Feb 07 2018
Are we geared to handle cyber threats?
With societies transitioning from a cash to less cash to now cashless economies, the success of this transition depends on an aspect that is now becoming increasingly important – cyber security. As the government’s focus towards creating a cashless economy is increasing day by day, there is an urgent need to ensure that the digital payments being made are channeled through a secure channel. As mobile wallets become increasingly the most used methods to pay for purchases, a few clicks of the mouse are all required to rob a person or a bank. To counter this threat, banks must upgrade their cyber defenses on an immediate basis to ensure that customers are not robbed off their money or data due to unscrupulous hackers.
In a country like India where 98% of transactions are cash based, replacing it with electronic payments is not an easy task and will take a lot of time. But post demonetization, digital payments have got a boost and have seen a substantial increase. The increased digital payments have opened up more opportunities for hackers to try and steal credit card details, mobile wallets and PINs.
It has been observed that the risks of digital payments match the benefits of the same. A recent KPMG survey showed that one of the main barriers to the growth of digital payments is security concerns, which have also been highlighted by India’s central bank, the Reserve Bank of India(RBI). According to RBI deputy governor SS Mundra one of the key targets is the credential of the customers as it provides the key to the finances. Recent experience has shown the involvement of organized cyber gangs and the cost of putting together of such attacks is also coming down.
Despite presence of security threat, banks prefer digitalization of payments. This is because the cost of one physical transaction is fifty times more that of a digital transaction. The Government’s main idea behind promotion of digital payments is to track the flow of money and check corruption and black money generation. However, despite all the benefits, a major pitfall of a digital economy is that millions can lose all their money in seconds.
According to several media reports, the government is contemplating imposing a cyber security cess on e-payments companies. The Department of Financial Services (DFS) along with the Ministry of Electronics and Information Technology (MeitY) and the home ministry are said to be preparing such a proposal. This 'security fee' or cess like the Swachh Bharat cess could be used to create better infrastructure that will ensure secure digital transactions. Analysts are however of the view that levying a cess on digital firms is not the right way to improve cyber security of digital payments and creating such a body is not the way ahead to handle the country’s digital payments security.
India’s e-commerce market is expected to grow at a 30 per cent compound annual growth rate for gross merchandise value to be worth $200 billion by 2026, according to a report by the investment bank Morgan Stanley.
Mobile wallets are already experiencing a tremendous growth in transactions.
“India is on the fastest track when it comes to growth of digital channels use in financial services. The troika of Jan-Dhan, Aadhaar and mobile is one of the catalysts in making it happen”, says Rajashekara V Maiya, head, Finacle product strategy, Infosys.
The problem is that hackers would not be far behind. The October 2016 breach of 3.2 million cards was the single largest of its kind in India. There are plenty of instances of the most secure and firewalled databases being hacked into not just for financial profit but also for motivated political and ideological ends. Data breaches have affected big names. From WikiLeaks to the US Democratic presidential campaign to email service provider Yahoo, networking sites such as LinkedIn, all have suffered data breach. Closer home, Twitter accounts and emails of businessmen, politicians and journalists were recently hacked by a group of hackers who called themselves Legion. Government websites have been hacked into and have been defaced several times in recent years. Globally, according to Juniper Research, the value of online fraud transactions is expected to reach $25.6 billion by 2020.
It has been assessed that there are three kinds of risks unique to e-payments. There is device related risk. If someone loses their mobile phone and there are no passwords protecting the phone or the app, money in an e-wallet could be compromised. Even leaving your accounts open when making payments from a public device is a device related risk. Two, there is the risk that emanates from rights access. Connecting the e-wallets or other financial technology apps with other apps like social networks could pose a risk of data leakage or a consumer might end up unknowingly sharing information that should have been kept private. Three, negligence in sharing passwords or OTP (one-time passwords) with others especially when using these modes publicly.
There are some other risks that are common to e-payments as well non-electronic payments — for example, giving away your account details to a third party. Provided the consumer takes basic precautions, the benefit of electronic payments far exceeds the inconvenience and transaction costs one would have incurred in other forms of payment, especially when the payment ticket sizes are small. Besides, downloading unverified apps and software can compromise security. Users should download verified apps with high ratings.
Banking portals also run the risk of getting compromised. While banks have to regularly update software and fraud detection systems, users should also be aware and educated of basics such as changing passwords frequently using unique passwords for different accounts. The problem could be hardware as well.
Credit cards, debit cards, mobile wallets, net banking fall in two distinct buckets. Credit, debit cards work under Payment Card Industry (PCI) standards, reviewed every year. PCI DSS (Data Security Standards) are a set of instructions to store, process and transmit plastic transactions with details about firewalls configuration, storing passwords, information of users and so on. If PCI is not adhered to, the card can be compromised.
Card companies like Visa, MasterCard, Amex do this but banks want to control customer information and hence vulnerabilities can exist at their end. Net banking comes under electronic payment channels and the security protocols are released by Internet Engineers Task Force (IETF).
A hacker could get at any of the five stages- origin, transmission, transaction, settlement and reconciliation. To keep fraudsters at bay, Vishak Raman, senior regional director, India & Saarc, FireEye (a security software maker) offers a laundry list of precautions that should be adhered to. Some of these precautions include unique passwords, typing out links in address bars instead of clicking on links, avoid exchanging sensitive information over e-mail, enable two factor authentication if available.
The usage of digital payments is expected to rise as more point of sale terminals are installed across the country as the Centre has made this a priority and announced ambitious targets. While users of payment cards are the most vulnerable, both in India and globally, others are not exactly safe. Hackers such as Legion claim India’s cyber security is weak and that they already have access to mountains of sensitive data. That should have us worried about the security of our financial data. In such a fast changing, high-risk environment, cyber security related to finance systems and digital payments needs be a high-priority item.
Digital payments-Analysing the cyber landscape - KPMG