Wednesday 27 December, 2006

Hutch and Security

A couple of months back, I needed to make a payment to Hutch, and since I could not find any time to go to a Hutch shop, I tried their online payment service at http://www.hutch.co.in. You can register your mobile number on the site and then use the options there to make online payments. Curious, I wanted to check how good their website was and how secure it was, so I went to the "view bills" section, which lets you view all your bills online, with information about the numbers you called, your address, the amount, etc. They had provided a great security feature on that page!!! To stop people from seeing their highly secured HTML, they open their dialogs in a new window and disable the menu and right click, so that people will not be able to view what they are doing.

It takes any Tom a minute to see the HTTP request going out from a webpage, and I just opened the source of the information they were sending. To my horror I saw them embedding a common username and password in the information they send, and I could easily change some details in the POST request and bingo!! I was seeing the details of other users!!!!! Unbelievable? Believe it, that's how secure these websites are.
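As an added illustration (hypothetical code, not Hutch's), here is the request handling described above beside a hardened version that ties the bill lookup to the server-side session instead of to fields the browser sends; all numbers, tokens and credentials are constructed placeholders:

```python
# Hypothetical bill-lookup handlers (added example, not Hutch's code): a shared
# page credential plus a client-supplied account field is not authorization.

# Constructed sample data: bills keyed by mobile number (placeholder values).
BILLS = {
    "9800000001": {"amount": 450.0, "address": "subscriber A (constructed)"},
    "9800000002": {"amount": 1210.5, "address": "subscriber B (constructed)"},
}
# Constructed server-side session store: session token -> logged-in mobile.
SESSIONS = {"sess-A": "9800000001", "sess-B": "9800000002"}
# The common username/password embedded in the page (placeholder values).
APP_USER, APP_PASS = "portal", "portal-secret"


class Forbidden(Exception):
    """Raised when a request must be refused."""


def view_bill_insecure(form):
    """Trusts every field of the POST body. The shared credential only proves
    the request came from the page, not who sent it, so whatever mobile
    number the form carries is served. Hiding the HTML (disabled right
    click, menu-less popup) changes nothing: the browser still sends this."""
    if (form.get("user"), form.get("pass")) != (APP_USER, APP_PASS):
        raise Forbidden("bad application credential")
    return BILLS[form["mobile"]]


def view_bill_secure(form, session_token):
    """Takes identity from the server-side session; an account selector in
    the form is only accepted when it matches the logged-in subscriber."""
    mobile = SESSIONS.get(session_token)
    if mobile is None:
        raise Forbidden("not logged in")
    if form.get("mobile", mobile) != mobile:
        raise Forbidden("bill belongs to another subscriber")
    return BILLS[mobile]


def cross_account_check():
    """Subscriber A's session asking for subscriber B's bill. Returns the
    amount leaked by the insecure handler and whether the secure one refused."""
    form = {"user": APP_USER, "pass": APP_PASS, "mobile": "9800000002"}
    leaked = view_bill_insecure(form)["amount"]
    try:
        view_bill_secure(form, "sess-A")
        refused = False
    except Forbidden:
        refused = True
    return leaked, refused  # -> (1210.5, True)
```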

I called up the Hutch call centre immediately and told them about this problem. After trying for 15 minutes and listening to their "You and I" song, finally it got connected, and a girl picked up and asked how she could assist me. I reported the problem I found and she coolly said "It's not possible, sir!!", and then advised me that I might be doing something wrong!! and wholeheartedly explained where to click properly!! It took me 10 minutes to make her understand the problem; when I started telling the details, it went over her head and she told me she would transfer me to the tech department. So after 2 minutes one more guy came online and I explained the problem to him; he didn't have the patience to listen to me and asked me to send a mail to customer support!!!! Well, all this time I thought I was doing them a favour, and now I knew it's our problem if we are using their service!! I left him my number to call if he wanted details and till date have never heard back. I also sent a mail to their support explaining the problem and till date no replies.

Last month, before coming to France, I happened to visit the Hutch site again and just checked if they had corrected this issue!! No, no, they thought maybe sharing all the bills online is not a big issue!! It's a democracy, so everybody has the right to information, isn't it?!

After that, while having coffee with one of my system admin friends, I told him this story. He happened to have worked at Hutch previously and he didn't believe me, so I showed him right on his machine; he was surprised and called a few of his friends in Hutch and told them.

Next day I heard from him that the issue had been corrected. Maybe they have corrected it now; I didn't check. The point I am trying to make here is, how can service providers in India be so careless about security?? They think purchasing costly servers, installing a few pieces of software and sending data will make their service secure (you can even see big words on any website that their site is SSL 10000000 encrypted). When the software itself is fundamentally flawed, no technology will help you make a secure service. I hope some higher manager from Hutch reads this and takes the necessary action. Even if they want to contact me, my email is there and they are welcome to.

This is just one example; maybe if I looked really seriously into their site I could find lots of problems, and the same applies to all other service providers. Please be careful with security on your sites, make security a priority; people trust you big companies and leave their information in your hands for granted. I am not trying to brag here about this not-so-big effort of mine in finding the problem; I am as worried as you people: what if another guy is doing the same and accessing my account?!

5 comments:

Phantom said...

It ain't surprising that this happened. But the surprising factor was how ignorant and immune they were to the complaint made :O [no wonder, a French company ;) ]

rgds
Phantom

Santhosh said...

le that's too harsh, the software has been developed in India so they need to be blamed also.

Leo said...

What's all that CMM, CMMi, 6SIGMA..., TESTING, PROCESS ORIENTED, QA ETC., ETC., ETC., ALL FOR????
Whether it's a French company or Indian software, the basic problem is with the f@#$%#$%# attitude of those people towards problem solving.

Vishwas Krishna said...

I have had my share of problems with Hutch. I had activated GPRS and one fine day, all of a sudden, it got deactivated, and to get it activated I had to follow up with them for three days, and their initial response was pathetic. As Arun says, it is the attitude problem of these people. Whether you are helping them or you are seeking help, it's all the same for them.

Phantom said...

@ arun and seagull

Again, typical of a French company: once the product or service is sold, forgotten is the attitude :)