as it can be while reducing the legal risks on a third party.

Firstly, while land lines of BSNL are available in a public directory, other service providers of land line don’t have public directories. Mobile Companies also don’t maintain public directories.

The reasoning for this is that the information itself may be considered as “Private”. As a result of this, there is no public reference to find out the genuine mobile number associated with a person. Banks and others need to accept what the customer declares. If a terrorist provides the mobile number of another person while opening an account or uses a mobile account at the time of opening, discontinues later and the number is re-issued to another person, then the Bank will be carrying the wrong mobile number in its data.

The absence of a publicly available directory of mobile phones is hampering the Banks and others from checking the mobile numbers provided by another person except by sending a mobile message and asking for confirmation. This procedure is yet to become a standard security practice.
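The confirmation procedure mentioned above, sketched as an added example (not code from the original article or from any bank). The class name `MobileLink`, the time limits and the attempt limit are assumptions, as is the design choice that the code sent by SMS is typed back into a session already authenticated as the account holder, so that a number re-issued to someone else can never be confirmed by its new holder.

```python
import hashlib
import hmac
import secrets

CODE_TTL = 600                   # assumed: a code is valid for 10 minutes
RECONFIRM_AFTER = 180 * 86400    # assumed: re-confirm the number every 180 days
MAX_ATTEMPTS = 3                 # assumed: guesses allowed per issued code

class MobileLink:
    """One account-to-mobile-number association held by the bank (hypothetical)."""

    def __init__(self, account, number):
        self.account, self.number = account, number
        self.confirmed_at = None
        self._digest = self._expires = None
        self._attempts = 0

    def issue_code(self, now):
        """Return a 6-digit code to send by SMS; only its hash is kept."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._digest = hashlib.sha256(code.encode()).digest()
        self._expires = now + CODE_TTL
        self._attempts = 0
        return code

    def confirm(self, code, now):
        """Check a code entered in a session authenticated as the account holder."""
        if self._digest is None or now > self._expires:
            return False
        self._attempts += 1
        if self._attempts > MAX_ATTEMPTS:
            self._digest = None          # too many guesses: a new code is needed
            return False
        entered = hashlib.sha256(code.encode()).digest()
        ok = hmac.compare_digest(entered, self._digest)
        if ok:
            self.confirmed_at, self._digest = now, None
        return ok

    def report_wrong_recipient(self):
        """The person holding the number says the account is not theirs."""
        self.confirmed_at = self._digest = None

    def may_send_alerts(self, now):
        """Account details go only to a number confirmed within the window."""
        return (self.confirmed_at is not None
                and now - self.confirmed_at < RECONFIRM_AFTER)
```

The reconfirmation window is what catches a surrendered and re-issued number: once it lapses, alerts stop until the account holder confirms the number again.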

Some would argue that a public directory would lead to SMS spamming. However, we all know that even now spamming does happen. To prevent spamming, the concept of a Do Not Call register may continue, so that the directory itself can mark the DNC registered numbers in red.

Further, those who advance the privacy argument must appreciate that one of the established norms of privacy is that the data owner should have the ability to check whether the data associated with him in a database is accurate or not.

If today I raise a query to an ISP, “Please certify that my address ….. or my name…. is not associated with any mobile number other than ……..”, will the ISP be in a position to provide such a certificate?

Alternatively, if there was a directory which is searchable on address or name, this could be verified by the citizen himself. This is now possible in a BSNL directory (though keeping it updated is still an issue).

In order to address the Privacy issues, every search of such a database may be permitted only after the IP address and declared identity of the person searching the data are obtained in a request screen and supported by a declaration that the information would not be used for spamming or other illegal purposes (for whatever it is worth).

A request has also been forwarded by the undersigned to TRAI for finding a solution to this problem.

