India has a lot of public policy mishaps such as this. It seems that the people making these rules oftentimes don't do adequate research regarding what's feasible for such a large, developing, and rapidly changing country.
A couple of other examples:
There was recently a rule to limit SMS spam by limiting each cell phone to receive a max of 100 texts per day, there still is a rule where you can't enter the country twice within a certain number of days without getting prior permission, IIT students were arbitrarily limited in the number of hours they could spend online because some administrator thought they should get out more, etc.
> IIT students were arbitrarily limited in the number of hours they could spend online because some administrator thought they should get out more
Wow, I didn't believe you at first, but it appears to be true. [1][2][3]
They appear to be justifying it by claiming, besides that it prevents them from meeting others, that it somehow causes suicide and depression and that it is responsible for falling grades.
Does anyone know if this is still in effect? The most recent article I could find is from 2008.
This happens every now and then in most state-run colleges in India. The pattern is like this - some kid who has never been exposed to the internet comes to college and is exposed to high-speed, unlimited internet and gets immediately hooked. He starts skipping class, eventually starts flunking subjects. At the end of his pre-final year, when he has to sit for placements, he realises his situation and then he kills himself. College admins want to appear to have taken action, and internet access is time-restricted. Eventually, of course, sanity prevails, and we get to go through this whole routine all over again. Happened twice during my 4 years in college.
This was instituted when I was still at IIT because some people just /stopped/ studying, quite literally. I suppose it was a simpler solution than offering counseling for what could (I suppose) be called 'net addiction'. Ahh, memories :)
“If America had a central bank chief like Y. V. Reddy, the U.S. economy would not have been such a mess,” Joseph E. Stiglitz, the economist and Nobel laureate, has said.
Being financially conservative is different from making adoption of new technology difficult. Today, Paypal doesn't work in India, the payment gateways are in a horrible mess and the one-time-password rule has given mobile commerce a huge setback. I believe the problem lies in not going into the details of implementation. There is a fine balance between security and usability which has to be maintained. As someone who is looking to start a web startup in India, I am disappointed by how consumer concerns are being ignored and online commerce is becoming more and more difficult here.
The "Paypal doesn't work in India" statement is not fair. RBI has several guidelines for online transactions of money. It wants to be able to regulate all services that take money out of and put money into the country. Unfortunately, Paypal doesn't want to be regulated by any country but the US. You're acting like a bank, and walking like a bank, only online, be prepared to be regulated like a bank. Paypal made a choice that it doesn't want to be a bank. It's not really RBI's fault, while I do think that they have to think of some other solution to make people's lives easier to accept/transfer money online.
This is not a conservative approach. This is incredibly progressive! Two-factor authentication (when implemented correctly) is a necessary security measure in the world we live in and more banks should mandate it. Today banks simply would rather pay out for fraudulent charges than have to implement this even though there are incredible externalities for customers when their cards are stolen.
I'm quite willing to be convinced that a conservative monetary system has shielded some countries from certain issues, but some economist saying so doesn't make it so, not even if he's a famous economist. So some background on the mechanics would be nice.
I guess it depends on the interpretation of "some", but it only broadly says what he did (mostly keeping the market shielded off from international influences it seems, not quite what other countries should emulate - imagine what would happen if T-bonds weren't available to international buyers, or if Americans couldn't freely invest world-wide). It has no details on the economic landscape in India (for example, I have no idea about the housing market there) and it certainly doesn't address the question what effect a looser regime would have had in the light of the economic issues of 2008/09.
Now it's an NYT article, on the guy himself and not so much on the economic issues, so for the article, it's fine. But the claim that India was shielded from more economic woes because of this guy is a claim that cannot be backed up with just what is in this article.
Doubt he has anything more than hearsay. He's always on the anti-India bandwagon every time such a story breaks out.
Now, I know Black money is rampant in India and that it's almost a parallel economy in some respects but I'm not so sure it's a number as high as this guy claims.
Also, a whole lot of black money is being "cleaned" up by many a politico and funneled back into the country via Mauritius and then that money's reinvested in legitimate businesses like real estate/property development as financiers.
(source: my family friends have a business partner or two with such financial backing)
"In the United Kingdom, about 5 per cent of the population do not have bank accounts. In Australia, about 7-8 per cent of the population do not do banking.
In India, there are a total of 31 crore (Rs 310 million) savings bank accounts, but given the number of multiple accounts, the number of people having savings bank accounts cannot be more than 20 crore (Rs 200 million).
This means around 85 per cent of India's population does not have access to financial services in a cost-effective, transparent and fair manner."
About the SMS limitation - you got it wrong here, the limit is for sending SMSes with the same text and definitely not for receiving them. There's no limit on the amount of normal SMSes (with different content) you can send in a day.
I think that's a pretty good move, spam SMS is turning into a huge problem here.
> there still is a rule where you can't enter the country twice within a certain number of days without getting prior permission
This is by far the stupidest immigration policy in a large list of stupid immigration policies that have been passed. I know a lot of people affected by this crap. This affects tourist visas and so, in foreign high commissions, the visa officers will literally tell you how to cheat the system (by applying for a different type of visa, mostly).
> IIT students were arbitrarily limited in the number of hours they could spend online because some administrator thought they should get out more
Whippersnappers. Back in my day, we had to cycle out to the nearby village to a cybercafe to get internet access. :)
(I actually graduated just the year before they wired all the rooms)
Notice how they made the post on Feb 14, but show only data for Feb 1. Is it really surprising that the first day with the new system saw fewer transactions? Making claims that this move "permanently hobbles India's mobile commerce" based on evidence like this is surely unwarranted.
I really think 3D secure is a good move. All it requires is entering your internet banking password at the time of making the transaction. Is this really so bad for usability?
The system has no safeguards for vulnerabilities like man-in-the-middle attacks, etc. Yet it gives credit card companies the right to deny chargebacks to customers (whose credit card was stolen/hacked) because they can now wash their hands of the matter ("hey only the customer knew the second password... he must have been careless with it, not us").
Man-in-the-middle attacks are made less likely because the 3DSecure page where the user is asked to enter a password also contains a challenge question that was originally added by the user at the time of setting up 3DSecure for his/her account. The user should be able to recognize that this is not the bank's website when the challenge question is not his/her own.
The monkey could also fetch the secret question from the 3DSecure page and show it to the user, right? Or am I missing something here? How will adding more information to the login page make it more resistant against mitm?
In most cases the question is the default. The typical flow is the user tries to do a transaction - bank identifies they are not registered for 3D secure yet - a couple of questions and an OTP later - a 3D secure password is chosen. But the question remains the default one unless the user decides to take the effort of changing it.
> because they can now wash their hands of the matter ("hey only the customer knew the second password... he must have been careless with it, not us")
Rather than downvote, it's easy to factually counter your argument: it's not because e.g. keyloggers or MITM attacks can compromise the account. Then afterward, the 2-factor auth is used against the customer as a smokescreen - basically banks say 'oh but we've got this very secure system, it can't be cracked'. Then you have to get into a very technical argument with the bank, which is either hard to win (because only 1 person involved understands, deliberate or not) or impossible (because most customers don't understand the details, and we can't expect them to).
This is not a hypothetical situation - this already happens in Western Europe! It's hard to hold banks or merchants responsible for fraud. Now they shouldn't always be held responsible, that's the first issue; but even in cases where they are (like when they guaranteed upfront that they'd take the risk of fraud, as they used to do in the early days of online banking/payment) their first line of defense will be vague 'our technology is tamper proof' arguments. Many consumer association websites are full of stories about this.
I think all your points are valid, but they're referring to a different problem - which is how to get control back from the banks to the customer about chargebacks. This problem wasn't introduced by 3D secure, it was always there and it was always just as bad. If you want to replace 3D secure with something that's better, I'm all for it, but this post implies that we should get rid of it as well.
I was able to reset it on the spot by providing my birthday and some information from the card (CVV and expiry date iirc). So really the only additional information someone needs to use my card now is my birthday (and that's without even going to the trouble of MITM).
And if they have your credit card, they probably have your driver's license or something else with your birthday. Either they stole your purse/wallet, or they're a merchant and could ask to see your ID when you used the card.
Agreed. Usability with 3D secure is not bad at all. Breaking the "subscription" model is actually a good thing in the current scenario, where the customer has very little control on when and how he unsubscribes to services, and businesses unscrupulously charge for subscriptions beyond the agreed-on date. This happened recently, when a web hosting provider tried to charge my credit card although I'd canceled - I got an SMS from the bank saying that the charge had not been accepted - how delightful it feels to be in control!
Because there are a few rogue players, should everyone be denied from using a subscription model? How painful will it be to actually subscribe to something and go through this slow painful process every month?
Reminds me of the law that existed up until recently in South Korea mandating that all financial transactions had to be encrypted using ActiveX. Yes. You read that right. It is as mad as it sounds.
India's systems are generally not designed for the "new entrants" and most of the incumbents design the system with walled gardens to protect themselves.
For a startup like us who have a web based software like Basecamp, there is no way we can charge subscription services. In fact no payment gateway exists for us to take credit card payments from Indian customers.
Thanks to PayPal, we can serve international customers much more easily. I have a lot of anger against the people who run India's large services as if it's an entitlement, without caring for the new entrants.
One reason the government has to come up with restrictions like that is because banks and credit card companies do not protect the consumer in case of card theft, unlike here in the US where the customer is liable for only the first $50.
All the fraudulent charges are the customer's responsibility.
I have stopped using credit cards online for over a year, prefer online banking based payments, because it is one username and 2 passwords (authentication, transaction).
I don't like 2-factor authentication, especially with mobile/SMS, when I am abroad or travelling, I still can do my transaction.
Online banking based payments work just fine for local Indian sites, but I haven't found a way to pay US based businesses without a credit card. The only use I've had for using a credit card has been to pay for AWS and Linode.
This is nothing. Every time somebody finds an easier way of doing things, the government and the babucracy finds a way of muscling in and making it as bad as all the earlier options. Some of it is not bad, but others are nuts. I should start a list.
- Vehicles registered in one state can't be used for too long in another state
- Banks have insane policies
- Online electronic tax filing requires that you complete the process in paper format as well. To complete the electronic process you have to send it in by normal snail mail as well. And you can't get acknowledgments.
- Universities don't recognize each other between states
Welcome to India, experience teaches you more than what the documents tell you. Given the downvotes, I need to explain.
Vehicles: why do you even need to pay across multiple states? Pay once, get it to run across India. I don't see a justification for state by state rules on how you use your vehicle. Instead you get cop-stopped, you get questioned, and let off by the usual methods, you know which.
Yes, universities are recognized, but I know from experience that some state universities do not recognize courses from the University of Delhi. Been there and lost 2 years fighting the system, the bitterness doesn't go away.
> Online electronic tax filing requires that you complete the process in paper format as well. To complete the electronic process you have to send it in by normal snail mail as well. And you can't get acknowledgments.
Well, you certainly can digitally sign your return - then you won't have to send your physically signed copy.
There's not too good a way to get around that, is there? You do need to establish your identity by some means initially. Perhaps they can let you renew at less frequent intervals (like they do with passports), but other than that, what do you propose?
The Australian Tax Office will send you an assessment notice after you've filed your tax return, confirming what they believe your income and tax for the past year to be.
When filing online, you can obtain a digital cert by supplying the serial number from last year's assessment.
It usually is :) but Cleartrip might just be right here to blame the banks. Asking for more secure authentication is a good idea, particularly in India where on more than one occasion, I've had to stop people from writing down my credit card number for "the record".
That transaction volumes decreased on the /first/ day 3-D secure (and now, the one-time password) was implemented is hardly surprising, but I think once customers get used to it, it would have returned back to normal.
I agree with your point. I have found it hard to prevent merchants from writing down credit card numbers (!!!) and these additional layers of security are needed for the market.
On the contrary, though I am a regular user of credit / debit cards for online transactions in India - at least 3-5 times a month, I have found it really hard to use my credit card from the beginning of the month since they introduced the one-time-password.
I have not been able to use my credit card even once since this was introduced due to various reasons - the SMS through which banks are supposed to deliver the One-Time-Password is not sent promptly or I do not have a way to get the password to authorize even an IVR transaction in time.
It might all work out after initial issues are resolved but so far I find this to be a pain.
I believe the banks do offer an alternative to go online and generate an OTP.
Of course, this does defeat the purpose of an IVR transaction :)
For what it's worth, I'm optimistic: the banks might listen to customer complaints and actually do something about it. I admit that I have no idea what they could do: AFAIK there's no way a telco could even guarantee that an SMS is delivered immediately after it is sent.