Post demonetization, we are making strides toward becoming a cashless society. This has led to digital wallet firms witnessing an unprecedented rise in their usage and popularity.
Recently chipset maker Qualcomm said that wallets and mobile banking applications in India are not using hardware-level security which can make online transactions more secure.
Paytm has been the most aggressive digital wallet firm to capitalize the government's policy. To expand its service to small vendors the company ignored the privacy and data security concerns of customers. It pulled back its in-app point of sale feature that was designed for merchants to accept credit or debit card payments after security concerns were raised by payment networks such as Visa and MasterCard over data breach concerns.
“Post our launch, we have had several discussions with stakeholders on how we can make this process even more secure. Based on some suggestions from the industry, we have decided to add additional certifications and features before making it available to merchants,” Paytm said in a blog post.
Indian financial institutions and weak security
In terms of cybersecurity, India is way behind compared to other countries and this ignorance is evident in the Indian enterprises and financial institutions as well.
“Most of the banking or wallet apps around the world don’t use hardware security. They actually run completely in Android mode and users’ password can be stolen. In India, that is the case for most of all digital wallets and mobile banking apps,” Qualcomm senior director product management Sayeed Choudhury has said.
He said that even the most famous digital payment application in India is not using hardware-level security. “Reason we are saying that none of them is using it because we work with OEMs (original equipment makers),” Choudhury said.
In October this year, 3.2 million debit cards were compromised. The worst-hit of the card-issuing banks were State Bank of India, HDFC Bank, ICICI Bank, YES Bank and Axis Bank.
Cyber-security firm, Kaspersky Lab, announced that it had tracked at least one cyber espionage group, called Danti, that had penetrated Indian government systems through India’s diplomatic entities.
These examples clearly indicate that the threat of cyber damage is real and country’s economic strength can be crippled if hackers gain access to either the bank accounts or the stock market.
“Effective public-private partnerships are absolutely essential in the fight against cybercrime to maintain global security. As we are seeing more and more sophisticated attacks – many of which have a global impact – partnerships and information exchange between cybersecurity companies and the private sector are becoming increasingly valuable,” said Altaf Halde, Managing Director (South Asia) Kaspersky Lab India.
The usual "modus operandi" in such incidents with attacks against banks is - spearphishing email with a malicious attachment. After initial infection the attackers uploads to the victim additional tools and started lateral movement inside banking internal network. It takes few weeks for them to gain access to bank servers and system administrators account. After that, they can make money transfers - and cashing out via different ways - SWIFT transfers, from ATM, etc.
A few months ago, a research by Kaspersky Lab revealed the ATM machines' outdated communication standard leaves them open to attack. ATMs can be easily hacked; malware can be installed and funds could be stolen. Almost any ATM in the world could be illegally accessed and jackpotted with or without the help of malware. The main reason for this is the widespread use of outdated and insecure software, mistakes in network configuration and a lack of physical security for critical parts of the ATM.
The results of the research show that even though vendors are now trying to develop ATMs with strong security features, many banks are still using old insecure models. This makes them unprepared for criminals actively challenging the security of these devices. This is today’s reality that causes banks and their customer's huge financial losses.
Many ATMs studied by Kaspersky were running Windows XP, which is no longer supported by Microsoft. This means their security isn't up to date and malicious malware can be installed without too much effort.
Strong cybersecurity laws
Cyber threats may range from email hacks to siphoning off bank funds or crashing the stock market by dumping stocks at the fraction of a cost. A comprehensive Cyber Security bill is the need of the hour and it must be introduced which would recognize each of these threat levels and address them in a proportionate manner.
In a new research paper entitled "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?" published in the academic journal IEEE Security & Privacy, researchers from the University of Newcastle explained how online payments remain a weak spot in the credit card security which makes it easy for fraudsters to retrieve sensitive card information.
The technique, dubbed Distributed Guessing Attack, can circumvent all the security features put in place to protect online payments from fraud.
Cash Vs Cashless
The move to make India a cashless country increases security risks for all citizens, with each account/wallet company becoming a single point of failure.
The drive towards cashless economies is driven by commercial banks and payment service providers rather than governments or central banks. In Sweden, for example, the exercise has been driven by the two major commercial banks, which are closing down ATMs and denying cash services at branches, making it more expensive and burdensome to get hold of cash. But recently the central bank has declared that these banks have gone too far and is calling for a debate in Parliament on the minimum level of cash services banks should offer.
But, what happens when a whole economy is on a cashless system? In Belgium, the entire card payment system broke down the day before Christmas, so those doing their last-minute Christmas shopping had to rely on cash payments exclusively. In fact, if you want examples of cashless economies, you have Panama, which has no central bank and uses the US dollar as a currency. Or Zimbabwe, which ceased printing banknotes in 2009 because they had lost value following an extended period of hyperinflation!
Sacrificing privacy for cashless
A switch to cashless means that each and every transaction will be tracked and documented. This is great for governance, but there is no protection for citizens, as to who owns that data, whom they can share it with, and how it will be utilized. Users are going cashless as they don’t have any choice. India doesn’t have a privacy and data protection law, and last year the Government of India held that “citizens do not have a right to privacy under the Constitution”.
Article 12 of the Universal Declaration of Human Rights – of which India is one of the signatories – explicitly states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.”
Other countries in the world have already enacted privacy laws to safeguard their citizens. France began ensuring data security from 1978, while Canada passed the historic Personal Information Protection & Electronic Documents Act in 2000. Mexico has serious punishments for privacy violators and New Zealand has a Privacy Commissioner.
What began as “surgical strike” on black money has now transformed into a campaign promoting digital economy and cashless life. The readiness of the regime to tackle economic challenges post demonetization has so far been shoddy and the government should ensure that fin tech companies are getting the full security requirements necessary to make the user's data safe.