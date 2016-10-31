Stung by the scope and size of a rapidly burgeoning debit card fraud, India’s upwardly mobile world of meta data and exabytes received a rude jolt. With public memory so short and driven at one level by telly guerrillas, the Tata-Mistry spat overtook everything else and the debit card fraud received a quiet burial. Government too has been alive to upgrading the payments system in the country by recommending appropriate measures for encouraging digital payments with requisite filters and security protocols. All told, $194,000 was filched in this data breach by the hackers but the level of vulnerability is humongous, for India has 697 million debit cards and 26 million credit card holders. The illegal withdrawals were limited to 641 customers of 19 banks. Porous firewalls are obviously a matter of concern and if we believe we have cauterised this fraud, then we are way off the mark. For, these are recurring nightmares and the next break-in could be much more significant. The urgent requirement for an upgrade to the broader security framework is a given.With the PM envisioning a cashless society, Google Inc has prognosticated that the size of the digital payments industry will grow 10 times to $500 billion by 2020 in India. The government has constituted a committee in this regard, but several of the recommendations to build a robust framework are now going to be rolled out in the medium and long term only. While the terms of reference essentially revolved around legislative and regulatory mechanisms, government payment systems, leveraging of eKYC and payments history and other measures to bump up the payments ecosystem, comments and suggestions are now being collated before they take shape as policy. And while the government power train moves slowly, I spoke to Nasscom president and former DoT secretary R Chandrasekhar. He is of the view that there were two separate committees set up by the government, one for short-term measures and the other, of which he was a part of, deals with a longer-term view. This is very much work in progress as government committees are. While the remit is large and expansive dealing with multiple issues, the ongoing overriding concern once again underlines the need to bolster the security framework.The perils of unethical hackers using the cold pipes of the internet to subvert economies by targeting vulnerable platforms is a reality that one cannot wish away. This breach once again underscored the need to brush up on security concerns and build in best practices. One hopes that policy mavens are concerned about this transgression and are equally worried about what has gone wrong and where and how. Security vetting and risk analysis methodologies need a thorough amelioration. Data theft and cyber security require a spanking new strategy, for this is a focus area for hackers. What the Data Security Council of India (DSCIL) top echelons have discovered with this latest breach is that new threshold levels of preparedness are manifest and technical drills to tackle these emergent situations are a priority area. Nasscom itself has set up DSCIL to zero in on new security protocols. This body has to be up to speed as it coordinates with RBI and law enforcement agencies to thwart new versions of malware and ransomware. Hostile and sophisticated intrusive software like say ransomware which is a type of malicious software designed to block access to a computer system until a sum of money is paid is deadly dangerous and India has to be prepared to deal with these new fangled things. Worms, adware and trojan horses have joined the lexicon of malicious programs, which can run amok if not checked adequately.The rules of engagement have changed dramatically and attacks, which used to be generic in nature, for instance they would zero in on business processes of ATM infrastructure, are rapidly evolving. The debit card data fraud was a result of malware. The risk to new transactional targets will increase with alarming regularity is what experts are prognosticating. To obviate this, banks and business organisations will have to ring fence themselves by increasing their firewalls. The real problem is that ATM infra is passé, what is in vogue is that banking boundaries are now infinite and limitless so, the malware and ransomware will seek to target mobile smartphones, devices like ipads, wearables and for that matter all instruments and tools where commerce is the axis. The problem thus is two-fold, institutions and individuals both are in the line of fire. The sheer magnitude of the threat percept is frightening and increasing all the time. Security firewalls and filters have to be ramped up at all times. As India moves to transact on different devices and mobile e-commerce is burgeoning at a frenetic pace, so should the security watch.Banks are the most aggressive in terms of implementing security moats because for them the issue is existential, but RBI’s role in all this upgrade has been crucial. Compliance mechanisms have to be bolstered and attack trends constantly studied and disseminated. What has really shaken the world is epicentre Bangladesh. A few months after hackers broke into Bangladesh’s central bank and came close to getting away with $1 billion, researchers have uncovered evidence that a separate hacking group is targeting the same payment network. This was a contemporary digital heist of significant proportions and it brought the dangers of digital payments ecosystems to the forefront. The Globe and Mail story shook the foundations of the international banking system, it was jeeper’s creepers. It was the start of a weekend in Bangladesh when an official at the country’s central bank checked a printer in a server room. The tray was empty, which was strange. There should have been a sheaf of reports confirming payment instructions sent through the Swift system, the network that connects 11,000 banks around the world. The printer glitch was no accident, but a deliberate strategy by criminals to hide their tracks. A day earlier, cyber thieves had issued instructions to transfer $951-million (US) out of Bangladesh Bank’s account at the New York Federal Reserve. Most were declined, but $81-million was transferred to a bank in the Philippines, never to be seen again. It was not simply enormous in size, but ambitious in its selection of target: the Swift system, the backbone of international finance. The methods deployed were highly sophisticated, involving a combination of technical prowess and intimate knowledge of how Bangladesh Bank interfaced with Swift. Gottfried Leibbrandt, chief executive of Belgium-based Swift, called the Bangladesh cyberattack “a watershed” for the banking industry. “Audacious is the new buzzword and what happened in India was a follow up to the Bangladesh attack, fortunately the amount pilfered wasn’t too much, but in a nation where a huge amount of transactions are done on devices, the threat is lurking. It requires collective action where new mechanisms are jump-started. The information sharing centre in Hyderabad as a part of RBI’s R & D wing is at the cutting edge of tools to beat back the malwares. While the vigil levels are being ratcheted up, it is given that the regularity of such attacks will increase exponentially. The way forward is respond, manage and limit the damage at all times.