In what may be termed the worst possible online payment setup, Hathway's system exposes critical customer data - the plan the customer is using and his/her registered mobile number. All one needs to know is a Hathway customer ID. Believe me, it is not so difficult to obtain a customer ID - a simple Google search can bring up the customer IDs of troubled customers, who often share them inadvertently while ranting about poor service. Once an ID is obtained, someone with malicious intentions can go on keying in random numbers.
What is the issue?
The issue is with Hathway's Quick Bill Pay facility. Here is how it goes:
Once you key in a customer ID and hit 'Submit', you will be shown the name and plan details. From the plan name, it appears that customer IDs are assigned sequentially even when the customers are in different cities. We came across numbers from Pune, and the one below appears to be from Hyderabad.
That is not the end of it. You need to enter some amount and choose Citrus Netbanking to make a payment. The next screen will show the subscriber's email ID (a Hathway one) and mobile number. Other payment options do not expose these details, so this seems to be a weak point on Citrus's side.
We don't understand the need to disclose the customer's email ID and mobile number at this stage. This is what Citrus has to say about their Payment Solutions in terms of privacy!
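As an added illustration (not code from this post, Hathway or Citrus), here is how a bill-pay lookup of this kind can be hardened on the merchant side: the ID-only lookup the post describes sits beside a version that returns only the plan and amount due, masks contact details and shows them only when the merchant opts in, and flags a client that walks through many distinct customer IDs. The subscriber records, helper names and threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample records; the IDs are sequential, as the post observes.
SUBSCRIBERS = {
    "1000123": {"name": "A. Kumar", "plan": "Pune 50 Mbps", "email": "akumar@hathway.example",
                "mobile": "9876543210", "due": 850.0},
    "1000124": {"name": "B. Rao", "plan": "Hyderabad 100 Mbps", "email": "brao@hathway.example",
                "mobile": "9123456780", "due": 1200.0},
}


def lookup_weak(customer_id):
    """The behaviour the post describes: the ID alone returns the full record."""
    rec = SUBSCRIBERS.get(customer_id)
    return dict(rec) if rec else None


def mask_email(email):
    """Keep the first character of the local part and the domain: 'a***@example'."""
    local, _, domain = email.partition("@")
    return local[:1] + "***@" + domain


def mask_mobile(mobile):
    """Reveal only the last four digits."""
    return "*" * (len(mobile) - 4) + mobile[-4:]


class EnumerationGuard:
    """Hypothetical helper: refuse a client that queries more than max_ids distinct IDs."""

    def __init__(self, max_ids=3):
        self.max_ids = max_ids
        self.seen = defaultdict(set)

    def allow(self, client, customer_id):
        ids = self.seen[client]
        ids.add(customer_id)
        return len(ids) <= self.max_ids


def lookup_hardened(customer_id, client, guard, show_contact=False):
    """Return only what the payment step needs; contact details are masked and
    appear only when the merchant opts in (the display/hide option Citrus mentions)."""
    if not guard.allow(client, customer_id):
        return {"error": "too many lookups"}
    rec = SUBSCRIBERS.get(customer_id)
    if rec is None:
        return {"error": "not found"}
    out = {"plan": rec["plan"], "due": rec["due"]}   # no name, email or mobile by default
    if show_contact:
        out["email"] = mask_email(rec["email"])
        out["mobile"] = mask_mobile(rec["mobile"])
    return out
```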
How can you be impacted?
- Now some of you might wonder what can happen if a mobile number is exposed. A phone number, if not registered for DND, is a telemarketer's target. They can go to great lengths to spoil your day. Here's how I was literally harassed by a telemarketer for no reason.
- One can easily wreak havoc with regard to your Internet browsing. This will of course depend on how Hathway handles such requests, but if someone is able to convince the executive well, you may land in trouble. The details exposed above must be sufficient for convincing call center employees. As said elsewhere, your data is only as secure as the least-paid call center executive. We do not intend to say that every call center executive is poorly paid or does a bad job of protecting customer data, but data breaches are known to happen through phone support worldwide.
- Someone can call up Hathway posing as a genuine customer and request a plan change - it could be an upgrade or a downgrade.
- Someone who wants to spoil your day (and might even know you) might even apply for disconnection!
In the second case, Hathway would send an email/SMS, but if you happen to be out of town, the damage would be done by the time you are back.
Recently we reported how Airtel's systems were exposing customer data - Call Details Availability and Mobile Numbers, Handset Details Exposed. While Airtel was fairly quick to acknowledge and fix the issues, the problem is that smaller players often look at larger operators as trend setters and try to follow them. When a large operator like Airtel introduces a new feature, say QuickPay, customers of smaller ISPs want to see the same. That is when quality takes a hit and ultimately causes the end customer to suffer. We expect any operator who provides online facilities - be it for payments or to check plan/usage details - to come up with better systems. Just don't offer some namesake facility with multiple loopholes.
Readers, were you ever at the receiving end of these kinds of privacy breaches? Are you aware of any other ISP or mobile service provider that exposes customer data this way? Let us know.
Update From Citrus: 18th Feb
We got an e-mail from Citrus stating: "Citrus completely respects the privacy of the customer, and data can't be accessed by anyone unless the merchant chooses to display it on the payment page. In this instance, customer data on the Citrus page is made visible due to the merchant. Citrus Pay provides this option to the merchant to display/hide customer details on the payment page. We would like to highlight and reiterate that Citrus Pay is completely safe and respects privacy issues, as it is directly governed by RBI and goes through monthly audits from RBI with regard to these things, considering it is an authorised entity under the Payment and Settlement Act."