And then there are incredible incidents like this: I received an SMS from a loyalty program a few weeks back:
Login at www.raymondrewards.com with your mobile no. & password <base-64 encoded string> for program benefits. Update your birthday & get 750 bonus pts in your birthday month.
And I just sank in utter despair.
What is the actual logic behind banning pasting, anyway? Is it just anti-scripting? If so, it seems like locking the account after a small number of bad attempts would be enough.
When I was there, my colleagues mentioned that most people find any kind of password such a burden when using a service that they see usage drop significantly if they enforce strong password requirements. I don't think that is a reason not to; I am just saying what the reality seems to be. Hopefully it's just a subset of the population and most of them (increasingly) care about security.
Also are privacy/security laws enforced as strongly in India as other parts of the world?
It depends what you mean by "privacy". A vast majority of Indians grow up in an environment with a lack of privacy in personal life. Imagine 3-4 people (or more) in a family growing up in a 2-room accommodation.
Most people I know have no issues giving away PII: phone numbers, addresses, income-tax identifier, Aadhaar (social security numbers, for those unaware).
> Also are privacy/security laws enforced as strongly in India as other parts of the world?
Not quite. Law enforcement and the general public are not really aware of a lot of these laws. Right to privacy being a fundamental right was something that was debated in the courts in 2017.
That is a good perspective on how your social life in the real world indirectly affects your online world. Thanks for sharing.
Grew up with 6 people in a 2 bed apartment and our family income put us squarely in the middle class.
My neighbours at one point, had ~8 people in a 1 bedroom. I used to think of myself as the one with the big house.
Privacy was a dream. My parents themselves didn't get privacy, let alone us kids.
Having said that, subscription-based startups struggle due to the compulsory use of OTP and therefore resort to yearly subscriptions rather than monthly (ex: Amazon Prime).
We have SBI as our client and they often raise issues to us. Most of their technical staff is a joke, because they don't even follow basic etiquette during a call.
For example: the engineer from SBI allowed me to have control of her server and, in a carefree manner, called her BF. She knew I would take about 45-50 min to fix her issue, so she went on gossiping with her paramour in the regional language, and all of her lovey-dovey talk was audible to me loud and clear. She didn't even bother to mute her mic. In the same state of passion, she went to have her lunch without bothering about me (she's supposed to be at the server while I am working). After some time her server got locked because I was pondering over the notes on my computer. I had to wait another 30 min for her to finish her lunch and be back at her cubicle to unlock the server.
Anyway, it's not that a criminal needs to target the banks for sensitive data when the govt has made it easy by providing a central repository of citizen data in the name of Aadhaar; for ease of use, it is linked with bank accounts & mobile numbers as well!
Moreover, Azure is the cloud storage provider for all govt data moving forward.
So not only would Bill Gates support Aadhaar; the NSA & every party benefiting from privacy abuse would.
In short it will be mostly activist rage on Twitter, and beyond that nothing much actually.
So I guess this is mission accomplished? /s
So despite the fact I would rather not have a nationalized bank account at all, I'm forced to keep one just in case something else changes in future without any notice. And that's one reason why many other people prefer to open at least one (first) account there.
https://timesofindia.indiatimes.com/city/bengaluru/Private-b... [apologies for this terrible website]
I have an SBI bank account but I've never had to use it for anything in the past half a decade. So I would dispute your claim that it's indispensable.
 - https://portal2.passportindia.gov.in/AppOnlineProject/popupo...
 - https://portal2.passportindia.gov.in/AppOnlineProject/pdf/Ci...
And you could get India Post's address proof. A very little-known feature, but excellent. I have used it once in a city where I was only for 5 months.
Do they have pretty restrictive minimum deposit amounts or something?
Nationalised banks have zero minimum balance accounts.
Btw, I got my PAN number in late 1999, I think.
The Indian banks, especially public banks, have been hounding everyone with an account for their Aadhaar number for the past 3+ years. It only stopped when the 5 judge bench of the SC ruled last year that Indians have a Right to Privacy and Aadhaar cannot be demanded for everything.
I'm currently in India, in the finance field, and I think it could happen to my company (passwords on post-its, computers left with unlocked sessions, some servers accessible from any employee - or anyone inside the office actually...). Security is sometimes tough to advocate, and raising awareness is easier said than done.
And I can't claim not to be part of the problem - I'm forever wandering off to get coffee without locking my screen, holding doors for people I kinda think I might recognise... every security sin you can name, I'm guilty of it at some point. And so are you. Yes, you. No, probably not you, Mr. Schneier.
One thing I learned is that, with the exception of those directly concerned with the firing of weapons in anger, most military personnel don't give a hoot about operational security, and they HATED our IT department who did.
Given the employment structure of Public Sector Banks, it's always a challenge how the tech infrastructure is maintained.
And I quote: "The passwordless database allowed us to see all of the text messages going to customers in real time, including their phone numbers, bank balances and recent transactions. The database also contained the customer’s partial bank account number. Some would say when a check had been cashed, and many of the bank’s sent messages included a link to download SBI’s YONO app for internet banking."
Most importantly, why wasn't this tested for security purposes and instead allowed to go live without adequate QA?
Most of these data leaks and hacks occur at nationalized banks/govt institutions. Thanks to various legacy decisions such as quotas on everything other than skills and merit, politics, decades of socialism, etc., the actually skilled tech workers (or any kind of skilled workers) go to private institutions or emigrate. You won't hear of any private institutions having data leaks with such frequency. Private sector companies have high standards. Many of the high-performing and skilled people across the USA are Indians.
What not many people understand is that up until the last two decades, the only comfortable job in India was in the government. Private sector jobs were few and far between.
Therefore, parents often pressured kids to get into government services so that they could get official cars, manors and "benefits" without having to do any work. You can imagine what kind of people get into government institutions with such a culture. Rank idiots and rote learners. No one in India is surprised by such shoddy inefficiencies in a govt agency. It's basically expected.
Politicians do not try to change this culture as it benefits them immensely and because of opposition pushback. Modi has been trying to offload more and more government agencies into the private markets, but the sheer amount of bureaucratic pushback is not helped by the opposition trying to portray him as a crony capitalist to earn political brownie points.
Curious what the more canonical opinion is on this.
This article provides a little bit of information, but oftentimes these articles provide little to no information about the nature of the breach, point of weakness, etc.