For the last 3–4 days, my left eye has been a bit reddish. It was dry compared to the right eye and there was some itching. Under persistent pressure and instructions from family, I decided to visit a doctor today. Not many clinics are open on Sunday for outpatients. But there is an eye hospital chain with a branch close to home that is open on Sunday. They usually don't take appointments and accept walk-ins. Anticipating a rush, and to avoid waiting for a long time, I reached the clinic at 9:00 am. The staff had just arrived and were getting things set up. After an exchange of pleasantries, the staff informed me that the doctor would be in the clinic by 10:00 am. I requested that he proceed with scheduling. The reception staff was powering up the computers. Then he powered up the card swipe machine. While powering it up, he entered the user ID as 1234 and then the password as 1234. After the terminal powered up, he entered the amount and inserted my chip card. We finished the transaction. I went back to the lobby and sat on the sofa in disbelief at what I had seen…
The first thought that came to my mind was: in this digital day and age, how can people use such poor security standards? I guess you may not argue much about the user ID being 1234. It's not very strong, but it can be a valid value in sequential numbering. But how can somebody have a password of 1234? And finally, having the same string as user ID and password should be a criminal offence!!
After the doctor arrived, I proceeded with the consultation. She wrote a prescription. To get the medicines, I went to the pharmacy attached to the clinic. The same story repeated there as well. The teller in the pharmacy keyed in 1234 as both user ID and password and got the card swipe machine going. I was completely shocked by such poor data security standards.
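The checks an operator-credential policy on a payment terminal would need in order to catch the two logins described above, as an added example that is not part of the original post. The terminal records are constructed sample data, and the default-pair list and minimum length are assumptions.

```python
# Added example: audit payment-terminal operator credentials for the
# weaknesses described in the post (password equal to user ID, trivial
# digit patterns, well-known defaults). Sample data is constructed.

KNOWN_DEFAULT_PAIRS = {("1234", "1234"), ("admin", "admin"), ("0000", "0000")}  # assumed list
MIN_PASSWORD_LENGTH = 8  # assumed policy minimum

def is_sequential_digits(s):
    """True for runs like 1234, 4321 or 123456 (ascending or descending)."""
    if len(s) < 3 or not s.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(s, s[1:])}
    return steps in ({1}, {-1})

def credential_findings(user_id, password):
    """Return the list of policy violations for one operator login."""
    findings = []
    if (user_id.lower(), password.lower()) in KNOWN_DEFAULT_PAIRS:
        findings.append("known vendor/default credential pair")
    if password.lower() == user_id.lower():
        findings.append("password identical to user ID")
    if len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.isdigit():
        findings.append("password is digits only")
    if len(set(password)) == 1:
        findings.append("password is a single repeated character")
    elif is_sequential_digits(password):
        findings.append("password is a sequential digit run")
    return findings

def audit_terminals(terminals):
    """Map terminal label -> findings, omitting terminals that pass."""
    report = {}
    for t in terminals:
        f = credential_findings(t["user_id"], t["password"])
        if f:
            report[t["label"]] = f
    return report

# Constructed sample: the two terminals from the post plus one compliant desk.
SAMPLE_TERMINALS = [
    {"label": "clinic-reception", "user_id": "1234", "password": "1234"},
    {"label": "clinic-pharmacy", "user_id": "1234", "password": "1234"},
    {"label": "compliant-desk", "user_id": "op-17", "password": "Tq7!vx9#Lm2p"},
]
```

Calling `audit_terminals(SAMPLE_TERMINALS)` returns findings for the two clinic terminals only; the same function can be run over an exported list of operator accounts during a terminal estate review.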
Of course, this is not the first time I have seen such poor security. I hold an account with Canara Bank. They send me an e-statement every month. To my surprise, the complete account number is written in the subject line. There is no masking. I have come across a few other examples over the years. In some cases things have improved, but in others they are still the same.
Financial institutions (FIs), banks and payment processors are heavily regulated by a variety of data standards. The Payment Card Industry (PCI) has a very stringent Data Security Standard (commonly known as PCI DSS). All FIs and payment processors need to adhere to its guidelines to ensure compliance. With the experiences I have had, I continue to wonder how these guys passed their PCI DSS audit…