After demonetisation, the Government of India is pushing for digital transactions. How do you view this move?
Demonetisation may change the economy forever and will help in the making of a Digital India. Digital transactions performed through digital platforms such as Paytm and other mobile wallets allow easier tracking of flow of money in commerce, resulting in better monitoring and audit. Mobile wallets and online transactions do reduce the hassle of handling cash, and can certainly bring in much-needed transparency.
Is the country ready for such a mega shift?
India does not seem fully prepared. Much of the rural population does not even have bank accounts, let alone debit/credit cards. Moves such as opening accounts under Jan Dhan Yojana can help India move towards a cashless economy, but not at the expected timelines. There are only 18 ATMs per 100,000 citizens in India, according to the World Bank. Low internet penetration and literacy rates in rural areas are a big hurdle.
What are the challenges in moving to a cashless society?
Two major challenges that we envisage are lack of infrastructure and cyber security issues. Banks do not have the required infrastructure to open so many more bank accounts, offer digital platforms, assist customers in using net banking, and conduct awareness campaigns. In certain states, like Jammu and Kashmir, Internet is the first thing that gets blocked.
In October, cyber attacks hit banks, forcing them to block around 20 lakh debit cards. How vulnerable is our system to data theft and security breach?
The country’s digital infrastructure will remain vulnerable until we have indigenously developed security hardware and software. Software and application developers have a first-to-market mindset, and tend to ignore security and privacy issues. Given the manner in which Indian companies and the Government treat customer data, BPOs seem to be the biggest threat to data security breaches. The legal system to handle cyber fraud needs further strengthening.
How can banks develop the required infrastructure?
Banks need to dedicate far greater resources and should have a designated senior officer such as a CISO for overseeing security issues.
Though the Ministry of Electronics and Information Technology (MEITY) has issued guidelines and policies, the implementation has been poor. Incident reporting and handling, having a complete information security management system in place, developing business continuity plans, and threat modeling are a few important steps that banks need to take immediately.
How have cyber threats evolved over the years?
Cyber security threats are constantly evolving. Viruses infecting personal desktops were the first generation. The second generation can be traced back to 2001, when hackers took down the Microsoft and eBay websites by targeting their domain name server with a denial of service (DoS) attack, giving rise to “botnets.” The third generation began in 2007, with the release of Red October, a state-sponsored cyber-espionage campaign that stole data from classified computers, mobile devices, and network equipment. Perhaps the most famous of these attacks is Stuxnet. Malware is also evolving to become more platform-focused. Now, with the advent of smart devices, malware is penetrating pervasively and focusing on all security dimensions, that is, access, data theft, and destruction. The trend is global and does not affect India alone.
What measures need to be taken to strengthen the existing security system?
Some of the positive initiatives which RBI is already taking with regard to digital payment systems are two-factor authentication in net banking/online transactions by using one-time passwords (OTPs), SSL/128-bit encryption used as minimum level of security, etc.
However, they should consider other ATM security solutions, including advanced anti-skimming technology, silent alarm notifications and video surveillance, ATM lighting and remote video monitoring at all places, 24/7 surveillance and security systems strictly controlling access to all banking facilities, and so on.
How would you rate the existing infrastructure to prevent cyber attacks in India as compared to developed countries? Where are we lacking?
In terms of regulations, our banking systems and companies providing digital platforms for digital transactions are at par with international standards. However, we certainly lack in adherence to, and implementation and review of, the regulations. We still do not have data privacy regulation in India. Among other things, banks should take necessary preventive and corrective measures in addressing various types of cyber threats, including denial of service, distributed denial of service (DDoS), destructive malware, etc.
What should people keep in mind while making digital transactions?
Never reply to emails, phone calls, or text messages that request your personal information; make a list of every ATM or debit card, credit card, driver’s license number and other forms of ID you carry in your wallet or purse and keep the list in a safe place at home and update it regularly. You will need this list if your wallet or purse is ever lost or stolen. Monitor your paper statement, bills, and online accounts; do not choose a PIN that is easily identifiable such as your personal telephone number, birthday or other personal information, etc.; avoid using sequential numbers; the PIN must be kept confidential; change your PIN immediately if you suspect that it has been revealed; do not store your user ID/PIN in a web browser and do not use shared/public PCs for online banking.
Would you say it is the collective responsibility of government, customer and company to prevent cyber breaches?
Yes, absolutely. First, all companies that offer platforms or services enabling digital payments must offer Payment Card Industry Data Security Standard (PCI DSS) 2.0 certification, which is the current industry security standard. The companies as well as banks should increase awareness among their customers.
Second, the government should check if the current policies regulating these platforms are adequate and update them regularly.
Third, customers should educate themselves about the risks involved. They must minimize vulnerability with two-factor authentication and change their password frequently. A lot of risks can be mitigated by simply being more aware and not becoming prey to fraudulent calls/messages/emails etc.
We all must share the collective responsibility of creating a safe and secure digital infrastructure and in no way should our cyber defense systems stop us from becoming a cashless economy.