ARTICLE IN ECONOMIC TIMES DATED 8 OCTOBER 2019
https://economictimes.indiatimes.com/blogs/et-commentary/atm-security-safety-in-pins-needles/
MY LETTER TO THE EDITOR
Dear Editor of Economic Times:
This has reference to the article entitled “Safety in PINs & Needles” by V Kamakoti in today’s edition of The Economic Times.
Only a fool argues against more safety in payments, all other things being the same, but, equally well, only an intelligent man knows that all other things are seldom the same.
After two-factor authentication was mandated by RBI for all online payments in India, friction increased, failed payments exceeded 40%, and people – like me – who were using credit cards for online shopping before switched to Cash on Delivery (COD), with the result that cash usage did not decrease. PayTM and other alternative payments emerged with innovative ways of subverting 2FA, thus increasing adoption and becoming runaway successes. From their exploding popularity, banks and RBI realized that people want security but only until they get it, after which they get annoyed by the friction accompanying every transaction, and go back to cash. That resulted in NPCI, the RBI-administered bank consortium, going back to the drawing board and coming up with UPI, a frictionless way of using the IMPS rails, which had suffered from lacklustre performance earlier.
I hope we don’t repeat the same mistake with leg-to-leg message authentication proposed by the author for ATM payments.
Firstly, it does not seem like the right solution for the problem. If, as the article says, ATM fraud is caused by malware inside the issuer bank’s system, I fail to see how authenticating the message between banks can prevent it. The author seems to be confusing “perimeter breach” with “man-in-the-middle attack”, two different threat vectors that require two different cybersecurity strategies to be thwarted.
Secondly, leg-to-leg authentication can cause delays and failures at ATMs, driving people back to branches to withdraw cash.
On a side note, I read the line “foreign payment companies have been reluctant to (implement leg-to-leg authentication), citing technical difficulties” with great interest. I personally believe the obstacle is related to user experience but since they say “technical difficulties”, I take it at face value.
But I have two questions: (1) If all these security techniques have been invented by American companies, why are they not implemented in the USA? (2) If America can’t resolve these technical difficulties and implement these systems at home, how will India succeed with them? I had these questions when America-invented 2FA was not mandated in the USA but mandated in India, and they’re coming back to me now with America-invented leg-to-leg authentication. (While the article seems to suggest that NPCI has invented this technique, I am quite sure it is based on core components invented in America.)
Call me a tinfoil hatter but I tend to believe that American companies unleash such technologies on India and other unsuspecting countries, watch them impede the progress of these countries on digital payments by delivering a bad user experience, then come back a few years later with frictionless solutions that solve the UX problems they created earlier with their own security products, and take over the market.
We have ourselves to blame for becoming a digital colony.
Thanks and Regards.
KETHARAMAN SWAMINATHAN
Pune, INDIA