RBI’s push for digital economy can have chilling consequences

Password, 1234, 123abc, your name, data of birth in ddyymm; well, if these are your passwords you can be sure to have your email or online banking account hacked anytime soon. In fact you are just plain lucky if it hasn’t been broken into by now. In fact 123456 ranks about the most used passwords in the world followed by ‘password’ itself, and most of us who are new to digital banking are ending up using these. Just connect the dots in this information with another dot—in 2015, the British insurance company Lloyd’s estimated that cyber-attacks cost businesses as much as $400 billion a year.

Closer home, in the last three years, public sector banks in India have lost a jaw dropping ₹22,743 crore on account of various banking frauds, according to a working paper published by IIM Bangalore in March 2016. IT Minister Ravi Shankar Prasad told Parliament last year that close to 12,000 cases of fraud related to credit or debit cards and net banking were reported during April-December 2015 alone.

A cyber-crime court recently has directed six banks in India, including a foreign bank, to pay ₹1.06 crore compensation to customers. These customers have been victims of various online banking frauds in the past two years, but banks had held that customers were responsible for their accounts being compromised. According to RBI data, 11,997 cases related to ATM/credit/debit cards and net banking frauds were reported by the banks during 2014-15 and 2015-16 (up to December 2015). In recent instance, as fresh as in October 2016, nearly 3.2 million credit cards from multiple banks were compromised; in other words data was stolen.

When you view the present government’s big push towards a cashless digital economy in the context of white collar cyber-crime, the scenario assumes chilling proportions. The push is even more startling given the abysmal level of financial literacy in our country. I cannot imagine people, like some of our parents, who are uncomfortable even sending an SMS from a mobile handset, operating smartphones and doing digital banking in one clean sweep as the Prime Minister would like all of us to do.

All a fraudster has to do is to find out your date of birth and name. Armed with just these two pieces of data he can crack open a large number of accounts of ordinary people who continue to use simple passwords. The sheer vulnerability of the Indian banking customer is shocking to say the least, and hackers are getting smarter all the time.

At a time when one should be making the security systems for digital banking more robust, we seem to be moving in the opposite direction. An RBI circular on December 6, 2016 has allowed banks to give retail customers the option to complete card-not-present transactions worth less than ₹2,000 without having to enter an additional factor of authentication, or the PIN code. This effectively means you can complete a transaction without entering the One-Time-Password that you receive on your mobile; which is a second layer of security. So even if someone hacked into your account, the fraudster was helpless without the OTP sent to your mobile phone. Now this layer of security has been made optional or even not required for transactions up to ₹2,000. However, RBI has left it to banks to decide what would "velocity of transactions" be permitted (eg., how many back-to-back such sub-₹2,000 transactions can take place in say 1 hour or 1 day).

I simply shudder to think how vulnerable the ordinary citizen, being pushed to go cashless and digital, would be to the increasingly sophisticated methods of the cyber criminals.

Abhijit Roy writes on technology issues. He is based in Kolkata