27 November 2016

Beware the security risks before you jump onto digital payments bandwagon

November 23, 2016

Deficit in cash flow has forced users into digital payments. Without proper precautions and security policies, the highly reactive nature of cyber security leaves us vulnerable to cyber-attacks.

The whole demonetization of currencies has shaken our country to its core. In the past week, we saw how it affected people at all levels and how they were coping with it, hoping for the better in the near future. While the challenges still persist, it has nudged people towards digital transactions even for their daily needs using virtual wallets, PayTM and others. Companies that enabled digital payments acted as buffers soaking up some of the pressure. In fact, there was a surge in digital payments hitting records high over the past week; PayTM saw a 200% increase in its mobile application downloads and a 250% increase in overall transactions. MobiKwik saw an increase of 200% in its application downloads within few days. Other companies within this domain such as, Oxigen and PayU have also seen a rise in their service usage.

Resultant trend maybe vulnerable to security threats

This new trend is certainly heading in the right direction towards digitization, however there is risk of casting a blind eye towards the security aspect in the whole process of adapting to this digitized lifestyle. The Nordea Bank Fraud incident that occurred in 2007 is a classic example of e-banking cyber-attack, where perpetrators infected unsuspecting customers’ systems with a malware that stole login credentials, and made off with over 1.1 million US dollars. Not even major financial corporations like VISA, PayPal, and MasterCard are invincible from cyber-attacks.

The security standards and precautions have certainly evolved since these high profile attacks. But the speed of technological developments and its integration into our economy far supersedes that of the defense mechanisms and protocols in place to mitigate any cyber-attack on these developments. It goes to show that they are unparalleled and reactive in nature which ultimately begs the question: Is it safe to utilize these new payment platforms?

PayTM for instance is certified under the Payment Card Industry Data Security Standard (PCI DSS) 2.0 certification, which is the current industry security standard set by American Express, Visa International, MasterCard Worldwide and few other international dealers. This is an essential certification for companies that store credit-card info. PayTM also uses 128-bit encryption technology to crypt any information transfer between two systems. It takes more than 100 trillion years for a hacker to crack a password under 128-bit encryption. Needless to say, transactions via PayTM are fairly secure. Other companies like MobikWix also employ the 128-bit encryption technology. This is a common security measure that companies dealing with credit card information and transactions deploy, hence there is little doubt that companies taking advantage of demonetization are employing their share of precautions for secure transactions.

Is that secure enough?

But, these precautions won’t make us invulnerable. There are other things aside from the login credentials that hackers target these days. For example, just few days back, hackers breached a British mobile company, Three Mobile’s database and stole private information on six million users. Another example is the recent massive data breach of Indian bank networks that compromised over three million users’ financial data. The breach occurred between May 25 and June 10, victimizing major banking companies, including HDFC Bank, ICICI Bank, YES Bank, and Axis Bank. This stolen data can be sold underground, used for identity theft, or strengthen brute force attacks for further personal attacks.

These breaches may appear sophisticated, but there are other easier methods that anyone with basic IT skills can deploy. For Instance, here is an article by a hacker displaying the html code on how to fake the PayTM website. Using a spoofed site, a hacker can use phishing tactic to gain login credentials from unsuspecting users. Other tactics include fake mobile applications or spyware that steal information, social engineering tactics that make you reveal your login credentials, etc. This is nothing new however; spoofing, phishing, and spyware have plagued the IT security industry for more than a decade, with their tactics getting increasingly sophisticated.

But, if companies like HDFC and ICICI, which are most likely proactive in updating their security systems, still experienced cyber-attacks, what does that imply about unsuspecting users? Most new users were forced onto the digital payments bandwagon due to the currency demonetisation. Especially street-vendors, who were primarily reliant on cash payments before the demonetization, such as the Chai-wallas and Pan-wallas that were quick to adapt so as to maintain their revenue. Are these new users aware of the security risks involved here? I highly doubt it. Even if they are aware of the risks, whose responsibility is it and what precautions can they take to minimize damage from future attacks?

Whose responsibility is it?

It is not a single entity’s responsibility. Everybody involved in the process, including companies offering the service, the customers, and the government should do their share to mitigate cyber-attacks and minimize its damages. The following is a three pronged approach for companies, customers and the government to mitigate security risks:

Companies

All companies that offer platforms or services enabling digital payments should, first and foremost, increase awareness of the risks among their customer base and educate them on ways to secure themselves. Employ behavior analytics and pattern analysis at their fraud departments to predict suspicious behavior. Stay proactive in looking out for any spoofed applications or websites that masquerade their service. Proactively monitor discussion boards, social media platforms, and forums that discuss hacking and fraud tactics, and implement proactive measures to thwart their tactics.

Government

The Government should also do its share to protect its citizens by minimizing vulnerabilities. It should check if the current policies regulating this platform are adequate, and update it if necessary. Educate the populace on the risks involved. Enforce strict policies and hold companies accountable for not meeting security standards. Minimize benefits that come from overlooking security precautions. And, strengthen public-private partnership on live information sharing about cyber-attacks and fraud.

Customers

Customers should do their share to minimize damages. They should educate themselves about the risks involved, and take appropriate precautions. Minimize vulnerability with two-factor authentication and routine password changes. Check for applications’ authenticity by looking for the number of downloads and reviews by other users; the higher the number of downloads and reviews are, the higher the chances that the application is legitimate. In addition, check for other application releases from that developer. Check for website’s authenticity by checking for proper spelling of the web address, or if the website is secure by checking for a green padlock symbol on the left to the web address, and that the address starts with ‘https:’ Keep the web browsers updated as they can recognize illegitimate sites easily. Do not share sensitive information including login credentials over emails, phone calls, or chats. Lastly, trust your instincts and double check to make sure you don’t leave yourself vulnerable.

No comments: