When the Indian government recently banned two high-value currency notes, it led to all sorts of chaos, including huge queues to exchange money at banks and ATMs. And this in a country where more than half of the citizens do not have a bank account.
But as the dust continues to settle, a tangible long-term benefit of the process appears to be emerging: moving India towards a digital economy in which electronic transactions play a major role in the financial system. The rush to do this, however, is likely to cause a spike in cybercrime.
The Indian government’s push to get ordinary citizens using plastic and digital money is evident in the launch of various schemes like the BHIM app to incentivise digital payments by the poor, rural and illiterate who have hitherto been unrepresented in the country’s modern banking systems.
Encouraging cashless transactions has the potential to curb tax evasion, corruption and the use of hard cash in crime. And to that extent it is a worthy goal to follow for any government. But adequate measures have not been taken to ensure that the hard-earned money of ordinary Indians is secure from the cybercrime that will inevitably follow.
The repeated assertion made by Indian banks and online portals is that they use the latest security protocols and hence they are as secure as any other similar business in the developed world. Even though there is a degree of truth in this argument, it is dangerous to accept it as evidence of sufficient protection for Indian consumers from digital fraud.
The transition to a digital economy will create several new opportunities for financial crime against citizens who will have their first experience of digital India. That will leave them vulnerable to losing their precious assets to new kinds of criminals. Most will be completely unaware of how cybercrime works – and therefore in no position to guard against it.
Research into the field of IT security consistently shows that the Achilles’ heel of systems lies at the consumer’s end. And this is an area where neither the Indian government nor the banks or online portals seem to have any plan of action in place.
Humans are the weakest link in IT security. Decades of research have shown that there is an inverse relationship between the effort required to follow an IT security protocol and the extent to which ordinary consumers comply with it. In other words, the banks can put hi-tech security measures in place, but if they are too complicated to follow for a poor farmer in rural India then ironically the same measures may make him even more vulnerable to cybercrime.
The point is best illustrated through a well-known anecdote that gets told in the field of IT security. The security team of a sensitive corporation kept coming up with rules that required the employees to generate more and more complicated passwords to log into the system. They believed that it would make the company virtually unhackable to criminals. However, all their effort came to nought when the employees – fed up with remembering long combinations of words and symbols – simply started writing their passwords on pieces of paper and sticking them to their computer screens.
Conscious effort required
It is for this reason that, over the last few decades, a conscious effort has been made to educate people and provide usable security protocols for using debit cards and the internet for financial transactions.
Psychologists, systems engineers, software designers and financial experts have all been involved in the process to identify the capacity of ordinary people to follow security measures and design practical solutions for them. It is an area of security research that is growing outside the digital realm as well. In domains such as infrastructure security, for example, it has been found that even specialists like train drivers fail to follow complicated security procedures.
Many of the new digital clients in India will not be tech-savvy or well-educated and may be vulnerable to cybercrime for reasons such as age, income or social status. They will have a unique set of constraints that will have an impact on their ability to conduct safe electronic transactions.
Unlike the latest technical IT security expertise that Indian banks and online portals have adapted from the West, the methods for designing usable security are not directly transferable. This requires a long-term effort to study consumer behaviour and the specific challenges of users in the Indian context.
Left to themselves, ordinary people in India are experienced at protecting their valuables from criminals. Any traveller on Indian public transport will vouch for that, having seen the surfeit of luggage chained up in trains and buses to prevent thieves from running away with it.
It is now the responsibility of the Indian government, financial institutions and business to ensure that the common citizen is equally well prepared to protect their money from cyber-criminals, through access to usable security. Efforts must start immediately, if it has not already been left too late.