Fear and Loathing — Security in Cashless India

Abhay Bhargav
5 min readNov 13, 2016


Two thoughts simulataneously come to mind when I think about events that have transpired in the last week. One, of course is the demonetization drive, that has affected millions of lives. India’s Central Government recently outlawed the 500 and 1000 rupee notes in an effort to curb black-money, hoarding and controlling prices among many other benefits. This was a seriously gutsy move and I hail the government in making and executing this gutsy decision, even in a severely media-unfriendly climate. As I write these words, people are lining up at banks, trying to either deposit their money or withdraw their money. There is a sense of uncertainty and might I say, panic at this move, that people are trying to grapple with. Several people that I know have lost millions of rupees that they had in cash, because of their sale of property, etc. However, life moves on in India, as it normally does. Our populus has a way of taking these watershed events and “running” with it.

Obviously, this hails the appearance of a “cashless” society, one in which digital wallets, credit cards, debit cards, are going to be the new cash. They have already been adopted by thousands of people. Especially in urban India, fuelled by discounts, reward points and benefits, digital wallets and cards have become the de-facto system of paying for goods and services, especially among the youth of the country. This brings me to my second thought.

Two months ago, I was visiting my in-laws in their apartment. My father-in-law told me of a heart-wrenching story of the security guard in their building. This security-guard was probably 60 years old and had saved some money to live out his days in peace. As you can imagine, his savings weren’t all that sizable and obviously, he didnt have the kind of padding and back-ups that most of us, urban affluent folks do. Someone had called him pretending to be from his bank. Asked him for his debit card PIN. He offered it of course, not suspecting any foul play. Within a few days, he received multiple text messages intimating him of money that was being withdrawn from his account. This was a Sunday and banks were closed. The poor man witnessed, teary eyed , text message after text message intimating him till his account was drained of every last rupee that he had as savings. While I don’t have the details for what happened after. This is a powerful tale of impact in a cashless society.

This is the fundamental dichotomy I see with a “cashless” way of life in a country like India. Thus far, several people, for very legitimate reasons, stay away from cashless equivalents like credit cards. They mistrust passwords, PINs and other authentication forms. They prefer getting their money from the teller at the bank. They prefer standing in line at public services to pay their electricity bills, water bills and the like. And in India, the number of such people in urban and rural settings, is a sizable one. I believe that one of the key challenges with forcing a transition to near-cashlessness would be the massive security challenge and educating the common man on security challenges.

For people reading this, financial technologies like online bank accounts, credit cards and digital wallets come with the need to maintain complex passwords, distinct PIN values, two factor authentication and other security technology that can make your life a lot more inconvenient than cash. This is a challenge even to highly educated folks, as they are not used to remembering passwords and understanding what the hell “two factor authentication” is all about. Tech-savvy folks like me and you might find it trivial to do this and manage life in a complete cashless way, but for millions of people, security is going to be a huge deterrent in adopting a cashless lifestyle.

This is also going to be a massive opportunity for Social Engineering Attacks. Cyber-criminals calling, texting and “WhatsApping” these folks pretending to be from the bank, the government, the income tax department, asking them to reveal sensitive information about their bank account, their digital wallet and so on. I predict, with a great degree of certainty that cyber-criminals will have their hands full of work (and money) with the rewards they will reap from hoodwinking the common man and separating him from his hard-earned money.

How do we solve this?

  • One of the key things that we can do to reduce the impact of this cyber-driven personal finance apocalypse is to educate people. The Government must use simple messaging in multiple languages and anecdotes to constantly educate and keep people aware of the possible security issues that they will face. This is not as easy as it sounds. Any education initiative is met with boredom, skepticism and more boredom. Education like this has to be relevant AND CONSTANT. Sporadic adverts is not going to help. They have to find ways of educating not only the bread-earning folks, but kids as well. Kids are a huge influence on parents and educating them about security dangers is a sure-fire way of getting their parents to take notice. In addition, technology companies, banks and the like must step up their education initiatives and educate their customers on the dangers of these financially driven cyber-crimes. Currently, banks send a lot of communication on phishing. But they are extremely boring and don’t inspire action. Education has to be kept relevant, simple and anecdotal. And finally, education must begin at home. If you are a relatively tech-savvy person navigating a cashless society, you should take the initiative of educating your family and friends about these malicious acts that can affect their lives and pockets deeply.
  • “Payments” in India is a burgeoning industry. Payment and Fintech startups have received a great deal of funding, media attention and government support. However, I still find security to be an afterthought in most of these companies. They still adhere to a simple “check in the box” approach to security mostly to satisfy guidelines and regulatory requirements. This is the time that these companies need to step up to the plate. They need to make security more usable and think about security as part of their user experience and not just a regulatory mandate from RBI or PCI-DSS. They can leverage ideas from Blockchain and Cryptocurrency to create a far-more secure, yet usable experience for their users.
  • I don’t have any data for this, but I feel that insurance companies must offer some kind of cyber-liability and offer it along with the individual’s bank. This will strengthen the assurance that people will get from their bank. This can be incentivized with low premiums for people who maintain strong security practices and so on. While this may not be a huge play for the aam aadmi, it will definitely help alleviate the concerns of several thousands of users in a cashless society.



Abhay Bhargav

CTO of we45 (An AppSec Company), DevSecOps Greasemonkey, Passionate Security Technologist and Creator