Not so long ago, your money-related transactions used to be between you and your bank. It was a closed loop with everything happening in the premises of the bank. The scope for frauds was limited. Over the last few years, as technologies such as internet and mobile banking spread, thousands of people can fall victim to one cyber attack or fraud in a matter of minutes. And with the arrival of third-party financial service providers, such as mobile wallets and UPI, the scope for attacks has expanded, requiring additional efforts from financial institutions to protect their networks and systems.
Last month, when malicious ransomware (in which the attacker locks down your computer and demands money to unlock it) infected hundreds of computers in different countries, questions were raised on how safe we are from cyber attacks, especially when digital transactions are increasing by leaps and bounds. Consider this: the number of Paytm users recently crossed the 200 million figure, all in a period of just seven years. The question arises -- with technology and financial services integrating at a fast pace, how safe is it to transact online?
Here is a detailed account of the different ways to make digital payments and, more important, how secure each one of these methods is.
A vast majority of people in the country do not have access to mobile wallets or debit cards. They still depend on cash for day-to-day transactions. For example, India has 867 million debit card holders and 31 million credit card holders.
To make all these people part of digital India, the government has launched Aadhaar Pay, a platform that allows you to make payments using Aadhaar number-linked bank accounts. It is a merchant version of Aadhaar-enabled payment system which lets you make payments without a smartphone. One just requires the fingerprint of the payer for authentication; there is no need for a POS machine to swipe the card.
Rama Vedashree, CEO, Data Security Council of India, says, "It is a good intervention, as in other parts of the globe it is mostly privately built and supported. Aadhaar Pay also brings interoperability as you can connect with multiple banks."
This payment solution is considered a huge step forward for popularising digital transactions in the country as about 99 per cent of the country's adult population has an Aadhaar number. Considering it the future of digital payments, banks have already started asking for Aadhaar numbers of customers.
However, when passwords are fallible, how reliable can biometric authentication from Aadhaar Pay be, particularly when there have been cases of leakage of Aadhaar data? On this, Rama says, "Aadhaar authentication is pretty strong because you cannot connect to the Aadhaar database except through secured APIs that they have given. It is not that every third party is connecting to the Aadhaar database. They are going through the APIs, through which they need to authenticate."
With the government pushing Aadhaar, we may soon see commercial establishments authenticating transactions through just fingerprints. But how secure will the process be? Can fingerprints be replicated the way they are in sci-fi movies?
Ramaswamy Venkatachalam, Managing Director - India & South Asia, FIS, the largest provider of banking and payment technology around the world, says, "Even biometric readers are getting better. Apart from fingerprints, they try to capture various other things such as the blood flow pattern. The whole market is evolving and one must not become paranoid about the increasing use of technology in the financial sector."
Biometrics include iris scan, which is considered more reliable for authentication considering that many people in India do not have clear fingerprints due to the nature of their work. Another point of concern is testing and certification of third-party apps before they go live in the payment ecosystem. Rama says, "Though the core of Aadhaar seems safe and secure, there should be some framework to ensure that the app goes through all necessary testing and certification."
UNIFIED PAYMENT INTERFACE
The BHIM app, launched recently for fast cashless transactions, has recorded more than 14 million downloads to date. The app is based on the Unified Payment Interface from the National Payments Corporation of India (NPCI), which is used to transfer funds from one bank to another through a virtual ID.
Recently, however, Rs 25 crore moved out of Bank of Maharashtra (BoM) accounts due to a bug in the bank's UPI application, which was procured from a vendor. Explaining how it happened, A.P. Hota, Managing Director and Chief Executive Officer of NPCI, had said after the fraud that "even if the core banking declined a transaction, the UPI at the bank level used to send a success message to NPCI. At NPCI, even if the CBS said no, based on the UPI of the bank, we used to do the clearing and settlement."
Clearly, considering the risks involved around third-party service providers, there is a need for proper regulation and ensuring proper testing and certification of apps.
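The BoM incident above is a failure of status propagation: the bank's UPI layer reported success even when the system of record (the CBS) had declined, and the clearing side trusted that message. The following is an added example, not NPCI's, Bank of Maharashtra's or any vendor's code, that models the two layers in miniature: a defective adapter beside a corrected one, and a settlement-side reconciliation check that compares what was cleared against what the ledger actually debited. All names, balances and transactions are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    SUCCESS = "success"
    DECLINED = "declined"


@dataclass
class CoreBanking:
    """Minimal core banking system (CBS): the ledger of record.
    Balances are constructed sample data."""
    balances: dict

    def debit(self, account: str, amount: int) -> Status:
        if self.balances.get(account, 0) < amount:
            return Status.DECLINED
        self.balances[account] -= amount
        return Status.SUCCESS


def buggy_bank_upi(cbs: CoreBanking, account: str, amount: int) -> Status:
    """Defective adapter (hypothetical): answers SUCCESS to the switch
    regardless of what the CBS decided, the pattern described in the article."""
    cbs.debit(account, amount)
    return Status.SUCCESS


def fixed_bank_upi(cbs: CoreBanking, account: str, amount: int) -> Status:
    """Corrected adapter: the CBS decision is passed through unchanged."""
    return cbs.debit(account, amount)


@dataclass
class Switch:
    """Hypothetical clearing switch: settles every transaction the bank
    adapter reports as SUCCESS (it never sees the CBS directly)."""
    settled: list = field(default_factory=list)

    def process(self, bank_upi, cbs: CoreBanking, txn: dict) -> Status:
        status = bank_upi(cbs, txn["account"], txn["amount"])
        if status is Status.SUCCESS:
            self.settled.append(txn)
        return status


def run_cycle(bank_upi, cbs: CoreBanking, txns: list) -> list:
    """Push a batch of transactions through the switch; return what it cleared."""
    switch = Switch()
    for txn in txns:
        switch.process(bank_upi, cbs, txn)
    return switch.settled


def reconcile(before: dict, after: dict, settled: list) -> dict:
    """Settlement-side control: compare money cleared by the switch with money
    actually debited in the ledger. Returns per-account shortfall
    (cleared minus debited); any non-zero entry means the bank's status
    messages cannot be trusted and settlement must be held."""
    cleared = {}
    for txn in settled:
        cleared[txn["account"]] = cleared.get(txn["account"], 0) + txn["amount"]
    shortfall = {}
    for acct, amt in cleared.items():
        debited = before.get(acct, 0) - after.get(acct, 0)
        if amt != debited:
            shortfall[acct] = amt - debited
    return shortfall


# Constructed batch: the second debit on account A exceeds its balance.
SAMPLE_TXNS = [
    {"account": "A", "amount": 700},
    {"account": "A", "amount": 700},
    {"account": "B", "amount": 200},
]


def demo(adapter) -> dict:
    """Run the sample batch through the given adapter and reconcile the result."""
    cbs = CoreBanking({"A": 1000, "B": 500})
    before = dict(cbs.balances)
    settled = run_cycle(adapter, cbs, SAMPLE_TXNS)
    return reconcile(before, cbs.balances, settled)


if __name__ == "__main__":
    print("buggy adapter shortfall:", demo(buggy_bank_upi))   # {'A': 700}
    print("fixed adapter shortfall:", demo(fixed_bank_upi))   # {}
```

With the defective adapter, 1,400 is cleared against account A while the ledger only moved 700, and the reconciliation flags the 700 gap before settlement; with the corrected adapter the declined transaction never reaches the switch and the check is clean. The point for a defender is the second control: fixing the adapter is necessary, but the clearing side should still verify status messages against ledger movement rather than settle on a vendor component's word alone.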
Anoop Pai Dhungat, Chairman and Managing Director at Galaxy Office Automation, says, "The biggest challenge will be emerging technology risks and how prepared are these organisations to ensure security while embracing the emerging technologies. With platforms such as UPI and mobile wallets, I think regulatory concerns are the biggest bottleneck."
Compared to mobile wallets, however, UPI is tied to your mobile hardware and checks all your technical signatures. It also uses the second factor of authentication (that is, the MPIN password), which makes a transaction more secure.
A mobile wallet works like an electronic prepaid card and can be used to pay for things ranging from grocery to rail tickets without the need to swipe the debit/credit card. All you have to do is to key in the username and password for logging in. The app can be loaded with money either through debit/credit card or net banking.
The flip side is that these wallets mostly rely on the phone's locking system for security and don't ask for any PIN or password while the payment is being made. So, if your phone is stolen, anyone can transfer money using the wallet by merely unlocking the screen.
Rahul Gochhwal, co-founder of Trupay, says, "The biggest security issue is lack of second factor of authentication (password) while transacting. This makes them vulnerable to system-level breaches as transactions can be system generated by a hacker without a password. Thus, technically, a hacker can make thousands of fraudulent transactions simultaneously."
There is also the risk that your phone falls into the wrong hands and is used to make fraudulent transactions. Hence, users should create a personal password (under the security and settings feature) for making mobile wallet transactions.
Several banks have recently started offering digital accounts to their customers. These can be opened through an app on the smart phone without visiting the branch. With these, you can transact round the clock, apart from doing online shopping. Considering the new services that are being rolled out almost every other day, experts say users need to follow safety measures strictly.
"These new channels come with risks such as device falling into wrong hands and unsafe sharing of passwords in public domain. Also, compromises happen when banking/payment apps are connected to social security accounts," says Dhungat of Galaxy Office Automation. He says users need to follow basic safe practices such as "using complex and unique passwords for different accounts, changing them frequently, and using secure apps, preferably enabled with two-factor authentication."
While there have been new threats with the recent expansion of digital services, phishing remains the oldest and the most used technique. It is used to get sensitive information such as personal details, bank account number and password by sending fake e-mails. It works like this. The targeted individual receives an email which looks like an official communication from the bank with a link to a look-alike of the bank's portal. Once you key in the details asked for on the fake site, the data, including your password and PIN, is passed on to the fraudster. Therefore, before making any payment, make sure that it is not a fake website.
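The phishing flow above relies on the victim not noticing that the link points somewhere other than the bank. The following is an added example, not code from the article or from any bank, showing how a client or mail gateway can triage such links against a short allow-list of the bank's genuine hosts and flag the common look-alike tricks (brand name embedded in a foreign domain, digits standing in for letters, userinfo before an "@", internationalised domain labels). The host names and the sample links are constructed placeholders, not real bank domains.

```python
from urllib.parse import urlsplit

# Constructed allow-list of the bank's genuine login origins (placeholders).
TRUSTED_HOSTS = {"netbanking.examplebank.example", "www.examplebank.example"}
BRAND = "examplebank"

# Digits commonly substituted for letters in look-alike domains.
_CONFUSABLES = str.maketrans("0135", "olse")


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'untrusted' for one link."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    if parts.scheme != "https":
        return "untrusted"  # a genuine login page is served over TLS
    if parts.username is not None:
        # "https://bank.example@evil.test/": the text before "@" is userinfo,
        # not the host, a classic way to make a hostile link look genuine.
        return "lookalike"
    if host in TRUSTED_HOSTS:
        return "trusted"
    if host.startswith("xn--") or ".xn--" in host:
        return "lookalike"  # punycode label: likely a homoglyph domain
    if BRAND in host.translate(_CONFUSABLES):
        return "lookalike"  # brand name appears inside an unrelated domain
    return "untrusted"


def flag_suspicious(links: list) -> dict:
    """Map every link that is not on the allow-list to its verdict."""
    return {u: classify_link(u) for u in links if classify_link(u) != "trusted"}


# Constructed sample: links as they might appear in one phishing e-mail.
SAMPLE_LINKS = [
    "https://netbanking.examplebank.example/login",
    "https://netbanking.examplebank.example.evil-host.test/login",
    "https://examp1ebank.example/login",
    "https://netbanking.examplebank.example@evil-host.test/login",
    "http://netbanking.examplebank.example/login",
    "https://unrelated.test/",
]

if __name__ == "__main__":
    for link, verdict in flag_suspicious(SAMPLE_LINKS).items():
        print(f"{verdict:10} {link}")
```

Only an exact match on the allow-list is treated as genuine; everything else is either a recognised look-alike or simply untrusted, which is the stance a user should take before typing a password or PIN. The heuristics are deliberately conservative (they will not catch every homoglyph), so they are a triage aid, not a substitute for navigating to the bank's site directly rather than through an e-mailed link.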
Card cloning is another widely used method to defraud people. Under this, the data of the original card, including the data on the magnetic stripe, is copied onto another card, making it a fully functional duplicate.
Nevertheless, the banking industry, with the help of tight regulations, has been striving to improve cyber security. For example, the RBI, in a release, asked banks and white-label ATM operators to move to chip- and PIN-based card infrastructure by September 30, 2017. "Contact chip processing of EMV chip and PIN cards at ATMs would not only enhance the safety and security of transactions at ATMs, but also facilitate preparedness of banks for the proposed 'EMV Liability Shift' for ATM transactions, as and when it comes into effect," the RBI said.
Malicious insiders are a concern for the insurance and mutual fund sectors too. In insurance, there have been cases of policy holders getting calls from people asking them to surrender their policy. After the policy is surrendered, they invest the money in plans that earn them high commissions. While data theft continues to be a threat for insurance companies too, the online payment option increases the risk. Risks are not very different when it comes to mutual funds. Jimmy Patel, CEO, Quantum Mutual Fund, says, "All mutual fund investments face the same risk that a bank customer faces. The only difference is that in case of a bank account the risk is directly to the account while in case of mutual fund the hacker will have to first hack the MF account to change bank details before making the redemption request." He adds there are checks and balances as they verify the name of the account holder before completing the redemption request. "No instance of wrong fund transfer has happened so far in the mutual fund industry," he says.
With proliferation of digital payments, there is a need for a comprehensive law to make people feel secure. Although we have the Information Technology Act, 2008, we still need further legal recourse to address concerns regarding jurisdiction, evidence collection, coverage of various crimes like cyber extortion, spam mails, copyright infringement and data privacy issues.
Anoop Pai Dhungat says, "The latest IT Act 2008 amendment, when compared to global standards, lacks in a few aspects. First, it does not comprehensively cover crimes through mobiles. We also need a strengthened mechanism for preventing misinformation on social networking websites. Additionally, we need complete data protection guidelines for enterprises."
Akshay Garkel, Partner - IT Security, Risk Advisory Services, BDO India, says, "Indian IT laws are not stringent enough to deal with hacking cases. In case any university or institute network is hacked by someone, the maximum punishment is three years and Rs 5 lakh fine under Section 66, read with 43 (I)."
With fraudsters taking advantage of loopholes in the system, a comprehensive law in the country is certainly the need of the hour. Until stringent laws are in place, you should take the following steps to protect yourself from cyber crimes.
WHAT TO DO?
Encryption is a must. If a device is encrypted, all photo apps, music, account data will only be accessible with a unique key. For this, Android owners can go to -- Settings > Personal > Security -- and see the option 'Encrypt Phone'. The phone needs to be plugged in while the process takes place, as any shutdown will cause an error in the process. Then, they can set a password to access the newly encrypted files. For iOS, under the Settings option, tap on General and then Passcode Lock. You need to choose between a four-digit numeric PIN or something more complex. To set a harder password, slide the 'Simple Passcode' setting to 'off.' For other precautions, see How to Stay Safe.
Alex Suh, Chief Data Analyst, True Balance, says, "However, keeping in mind that online payment gateways and digital wallets are comparatively new technologies, they are prone to many undiscovered attack vectors. Hence, embedding security measures at every step is the need of the hour. As the use of online payment platforms has gone up, the incidence of fraudulent misuse of payment networks and data theft has also grown."
In the end, no one can claim foolproof security. But we need to be vigilant. Experts say the recent ransomware attack could have been averted if people had acted on time: the vulnerability it used had been published months earlier, and the ransomware still managed to attack computers in different countries. Take the necessary precautions and be vigilant to protect yourself from cyber attacks.