India's Plan to Bring Digital Banking to 1.2B People (bloomberg.com)
78 points by elorant on April 16, 2016 | 53 comments


Here's an anecdote about India.

They started requiring customer authorisation on all card transactions recently (signature doesn't cut it and no Paywave for you). There were reports on how that forced Uber to use a local payment gateway.

Anyway, couple months ago I was in Chennai, went to a restaurant with a customer and when the bill came which customer didn't give me a chance to pick up, they handed over a card AND a PIN number for the card.

I was shocked, naturally. The customer explained to me this is standard practice and "a requirement" now for locally issued cards.

It isn't really, but since most terminals are wired and installed at the checkout counter, Customers aren't invited to enter the PIN over at the other end of the venue and aren't keen to, frankly. It is upper class who uses cards for payments and psychologically and culturally they're expecting a full service. Walking to the terminal to enter a PIN is a bit of a "walk of shame".

So, that's how best government intentions turn into known, en-masse and country-wide security hole and a direct breach of banking service contract, that requires customer to keep PIN private and waives any responsibility if PIN is shared.

I would not at all be surprised if this 12-digit personal API ID will be shared just as easily as a card PIN.


I'd like to clarify a couple points here. The terminals have been in use for years now across petrol pumps, restaurants, malls, pubs etc. And the majority are the wireless kinds now where they bring the machine to you to punch in the pin number.

And the cultural part about the upper class finding it a walk of shame is, quite frankly, ridiculous. Instead, we feel secure giving out the pin number because we know that the person needs the card and the pin to make a transaction and we'll get an SMS the moment a transaction goes through. And more often than not, we're too lazy to walk to the terminal so we just tell the waiter the pin number.


>It isn't really, but since most terminals are wired and installed at the checkout counter, Customers aren't invited to enter the PIN over at the other end of the venue and aren't keen to, frankly. It is upper class who uses cards for payments and psychologically and culturally they're expecting a full service. Walking to the terminal to enter a PIN is a bit of a "walk of shame".

In the last 2 years or so, since PIN has become mandatory, I've come across one instance where the hotel asks for the PIN in this manner. Most of them have wireless terminals now and the others ask you to come over and type in the PIN. This experience is quite rare in Chennai or Bangalore.


I have been guilty of sharing the PIN in restaurants, when they don't have wireless terminals (which happens very rarely). There are a couple of reasons why I didn't feel it was a security hole.

1. All Indian cards are chip cards, hence they cannot be replicated (or not replicated quickly)

2. I get a transaction message immediately. I know exactly how much money was charged into my account.

3. My credit card cannot be used anywhere to make a transaction > 20$ without a 2 factor message to my phone.

All these security ideas are built into the system and it's not opt-in.


Thanks for clarifying, peeps! As you understand, I'm selling it at what I bought it for, merely retelling what I've been told. In this particular case, the bill was definitely more than $20 and to my knowledge, there was no 2-step auth, just a notification.

I've definitely seen it more than once and it also does seem to me that wired terminals are still quite common, but I might be wrong since I, naturally, pay with a foreign bank's card and don't have to punch in a PIN.

Afaik, fully cloning a chip card is fairly easily done with a cloning device, one of those you might have seen hooked up to an ATM.

And I'm happy that you guys seem to be content with the way things are. I'd be totally paranoid having to share my PIN even once, ever. I mean, after that someone should be able to withdraw tons of cash and after I see the notification, the bank would be in their full right to refuse reimbursement on the grounds that I shared my PIN. And they'd be absolutely right.

Cheers!


> I'd be totally paranoid having to share my PIN even once, ever. I mean, after that someone should be able to withdraw tons of cash and after I see the notification, the bank would be in their full right to refuse reimbursement on the grounds that I shared my PIN. And they'd be absolutely right.

Well, most of us have a separate account for making small transactions like these. Even if it gets misused I won't lose much.


Now a lot of establishments are getting wireless terminals, which they bring to your seat.


I was under the assumption that the 12-digit ID is public data, the bank account number, not the password to access it. Unless they can scan your iris and derive the number themselves to identify you, which makes it similar to a bitcoin address, while the private key for that address is your biometric data.


I very much doubt they plan to equip POS's with biometric readers, not to mention I doubt there's a reliable enough tech to deploy at such scale.


Can relate to some parts of this. Controls are bypassed routinely. The concept of privacy is a foreign idea, almost. People don't understand basic elements of security. But openly giving up your PIN seems quite silly. Not shame as much as laziness and stupidity, it seems.


The plan is based on a national identity system with 80% penetration:

> So far, India's attempt to assign every citizen a unique 12-digit number associated with a person's unique iris, fingerprint or facial features, is succeeding—just last week, Aadhaar reached its milestone of registering 1 billion people. With more than 80 percent of Indians enrolled, it gives the payments system a solid base to build on.

This reminds me of an article I read awhile back talking about the things that technology has made disappear. Farms. Factories. Horses. Many diseases. And so on. It ended with the question: what fixtures of current life are likely to disappear in the future?

A commenter responded with one word: "privacy."


I held off for a very long time. I realized finally that if it is OK for me to give these details to foreign governments ( for visa ) at least I should not be so uneasy about giving it to the Indian government which ( at least theoretically ) have the responsibility to defend my interests.


>> ...giving it to the Indian government which ( at least theoretically ) have the responsibility to defend my interests.

That's an assumption not borne out by facts. The Indian govt. has denied that citizens even have a right to privacy [1]. And there is no recourse (or even disclosure requirements) if a citizen's data is lost, stolen or misused under the Aadhaar ID system [2].

This is not to say Aadhaar or the Indian govt. are bad, but I'm just contesting your point that Indians "should not be so uneasy" about giving up their biometrics and other data to the govt. There are massive, valid concerns.

[1] - http://timesofindia.indiatimes.com/india/No-fundamental-righ...

[2] - http://indianexpress.com/article/opinion/columns/aadhaar-bil...


Banks can't arrest you for violating bogus immoral crimes. Your government can. You should be much more afraid of the government violating your privacy than your banks.


Seems like India is leap-frogging way past where the U.S. financial system is. On the other hand, I worry if all this personal ID data got hacked.


India is way ahead of the US financial system. I am a student here in US and I can't really fathom how bad the US financial system is.

- Intra bank wires / transfers are free and happen within 10s

- Cheques are free

- You don't have a system where you can lose all your money if you give your handwritten cheques to somebody (who came up with echeques anyway?)

- You don't get charged to have a checking account. They pay you interest for your account.

- Get a message about every transaction, every withdrawal that you do immediately.


Indian banks have their own problems. I have spent lots of time dealing with Indian banks which want me to show up in person to handle certain account issues while I was in the US. Security works more by obscurity where you have to provide lots of details, which can be bad if you don't regularly use the accounts. Customer service depends on the situation. When I deal with private banks, I will be treated really well (with offers of tea/cold drinks/snacks :) & personal attention from the manager). My dad, who deals with public sector banks in a rural area, tells me that he dreads to go near banks. The managers apparently are super rude, with a condescending attitude towards rural people.


I'm not going to argue against the general thesis that the US banking system is antiquated, but I gotta pick these nits:

- Checks are usually free in the US.

- You don't usually get charged to have a checking account in the US.

- The lack of interest on most US checking accounts is due to the very low inflation rate and nearly zero federal rate. Adjusted for inflation, what is the interest rate of your Indian checking account? Back in the 70s when inflation was high in the US, checking accounts that carried interest were not uncommon. I do seem to remember that they were called something else, but I can't remember right now.


>> - You don't usually get charged to have a checking account in the US.

I have to maintain a minimum balance of 1500$ for the checking account to be free.

>> - The lack of interest on most US checking accounts is due to the very low inflation rate and nearly zero federal rate. Adjusted for inflation, what is the interest rate of your Indian checking account? Back in the 70s when inflation was high in the US, checking accounts that carried interest were not uncommon. I do seem to remember that they were called something else, but I can't remember right now.

Agreed. I got carried away trying to make a point :).


Pick a different bank. Almost every bank I walk by offers free checking with $100 balance, or even less


Pick an even better bank and you have no fees, non-negligible interest, and free ATM withdrawals with fee reimbursement worldwide. You'd have a hard time finding many other banks in the world that offer that.


A lot of Indians frequently mention "message for every transaction" as a positive. I see it as a negative. Cash use is declining in most European countries, and if I had to use 2-factor every time I paid for a pack of gum with my card I'd go nuts. Instead my card providers provide risk-based alerts, e.g. when I shop at a new place (I recently received an alert while ordering furniture at a new online store). Overall fraud rates are pretty low in Europe, so this probably works out okay for both customers and card providers.

That said, given how much malware there is on the average Indian PC/phone, perhaps two-factor makes more sense there.


Inter bank transfers are also instantaneous and cost $0.08 per transaction


They seem to be starting from scratch and the U.S. financial system is probably the worst system available in first world countries so it makes sense that they'd skip it.

It'd be fantastic if the U.S. would follow their example and take more than baby steps out of the 20th century.


Hacking is definitely a worry. A bigger problem might be communicating and teaching people not to part with this information easily.


People were forced to get UID by misinformation. The people were led to believe it was compulsory. Only by intervention of the supreme court, the govt was forced to admit it was optional. This was introduced undemocratically without legislative back up with an executive order. An example of corporate insensitivity to democracy. BJP pretended to be against UID before election. Now they have conveniently forgotten their stand.

Now there is legislation for UID, but this was introduced by deception. It was introduced as a money bill in parliament, so that rajyasabha could not discuss it (BJP has majority in loksabha). A money bill can only deal with govt finances but it is now used to give approval for data collection, which needs a constitutional amendment in a real democracy. This is again undemocratic and fascist. The stated aim of biometrics was to avoid duplication, but by insisting on 10 fingerprints and iris, the real aim is data collection itself. But they are really not sure UID biometrics is enough to avoid duplication; there is a condition like you can only apply for it once. UID is successful by deception, ignorance, and undemocratic methods.


Exciting, but I'm wary of journalism that presents no critical voices.

This was interesting:

> Srikanth Nadhamuni, chief executive officer of Khosla Labs, said the best way to think of the project is by comparing it to how shampoo was introduced in India. Decades ago, most people couldn't afford to buy an entire bottle of shampoo, so Unilever, Procter & Gamble and other companies sold them in small sachets that people could afford to buy, paving the way for marketing everything from detergent to toothpaste in rural areas. Nadhamuni is betting that the new digital payments system will be low-cost, high-volume, like a "shampoo-sachet revolution in the financial sector."

Perhaps this tech could help with micropayments elsewhere.


I'll disagree with the fact that multinationals like Unilever and P&G started producing and marketing sachets in India. This was pioneered by an Indian entrepreneur, Chinni Krishnan [1]. These firms just ended up copying their business model.

[1] http://www.rediff.com/money/2007/mar/22bspec.htm


Funny reading that, multinationals introduced relatively useless products to the masses using small quantities they could afford. The first hit is free.

This is more about control than actually improving anything. India still has problems with terror that could be better tracked if all finances could be scrutinized. Corruption too. If we can only get Pakistan to do the same.


Why are toothpaste and shampoo "relatively useless"? I believe there are many health benefits to using them.

I don't know for sure, however, because I've never tried going without them for long ... let me know how that goes.


Shampoo is maybe useful. Some sort of soap + scalp action, occasionally, is beneficial. Plenty of people in the west don't use shampoo or use it rarely.

You don't really need toothpaste. It's the brushing part that's good for removing detritus from your teeth.

Edit: Downvote with no comment? How is this comment non-constructive, so I can avoid doing it in the future?


I didn't downvote you, but perhaps somewhat extraordinary claims require a little evidence.



For toothpaste they were already using other things. And shampoo does not have health benefits. Maybe it makes you smell a bit better, but rural Indians don't care too much about BO even now.

ex for toothpaste: http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3545237/


I can't even begin to describe how condescending your comment comes across as.


Setting aside the fact that condescending comments aren't mutually exclusive with true ones, I wonder if those packagings weren't "relatively useless" simply for the fact that small packagings usually tend to be more expensive in the long run. It's more or less the same problem as with poor people in developed countries not being able to save money on batch buys, especially in case of supermarket discounts.


That's not what he said. You're putting words in his mouth.



I take it this plan is going to be executed by the 2% of Indian programming graduates who are employable.


In a country where genocide and sectarian violence are a regular occurrence†, I am sure that a detailed database of religious affiliation, biometrics, photographs, and addresses won't be misused.

Much like the Dutch census, history will look back at this registry of citizens with horror.

http://time.com/3545867/india-1984-sikh-genocide-anniversary...

http://www.theguardian.com/commentisfree/2014/apr/07/narendr...

https://en.wikipedia.org/wiki/Graham_Staines

http://www.bbc.com/news/world-asia-india-30288169

https://en.wikipedia.org/wiki/Anti-Christian_violence_in_Ind...

https://en.wikipedia.org/wiki/Violence_against_Muslims_in_In...



If you remove the links from the parent's comment, the main point is valid: "In a country where genocide and sectarian violence are a regular occurrence, I am sure that a detailed database of religious affiliation, biometrics, photographs, and addresses won't be misused."

This point applies without regard as to who is responsible for the violent acts. There are large scale acts of violence (which is horrid) and a database such as this can/may be used to facilitate future acts of violence.


I think GP was pointing out the fact that people in power are in fact Hindu nationalists who can misuse power. Islamic terrorists are not in power, Hindu nationalists are.


I didn't know opinion articles from The Guardian count as facts. The other wiki pages about Christian Church burning have no link to the government in power. Not sure what the implication was there. The Sikh riots did not have a religious motivation, rather a fallout of operation Bluestar and the resulting assassination of Indira Gandhi (A congress leader, the party which is supposedly far left on cultural issues. Their party members killed 2500+ Sikhs in 1984.) Not sure what the connection to BJP there was either.

According to this:

https://en.wikipedia.org/wiki/Assault_on_T._J._Joseph

it was a Muslim who cut off a Christian professor's hand in South India. His wife committed suicide because he was fired. Of course BBC, Guardian, Firstpost and all other far left websites will not report this. On censorship happy sites like HN and reddit they have successfully created massive propaganda against the Indian government. I can spout nonsense as facts too. Here are examples of some 'facts' for you then:

Maybe Obama is a Muslim according to this: http://www.conservapedia.com/Obama's_Religion

Maybe Merkel is a traitor according to this: http://www.breitbart.com/london/2015/10/29/hundreds-germans-...

Maybe Bernie Sanders is a communist according to this: http://nypost.com/2016/01/16/dont-be-fooled-by-bernie-sander...

OP is parroting the conspiracy theory that millions (still a small % compared to India's billion+ population) do because they cannot digest seeing Modi in power. I can go full conspiracy mode and point out who owns left wing media outlets but I don't think HN is a place for such discussions. There are hundreds of reports of Hindus being killed in minority rich areas in India, but unfortunately these incidents aren't covered in BBC and Guardian because Hindus are a dying majority in India.


>because Hindus are a dying majority in India.

Curious what you meant by that. Care to explain?


Hindus have always been the majority on the Indian subcontinent (around 90%), similar to how the majority of Americans (after the 1700s) have been white. The prime worry of the Hindu population seems to be that gradually they would represent smaller proportions of the overall population. The reasoning behind this is that although you can convert to other religions, it isn't possible to convert to Hinduism. In 1951 Hindus were 84% of the population. In 2011, that had dropped to 79%. [1]

With the loss of majority status, it becomes difficult to dominate the political discourse like Hindus do today. Just like how it was impossible to think of a non-white person becoming President of the US, it is also impossible to think of a non-Hindu holding any serious power in India for the foreseeable future.

Note for those unfamiliar with India - the language Hindi is unrelated to the religion Hinduism. It's possible to be a Hindi speaker and not a Hindu and also possible to be a Hindu and not a Hindi speaker.

[1] - https://en.wikipedia.org/wiki/2011_Census_of_India


It is always possible to convert to Hinduism. There is no authority that decides if you are Hindu or not. You just are if you believe that you are.

Lest I digress. You can be a Hindu today if you want. Just start incorporating Hindu philosophies in your life. Choose an atheist one if you like.

PS: Not advocating anyone to convert to Hinduism. In fact I think that the lower castes should abandon Hinduism if the upper castes don't reform fast enough.


> it is also impossible to think of a non-Hindu holding any serious power in India for the foreseeable future.

The last prime minister was a Sikh, the leader of the party which was in power for the last 10 years was an Italian Catholic.


After my discussions with Srikanth Nadhamuni I understand there to be no religious data in the UID database. I also haven't read anywhere that this is the case.


It will be linked to their national census which records religious data.

http://www.deccanchronicle.com/151015/nation-current-affairs...


Audacious plan? That would be getting their 1.2 Billion people reasonable access to fresh water and indoor plumbing.


So any other plans should be put on hold while doing this?

Access to sanitary facilities has been one of the prime agendas of Modi's elections and he is delivering on it too.

http://qz.com/505276/narendra-modis-most-popular-move-so-far...


Sigh. No, I did not suggest that all other initiatives should be put on hold. The pivot, fulcrum, etc. for my comment was the use of the word "audacious" in the article title. Since the use of brevity has... muddied the waters:

I don't think the deployment of yet another digital payment method that allows for the highly centralized storage of personal information, in a country that does not yet have enough toilets (yes, there is an initiative under way) or reasonable access to fresh water, qualifies as audacious.

I suppose I may have pulled up short on the Audacity Scale by copping low with sewage and water, instead of mentioning crime and air pollution.

Of course, YMMV.



