Moving towards a secure digital economy
Even as incessant political bickering is polarizing opinion on demonetisation, India is making a significant transition to a digital payments ecosystem. This project endeavours to breach the urban-rural divide, geographical exclusions of the real world, and income criteria that privileged only a few with access to certain private and public services. This new digital payments ecosystem is brutal in its attempt to alter the way India transacts, trades and is taxed.
A wider adoption of digital payments will invariably change the dimensions of risks, crime and security as well. If pickpockets were a common menace some decades ago, cybercriminals may dominate conversations in the days ahead as they eye digital and online transactions. While the “pickpocket” had to select a relatively “fat target” to make the effort and risk worthwhile, the cyber thief will have a low-risk environment (lack of forensic capabilities, human capacities and attribution challenges) and an expansive reach of technology that will make even “petty pickings” attractive. And although cybercrime will affect us all, it will harm the poor disproportionately. It could ravage the small savings of many, deprive them of their meagre means and, most importantly, result in erosion of trust in the financial ecosystem currently being built. It is, therefore, important that the government pay heed to small fraud.
An early warning of this was provided by the frisson of panic that followed the cautionary message from the newly launched Bharat Interface for Money application (BHIM app) on 4 January 2017: “Users please beware: Decline all unknown payment requests you may get! We will work on an update, which will allow you to report spam.” This response is inefficient and leaves the ecosystem vulnerable to malicious intent.
Governments around the world and here in India must respond to this new dimension, where “petty cash is big money” and digital pickpockets pose a range of threats to individuals, institutions and economic stability itself. Most governments have left themselves with little time to create the requisite mitigation capabilities. The velocity of digitization and technology adoption must necessitate a response from policymakers different from what was the norm in the “public sector era”, where Centrally controlled banks and enterprises offered a modicum of stability, privacy, and security (with less efficiency). To achieve this, a comprehensive approach for securing the digital ecosystem must be devised and some actions must be taken immediately.
First, there are a multiplicity of stakeholders operating networks and tools that pose varying degrees of risk. This, in turn, demands differentiated security responses. These include the Reserve Bank of India (RBI)-run National Electronic Funds Transfer (Neft) and Real Time Gross Settlement (RTGS), the National Payment Corporation of India’s (NPCI’s) Immediate Payment Service (IMPS) on which the Unified Payments Interface (UPI) currently operates, traditional card networks, mobile payments solutions, various banking apps. In a report released in December 2016, the Union ministry of finance’s committee on digital payments suggested a hierarchical approach based on the level of “systemic risk” posed by different tools and networks. This must form the design basis going forward.
Second, while industry is consulted by expert committees such as the one referenced above, an inclusive multi-stakeholder consultative process must become the norm for policymaking itself, to avoid arbitrariness. This can be done by instituting multi-stakeholder consultations that are transparent and inclusive. This is the model India has agreed is best suited to govern the Internet internationally, and it’s time to adopt consonant processes at home.
Third, while the “mobile” is being hailed as a replacement for physical wallets as well as a proof of identity through its widespread use in second-factor authentication of digital payments, government and users should be circumspect about the risks involved. For instance, there is evidence to suggest that distributed denial-of-service (DDoS) attacks—in which a multitude of compromised systems attack a single target, causing denial of service for users of the targeted system—are increasingly targeting the applications layer rather than the network layer of the Internet. In layman terms this means a sophisticated mode of cybercrime is being unleashed on unsuspecting users of mobile applications and popular software.
Mature hardware-based solutions, such as tamper-proof Universal Integrated Circuit Cards and Embedded Secure Elements, are being tested against the latest forms of cyberattack. Software-based solutions such as Host Card Emulation are also relatively secure but require upgrades through the cloud, placing large data demands on the user and testing the service capabilities of the issuer.
Globally payment solutions that have been able to integrate hardware- and software-based security exist, but domestic mobile payments providers are relying largely on software-based security solutions. And while the Indian government’s Computer Emergency Response Team, RBI and NPCI are undertaking security audits of payment solutions, it is important that users be given standardized information to make informed choices, particularly when the digital adoption drive is at its height.
Lastly, it may be useful for the government to think of the digital payments ecosystem, now anchored by the NPCI, as analogous to the Internet. And much like the Internet, the National Financial Switch (the infrastructure backbone of all Indian ATMs, operated by the NPCI) must acquire robust redundancies offered by private-sector partnerships in order not to be a vulnerable single point of failure—which can potentially be compromised by self-styled “legions” of hackers. The NPCI should be managed through multi-stakeholder groups that can help with standard-setting, and can ensure that the payments ecosystem serves the common citizen, making even a small transaction online.
Samir Saran and Vivan Sharan are, respectively, vice-president at the Observer Research Foundation and founding partner at the Koan Advisory Group.