Cashless is not Stressless

|December 19, 2016 1
Safety, reliability and uptime: digital transition is struggling with anticipated struggles already. But the outcomes, are they as anticipated?

INDIA: There’s nothing wrong in aspiring to be as advanced and as digitally-savvy as an ahead-of-the-curve Western or European country. But a country like India that is still looking for an inflection point at its learning curve, practical questions just can’t be sidelined in this sprint to join the front-runners.

Within days of demonetisation triggering a new tangent and purpose altogether – with the ‘Go Cashless’ bugle, we have witnessed exasperated queues because the plastic cards refuse to work, we have heard CERT-level advisories on some grave security concerns and we have been first-hand bystanders of a conspicuous lack of readiness, hardware, habits, machines, bandwidth and processing capacity already.

This assumes serious contours because just before the cashless crescendo started, many banking customers had stumbled upon a wide-spread POS fraud, huge EMV adoption debate, and card-replacement hassles with their banks; and just after the demonetisation change, users were again left grappling with pressure on digital infrastructure and overall ecosystem readiness.

It doesn’t help a hesitant cash-inclined user much when one hears of ATMs and POS machines running on outdated (or worse, no) security software, when merchant’s Wi-Fi laziness is enough of a reason for hackers to come in from the front-door. The Computer Emergency Response Team India (CERT-In) has already issued an advisory on security and brought to fore how vulnerable a POS terminal can be to skimming and malware.

Then there are warnings about security vulnerabilities from semiconductor majors, like Qualcomm, that provide the chips that run the smartphones, which run these wallets and apps. Its recent report based on OEM feedback emphatically points out that none of the mobile wallets operating in India are safe and thereupon argues about the efficacy of just Android-based security layer without a hard-ware layer security effort. To add to that, there is a glaring gap of authentication layers and the loophole of a new, easy surface area for thieves that mobile wallets throw up. As many safety experts have already demonstrated, pick-pockets or muggers now may not need to sneak or snatch these wallets, they just need to get your phone in their hands for a few seconds to steal some easy money. E-wallet users can’t be surprised if random strangers thank them for sponsoring huge pizza parties.

Amidst such safety and ‘will it work/not work at the moment of swipe’ fears, can we indeed be confident about going cashless?

As such, there’s been very little path-breaking work that has taken place in the move towards becoming cashless – as Rohan Angrish CTO of Capital Float, an online platform that provides working capital finance to SMEsm acquiesces. “Most of the changes were already in play earlier. These are just being executed on a bigger scale now. So all the well-known and documented measures are still in check.”

The pressure is on the infrastructure and we see preparations towards aligning it as well but there is an overall lag which needs to be addressed. DD Mishra, Research Director, Gartner assesses that the overall ecosystem is evolving and needs to keep pace with the growth of digital payments.

As to the back-end of the systems, that, in the reckoning of Angrish is quite secure. “All the recent credit card frauds, etc. were not a result of vulnerabilities in the back-end, but because how data was being captured, stored and transmitted in the front-end. Compliance of standards like PCI-DSS or EMV adoption is now a bare minimum.” However, entities anywhere in the digital money flow-chain will have to be paranoid about how they deal with sensitive data, he avers.

Creation of new infrastructure and improvement of existing digital infrastructure can definitely help more people accept cashless economy and also protect the existing user base. Massive campaigns, around awareness and faster evolution of UPI payments will go a long way to enable the same, Mishra indicates.

Easy OR Safe? Why the ‘Or’?

The onus of being safe now falls largely on the shoulders of users. That’s why we can hear so many caution-lists in the air.

Watching which app to download and which one to let go based on security features/reviews/ ratings; Setting strong passwords (in case there’s room for that in current apps); Avoiding hard-to-trust banking transaction modes or networks; Taking care of the device’s whereabouts as well as updates for its security; Using a secondary card/specific-purpose card instead of putting your primary account at stake; Enrolling for activity-notification and transaction-alerts wherever possible; Looking out for reliable indicators like https/padlock; and Being wary of pop-ups that look too tempting to be true – are just some things to start with.

What’s interesting is that there’s more money now in the digital-sphere, but the points of attack haven’t changed too much. Angrish here recommends that one should store passwords and pins in email accounts or desktops, and make sure phones are locked well (biometrics or hard to guess pins). “Keep your credit card and debit card pins secret.”

It is worth noting here that one of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives like what Vincent Weafer, Vice President of Intel Security’s McAfee Labs underlined in the McAfee Labs Threats Report: December 2016. “The more authentic a piece of code appears, the more likely it is to be overlooked. Just as 2016 saw more ransomware become sandbox aware, the need to conceal malicious activity is driving a trend toward ‘Trojanizing’ legitimate applications. ”

It is also crucial to be alert to targeted phishing scams, the socially-engineered attacks that cybercriminals use to lure people into clicking malicious URLS with malware.

The problem is compounded with a brazen lack of awareness and appropriate actions. Look at what a recent Sophos survey of 1,250 consumers, confirmed: As many as 47 per cent respondents are not familiar with phishing or perceive it as a low threat, which is a concern considering phishing is the number one attack method used to gain access to personal information. More than 30 percent of those surveyed rated themselves as being extremely unprotected, unsure of being protected or completely unaware of phishing attacks.”

Ajay Dubey, senior Channel Manager, Forcepoint cautions strongly about protecting one’s digital identity. “It is important, don’t lose it – Keep track of your digital footprint, know which all websites you have become members with and how many of those web sites are storing your credit card information and personal details.” He also warns about the chances that you may not be accessing many websites now and may want to delete your account profile on such websites. “Personal information can be used for identity theft, spamming or to launch scam campaigns.”

Incidentally banks are getting cognizant of the security pitfall in a pragmatic way. When YES BANK, collaborated with FortyTwo42 Labs, a Cyber Security Research Lab; Rana Kapoor, MD&CEO, YES BANK, emphasized that in this increasingly connected world, where digitalisation takes centre stage in Banking, it is critical to address the associated risks in the networks. “To protect digital transactions from advanced cyber-attacks, we believe that there is a need to move from application level security controls to transaction level security controls.”

Security, as Mishra admits, is a big concern in a cashless system. One should follow the guidelines from their banks and other wallet providers to keep themselves safe from any theft.

Time to pull up both socks

The financial services eco-system was already moving in the direction of digital-heavy cash flows. Angrish opines that everyone realizes that the timeline though has been squeezed substantially with the recent demonetisation push and we’ll all need to work together to make sure we can quickly transition the ecosystem onto a smooth digital platform before any cracks begin to appear.

What’s different this time, as Angrish observes, is that now, for the first time, the push to move to digital money is coming from the highest offices in the country. And the office of the Prime Minister brings some serious fire-power with it. “Rarely do we get such alignment between Government and Free Enterprise towards a common goal. There will be teething issues for sure, but I’m equally certain that we’ll know who the right people are that need to be brought into the room to fix those issues and handle any other potential problems.”

Education and Trust would help a lot in this direction. Mishra injects a plausible factor here. “Education is key and the Government must focus on educating people towards safer usage of cashless options. Trust is an important factor for adoption of this practice and all Government, private sector, banks and financial institutions should come together to drive an awareness campaign to ensure safety. Bad news spreads faster than we envisage and there have already been some incidents of theft in few isolated cases.”

The Government need to ensure that critical services are available to people at all levels and comprehensive IT and security policies are in place to promote the delivery, adoption and usage of digital infrastructure; echoes Dubey.

“Corporations need to ensure consumers are able to transact with ease at all times and infrastructure issues like accessibility, and reliability is not there. Currently, our cybersecurity policies have not changed for a long time, it needs to be constantly reviewed and revised as per changing technologies and IT environment.” He contends that companies must be held accountable for not meeting security standards and that public-private partnership on information sharing about cyber threats and insider threats should be strengthened.

RBI-mandated audits would be just the kind of start we need here. As the notification rightly confronts: “While all efforts should continue to be made by entities (PPIs) for onboarding new customers and merchants, it needs to be borne in mind that any kind of cyber security incident affecting the digital channels/products, particularly at this juncture, may have significant system-wide ramifications and act as a dampener for the adoption of digital products by public at large,”

A Forrester’s research on the state of digital wallets had revealed how 21 per cent consumers in the US and 17 per cent of consumers in Europe would be interested in, or already use, digital wallets. It had also scraped some intriguing questions about the very relevance of banks when engagement, disintermediation, contextual services become factors working towards the advantage of e-wallets. Now that would be quite fascinating – would the hygiene expectation of ‘safety’ turn as a X-factor for banks competing with digital-money players; and vice versa?

Mobile wallet players and those pushing their weight after the digital blitzkrieg may want to turn their attention away from raving on about the advantages of going cashless and instead, try to spend some communication, efforts and money on ensuring that the user goes towards a cashless regime in an organic and confident stride. Make it compelling instead of something s/he is compelled to do.

That might just swipe well.

1 Comment so far

Jump into a conversation
  1. BRK
    #1 BRK 11 September, 2019, 05:22


    Reply this comment