Omani culture of online security

By: Riyadh Abdul Aziz

Oman needs to improve its culture of online security, especially as the government and the private sector continue to move towards electronic services.

Large and small businesses in Oman should try their best to offer their services electronically if possible, but before they do this they must have a proper secure infrastructure for providing their services to ensure that their customers are not subjected to unreasonable risks.

I recently registered a Omani domain name using one of the local registrars. The registration process had to be done online, and even though I was not required to make any payment online, I still sent a lot of personal information through the website, such as my full name, telephone number, address, and a copy of my ID. However, this website did not use SSL even though, ironically, it offered a service to provide websites with Verisign SSL certificates. In addition to this, when I used their “I forgot my password” form, I was sent my password in plain text to my e-mail inbox without having any option to actually reset it in the e-mail message itself.

This was not a major online services provider like BankMuscat or Omantel, but still it is a valid example of a typical online business in Oman. Big corporations and government agencies tend to have better technical infrastructures for dealing with security, but there are still incidents where that is not necessarily the case.

For example, the website of ROP at the moment has a certificate which my browser cannot verify. This means that using the online services of ROP can be risky, especially as they involve sending passport copies, IDs, and driving licence numbers.

Oman’s biggest security challenges are not technical though, they are cultural. People living in Oman can have an extremely casual attitude towards asking for and sharing sensitive personal data. For example, it is common to photocopy, e-mail, and fax copies of passports and IDs even though they can be easily used by identity thieves to acquire access to things such as online banking of others. In addition to this, the majority of people pay using debit cards that do not require a PIN to authorise a transaction and it is common for restaurants to take your card out of your sight if you choose not to pay in cash.

It is true that Oman is a safe country with a low crime rate, but we do not need to wait for a disaster to take place before we take action. It is impossible to be totally secure in this digital age, but we must take reasonable precautions to ensure that our personal data is not easily stolen.

The first action to take to minimise security risks is not to keep or ask for personal data that is not needed in the first place. If there is no reason for a business to keep a record of a customer’s ID number, passport number, or even e-mail address, then it should not ask for it. This should be followed by using encryption when storing personal data, and most importantly training the staff in the way personal data of customers is to be handled.

SOURCE: Muscat Daily