Better A Digital Colonizer Than Digital Colony Be!

by

Of late, there’s a lot of concern in the public discourse that India is becoming a digital colony of the West.

If this concern is valid, we have ourselves to blame for letting India become a digital colony. What’s worse, we’ve been doing this for ages and never seem to learn from past mistakes.

I found the latest proof of this in the op-ed entitled Safety in PINs & Needles in The Economic Times. In this article, the author argues that India should implement leg-to-leg message authentication of ATM messages to prevent ATM frauds.

I disagree.

Only a fool argues against more safety in payments, all other things being the same, but, only an intelligent man knows that all other things are seldom the same.

After two factor authentication was mandated by RBI for all online payments in India, friction increased, conversion declined, failed payments exceeded 40%, and people who were using credit card for online shopping earlier switched to Cash on Delivery (COD), with the result that use of cash did not decrease.

PayTM and other alternative payments emerged with innovative ways of subventing 2FA, thus increasing adoption of digital payments.

Looking at their exploding popularity, banks and regulators realized that, while it was noble, their traditional thinking “security first, convenience next” failed to resonate with the consumer behavior wherein people want security but only until they get it. They figured out why IMPS, the 24*7*365 Account-to-Account Real Time Payment system launched by bank consortium NPCI, met with lukewarm reception from the public. Learning their lesson, they went back to the drawing board and came up with UPI, a frictionless way of using the IMPS rails.

UPI is a more convenient way of using the IMPS rails. But, going by reports of UPI fraud almost everyday in the newspapers, UPI is not so secure. Nevertheless, it has taken digital payment adoption to the next level. People are now asking whether companies like Google Pay, PayTM and PhonePe, who raised the specter of India becoming a digital colony, will survive the onslaught from banks and their UPI apps.

Remember, folks, people use payment products because it’s convenient to make payments with them. While they expect their payments to be safe, nobody uses a payment product for the sake of security. We learned this lesson the hard way.

We’d be forgetting this lesson and risking becoming a digital colony once again if we implement leg-to-leg message authentication for preventing ATM fraud.

Firstly, I doubt if the technology is fit for purpose.

  1. If, as the article says, ATM fraud is caused by malware inside the issuer bank’s system, then authenticating the message between banks can’t prevent it. The author seems to be confusing “perimeter breach” with “man-in-the-middle attack”, two different threat vectors that need to be thwarted with two different cybersecurity strategies.
  2. Many ATM frauds of Indian banks – including the incident described at the start of the said article – happened in ATMs installed outside India. They’re owned by banks outside the purview of RBI / NPCI.
  3. Leg-to-leg authentication can cause delays and failures at ATMs. As anyone who has suffered from a failed ATM transaction would know, it’s extremely painful to get your money back. Failed ATM transactions will risk driving customers back to branches to withdraw cash, thus defeating the purpose of ATM networks. (A related fact: Debit cards are strictly non-transferable. Even your spouse or children cannot use your debit card to withdraw cash from an ATM.)

Secondly, I doubt if the technology can be implemented in India.

According to the article, “foreign payment companies have been reluctant to (implement leg-to-leg authentication), citing technical difficulties”. I personally believe the obstacle is related to user experience but if it says “technical difficulties”, I’ll take that at face value.

I have two questions:

  1. Whenever I worked for Indian companies outside India, the first question prospects and customers asked me was, “Who are your customers in India?” So, my question is, if all these security techniques have been invented by foreign companies, why are they not implemented in their home countries?
  2. If these foreign companies can’t implement these systems in their respective home countries because they can’t resolve these technical difficulties, how will India resolve these technical difficulties and implement these systems in India?

I had these questions when the core technologies undergirding 2FA were invented in USA but were not implemented there at the time. (Years later, they’re still not implemented in the USA.)

The same questions are returning now, with the talk of implementing America-invented leg-to-leg authentication of ATM messages in India. (While the article seems to suggest that NPCI has developed this technique, I’m quite sure it’s based on core components invented abroad.)

Maybe I’m wearing a tinfoil hat but, over time, I’ve begun to see the following playbook used by the west – mainly USA – to colonize countries digitally:

Digital Colonizer Playbook

Foreign companies unleash security technologies on India and other unsuspecting countries, watch them impede the adoption of digital payments in these countries because of bad user experience, then come back a few years later with frictionless solutions that solve the UX problems created by their own security products in the past, and take over the market.

The following cartoon is a great illustration of Digital Colonizer Playbook at work.

Maybe that’s the way of capitalism but we don’t have to be the victim by becoming a digital colony.

That said, I’m open to the idea of creating global technology companies out of India such that India becomes a digital colonizer!