Wednesday, November 15, 2006

Waiting for the online fraud

I came across a blog entry on lack of security in Indian online trading. People are shocked when they find that online trading and banking sites in India are a joke. In my experience, Geojit's website is so bad I won't use it. Luckily, it is also designed quite poorly, so using it is impossible anyway. Within minutes of using their website, my wife and I found a fairly large security loophole. The support at Geojit is also ridiculous. Actually, Geojit has no redeeming quality whatsoever, so let me not pound on them anymore. The point of this post is not how bad Geojit is (they are bloody horrible: get your money out, and move elsewhere), but how such bad examples are spoiling the whole basket.

In the blog entry linked above, the first post was by a person who said the equivalent of, "but Microsoft is so insecure and crappy, why should Indian websites be better". The second post was by a person who said, "but American banks are insecure and crappy, why should Indian websites be better." You get my drift.

First, Microsoft is a bad example. The entire company is chugging along on the strength of their monopoly. Many people avoid Windows if they can. I use Linux, and many people I know use Linux, Mac OS, or something else. So don't hold Microsoft up as the epitome of software design. They are bad enough that most of my peers (at University, in Computer Science) would not work for them if they had anything else.

Second, American banks might have security loopholes, but these are fixed quickly. The support team is looking for bug reports, and they get their websites looked at by independent security experts. A trading site like Geojit wouldn't last a day in America, if it had any customers. Moreover, the US isn't the best in online trading. My European friends have 2-factor authentication, where they get an RSA card, which generates a changing ID, which you type in along with your password. So even if someone snoops and gets your password, they cannot log in unless they steal your RSA card as well.

So that settles that. But going beyond, I am surprised that posts should be so defensive of everything Indian. Look, we make a killer vada-pav, and some absolutely gorgeous biryani, but online trading isn't our forte, right? Online newspapers ain't our forte either. Compare the Times of India to the New York Times, and you see what I mean. Saying that in India, Geojit is the best, and so it should be applauded, is stupid. Geojit is absolutely horrible, and you should have the courage to say that it is unusably bad.

And going even further, don't use lousy examples to support theories. Microsoft gets held up every time some software gets trashed. Yes, Internet Explorer crashes every day, and Windows has a tough time with just 1G of RAM. But do your research before claiming that all software is bad. Microsoft is setting up a very wrong example for my field. There are systems which are rock-solid. Microsoft isn't. Deal with it.

The pity is that the culture in India has been feudal for so long that we tend to bow down too quickly. The notion of support doesn't exist because for a Geojit employee to actually listen to a customer is unthinkable. Further, to admit that they made a mistake, and to correct it, is even harder. Ultimately, Geojit, ICICI and others need constant reminders that their pretty PR is not sufficient, and that customers demand good service.

As with Windows, once enough incentive exists to attack these systems, attackers materialize from nowhere. (Kind of a nice twist to the Zen saying, "When the student is ready, the master appears".) Most spam originating now is coming from bot-nets: giant collections of Windows machines that have been taken over by malicious software. These are pumping spam day and night, unknown to their owners. And these are all over the world.

So I'm waiting for the day when online fraudsters realize what a goldmine Geojit is, how easy it is to pry open, and force these companies to deal with reality. Being on the Internet also means that you have to leave your large ego behind, and learn how to manage a world-class website.