As India braces for a digital payments future, how secure are banks from cyber attacks?
As the government presses ahead from a cash economy towards a less-cash and eventually cashless one, the success of the transition will depend on how the contest between bankers and hackers plays out. Bankers must upgrade and fortify their cyber defences as attackers try daily to siphon funds from banks or steal the credit and debit card details of retail customers. If the easiest way to buy anything from a soft drink to a car suddenly becomes the mobile wallet, a few clicks may be all it takes to rob a bank.
True, in a country where an estimated 98% of transactions are still made in cash, electronic payments replacing cash will not be easy and will take time. But since demonetisation kicked off on November 8, digital payments have got a fillip. That has opened up more opportunities for cyber pickpockets to try to steal card details, PINs and mobile wallet credentials and siphon off money. “India has been at the lower end of frauds as volumes were low. Now, I suspect that will change as digital payments volumes surge,” says R Venkatachalam, managing director, India & South Asia, FIS Global.
Akhilesh Tuteja, partner and global head of cyber security, KPMG, says that if the benefits of digital payments are exponential, so are the risks. India’s central bank itself has flagged concerns in this regard. In an October note, RBI deputy governor SS Mundra said one of the key targets of attackers is the customer’s credentials, as they provide the key to the ‘khazana’ (treasure). “Recent experience shows the involvement of organised gangs and nation-state actors having huge financial backing. On the other hand, the cost of orchestrating such attacks is coming down. There are several reports indicating the availability of customers’ credentials for sale on the dark web, which is really scary.”
The security threat notwithstanding, bankers favour the shift to a digital payments system. A transaction at a physical bank branch costs about 50 times as much as a digital one, and as volumes grow, scale will push the cost of digital transactions lower still. The government’s push stems from a desire to track the flow of money and to curb corruption and the generation of black money. The downside of a digital economy is that millions can be lost in seconds.
A single breach can compromise millions of accounts, as happened in October when the details of 3.2 million cards were stolen in a malware-related security breach. The cards, belonging to customers of State Bank of India, HDFC Bank, ICICI Bank, Axis Bank and others, had been used at ATMs, and the stolen debit card details were later used in China. The heist is still under investigation, but is almost forgotten in the scramble for a digital payments future.
Indeed, one of the primary concerns about the rush to a digital economy, besides the challenge of drawing in the swathes of people who do not even have a bank account, is the threat of cyber attacks. For now the government seems more focused on the second problem: goading people to embrace digital payments. On November 15 it announced a scheme to encourage digital payments of between Rs 50 and Rs 3,000, offering around Rs 340 crore in cash awards for such transactions. The twin schemes, Lucky Grahak Yojana and Digi-Dhan Vyapar Yojana, will be launched on December 25 and run by the National Payments Corporation of India (NPCI) for 100 days. NPCI is the nodal agency for retail payment systems such as the Unified Payments Interface (UPI) and USSD-based mobile banking; the NEFT and RTGS systems are operated by the RBI itself.
Mobile wallets are already seeing tremendous growth in transactions. The user base of Paytm, funded by China’s Alibaba, has climbed from 100 million to 170 million in a month. Likewise, sales of point-of-sale (PoS) machines have risen 200-fold since November 8. “India is on the fastest track when it comes to the growth of digital channel use in financial services. The troika of Jan-Dhan, Aadhaar and mobile is one of the catalysts making it happen,” says Rajashekara V Maiya, head, Finacle product strategy, Infosys.
The problem is that hackers won’t be far behind. According to the latest available RBI data, 13,083 cases of ATM, credit and debit card and net banking fraud were reported in 2014-15 and 11,997 in 2015-16 (up to December 2015). The October breach of 3.2 million cards was the single largest of its kind in India. Globally, Juniper Research expects the value of fraudulent online transactions to reach $25.6 billion by 2020, up from $10.7 billion last year. “This means by the end of the decade $4 in every $1,000 of online payments will be fraudulent,” says Maiya. That 0.4% figure counts only fraudulent payment transactions; it does not include money that could be stolen from compromised accounts.
Another study, by Assocham-PwC, notes a surge of about 350% in cybercrime cases registered under the IT Act, 2000 between 2011 and 2014. Madhur Singhal, partner at Bain & Company, says that, as with other forms of payment, there is a risk if the user does not understand how e-payments work. “Just like losing a signed cheque leaf exposes a consumer to fraud, being negligent with passwords or card details could pose a risk in wallet or net banking transactions.”
Singhal says there are three kinds of risk unique to e-payments. One, device-related risk: if someone loses a mobile phone that has no password protecting the phone or the app, the money in an e-wallet could be compromised, and so could leaving accounts logged in after making payments from a public device. Two, risk from access rights: connecting e-wallets or other fintech apps to other apps such as social networks could lead to data leakage, or to a consumer unknowingly sharing information that should have been kept private. Three, negligence in sharing passwords or OTPs (one-time passwords) with others, especially when using these services in public.
Some other risks are common to e-payments and non-electronic payments alike, for example giving away your account details to a third party. Provided the consumer takes basic precautions, the benefit of electronic payments far exceeds the inconvenience and transaction costs of other forms of payment, especially when ticket sizes are small. Downloading unverified apps and software can also compromise security; high ratings are no proof of authenticity, so users should install banking and wallet apps only from the official app stores and check that the publisher is the bank or wallet operator itself. Banking portals can be compromised as well. Altaf Halde, managing director, Kaspersky Lab, says, “HTTPS (the small ‘s’ for secure) was always thought to be safe. But hackers can get here as well.” Venkatachalam says problems can arise at both the bank and the user end.
“While banks have to regularly update software and fraud detection systems, users should be aware of basics like changing passwords frequently and using unique passwords for different accounts (instead of the same one for net banking, Facebook and Twitter).” The problem could be the hardware as well. Qualcomm’s senior director for product management, Sy Choudhury, recently raised concerns about hardware-level security. “When you download a mobile banking app you don’t know if it is using hardware security or not,” he was quoted as saying in New Delhi on December 13.
Credit cards, debit cards, mobile wallets and net banking fall into two distinct buckets. Credit and debit cards are governed by Payment Card Industry (PCI) standards, compliance with which is validated every year. PCI DSS (the Data Security Standard) is a set of requirements for anyone who stores, processes or transmits cardholder data, covering firewall configuration, protection of stored data (full card numbers may be kept only if rendered unreadable, and sensitive authentication data such as the CVV must never be stored after authorisation), password and user account management, and so on. “If PCI is not adhered to, the card can be compromised,” says Venkatachalam.
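As an added illustration (not code from the article or from any organisation quoted in it), the following Python snippet shows two of these PCI DSS controls in practice: validating a card number with the Luhn check, masking a primary account number (PAN) to its first six and last four digits before it is logged or displayed, and then sweeping a log line for full PANs and for sensitive authentication data such as the CVV, neither of which should ever have been recorded. The sample log line, the field names it uses (`pan=`, `cvv=`) and the function names are assumptions made for this example.

```python
import re

# Constructed sample log line (made up for this example): a merchant's POS log
# that recorded full card numbers and a CVV, both of which PCI DSS forbids.
SAMPLE_LOG = (
    "2016-12-20T10:15:01Z POS-07 sale amount=45.00 pan=4111111111111111 "
    "auth=OK ref=4111-1111-1111-1111 cvv=123 order=9999888877776"
)

# 13 to 19 digits, optionally separated by spaces or hyphens, not glued to
# other digits. Timestamps and amounts do not match; order numbers might, so
# every candidate is confirmed with the Luhn check before it is treated as a PAN.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Sensitive authentication data that must never be stored after authorisation
# (PCI DSS requirement 3.2). Field names assumed for the sample log format.
SAD_RE = re.compile(r"\b(cvv2?|cvc|pin)=\S+", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn (mod 10) check used by card schemes."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS requirement 3.3 style masking: show at most first six and last four."""
    digits = re.sub(r"[ -]", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str):
    """Replace every Luhn-valid PAN in `text` with its masked form.
    Returns (redacted_text, number_of_pans_masked)."""
    count = 0

    def repl(match):
        nonlocal count
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # not a card number, leave it alone
        count += 1
        return mask_pan(digits)

    return PAN_RE.sub(repl, text), count


def find_sensitive_auth_data(text: str):
    """Return the names of CVV/CVC/PIN fields present in `text`; any hit is a finding."""
    return [m.group(1).lower() for m in SAD_RE.finditer(text)]


if __name__ == "__main__":
    redacted, n = redact_pans(SAMPLE_LOG)
    print(f"masked {n} PAN(s): {redacted}")
    print("sensitive auth data stored:", find_sensitive_auth_data(SAMPLE_LOG))
```

Run as is, the sweep masks both copies of the test card number (with and without hyphens), leaves the 13-digit order number alone because it fails Luhn, and reports the `cvv` field as a finding that masking alone cannot fix: that value has to be purged and the code that wrote it corrected.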
Card schemes such as Visa, Mastercard and Amex enforce this, but banks want to control customer information and hence vulnerabilities can exist at their end. Net banking falls under electronic payment channels, and its security protocols (SSL and its successor TLS) are standardised by the Internet Engineering Task Force (IETF). When net banking started more than a decade ago it worked with 40-bit encryption keys; that went up to 64-bit and is now 128-bit. Key length alone is a weak yardstick, though: the protocol version and cipher suite that are negotiated matter as much, and the old SSL versions are considered broken whatever the key size. “This is very good. But when you are dealing with a variety of people with varying ability to transact digitally, the chance of a hacker getting the better of you increases,” says Tuteja. Even if the network is robust (in India it is maintained by the RBI with NPCI as nodal agency), the leaks could be at the bank’s end (software not updated) or the user’s end.
Basudev Banerjee, banking expert at Microsoft, says the systems managing the links from origin to settlement of a transaction are robust and secure, yet the probability of fraud exists at every stage: for example, buying a bottle of water from a roadside vendor by card or m-wallet, transmission of the details to authenticate the user and approve the purchase, completion of the purchase with the user receiving an SMS or a confirmation slip, and reconciliation at the back end.
A hacker could strike at any of the five stages: origin, transmission, transaction, settlement and reconciliation. To keep fraudsters at bay, Vishak Raman, senior regional director, India & SAARC, at FireEye (a security software maker) offers a laundry list of precautions: unique passwords, typing links into the address bar instead of clicking on them, avoiding exchanging sensitive information (even your birthday) over e-mail, enabling two-factor authentication where it is available, and so on. KPMG’s Tuteja says users must change the way they treat the phone. “It’s your bank.”