With the current cash flow deficit, people are being forced to make digital payments. Without proper precautions and security policies, the highly reactive nature of cybersecurity leaves us vulnerable to cyberattacks.
One of the biggest financial data breaches in India, exposed in late October, had compromised the financial data of over three million users and victimised major banking companies. The breach occurred when a network of Hitachi ATMs infected with malware enabled hackers to steal users’ login credentials and make illegal transactions. Following this, companies issued new cards and asked customers to limit their ATM usage to those operated by their banks. However, a few weeks after the breach, the demonetisation announcement pushed people to do just the opposite — rush to withdraw money from just any functioning ATM. Till date, there has been no communication from banks or the Reserve Bank of India assuring the public that the infected ATMs have been taken out of service or fixed to prevent further breaches.
Digital transactions
Over the past week, digital payments have hit record transactions: PayTM said there was a 200 per cent increase in its mobile application downloads and a 250 per cent increase in overall transactions; MobiKwik said its user traffic and merchant queries increased by 200 per cent within a few days of the government’s announcement. Companies such as Oxigen and PayU have also seen a rise in their service usage.
This trend is certainly heading in the right direction if we are moving towards a cashless economy, but the speed of technological development and its integration into our economy far supersedes the speed of defence mechanisms and protocols that could mitigate cyberattacks. Cybersecurity is unparalleled and reactive in nature, which begs the question: is it safe to utilise these new payment platforms?
PayTM, for instance, is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0 certification, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and a few other international dealers. This is an essential certification for companies that store credit card information. PayTM and other such companies also use 128-bit encryption technology to crypt any information transfer between two systems. It takes more than a hundred trillion years to crack a password under 128-bit encryption. Needless to say, transactions via these companies are fairly secure, hence there is little doubt that companies taking advantage of demonetisation are employing their share of precautions for secure transactions.
However, this does not mean that these precautions won’t make us invulnerable. Apart from login credentials, hackers target other things. For example, just a few weeks back, hackers breached a British mobile company, Three Mobile’s database, putting at risk the private information of six million users, which was later used to purchase mobile accessories at the users’ expense. Other uses for stolen data include underground sales, identity theft, or targeted personal attacks such as extortion. According to the 2015 data breaches study by IBM and the Ponemon Institute, India is the most targeted country for data breaches.
While these attacks may appear sophisticated, there are easier methods that anyone with basic IT skills can deploy. These include creating fake mobile applications and spyware that steal information, or social engineering tactics that make you reveal your login credentials. Forums on the Internet are flush with step-by-step instructions on how to create fake websites that imitate digital payment platforms.
The larger concern, however, is that if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, also experienced cyberattacks, what does that imply about unsuspecting users? Most new users, especially street vendors, have been forced onto the digital payments bandwagon. Are they aware of the security risks involved? And even if they are, what precautions can they take to minimise the potential damage from attacks?
Collective responsibility
Companies, customers, and the government should collectively participate to mitigate cyberattacks and minimise its damages.
First, all companies that offer platforms or services enabling digital payments should increase awareness among their customers of the risks, and educate them on ways to secure themselves. They must employ behaviour analytics and pattern analysis at their fraud prevention departments to predict suspicious behaviour. They must be proactive in looking out for any fake applications or websites that masquerade their service. They must monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, and implement measures to thwart such tactics.
Second, the government should check if the current policies regulating these platforms are adequate and update them regularly. People must be educated on the risks involved, strict policies must be enforced, and companies accountable for not meeting security standards must be held. Benefits that come from overlooking security precautions must be minimised, and public-private partnerships on live information sharing about cyberattacks and fraud should be strengthened.
Third, customers should educate themselves about the risks involved and take precautions. They must minimise vulnerability with two-factor authentication and change their password frequently. They must check the authenticity of applications by looking for the number of downloads and read reviews by other users — the higher the number of downloads and reviews, the higher the chances that the application is legitimate. Customers must also check for other application releases from that developer. For instance, they must check the Website’s authenticity by searching for the proper spelling of the Web address, check if the Website is secure by looking out for a green padlock symbol on the left side of the Web address, and keep Web browsers updated so they can recognise illegitimate sites easily.
Prime Minister Narendra Modi recently asked people to embrace the digital cashless world, reiterating that digitisation of economic activities is here to stay. In the midst of going cashless, we should not cast a blind eye to the security aspect of digital payments. We all share a collective responsibility to build a safe and secure digital infrastructure.
Puru Naidu is a research analyst with the Takshashila Institution. Ranjeet Rane leads the digital policy team at The Dialogue, an online policy analysis portal.
