On February 13, National Cyber Security Coordinator Gulshan Rai revealed that 1.5 lakh of the 230 crore online transactions processed every day in India are compromised.
Interestingly, the Indian Computer Emergency Response Team (CERT-In) pegs that number at a modest, but no less alarming, 40,054 for the whole of 2017.
CSO India talks to industry leaders in the digital payments space to get a read on what’s putting digital wallets at risk, and why the existing authentication process is simply not enough to keep fraudulent transactions at bay.
Why OTP authentication cannot be relied upon
"Wallets are generally very insecure. The general security practices that people have for wallets are fraught with so many loopholes," says Ramakrishna Gaddipati, co-founder and CTO of Zeta India.
Elaborating his point, he explains that most wallet transactions rely on a One Time Password (OTP) as their only authentication mechanism. Over 90 percent of the people using digital payments are on Android devices, and there are numerous fraudulent apps that users may be lured into downloading by some promotion.
Once installed, these apps have access to the user's SMS. In an Android environment it is no big deal to trigger an SMS for a user and read it, so anyone relying on OTP-based authentication is susceptible to this vulnerability.
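The weakness Gaddipati describes is that the SMS OTP is the only factor, so whoever can read the inbox can complete the transaction. One mitigation, shown here as an added example that is not code from Zeta, Razorpay or the original article, is to bind OTP verification to the device that initiated the transaction: the server accepts an OTP only together with an HMAC computed under a per-device key enrolled earlier. On a real phone that key would sit in hardware-backed key storage and never leave it; in this simulation it is a plain bytes value, and the `OtpService`, `device_proof`, transaction ids, lifetimes and attempt limits are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for the example: a short OTP lifetime and a small
# attempt budget bound the window in which an intercepted OTP is usable.
OTP_TTL_SECONDS = 120
MAX_ATTEMPTS = 3


def device_proof(device_key: bytes, txn_id: str, otp: str) -> str:
    """Proof computed on the enrolled device, where device_key lives.

    Binds the OTP to this transaction and this device: an attacker who reads
    the OTP out of the SMS inbox onto a different device cannot produce it.
    """
    msg = f"{txn_id}:{otp}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


class OtpService:
    """Server side (hypothetical): issues OTPs and verifies OTP plus device proof."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # txn_id -> pending record

    def issue(self, txn_id: str, device_key: bytes) -> str:
        """Create a 6-digit OTP for txn_id; only its hash is stored server-side."""
        otp = f"{secrets.randbelow(10**6):06d}"
        self._pending[txn_id] = {
            "otp_hash": hashlib.sha256(otp.encode()).digest(),
            "device_key": device_key,   # registered when the device was enrolled
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return otp  # this is what goes out over SMS

    def verify(self, txn_id: str, otp: str, proof: str) -> bool:
        rec = self._pending.get(txn_id)
        if rec is None:
            return False
        if self._now() > rec["expires"]:
            self._pending.pop(txn_id, None)
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            self._pending.pop(txn_id, None)   # burn the OTP after too many tries
            return False
        # Both comparisons always run, in constant time, before deciding.
        otp_ok = hmac.compare_digest(
            hashlib.sha256(otp.encode()).digest(), rec["otp_hash"])
        proof_ok = hmac.compare_digest(
            device_proof(rec["device_key"], txn_id, otp), proof)
        if otp_ok and proof_ok:
            self._pending.pop(txn_id, None)   # single use
            return True
        return False


def demo():
    """Simulated attack: a malicious app reads the OTP, but not the device key."""
    svc = OtpService()
    enrolled_key = secrets.token_bytes(32)      # lives on the legitimate phone
    otp = svc.issue("txn-42", enrolled_key)     # sent to the user by SMS

    # Attacker has the OTP text (read from the inbox) and a device of their own.
    attacker_key = secrets.token_bytes(32)
    attacker_ok = svc.verify("txn-42", otp,
                             device_proof(attacker_key, "txn-42", otp))

    # Legitimate device: same OTP, but the proof is under the enrolled key.
    legit_ok = svc.verify("txn-42", otp,
                          device_proof(enrolled_key, "txn-42", otp))
    return attacker_ok, legit_ok


if __name__ == "__main__":
    print(demo())  # (False, True)
```

The attacker's attempt still consumes one of the transaction's attempts, so repeated guessing of a proof burns the OTP rather than leaving it open; the OTP text alone, which is all a rogue SMS reader gets, never completes a transaction.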
Harshil Mathur, CEO and co-founder of Razorpay, shares this viewpoint, saying that the most common reason for data being compromised is a lack of awareness among users, which results in them divulging account details and OTPs via fake emails, SMSes, or phone calls from people pretending to be bank officials.
He points out that there have been cases where customers' cards were used for offshore transactions, because no OTP authentication is in place for these and all that's required is the card details.
“RBI has received a lot of complaints, there have been pro-active measures that have taken place and sometimes the money has been reversed, but most of the fraudsters were able to get away with the money,” says Mathur.
Vimal Gupta, VP of server engineering, IT and InfoSec at MobiKwik, in an earlier interaction with CIO India had stated that the current challenge is to enable more security features to handle malicious traffic. The other factor to be considered is application optimization, to ensure a smoother flow of traffic.
The KYC conundrum
On October 11 last year, RBI mandated that digital payment companies ensure KYC compliance by the end of the year; the deadline was later revised to February 28, 2018. The mandate also states that customers who haven't updated their KYC details can store no more than Rs 10,000 in their wallets.
Highlighting the importance of KYC, Gaddipati says: “The information digital wallet providers have about their customers is next to nothing. And from a customer experience point of view, they can't really deny users access to their money. With no KYC data, digital wallet companies have no information with which the user can be authenticated.”
He adds that the recent Aadhaar breach has unimaginable consequences on the general payment ecosystem. This is because the security questions customers are asked by digital payment companies are generic ones like DoB, father's name, or PIN code. Now all this information became readily available after the Aadhaar data exposure. "I can say that 100 percent of digital payment systems today remain compromised," says Gaddipati.
He explains that if a customer calls and says that his/her information has been compromised, there's no recourse for digital payment companies to act on that information.
Throwing light on emerging technologies being leveraged to bolster security, Mathur cites the example of RBI ensuring that banks adopt NFC-based cards built on the Europay, Mastercard and Visa (EMV) standard. As these have stronger security standards, you cannot use a random OTP on someone else's device, and this is one way of curbing fraud.
With respect to blockchain, he foresees a lot of banks deploying the technology, but it is unlikely to be seen in the digital payments system. However, he believes blockchain can definitely be deployed in the remittances system to reduce costs and operate in real time.